
Microsoft on May 18 announced an agentic security analysis system called Multi-Model Agentic Scanning Harness, or MDASH, spanning vulnerability discovery through verification, proof and response.

The company said MDASH was built by Microsoft’s Autonomous Code Security (ACS) team.

To address the limitations of single-model approaches, MDASH uses an ensemble architecture that combines frontier models and distilled models. It is designed so that more than 100 specialised AI agents carry out the full end-to-end process, from vulnerability discovery through verification and discussion to proving exploitability. The company stressed that the system architecture combining multiple models and agents, rather than the performance of any single AI model, plays the key role.

Microsoft said it used MDASH to identify 16 new vulnerabilities across Windows networking and authentication stacks. It also confirmed complex defect types that are hard to catch with simple pattern matching, including race-condition-based use-after-free (UAF).

MDASH posted the top score on the public CyberGym benchmark leaderboard, at 88.45 percent.

MDASH produces verified and proven results through a five-step automated pipeline that runs from preparation to proof. It starts with source analysis and threat modelling in the preparation step, then finds candidates in the scanning step and cross-validates them among agents in the verification step. After removing duplicates, it builds and runs inputs that can reproduce the vulnerability, which ultimately proves it.

Microsoft assessed that AI vulnerability discovery is moving beyond a research phase and shifting into an engineering task. Citing regular security update results and a five-year reproducibility rate from Microsoft Security Response Center cases related to the Common Log File System (CLFS), it said AI vulnerability discovery results can be scaled up.

Taesoo Kim (김태수), vice president of agentic security at Microsoft, said, “MDASH is helping Microsoft engineering teams use commercial AI models to materially improve security outcomes.” He added, “Microsoft will continue efforts to create a safer world for everyone.”

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.