Microsoft Defender for Cloud Blog

Start Secure, Stay Secure: How Microsoft is Closing the Gap from Code to Runtime

JasonWeber
Jun 02, 2026

Help identify and prioritize exploitable vulnerabilities from code to runtime using codename MDASH and the Microsoft Defender and GitHub Code Security (part of the GitHub Advanced Security portfolio) native integration.

Modern software applications composed of hundreds of artifacts, multiple programming languages, and cloud infrastructure provide an extensive attack surface that only continues to expand in the era of AI. According to Microsoft Threat Intelligence and industry research, threat actors are also increasingly leveraging AI-assisted techniques to accelerate vulnerability discovery and exploitation (Source: Digital Defense Report 2025). Rule-based scanning and manual review alone may not keep pace with the speed and scale of these emerging threats.

As AI-generated code grows exponentially, organizations need tools designed to apply security researcher-inspired techniques at scale, keeping pace with new development processes and a rising number of AI-powered threats. That is the challenge we set out to solve.

At Build 2026, we are taking two steps forward: the expanded preview of Codename MDASH, a multi-model agentic scanning system designed to find and validate exploitable vulnerabilities, and the general availability of the Microsoft Defender for Cloud and GitHub Code Security native integration, which connects runtime risk to code and bridges the gap between security and development teams in a single workflow.

Together, these announcements represent a shift in how organizations should address software security considerations across the development lifecycle, natively integrating into their existing tooling and work processes.

The Problem: Alert Fatigue, Disconnected Tools, and a Widening Gap

Industry data consistently shows that critical and high-severity vulnerabilities take an average of more than 100 days to remediate. Research suggests applications face attacks as frequently as once every three minutes (Source: Digital Defense Report 2025).

Security teams are overwhelmed with alerts they cannot easily prioritize and assign. Developers spend time investigating issues that may never be exploited in production. Both teams often rely on separate, non-integrated tools, making collaboration slower and more difficult. The result is a growing gap between how fast organizations ship code and how fast they can secure it.

The answer is not more alerts, but more actionable findings, smarter triage, and workflows designed to support more efficient agentic remediation, fostering improved collaboration between security teams and developers.

Codename MDASH: Agentic Vulnerability Discovery (Expanded Preview)

Codename MDASH introduces a new approach to vulnerability discovery and validation. Built by Microsoft's Autonomous Code Security team, which includes members of the DARPA AI Cyber Challenge-winning Team Atlanta, codename MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and validate exploitable security findings end to end.

Unlike single-model approaches, codename MDASH works as a coordinated system. Different agents scan code for potential vulnerabilities. A separate set of agents debate whether each finding is real and exploitable. A final set constructs proof-of-concept attacks to confirm the bugs exist. The goal is to deliver validated findings, like the test results listed below, intended to help teams focus on security issues that are more likely to be exploitable, rather than theoretical warnings.

Results from internal testing and the public CyberGym benchmark (developed by UC Berkeley researchers, covering 1,507 real-world vulnerability reproduction tasks across 188 open-source projects, as of May 2026):

  • 16 New Vulnerabilities Discovered and Patched across the Windows networking and authentication stack, including four critical remote code execution flaws, all patched in the May 2026 Patch Tuesday release. (Source: MSRC CVE disclosures, May 12, 2026.)
  • MDASH identified all 21 planted vulnerabilities in a controlled test, with no false positives observed in that test. Results in broader production environments may vary. (Source: Microsoft Security Blog)
  • Near-Total Recall on Historical MSRC Cases: 96% recall against five years of confirmed MSRC cases in clfs.sys and 100% recall in tcpip.sys. These are retrospective recall benchmarks on internal code with a finite case count; they indicate the system would have been useful had it existed at the time, but do not by themselves predict future performance. (Source: Microsoft Security Blog)
  • Codename MDASH recently jumped ~10% in less than three weeks to a new CyberGym industry benchmark score of 96.55%.
      o CyberGym scores are self-reported by participating organizations; the benchmark code is public, but no independent party has verified any of the scores. Benchmark results do not necessarily reflect real-world performance across all environments. (Source: CyberGym public leaderboard, cybergym.ai)

What makes the architecture durable is its model-agnostic design. When a new model becomes available, the targeting, debating, deduplication, and proof stages do not need to be rewritten. That means every improvement in the underlying AI automatically makes your existing scans smarter, without requiring teams to rebuild context, retune plugins, or revalidate proving agents. The work you put in today keeps paying off tomorrow.

Codename MDASH will be in expanded preview at Build 2026. Please reach out to your Microsoft Account rep for more information.

Microsoft Defender for Cloud + GitHub Code Security: Now Generally Available

Codename MDASH brings a new class of multi-model agentic discovery to high-value targets. The Microsoft Defender for Cloud and GitHub Code Security native integration brings runtime context to vulnerability detections that developers already see in their pull requests, so both teams can prioritize what's exploitable and remediate inside the same workflow. This integration, now generally available, connects runtime context to code, so developer and security teams can prioritize and fix what matters.

Here is the core problem it solves: a vulnerability flagged in your codebase might look critical in isolation, but is it running in production? Is it internet-facing? Is it touching sensitive data? Those three questions should drive everything. Until now, getting those answers typically meant jumping between tools, chasing context, and hoping someone on the other team had the right information.

The integration changes that in three ways:

  1. Real-time visibility across the app lifecycle so developer and security teams can collaborate in the tools they already use. Security teams can track the status of vulnerabilities detected by GitHub Code Security directly in Defender for Cloud. When remediation is needed, a security campaign alerts GitHub repository owners, and developers can open a GitHub issue straight from Defender for Cloud to track progress from fix to close.
  2. Critical alert prioritization: By connecting runtime context to code, developer teams will be able to prioritize exploitable issues. Security teams will be able to understand the traceability of the artifact from code to runtime and trace runtime threats directly to the code in GitHub. As a result, the most critical alerts will be fixed first.
  3. Remediation time reduction: AI-suggested fixes from Copilot Autofix and GitHub Copilot cloud agent will be generated automatically, helping developers accelerate remediation.

Together, Defender and GitHub Code Security give security and engineering teams a shared, runtime-prioritized list of vulnerabilities, so the alerts developers see in their pull requests are the ones the security team has already confirmed are deployed, exposed, and worth fixing. Copilot Autofix turns those prioritized findings into review-ready pull requests, with developers in control of what merges. We believe this combination of runtime-to-code correlation and agentic AI remediation within a single integrated workflow is a meaningful differentiator. Check out our new onboarding videos to help you get started today.

How It All Fits Together: Code to Runtime

Codename MDASH and the Defender and GitHub Code Security integration are two parts of the same vision: enforcing security across the entire software lifecycle, from the first line of code to the running workload. By helping organizations find and fix vulnerabilities faster, these tools help development teams spend less time on security remediation and more time building new products.

At the code level, codename MDASH adds a new layer of multi-model agentic discovery focused on high-value targets like logic flaws, race conditions, and AI-specific risks such as prompt injection and insecure model endpoints. It complements the deep semantic analysis that GitHub Code Security already performs on every pull request with CodeQL. It validates findings using multiple AI models and aims to deliver proven results rather than theoretical warnings.

At the runtime level, Defender provides the context that turns a finding into an actionable priority: is this deployed, is it exposed, and does it matter right now? When a fix is needed, Copilot can assist with remediation, with the developer retaining control over what gets merged.

The developer stays in GitHub. The security team stays in Defender. Both can see how code problems become real security risks, and both can act on them with reduced context switching and fewer handoff delays.

Get Started

With AI-powered vulnerability discovery, runtime-to-code context, and AI-assisted remediation built into the developer workflow, these tools are designed to help teams move faster while maintaining a strong security posture.

Sources:

  1. Microsoft Digital Defense Report 2025, MSRC Patch Tuesday trend data, industry publications on AI-assisted exploit development. Digital Defense Report 2025: https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025
  2. Microsoft Security Response Center (MSRC), "Security Update Guide — May 2026 Release Notes," May 12, 2026. https://msrc.microsoft.com/update-guide/releaseNote/2026-May
  3. Microsoft Security Blog, "Defense at AI Speed: Microsoft's New Multi-Model Agentic Security System Tops Leading Industry Benchmark," May 12, 2026. https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/
  4. GitHub and Microsoft internal analysis of enterprise security backlogs. See the Microsoft Defender for Cloud blog (aka.ms/SecureCodetoCloudBlog) for methodology.

Updated Jun 02, 2026
Version 3.0