XBOW

Funding, Product Roadmap & Offensive Security Competitors

Autonomous AI agents that continuously pentest web apps and validate exploits end to end.

Company Overview

XBOW is an AI security platform that runs autonomous penetration tests against production web applications and validates real exploits. Customers include Moderna (pharma), Samsung (consumer electronics), Seznam (tech), and SentinelOne (security).

What They're Building

The company's public product roadmap & what they're committed to building.

Autonomous Pentest Platform

A cloud-only agentic AI that simulates attacker behavior and validates exploitability with zero false positives.

Public API

Programmatic access for integrating XBOW into security and developer workflows, launched February 2026.

CI/CD Integration

Continuous testing triggered on code changes to shift security left, planned for 2026.

Model Alloying

Dynamic routing across frontier LLMs to optimize attack reasoning per task.

Competitors

Pentera:

Automated security validation focused on internal network breach-and-attack simulation, less LLM-native.

Horizon3.ai:

NodeZero platform targets infrastructure and AD exploitation rather than web app agentic testing.

Synack:

Hybrid crowdsourced model with human researchers plus automation, higher-touch delivery.

XBOW's Moat:

Proprietary agent scaffolding combined with deterministic exploit validation produces findings rivals cannot match on false-positive rate, backed by a #1 HackerOne ranking and 200+ disclosed zero-days. Validation is what makes pentest output usable; XBOW is the only one shipping it reliably.

How They're Leveraging AI

AI Use Overview:

XBOW runs autonomous security agents with AI-driven attack reasoning, deterministic exploit validation that produces zero false positives, model alloying that routes between frontier LLMs based on task type, and real offensive tooling against live web applications.

More
Legal, Compliance, Privacy, and Regulated Ops

Harvey AI

Generative AI platform automating legal workflows for law firms and in-house counsel

A category-defining wedge into a $1T legal services market with deep enterprise penetration, OpenAI alignment, and workflow lock-in that incumbents cannot easily replicate.

SolveAI

Natural-language platform for building production-grade enterprise apps without code.

Forward-deployed delivery produces proprietary pattern libraries that feed back into the product, a data advantage pure self-serve competitors cannot replicate without the same embedded model.

Horizon3.ai

Autonomous penetration testing platform that finds and verifies exploitable attack paths

Autonomous pentesting compounds as attack surfaces grow, and federal traction combined with MSSP distribution give Horizon3 a defensible wedge against legacy breach-and-attack simulation vendors.

Upwind Security

Runtime-powered cloud security platform using eBPF sensors and AI agents for detection and response.

Runtime context is the wedge against agentless-only CNAPP incumbents like Wiz and Orca, and Upwind is extending into AI-driven response and SAST before the category consolidates.