Xbow USA Inc., a startup that helps enterprises find cybersecurity issues in their software, has closed a $120 million funding round at a valuation exceeding $1 billion.

The company disclosed today that DFJ Growth and Northzone were the lead investors. The Series C raise follows a $75 million round that closed last June.

One of the ways companies find vulnerabilities in their infrastructure is by carrying out penetration tests. Those are evaluations in which administrators carry out simulated cyberattacks against an application. A penetration test can uncover exploits that are difficult to spot using other methods, but such assessments are expensive and often take weeks.

Seattle-based Xbow provides a platform that carries out penetration tests automatically using AI agents. According to the company, its software can reduce the duration of cybersecurity evaluations to a few hours or days.

An application has numerous edge cases, user interaction scenarios that it is highly unlikely to encounter but could potentially pose a cybersecurity risk. In a manual penetration test, administrators often can’t cover every single edge case because of time constraints. Xbow says its platform’s speed enables it to analyze such risks in a more comprehensive manner.

After the software finds potential vulnerabilities, it checks whether they can be exploited. That approach enables Xbow to filter false positives without a realistic chance of leading to a breach. The company says that its AI agents can develop highly elaborate, multistep exploit chains.

During one penetration test, Xbow’s platform carried out a simulated cyberattack that comprised 48 different exploits. It used a specially crafted image file to simulate a so-called server-side request forgery attack. That’s a type of breach in which hackers compromise an application and use it to steal data from another system to which it’s connected.

In another test, Xbow successfully decrypted a cookie protected with the industry-standard AES-128 encryption technology. It did so by sending a series of requests to a server that possessed the decryption key. The requests returned error messages that Xbow’s AI agents analyzed to infer the contents of the cookie. The company says that its platform completed the task in 17.5 minutes.

Users can customize how Xbow carries out penetration tests by providing it with instructions. For example, a software-as-a-service startup could ask the platform to test only newly released feature. Engineers can optionally provide Xbow with the source code of an application to give it a more complete view of potential vulnerabilities.

The company offers its platform in three editions. The Plus and Premium versions enable customers to scan a single application for a one-time fee. Xbow Enterprise, the company’s third offering, can continuously scan an organization’s workloads for vulnerabilities. An application programming interface enables engineers to stream the results of penetration tests to their other cybersecurity tools.

Xbow will use its newly raised funding to grow its presence in international markets and the enterprise. The company also plans to invest in feature development.

Photo: Unsplash