Inside the Rise of Autonomous AI Hackers: XBOW's Oege de Moor
Oege de Moor, founder and CEO of XBOW, takes the AI Ascent 2026 stage to argue that autonomous AI hackers are already winning. He explains how XBOW's bot became the #1 ranked hacker on HackerOne in August 2025 using only black-box access, how it found a vul...
- Published May 6, 2026
- Uploaded Jun 11, 2026
- File type
- YouTube
- Source
- youtu.be
Full transcript
AI-generated transcript with timestamped sections.
Thank you very much. You've all heard the story about the breach of the Mexican government. Human hackers used OpenAI and Anthropic as assistants in order to achieve a massive data breach. Well, what I want to talk to you about today is autonomous hacking, where the AI does all the work without any human assistance. The situation in cybersecurity today is akin to the Battle of Nagashino in 1575 in Japan. In this picture, on the left-hand side is the army of Oda Nobunaga. Nobunaga was an upstart, he was a minor warlord, but he treated warfare as a system to be optimized.
And in particular, he used the very latest weapons, the very latest guns. On the right-hand side is the Takeda clan. The Takeda clan was extremely famous and their cavalry was thought to be invincible. They have many well-known warriors who had earned their skills in battles before. But guess who won? The situation in cybersecurity is going to be exactly the same. Those with AI will win. Just to set the scene, let me tell you about one particular vulnerability. A couple of weeks ago, Microsoft announced a remote code execution vulnerability in Bing Image Search.
Bing Image Search, one of the best secured systems in the world, very well secured by the engineers at Microsoft, but also hammered by thousands of hackers from all over the world trying to get it. A remote code execution vulnerability, the very worst kind of vulnerability, where you can run arbitrary code on the target system, complete takeover. This vulnerability was found by the product of my company, XBOW, and the only input it needed was the URL. Nothing else. And the cost? $3,000 at list price; that's not what it costs us. So it's fast, it's cheap,
and extremely effective. The way XBOW works is very much like a human hacker. It starts by reconnaissance, it sends out a bunch of scouts, agents that discover the attack surface. It prioritizes what endpoints look most juicy, most promising for an attack, and then it goes in and tries every relevant attack type. Despite evidence like this, many human security researchers believe that it's impossible to completely autonomously carry out this task with a machine. So in order to counter that skepticism, already last year, my company entered our bot, XBOW, onto the HackerOne platform. HackerOne is this platform that connects companies that want the systems to be tested with ethical hackers, who will then go and attack those systems and report what vulnerabilities they find. If they report good vulnerabilities, they get paid the bounty and they get points. Within a few weeks, XBOW first became the number one hacker in the United States, and then in August, it became the number one hacker in the world.
And I have to stress, this is completely black box testing. It's just like the Bing example I mentioned before. You only give it the URL. Nothing else; the AI does the work completely autonomously. And that was back in August. The foundation models that we are building on have enormously progressed since then. This is on a set of open source real web applications. These are not some Mickey Mouse cyber benchmarks. And we started back in March last year with Sonnet 3.7, and then it reached the top of the HackerOne leaderboard with an alloy of Sonnet 4.0 and Gemini 2.5.
I can't resist briefly telling you about alloys. So think of these attacks as a sequence of actions. At every step, you flip a coin to decide what model to ask: either ask Gemini or ask Sonnet. This is much better than either model separately. It's a bit like pair programming. The two models compensate for each other's mistakes. So then, shortly after XBOW topped the HackerOne leaderboard, GPT-5 came out. Just extrapolating from its performance, it would have done at least three times better. So in August, XBOW was a little bit better than the best human on HackerOne.
With GPT-5, it would have been three times better. And since then, the models have only gotten better. And as you can see, we better collect a new set of benchmarks because it's pretty much saturated. So how should you think about this in relation to muscles? MyFest has mostly been reported as a tool that reads the source code extremely well and points out potential flaws in the code. This is white box testing. It's not like what I was talking about before, purely black box testing; you actually have access to the source code, which of course has a different way you do.
But as an attacker, you don't necessarily. Yeah. The question with this code analysis stuff is: are the weaknesses actually exploitable in the wild? And if they are exploitable, does it matter? What's the impact? Where can I go? If I can-- execute remote, I can do remote code execution on the Bing server, where else can I get to? I can't tell you. And of course, there's many other vulnerabilities that are configuration or deployment problems. You can't actually use them from the source code itself. So these are the questions that XBOW answers for you.
Thank you. Thank you. If you get to know about an exploit, it's probably already too late. So typically, for the Bing example, people publish a CVE to let the world know that there was a vulnerability. Back in 2018, the delay between publication of a CVE and bad actors exploiting it in the wild was almost two and a half years. Today, the number has gone negative. For most CVEs, it is already being exploited before the CVE is even published. Thank you. So in view of all this evidence, it's incomprehensible to me that whenever there's news about AI and security, traditional cybersecurity stocks drop.
This makes no sense at all. We need every possible defense that we can get against these autonomous AI-powered attacks. So, so far I've been preaching like Nostradamus, telling you about all the bad things that might happen. So let's try and rally the spirit of Nobunaga, that Japanese warrior I talked about at the beginning, and see what can be done. So first of all, all of you, everyone who's working on frontier models, you must maximize the cyber capabilities. No more talk about whether it's safe to do that or not. We're in an arms race.
We have to make sure that we have the very best models to power this type of work. Secondly, we need to enable human security researchers to use this as an extension of their own work in order to maximize the chances that we find all the vulnerabilities before the bad guys do. And finally, you need to prioritize with methods. You need to know whether the bugs are truly exploitable and what their impact is going to be, and XBOW can help with that. We've got about six to nine months to do this.
Just extrapolating from the progress, we are software engineering agents. In six to nine months, we will have open weight models that are just as good as my thoughts on similar models. And so if you want to have a nice Thanksgiving dinner with your family, you better start fixing now. Thank you. Thank you.