When Oege de Moor told investors in January 2024 that AI could “think like a hacker,” most were skeptical. Two years later, his company Xbow just raised $120 million in Series C financing, valuing it at over $1 billion. The validation didn’t come from pitch decks — it came from HackerOne’s leaderboard, where Xbow’s autonomous AI reached the #1 spot after finding vulnerabilities in Disney, AT&T, Ford, and Epic Games.
De Moor isn’t a newcomer to AI-powered development tools. He’s the creator of GitHub Copilot and GitHub Advanced Security (the product that emerged from his company Semmle after Microsoft acquired it). The Copilot team was famously small — just 10 people at launch. Xbow appears to be following that playbook, building with a core group of engineers from the original Copilot team.
The Numbers
The Series C was led by DFJ Growth and Northzone, with participation from Alkeon Capital and Sofina. Previous backers Sequoia Capital, Altimeter Capital, and NFDG also joined. Total funding now stands at $237 million.
Xbow claims over 100 customers, including Moderna and Samsung Electronics, with notably strong demand from South Korea. The company plans to use the funding for expansion, product development, and international growth.
How It Works
Traditional penetration testing is expensive and slow. Companies hire security firms or run bug bounty programs to find vulnerabilities before attackers do. This works, but it scales poorly — there aren’t enough skilled pen testers to keep up with the pace of software development.
Xbow’s approach: train AI to do what human pen testers do. The company validated this through extensive real-world testing on HackerOne, where it found original, exploitable vulnerabilities in production applications. Xbow has submitted nearly 1,060 vulnerabilities to the platform, with 132 confirmed and fixed, and another 303 acknowledged but still in triage.
The company positions this as “autonomous offensive security” — AI that continuously probes applications for weaknesses without human intervention. Whether this scales to catch the kinds of sophisticated vulnerabilities that experienced security researchers find remains an open question, but the HackerOne results suggest it’s already competitive with human bug hunters on many targets.
The Strategic Picture
Two forces are converging to make Xbow’s timing work:
The AI code explosion. GitHub Copilot and its competitors have dramatically increased the volume of code being written. More code means more attack surface, and traditional security audits can’t keep pace. AI tooling reviewing AI-generated code is becoming the only viable scaling strategy.
The talent shortage. Cybersecurity has faced a persistent skills gap for years. Autonomous security tools don’t replace senior researchers, but they could handle the grunt work of scanning for common vulnerabilities, freeing humans for more sophisticated analysis.
The company’s lineage from GitHub Copilot is also strategically significant. De Moor understands the code generation pipeline intimately — where vulnerabilities get introduced, what patterns indicate security risks, and how to integrate security tooling into developer workflows without creating friction.
Who Wins, Who Loses
Winners:
Enterprise security teams. If Xbow delivers on continuous autonomous testing, security teams get more coverage without proportionally more headcount. The tool becomes a force multiplier.
Bug bounty platforms (probably). HackerOne’s success with Xbow suggests AI participants could actually increase platform value by finding more bugs faster, raising the bar for what human researchers need to compete on.
Losers:
Commodity pen testing firms. Basic vulnerability scanning is increasingly automatable. Security firms that compete on volume rather than expertise face margin pressure.
Attackers (maybe). If defensive AI tools improve faster than offensive AI capabilities, the security balance could shift. But attackers also get access to AI tools, so this could be a wash.
The Open Question
Can AI find zero-days? Xbow’s HackerOne results are impressive for known vulnerability classes. The real test is whether it can discover novel attack vectors that human researchers haven’t categorized yet. De Moor’s team has the pedigree to attempt it, but “autonomous hacker” is still closer to marketing than reality for truly sophisticated threats.
Still, a billion-dollar valuation for a security company with a working product and paying customers is conservative by 2026 AI standards. If the alternative is another $30 billion round for a company still searching for product-market fit, Xbow looks like a rational bet.