Microsoft has formally expanded its use of artificial intelligence in vulnerability discovery, deploying a proprietary multi-model agentic scanning system across the Windows codebase to identify and patch security flaws before adversaries can exploit them a move that is already reshaping the scale and cadence of its monthly Patch Tuesday releases.
At the center of this initiative is MDASH (Microsoft Security Multi-Model Agentic Scanning Harness), an AI-powered pipeline that orchestrates over 100 specialized agents across an ensemble of frontier and distilled models
Rather than relying on a single AI model, MDASH runs a staged workflow: a scanner pipeline first identifies candidate vulnerabilities across critical binaries, multiple agent families then debate whether each finding is genuinely exploitable, and a final “prover” pipeline constructs proof-of-concept triggers to confirm real bugs, filtering out false positives before any finding reaches the engineering team.
The results speak for themselves. In May 2026, MDASH’s inaugural public disclosure revealed 16 previously unknown CVEs in Windows, including four critical remote code execution (RCE) flaws in core components such as the TCP/IP kernel stack, the Internet Key Exchange (IKE) v2 service, Netlogon, and the DNS API library, all patched in the May 2026 Patch Tuesday.
Validation tests showed MDASH achieved 96% recall on clfs.sys and 100% recall on tcpip.sys when run against historical MSRC vulnerability cases, demonstrating detection-grade reliability.
On the industry benchmark CyberGym, a UC Berkeley-developed test spanning 1,507 tasks from 188 open-source projects, MDASH scored 88.45%, outperforming Anthropic’s Mythos Preview (83.1%) and OpenAI’s GPT-5.5 (81.8%).
Microsoft has built dedicated cloud infrastructure to run MDASH at Windows scale, separating scanning and proving into distinct pipelines to manage volume and reduce review latency.
AI is now also integrated into the remediation workflow itself, helping engineers understand failures faster, propose contextually consistent candidate fixes, surface related issues elsewhere in the codebase, and identify the regression tests most likely to be affected by a given change.
To maintain update quality as discovery velocity increases, Microsoft validates all security updates through the Security Update Validation Program (SUVP) and broad internal compatibility testing before broad release.
The Known Issue Rollback (KIR) mechanism allows targeted reverts of a problematic change without removing the entire security update, preserving customer protections.
Microsoft is updating its Secure Development Lifecycle (SDL) to explicitly account for AI-enabled attack techniques and exploit paths, embedding vulnerability scanning as a continuous engineering practice rather than a discrete activity. MDASH entered expanded preview in June 2026, with integration into Microsoft Defender now available for eligible organizations.
As AI accelerates both offense and defense, Microsoft is signaling a new normal: larger Patch Tuesdays, faster remediation cycles, and a proactive posture where defenders find vulnerabilities first.
The June 2026 Patch Tuesday with more than 200 patched vulnerabilities, a record for the company, is the clearest evidence yet that this strategy is already operational.
For enterprises, the guidance remains consistent: stay current, patch quickly, and leverage tools such as Windows Autopatch, Microsoft Intune, and Defender Vulnerability Management to operationalize a continuous, risk-based update strategy at scale.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide
The post Microsoft Adopts AI-Powered Scanning to Find Vulnerabilities Before Attackers appeared first on Cyber Security News.



