Microsoft has expanded its use of artificial intelligence for vulnerability discovery, deploying a proprietary multi-model agentic scanning system across the Windows codebase. The system identifies and patches security flaws before adversaries can exploit them, changing the scale and cadence of its monthly Patch Tuesday releases.
The MDASH System and Its Workflow
At the heart of this initiative is MDASH (Microsoft Security Multi-Model Agentic Scanning Harness), an AI-powered pipeline that orchestrates over 100 specialized agents across frontier and distilled models. Rather than relying on a single AI model, MDASH runs a staged workflow: a scanner pipeline first identifies candidate vulnerabilities across critical binaries, multiple agent families then debate whether each finding is genuinely exploitable, and a final prover pipeline constructs proof-of-concept triggers to confirm real bugs, filtering out false positives before any finding reaches the engineering team.
Impact and Results
In May 2026, MDASH’s inaugural public disclosure revealed 16 previously unknown CVEs in Windows, including four critical remote code execution flaws in core components such as the TCP/IP kernel stack, the Internet Key Exchange v2 service, Netlogon, and the DNS API library. Validation tests showed MDASH achieved 96% recall on clfs.sys and 100% recall on tcpip.sys when run against historical MSRC vulnerability cases. The June 2026 Patch Tuesday featured more than 200 patched vulnerabilities, a record for the company. Microsoft is updating its Secure Development Lifecycle to account for AI-enabled attack techniques and has built dedicated cloud infrastructure to run MDASH at Windows scale.
Source: Cyber Security News
