Microsoft Uses AI-Powered Scanning to Find Vulnerabilities Before Attackers
Microsoft is expanding its use of AI-powered vulnerability scanning to find security flaws earlier across Windows, Azure, identity systems, and other complex codebases. The company says its new multi-model agentic system helps researchers discover, validate, and remediate vulnerabilities before attackers can exploit them.
The system is called MDASH, short for Microsoft Security multi-model agentic scanning harness. In its MDASH announcement, Microsoft said the tool helped engineering teams find 16 previously unknown vulnerabilities that were patched in the May 2026 Patch Tuesday release.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Microsoft is not replacing human security engineers with AI. Instead, it is using AI agents to scan large codebases, debate whether findings are real, build proof-of-concept triggers, and push validated issues into normal engineering workflows for review and remediation.
What MDASH Is
MDASH is a multi-model agentic scanning system built by Microsoft’s Autonomous Code Security team. It uses more than 100 specialized agents rather than relying on one large model to perform every task.
The system works as a pipeline. It prepares the target codebase, identifies candidate bugs, validates reachability and exploitability, removes duplicates, and then attempts to prove the issue with triggering inputs when the bug class allows it.
Microsoft said the approach matters because Windows, Hyper-V, Azure, and identity systems contain private, highly complex code that models would not have seen during training. The June MDASH update says the system has moved from early capability validation into active use by Microsoft engineering teams.
| MDASH stage | What it does |
|---|---|
| Prepare | Maps the codebase, attack surface, and relevant context |
| Scan | Runs specialized auditor agents over candidate code paths |
| Validate | Uses other agents to argue for and against exploitability |
| Dedupe | Collapses related findings into cleaner reports |
| Prove | Attempts to generate inputs that confirm the vulnerability |
What Microsoft Found With AI Scanning
Microsoft’s first public MDASH disclosure included 16 CVEs across Windows networking and authentication components. Four were critical remote code execution vulnerabilities, including issues in tcpip.sys, ikeext.dll, netlogon.dll, and dnsapi.dll.
The same Microsoft Security Blog post said MDASH reached 96% recall against five years of confirmed MSRC cases in clfs.sys and 100% recall in tcpip.sys. It also found all 21 deliberately planted vulnerabilities in a private Microsoft test driver with zero false positives in that run.
Microsoft also reported an 88.45% score on CyberGym, a public benchmark made up of 1,507 real-world vulnerability reproduction tasks from 188 open-source projects. The company said this was the top score on the leaderboard at the time of writing.
| Metric | Microsoft result |
|---|---|
| May Patch Tuesday CVEs found with MDASH | 16 |
| Critical RCE flaws in that cohort | 4 |
| Private test driver result | 21 of 21 planted vulnerabilities found |
| Historical clfs.sys recall | 96% |
| Historical tcpip.sys recall | 100% |
| CyberGym score | 88.45% |
Why Microsoft Is Moving Toward Continuous AI Discovery
Microsoft’s message is that vulnerability discovery can no longer remain a slow, occasional activity. Attackers are also using automation and AI, which shortens the time defenders have to find and fix flaws first.
The June update says MDASH findings now move into GitHub Advanced Security, Azure DevOps, and Microsoft Defender workflows. That makes the system part of the software development lifecycle instead of a standalone scanner that creates a separate backlog.
The June 2026 Security Update Guide release notes came after a historically large Patch Tuesday cycle. Several security vendors counted more than 200 Microsoft vulnerabilities addressed in June, which reflects the growing scale of modern patch management.
- AI can scan more code paths than a small human team can manually review.
- Agent debate helps reduce noisy findings before they reach engineers.
- Proof generation helps separate real bugs from speculative reports.
- Integration with engineering tools helps turn findings into tracked fixes.
- Human engineers still review and ship the final remediation work.
AI Helps Find Bugs, but Validation Still Matters
AI security tools can create noise if they only flag suspicious code. Microsoft says MDASH focuses on validation because a finding has limited value unless engineers can understand and reproduce it.
That is why the pipeline includes debater agents and a prover stage. The debater stage tests whether a suspected flaw is reachable and exploitable, while the prover stage attempts to build concrete triggering inputs.
The Microsoft follow-up post also explains where the system still fails. In its CyberGym analysis, most misses came from the proof stage, especially when targets required complex structured inputs such as fonts, PDFs, media files, or other difficult binary formats.
| Pipeline weakness Microsoft identified | Why it matters |
|---|---|
| Ambiguous vulnerability descriptions | The scan stage may look in the wrong area of a large project |
| Speculative reasoning | The validate stage may reject or misread a real path |
| Complex input formats | The prover stage may fail to generate a working trigger |
| Build and environment mismatch | A crash may reproduce locally but not in the target harness |
How This Changes Patch Tuesday
As AI scanning finds more vulnerabilities earlier, Patch Tuesday may include more fixes. That does not automatically mean Microsoft software is getting less secure. It can also mean Microsoft is uncovering more flaws before attackers do.
The practical impact for IT teams is different. Larger Patch Tuesday releases can create more testing pressure, more prioritization work, and more urgency around deployment rings, compatibility checks, and restart deadlines.
The Microsoft Security Update Guide remains the central place for tracking monthly CVEs, affected products, severity, and remediation details. Security teams should use it alongside endpoint inventory and exploit intelligence to decide what needs urgent action.
- Review Patch Tuesday CVEs by severity and exposure.
- Identify products present in the environment.
- Prioritize exploited, public, and internet-facing vulnerabilities.
- Deploy patches through staged rings.
- Monitor installation failures and restart compliance.
- Expedite updates when a critical vulnerability cannot wait for the normal schedule.
What Enterprises Should Use to Keep Up
Microsoft is pointing enterprises toward automated update and vulnerability management tools because manual patch handling becomes harder as discovery volume rises.
Microsoft Defender Vulnerability Management gives organizations asset visibility, software inventories, vulnerability assessment, risk-based prioritization, and remediation recommendations across multiple device types.
For update deployment, Windows Autopatch automates updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams. Microsoft says it uses rollout sequencing and signals to reduce disruption while keeping devices current.
| Tool | How it helps |
|---|---|
| Defender Vulnerability Management | Prioritizes vulnerabilities based on exposure, threat intelligence, and asset context |
| Windows Autopatch | Automates update deployment across Microsoft products using rollout controls |
| Microsoft Intune | Manages Windows quality updates, update rings, and expedited policies |
| Known Issue Rollback | Helps Microsoft roll back targeted problematic changes without removing the full update |
When to Expedite Security Updates
Not every update needs emergency deployment, but some vulnerabilities justify moving faster than the standard monthly rollout. Public exploitation, internet exposure, critical severity, and high-value systems should all influence the decision.
Microsoft Intune expedite policies let admins accelerate the installation of supported Windows security updates. Microsoft says these policies can bypass normal deferral timing without changing future monthly update policies.
That matters in an AI-driven vulnerability environment because attackers may move quickly once a bug becomes public. Enterprises need a way to accelerate selected fixes without abandoning staged deployment for every update.
- Use normal update rings for routine monthly patching.
- Use expedite policies for urgent Windows security updates.
- Track devices that miss deadlines or fail installation.
- Keep restart policies clear so patches actually apply.
- Review exception groups that delay security updates.
Update Quality Still Matters
More vulnerability discovery creates a second challenge: Microsoft must ship more fixes without breaking customer environments. That makes validation and rollback mechanisms important.
Known Issue Rollback is one Windows update safety mechanism. Microsoft describes it as a way to revert a targeted problematic change while leaving the rest of the update intact.
This does not remove the need for staged enterprise testing. It gives Microsoft and customers another tool when a regression appears after deployment, especially when removing the full update would weaken security posture.
| Update control | Purpose |
|---|---|
| Deployment rings | Test updates on smaller groups before broad rollout |
| Compatibility testing | Catch application or device issues before mass deployment |
| Expedite policies | Move urgent security updates faster than normal timing |
| Known Issue Rollback | Mitigate selected regressions without uninstalling the entire update |
What This Means for Defenders
Microsoft’s AI vulnerability scanning push signals a new phase in software security. More flaws may get found and patched before attackers use them, but enterprises must also handle a higher volume of remediation work.
Defenders should not treat larger Patch Tuesday releases as noise. They should build a repeatable process that combines exposure data, asset criticality, exploit status, and update deployment automation.
Defender Vulnerability Management can help identify which devices and software are exposed, while Windows Autopatch and Intune expedite policies can help organizations move from finding risk to actually installing fixes.
The Bottom Line
Microsoft’s AI-powered scanning effort aims to shift vulnerability discovery in favor of defenders. MDASH gives Microsoft a way to scan difficult proprietary code at a depth and scale that manual review alone cannot match.
The change may lead to larger security update releases and faster remediation cycles. For enterprises, the answer is not to delay patching because the volume looks high. The answer is to modernize update operations so important fixes reach exposed systems quickly.
As Microsoft continues to add AI to vulnerability discovery and remediation, organizations should prepare for a future where Patch Tuesday is more data-driven, more continuous, and more dependent on automated deployment discipline. If a Windows update causes a regression, Known Issue Rollback guidance can also help admins understand how Microsoft handles targeted rollback scenarios.
FAQ
MDASH is Microsoft Security’s multi-model agentic scanning harness. It uses more than 100 specialized AI agents to discover, validate, deduplicate, and prove software vulnerabilities across complex codebases.
Microsoft said MDASH helped engineering teams find 16 CVEs that were patched in the May 2026 Patch Tuesday release, including four critical remote code execution vulnerabilities.
No. Microsoft describes MDASH as a system that expands human-led security review. AI agents help scan, validate, and prove findings, while engineering teams still review, fix, and ship updates.
It can. AI-powered vulnerability discovery can find more flaws before attackers do, which may increase the number of fixes Microsoft ships in monthly security updates.
Enterprises should maintain accurate asset inventories, prioritize vulnerabilities by exposure and exploit status, use staged deployment rings, and use tools such as Defender Vulnerability Management, Windows Autopatch, and Intune expedite policies to keep systems patched.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages