XBOW is a cybersecurity company building an autonomous offensive security platform, effectively an AI "hacker" that continuously identifies, validates, and reports real exploitable vulnerabilities at machine speed. Founded in 2024 and headquartered in the United States, the company aims to replace point-in-time penetration testing with always-on, AI-driven adversarial testing modeled on real attacker techniques.

The platform's emphasis on validation is central to its positioning: rather than only flagging potential issues, XBOW is designed to confirm exploitability, which reduces false positives and helps security teams prioritize findings that represent genuine risk. This continuous approach contrasts with traditional penetration tests that capture security posture only at a single moment in time.

XBOW was founded by Oege de Moor, known for his work creating GitHub Copilot and GitHub Advanced Security, along with engineers from the original Copilot team. Its security leadership has included CISO Nico Waisman, formerly CISO at Lyft, who assembled a team of experienced human hackers to help train the autonomous system. The company has publicized strong results on a major bug-bounty leaderboard as evidence of its capability.

In early 2026 XBOW raised a $120 million Series C led by DFJ Growth and Northzone at a valuation above $1 billion. It subsequently added $35 million in strategic investment from partners including Accenture Ventures, NVentures (NVIDIA), Samsung Ventures, SentinelOne S Ventures, DNX, and Liberty Global, with total funding reported around $237 million. It has also pursued integration with major security ecosystems for continuous AI-driven testing.

XBOW competes with traditional penetration testing services, bug-bounty programs, and automated vulnerability scanning tools, differentiating on autonomous, validated, continuous offensive testing rather than periodic manual engagements or unvalidated scanner output.

The platform is best suited to security-mature organizations that want continuous, autonomous adversarial testing across their attack surface and the ability to prioritize confirmed, exploitable vulnerabilities.