In 90 days, an artificial intelligence system identified 1,060 vulnerabilities at companies on the HackerOne bug bounty platform, including 54 critical ones. More remarkably, it did something no autonomous system had ever done before: it topped the U.S. leaderboard, beating thousands of human hackers competing for the same bounties. That system was XBOW.

That achievement, which happened in 2025, explains why on May 6, 2026, six of the world's largest technology and security companies decided to write checks to the Seattle startup not just as venture investors but as strategic customers doubling down on their own bets. XBOW closed a $35M extension to its Series C financing, just seven weeks after raising the initial $120M tranche in March. The round brought total Series C funding to $155M and lifetime capital above $270M. The investors were NVIDIA, Samsung, Accenture, SentinelOne, Liberty Global, and DNX Ventures. Notice what they all have in common: they are not financial investors waiting for a liquidity event. They are all either customers, resellers, or integration partners of XBOW.

Ramin Sayar, joining XBOW's board as part of the earlier Series C from DFJ Growth, put it plainly: the company is operating at "massive scale" with teams that now number more than 250. The startup, founded by Oege de Moor (the engineer who created GitHub Copilot), has moved past proof-of-concept. It is now moving distribution and capital toward Asia-Pacific expansion, with Samsung designated as the preferred South Korean reseller and DNX Ventures handling regional go-to-market.

The mechanics of XBOW's platform help explain why this matters. The company does not conduct point-in-time penetration tests every quarter. Instead, it deploys a persistent coordinator that directs thousands of parallel AI agents across a customer's infrastructure continuously. Each agent receives fresh context and a focused objective. The agents attack, adapt, learn, and report findings back to the coordinator, which validates every vulnerability before it reaches the customer's security team. The reports themselves meet SOC2, ISO 27001, and other compliance framework requirements. This is not a tool for checking a box; it is a tool for finding what human-led penetration tests miss because they happen once or twice a year and are bound by time, budget, and human attention span.

The HackerOne validation created the permission structure for enterprise spending at scale. In a head-to-head matchup across 104 real-world vulnerability scenarios, a seasoned human penetration tester required 40 hours of work. XBOW completed the same objectives in 28 minutes, an 85x speed advantage. The vulnerabilities it found were validated by HackerOne's own researchers and the target companies themselves, not just claimed by XBOW in a press release. One finding: a zero-day in Palo Alto's GlobalProtect VPN platform that exposed more than 2,000 hosts. That is the kind of result that gets circulated in security leadership meetings. It proves the system does not just run fast; it finds things that matter. Of the nearly 1,060 submissions across a 90-day window, 242 were rated high severity and 524 medium. Only a fraction were critical, but the sheer volume and consistency of valid findings is what moved the needle.

What created the conditions for this funding round was not just XBOW's product progress but the capital structure of the security market itself. The World Economic Forum's Global Cybersecurity Outlook 2026, produced with Accenture, reports that two-thirds of organizations expect AI to have the most significant impact on cybersecurity in the year ahead. Yet only 37 percent have processes in place to assess the security of AI tools before deployment. That gap between expectation and readiness creates an opening for vendors that can demonstrate both capability and safety.

XBOW's customers now include more than 100 organizations worldwide, including Moderna and the Czech internet company Seznam. When those customers are also your investors, they are not hedging their bets. They are betting their own security posture on the premise that XBOW's autonomous agents will not break things, will find real vulnerabilities, and will scale faster than hiring human security teams.

Here is what the investor composition actually signals: large enterprises have moved from viewing autonomous offensive security as a pilot project to viewing it as essential infrastructure. NVIDIA gains AI-native tooling for its own customers. Samsung gains a product it can integrate into its security services business across South Korea and beyond. Accenture gains a capability to embed into its managed security services and consulting. SentinelOne gains continuous vulnerability discovery that feeds its EDR platform. These are not portfolio bets on a promising startup. These are stake-in-the-ground moves on a capability that competitors are also moving toward. If you are not in, your customers will hear about it from a rival who is.

The real read: XBOW has already won the fundamental question, which was whether autonomous penetration testing could actually work without creating false positives or missing material findings. The HackerOne leaderboard proved it. What remains is not a technical proof but a distribution and scaling problem, and XBOW's investor composition tells you that large enterprises have moved past the "should we" and into the "how fast can we."

The company's founder lives in Malta, its official address is a Pioneer Square coworking mailbox, and it is raising hundreds of millions in capital to put AI agents on the networks of Fortune 500 companies. That asymmetry is the actual story. The company that matters operationally is not the one with the glossy headquarters. It is the one that customers will bet their own capital on. XBOW is that company.

Watch three things. First, the Microsoft integration that launched in public preview at RSAC 2026: if it gains adoption across Microsoft's installed base, that moves XBOW from point solution to ecosystem component, which is when competitive moats start to form. Second, the Asia-Pacific expansion timeline: DNX Ventures and Samsung's reseller arrangement will show whether XBOW can replicate its North American playbook in markets where local security vendors have entrenched relationships. Third, the next Series C update in customer count and contract sizes: the two tranches came seven weeks apart, which suggests the company is raising not on a predetermined schedule but on observed traction. If that pattern holds and customer growth accelerates, you will see follow-on capital within 12 months, likely north of $100M. If it does not, the investors just wrote large checks based on enterprise momentum they believed would continue. That is the bet.
XBOW closes $35M Series C extension, customers now investors
Autonomous penetration-testing startup XBOW raised $35M from six strategic investors who are also customers, pushing total funding above $270M and signaling a shift in how enterprises adopt AI-driven security.
TL;DR
- XBOW raised a $35M extension to its Series C on May 6, closing $155M total for the round, valuing the company above $1B.
- Every investor is also a customer or distribution partner, blurring the line between venture capital and enterprise adoption.
- The company's credibility stems from topping HackerOne's U.S. leaderboard in 2025 with 1,060 validated vulnerabilities in 90 days.
Key Takeaways
- XBOW's funding model proves that large enterprises now view AI-driven offensive security as strategically critical enough to invest in alongside deployment.
- The HackerOne validation (1,060 vulnerabilities, 85x speed advantage over human testers) eliminated skepticism that mattered: the platform works at scale.
- Strategic investors like Samsung, SentinelOne, and NVIDIA gain first-mover advantage in integrating autonomous penetration testing into their own product stacks.
What it means
XBOW's customer-as-investor model signals that large enterprises no longer view autonomous offensive security as experimental or external; they are betting capital on it as core infrastructure, accelerating AI security tool adoption across Fortune 500 organizations.
