XBOW, a fully autonomous penetration testing tool using AI, finally surpasses humans to become number one in HackerOne's rankings

HackerOne, a platform where companies pay rewards to hackers who discover security vulnerabilities, publishes a leaderboard that ranks security researchers based on their contributions and achievements. XBOW, a Seattle-based AI security engineering company, announced that its eponymous AI tool has reached number one on the HackerOne leaderboard.
XBOW – The road to Top 1: How XBOW did it
https://xbow.com/blog/top-1-how-xbow-did-it/

HackerOne Leaderboard
https://hackerone.com/leaderboard
This AI Is Outranking Humans as a Top Software Bug Hunter | PCMag
https://www.pcmag.com/news/this-ai-is-outranking-humans-as-a-top-software-bug-hunter
HackerOne's leaderboard displays the global rankings of all users, monthly and yearly contributions, ratings in specific categories, contributions to bug reports for specific companies, and rankings of hackers by country. Rankings are determined by the number of vulnerabilities reported, the total amount of bounties received, a confidence score that reflects the quality of bug reports and the number of errors in them, and an impact score that measures how severe the reported bugs were.
On this HackerOne leaderboard, XBOW, an 'autonomous penetration tester' that uses AI to perform penetration tests fully automatically, discover vulnerabilities and generate reports, ranked first in the Vulnerability Disclosure Program Institutions category from April to June 2025, beating out human hackers.
Below are the rankings as of June 25, 2025. Although XBOW ranks first in the United States, it ranks only sixth in the world in the overall rankings, which include bug bounty programs, meaning it is still behind the world's top human experts.

XBOW is an enterprise service that uses AI to automatically discover vulnerabilities, attack them, and submit proof-of-concept reports. It is highly scalable, since it handles report generation without human intervention, making it easy to scan thousands of web apps at the same time. On the other hand, while AI is surprisingly efficient at discovering vulnerabilities, automated AI scanning has long been plagued by false positives, so the challenge is not detection but 'accuracy.' To ensure accuracy, XBOW developed the concept of an 'automatic review function' that verifies each discovered vulnerability before it is reported.
XBOW reported approximately 1,060 vulnerabilities, of which 130 were resolved through reporting, and 303 were marked as 'reviewing the content and considering whether to respond.' From April to June 2025, XBOW said that 54 of the submitted vulnerabilities were classified by the program owner as 'critical,' 242 as 'high,' 524 as 'medium,' and 65 as 'low,' indicating that the reports had sufficient impact.
Nico Waisman, head of security at XBOW, emphasized the achievement, saying, 'For the first time in bug bounty history, an autonomous penetration tester has taken the top spot in the United States.' Nat Friedman, former CEO of GitHub, commented on XBOW's achievement, 'It's exciting to see an AI vulnerability testing tool now working properly, but it's also a little scary, considering we're in an era where machines are hacking machines.'
HackerOne co-founder Michiel Prins said about XBOW, 'AI hackbot companies like XBOW are bringing incredible innovation to the security field, accelerating the discovery and response of vulnerabilities. But AI doesn't learn to hack on its own. Hackers train it. In this feedback loop, human researchers remain important partners, and while AI is leading in volume, it's still humans who provide the discoveries that have the greatest business impact. Hackbots are just the next step in an evolution driven by human ingenuity with the power of automation.' He acknowledged XBOW's achievements while also expressing respect for human hackers.
More details about how XBOW identifies security vulnerabilities and avoids the large number of false positives typical of autonomous AI penetration testers will be presented at the Black Hat Briefings security conference, held from August 2 to 5, 2025.