
Strengthening secure software at global scale: How MSRC is evolving with AI

Cybersecurity has always been a race between defenders and attackers, constrained by human time, attention, and scale. What is changing now is the level of capability available to apply security fundamentals with far greater reach and speed.

At Microsoft, AI is already deeply embedded in how we secure our own environment, how security operates within our core platforms and services, and how customers protect their organizations using our security solutions. New generations of AI are extending that foundation and expanding what cyber defense can achieve by allowing defenders to operate with greater reach, speed, and consistency than was previously possible.

This moment matters because it reflects a broader shift in how cyber defense is evolving across the industry. Microsoft’s focus is to evaluate emerging capabilities rigorously, apply them deliberately, help ensure responsible use, and use them to augment our security and development toolsets so customers can use them safely to improve security outcomes. 

We appreciate Anthropic providing private research preview early access to their latest model, Claude Mythos Preview, which allows us to better understand emerging capabilities, identify and mitigate risk, and strengthen protections for our customers and the broader ecosystem. We also look forward to participating in Project Glasswing, an initiative focused on applying these advances responsibly and reducing cyber risk across the industry.

One place these advances are especially relevant is vulnerability discovery and response. This work sits at the heart of the Microsoft Security Response Center (MSRC), where we focus on identifying vulnerabilities, coordinating fixes, and reducing risk before issues can be exploited at scale. 

What follows is a closer look at the role the MSRC plays in this work, how we are applying these capabilities to vulnerability discovery and response, and our plans to help customers use these models safely.

A track record built on rigor and transparency

Software bugs have existed for as long as software itself, with impacts that range from minor defects to serious vulnerabilities. The MSRC exists to reduce risk for customers by discovering and mitigating those vulnerabilities as quickly and responsibly as possible. Each year, our team processes thousands of vulnerability reports from Microsoft engineers and independent security researchers around the world, assessing, validating, prioritizing, and mitigating through tightly coordinated workflows that balance technical rigor, speed, and transparency.

We do this work in partnership with the global security research community, engaging researchers through worldwide forums like BlueHat, and incentivizing research and disclosure through the industry’s biggest bug bounty programs and targeted events such as Zero Day Quest.

Once vulnerabilities are identified, we work with teams across Microsoft to address them quickly, feeding what we learn into Microsoft’s Secure Future Initiative (SFI) so improvements can be applied continuously across our portfolio. Those same learnings also inform the Secure Development Lifecycle (SDL), and where possible, our development tooling, helping prevent vulnerabilities from being introduced in the first place.

AI-led vulnerability discovery and response

Recent advances in AI have made it clear that these systems can meaningfully improve cybersecurity outcomes, while also introducing new considerations for how vulnerability discovery and response must evolve. As part of this work, Microsoft evaluated an early snapshot of Claude Mythos Preview using CTI-REALM, an open-source benchmark we created to evaluate AI agents on real-world detection engineering tasks. The results showed substantial improvements relative to prior models, and we are continuing to test how these capabilities can be applied within our internal processes. As Anthropic has noted, this level of capability will not remain unique to a single model or provider, and its broader adoption underscores the need for the industry to adapt.

One immediate impact is discovery at scale. AI can discover more issues, more quickly, across a broader surface area than previous methods. When paired with advanced security tooling, recent models are demonstrating the ability to find software vulnerabilities at a level approaching experienced human security researchers. 

Because these systems can work 24x7, limited only by available resources, we will discover a greater volume and diversity of vulnerabilities and address them earlier in the lifecycle before they create risk for customers.  

Within MSRC, we are evolving our processes to meet this reality. We are introducing additional automation to validate the quality and severity of the vulnerabilities and support remediation at AI speed, while keeping human developers in the loop to maintain correctness and quality.  

In parallel, Microsoft is using agentic red teaming, embedding these capabilities directly into software development processes so issues can be identified and addressed as code is written and shipped. 

Together, these changes allow us to do more of the important work we do, and to do it earlier and more effectively. Insights from AI-assisted discovery flow back through SFI to improve the security of everything we build and deliver—strengthening our software by design, by default, and in our operations. 

From learnings to improved development and cybersecurity solutions

Those same insights and learnings also help us build new solutions to help developers build more secure software, protect customers from attacks that will inevitably occur, and enable security practitioners to discover and disrupt these attacks.

As we adapt our processes to incorporate AI-led vulnerability discovery and remediation, we plan to augment our security and developer toolset, integrating these new models natively in the software development cycle and enabling customers to take advantage of them safely. 

Anthropic Claude Mythos Preview gated research preview available on Microsoft Foundry

As we enable defenders through our own products and teams, we also enable customers to leverage advanced AI capabilities directly through our premier AI platform, Microsoft Foundry.

Through Microsoft Foundry, we are enabling research preview access to Claude Mythos Preview for Azure customers who are part of Project Glasswing. Access to the project and model is granted by Anthropic and subject to Anthropic access terms. By using the model on Foundry, customers benefit from Foundry’s unified platform for building, deploying, and governing AI systems at scale.

The opportunity ahead

The opportunity to improve cybersecurity and reduce risk at scale, by engaging and collaborating with AI vendors and others to drive responsible use of AI in security, is unprecedented. Even as attackers adopt AI, continued advances in AI‑accelerated vulnerability discovery, mitigation, and AI‑first cybersecurity solutions can help reduce the attack surfaces they depend on and limit the impact of inevitable attacks.

We are entering a phase where cybersecurity is no longer bound by purely human capacity, and we look forward to partnering with Anthropic and the broader industry to evaluate emerging models, validate their effectiveness, encourage responsible use, and improve security outcomes for all.

Tom Gallagher, VP Engineering, MSRC
