UPDATED 18:16 EDT / MARCH 25 2026

Nico Waisman, CISO at Xbow, talks to theCUBE about autonomous penetration testing, AI-driven offensive security and the growing urgency for enterprises to match attacker speed, at the RSAC 2026 Conference.

Offensive security is entering a full-fledged ‘chaos phase’ as AI speeds up attacks

The window between vulnerability discovery and exploitation is shrinking fast, with autonomous penetration testing emerging as the only way for defenders to keep pace with AI-powered attackers.

As engineering teams ship software faster than ever and attackers probe systems continuously at scale, traditional human-led penetration testing can no longer keep pace. Xbow USA Inc., an autonomous offensive security startup, has emerged as one of the companies making that case most aggressively. Its claims draw attention because the company has posted visible industry milestones, including its autonomous agents reaching the top of the HackerOne global leaderboard. But the stakes have only grown since, according to Nico Waisman (pictured), chief information security officer of Xbow.

“The benefit and the problem of AI is now [bad actors] can do all of that at scale,” Waisman said. “We’re seeing a reduction between the moment that the vulnerability is found to the moment that it’s being exploited. That, to us, is a huge concern. Obviously this is our business, but also from an industry point of view, I think that we are going to a chaos phase where offensive [activity] — especially on the bad actor side — is going to get faster, is going to get more accurate and we are not ready.”

Waisman spoke with theCUBE’s Dave Vellante and John Oltsik at the RSAC 2026 Conference, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed autonomous penetration testing and the growing urgency for enterprises to match attacker speed. (* Disclosure below.)

Autonomous penetration testing at machine speed

Xbow was founded by GitHub Copilot and GitHub Advanced Security creator Oege de Moor with a core group of engineers from the original Copilot team, while Waisman himself assembled experienced human hackers to help train the company’s autonomous system, he explained. The resulting platform is designed to coordinate large-scale attacks against web applications while built-in validation helps reduce false positives, he added.

“The real trick is how you do that at scale,” Waisman said. “What we have built is basically a tool … that manages the coordination of a penetration test. It’s a tool that sends a swarm of agents against your environment and makes sure that the agents are not stepping [on] each other’s toes [and] they’re running in a safe way. They’re not attacking your database and basically dropping your tables … they’re actually finding the needle in the haystack — the real vulnerabilities from the false positives.”

A key differentiator is full observability into every action the large language model performs during an autonomous penetration testing exercise, in place of the summary report that a traditional human engagement delivers. That transparency gives security teams the ability to verify findings and replay attack chains step by step, Waisman noted.

“With an AI autonomous penetration test, what you’re getting is full observability of every network package that we send your way and every action that the LLM performed,” he said. “What was the LLM thinking? What was the action that was performed? What was the output of that action? You can see everything that happened.”
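The three properties Waisman describes in the two quotes above, a swarm that is stopped from doing damage, validation that separates real findings from false positives, and a step-by-step record of what the model thought, did and saw that can be replayed, can be sketched in a few dozen lines. The following is an added example written for this page; it is not Xbow's code and says nothing about how Xbow's platform is built. The target (`fake_target`), the scope rules (`DESTRUCTIVE_METHODS`, `DESTRUCTIVE_SQL`), the scripted attack plan (`PLAN`) and the validation rule in `confirmed_findings` are all assumptions constructed for the illustration.

```python
import hashlib
import json
import re
from dataclasses import dataclass

GENESIS = "0" * 64


def fake_target(method, path, params):
    """Constructed stand-in for the environment under test (not a real service).
    /search reflects q unescaped on purpose so there is something to find."""
    if path == "/search":
        return 200, f"<p>Results for {params.get('q', '')}</p>"
    if path == "/admin/users" and method == "DELETE":
        return 200, "deleted"
    return 404, "not found"


# Assumed scope rules: no state-changing verbs, no destructive SQL keywords.
DESTRUCTIVE_METHODS = {"DELETE", "PUT", "PATCH"}
DESTRUCTIVE_SQL = re.compile(r"\b(drop|truncate|delete|alter)\b", re.IGNORECASE)


class GuardrailViolation(Exception):
    pass


def check_guardrail(action):
    """Refuse actions that could damage the target, e.g. dropping a table."""
    if action["method"] in DESTRUCTIVE_METHODS:
        raise GuardrailViolation(f"{action['method']} is outside the agreed scope")
    for value in action["params"].values():
        if DESTRUCTIVE_SQL.search(value):
            raise GuardrailViolation("destructive SQL keyword in payload")


@dataclass
class Step:
    thought: str    # what the model was "thinking" before acting
    action: dict    # the request it chose to send
    output: str     # what came back, or why the action was blocked
    prev_hash: str  # digest of the previous step: makes the log tamper-evident
    digest: str


def _digest(thought, action, output, prev_hash):
    body = json.dumps([thought, action, output, prev_hash], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.steps = []

    def record(self, thought, action, output):
        prev = self.steps[-1].digest if self.steps else GENESIS
        step = Step(thought, action, output, prev, _digest(thought, action, output, prev))
        self.steps.append(step)
        return step

    def verify(self):
        """True if no step has been altered or removed since it was recorded."""
        prev = GENESIS
        for s in self.steps:
            if s.prev_hash != prev or _digest(s.thought, s.action, s.output, prev) != s.digest:
                return False
            prev = s.digest
        return True


# Constructed attack plan standing in for the model's own decisions.
PLAN = [
    ("Probe /search to see whether q is reflected",
     {"method": "GET", "path": "/search", "params": {"q": "probe123"}}),
    ("Reflected verbatim, try a script tag to confirm XSS",
     {"method": "GET", "path": "/search", "params": {"q": "<script>probe123</script>"}}),
    ("Found an admin endpoint, try deleting users",
     {"method": "DELETE", "path": "/admin/users", "params": {}}),
]


def run_agent(target, plan=PLAN):
    """Execute the plan: every action is checked against scope, then run and logged."""
    ledger = Ledger()
    for thought, action in plan:
        try:
            check_guardrail(action)
        except GuardrailViolation as err:
            ledger.record(thought, action, f"BLOCKED: {err}")
            continue
        status, body = target(action["method"], action["path"], action["params"])
        ledger.record(thought, action, f"{status} {body}")
    return ledger


def confirmed_findings(ledger):
    """Assumed validation rule: a reflection counts only if the payload came back intact."""
    return [s for s in ledger.steps
            if "<script>" in s.action["params"].get("q", "") and "<script>" in s.output]


def replay(ledger, target):
    """Re-send each executed request and report whether the target still answers the same."""
    report = []
    for s in ledger.steps:
        if s.output.startswith("BLOCKED"):
            report.append(("skipped", s.action["path"]))
            continue
        status, body = target(s.action["method"], s.action["path"], s.action["params"])
        report.append(("match" if f"{status} {body}" == s.output else "drift", s.action["path"]))
    return report


if __name__ == "__main__":
    led = run_agent(fake_target)
    for s in led.steps:
        print(s.thought, "->", s.output)
    print("ledger intact:", led.verify(), "| confirmed findings:", len(confirmed_findings(led)))
    print(replay(led, fake_target))
```

Running it shows the shape of the record Waisman is talking about: each entry pairs the model's reasoning with the exact request and the exact response, the DELETE against the admin endpoint is refused before it reaches the target rather than after, only the step whose payload survived unescaped is reported as a finding, and `replay` re-sends the logged requests so a reviewer can check that the chain still holds (or has drifted) without trusting the summary. The hash chain is there so the log itself can be handed to the customer as evidence that has not been edited after the fact.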

Xbow recently raised $120 million in a Series C funding round, valuing the business at more than $1 billion, and is preparing to shift left into continuous integration and continuous delivery pipelines between the second and third quarters of 2026. Now, as every organization becomes an engineering-led company, the role of the CISO is evolving from guardian of the perimeter to governor of an ever-expanding code base, according to Waisman.

“Every CISO now needs to understand that the organization is an engineer-led organization because everyone from sales to marketing is using Claude Code or Codex to write code,” he said. “You need to make sure that you build the right security guardrails for people to innovate fast, but [don’t] go outside of those guardrails. And then testing, testing, testing at engineer speed.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the RSAC 2026 Conference:

(* Disclosure: Xbow sponsored this segment of theCUBE. Neither Xbow nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
