The July patch count Microsoft warned would come
Microsoft credited AI discovery for July's record 622-CVE Patch Tuesday. That's the second half of the story the MDASH post previewed a week earlier.
Krebs on Security’s writeup of Tuesday’s Patch Tuesday closed with one sentence that is worth pulling out and looking at on its own: “Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.” No hedge, no anonymous source — Microsoft, on the record, tying the size of the July release to its AI-assisted discovery pipeline. Rapid7’s monthly breakdown puts the total at 622 Microsoft CVEs — of which 416 are Windows — the largest single-cycle count either firm has tracked.
This is the second half of a story we wrote up on 2026-07-09, when Pavan Davuluri, Microsoft’s EVP for Windows and Devices, posted the MDASH framing to the Windows Experience Blog and asked customers to expect “a higher volume of security updates included in each release.” The post itself contained no numbers. Five days later the numbers arrived, and they are consistent with the framing.
Analysis: the framing held
Analysis, not incident reporting. What follows is a reading of two separate pieces of vendor communication — a policy post, then a patch cycle — landing five days apart. It is not a claim about any specific CVE or exploitation event.
The interesting thing about the July release is not the count. Counts fluctuate, and 622 could plausibly turn out to be an anomaly rather than the new baseline; we will not know that from one data point. The interesting thing is that Microsoft has now closed the loop on its own claim in public. A week ago it said the pipeline was accelerating. This week it shipped a record cycle and told a reporter, without qualification, that the acceleration was AI-driven. Both halves of that statement are new information relative to the state of the world a month ago, and both point at the same operational question sitting on the customer end of the pipe.
The three zero-days in this cycle — CVE-2026-56155 in AD FS, CVE-2026-56164 in SharePoint, and CVE-2026-50661 in BitLocker — are not, on the public record, MDASH finds. The first two are credited to Microsoft’s DART incident-response team; the third is publicly disclosed. If MDASH is showing up in the numbers, it is showing up in the long tail of Important-rated bugs that make up the difference between a 200-CVE cycle and a 622-CVE one, not in the headline zero-days. That is a distinction worth keeping straight, because the load MDASH is adding is exactly the load that a well-run change-management program routinely defers, and the load a stretched one lets pile up.
The gatekeepers of this data — Microsoft, and to a lesser extent the security research community that publishes alongside it — control both the discovery pace and the release cadence. When a single vendor moves both in the same month, the operational reality that shifts is not the vulnerability count. It is the ratio of ship-to-remediate. That ratio was already unfavorable in an average month. It gets worse by construction as one side accelerates and the other does not.
What to actually do this cycle
Nothing about the AI-attribution changes the priority order for July’s actual maintenance window. Patch AD FS first, SharePoint next, everything else in the standard channel. Our July Patch Tuesday piece has the sequence and the reasoning.
The planning consequence is separate and worth noting on its own: the assumption that “an average Patch Tuesday is around 100–150 CVEs” is now the wrong assumption for a change-management calendar built after July 2026. Whether the new baseline settles at 300, 400, or 600 is unknowable from a single cycle. What is knowable is that the vendor is signalling, twice, that the direction of drift is up.
Watch what the August and September cycles look like. Two more data points, plus whatever Microsoft says or does not say about the MDASH pipeline in its next quarterly Security Response commentary, will tell a much cleaner story than one record month plus one blog post. The interesting number is the six-month running average, not this one.
Sources
- Krebs on Security — “Microsoft Patches a Record 570 Security Flaws,” 2026-07-14
- Rapid7 — “Patch Tuesday — July 2026,” 2026-07-14
- Windows Experience Blog — “Evolving Windows vulnerability management to meet the speed of AI-powered discovery,” Pavan Davuluri, 2026-07-09
- 0dayNews — MDASH will grow Patch Tuesday numbers, 2026-07-09
- 0dayNews — Microsoft July Patch Tuesday: 570 CVEs, 3 zero-days, 2026-07-14
Found this useful? Share it.


