XBOW Raises $120M in Series C to Expand Autonomous Offensive Security Platform
Funding Details: $120M, Series C
Security used to be a game of reaction. Find the bug after it bites, write the report, patch the wound, repeat like it’s a ritual nobody questioned. XBOW looked at that loop and decided it was a little too comfortable. So they built something that doesn’t wait its turn. An autonomous hacker that moves continuously, thinking, probing, validating, the way a real adversary would, except this one doesn’t get tired, sloppy, or distracted. It just keeps going until it finds what matters.
That’s the lane XBOW is carving out, and the market just placed a $120M Series C bet on it. Co-led by DFJ Growth and Northzone, with Sofina and Alkeon Capital stepping in and Altimeter, NFDG Ventures, and Sequoia Capital doubling down, this round pushes XBOW past the $1B+ mark. Not bad for a company that showed up in January 2024 and decided to teach machines how to think like adversaries instead of dashboards.
Credit where it’s due. Oege de Moor built GitHub Copilot, so teaching machines how developers think was already handled. Now he’s flipped the perspective and asked a better question. What if the machine thinks like the person trying to break the code instead?
Alongside Oege de Moor, Nico Waisman brought the operator’s edge from Lyft, assembling a team that understands real-world attack surfaces, not theoretical ones. Add Niroshan Rajadurai driving revenue as CRO, Jonaki Egenolf shaping the narrative as CMO, Dean Breda locking down the legal spine as GC, and WonLae Lee opening doors in South Korea, and you start to see the pattern. This isn’t a lab experiment. It’s a system designed to move.
XBOW’s platform doesn’t just scan and flag. It probes, adapts, validates. It proves something is broken before it bothers you with the alert. Proof over probability. Less noise, more signal. In a world drowning in false positives, that alone feels like someone finally turned the lights on.
The takeaway for founders is sitting right there in plain sight. They didn’t chase “AI for security” as a headline. They picked a specific pain, continuous offensive testing, and went deep enough to make the output undeniable. Then they surrounded it with credibility. Builders, operators, investors who’ve seen enough cycles to know when something actually has teeth.









