Alvaro Muñoz
@pwntester
Followers: 13K
Following: 633
Media: 219
Statuses: 5K
Security Researcher with @XBOW. CTF #int3pids. Opinions here are mine! bluesky: https://t.co/9HRRzpBECt
Madrid 🇪🇸
Joined December 2008
This is not our talk, DEFCON screens didn't work during our time slot. We recorded and uploaded the full talk ourselves. Our talk:
Prompt Scan Exploit AI’s Journey Through 0Days and 1000 Bugs - https://t.co/JUncypFqAp at @defcon D. Jurado & J. Nogue Hi, it’s me, XBOW, the AI offensive agent—a smart cyber detective on a mission to find bugs in the digital world. In the past few months, I've discovered over
Security tools catch issues. But do they matter? Join @GeekMasher + @pwntester with @GitHub tomorrow as they show how AI agents: → Exploit like experts → Ship findings in minutes → Validate vulns scanners miss 🗓️Live @ 11:15am PT | 2:15pm ET https://t.co/u9l03t749R
Fun times with Telerik UI and DoS by default (it will hit for a long time I think). Sometimes it may lead to more fun, like RCE :) Gadgeting inspired by @pwntester, Oleksandr and @steventseeley
Today, we publish our analysis of CVE-2025-3600 that we discovered in Telerik UI, a prolific library used in hundreds of thousands of applications. Tagged as a Denial of Service vulnerability, today we go deeper and demonstrate RCE scenarios. https://t.co/RzHmW1Mrgu
Do not miss this live session from my teammates @moyix and @pwntester. Today, 10 am PT/ 1pm ET. You will learn about: - AI agents validating real vulnerabilities at scale - How can AI agents autonomously uncover and validate exploits using runtime behaviors - Techniques for
200+ real vulns. 0 false positives. XBOW agents ran autonomous exploits across Docker Hub webapps, and uncovered vulnerabilities traditional tools miss. Systematic. Validated. No assumptions. 🗓️ This Thurs — @moyix + @pwntester lead a live breakdown https://t.co/Wztoo32YGs
When I read the trace for this bug it reminded me of the almost identical finding by @artsploit in Datahub
github.blog
The GitHub Security Lab audited DataHub, an open source metadata platform, and discovered several vulnerabilities in the platform's authentication and authorization modules. These vulnerabilities...
XBOW found a new zero-day in Apache Druid. It wasn't just a lucky guess. XBOW is trained to think like a human attacker, using historical CVE knowledge to find a novel SSRF (CVE-2025-27888). This is how AI-powered pentesting turns old knowledge into new findings. Read the
Join @moyix and yours truly in a fireside chat about all things @Xbow and our validators. If you haven’t registered yet, secure your seat here: https://t.co/InSQS9fITz More info at:
linkedin.com
200 real vulns. 0 false positives. All exploited. This Thursday, join Brendan Dolan-Gavitt and Alvaro Muñoz to see how XBOW ran autonomous AI agents across Docker Hub apps to uncover 200+ validated...
GitHub even offers a built in suite of CodeQL detections for Actions that @pwntester wrote that easily catch things like those. Yet we still see the most obvious misconfigurations with critical impact. Vibe coding actions will get you wrecked.
What a PR https://t.co/zdMt9Ilq4r by @NxDevTools This one was written by AI and introduces a critical PR title injection that could allow anyone to steal their NPM token with a little privesc. How is stuff like this still shipping?
github.com
Current Behavior Currently, there is no automated check to ensure that PR titles follow our conventional commit format. This can lead to inconsistent PR titles that don't match our commit c...
@moyix Dutch saying: Tall trees catch a lot of wind. Congrats, xbow is a tall tree :)
Back at summer hacker camp, it’s been a while! Will be at @Xbow booth (3257) all morning. Come say hi!
🚀 Excited to announce our partnership with @TrustVanta ! With XBOW’s autonomous penetration testing now in Vanta, startups can meet the highest security standards with speed and confidence—finding and validating real vulnerabilities in hours, not weeks. Learn more:
The new episode of @ctbbpodcast is out! Huge thanks to @Rhynorater and @rez0__ for having me. I had a great time chatting with you about XBOW and HackerOne’s Ambassador World Cup. It was a blast! 🫶🏼
New episode is out! — https://t.co/hX8NbjfgXO Releasing the episode on Monday so you have something to listen to during your travel to DEFCON =) Diego Djurado joins us to discuss XBOW's architecture, hunting approach, hallucination challenges, and AI's future in bug bounty. He
If you have some time today, check out @moyix highlights or @pwntester full blogpost on this amazing vulnerability and how it was exploited by XBOW. See you all in BH/Defcon next week!
Ingenious. A gripping detective story, with the plot devised by @XBOW, and told by @pwntester.
XBOW pulled off the perfect digital heist: stealing files by hiding them in plain sight. Disguised arbitrary file content as satellite imagery pixels. TiTiler processed the "images" while XBOW extracted secrets from the compression data. Mission details:
YES! THIS one is my favorite :D Some details in thread below...
XBOW pulled off the perfect digital heist: stealing files by hiding them in plain sight. Disguised arbitrary file content as satellite imagery pixels. TiTiler processed the "images" while XBOW extracted secrets from the compression data. Mission details:
I was going to write a thread about my latest @Xbow blog post but @moyix wrote a perfect one. Go check it out!
xbow.com
A complete arbitrary local file read vulnerability achieved through an ingenious byte-by-byte exfiltration technique.
Proud to have @djurado9 and @niemand_sec representing XBOW at @defcon Bug Bounty Village 🎯 XBOW finds vulns, our team shares the insights. See you in Vegas! #DEFCON
Don't miss "Prompt. Scan. Exploit: AI’s Journey Through Zero-Days and a Thousand Bugs" by Diego Jurado (djurado9) and Joel Noguera (@niemand_sec) on Friday, August 8 at 10:00 AM on Creator Stage 3. Read more at https://t.co/e3glU8gWAU
#BugBounty #DEFCON33
Wrote a blog post about @Xbow finding an arbitrary file read in Ninja tables 🥷, a popular WordPress plugin. Stay tuned for the following ones if you want to see XBOW exploiting a really cool file read and RCE
When simple attack vectors fail, XBOW doesn't give up. ⚡️New discovery: Arbitrary file read in WordPress Ninja Tables plugin. Hidden in plain JavaScript sight, protected by nonce validation, but XBOW pieced together the exact request format needed. Technical breakdown here: