The race between attackers and defenders has entered a critical phase. With AI enabling bad actors to discover and exploit vulnerabilities at unprecedented speed, traditional human-led penetration testing is falling behind.

Xbow USA Inc., an autonomous offensive security firm, says the industry is now entering what Chief Information Security Officer Nico Waisman calls a “chaos phase.”

“The benefit and the problem of AI is now [bad actors] can do all of that at scale,” Waisman said. “We’re seeing a reduction between the moment that the vulnerability is found to the moment that it’s being exploited.”

Founded by GitHub Copilot co-creator Oege de Moor, Xbow uses swarms of coordinated AI agents to simulate large-scale attacks while minimizing false positives. Its platform provides full observability, showing every network packet sent and every action taken by the underlying large language model.

“What was the LLM thinking? What was the action that was performed?” Waisman explained. “You can see everything that happened.”

The company recently raised $120 million in Series C funding, achieving unicorn status, and plans to integrate its tools into continuous integration pipelines by mid-2026.

Waisman emphasized that as organizations become engineer-led, with even sales and marketing teams writing code via AI, the role of the CISO must evolve from perimeter guardian to code governance enforcer.

“You need to build the right security guardrails for people to innovate fast, but not go outside those guardrails,” he said. “And then testing, testing, testing at engineer speed.”