The world of ethical hacking is evolving fast, and leading the charge is XBOW, a top performer on HackerOne’s leaderboard. But XBOW isn’t a person. It’s a hackbot — an AI-driven tool developed by an offensive security firm. Its success has sparked serious questions: Are human hackers becoming obsolete? Or is this just the beginning of a new hybrid era?
What is XBOW?
XBOW is not a self-aware hacker but a specialised AI agent designed to find security flaws at scale. As of now, it has already discovered over 255 vulnerabilities, mostly targeting low to medium-severity flaws. The tool excels in speed and scale, scanning vast codebases and infrastructures far faster than any human.
The Human-AI Divide in Hacking
According to Michiel Prins, co-founder of HackerOne, while hackbots dominate in terms of quantity, humans still lead in quality. Bots uncover surface-level issues quickly. But human minds are best at detecting critical, high-severity bugs that impact business logic.
“Hackbots don’t sleep. They find vulnerabilities fast. But humans still discover the ones that truly matter,” says Prins.
Rise of the Bionic Hacker
The future might not be man vs machine, but man with machine. Prins calls the practitioners of this approach bionic hackers: individuals who use AI tools to boost their productivity without handing over critical human judgment.
Many top ethical hackers already integrate AI into their workflows, using it to speed up scanning, triage alerts and draft potential exploit code. This hybrid model increases efficiency while retaining the nuanced thinking only humans can provide.
Bug Bounties and the Business of Hacking
Despite automation, HackerOne reports that valid vulnerabilities have increased by 12% year over year. Over 78,000 security flaws were reported last year, with 27% classified as high or critical severity.
However, average bounty payouts have declined. In 2021, the average reward was $1,246, compared to $1,116 in 2025. Severe vulnerabilities still fetch thousands, but competition from bots may be driving down the market rate for simpler finds.
AI Hallucinations: The Hidden Risk
As more hackers use AI to write vulnerability reports, false positives and exaggerations are rising. Some AI-generated reports contain hallucinated vulnerabilities — issues that don’t actually exist.
“These models try to please. So instead of facts, they sometimes exaggerate to sound impactful,” warns Prins.
To maintain trust and efficiency, HackerOne requires that all AI-discovered vulnerabilities be validated by humans. Clear, emotion-free documentation is essential.
Why AI Still Needs Humans
Despite advances, AI still struggles with business logic flaws. These are complex vulnerabilities that involve understanding how a process should or shouldn’t work.
“Some of the most interesting high-impact vulnerabilities come from broken business logic,” Prins explains. “Those are very hard for an AI to find.”
Hackbots like XBOW are a powerful addition to the cybersecurity arsenal. But they aren’t replacing humans — they’re augmenting them. Proper oversight, validation, and cooperation are essential. AI can amplify human expertise. It can help defend against the growing complexity of cyber threats.
As AI hacking tools continue to evolve, so too must our understanding of them. The key to staying ahead lies not in resisting change, but in learning to work alongside the machines.