The code didn't lie. The press release did.

Microsoft claims its internal AI system, MDASH, found 16 new Windows vulnerabilities and scored 88.45% on the CyberGym benchmark, beating Anthropic’s Mythos and OpenAI’s unnamed security tools. The headline is designed to trigger a single emotional response: "Microsoft is winning the AI security race." But as someone who has spent years tracing the bleed through gateways of blockchain exploits, I know that claims without a verifiable transaction hash are just noise.
Let’s dissect this.
Context
MDASH—likely an acronym for Microsoft Detection and AI for Security—is not a product you can buy. It is an internal tool, probably a composite of static analyzers, fuzzers, and some flavor of large language model fine-tuned on Windows codebase history. The announcement comes through Crypto Briefing, a publication that normally covers blockchain, not enterprise security. That alone is a red flag. Why would a crypto outlet break this news? Because the story is a PR asset, not a technical paper. Microsoft wants to project strength in AI safety, and the crypto community is a convenient amplifier.
But let's be clear: this is not peer-reviewed research. It is not a reproducible benchmark. It is a press release dressed up as journalism.

Core Analysis
I spent the afternoon trying to trace the bleed through the gateway of this announcement. What did I find?
First, the numbers. 16 vulnerabilities. Out of how many total tests? What is the false positive rate? A system that flags 100 potential issues and gets 16 right is very different from one that tests 20 and finds 16. The CyberGym benchmark—what is its composition? CyberGym's platform is proprietary and usually focuses on web application security, not Windows kernel bugs. There is no public leaderboard for MDASH. No CVE identifiers for the 16 vulnerabilities. Without a CVE, we cannot verify if these are real, unpatched 0-days or low-severity bugs that Microsoft already knew about.
Second, the comparison. "Beats Anthropic and OpenAI" is meaningless without a controlled A/B test. Was MDASH tested on the same codebase? Same time budget? Same scoring metric? Anthropic's Mythos is a fine-tuned Claude variant for security. OpenAI has GPT-4 with code interpreter. Both are general-purpose models. MDASH is almost certainly specialized for Windows. This is like comparing a scalpel to a Swiss army knife and declaring the scalpel better at cutting.
Third, the architecture. The article provides zero detail. From my experience auditing smart contracts—where the recursive call vulnerability in TheDAO was ignored by core developers until the $60 million hack—I know that the devil is in the signature verification. Here, the missing signature is the model architecture. Is MDASH a single LLM? A graph neural network for binary analysis? A multi-agent system? The lack of transparency is a bug report in itself. Silence is the loudest bug report.
History is a Merkle tree, not a narrative. The Terra/Luna collapse taught me that the truth is in the on-chain distribution, not the headlines. Similarly, the truth here is in the missing data. If Microsoft wanted the community to trust MDASH, they would release a technical paper, open-source the test suite, or publish the CVE list. They did none of those.
Contrarian Angle
But let me play devil’s advocate. What if the claim is true? What if MDASH genuinely found 16 real vulnerabilities? That would still be a positive signal for the industry. It proves that AI-augmented security audits can discover actual bugs, which is a step toward automated vulnerability discovery. The problem is not the existence of the result—it is the framing of it as a victory in a race that has no finish line.
The bulls might say: "At least Microsoft is investing in AI safety. This will eventually benefit all Windows users." And they are not wrong. The technology is real, even if the PR is inflated. The concern is that investors and enterprise buyers will make purchasing decisions based on this incomplete data. Enterprise security procurement is already a game of checkbox compliance. This article gives them another checkbox: "AI-powered vulnerability detection." That is dangerous.
Takeaway
Precision is the only apology the truth accepts. Microsoft owes the security community a detailed post: architecture, benchmark methodology, false positive rate, and CVE assignments. Until then, treat MDASH as a lab experiment with a very good PR team. The 16 vulnerabilities may exist, but we cannot verify the root. Ignore the branch. Verify the root.
This is not a story about AI beating AI. It is a story about incomplete information masquerading as definitive proof. In blockchain, we call that a rug pull. In security, it is just another Tuesday.