For the last few years, cybersecurity experts have warned that artificial intelligence would eventually be able to hunt for software vulnerabilities faster than humans. That future now appears to be arriving, and Microsoft wants to be the company leading it rather than reacting to it.
This week, the tech giant revealed a new internally developed system called MDASH, short for “multi-model agentic scanning harness”, a sprawling network of specialized AI agents designed to identify security flaws in software code. Unlike conventional AI systems that rely on a single large model, MDASH operates more like a coordinated cyber-investigation team, with dozens of AI agents handling different stages of vulnerability detection simultaneously.
The announcement was not just theoretical. Microsoft said the system had already uncovered 16 previously unknown vulnerabilities across Windows systems, including four critical remote code execution flaws affecting components such as the Windows kernel TCP/IP stack and the IKEv2 service. The vulnerabilities were patched as part of this month’s Patch Tuesday security updates.
Why Microsoft is betting on AI teams instead of one giant model
The most interesting part of MDASH is not simply that it found vulnerabilities, but how it found them.
Microsoft’s approach emphasizes that cybersecurity may require multiple AI systems working together rather than a single, highly capable model doing everything alone. The company built MDASH as a pipeline of specialized agents, each responsible for a different task in the vulnerability discovery process.
One group scans software code searching for suspicious behavior. Another set evaluates whether the findings are genuine security risks or harmless anomalies. A final stage attempts to build proof-of-concept exploits to confirm whether the bug can actually be triggered in practice.
That collaborative structure has given Microsoft an edge on CyberGym, a benchmark created by researchers at the University of California, Berkeley. The benchmark measures how effectively AI systems can reproduce real-world vulnerabilities using unpatched software projects.
Microsoft said MDASH achieved an 88.45 percent score on the benchmark, outperforming Anthropic’s cybersecurity-focused Mythos Preview model, which scored 83.1 percent, and Anthropic OpenAI GPT-5.5, which followed with 81.8 percent. The results, however, remain self-reported by the participating companies. No independent organization formally verified the rankings.
The growing fear around AI-powered hacking
The rapid progress also raises uncomfortable questions for the cybersecurity industry.
The same AI systems capable of discovering vulnerabilities for defensive purposes can just as easily be adapted for offensive cyberattacks. Researchers have increasingly warned that AI may drastically reduce the time required for attackers to identify exploitable weaknesses in widely used software.
Anthropic’s Mythos already sparked debate earlier this year after demonstrating advanced capabilities for vulnerability discovery and exploitation. Access to the model was restricted through a limited consortium known as Project Glasswing, which notably includes Microsoft itself.
Now, Microsoft is signaling that vulnerability discovery at machine speed may soon become the norm in enterprise security operations.
The company said MDASH will initially remain an internal tool for Microsoft’s security engineering teams before expanding into a limited private preview for selected customers.
Microsoft also hinted that organizations should prepare for larger and more frequent security updates in the future as AI accelerates the pace of vulnerability discovery. For an industry already struggling to patch systems quickly enough, that warning may prove just as significant as the benchmark scores themselves.
