Sign up to save your podcasts
Or
Share An AI Agent That Found 28 Zero-Days in Windows — And What Made It Work
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
An AI Agent That Found 28 Zero-Days in Windows — And What Made It Work
An AI Agent That Found 28 Zero-Days in Windows — And What Made It Work
Source: Agentic Vulnerability Reasoning on Windows COM Binaries
Paper was published on May 06, 2026
This episode was AI-generated on May 7, 2026. The script was written by an AI language model and the host voices were synthesized by Eleven Labs. The producer is not affiliated with Anthropic or Eleven Labs.
Microsoft just paid $140,000 in bug bounties to an autonomous agent that found 28 previously unknown vulnerabilities in shipping Windows services and wrote working exploits for them. The same frontier models verified zero exploits with their default scaffolding and 26 with the right one — making this as much a story about tool design as about security.
Key Takeaways
A walkthrough of the SetPrintTicket example showing how unlocked shared-pointer access in a multi-threaded service produces use-after-free and double-free primitives.
Why fuzzers can't reliably hit race windows, why pattern-based static analyzers like COMRace miss bugs, and why manual reverse engineering doesn't scale.
How the binary explorer, COM inspector, and dynamic debugger embed the mechanical work so the model spends tokens on semantic reasoning.
How stage one produces a structured vulnerability report from binary exploration and stage two iterates compile-debug cycles to land a working exploit.
slyp hits 0.97 F1 on discovery and solves 27 of 40 exploit cases, while default coding agents on the same models verify zero — and the gap widens further on weaker models.
28 confirmed vulnerabilities, 16 CVEs, $140,000 in bounties across nine services, including three direct low-integrity-to-SYSTEM escalations.
Benchmark circularity, the in-house static analyzer comparison, the gap between verified crash and weaponized exploit, and the per-case token cost.
Why closed-source binary analysis is now in reach for agents, what the offense-defense math implies, and what the scaffolding result means for anyone building agents.
Recommended Reading
View all episodes
By paperdive.aiAn AI Agent That Found 28 Zero-Days in Windows — And What Made It Work
Source: Agentic Vulnerability Reasoning on Windows COM Binaries
Paper was published on May 06, 2026
This episode was AI-generated on May 7, 2026. The script was written by an AI language model and the host voices were synthesized by Eleven Labs. The producer is not affiliated with Anthropic or Eleven Labs.
Microsoft just paid $140,000 in bug bounties to an autonomous agent that found 28 previously unknown vulnerabilities in shipping Windows services and wrote working exploits for them. The same frontier models verified zero exploits with their default scaffolding and 26 with the right one — making this as much a story about tool design as about security.
Key Takeaways
A walkthrough of the SetPrintTicket example showing how unlocked shared-pointer access in a multi-threaded service produces use-after-free and double-free primitives.
Why fuzzers can't reliably hit race windows, why pattern-based static analyzers like COMRace miss bugs, and why manual reverse engineering doesn't scale.
How the binary explorer, COM inspector, and dynamic debugger embed the mechanical work so the model spends tokens on semantic reasoning.
How stage one produces a structured vulnerability report from binary exploration and stage two iterates compile-debug cycles to land a working exploit.
slyp hits 0.97 F1 on discovery and solves 27 of 40 exploit cases, while default coding agents on the same models verify zero — and the gap widens further on weaker models.
28 confirmed vulnerabilities, 16 CVEs, $140,000 in bounties across nine services, including three direct low-integrity-to-SYSTEM escalations.
Benchmark circularity, the in-house static analyzer comparison, the gap between verified crash and weaponized exploit, and the per-case token cost.
Why closed-source binary analysis is now in reach for agents, what the offense-defense math implies, and what the scaffolding result means for anyone building agents.
Recommended Reading