Microsoft MDASH: Multi-Model Agentic Scanning Harness for Production-Scale Vulnerability Discovery

Microsoft's Autonomous Code Security team unveiled MDASH (multi-model agentic scanning harness) on May 12, 2026, a system that orchestrates over 100 specialized AI agents across frontier and distilled models to autonomously discover, validate, and prove exploitable defects in complex codebases. MDASH uses a structured pipeline: threat modeling, auditor agents to flag candidate issues, debater agents to validate findings, semantic deduplication, and proof-of-concept generation. In May 2026 Patch Tuesday, MDASH discovered 16 Windows vulnerabilities, including critical RCEs in ikeext.dll (IKEv2 double-free, CVE-2026-33824, CVSS 9.8) and tcpip.sys (IPv6/IPsec race condition, CVE-2026-33827, CVSS 8.1). Microsoft reported 96–100% recall on heavily audited Windows components and strong CyberGym benchmark performance.

MDASH demonstrates that multi-agent orchestration across heterogeneous models produces higher-fidelity vulnerability findings than single-model approaches. The ability to leverage disagreement between auditor and debater agents as a credibility signal is architecturally novel. The real-world results (16 critical/high-severity findings in a single patch cycle, including previously-unknown Windows networking flaws) validate agentic security as a production-grade capability shift. This will likely accelerate industry-wide adoption of agentic vulnerability scanning, driving a spike in disclosed vulnerabilities as other vendors follow Microsoft's lead.

Microsoft Patch Tuesday vulnerabilities affect all Windows-dependent organizations. Organizations should prioritize CVE-2026-33824 (IKEv2 RCE) and CVE-2026-33827 (TCP/IP RCE) for immediate patching, especially VPN/IPsec endpoints, DNS clients, and domain controllers. Larger enterprises and security vendors should evaluate agentic scanning systems (MDASH competitors will emerge) as part of their own vulnerability discovery pipelines. The lesson for defense: agentic vulnerability discovery is now a capability multiplier; competitors and defenders alike will deploy these systems at scale.