
Microsoft's MDASH AI Security System Finds 16 Windows Vulnerabilities

MDASH relies on more than 100 specialized agents to find software bugs. It's being used internally, but Microsoft is also previewing the AI system with select enterprise customers.

Michael Kan, Principal Reporter


Microsoft is responding to the rise of AI programs that can hunt down security vulnerabilities by introducing “MDASH,” a system that harnesses over 100 AI agents to find software bugs. 

Microsoft used MDASH to uncover 16 new vulnerabilities related to Windows, “including four Critical remote code execution flaws in components such as the Windows kernel TCP/IP stack and the IKEv2 service,” the company says. 

MDASH also outperformed other AI models, including Anthropic’s cybersecurity-focused Claude Mythos and OpenAI’s GPT 5.5, Microsoft says, achieving a leading 88.45% score on the CyberGym benchmark, which evaluates AI agents' ability to find software bugs. 

“The strategic implication is clear: AI vulnerability discovery has crossed from research curiosity into production-grade defense at enterprise scale,” the company writes in the announcement. In addition, Microsoft says its system shows a “durable advantage” by efficiently leveraging multiple models, rather than relying on a single one.

Microsoft doesn’t offer specifics on the AI models it used. But it developed over 100 AI agents, each specialized in finding specific software bugs using a collection of cutting-edge AI models and more efficient, smaller models.


“No single model is best at every stage. The multi-model agentic scanning harness runs a configurable panel of models,” Microsoft adds.

A key component is that the AI agents will scan the computer code for vulnerabilities and then debate to see if their findings align. “Disagreement between models is itself a signal: when an auditor flags something as suspect and the debater can’t refute it, that finding’s posterior credibility goes up,” Microsoft says.  

Microsoft’s security engineering teams have been using MDASH along with a “small set of customers as part of a limited private preview.” The company is likely doing so to prevent misuse, noting that MDASH “can approximate professional offensive researchers.” Still, Microsoft is opening up access to select enterprise customers that apply.

MDASH arrives as hackers have been using AI models to find serious flaws in software or help them orchestrate attacks. As a result, the cybersecurity industry is entering an arms race: although AI tools have the potential to bolster defenses, the same models might also fall into the wrong hands and be used to devastating effect. The big question is whether AI can fortify software systems enough to withstand AI-driven attacks.
