Microsoft Warns AI Will Flood Future Patch Tuesdays
Do you feel like Patch Tuesdays are getting heavier and heavier? This is only the beginning. On July 9, 2026, Microsoft published a post to warn us: the volume of security fixes is set to surge over the coming months. Is Windows code getting worse and worse? I wouldn't go that far, since it is mainly AI that is accelerating vulnerability discovery.
Table of Contents
MDASH, the machine finding flaws in Windows
To identify vulnerabilities, Microsoft relies on MDASH: Multi-model agentic scanning harness. This system was introduced on May 12, 2026 on the Microsoft Security blog, and I already covered it in a previous article.
The idea is to orchestrate many specialized AI agents spread across multiple models, including third-party models, rather than relying on a single model. Microsoft therefore has a complete pipeline to ingest and index code, scan it (audit), and then validate findings (exploitability, etc.) before building proofs of concept.
To tackle Windows security, Microsoft explains that it has built a dedicated cloud infrastructure. One pipeline analyzes critical binaries and validates potential candidates using debates between model families, then a second pipeline, specific to Windows, removes the remaining false positives. Only the strongest findings are escalated to the engineers in Redmond.
Microsoft says it is fully satisfied with MDASH's performance. In fact, a recent Patch Tuesday has already served as a showcase: 16 CVEs fixed in the Windows networking stack were found with MDASH.
Denser updates, and a tougher patching contract
Microsoft makes no secret of it. "As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each release.", says Pavan Davuluri at Microsoft. The Redmond company presents this increase as a sign of progress rather than a symptom.
AI is also used downstream: it helps engineers understand failures faster, suggest fixes, and spot similar bugs elsewhere in the source code. Rest assured: Microsoft says humans still review all proposed code and validate fixes before production.
The trend is already visible. In fact, the June 2026 Patch Tuesday already fixed 200 vulnerabilities, notably thanks to MDASH work. Next week's July 2026 Patch Tuesday could be heavy, and this is only the beginning.
AI is on both sides of the line
Microsoft acknowledges it: AI-accelerated discovery is a double-edged sword. Attackers also have AI and, even if it may not be as sharp as MDASH, Mythos 5 or others, it shortens the window between the appearance of a flaw and its exploitation.
At the same time, Microsoft has evolved its SDL practices (Secure Development Lifecycle) to account for AI-assisted attack techniques, and to introduce AI earlier in the development cycle, before features are even released. The goal is no longer to treat vulnerability research as a separate activity, but as an integrated step in building Windows.


