"The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis," Microsoft said.
Microsoft on AI-driven vulnerability discovery
In a blog post published today, Microsoft said advances in artificial intelligence have significantly accelerated the company's ability to find security flaws in Windows. The company told readers that AI now makes it possible "to find more issues, faster, across more code," and that engineers are identifying more security issues before they can be exploited in zero-day attacks. Microsoft warned that this change in pace will translate into a higher volume of fixes: "As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release," the company said.
MDASH: Microsoft's multi-model agentic scanning harness
Microsoft said it is using Microsoft Security's multi-model agentic scanning harness (MDASH), an AI-powered vulnerability discovery system it has previously described, to scan critical Windows binaries. According to the company, MDASH scans those binaries for vulnerabilities and validates potential findings using multiple AI models. Candidates that survive that step are passed through a second, Windows-specific validation pipeline designed to eliminate false positives before engineers begin manual investigation.
AI in triage, repair suggestions, and human oversight
Beyond discovery, Microsoft says it is deploying AI to help engineers understand failures more quickly, to suggest possible bug fixes, and to identify similar bugs elsewhere in the Windows source. The company emphasized that human engineers will continue to oversee and review all proposed code and to validate fixes before those fixes are released into production.
Updating the Secure Development Lifecycle to account for AI
Microsoft also announced changes to its Secure Development Lifecycle (SDL). The company plans to update SDL practices both to account for AI-enabled attack techniques and to use AI earlier in the software development process so security issues are found before features ship. Microsoft flagged a dual reality: AI helps defenders discover and fix vulnerabilities, and threat actors are also using AI to power attacks and to exploit zero-day flaws before they are fixed.
How Microsoft, CISA, and customers are positioned
- Microsoft — The company is deploying MDASH and other AI tools to accelerate discovery and triage, and says engineers will continue to review and validate fixes before production. Microsoft expects the increased use of AI for vulnerability discovery to result in more security updates appearing in each monthly Patch Tuesday release.
- CISA — Reuters reported that the U.S. Cybersecurity and Infrastructure Security Agency has begun using Anthropic's Fable AI model to scan government software for vulnerabilities. According to Reuters, those AI-assisted code audits have "already uncovered numerous vulnerabilities," though officials did not disclose how many or provide details on their severity.
- Customers (Windows users) — Microsoft warns that customers should expect a higher volume of security updates in each security release as AI enables defenders to find more issues. At the same time, Microsoft noted that attackers are also leveraging AI to exploit zero-day flaws, creating competing pressures on patching and risk management.
Microsoft's announcements frame a concrete trade-off: faster, broader discovery of flaws driven by tools such as MDASH will likely mean more frequent and voluminous Patch Tuesday updates, even as the same AI techniques accelerate attackers' ability to weaponize newly found weaknesses. Reuters' reporting that CISA is using Anthropic's Fable to scan government code — and has already found "numerous vulnerabilities" without disclosing counts or severity — underscores the practical effect of AI-assisted audits in both public and private codebases.
Two quantifiable points remain unfilled in the public record supplied by these statements: Microsoft has described the mechanisms it is using and forecast a higher volume of updates, but it did not publish figures showing how much the monthly Patch Tuesday load will increase; and CISA's Reuters-sourced audits reportedly found "numerous vulnerabilities" but officials did not disclose how many or how severe they were. Those gaps matter for defenders and procurement planners deciding how to budget time for testing and deployment of the expected increase in security fixes.
Read the original report: Microsoft expects more Windows security updates from AI-discovered flaws — BleepingComputer




