
Verification for the agent era

AI agents write code faster than humans can review it. XOR closes the gap: we verify every AI-generated patch against the vulnerability it claims to fix, record the evidence, and feed results back so agents get better.

Why now

The EU Cyber Resilience Act entered into force in December 2024, and its main obligations apply from December 2027. Every company shipping software in the EU will need to demonstrate systematic vulnerability handling: detection, remediation, and evidence.

At the same time, AI coding agents went from research demos to production tools. Companies deploy them for vulnerability patching, but nobody verifies whether the patches actually work. Median time to remediate critical open-source CVEs sits between 200 and 250 days. The agents are fast. The proof is missing.

XOR fills that gap. One product. Two interfaces: a GitHub App for automated PR review and an Agent Plugin that wraps your coding agent in a verification harness.

Built on open standards

Our CTO co-chairs two IETF working groups that define how supply chain evidence gets created, transmitted, and verified: RATS (Remote Attestation Procedures) and SCITT (Supply Chain Integrity, Transparency and Trust). Microsoft, Google, and Arm implement these standards. XOR applies them to agent verification.

This is not a vendor lock-in play. The verification receipts XOR produces are COSE-signed, SCITT-compliant, and portable. Your auditor can validate them independently.

Team

Tobias Heldt

Founder / CEO

2x OpenSSF Co-Chair. Built security infrastructure before the agent era. Now building the verification layer for it.

Henk Birkholz

Co-Founder / CTO

Co-Chair of IETF RATS and SCITT working groups. Writes the standards that governments and hyperscalers adopt for supply chain integrity and remote attestation.

Patrick Steinmetz

Head of GTM

Former BitSight. Sold cyber risk quantification to enterprises across DACH and EMEA before joining XOR to bring agent verification to the same buyers.

Proof, not promises

We open-sourced CVE-Agent-Bench: 136 real CVE samples, 9 coding agents, 1,224 evaluations. Every claim on this website traces back to that dataset or to IETF Internet-Drafts. We publish the methodology, the raw data, and the failure modes.

Company

XOR Sciences, Inc. Munich and San Francisco.

Want to talk? Get in touch.