Inside the Rise of Autonomous AI Hackers: XBOW's Oege De Moor

The presentation highlighted the emergence of fully autonomous AI hackers, focusing on Xbo, a system built by XBOW that can locate, exploit, and report vulnerabilities without human input. Xbo’s most notable achievement was discovering a remote code execution flaw in Microsoft’s Bing image search for a modest $3,000 cost, then climbing to the top of HackerOne’s global leaderboard by conducting black‑box testing solely from a URL. Key insights included the speed at which AI‑driven attacks now outpace traditional vulnerability disclosure: many CVEs are exploited before they are publicly reported. Xbo leverages a hybrid “alloy” of Gemini and Sonnet models, a pair‑programming approach that mitigates individual model errors and delivers performance three times better than the best human hackers, with future GPT‑5‑level models expected to be even more potent. The speaker invoked historical analogies, likening today’s AI arms race to Oda Nobunaga’s gun‑armed forces defeating the cavalry‑centric Takeda clan. He warned that the lag between CVE publication and exploitation has turned negative, and urged defenders to adopt AI tools now, noting that without rapid action, even a Thanksgiving dinner could be jeopardized. Implications are clear: cybersecurity firms must treat AI as both a weapon and a shield, accelerating defensive model development within the next six to nine months. Failure to do so risks a market shift where traditional security stocks tumble as autonomous AI attackers dominate the threat landscape.