Pavan Davuluri says AI will raise patch volume in every Windows security release
Microsoft warns “busier Patch Tuesdays” ahead by changing how it discovers, validates, and prioritizes vulnerabilities.

Pavan Davuluri, Microsoft’s executive vice president for Windows + Devices, says AI helps Microsoft discover more issues, increasing the volume of security updates per release. For decision-makers, it means patching operations and governance must be ready for more frequent, higher-volume change windows.
Microsoft’s Windows security outlook just got more intense. In a Thursday post, Pavan Davuluri, executive vice president for Windows + Devices, warned customers to expect a higher volume of security updates in each security release because “AI helps defenders discover more issues.” In plain English: if the defenders find more flaws, the patch pipeline produces more patches, and Patch Tuesday looks less like a predictable rhythm and more like a growing workload.
Davuluri’s argument is not that Microsoft wants to make admins life harder. It is that the underlying process changes should improve security and shrink exposure time. “By applying AI across security analysis, we can identify patterns faster, prioritize risk and scale vulnerability discovery across the Windows codebase,” he wrote. He also said that this tighter discovery and prioritization workflow should shorten the review window, “shrinking the attack window for zero-day exploits.”
So what is actually changing inside Microsoft? Davuluri described an internal shift from treating vulnerability discovery as a separate activity to integrating it into how Windows is built, reviewed, and improved before new features or updates ship. “We continue to evolve our internal systems and practices so that vulnerability discovery is not treated as a separate activity, but as part of how we build, review and improve Windows before new features or updates are released,” he wrote. The logic here is straightforward: if security findings come earlier and get processed faster, there is less time for attackers to exploit whatever is found.
The operational center of gravity in the post is a tool Microsoft calls the multi-model agentic scanning harness (MDASH). Davuluri said MDASH “utilizes multiple models including leading third-party AI vulnerability discovery models.” Microsoft then uses dedicated cloud infrastructure to run MDASH at Windows scale. According to the post, a scanner pipeline scans “critical binaries” and validates candidates using multi-model debate across multiple model families. Confirmed candidates then flow to a separate, Windows-specific prove pipeline intended to eliminate remaining false positives, so that “only the highest-confidence findings reach the engineering team.” That last detail matters for more than engineering comfort. False positives are what traditionally turn security triage into a time-sink for teams. The whole point of the prove step, per Davuluri, is to keep the workload closer to real engineering signals.
In the meantime, Microsoft is also telegraphing how it expects customers to respond. Davuluri’s post later emphasizes that Microsoft offers “many fine tools to automate patching,” and he argues that customers using those tools can keep pace with the increased patch volumes. He is effectively making a case to boards, CISOs, and IT leadership: automation plus earlier AI-driven discovery should be a workable strategy, because the expected benefit is improved security outcomes and a smaller window of risk. If the system finds more issues, it also has to prevent those findings from turning into a chaotic flood of low-confidence change.
But there is a tension that matters for the executives who sign off on budgets for IT reliability and security governance. More patches can be good, and it can also be operationally brutal. The source points out that The Register has “yet to hear of AI being used to create more or longer change windows that admins can use to implement all these extra patches.” That is the heart of the second-order problem: even if AI shortens discovery and review cycles, the org still has to schedule deployments, validate compatibility, and manage downtime or rollback risk. If governance processes assume fewer patches per release, the mismatch can create stress, not because the security team is wrong, but because operational reality does not scale automatically.
This is not happening in a vacuum. Microsoft is not alone in using AI to deliver more patches. The source notes that Oracle recently announced AI bug-finders mean it will add a monthly critical patch dump to its current quarterly security update service. That is a concrete example of how “AI finds more flaws” can translate into more update cadence, not just better detection. The competitive implication is simple: vendors are moving toward continuous or more frequent security outputs, and customers will have to meet that pace with staffing, automation, and deployment discipline.
One more response from the ecosystem underscores the practical stake. The Register describes VMware’s reaction to the “harsh reality” that more patches can create pressure on admins. VMware introduced an offering called “Express Patches” that ship independently of and more frequently than its product updates, and they can be applied in any order rather than requiring an upgrade before a patch will work. That design choice is telling: it is an attempt to reduce coupling between routine maintenance and urgent security fixes, giving administrators more control over sequencing when patch volumes rise.
For boards and leaders, the takeaway is not “more patches are bad.” It is “more patches are a new operating condition.” Davuluri is describing a process where AI scales vulnerability discovery across the Windows codebase, increases volume of updates included in each security release, and aims to shrink the window in which zero-day attackers can act. If that model spreads across major vendors, the companies that win will be the ones that treat patching as an operational system, not a monthly event. The strategic stakes for every CISO and IT chief are immediate: can your change management, automation tooling, and deployment workflows absorb the higher volume without turning security releases into business disruption?
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Business

China lands a reusable Long March booster, a first that matches SpaceX and Blue Origin
A barge landing and net-based recovery move China from theory to proof, reshaping the reusability race and satellite ambitions.
AstraZeneca $27B wipeout as Wainua late trial misses cardiovascular target
A failed late-stage heart study triggered a swift market punishment, forcing investors and boards to reset timelines and risk.

Comcast shares jump 25% as it plans to split NBCUniversal and Sky
The tax-free spin-off could reshape focus, funding, and competition across media and tech for years.

