Microsoft has detailed a new internal artificial intelligence system called MDASH, short for Multi-Model Agentic Scanning Harness, which the company says is designed to discover security flaws autonomously across large codebases such as Windows. The company says the platform already identified 16 vulnerabilities that were fixed as part of the May 2026 Patch Tuesday release.
The announcement matters because it pushes AI-assisted vulnerability discovery beyond the experimental stage. Rather than acting as a simple code assistant, MDASH is being framed as an operational system that can scan software, reason through security conditions, test competing interpretations, and help analysts determine whether a flaw is credible enough to warrant engineering attention.
How MDASH worksAccording to Microsoft, MDASH relies on a large multi-agent architecture involving more than 100 specialized AI agents. Different models are assigned different roles inside the workflow: some inspect code paths, some validate potential findings, some try to disprove earlier conclusions, and others attempt to demonstrate whether a vulnerability can be turned into a real exploit path.
That disagreement-based design is central to the system. Microsoft says confidence rises when one agent identifies a possible flaw and other agents cannot successfully refute it. In practice, MDASH is being positioned less as a single model and more as a structured adversarial review process built out of multiple model roles.
What it found in WindowsMicrosoft said the system detected vulnerabilities in sensitive Windows components including Netlogon, DNS Client, tcpip.sys, http.sys, and IKEEXT. Some of the issues addressed in May were remote code execution flaws, which remain among the most severe categories of enterprise software vulnerability because they can allow attackers to run code without direct user interaction.
The company also published internal retrospective performance claims, saying MDASH reached 96% recall on historical clfs.sys vulnerabilities and 100% on tcpip.sys in its own replay testing. Those figures should be read as vendor-reported metrics rather than independent benchmarks, but they still suggest Microsoft sees the system as materially useful for real defensive workflows.
Why this changes the security equationThe broader implication is that vulnerability discovery is becoming automatable on both sides of the security divide. If defenders can use systems like MDASH to surface flaws earlier and more consistently, patch development and remediation may become faster. But the same underlying progress in model capability also raises concern that attackers will use similar approaches to accelerate exploit research.
That dual-use tension is already shaping the market. Enterprises are under pressure to shorten the gap between bug discovery, validation, patching, and deployment. A system like MDASH is valuable not just because it finds bugs, but because it may help compress the timeline in which a dangerous flaw can move from hidden condition to mitigated issue.
From research novelty to enterprise security toolingFor now, Microsoft is presenting MDASH as evidence that AI-driven code security is entering a new phase. What was once treated as an interesting research direction is increasingly being turned into a practical engineering capability embedded inside large software development and security programs.
If that trend holds, organizations may soon need to assume that high-volume, semi-autonomous vulnerability discovery is normal. That would affect not just software vendors, but also customers who must absorb more findings, patch more quickly, and operate with the expectation that both defenders and attackers are working at machine speed.
Original source: The Hacker News.