Microsoft’s MDASH AI System Found 16 Windows Flaws Before Hackers Could

Microsoft just showed the world what happens when you point state-of-the-art AI at your own codebase and tell it to find every way in. The result: 16 previously unknown vulnerabilities in Windows, including four Critical-severity remote code execution flaws in the Windows kernel TCP/IP stack and the IKEv2 service — exactly the kind of bugs that nation-state hackers spend months hunting. Microsoft found them first, using an AI system called MDASH, and the implications for how security works from here are profound.

What Is Microsoft MDASH?

MDASH stands for Microsoft’s Autonomous Code Security system — an internal multi-model agentic scanning harness built by Microsoft’s dedicated Autonomous Code Security team. The system was announced on May 12, 2026 alongside a release of its benchmark results, making it one of the most significant cybersecurity research announcements of the year.

MDASH is not a single AI model. It’s an orchestration layer that coordinates more than 100 specialized AI agents — each focused on a specific class of vulnerability, code pattern, or exploitation technique — running across an ensemble of frontier and distilled AI models simultaneously. The agents debate each other’s findings, cross-validate potential vulnerabilities, and prove exploitability end-to-end before flagging an issue to human researchers.

This multi-agent approach is deliberate. Single AI models hallucinate and generate false positives at rates that make them impractical for security research at scale. By having agents debate and cross-validate each other’s findings — essentially running an AI red team against an AI blue team — MDASH dramatically reduces false positives while increasing recall of genuine vulnerabilities.

The Results: 16 Windows Flaws Found, Including 4 Critical RCEs

The headline result is stark: MDASH found 16 new vulnerabilities across the Windows networking and authentication stack. Four of these are rated Critical — the highest severity designation — and are remote code execution vulnerabilities. RCE flaws in the Windows kernel TCP/IP stack and IKEv2 service represent exactly the kind of pre-authentication, network-accessible bugs that sophisticated threat actors have historically used to compromise entire organizations without any user interaction.

To appreciate what this means, consider the context. The Windows kernel TCP/IP stack has been scrutinized by security researchers, vulnerability researchers, and threat actors for decades. Every major security conference features research on Windows internals. Microsoft runs its own security team, bug bounties, and fuzzing programs. And yet MDASH found four Critical RCEs that all of that human effort missed.

According to Help Net Security’s analysis, the 16 vulnerabilities have all been reported to Microsoft’s Security Response Center (MSRC) and are being patched in the standard monthly release cycle. Patches are expected in the June and July Patch Tuesday releases.

Beyond the new vulnerability discoveries, MDASH achieved a 96% recall rate across five years of confirmed MSRC vulnerabilities in clfs.sys (the Windows Common Log File System driver) and a remarkable 100% recall rate in tcpip.sys — meaning it found every single vulnerability that human researchers had identified in those components over a five-year period, with zero false positives.

How MDASH Works: 100+ AI Agents in Concert

The architecture of MDASH is as important as its results. Traditional automated security tools — fuzzers, static analyzers, symbolic execution engines — are powerful but limited. They excel at finding specific classes of bugs (memory corruption, integer overflows) but struggle with the complex logic chains that characterize the most severe vulnerabilities.

MDASH takes a fundamentally different approach. The system:

Decomposes the security research task into hundreds of specialized subtasks, each handled by a purpose-built agent. One agent analyzes authentication flows. Another examines memory management patterns. A third looks for improper input validation in network-facing code. Each agent operates with the knowledge and focus of a specialist.

Runs multi-model consensus across an ensemble of AI models — both large frontier models for complex reasoning and smaller distilled models for high-speed pattern matching. This hybrid approach captures the reasoning depth of the largest models without being bottlenecked by their computational cost.

Proves exploitability end-to-end before flagging results. This is the critical differentiator from traditional vulnerability scanners. MDASH doesn’t just identify potentially vulnerable code — it reasons through the full exploitation chain: can this be reached by an unauthenticated attacker? What preconditions are required? What’s the worst-case impact? This dramatically reduces false positives and ensures findings are actionable.

Planted 21 vulnerabilities in a private Windows driver test environment as a blind validation test. MDASH found all 21 with zero false positives — a result that would be extraordinary for any security tool and suggests the system’s recall and precision claims are genuine.

Beating the Industry Benchmark

MDASH achieved an 88.45% success rate on the CyberGym benchmark — a comprehensive evaluation covering more than 1,500 real-world vulnerabilities. This placed MDASH at the top of the CyberGym leaderboard, approximately five percentage points ahead of the next-best system.

According to GeekWire, MDASH specifically outperformed Anthropic’s Claude Mythos on this benchmark — significant because Claude Mythos had previously set the bar for AI security capability. The competitive dynamic between AI companies on security benchmarks is intensifying rapidly, and the results are directly relevant to real-world security outcomes.

The CyberGym benchmark result matters beyond bragging rights. It provides the security community with a standardized, reproducible way to evaluate AI security tools — enabling meaningful comparison between different approaches and tracking progress over time. As more organizations consider deploying AI-assisted security tools, benchmark performance on CyberGym will likely become a standard procurement criterion.

What This Means for Security Teams

The MDASH announcement has immediate practical implications for enterprise security teams, even those who won’t directly use Microsoft’s internal tooling:

The patch urgency just increased. MDASH found 16 Windows vulnerabilities including 4 Critical RCEs. Microsoft knows about them. The security community knows Microsoft found them. Sophisticated threat actors will be watching for patch releases and working to reverse-engineer the fixes to reconstruct the underlying vulnerabilities. Patch Tuesday in June and July 2026 are going to be critical months for Windows patch management. Don’t be the organization that’s still running unpatched systems in August.

AI-assisted security research is now mainstream. If Microsoft is using 100+ AI agents to audit Windows, you should be using AI-assisted tools to audit your own code. Commercial versions of AI-powered security scanning are already available from vendors like GitHub (Advanced Security), Snyk, and Semgrep — and their capabilities are accelerating rapidly. Manual code review alone is no longer sufficient for securing complex codebases.

The vulnerability discovery rate is accelerating. MDASH is Microsoft’s internal tool. OpenAI, Google, Anthropic, and other major AI companies are building similar systems. The rate at which vulnerabilities will be discovered — by defenders and attackers alike — is about to increase dramatically. Security programs that aren’t built for rapid response to a higher-velocity vulnerability landscape are going to struggle. See our coverage of how AI is accelerating attacks for the offensive side of this equation.

The attack surface of AI systems themselves is the next frontier. This week’s Pwn2Own Berlin 2026 results demonstrated that AI products like OpenAI Codex and LiteLLM fall to researchers just as easily as traditional software. As organizations deploy AI systems with MDASH-like capabilities, the security of those AI systems becomes critical. An attacker who compromises your AI security tool has access to your entire vulnerability inventory.

AI vs. AI: The New Cybersecurity Reality

MDASH crystallizes a trend that every security professional needs to internalize: we are entering the era of AI vs. AI in cybersecurity. On the defensive side, systems like MDASH find vulnerabilities before attackers can. On the offensive side, AI tools are being used to discover and exploit vulnerabilities at machine speed. The human researchers on both sides are increasingly becoming orchestrators and validators rather than primary actors.

This has profound implications for how security organizations are structured, staffed, and funded. The premium on researchers who can build, configure, and interpret AI security systems is going to increase sharply. The value of traditional manual penetration testing — while still important — will shift toward testing AI-resistant controls and validating AI-generated findings rather than primary vulnerability discovery.

Organizations that understand this shift and invest accordingly will be dramatically better positioned than those that continue to treat AI as an add-on to traditional security programs. For more on building AI-integrated security workflows, check out our guide to building AI agents in 2026.

Conclusion

Microsoft’s MDASH announcement is one of the most consequential cybersecurity developments of 2026 — not because of any specific vulnerability it found, but because of what it represents. When a 100+-agent AI system can find 16 unknown vulnerabilities in one of the most scrutinized codebases in software history, the fundamental economics of security research have changed. The question for every organization is no longer whether to use AI for security, but how quickly you can build the capability to use it effectively. Microsoft just raised the bar for what “effective” looks like.