XBOW Profile
XBOW

@Xbow

Followers 10K · Following 37 · Media 68 · Statuses 143

Bringing AI to offensive security by autonomously finding and exploiting web vulnerabilities. Watch XBOW hack things: https://t.co/D5Mco1u8zM

Seattle, Washington, USA
Joined May 2007
@Xbow
XBOW
2 months
CEO @oegerikus was hosted today on @FoxNews to discuss how XBOW is changing the game in cybersecurity. "We found a flaw in a well-secured company. They fixed it. Then our AI checked again and found a bypass for their fix. These AIs are pretty clever." Full interview and
3
4
56
@Xbow
XBOW
2 days
SAST and DAST operate in silos. Attackers don’t. XBOW agents combine both:
→ Static tells them where to look
→ Dynamic shows how to break it
→ Coordination = real exploits, not noise
Autonomous testing needs attacker logic, not just coverage. ⚡️Deep dive here:
3
1
11
@Xbow
XBOW
12 days
Action required now: Upgrade to Chef Automate 4.13.295 or later immediately. CVE: https://t.co/D2A9zVxJAT This is autonomous security testing in practice - finding and responsibly disclosing critical vulnerabilities before they're exploited at scale
0
0
1
@Xbow
XBOW
12 days
The discovery path: Found during testing on a HackerOne program, then realized it affected the upstream open-source Chef Automate project. We immediately disclosed to Progress (Chef's parent company), who responded quickly with a fix.
1
0
5
@Xbow
XBOW
12 days
What makes this interesting from a testing perspective: XBOW also discovered a default authentication token (93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506) that provided access to previously protected endpoints. This token exists in some GitHub repos but
2
0
1
@Xbow
XBOW
12 days
How XBOW found it: XBOW's autonomous testing identified SQL injection through the type field in the filters array using PostgreSQL's string concatenation operator. The application uses the pq driver, and error messages revealed the injection point.
1
0
0
@Xbow
XBOW
12 days
The vulnerability allows authenticated attackers to execute arbitrary SQL commands against the PostgreSQL database through the compliance profiles search endpoint at /api/v0/compliance/profiles/search. Potential impact: compromised data access.
1
0
0
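The injection pattern described in the two posts above (a caller-controlled type field inside a filters array spliced into a PostgreSQL query, with the || concatenation operator keeping the statement syntactically valid), shown as an added example in Go beside its hardened form. This is illustrative code written for this page; it is not Chef Automate's code, not XBOW's, and the request schema, table and column names, and the allow-list of filter types are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Filter and SearchRequest model the request body the thread describes: a
// "filters" array whose elements carry a "type" and a list of values. The
// exact field names and the table/column names below are assumptions made
// for this example; they are not Chef Automate's schema or code.
type Filter struct {
	Type   string   `json:"type"`
	Values []string `json:"values"`
}

type SearchRequest struct {
	Filters []Filter `json:"filters"`
}

// ParseRequest decodes a JSON search body of the assumed shape.
func ParseRequest(body string) (SearchRequest, error) {
	var req SearchRequest
	err := json.Unmarshal([]byte(body), &req)
	return req, err
}

// VulnerableQuery splices filter.Type straight into the statement text.
// Because PostgreSQL's || operator concatenates strings, a type value such
// as  name' || (SELECT current_user) || '  closes the literal, inserts an
// arbitrary subselect, and reopens the literal: the statement stays
// syntactically valid, so the database evaluates the attacker's subselect.
func VulnerableQuery(req SearchRequest) string {
	var preds []string
	for _, f := range req.Filters {
		vals := "'" + strings.Join(f.Values, "','") + "'"
		preds = append(preds, fmt.Sprintf("(type = '%s' AND value IN (%s))", f.Type, vals))
	}
	return "SELECT profile_id FROM profile_tags WHERE " + strings.Join(preds, " AND ")
}

// allowedFilterTypes is the allow-list for the hardened version (assumed
// values). A filter type names a tag or column rather than a plain value,
// so it cannot be protected by a bind parameter alone and must be checked
// against a fixed set.
var allowedFilterTypes = map[string]bool{"name": true, "version": true, "status": true}

// SafeQuery rejects unknown filter types and binds every user-supplied value
// through $N placeholders. With lib/pq the bound values travel to the server
// separately from the statement text, so a || payload inside a value is
// compared as data and never parsed as SQL.
func SafeQuery(req SearchRequest) (string, []interface{}, error) {
	if len(req.Filters) == 0 {
		return "", nil, errors.New("at least one filter is required")
	}
	var preds []string
	var args []interface{}
	for _, f := range req.Filters {
		if !allowedFilterTypes[f.Type] {
			return "", nil, fmt.Errorf("unsupported filter type %q", f.Type)
		}
		if len(f.Values) == 0 {
			return "", nil, fmt.Errorf("filter %q has no values", f.Type)
		}
		args = append(args, f.Type)
		typeIdx := len(args)
		var ph []string
		for _, v := range f.Values {
			args = append(args, v)
			ph = append(ph, fmt.Sprintf("$%d", len(args)))
		}
		preds = append(preds, fmt.Sprintf("(type = $%d AND value IN (%s))", typeIdx, strings.Join(ph, ",")))
	}
	return "SELECT profile_id FROM profile_tags WHERE " + strings.Join(preds, " AND "), args, nil
}

func main() {
	// Constructed attacker request: the || payload rides in the type field.
	attack := `{"filters":[{"type":"name' || (SELECT current_user) || '","values":["linux-baseline"]}]}`
	req, err := ParseRequest(attack)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable:", VulnerableQuery(req))
	if _, _, err := SafeQuery(req); err != nil {
		fmt.Println("hardened rejects it:", err)
	}
	// A well-formed request goes through with placeholders and bound args.
	benign, _ := ParseRequest(`{"filters":[{"type":"name","values":["linux-baseline"]}]}`)
	q, args, _ := SafeQuery(benign)
	fmt.Println("hardened:", q, args)
}
```

The detail worth noticing is that the hardened version needs two different controls: values can be bound as parameters, but the filter type selects what is being compared, so only an allow-list closes that hole. Error messages from the driver (the "pq: ..." strings the thread mentions) should also be logged server-side rather than returned to the client, since they are what confirmed the injection point.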
@Xbow
XBOW
12 days
🚨 Critical SQL injection in Chef Automate (CVE-2025-8868) If you're running Chef for infrastructure automation, patch immediately to version 4.13.295 or later. Full technical breakdown: https://t.co/BtOAk40tVn What XBOW found 🧵
xbow.com
How a little-known default token provided the entry point for XBOW to uncover a critical SQL injection in an unexpected API parameter.
1
6
20
@oegerikus
Oege de Moor
18 days
AI attacks are scaling. Defenders aren’t. We're entering the Chaos Phase, where autonomous exploit tools move faster than manual security ever could. With AI, defenders will win. But those that are slow to adopt AI will lose.
2
8
17
@Xbow
XBOW
19 days
XBOW found a new zero-day in Apache Druid. It wasn't just a lucky guess. XBOW is trained to think like a human attacker, using historical CVE knowledge to find a novel SSRF (CVE-2025-27888). This is how AI-powered pentesting turns old knowledge into new findings. Read the
3
20
141
@Xbow
XBOW
20 days
200+ real vulns. 0 false positives. XBOW agents ran autonomous exploits across Docker Hub webapps, and uncovered vulnerabilities traditional tools miss. Systematic. Validated. No assumptions. 🗓️ This Thurs — @moyix + @pwntester lead a live breakdown https://t.co/Wztoo32YGs
2
5
42
@Xbow
XBOW
1 month
We're excited to partner with @Rhymetec to combine our autonomous AI hacker with their deep human expertise. Machine speed with human ingenuity. This is how security teams get the advantage to stay ahead. Read the full announcement:
rhymetec.com
Rhymetec is proud to partner with XBOW, the world’s leading autonomous pentesting platform. Together, we bring a new standard of security.
0
5
24
@Xbow
XBOW
1 month
Full talk is now available! https://t.co/i9oGJrZEGH
@BugBountyDEFCON
Bug Bounty Village
1 month
It's out!! You can now watch @djurado's and @niemand_sec talk: "Prompt. Scan. Exploit - Ai's Journey Through Zero-Days, and a Thousand Bugs". Learn more about @Xbow and autonomous hacking. You can watch it on our YouTube channel exclusively: https://t.co/ywACpqVLUY. Enjoy!
0
3
38
@Xbow
XBOW
2 months
"The ChatGPT moment of cyber hacking hasn't happened yet; it will happen, and offensive actors will use AI. We need players like XBOW to help keep the world safe." - @apoorv03, Partner at Altimeter Capital. As attackers arm themselves with AI, we can't afford to fall behind.
2
3
16