Microsoft warns AI bug-hunting will bloat Patch Tuesdays
TL;DR
- Microsoft EVP Pavan Davuluri says AI-assisted vulnerability discovery will push a higher volume of fixes into each monthly security release.
- Microsoft's internal tool MDASH, a multi-model agentic scanning harness, runs on dedicated cloud infrastructure and uses third-party AI vulnerability models to cross-check findings.
- Oracle is adding a monthly critical patch dump to its quarterly cadence and VMware has launched 'Express Patches' that ship independently and can be applied in any order.
The interesting bit in this month's Patch Tuesday briefing is not the bug count, it is Microsoft telling customers the count is about to keep climbing. In a post surfaced by The Register, Pavan Davuluri, Microsoft's Executive Vice President for Windows and Devices, wrote that "as AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release." Read plainly, that is Microsoft telling its enterprise base to plan for a bigger monthly patch load, indefinitely.
The mechanism has a name. Davuluri describes an internal tool called MDASH, the multi-model agentic scanning harness, which he says "utilizes multiple models including leading third-party AI vulnerability discovery models" and runs on dedicated cloud infrastructure set up specifically for scanning Windows at scale. The design idea is cross-checking findings across model families before an engineer ever looks at them, which is meant to hold the false-positive rate down while volume climbs. Take the specifics as reported, not settled. The Register does not publish a CVE-per-month delta showing MDASH is actually flooding the pipeline yet, only that Microsoft expects it to.
The pattern is visible on more than one vendor. Oracle has said AI bug-finding is why it will add a monthly critical patch dump on top of its existing quarterly cycle, and VMware has shipped a scheme it calls "Express Patches" that ship independently of product updates and can be applied in any order rather than requiring an upgrade first. All three vendors are optimizing supply. None of them, per the reporting, are giving admins more or longer change windows to absorb it, and that is the part that actually determines whether the extra fixes turn into faster protection or a growing backlog.
The honest caveat is that a busier Patch Tuesday is not automatically a worse one. If the extra fixes are real bugs that would otherwise have sat in Windows unnoticed, defenders come out ahead on net. What the reporting does not give you is the shape of the trade, no numbers on how much MDASH has lifted throughput, no view of severity mix, no signal on whether the traditional human research pipeline slows as AI takes more of it.
The forward-looking read is that pressure now moves to the deployment side of the industry. Patch-orchestration tooling, VMware-style any-order packaging, and internal risk committees willing to widen maintenance windows are about to matter more than they did a year ago, because the vendors have decided the fire hose is being turned up whether operators are ready or not.
Originally reported by theregister.com
Read the original article →Original headline: Microsoft Warns Customers AI Will Mean Busier Patch Tuesdays — Discloses 'MDASH' Multi-Model Agentic Scanning Harness Finding More Windows Vulnerabilities