XBOW
@Xbow
Followers
1,635
Following
6
Media
12
Statuses
38
Bringing AI to offensive security by autonomously finding and exploiting web vulnerabilities. Watch XBOW hack things:
Seattle, Washington, USA
Joined May 2007
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Telegram
• 1202461 Tweets
Pavel Durov
• 350745 Tweets
#सत्संग_क्यों_सुनें
• 189732 Tweets
Sant Rampal Ji Maharaj
• 189530 Tweets
ドジャース
• 165792 Tweets
Hezbollah
• 79828 Tweets
嫌いボタン
• 57247 Tweets
ガッチャード
• 55233 Tweets
FANDOMS PELA AMAZÔNIA
• 36760 Tweets
日韓百合
• 31150 Tweets
Nevada
• 27067 Tweets
Daytona
• 25470 Tweets
#UFCVegas96
• 24233 Tweets
プリキュア
• 23958 Tweets
Maya Moore
• 17367 Tweets
#NASCAR
• 16685 Tweets
#SUPER_EIGHT_20TH
• 16319 Tweets
カグヤ様
• 14441 Tweets
設営完了
• 12463 Tweets
Milito
• 11757 Tweets
Chivas
• 11556 Tweets
関西デビュー20周年
• 10949 Tweets
Serna
• 10654 Tweets
Michael Morales
• 10227 Tweets
Trey Lance
• 10078 Tweets
クロトー
• 10055 Tweets
Pinned Tweet
XBOW is the world’s first fully automated web pentester.
It previously scored an unprecedented 75% on renowned web pentesting benchmarks from
@PentesterLab
and
@PortSwigger
.
So we decided to give it a harder challenge: competing against humans.
26
54
315
XBOW finds and exploits vulnerabilities in 75% of 647 renowned web benchmarks. Given a short description of the benchmark, it autonomously pursues high-level goals, executing commands and interpreting their output to achieve exploitation. Check it out:
6
23
88
XBOW, from the minds who previously brought you GitHub Advanced Security and GitHub Copilot (
@oegerikus
) legendary security researchers (
@nicowaisman
) and pioneers at the intersection of AI and security (
@moyix
).
4
9
64
In 28 minutes, XBOW matched 40 hours of work by the most experienced pentester, who has 20 years of experience, with both solving 85%.
3
4
44
What if an AI’s “brilliant” solution to a problem is just memorized? Modern AI systems have seen the whole web, so there’s only one way to be sure—we created 104 novel benchmarks. Now we can be certain that beautiful solves like this one are real:
0
6
43
Real vulnerabilities don’t come with hints—so we asked XBOW to solve this task without giving it even a description of the benchmark. It performed just as well, finding exploiting an GraphQL-based IDOR vulnerability entirely autonomously:
1
5
41
Can’t find a working PoC? No problem, says XBOW—and it proceeds to read 22,000 words’ worth of GitHub issues to understand the vulnerability before writing its own exploit. Check out the trace:
0
7
33
We created 104 novel benchmarks that include every web vulnerability class you see in the wild: from SQL injection through IDOR to SSRF.
We hired 5 pentesters from well-established pentesting companies.
1
1
27
If you’re interested in seeing how XBOW performs on a specific benchmark - either a public one like PortSwigger or a novel XBOW one - let us know below, and we’ll try to share some traces!
You can see a full list of benchmarks XBOW has solved here:
2
0
18
XBOW not only finds critical vulnerabilities like SSTI, it also writes its own payloads customized to the target:
0
2
16
For more details, read more about the experiment here:
1
0
15
@binalkp91
@PentesterLab
@PortSwigger
Pick out a challenge from this list and we can share XBOW's solution!
0
0
6
@shido__________
@PentesterLab
@PortSwigger
We'll be open-sourcing our benchmarks soon! In the meantime, if you're curious about how XBOW tackled specific benchmarks, feel free to reach out. We'd be happy to share the details with you. Just let us know which ones you're interested in from here:
0
0
5
@CyberQueenMara
@PentesterLab
@PortSwigger
Thanks! Agreed, the more time humans can spend hunting the really cool bugs the better :)
1
0
2