{"id":14315,"date":"2025-06-26T01:19:38","date_gmt":"2025-06-26T01:19:38","guid":{"rendered":"https:\/\/newestek.com\/?p=14315"},"modified":"2025-06-26T01:19:38","modified_gmt":"2025-06-26T01:19:38","slug":"the-top-red-teamer-in-the-us-is-an-ai-bot","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14315","title":{"rendered":"The top red teamer in the US is an AI bot"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>AI is getting so good that it\u2019s outperforming human red teamers.<\/p>\n<p>The hacker \u201cXbow\u201d now tops an eminent US security industry leaderboard that ranks red teamers based on reputation \u2014 and it\u2019s an AI chatbot.<\/p>\n<p>On HackerOne, which connects organizations with ethical hackers to participate in their bug bounty programs, Xbow scored notably higher than 99 other hackers in identifying and reporting enterprise software vulnerabilities. 
It\u2019s a first in bug bounty history, according to the company that operates the eponymous bot.<\/p>\n<p>The development shows how far AI has come in cybersecurity in a short time, but also how easily adversaries can scale it.<\/p>\n<p>\u201cUnfortunately, this use of artificial intelligence favors attackers over defenders in this scenario, because the process is required, particularly for large organizations, to validate patches for critical parts of services that still aren\u2019t easy to automate,\u201d said David Shipley of Beauceron Security.<\/p>\n<h2 class=\"wp-block-heading\" id=\"discovered-more-than-1000-vulnerabilities\">Discovered more than 1,000 vulnerabilities<\/h2>\n<p>Xbow is a fully autonomous AI-driven penetration tester (pentester) that requires no human input, but, its creators said, \u201c<a href=\"https:\/\/xbow.com\/blog\/top-1-how-xbow-did-it\/\" target=\"_blank\" rel=\"noreferrer noopener\">operates much like a human pentester<\/a>\u201d that can scale rapidly and complete comprehensive penetration tests in just a few hours. According to its website, it passes 75% of web security benchmarks, accurately finding and exploiting vulnerabilities.<\/p>\n<p>Xbow submitted nearly 1,060 vulnerabilities to <a href=\"https:\/\/hackerone.com\/leaderboard\/country\" target=\"_blank\" rel=\"noreferrer noopener\">HackerOne<\/a>, including remote code execution, information disclosures, cache poisoning, SQL injection, XML external entities, path traversal, server-side request forgery (SSRF), cross-site scripting, and secret exposure. The company said it also identified a previously unknown vulnerability in Palo Alto\u2019s GlobalProtect VPN platform that impacted more than 2,000 hosts.<\/p>\n<p>Of the vulnerabilities Xbow submitted over the last 90 days, 54 were classified as critical, 242 as high and 524 as medium in severity. 
The company\u2019s bug bounty programs have resolved 130 vulnerabilities, and 303 are classified as triaged.<\/p>\n<p>Notably, though, roughly 45% of the vulnerabilities it found are still awaiting resolution, highlighting the \u201cvolume and impact of the submissions across live targets,\u201d Nico Waisman, Xbow\u2019s head of security, wrote in a blog post this week.<\/p>\n<p>The company performed what he described as \u201crigorous benchmarking,\u201d first testing its bot with \u201ccapture the flag\u201d challenges from providers like PortSwigger and Pentesterlab, then building its own benchmark that simulates real-world scenarios. It then set out to discover zero-day vulnerabilities in open source projects, giving the AI access to source code to simulate a white-box pentest.<\/p>\n<p>Xbow eventually began \u201cdogfooding\u201d its bot in public and private bug bounty programs hosted on HackerOne. \u201cWe treated it like any external researcher would: No shortcuts, no internal knowledge \u2014 just Xbow, running on its own,\u201d Waisman wrote. To further hone the technology, the company developed \u201cvalidators,\u201d automated peer reviewers that confirm each uncovered vulnerability, Waisman explained.<\/p>\n<p>He noted that the company was essentially challenged to test its bot on HackerOne. \u201cThe community raised a key question: How would Xbow perform in real, black-box production environments? 
We took up that challenge, choosing to compete in one of the largest hacker arenas, where companies serve as the ultimate judges by verifying and triaging vulnerabilities themselves.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"defenders-need-to-rethink-their-approach\">Defenders need to rethink their approach<\/h2>\n<p>While Xbow is now besting human red-teamers, and at a rapid clip, defenders still have a long way to go to keep up with the onslaught of AI-perpetrated attacks, experts say.<\/p>\n<p>\u201cHackers are quickly adopting new tools that allow them to move faster, hit harder, and target more precisely than ever before,\u201d said Erik Avakian, technical counselor at Info-Tech Research Group.<\/p>\n<p>He noted that automated systems are not only launching attacks at scale, but crafting highly convincing fake content, including voice, video, and emails, that \u201cblur the line between what\u2019s real and what\u2019s not.\u201d This represents a \u201cleap\u201d in capability, as opposed to just a step forward.<\/p>\n<p>\u201cSecurity teams are no longer just defending against individuals behind keyboards,\u201d said Avakian. \u201cThey\u2019re up against a system or a team that can scan, exploit, and adapt in near real time.\u201d<\/p>\n<p>Automating discovery can also, paradoxically, introduce dangers, noted Beauceron\u2019s Shipley. \u201cFurther speeding up exploit discovery and use will lead to more data breaches, ransomware incidents, and critical infrastructure disruption,\u201d he said.<\/p>\n<p>Ultimately, this is going to shove the gas pedal down on an \u201calready extremely difficult scenario\u201d for defenders, who today still aren\u2019t able to keep up with the demands for patching software, said Shipley. 
He lamented that one long-term solution to this threat was former US President Joe Biden\u2019s executive orders on cybersecurity, but those have since been gutted by the Trump administration.<\/p>\n<p>In this shifting landscape, Avakian urged defenders to rethink how they prepare. \u201cIt\u2019s no longer enough to rely on manual monitoring or traditional tools,\u201d he said, noting that organizations need to work with partners and vendors who have built tools to detect and respond at machine speed, and across all layers of the enterprise environment.<\/p>\n<p>Organizations also need structure, not just tools, including a well-defined security roadmap with clear policies and risk protocols, he said. Training is equally critical.<\/p>\n<p>\u201cTeams that understand how these new technologies work and how attackers are using them will be better positioned to respond with speed and confidence,\u201d said Avakian. \u201cThis shift isn\u2019t coming; it\u2019s already here.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>AI is getting so good that it\u2019s outperforming human red teamers. The hacker \u201cXbow\u201d now tops an eminent US security industry leaderboard that ranks red teamers based on reputation \u2014 and it\u2019s an AI chatbot. On HackerOne, which connects organizations with ethical hackers to participate in their bug bounty programs, Xbow scored notably higher than 99 other hackers in identifying and reporting enterprise software vulnerabilities&#8230;. 
<\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14315\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14315","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14315"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14315\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}