Microsoft Uses AI-Powered Scanning to Find Vulnerabilities Before Attackers


Microsoft is expanding its use of AI-powered vulnerability scanning to find security flaws earlier across Windows, Azure, identity systems, and other complex codebases. The company says its new multi-model agentic system helps researchers discover, validate, and remediate vulnerabilities before attackers can exploit them.

The system is called MDASH, short for Microsoft Security multi-model agentic scanning harness. In its MDASH announcement, Microsoft said the tool helped engineering teams find 16 previously unknown vulnerabilities that were patched in the May 2026 Patch Tuesday release.

Microsoft is not replacing human security engineers with AI. Instead, it is using AI agents to scan large codebases, debate whether findings are real, build proof-of-concept triggers, and push validated issues into normal engineering workflows for review and remediation.

What MDASH Is

MDASH is a multi-model agentic scanning system built by Microsoft’s Autonomous Code Security team. It uses more than 100 specialized agents rather than relying on one large model to perform every task.

The system works as a pipeline. It prepares the target codebase, identifies candidate bugs, validates reachability and exploitability, removes duplicates, and then attempts to prove the issue with triggering inputs when the bug class allows it.

Microsoft said the approach matters because Windows, Hyper-V, Azure, and identity systems contain private, highly complex code that models would not have seen during training. The June MDASH update says the system has moved from early capability validation into active use by Microsoft engineering teams.

MDASH stageWhat it does
PrepareMaps the codebase, attack surface, and relevant context
ScanRuns specialized auditor agents over candidate code paths
ValidateUses other agents to argue for and against exploitability
DedupeCollapses related findings into cleaner reports
ProveAttempts to generate inputs that confirm the vulnerability

What Microsoft Found With AI Scanning

Microsoft’s first public MDASH disclosure included 16 CVEs across Windows networking and authentication components. Four were critical remote code execution vulnerabilities, including issues in tcpip.sys, ikeext.dll, netlogon.dll, and dnsapi.dll.

The same Microsoft Security Blog post said MDASH reached 96% recall against five years of confirmed MSRC cases in clfs.sys and 100% recall in tcpip.sys. It also found all 21 deliberately planted vulnerabilities in a private Microsoft test driver with zero false positives in that run.

Microsoft also reported an 88.45% score on CyberGym, a public benchmark made up of 1,507 real-world vulnerability reproduction tasks from 188 open-source projects. The company said this was the top score on the leaderboard at the time of writing.

MetricMicrosoft result
May Patch Tuesday CVEs found with MDASH16
Critical RCE flaws in that cohort4
Private test driver result21 of 21 planted vulnerabilities found
Historical clfs.sys recall96%
Historical tcpip.sys recall100%
CyberGym score88.45%

Why Microsoft Is Moving Toward Continuous AI Discovery

Microsoft’s message is that vulnerability discovery can no longer remain a slow, occasional activity. Attackers are also using automation and AI, which shortens the time defenders have to find and fix flaws first.

The June update says MDASH findings now move into GitHub Advanced Security, Azure DevOps, and Microsoft Defender workflows. That makes the system part of the software development lifecycle instead of a standalone scanner that creates a separate backlog.

The June 2026 Security Update Guide release notes came after a historically large Patch Tuesday cycle. Several security vendors counted more than 200 Microsoft vulnerabilities addressed in June, which reflects the growing scale of modern patch management.

  • AI can scan more code paths than a small human team can manually review.
  • Agent debate helps reduce noisy findings before they reach engineers.
  • Proof generation helps separate real bugs from speculative reports.
  • Integration with engineering tools helps turn findings into tracked fixes.
  • Human engineers still review and ship the final remediation work.

AI Helps Find Bugs, but Validation Still Matters

AI security tools can create noise if they only flag suspicious code. Microsoft says MDASH focuses on validation because a finding has limited value unless engineers can understand and reproduce it.

That is why the pipeline includes debater agents and a prover stage. The debater stage tests whether a suspected flaw is reachable and exploitable, while the prover stage attempts to build concrete triggering inputs.

The Microsoft follow-up post also explains where the system still fails. In its CyberGym analysis, most misses came from the proof stage, especially when targets required complex structured inputs such as fonts, PDFs, media files, or other difficult binary formats.

Pipeline weakness Microsoft identifiedWhy it matters
Ambiguous vulnerability descriptionsThe scan stage may look in the wrong area of a large project
Speculative reasoningThe validate stage may reject or misread a real path
Complex input formatsThe prover stage may fail to generate a working trigger
Build and environment mismatchA crash may reproduce locally but not in the target harness

How This Changes Patch Tuesday

As AI scanning finds more vulnerabilities earlier, Patch Tuesday may include more fixes. That does not automatically mean Microsoft software is getting less secure. It can also mean Microsoft is uncovering more flaws before attackers do.

The practical impact for IT teams is different. Larger Patch Tuesday releases can create more testing pressure, more prioritization work, and more urgency around deployment rings, compatibility checks, and restart deadlines.

The Microsoft Security Update Guide remains the central place for tracking monthly CVEs, affected products, severity, and remediation details. Security teams should use it alongside endpoint inventory and exploit intelligence to decide what needs urgent action.

  1. Review Patch Tuesday CVEs by severity and exposure.
  2. Identify products present in the environment.
  3. Prioritize exploited, public, and internet-facing vulnerabilities.
  4. Deploy patches through staged rings.
  5. Monitor installation failures and restart compliance.
  6. Expedite updates when a critical vulnerability cannot wait for the normal schedule.

What Enterprises Should Use to Keep Up

Microsoft is pointing enterprises toward automated update and vulnerability management tools because manual patch handling becomes harder as discovery volume rises.

Microsoft Defender Vulnerability Management gives organizations asset visibility, software inventories, vulnerability assessment, risk-based prioritization, and remediation recommendations across multiple device types.

For update deployment, Windows Autopatch automates updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams. Microsoft says it uses rollout sequencing and signals to reduce disruption while keeping devices current.

ToolHow it helps
Defender Vulnerability ManagementPrioritizes vulnerabilities based on exposure, threat intelligence, and asset context
Windows AutopatchAutomates update deployment across Microsoft products using rollout controls
Microsoft IntuneManages Windows quality updates, update rings, and expedited policies
Known Issue RollbackHelps Microsoft roll back targeted problematic changes without removing the full update

When to Expedite Security Updates

Not every update needs emergency deployment, but some vulnerabilities justify moving faster than the standard monthly rollout. Public exploitation, internet exposure, critical severity, and high-value systems should all influence the decision.

Microsoft Intune expedite policies let admins accelerate the installation of supported Windows security updates. Microsoft says these policies can bypass normal deferral timing without changing future monthly update policies.

That matters in an AI-driven vulnerability environment because attackers may move quickly once a bug becomes public. Enterprises need a way to accelerate selected fixes without abandoning staged deployment for every update.

  • Use normal update rings for routine monthly patching.
  • Use expedite policies for urgent Windows security updates.
  • Track devices that miss deadlines or fail installation.
  • Keep restart policies clear so patches actually apply.
  • Review exception groups that delay security updates.

Update Quality Still Matters

More vulnerability discovery creates a second challenge: Microsoft must ship more fixes without breaking customer environments. That makes validation and rollback mechanisms important.

Known Issue Rollback is one Windows update safety mechanism. Microsoft describes it as a way to revert a targeted problematic change while leaving the rest of the update intact.

This does not remove the need for staged enterprise testing. It gives Microsoft and customers another tool when a regression appears after deployment, especially when removing the full update would weaken security posture.

Update controlPurpose
Deployment ringsTest updates on smaller groups before broad rollout
Compatibility testingCatch application or device issues before mass deployment
Expedite policiesMove urgent security updates faster than normal timing
Known Issue RollbackMitigate selected regressions without uninstalling the entire update

What This Means for Defenders

Microsoft’s AI vulnerability scanning push signals a new phase in software security. More flaws may get found and patched before attackers use them, but enterprises must also handle a higher volume of remediation work.

Defenders should not treat larger Patch Tuesday releases as noise. They should build a repeatable process that combines exposure data, asset criticality, exploit status, and update deployment automation.

Defender Vulnerability Management can help identify which devices and software are exposed, while Windows Autopatch and Intune expedite policies can help organizations move from finding risk to actually installing fixes.

The Bottom Line

Microsoft’s AI-powered scanning effort aims to shift vulnerability discovery in favor of defenders. MDASH gives Microsoft a way to scan difficult proprietary code at a depth and scale that manual review alone cannot match.

The change may lead to larger security update releases and faster remediation cycles. For enterprises, the answer is not to delay patching because the volume looks high. The answer is to modernize update operations so important fixes reach exposed systems quickly.

As Microsoft continues to add AI to vulnerability discovery and remediation, organizations should prepare for a future where Patch Tuesday is more data-driven, more continuous, and more dependent on automated deployment discipline. If a Windows update causes a regression, Known Issue Rollback guidance can also help admins understand how Microsoft handles targeted rollback scenarios.

FAQ

What is Microsoft MDASH?

MDASH is Microsoft Security’s multi-model agentic scanning harness. It uses more than 100 specialized AI agents to discover, validate, deduplicate, and prove software vulnerabilities across complex codebases.

How many vulnerabilities did MDASH help Microsoft find in May 2026?

Microsoft said MDASH helped engineering teams find 16 CVEs that were patched in the May 2026 Patch Tuesday release, including four critical remote code execution vulnerabilities.

Does Microsoft use AI to replace security engineers?

No. Microsoft describes MDASH as a system that expands human-led security review. AI agents help scan, validate, and prove findings, while engineering teams still review, fix, and ship updates.

Will AI make Patch Tuesday larger?

It can. AI-powered vulnerability discovery can find more flaws before attackers do, which may increase the number of fixes Microsoft ships in monthly security updates.

What should enterprises do as Microsoft finds more vulnerabilities with AI?

Enterprises should maintain accurate asset inventories, prioritize vulnerabilities by exposure and exploit status, use staged deployment rings, and use tools such as Defender Vulnerability Management, Windows Autopatch, and Intune expedite policies to keep systems patched.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages