{"id":7795,"date":"2025-07-14T07:00:00","date_gmt":"2025-07-14T12:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85156"},"modified":"2025-07-14T07:00:00","modified_gmt":"2025-07-14T12:00:00","slug":"is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/07\/14\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet\/","title":{"rendered":"Is XBOW\u2019s success the beginning of the end of human-led bug hunting? Not yet."},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Is XBOW\u2019s success the beginning of the end of human-led bug hunting? Not yet. | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Is XBOW\u2019s success the beginning of the end of human-led bug hunting? Not yet.\"> <meta property=\"og:description\" content=\"XBOW\u2019s AI bug-hunter landed a big funding round while dominating HackerOne\u2019s leaderboards. 
But even its founder says it hasn\u2019t fully replaced the need for humans to be involved in the bug-hunting process.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-07-14T12:00:00+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg\"> <meta property=\"og:image:width\" content=\"7920\"> <meta property=\"og:image:height\" content=\"6120\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. 
--> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1746040294g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1750115417g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1752075323g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85156\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85156\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fis-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fis-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85156 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> 
<\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.319327731092\">\n<div class=\"single-article__header-content\" readability=\"35.615384615385\">\n<p> XBOW\u2019s AI bug-hunter landed a big funding round while dominating HackerOne\u2019s leaderboards. But even its founder says it hasn\u2019t fully replaced the need for humans to be involved in the bug-hunting process. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85156\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"494\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet.jpg?resize=640%2C494&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg 7920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=300,232 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=768,593 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=1024,791 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=1536,1187 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=2048,1583 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=600,464 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=217,168 217w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=436,337 436w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=874,675 874w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-2.jpg?resize=1091,843 1091w\" sizes=\"(max-width: 874px) 100vw, 874px\"><figcaption> XBOW\u2019s AI bug-hunter landed a big funding round while dominating HackerOne\u2019s leaderboards. But even its founder says it hasn\u2019t fully replaced the need for humans to be involved in the bug-hunting process. (Image source: Getty) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"138.48984651712\"><body readability=\"278.15099925981\"><\/p>\n<p>When news broke that an AI agent named XBOW was leading the HackerOne bug bounty leaderboards, it quickly raised several concerning questions for the cybersecurity industry.<\/p>\n<p>Have large language models evolved enough to partially or fully replace human bug hunting? How precisely does XBOW \u2014 built by a startup with the same name \u2014 work? Were humans involved in producing the output, and if so, to what extent? And ultimately: what does this mean for the future of cybersecurity and the humans who have traditionally performed these jobs?<\/p>\n<p>In interviews with CyberScoop, experts from XBOW, HackerOne, and the cybersecurity&nbsp; industry note that the rapid evolution of large language models is evident in tools like XBOW. These models have quickly become highly effective at core tasks like vulnerability research, threat hunting and adversarial red-teaming. 
Unlike humans, these models can work continuously \u2014 though at significant costs \u2014 and solve bugs at much faster rates.&nbsp;<\/p>\n<p>At the same time, they stressed that managing an AI bug hunter or red-teaming program still requires a certain amount of human input and intervention. Others have said that XBOW\u2019s work, while impressive, appears to come from racking up wins on low-level, low-impact bugs and that the model would likely struggle on more complex vulnerabilities.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While most said XBOW\u2019s capabilities fall short of an existential crisis for human bug hunters and red-team leaders, they also acknowledge that the balance between humans and automation in cybersecurity is shifting rapidly underneath the industry\u2019s feet.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-more-machine-than-man\"><strong>More machine than man<\/strong><\/h2>\n<p>In a June 24 <a href=\"https:\/\/xbow.com\/blog\/top-1-how-xbow-did-it\/\">blog<\/a>, XBOW head of security Nico Waisman claimed that the tool operates with \u201cno human input\u201d but also acknowledged that, given the hundreds of thousands of potential targets on HackerOne\u2019s platform, the startup \u201cbuilt infrastructure on top of XBOW to help us identify high-value targets and prioritize those that would maximize our return on investment.\u201d<\/p>\n<p>Guiding XBOW and its resources also involved manual curation of bug bounty scopes and policies, a custom-scoring system for the agent to follow, <a href=\"https:\/\/spotintelligence.com\/2023\/01\/02\/simhash\/\">SimHash fingerprinting techniques<\/a> and a headless browser.<\/p>\n<p>XBOW founder Oege de Moor, who previously led GitHub Next, the company\u2019s software research and development division, told CyberScoop that his startup is staffed primarily by researchers and experts in three fields: 
security, artificial intelligence and scalable systems. He described human involvement mainly at the start of the process to guide and prompt, and at the end to validate the tool\u2019s findings, a HackerOne requirement for AI-bug bounty reports.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cXBOW is a completely autonomous system, but you need to decide what you point it at, so you have to give it a URL to start with, possibly you might want to give it some additional information like credentials \u2026 at the very beginning,\u201d de Moor said. \u201cFrom that point, you select the target, you might give it some optional configuration but that\u2019s it. Off it goes and it reports a bunch of exploits.\u201d<\/p>\n<p>HackerOne tracks top-performing bug hunters in a variety of ways, including whether they focus on vulnerability disclosure programs or bug bounty programs, and the number of bugs they\u2019ve discovered and validated. The leaderboards also award \u201creputation points\u201d based on the quantity and complexity of bugs resolved and assign each bug an \u201cimpact score\u201d between 1 and 50 to convey its severity and reach.<\/p>\n<p>Michiel Prins, co-founder and senior director of product management at HackerOne, told CyberScoop that some hackers and bug hunters earn a living solving lots of small bugs, while others focus on fewer, critical flaws that offer higher payouts and reputation rewards. 
XBOW\u2019s output thus far, Prins said, is similar to the former group, with a high number of bugs solved but a reputation score of around 17, reflecting a focus on lower- to medium-severity issues.<\/p>\n<p>Speaking generally about tools like XBOW, Prins said \u201cwhat we see is that they excel in volume \u2026 [but] it does not yet excel in business impact.\u201d<\/p>\n<p>\u201cIt\u2019s a workflow, and there\u2019s a loophole in the workflow so that an adversary can accomplish something that is unintended,\u201d he continued. \u201cThat is very hard for an AI to find, because the AI needs to really understand the intent of the application, the business context it operates in, and the whole environment around it.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>That sentiment was shared by some other cybersecurity practitioners. Am\u00e9lie Koran, who has worked on cybersecurity for Walmart, Electronic Arts and the federal government, said the tool\u2019s record doesn\u2019t suggest that it can replace humans to solve more difficult cybersecurity problems.&nbsp;<\/p>\n<p>\u201cLooking at their profile on HackerOne, their badges are some of the more basic things you can find with automation: data leaks, XML exposure, cross-site scripting, command injection and access control,\u201d she told CyberScoop. \u201cI wouldn\u2019t be so mean as to say these are rudimentary finds, but all of this is much more \u2018surface material\u2019 as opposed to more in-depth campaigns.\u201d<\/p>\n<p>For his part, de Moor disagrees with this characterization, saying the company intends to release examples of higher-complexity bugs XBOW has found in the coming weeks.&nbsp;<\/p>\n<p>While XBOW sits atop the U.S. HackerOne leaderboards, multiple sources critiqued the idea of comparing the work of a tool managed by a company with the output of individual bug hunters. 
Even HackerOne has had to grapple with this problem: the company recently altered its leaderboards to separate bounty rankings for individuals from those for companies like XBOW in an effort to deal with similar complaints.<\/p>\n<p>\u201cXBOW is a company, [and] there\u2019s multiple people working behind it,\u201d Prins said, explaining the decision. \u201cThere\u2019s venture funding behind the company, there\u2019s AI involved \u2014 that\u2019s not unique, lots of hackers have AI in their toolkit \u2014 but it\u2019s a company, it\u2019s not just one person.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Right now, XBOW is operating in the red. While many projects and payouts remain in the pipeline, de Moor said the earnings it has generated hunting bugs thus far are less than the cost it takes to run the tool, which is \u201cquite compute intensive and not cheap.\u201d<\/p>\n<p>For this reason, the program is given a \u201ctime budget\u201d for solving certain tasks, and if a task takes more than 100 attempts, that\u2019s a sign that the model needs some tweaking by engineers \u2014 what de Moor calls \u201cAI magic\u201d \u2014 to make it more efficient. Like others, he believes this will change as improved data center infrastructure makes AI tools like XBOW more affordable and practical.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-capture-the-bag\"><strong>Capture the bag<\/strong><\/h2>\n<p>So how did XBOW get to the top of the leaderboards to begin with? 
It stems from improvements in LLMs\u2019 ability to solve cybersecurity-specific problems.<\/p>\n<p>Most cyber professionals have taken part in \u201cCapture the Flag\u201d (CTF) challenges, where they are given a series of security-related puzzles and exploit vulnerabilities to \u201ccapture\u201d a piece of data.&nbsp;&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>XBOW was originally trained on CTFs, and de Moor and others told CyberScoop that LLM technology has come a long way in solving these types of challenges. He estimated that a year ago, cutting-edge LLM programs were only capable of solving around 16% of CTF challenges they were given, and \u201conly really quite simple ones.\u201d<\/p>\n<p>But that has rapidly changed over the past year, and some AI cybersecurity experts said they believe that CTF-like challenges provide excellent foundational training for cybersecurity models.<\/p>\n<p>A recent study from DreadNode, an offensive security machine-learning platform, exemplifies this progress. The study found that some frontier LLMs like Anthropic\u2019s Claude can now solve complex CTF challenges \u201cwith remarkable efficiency \u2014 completing in minutes what typically takes humans hours or days.\u201d<\/p>\n<p>Many of the capabilities demonstrated across these challenges translate to different functions in cybersecurity, including AI red-teaming and penetration testing, bug-bounty hunting, vulnerability management and more effective monitoring of LLM-driven security threats. 
They\u2019re far from dominating \u2014 Claude was only able to solve 43 of the 70 measured challenges \u2014 but their success rate has steadily improved in ways that make these tools more useful across different cybersecurity tasks.<\/p>\n<p>Will Pearce, DreadNode\u2019s founder, told CyberScoop that the findings are reflective of how automation and AI tools are becoming commonplace in many cybersecurity jobs and functions, converging around a process that is \u201cstill human directed\u201d but at a higher level of abstraction.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWhether it\u2019s red-teaming or whether it\u2019s bug hunting, whether it\u2019s network ops or vulnerability discovery \u2026 anything you might want to do in cyber, you really just have this slow march towards an outcome that you want,\u201d Pearce said.<\/p>\n<p>Notably, all the models tested flunked the two tasks that are the most time-consuming for humans to solve, suggesting that some aspects of security still require human ingenuity.<\/p>\n<p>De Moor said XBOW was also trained on CTF challenges, and the company developed a custom scoring system that allowed them to port that overall process to XBOW\u2019s broader work hunting for vulnerabilities.<\/p>\n<p>Because CTF challenges tend to have binary results \u2014 you either obtain the flagged data or you don\u2019t \u2014 it helps cut down on one of the biggest problems LLMs bring to the table: hallucination.<\/p>\n<p>But it doesn\u2019t eliminate them. 
De Moor said XBOW\u2019s false-positive rate now fluctuates between 0% and 10% depending on the type of vulnerability it\u2019s working on, but stressed that every bug reported to HackerOne has been validated.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"h-the-future-of-cybersecurity\"><strong>The future of cybersecurity?<\/strong><\/h2>\n<p>Tools like XBOW represent a notable milestone for the cybersecurity industry, demonstrating substantive capabilities that could potentially offer real business tradeoffs \u2014 provided compute costs come down \u2014 in the near future.<\/p>\n<p>But veteran bug hunters aren\u2019t stressing or rushing to branch out into other fields.<\/p>\n<p>Casey Ellis, founder and adviser at BugCrowd, another major bug bounty platform, told CyberScoop that XBOW appears to have been primarily designed as a web application penetration testing tool, with a workflow that is \u201cautonomous within the scope you set for it.\u201d<\/p>\n<p>\u201cIn general, the kinds of vulnerabilities it [and other semi-autonomous hacking agents] can find vary pretty wildly in impact, but they share a common attribute: They are relatively easy to test for, and easy to programmatically confirm,\u201d Ellis said. \u201cAI-driven hacking tools are naturally inclined to being effective at this broad characteristic within vulnerabilities, mostly because LLMs are very good at working with firm instructions and clear feedback loops.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Ellis doesn\u2019t downplay the value of that kind of work. He noted that the internet is full of errors that allow for cross-site scripting, server-side request forgeries, exposed secrets and other programmatically predictable bugs. 
These programs do best when placed in \u201ctarget rich environments for systems that can run 24\/7 without sleep, and that are 100% optimized for their discovery.\u201d<\/p>\n<p>Ellis believes that systems like XBOW will create more competition for human bug hunters at the initial discovery phase, comparing it to the emergence of external attack surface management platforms a decade ago that made it easier for practitioners to automate attack surface monitoring.<\/p>\n<p>But he doesn\u2019t see AI bug hunting completely replacing humans anytime soon, noting that the discovery phase of bug-bounty work \u201cisn\u2019t the hard part\u201d and the internet and software will remain riddled with security vulnerabilities to keep both man and machine occupied.<\/p>\n<p>\u201cThere\u2019s plenty left behind and new vulnerabilities being introduced daily,\u201d he said, \u201cand the role for bounty hunters and researchers is to learn and understand what these systems are good at, what they aren\u2019t, and where there\u2019s an opportunity to complement human with machine.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5963302752294\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. 
Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a 
href=\"https:\/\/cyberscoop.com\/is-xbows-success-the-beginning-of-the-end-of-human-led-bug-hunting-not-yet\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is XBOW\u2019s success the beginning of the end of human-led<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,105,2492,78,4570,256,310,1173,1],"tags":[236,111,2494,86,4571,262,311,1177,325],"class_list":["post-7795","post","type-post","status-publish","format-standard","hentry","category-ai","category-artificial-intelligence","category-bug-bounty","category-cybersecurity","category-red-team","category-research","category-technology","category-threat-hunting","category-uncategorized","tag-ai","tag-artificial-intelligence","tag-bug-bounty","tag-cybersecurity","tag-red-team","tag-research","tag-technology","tag-threat-hunting","tag-uncategorized"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/artificial-intelligence\/\" rel=\"category tag\">artificial intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bug-bounty\/\" rel=\"category tag\">bug bounty<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/red-team\/\" rel=\"category tag\">red team<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category 
tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-hunting\/\" rel=\"category tag\">Threat hunting<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7795"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7795\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}