Microsoft Unveils MDASH Agentic System That Found 16 Windows Vulnerabilities
On May 12, 2026, Microsoft Security announced codename MDASH—a multi-model agentic scanning harness of 100+ specialized agents that discover, validate, and help remediate software bugs—after using it to find 16 Windows vulnerabilities (including four critical RCEs) shipped in the same day’s Patch Tuesday, while topping industry CyberGym-style benchmarks in limited private preview.
TLDR
Microsoft Security on May 12, 2026 published “Defense at AI speed,” introducing MDASH (multi-model agentic scanning harness)—an agentic vulnerability discovery and remediation system built by the Autonomous Code Security team. Microsoft said MDASH helped researchers identify 16 new Windows vulnerabilities in networking and authentication components—including four critical remote code execution flaws—that went out in the May 12 Patch Tuesday wave. The system orchestrates 100+ specialized AI agents across an ensemble of models through a structured pipeline; it was in use by Microsoft security engineering and a limited private preview for select customers.
What MDASH is
From Microsoft’s primary Security Blog post and contemporaneous technical write-ups:
- Not a single model: A harness that runs many specialized agents (discovery, validation, exploit proof, remediation assist) over large proprietary codebases (Windows-scale).
- Results cited at launch: 16 Windows vulns found in one cycle; 4 critical RCE-class issues; networking/authentication focus.
- Benchmark claim: Topped a leading CyberGym-style industry leaderboard score at announcement (later June updates cited further score gains and broader internal use).
- Status: Production use inside Microsoft security engineering; small customer private preview (expanded later at Build).
- Why multi-model: Ensemble approach rather than betting on one frontier model for red-team automation.
Why this story matters
Agentic coding tools are dual-use: the same stack that ships features can hunt CVEs. Microsoft putting MDASH next to Patch Tuesday makes “AI found the bugs we fixed today” a hyperscaler security story—not a research demo. It also raises the competitive bar for how OpenAI (Daybreak), Anthropic (Mythos/Glasswing cyber), and others frame defensive agent programs.
Sources
- Microsoft Security Blog: “Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark” (May 12, 2026).
- Microsoft Security follow-ups on MDASH preview/internal use (June 2026 Build and “Beyond the benchmark” posts).
- Independent technical recaps of the May 12 CVE cohort and MDASH pipeline (May–June 2026).
Featured Image Alt Text
Microsoft Security MDASH pipeline diagram with agent nodes finding Windows CVEs for May 12.
Tags
Microsoft, MDASH, Cybersecurity, Agentic AI, Windows, Patch Tuesday, Vulnerability Discovery