XBOW $35M Series C Extension 2026: NVIDIA and Samsung Back Cybersecurity
XBOW, the autonomous cybersecurity firm founded by GitHub Copilot creator Oege de Moor, has closed a $35 million Series C extension backed by NVIDIA, Samsung, Accenture, and SentinelOne, pushing total funding past $270 million at a valuation exceeding $1 billion.
LONDON, May 9, 2026 — XBOW, the Seattle-based autonomous cybersecurity firm founded by GitHub Copilot creator Oege de Moor, has closed a $35 million Series C extension round backed by NVIDIA's NVentures, Samsung Ventures, Accenture Ventures, and SentinelOne S Ventures, bringing the company's total Series C haul to $155 million and overall funding past $270 million. The round, confirmed on 8 May 2026, cements XBOW's unicorn status at a valuation exceeding $1 billion — a milestone reached barely two years after the company's 2024 founding. The capital will fund international expansion, with particular emphasis on the Asia-Pacific region, as XBOW surpasses 100 enterprise customers globally. For readers following the intersection of artificial intelligence and enterprise security, Business20Channel.tv's cybersecurity coverage has tracked the autonomous penetration-testing market since 2024. This analysis examines XBOW's capital strategy, the competitive dynamics against rivals Pentera and Cobalt, and what the participation of chipmaker and defence-adjacent investors signals for the broader security automation sector.
Executive Summary
- XBOW raised a $35 million Series C extension on 8 May 2026, bringing its total Series C to $155 million and lifetime funding above $270 million.
- Strategic investors include NVentures (NVIDIA), Samsung Ventures, Accenture Ventures, SentinelOne S Ventures, DNX Ventures, and Liberty Global Tech Ventures — several are active platform users.
- The company, founded in 2024 by Oege de Moor, the creator of GitHub Copilot, now serves more than 100 customers including Moderna and Seznam.
- XBOW has grown to over 250 employees and is hiring across engineering, go-to-market, and operations.
- Fresh capital targets Asia-Pacific expansion, intensifying competition with Pentera and Cobalt in the autonomous security-testing category.
Key Developments
The Funding Round: Who Invested and Why
The $35 million extension attracted a deliberately strategic syndicate. NVentures, NVIDIA's corporate venture arm, and Samsung Ventures bring hardware-level AI acceleration expertise; Accenture Ventures adds enterprise consulting distribution; SentinelOne S Ventures contributes endpoint-security domain knowledge; DNX Ventures and Liberty Global Tech Ventures round out the cap table with cross-border go-to-market reach. According to the announcement reported by TechFundingNews on 8 May 2026, several backers are also active users of the XBOW platform, a detail that strengthens the signal: these are not purely financial bets. The total Series C now stands at $155 million, and the company's overall funding exceeds $270 million — placing XBOW among the most heavily capitalised start-ups in the autonomous security-testing vertical, having amassed this war chest in roughly 24 months of operation.
Oege de Moor: From GitHub Copilot to Autonomous Pentesting
Oege de Moor's track record is central to XBOW's fundraising narrative. As the engineer who created GitHub Copilot, Microsoft's AI coding assistant now used by millions of developers worldwide, de Moor demonstrated that large language models could be harnessed for practical software-development tasks at scale. XBOW applies a conceptually adjacent philosophy to cybersecurity: instead of relying on periodic human penetration tests — typically conducted at quarterly or annual intervals — the platform probes applications continuously, around the clock, seeking exploitable weaknesses in the manner a real attacker would. The company was founded in 2024, and by May 2026 it serves more than 100 customers globally, including pharmaceutical giant Moderna and Czech search engine operator Seznam. XBOW has grown to more than 250 employees, with active hiring across engineering, go-to-market, and operations functions.
Market Context & Competitive Landscape
Autonomous Penetration Testing: A Crowded but Fast-Growing Niche
XBOW operates in the autonomous security-validation market, a segment that Gartner has identified as one of the fastest-growing sub-categories in cybersecurity. The company's primary competitors include Israel-based Pentera, which raised $150 million in a Series C in January 2024 at a reported $1 billion valuation, and Cobalt, a Node.js-based platform that takes a hybrid approach combining human pentesters with automated tooling. A third emerging competitor, Horizon3.ai, offers NodeZero, a continuous autonomous penetration-testing platform funded to approximately $100 million through 2025. XBOW's differentiation rests on three pillars: its founder's pedigree in AI-assisted code analysis, its continuous-validation methodology (as opposed to point-in-time scanning), and its ability to attract investors who are simultaneously customers — a pattern that lends credibility to product-market fit claims.
| Company | Total Known Funding | Valuation (Reported) | Headquarters | Key Differentiator |
|---|---|---|---|---|
| XBOW | $270M+ | $1B+ | Seattle, USA | Continuous AI-driven validation; founder created GitHub Copilot |
| Pentera | ~$215M* | ~$1B (2024)* | Petah Tikva, Israel | Automated security validation; large enterprise install base |
| Cobalt | ~$60M* | Not disclosed | San Francisco, USA | Hybrid human + automated pentesting; Node.js-based |
| Horizon3.ai | ~$100M* | Not disclosed | San Francisco, USA | NodeZero autonomous pentesting; US DoD contracts |
Source: TechFundingNews (8 May 2026) for XBOW data; competitor figures from Crunchbase and publicly reported rounds as of Q1 2026. Figures marked * are estimates based on public disclosures and may not reflect current totals.
Honest Assessment of Limitations
XBOW's rapid ascent is impressive, but it is not without risk. The company is barely two years old as of May 2026, and while 100 customers is a credible milestone, it remains a fraction of the addressable enterprise market. Pentera, by contrast, has been shipping product since 2015 and claims hundreds of enterprise deployments. Cobalt's hybrid model — combining AI with human pentesters — may appeal to regulated industries that require human-in-the-loop attestation for compliance. XBOW must also demonstrate that its continuous-validation engine scales across heterogeneous application stacks without generating excessive false positives, a persistent challenge in automated security testing that OWASP has documented extensively.
Industry Implications
Healthcare and Pharmaceutical
XBOW's inclusion of Moderna as a named customer signals traction in the life-sciences vertical, a sector where HIPAA compliance and the FDA's evolving cybersecurity guidance for connected medical devices make continuous security validation increasingly attractive. Pharmaceutical firms handling proprietary research data and patient records face heightened regulatory scrutiny; a platform that probes for exploitable vulnerabilities 24/7 — rather than once per audit cycle — could reduce the window of exposure that regulators and insurers increasingly penalise.
Financial Services and Government
Banking and government agencies are among the largest consumers of penetration-testing services. The European Central Bank's TIBER-EU framework mandates threat-intelligence-led red-teaming for systemically important financial institutions, while the US Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to adopt continuous monitoring. XBOW's model aligns with the direction of travel in both jurisdictions, though the company will need to obtain relevant certifications — including FedRAMP in the United States — to compete for government contracts, a domain where Horizon3.ai already holds a head start with US Department of Defense engagements.
Technology and Software Development
Given de Moor's background with GitHub Copilot, XBOW has a natural affinity with DevSecOps teams. The company's approach — testing applications as a real attacker would — dovetails with the NIST Cybersecurity Framework 2.0 emphasis on continuous assessment. For enterprise technology leaders, the appeal is clear: replace periodic, expensive manual pentests with always-on automated validation that scales with development velocity.
Business20Channel.tv Analysis
The Investor-as-Customer Signal
The most strategically revealing detail in this round is not the dollar amount — $35 million is, by 2026 standards, a modest extension for a company already valued above $1 billion. The signal lies in who wrote the cheques. When NVIDIA, Samsung, Accenture, and SentinelOne invest in a cybersecurity platform they also use operationally, the transaction serves a dual function: it is both a capital allocation and a procurement commitment. This pattern — investors converting into long-term enterprise customers — de-risks revenue projections in a way that purely financial backers cannot. NVIDIA's participation through NVentures is particularly noteworthy. As the dominant supplier of GPUs powering AI inference workloads, NVIDIA has a vested interest in the security of AI-native applications. XBOW's platform, which uses AI to simulate attacker behaviour, presumably runs inference-heavy workloads that benefit from NVIDIA hardware. The alignment creates a flywheel: NVIDIA invests in a company that both consumes its chips and secures the software ecosystem built atop them.
Why $270 Million in Two Years Matters
XBOW has raised more than $270 million in total since its 2024 founding. To contextualise that pace: Pentera, founded in 2015, has raised approximately $215 million over nine years. XBOW's fundraising velocity reflects two converging dynamics. First, the autonomous security-validation market is maturing faster than anticipated, driven by the sheer volume of software vulnerabilities disclosed — NIST's National Vulnerability Database recorded over 28,900 CVEs in 2023, a figure that rose further through 2024 and 2025. Second, de Moor's credibility as the architect of GitHub Copilot gives institutional investors confidence that the AI-driven approach is not vaporware but grounded in demonstrated technical leadership.
Asia-Pacific Expansion: Opportunity and Complexity
XBOW has earmarked the fresh $35 million for international growth, with Asia-Pacific as the priority region. This is a logical but challenging move. The APAC cybersecurity market is projected to exceed $65 billion by 2028, according to estimates from IDC. However, the region's regulatory landscape is fragmented: Japan's NISC framework differs materially from Australia's Essential Eight and Singapore's CSA guidelines. Samsung Ventures' involvement may smooth entry into the South Korean market, but XBOW will need local partnerships and compliance certifications in each target jurisdiction. For readers tracking cybersecurity market expansion, the APAC pivot will be a critical test of XBOW's operational maturity.
| Benchmark | XBOW | Pentera | Cobalt | Notes |
|---|---|---|---|---|
| Year Founded | 2024 | 2015 | 2013 | XBOW is the youngest entrant |
| Total Funding ($M) | 270+ | ~215* | ~60* | XBOW raised fastest |
| Named Enterprise Customers | 100+ | Hundreds (claimed)* | Not disclosed | Pentera has longer sales history |
| Employee Count | 250+ | ~500* | ~300* | Estimates; Pentera has 9-year head start |
| Testing Approach | Continuous AI-driven | Automated validation | Hybrid human + AI | Cobalt retains human-in-loop |
Source: TechFundingNews (8 May 2026) for XBOW data. Competitor data sourced from Crunchbase, company websites, and publicly reported figures as of Q1 2026. Items marked * are estimates.
Why This Matters for Industry Stakeholders
Chief information security officers (CISOs) evaluating autonomous pentesting tools should note three developments from XBOW's latest round. First, the participation of SentinelOne — a publicly traded endpoint detection and response (EDR) vendor listed on NYSE under ticker "S" — suggests potential future integration between autonomous pentesting and real-time endpoint protection. If XBOW's findings can feed directly into SentinelOne's detection logic, the combined value proposition becomes compelling for security operations centres. Second, enterprise procurement teams should scrutinise XBOW's approach to false-positive rates. Continuous testing at scale can flood security teams with alerts; the platform's ability to validate whether a vulnerability is genuinely exploitable — not merely theoretically present — is the critical differentiator that justifies the price premium over traditional scanners such as those offered by Tenable or Qualys. Third, boards and risk committees should recognise that autonomous pentesting does not eliminate the need for human red teams. Regulatory frameworks in financial services and healthcare still require human attestation for compliance audits. XBOW's technology is best understood as a force multiplier, not a replacement.
Forward Outlook
XBOW's trajectory over the next 12 to 18 months will be shaped by three variables. The first is execution in Asia-Pacific: penetrating markets such as Japan, South Korea, Australia, and Singapore requires not just sales presence but local-language support, data-residency compliance, and partnerships with regional systems integrators. Samsung Ventures' backing helps, but it is not sufficient on its own. The second variable is the competitive response from Pentera and Horizon3.ai, both of which have significant resources and established customer bases. Pentera's nine-year head start in enterprise sales cannot be dismissed, and Horizon3.ai's US government contracts give it a foothold that XBOW has not yet matched. The third — and perhaps most consequential — variable is whether XBOW pursues an initial public offering. At a $1 billion-plus valuation, with $270 million in funding and 250 employees, the company is approaching the scale at which public-market investors and underwriters begin circling. An IPO in late 2027 or 2028 is plausible, though market conditions and the company's path to profitability will determine timing. For now, the question that should occupy security leaders and investors alike is whether XBOW can convert its fundraising momentum and founder pedigree into durable market-share gains against entrenched competitors — before the window of first-mover advantage in AI-native pentesting closes.
Key Takeaways
- XBOW's $35 million Series C extension, confirmed on 8 May 2026, brings total funding past $270 million and values the company above $1 billion.
- Strategic investors — NVIDIA, Samsung, Accenture, SentinelOne — are also platform users, validating product-market fit beyond financial commitment.
- Founded just two years ago by GitHub Copilot creator Oege de Moor, XBOW has reached 100+ customers and 250+ employees at exceptional pace.
- Competition from Pentera (est. 2015) and Horizon3.ai remains formidable; XBOW must prove its continuous AI-driven approach scales without excessive false positives.
- Asia-Pacific expansion represents both the largest growth opportunity and the steepest operational challenge, given the region's fragmented regulatory landscape.
References & Bibliography
[1] TechFundingNews. (2026, May 8). Cybersecurity unicorn built by GitHub Copilot's creator raises $35M Series C extension from Samsung, NVIDIA. https://techfundingnews.com/xbow-35m-series-c-extension-samsung-nvidia-cybersecurity-unicorn/
[2] GitHub. (2026). GitHub Copilot — Your AI pair programmer. https://github.com/features/copilot
[3] NVIDIA. (2026). NVentures — NVIDIA's venture capital arm. https://www.nvidia.com/en-us/
[4] Samsung Ventures. (2026). Portfolio and investment thesis. https://www.samsungventures.com/
[5] SentinelOne. (2026). Company overview — autonomous cybersecurity platform. https://www.sentinelone.com/
[6] Pentera. (2026). Automated security validation platform. https://www.pentera.io/
[7] Cobalt. (2026). Pentest as a service platform. https://www.cobalt.io/
[8] Horizon3.ai. (2026). NodeZero autonomous penetration testing. https://horizn3.ai/
[9] Moderna. (2026). Corporate overview. https://www.modernatx.com/
[10] Gartner. (2026). Security and risk management research. https://www.gartner.com/en
[11] OWASP. (2026). Open Worldwide Application Security Project. https://owasp.org/
[12] NIST. (2026). National Vulnerability Database. https://nvd.nist.gov/
[13] NIST. (2024). Cybersecurity Framework 2.0. https://www.nist.gov/cyberframework
[14] US HHS. (2026). HIPAA — Health Insurance Portability and Accountability Act. https://www.hhs.gov/hipaa/index.html
[15] FDA. (2026). Cybersecurity guidance for medical devices. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity
[16] ECB. (2026). TIBER-EU framework for threat intelligence-based ethical red-teaming. https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html
[17] CISA. (2026). Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/
[18] IDC. (2026). Worldwide cybersecurity spending forecast. https://www.idc.com/
[19] Tenable. (2026). Vulnerability management platform. https://www.tenable.com/
[20] Qualys. (2026). Cloud-based security and compliance. https://www.qualys.com/
[21] Crunchbase. (2026). Startup funding and investor data. https://www.crunchbase.com/
[22] CSA Singapore. (2026). Cyber Security Agency of Singapore guidelines. https://www.csa.gov.sg/
[23] Australian Cyber Security Centre. (2026). Essential Eight maturity model. https://www.cyber.gov.au/
[24] NISC Japan. (2026). National center of Incident readiness and Strategy for Cybersecurity. https://www.nisc.go.jp/eng/
[25] Business20Channel.tv. (2026). Cybersecurity coverage and analysis. https://business20channel.tv/?category=Cyber Security
About the Author
Marcus Rodriguez
Robotics & AI Systems Editor
Marcus specializes in robotics, life sciences, conversational AI, agentic systems, climate tech, fintech automation, and aerospace innovation. Expert in AI systems and automation.
Frequently Asked Questions
What is XBOW and what does the company do?
XBOW is a Seattle-based cybersecurity company founded in 2024 by Oege de Moor, the engineer who created GitHub Copilot. The platform finds security weaknesses in applications by simulating real attacker behaviour continuously, rather than relying on periodic human penetration tests. As of May 2026, XBOW serves more than 100 customers globally, including Moderna and Seznam, and employs over 250 people. The company has raised more than $270 million in total funding and is valued above $1 billion.
How does XBOW's $35 million Series C extension affect the cybersecurity market?
The $35 million extension, announced on 8 May 2026, brings XBOW's total Series C to $155 million and positions the company as one of the most heavily capitalised players in autonomous security testing. The round's strategic investors — NVIDIA, Samsung, Accenture, and SentinelOne — are also platform users, which validates XBOW's product-market fit. This funding intensifies competition with established players like Pentera and Horizon3.ai, particularly as XBOW targets Asia-Pacific expansion.
Who are XBOW's main competitors in autonomous penetration testing?
XBOW's primary competitors include Pentera, an Israel-based firm founded in 2015 that has raised approximately $215 million; Cobalt, a San Francisco company offering a hybrid human-plus-automated pentesting model; and Horizon3.ai, which operates the NodeZero platform and holds US Department of Defense contracts. Pentera's nine-year head start gives it a larger enterprise customer base, while Cobalt's human-in-the-loop model may appeal to regulated industries requiring manual attestation for compliance.
What role does Oege de Moor's background with GitHub Copilot play in XBOW's strategy?
Oege de Moor's creation of GitHub Copilot — Microsoft's AI coding assistant used by millions of developers — provides XBOW with significant credibility in applying AI to software analysis. His expertise in training large language models on code translates directly to XBOW's approach of using AI to probe applications for exploitable vulnerabilities. This technical pedigree has been instrumental in attracting over $270 million in funding within just two years of the company's 2024 founding.
What are the risks and challenges facing XBOW going forward?
XBOW faces three primary challenges. First, its Asia-Pacific expansion must navigate fragmented regulatory frameworks across Japan, South Korea, Australia, and Singapore, each with distinct cybersecurity compliance requirements. Second, the company must demonstrate that its continuous AI-driven testing scales without generating excessive false positives, a well-documented challenge in automated security validation. Third, at just two years old with 100 customers, XBOW must convert its fundraising pace into sustainable revenue growth against competitors like Pentera, which has a nine-year sales track record.