The first question we get when talking with CISOs is if Xint/AI replaces human cyber experts because LLMs are so good at bug discovery. Short answer: no xint.io/blog/ai-cybe...

When @jameswilson.io reached out, he was upfront with his criticism for how we disclosed copy fail publicly. But we appreciated his willingness to listen and understand how AI has exposed risks in established disclosure protocals that had been dormant under the surface...

Our co-founders spoke w/Risky Business about what we learned as a result of the disclosure for copy fail and what it says about the reality of established disclosure processes when AI-armed attackers can backwards engineer an exploit in hours with just a CVE and a patch risky.biz/RBFEATURES22/

As a follow up to our copy fail research, here is our post sharing our PoC for container escape of this bug, which is part of why it was so unique xint.io/blog/copy-fa...

Verizon's DBIR is out & it backs up a lot of what we've been saying: -> More breaches are kicking off w/vuln exploitation -> AI tools are being used to automate the stages of an attack -> Orgs are patching fewer vulnerabilities and taking longer to do so. www.databreachtoday.co.uk/verizon-brea...

A huge thanks to Xint by Theori for becoming an OWASP Corporate Supporter! Xint.io brings AI-native AppSec that finds real vulnerabilities and proves exploitability in live apps, helping teams cut false positives, speed up validation, and triage with detailed trigger and impact reporting.

As a follow up to our copy fail research, here is our post sharing our PoC for container escape of this bug, which is part of why it was so unique xint.io/blog/copy-fa...

AI gets a lot of big headlines but lacks in transparency. As practical offensive security researchers we want to know not just if a SOTA model found a bug, but also what was the bycatch and what did it take for human beings to validate the findings xint.io/blog/xints-f...

SAST vendors call every finding a vulnerability because “we found 10,000 vulnerabilities” lands harder in a sales meeting than “we found 10,000 code patterns that might be risky.” But 10k "findings" isn't what product security teams need in the real world xint.io/blog/171258

Here is a brief overview of two kernel-level vulnerabilities uncovered by Xint Code in iOS and iPadOS and now patched: CVE-2026-28972 and CVE-2026-28986 xint.io/blog/kernel-...

What assumptions are you making about how your data is being used and stored when you use LLMs to find bugs in your code? xint.io/blog/zero-da...

CVE-2026-23479 was one of the high severity bugs we found when we won at Wiz's ZeroDay Cloud competition. Be on the lookout soon for the technical deep dive on ZDC blog redis.io/blog/securit...

When a SAST tool reports 10,000 vulnerabilities and a pen tester reports 50, most buyers read that as “the SAST tool is more thorough.” What it actually means is that the two tools are counting different things. xint.io/blog/171258

If you run MariaDB in production, take action now. Any user who can open a SQL session — whether through stolen credentials, SQL injection, or lateral movement — can reach this code path with a single function SQL statement. www.zeroday.cloud/blog/mariadb...

Review of our Mythos research paper. The TLDR: you can get better appsec performance in real-world conditions through scaffolding than with SOTA models that are invite-only www.youtube.com/watch?v=j7Co...

New on the Wiz ZeroDay Cloud blog: our researchers give technical deep dive on PostgreSQL pgcrypto heap buffer overflow leading to RCE. This particular bug had lain hidden in the codebase for over 20 years until we found it in just a few hours with AI. www.zeroday.cloud/blog/postgre...

After AIxCC wrapped in 2025, @DARPA worked with Xint and the other top performers to ensure the innovation continued even after the contest was done to secure the internet's open source infrastructure. Here is story of CVE-2026-31789 xint.io/blog/170315

CISA adds Copy Fail to their known exploited vulnerability (KEV) catalog www.cisa.gov/news-events/...

What did it look like when Xint found copy.fail? What makes Xint findings unique is not just finding a bug + location autonomously but also providing trigger conditions and exploit impact so the teams were able to quickly POC and prioritize as the high severity bug it turned out to be.

Patch your Linux boxes! Copy.Fail is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years. A small, portable python script gets root on all platforms. Found by the teams at @theori_io and @xint_official More details below xint.io/blog/copy-fa...

'Before [Xint researcher] started working on automatic bug finding with AI he worked on vuln research, finding 0days & reporting them to maintainers. It used to take weeks or months to find a high-impact vulnerability in a brand-new codebase...now it only takes hours www.theverge.com/ai-artificia...

Our cofounder/CTO and VP of were interviewed as part of this article from @spectrum.ieee.org about what the ramifications are for the launch of #mythos. spectrum.ieee.org/anthropic-cl...

We're excited to join OpenAI's Trusted Access for Cyber program. This selective program ensures frontier capabilities for organizations defending the web's critical infrastructure. For Xint clients this means they are securing their applications and codebases with the most advanced models available

Join award-winning security researcher @tylerni7.bsky.social on @techstronggroup.bsky.social for this hands-on workshop for product security practitioners. webinars.techstronglearning.com/how-to-condu...

Complacency is the biggest risk in cyber. And nothing fosters more complacency than code that looks right and compiles right. Business logic vulnerabilities are particularly nefarious and particularly hard to catch precisely because the rules are being abused, not broken xint.io/blog/what-ar...

Big news: Samsung Electronics selected Xint as a strategic tool to overcome the limitations of traditional manual security audits and to eliminate security blind spots. theori.io/news/316173a...

Don't miss this session on @techstronggroup.bsky.social featuring our VP of Product as he discusses how AppSec needs to be reborn in era of attackers using AI to find vulns in the forgotten corners of apps + codebases faster than defenders could act webinars.techstronglearning.com/appsec-in-20...

There's no one model that is best for each of the tasks and subtasks involved in bug finding, validation, and severity assessment in real world conditions. theori.io/blog/162013

Anthropic is (rightfully) generating a lot of attention for Mythos’s ability to find 0days, BUT the hard problem is not whether an LLM can recognize a bug when pointed at it... go.xint.io/xint-mythos-...

Here's our public bug tracker if you want to stay up to date with all our autonomous findings. All bugs listed here were found using either Xint Code or Xint Web with no human interaction. We work with project maintainers to ensure responsible disclosure xint.io/public-bug-t...

🚨 🚨 A critical #CPython #CVE today took less than 45mins of human work to find, triage & fix because of Xint: 🚄 Xint Code found it in a Fast scan on the repo w/no prompting 💥 Coding assistant reproduced it on first try 🛠️ Maintainers pushed a fix 30 minutes after the report. theori.io/blog/finding...

New from our CEO: Coding agents are scaling software faster than security can scale review. Example: while PRs per author increased 20% year over year, incidents per PR increased 23.5% and change failures increased 30% over the same period. theori.io/blog/156904

You would think scanning 100k code lines would be 2x more than 200k but when it comes to AI linear increases -> to exponential increases in token burn. But w/Xint's well-architected scaffolding our customers know what their pricing will be even for vast volumes. theori.io/blog/154812

Xint not only found high sev bug in a critical open source project (#PostgreSQL) that had gone undetected for over 20 years, but it also provided full trigger conditions and exploit impact narrative so that maintainers could validate faster - all w/out human intervention go.xint.io/xint_oss_res...

Yes, the quality of our results wins head-to-head competitions against the world's best hacker teams, but it's our practical experience in offensive security that makes Xint frictionless and actually useful for product security:

🚨 🚨 NEW: Disclosure + PoC for a remote heap-buffer-overflow in CUPS found autonomously by Xint Code is now public (see link below) github.com/OpenPrinting...

Human judgement excels at using business context to prioritize the vulnerabilities that matter. But time and resource constraints have led to reliance on rigid, rules-based automated code scanners with limited sets of attack vectors they can detect.

Great interview with The AI People's and our co-founder Andrew Wesie + VP of Product going deep into how AI is actually being applied in cybersecurity. www.youtube.com/watch?v=Tw1g...

Anthropic's new model "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.” fortune.com/2026/03/26/a...

Buggy code is the easy problem to fix because engineers can see when it doesn’t compile correctly. The much harder problems are those where the code executes correctly but violates the large business context. theori.io/blog/what-ar...

Meet the researchers behind this paper validating human-like ability to validate and prioritize vulnerabilities across entire codebases at @rsaconference.bsky.social booth S-2436 go.xint.io/xint_oss_res...

Meet the security researchers who showed how to achieve human-like assessments of attack paths and business impact using AI-native autonomous code scanning at RSA booth S-2436 go.xint.io/xint_oss_res...

What if you could have the expertise of human pentesters at machine speed and scale? Check out the future of AppSec at the Xint booth this week at RSA booth S-2436 go.xint.io/xint-rsac-2026

New site just launched! Learn about: - Xint Code: Fully autonomous code vulnerability scanner - Xint Web: Fully autonomous AI hacker Find the vulnerabilities that real hackers would exploit, instead of drowning in a sea of false positives and trivial bugs. xint.io

Do you trust your dependencies? Xint Code can see this "invisible" backdoor. arstechnica.com/security/202...

It's official: Xint Code - the same technology that has won some of the most prestigious hacking competitions in the world - is now commercially available. www.businesswire.com/news/home/20...

What does it look like when the world's best hackers rebuild AppSec from the ground up with AI? Check us out at RSAC this year to see. Booth # S2436

What does it take to maintain a critical codebase at scale? How do you get human-like insight when analyzing millions of lines of code? If you're at RSA join us on March 24 for a special happy hour at the Hanwha AI Center. RSVP now before spots fill up. go.xint.io/xint-rsa-hap...

1/3 Finding bugs was never the hard part - for #prodsec teams the real challenge was finding the real exploitable bugs that could hurt the business. go.xint.io/xint_oss_res...

Hackers aren’t breaking the rules — they’re gaming the rules to abuse the system. Business logic flaws hide in legitimate system workflows. Most scanners, even next-gen AI, analyze in isolation and miss this type of exploits. theori.io/blog/119529