Leandro Barragan (@lean0x2f)'s Twitter Profile
Leandro Barragan

@lean0x2f

Offensive Security Researcher x2f.me | xbow.com | swordbytes.com

ID: 796854259467821056

Joined 10-11-2016 23:17:15

590 Tweets

2,2K Followers

363 Following

XBOW (@xbow)

Tomorrow, 10:00 AM @ #defcon33 djurado & Niemand break down how we built XBOW. Hear about the journey, the challenges, and the most impressive bugs we've found, straight from our top researchers.

Brendan Dolan-Gavitt (@moyix)

Wandering through DEFCON someone yelled at me “hey it’s Mr False Positives!!”. Sadly, I was slightly too slow on the uptake to reply “That’s right, first name ‘Zero’”

jack morris (@jxmnop)

OpenAI hasn’t open-sourced a base model since GPT-2 in 2019. they recently released GPT-OSS, which is reasoning-only... or is it? turns out that underneath the surface, there is still a strong base model. so we extracted it. introducing gpt-oss-20b-base 🧵

Critical Thinking - Bug Bounty Podcast (@ctbbpodcast)

XBOW's architecture is incredible: a coordinator spins up multiple "solver" AIs that each hunt for specific vulns on different endpoints. Each uses isolated attack machines so if the target tries to counter-attack, it can't reach XBOW's main systems.

Leandro Barragan (@lean0x2f)

Lots of people asked me about the models XBOW is using. This and Albert's blog post about alloys may answer some of your questions (alloys here: xbow.com/blog/alloy-age…)

Leandro Barragan (@lean0x2f)

Xbow concludes its HackerOne & Bug Bounty efforts. It was a nice playground to hack live, real-world targets. Our pentest customers are already benefitting from all the experience we harvested :)

Leandro Barragan (@lean0x2f)

"XBOW isn’t here to replace pentesters or researchers; it augments teams. By removing routine burdens from penetration testers, it frees them to explore frontier vulnerability classes and the application-specific bugs that matter most." xbow.com/blog/xbow-on-h…

Leandro Barragan (@lean0x2f)

I had the pleasure of working at the company this genius founded in 1996 (!). He and a handful of others shaped the spirit of the Argentinian hacking scene, sharing their knowledge and infecting us with curiosity.

Simone Margaritelli (@evilsocket)

Legba v1.1.0 is out! 🥳 This is a major release that required a significant amount of (human) effort, bringing several key improvements that deserve individual attention. 🧵👇
Gareth Heyes (@garethheyes)

I discovered how to use CSS to steal attribute data without selectors and stylesheet imports! This means you can now exploit CSS injection via style attributes! Learn how below: portswigger.net/research/inlin…

Leandro Barragan (@lean0x2f)

Enterprise security products don’t need to be secure (or even good at all) to be sold like hotcakes. 61B market cap and a myriad of vulns. No one cares about that other than people like us, this is as old as time :(

Bug Bounty Village (@bugbountydefcon)

It's out!! You can now watch Daniel Jurado and Niemand's talk: "Prompt. Scan. Exploit - Ai's Journey Through Zero-Days, and a Thousand Bugs". Learn more about XBOW and autonomous hacking. You can watch it exclusively on our YouTube channel: youtu.be/y_aQQmDMaY4. Enjoy!

Harley (@infinitelogins)

This week, Disclosed. #BugBounty H1-65 Singapore & H1-468 Stockholm winners, new H1-Elites, Google’s AI VRP, YesWeHack wins EU tender, new programs, tools, write-ups & videos — and more. Full issue → getDisclosed.com Highlights below 👇 TikTok US & OKX H1-65