Floris Duvekot (Bureau Veritas Cybersecurity) and Oege de Moor (XBOW) announce our partnership on AI-Augmented Pentesting.

Today, we are pleased to announce a major step forward in our cybersecurity offering: AI‑Augmented Pentesting of web applications, delivered by Bureau Veritas Cybersecurity in partnership with XBOW.

The model is simple: AI tests at scale, our experts test where judgment matters most, and the combination delivers results that neither can achieve alone.

This new human-in-the-lead service represents the next evolution of our long‑standing expertise in penetration testing. It strengthens what Bureau Veritas has always stood for: trusted assurance, expert judgment and rigorous governance, now extended with the scale and speed of autonomous, AI‑driven exploration.

Why Bureau Veritas is Leading This Shift

For decades, Bureau Veritas Cybersecurity has helped organizations secure their digital systems through deep, human‑led penetration testing grounded in expertise, governance and the four‑eyes principle. As web applications and APIs have grown dramatically in complexity, we recognized the need to evolve: not by replacing human expertise, but by extending it.

Applications today change faster than traditional pentesting cycles can keep pace with. Attack surfaces expand. Threat actors use automation and AI to increase their reach. Organizations are under pressure to achieve more assurance in the same test window.

AI‑Augmented Pentesting is our strategic response: a model designed and led by Bureau Veritas, in which AI amplifies human capability rather than replacing it.

Why AI‑Augmented Pentesting?

As application architectures evolve, security teams face challenges that traditional or AI‑only approaches cannot solve alone:

1. Difficulty assessing pentesting quality

Pentesting suffers from what economists call a “market for lemons”, where buyers cannot reliably distinguish thorough testing from adequate-but-shallow work, whether traditional or AI-driven. Quality marks validate organizations and certifications validate individuals, but they cannot guarantee the creativity, depth and completeness of an individual pentest.

2. Time‑boxed pentesting can never be exhaustive

Even the most experienced pentesters must prioritize and triage, deciding which areas look most promising. There is simply more surface area than a human can explore in a fixed timeframe. These are professional judgments, but also trade-offs.

3. The AI pentesting quality gap

AI‑only pentesting tools vary widely in quality. Some produce unvalidated or hallucinated findings and require significant human effort to assess. Without the oversight of an experienced security expert, separating signal from noise is nearly impossible.

AI‑Augmented Pentesting addresses all three challenges, safely, responsibly and under Bureau Veritas’ expert stewardship.

A Hybrid Model Designed by Experts

AI‑Augmented Pentesting integrates two complementary strengths. Our experts lead every engagement from scoping through testing to advisory call:

AI‑Driven Exploration (Scale)

Powered by XBOW’s autonomous agents, the model delivers:

•    Systematic exploration of thousands of endpoints

•    Coverage of multi‑step workflows

•    Zero false positives through evidence‑based validation

•    A consistent baseline for known vulnerability classes

Human Expertise (Judgment)

With AI providing scale, Bureau Veritas' expert pentesters bring independent judgment where it matters most:

  • Context-driven testing: threat modeling, business logic analysis, workflow abuse, authorization flaws and creative attack paths that require understanding your organization and how your application is used. Our pentesters identify these and other vulnerabilities independently.
     
  • Investigating promising leads: XBOW's commitment to zero false positives means every reported finding is confirmed with a working exploit. Promising leads that do not meet that evidence threshold are investigated by our experts, converting them into confirmed findings or systematically ruling them out.
     
  • Actionable reporting: connecting findings into attack chains that demonstrate real-world impact, with risk prioritization and remediation guidance in your organizational context.

This is not AI replacing human testers. It is AI augmenting Bureau Veritas' expertise. Clients benefit from the scale and speed of AI testing combined with the expertise, judgment and governance that define Bureau Veritas' approach to assurance.

Why This Partnership Matters

Bureau Veritas Cybersecurity

"Our pentesters have always excelled at the work that requires human judgment: understanding how your application works, how your users behave, and where real-world abuse can occur. AI now handles the repetitive parameter-level testing at scale, which means our experts spend more of their time on that high-value work. They pick up the promising leads that AI flagged but couldn't confirm or couldn't safely pursue, and focus on the judgment, creativity and organizational understanding that turn findings into real-world impact. Time saved and time better spent compounds into better outcomes for our clients."

— Paul Pols, CTO, Bureau Veritas Cybersecurity Europe

Bureau Veritas Cybersecurity

"This partnership allows us to offer our clients something genuinely new: wider visibility across their applications, backed by human expertise delivering business-relevant insight. It's a future-focused way to increase assurance without increasing cost."

— Erwin Jansen, Managing Director, Bureau Veritas Cybersecurity Europe

XBOW

"We’re excited to be working with Bureau Veritas to scale security testing across their European customer base. AI has changed the game for attackers. This partnership enables defenders to now keep pace."

— Oege de Moor, CEO, XBOW

“With XBOW, every agent becomes a new member of the security team. Together with Bureau Veritas, we’re helping more enterprises meet the demands of the AI era.”

— Mike Henroid, Head of GSI and MSSPs, XBOW
 

Key Benefits for Organizations

✔ Scale without compromise

AI covers more of the attack surface, allowing our experts to focus on high‑value testing.

✔ Every finding validated, every lead investigated

Every reported finding comes with evidence. AI confirms every finding with a working exploit. Our pentesters investigate the promising leads that don't meet that threshold and independently identify vulnerabilities through context-aware pentesting of the application.

✔ Governed adoption of AI in offensive security

Adopt AI in offensive security through a human-in-the-lead model with your trusted expert partner. Human supervision throughout, defined scope, non-destructive validation, full audit logs and senior review under the four-eyes principle. All security-sensitive data and AI model inference stored and processed in the EU.
 

Who AI‑Augmented Pentesting Is For

This new service is designed for organizations that:

  • Operate complex web applications and APIs
     
  • Seek broader assurance within fixed budgets
     
  • Want an expert-led governed route to adopting AI

For scopes where AI-augmented testing is not the right fit, such as internal networks, OT/IoT, mobile or full cloud infrastructure, Bureau Veritas continues to offer established, high‑quality traditional pentesting services.

Learn More or Get Started

To discover how AI‑Augmented Pentesting can strengthen your application security program, contact us at cybersecurity@bureauveritas.com or visit our service page.

📞 Europe: +31 (0) 88 888 31 00
📞 United States: +1 877 839 7598

Bureau Veritas Cybersecurity × XBOW
AI scale. Human judgment. Assured outcomes.

Why choose Bureau Veritas Cybersecurity

Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.

We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.