Microsoft says AI is finding so many Windows bugs, expect bigger Patch Tuesdays
The company is using multiple AI models to hunt vulnerabilities in Windows code, and warns customers will see more fixes each month as a result.

Key points
- Microsoft said on Tuesday that AI-driven scanning is uncovering more Windows security flaws, and customers should expect larger monthly updates.
- The company is running a system called MDASH, which uses several AI models together to find and check possible bugs in critical Windows files.
- Human engineers still review every proposed fix before it ships to users.
- Two days earlier, Reuters reported that the US Cybersecurity and Infrastructure Security Agency has started using Anthropic's Fable model to audit government software.
Microsoft has a warning for Windows users, and it is an unusual one. Patch Tuesday is about to get busier.
In a blog post published this week, the company said its engineers are now using artificial intelligence to hunt through Windows code for security flaws. The AI is finding a lot of them. So the monthly security updates that Windows machines download, known as Patch Tuesday, will likely contain more fixes than before.
"The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code," Microsoft said.
That is a good problem to have, mostly.
What is Microsoft actually doing?
The company is running a tool it calls MDASH, short for Microsoft Security's multi-model agentic scanning harness. Strip the jargon and here is what it does: it points several different AI models at the most important pieces of Windows code, asks each of them to look for weaknesses, and then cross-checks the answers.
A second stage, built specifically for Windows, tries to weed out false alarms before a human engineer ever sees the report. Only after that filter does a real person look at the bug and write a fix.
Microsoft was firm on that last point. Every proposed code change is reviewed by a human before it goes out to customers. The AI suggests. Engineers decide.
The company is also using AI to help its own staff work faster: understanding why something broke, proposing a patch, and checking whether the same mistake was made elsewhere in the Windows codebase. If you have ever fixed one bug only to find three copies of it hiding in nearby files, you get the appeal.
Should ordinary users be worried by bigger updates?
No, and in fact the opposite. More fixes in a Patch Tuesday release means more holes are being closed before criminals find them. A zero-day, meaning a flaw the software maker did not know about, is dangerous precisely because there is no patch yet. Finding these bugs internally, before attackers do, is the whole point.
The practical advice for a home user or a small business is the same as it has always been: let Windows Update run, and do not sit on a pending restart for weeks. If Microsoft is going to be shipping more fixes, ignoring them is a worse bet than it used to be.
For IT teams, the message is a little sharper. Testing and rolling out a fatter monthly patch load is real work, and the load is going up.
The other side of the coin
Microsoft was careful to note that criminals are using AI too. So the company is updating its Secure Development Lifecycle, the internal rulebook for how Windows gets built, to account for AI-assisted attacks and to pull AI checks earlier into the process.
This is not happening in isolation. Two days before Microsoft's announcement, Reuters reported that the US Cybersecurity and Infrastructure Security Agency has started running Anthropic's Fable model over federal software to look for exploitable flaws. Officials said the audits have already turned up bugs, though they would not say how many or how serious.
The pattern first flagged by BleepingComputer is clear enough. Defenders and attackers are both plugging AI into the same job: reading code and looking for cracks. For now, the defenders seem to have the home advantage on their own source tree.
Whoever ships fixes fastest wins the month.



