Federico Kirschbaum on XBOW, AI Hackers, and the Future of Pen Testing

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem x Ekoparty Miami: Federico Kirschbaum, founder of Ekoparty and now head of Security Lab at XBOW, talks about what happens to offensive security when an autonomous AI hacker can find and exploit real vulnerabilities. Fede walks through XBOW's "Tales from the Trace," the surreal experience of watching a non-human adversary reason its way to an ASLR bypass, and why he believes pen-testing isn't dying but finally becoming accessible to far more than the world's biggest companies.

Plus, where humans still matter in the loop, whether an LLM-discovered bug is public by definition, the looming reckoning over software liability, and Halvar Flake's very honest fear of getting lazy.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Federico Kirschbaum.

Timestamps:
0:00 Fede's move to XBOW
2:20 What's XBOW building? An AI hacker for real vulnerabilities
5:53 Where the human stays in the loop
6:35 The Exim bug: a craftsman races the LLM to an ASLR bypass
10:49 Does bug discovery still need a human asking the right question?
16:24 A short history: Satan, CORE, Metasploit, bug bounties
18:48 An LLM-discovered bug is public by definition
24:12 Halvar Flake's laziness worry & the assembly-to-C parallel
29:47 Rising tides: script kiddies get the full gamut
41:02 The economics: does pentesting get cheap?
43:18 Argentina, Ekoparty, and an untapped talent pipeline

Links:

• Transcript
• Federico Kirschbaum on a life in the Argentina hacking scene
• Federico Kirschbaum on LinkedIn
• Federico Kirschbaum
• XBOW | Autonomous Offensive Security Platform
• Mythos for Offensive Security: XBOW's Evaluation
• Tales from the Trace: How Agentic AI Merges Static and Dynamic Testing
• Ekoparty Miami
• TLPBLACK