

Part01
Chatbot “Xbow”
Ranks First on HackerOne
The performance of artificial intelligence (AI) has surpassed that of human red team members. On the HackerOne platform, an AI chatbot named “Xbow” currently ranks first in the reputation leaderboard of the US security industry. The platform connects businesses with ethical hackers through a bug bounty program, and Xbow has significantly outperformed 99 other hackers in identifying and reporting vulnerabilities in enterprise software. The company operating the bot stated that this is a first in the history of bug bounties.
This development not only showcases the rapid advancements of AI in the cybersecurity field but also reveals that attackers can easily scale this technology. “Unfortunately, in this case, the application of AI is more beneficial to attackers than defenders, as large organizations still require human verification of critical service patches, a process that is currently difficult to automate,” said David Shipley from Beauceron Security.
Part02
Discovered Over 1000 Security Vulnerabilities
Xbow is a fully autonomous AI penetration testing tool, and its creators claim it “operates similarly to human penetration testers,” capable of completing comprehensive tests in just a few hours. According to its official website, the tool has passed 75% of web security benchmark tests and can accurately identify and exploit vulnerabilities.Xbow has submitted nearly 1060 vulnerabilities to HackerOne, including:
- Remote Code Execution
- Information Disclosure
- Cache Poisoning
- SQL Injection
- XML External Entity
- Path Traversal
- Server-Side Request Forgery (SSRF)
- Cross-Site Scripting
- Key Exposure
The tool also discovered a previously unknown vulnerability in Palo Alto’s GlobalProtect VPN platform, affecting over 2000 hosts. Among the vulnerabilities submitted in the last 90 days, 54 were classified as critical, 242 as high risk, and 524 as medium risk. Currently, 130 vulnerabilities have been fixed, and 303 are in the classification process.Notably, about 45% of the vulnerabilities are still awaiting resolution. Nico Waisman, the security chief at Xbow, stated that this highlights the “quantity and impact of vulnerabilities submitted against live targets.” The company first conducted “capture the flag” challenge tests using platforms like PortSwigger, then established benchmark tests simulating real-world scenarios, ultimately allowing the AI to perform white-box penetration testing by accessing the source code.Part03
Defenders Need to Change Strategies
Despite Xbow rapidly surpassing human red team members, experts believe that defenders still have a long way to go in responding to AI attacks. Erik Avakian, a technology consultant at Info-Tech Research Group, pointed out, “Hackers are quickly adopting new tools that enable them to launch attacks more swiftly and accurately.”Automated systems can not only initiate large-scale attacks but also create highly realistic fake content, including voice, video, and emails, “blurring the line between reality and falsehood.” Avakian emphasized, “Security teams are no longer just combating individuals behind keyboards; they are now fighting against a system or team that can scan, exploit, and adapt almost in real-time.”Shipley from Beauceron warned that automated vulnerability discovery could be dangerous: “Accelerating vulnerability discovery and exploitation will lead to more data breaches, ransomware incidents, and critical infrastructure disruptions.” He believes that defenders are already overwhelmed by the demand for software patches, and this development will only make matters “worse.”Avakian suggests that organizations need to:
- Collaborate with partners capable of machine-speed detection and response
- Establish a comprehensive security roadmap and risk protocols
- Enhance team training
“Teams that understand how these new technologies work and how attackers use them will be able to respond more quickly and confidently,” Avakian concluded, “This shift is not coming soon—it has already happened.”
References:
The top red teamer in the US is an AI bothttps://www.csoonline.com/article/4012801/the-top-red-teamer-in-the-us-is-an-ai-bot.htmlRecommended Reading
Radio Discussion
