Skip to main content
CybersecurityVulnerability Management

AI-Driven Patching Process Spurs Surge in Security Updates

Modern computer workstation with laptop and monitor displaying code, in a clean and bright office setting.

"As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release," wrote Pavan Davuluri, Microsoft's executive veep for Windows + Devices, in a post explaining how the company is changing its internal processes to spot software vulnerabilities using AI.

Microsoft's MDASH pipeline: multi-model scanning at Windows scale

Davuluri laid out the mechanics Microsoft is using to accelerate discovery. The company uses a tool it calls the multi-model agentic scanning harness (MDASH), which "utilizes multiple models including leading third-party AI vulnerability discovery models." To run MDASH at Windows scale, Microsoft "set up dedicated cloud infrastructure for scanning and proving," he said.

According to the post, the MDASH workflow begins with a scanner pipeline that examines critical binaries and performs "multi-model debate across multiple model families" to validate candidate findings. Confirmed candidates then move to a separate, Windows-specific prove pipeline intended to "help eliminate remaining false positives, so only the highest-confidence findings reach the engineering team." Microsoft says that pipeline both increases the volume of potential vulnerabilities handled and "shortens the review window for new ones, shrinking the attack window for zero-day exploits."

Pavan Davuluri on automated patching and product quality

Davuluri tied the technical change to an operational one: customers should expect more security updates. He argued that investment in automated patching tools is "justifiable and sensible" because Microsoft's AI-driven approach produces more findings that can be fixed, improving "overall security."

The post also notes that Microsoft already offers tools to automate patching and that customers who use those tools "will be able to keep pace with increased volumes of patches." Davuluri added that by applying AI "across security analysis, we can identify patterns faster, prioritize risk and scale vulnerability discovery across the Windows codebase." He also allowed that, at times, AI-driven discovery "might mean Microsoft products contain fewer vulnerabilities," as discovery becomes part of how Windows is built and reviewed before new features or updates are released.

Oracle's parallel move and administrators' change windows

Microsoft is not unique: the post points out that Oracle "recently announced AI bug-finders mean it will add a monthly critical patch dump to its current quarterly security update service." That parallel underscores a broader vendor shift toward AI-enabled discovery that can increase the cadence and volume of fixes delivered to customers.

But increased discovery does not automatically change how organizations schedule maintenance. As The Register observed, it is "yet to hear of AI being used to create more or longer change windows that admins can use to implement all these extra patches." In other words, vendors may surface more fixes while the operational windows available for administrators to deploy them remain unchanged.

What this means for Microsoft customers, enterprise admins, and security teams

  • Microsoft customers: Expect a higher volume of security updates in each Microsoft security release; using Microsoft's automation tools will be central to keeping pace.
  • Enterprise IT admins: More frequent or larger patch packages may compress existing change windows; administrators will need to weigh automation and scheduling to avoid falling behind.
  • Security teams: Faster discovery and shorter review windows aim to shrink zero-day attack windows, but teams should monitor false-positive rates and the downstream workload of triage and deployment.

Conclusion: busier releases, unchanged clock?

Microsoft's account frames AI as a force-multiplier for defenders: more models, more cloud scanning, and more high-confidence findings routed to engineers. The practical effect, the company warns, will be "a higher volume of security updates included in each security release." Vendors such as Oracle are making similar moves, yet the scheduling constraints administrators face — the change windows they have to deploy fixes — have not been shown to have expanded in step.

The immediate next question the facts on offer leave open is operational: as vendors scale discovery with tools like MDASH, will organizations adjust maintenance calendars and change-window policies to match? Until administrators gain more or longer windows to absorb additional fixes, Microsoft’s push to find and fix more flaws could mean busier Patch Tuesdays even if the clock for deployment stays the same.

Original story — The Register