.NET 10 Release 1: Performance Boosts, Security Upgrades, and Smarter AI
by DeeDee Walsh, on Sep 15, 2025 2:42:14 PM
The Ice King and the Art of Compounding Gains
In the early 19th century, a Boston merchant named Frederic Tudor embarked on a venture that seemed ludicrous to his contemporaries: selling ice to the Caribbean. His initial attempts were disastrous, with most of his precious cargo melting away. Yet, Tudor persisted, not by discovering a single magical solution, but through a relentless series of small, compounding improvements. He experimented with better insulation like sawdust, designed more efficient double-walled ice houses, and invented new tools to cut ice into perfect, tightly-packable blocks. Each change, from tools to storage to logistics, amplified the last, turning a risky local harvest into a reliable global trade.
This story of the "Ice King" serves as a powerful metaphor for the performance philosophy behind .NET 10. The remarkable speed and efficiency of this latest release do not stem from one sweeping architectural change. Instead, they are the result of hundreds, even thousands, of targeted optimizations carefully engineered into the runtime and Just-In-Time (JIT) compiler. These enhancements, shaving off nanoseconds here and tens of bytes there, compound into a transformative experience that makes every .NET application faster, often without a single line of code being changed.
With the arrival of the .NET 10 Release Candidate 1, the .NET team has delivered more than just a preview; they have provided a production-ready platform. The release is accompanied by a "go-live" support license, a clear signal of confidence that allows development teams to begin deploying .NET 10 applications into production today. Fully supported in the new Visual Studio 2026 Insiders and Visual Studio Code with the C# Dev Kit, the future of .NET is now accessible, stable, and ready for adoption. This report offers a view into the most significant advancements in this release, exploring how they deliver a leap forward in performance, security, and developer productivity.
The Free Performance Boost: How .NET 10 Makes Your Code Faster by Default
The most profound improvements in .NET 10 are the ones developers receive for free. The core runtime and JIT compiler have undergone enhancements that boost the performance of existing codebases upon recompilation. These are features that require no opt-in or new APIs to learn; they are upgrades to the engine that powers every .NET application.
The Magic of Deabstraction: Writing Cleaner Code That Runs Faster
At the heart of .NET is the JIT compiler, the sophisticated engine responsible for translating intermediate language (IL) code into highly optimized machine code at runtime. Historically, high-level programming language features - such as interfaces, iterators, delegates, and lambdas - have carried a small but measurable performance cost known as an "abstraction penalty." These elegant constructs could introduce extra memory allocations or layers of indirection that, in performance-critical code, led developers to choose lower-level, less readable alternatives.
.NET 10 continues to eliminate this penalty through a process called "deabstraction." The JIT compiler has become a lot more intelligent at identifying and optimizing away these layers of abstraction. It performs more aggressive method inlining, de-virtualizes calls made through interfaces on arrays, and optimizes away the state machines generated for iterators and async methods. The result is that idiomatic, modern C# - code that leverages foreach loops, LINQ, and interfaces for clarity and maintainability - runs closer than ever to the raw speed of hand-tuned, low-level code.
This focus is a response to the evolution of the C# language. As language designers introduce more expressive and powerful features, the runtime team ensures that these abstractions don't force a trade-off with performance. This creates a virtuous cycle: developers are empowered to use the best features of the language without fear of performance regressions, knowing the JIT will effectively erase the overhead. This philosophy addresses the long-standing tension in software development between writing "correct" code and writing "performant" code, allowing the two to become one and the same.
A Paradigm Shift: Stack-Allocating Objects to Reduce GC Pressure
Perhaps the most exciting JIT advancement in .NET 10 is the expanded use of escape analysis to enable the stack allocation of small objects. Traditionally, C# developers have been taught a simple rule: value types (struct) can live on the stack, while reference types (class) are allocated on the heap and managed by the Garbage Collector (GC). .NET 10 makes this distinction more nuanced.
Escape analysis is a compiler technique that determines if an object's lifetime is strictly confined to the method in which it is created. If the compiler can prove that an object does not "escape" - meaning it's not returned, stored in a static field, or passed to another thread - it can safely be allocated on the method's stack frame. This is a big performance win for two reasons. First, stack allocation is incredibly cheap, often just a single instruction to move the stack pointer. Second, and more importantly, objects allocated on the stack are not tracked by the GC. Their memory is automatically reclaimed when the method returns, reducing the pressure on the garbage collector and leading to fewer and shorter GC pauses.
While the formal semantics of the C# language remain unchanged, the underlying implementation has become more intelligent. This feature represents a shift in the runtime's memory management strategy, adopting a performance philosophy from systems programming languages like Rust. In Rust, the compiler's "borrow checker" understands object lifetimes to enforce memory safety without a GC. .NET 10's escape analysis brings a similar understanding of object scope into a managed, garbage-collected environment. It is a form of "compiler magic" that provides the best of both worlds: the high-level productivity of a managed language with the low-level performance characteristics of compiler-managed lifetimes, all delivered transparently to the developer.
Under the Hood: More Runtime and GC Enhancements
Beyond the JIT, the core .NET runtime has received several other upgrades. .NET 10 introduces support for AVX 10.2 intrinsics, a set of advanced vector instructions for modern CPUs. While disabled by default until compatible processors are widely available, this prepares the .NET platform for the next wave of high-performance hardware, enhancing its capabilities for demanding workloads in scientific computing, financial modeling, graphics, and artificial intelligence.
In addition, the background garbage collector is optimized to combat memory fragmentation more effectively. Through enhanced memory compaction algorithms, the GC can better organize the heap, reducing wasted space and improving memory locality. For long-running server applications and services that manage large memory footprints, this translates to lower latency, higher throughput, and predictable performance. The performance gains observed by users migrating from the older .NET Framework to modern .NET - with some reporting a 50% reduction in compute resource usage - are a powerful testament to the compounding value of these continuous, deep-seated runtime investments.
Fortifying the Future: .NET 10's Quantum-Resistant Security
While performance improvements are a hallmark of every .NET release, .NET 10 introduces an investment in security with far-reaching implications: a comprehensive suite of post-quantum cryptography (PQC) APIs. This is a proactive measure to secure data against a future threat.
The Looming Threat: "Harvest Now, Decrypt Later"
The foundation of modern public-key cryptography, including algorithms like RSA and Elliptic Curve Cryptography (ECC), rests on mathematical problems that are computationally infeasible for classical computers to solve. However, a sufficiently powerful quantum computer, running algorithms like Shor's algorithm, could break this encryption in a matter of hours, not millennia.
This creates an urgent and insidious vulnerability known as a "harvest now, decrypt later" attack. Adversaries and nation-states can intercept and store vast quantities of encrypted data today - financial transactions, classified government documents, private healthcare records - with the expectation that they will be able to decrypt it in the future once a viable quantum computer is built. For any data that must remain confidential for more than a decade, the quantum threat is already here. This is why national security agencies and standards bodies like the U.S. National Institute of Standards and Technology (NIST) have mandated a transition to quantum-resistant algorithms.
By integrating PQC directly into the .NET 10 Base Class Library, Microsoft is positioning .NET as a platform for building applications with long-term, future-proof security guarantees. This is a strategic alignment with a global cybersecurity imperative, signaling to enterprises in sensitive sectors like finance, healthcare, and government that .NET is a secure foundation for their most critical applications.
Introducing ML-DSA: .NET's Quantum-Safe Digital Signature
The .NET 10 cryptography libraries are now declared "API Complete" for Post-Quantum Cryptography, with a primary focus on ML-DSA (Module-Lattice-based Digital Signature Algorithm). Standardized by NIST as FIPS 204, ML-DSA is the official name for the algorithm formerly known as CRYSTALS-Dilithium.
Unlike traditional cryptography, ML-DSA is based on lattice-based mathematics. In simple terms, this involves creating cryptographic problems based on finding the shortest path within a complex, multi-dimensional grid of points called a lattice. These lattice problems are believed to be extremely difficult for both classical and quantum computers to solve. ML-DSA offers an excellent balance of strong security guarantees, fast performance for both signing and verification, and key and signature sizes that, while larger than their classical counterparts, are manageable for most applications.
Within .NET 10, these new algorithms are exposed through new types like System.Security.Cryptography.MLDsa. In a deliberate design choice, these types do not inherit from the traditional AsymmetricAlgorithm base class. This decision acknowledges that the fundamental characteristics of post-quantum algorithms, such as their key structures and parameter sets, differ from classical algorithms, warranting a fresh and distinct API design.
Table: ML-DSA At a Glance: Security vs. Size
Choosing the right PQC parameters involves a trade-off between security level and the size of the resulting keys and signatures. Larger sizes provide stronger security but can impact bandwidth and storage, a critical consideration for constrained devices or high-throughput protocols. The following table provides a practical reference for the NIST-standardized ML-DSA parameter sets available in .NET 10.
| NIST Security Level | Equivalent Classical Security | Public Key Size | Private Key Size | Signature Size |
| ML-DSA-44 (Level 2) | AES-128 | ~1.3 KB | ~2.8 KB | ~2.4 KB |
| ML-DSA-65 (Level 3) | AES-192 | ~1.9 KB | ~4.0 KB | ~3.3 KB |
| ML-DSA-87 (Level 5) | AES-256 | ~2.6 KB | ~5.4 KB | ~4.6 KB |
A Tour of the Stacks: What's New for Your Application
Beyond the core runtime, .NET 10 delivers updates across its major application frameworks, providing developers with new tools to build more observable, secure, and intelligent applications.
Web & APIs (ASP.NET Core): Built-in Observability and Security
ASP.NET Core in .NET 10 introduces a comprehensive new set of metrics for ASP.NET Core Identity, its flagship framework for authentication and user management. Exposed through the Microsoft.AspNetCore.Identity meter, these metrics provide out-of-the-box observability into the security and performance of an application's authentication system. The new telemetry includes counters and duration histograms for user management operations (create, update, delete), password verification attempts, token generation, and the entire sign-in flow, including two-factor authentication events.
This is more than just a monitoring feature; it's a powerful security enhancement. By providing this data by default, ASP.NET Core lets developers easily detect and alert on common security threats. Previously, instrumenting an application to detect a brute-force or credential stuffing attack required custom code and expertise. Now, it's as simple as monitoring the aspnetcore.identity.sign_in.check_password_attempts counter for an anomalous spike in failures. This democratization of security telemetry lowers the barrier to implementing robust monitoring, aligning with the industry-wide push to shift security "left" and make it an integral part of the DevOps lifecycle.
Table: ASP.NET Core Identity: Your New Security Dashboard
The new Identity metrics transform abstract events into actionable intelligence. This table translates the raw metric names into practical security and performance monitoring use cases that can be immediately implemented in any ASP.NET Core 10 application.
| Metric Name | Purpose | Practical Monitoring Use Case |
| aspnetcore.identity.sign_in.check_password_attempts | Counts failed password checks during sign-in. | Detect brute-force/credential stuffing attacks by alerting on a high rate of failures. |
| aspnetcore.identity.user.generated_tokens | Counts generated tokens (e.g., password reset). | Identify abuse of the password reset feature by alerting on an unusual spike in token generation. |
| aspnetcore.identity.sign_in.authenticate.duration | Measures the time taken for user authentication. | Monitor for performance degradation in the login process or potential timing-based denial-of-service attacks. |
| aspnetcore.identity.sign_in.two_factor_clients_remembered | Counts remembered 2FA clients. | Understand user adoption and usage patterns of two-factor authentication features. |
Data & AI (Entity Framework Core): Embracing Modern Data
Entity Framework Core 10 makes a significant leap forward in its support for modern data workloads, particularly those driven by artificial intelligence. The release introduces first-class support for SQL Server vector search and native SQL Server JSON type support, two features that directly address the needs of today's intelligent applications.
Vector search is a technique for finding data based on semantic or conceptual similarity, rather than exact keyword matches. It works by converting data like text, images, or audio into numerical representations called vectors (or embeddings). By finding vectors that are "close" to each other in a multi-dimensional space, an application can perform powerful searches, such as finding documents that discuss similar concepts even if they use different words. This capability is the backbone of AI-powered features like recommendation engines, image search, and the Retrieval-Augmented Generation (RAG) patterns used to build sophisticated chatbots. EF Core 10 integrates this functionality directly into the ORM for SQL Server, allowing developers to execute similarity searches using familiar LINQ queries.
Complementing this is enhanced native support for the JSON data type in SQL Server. While previous versions of EF Core offered ways to work with JSON, this release provides deeper integration, allowing developers to more seamlessly map, query, and update semi-structured data stored within a relational database. This creates a powerful hybrid model, blending the flexibility of a document database with the transactional integrity and querying power of SQL Server.
These two features are not independent but are part of a unified strategy. Modern AI applications frequently need to store unstructured source data (a perfect use case for JSON columns) alongside the vector embeddings generated from that data. By providing native, high-performance support for both within a single framework, EF Core 10 positions itself as a comprehensive data platform for building the next generation of AI applications. This eliminates the architectural complexity and operational overhead of managing separate relational, document, and vector databases, allowing developers to build powerful AI backends on a unified and familiar stack.
Cross-Platform UI (.NET MAUI): Pinpointing Performance Bottlenecks
For developers building cross-platform applications, UI performance is paramount. A slow or janky user interface can be a significant source of user frustration. .NET MAUI in .NET 10 directly addresses this challenge with the introduction of a new core diagnostics and metrics tracking infrastructure.
This new system, exposed through a meter named "Microsoft.Maui", is specifically designed to instrument the two most fundamental operations in the UI layout process: IView.Measure(), which determines the size of an element, and IView.Arrange(), which determines its position. The infrastructure records precise, low-overhead telemetry, including counters for how many times these operations are called and histograms that measure their duration in nanoseconds.
This is a game-changer for debugging and optimizing UI performance. Previously, diagnosing a slow layout was often a process of trial and error. With these new metrics, developers can now get quantitative, data-driven insights into exactly what is happening in their UI. For example, a high value for the maui.layout.measure_count metric might indicate an overly complex or deeply nested layout that is forcing the system to perform redundant measurement passes. A long maui.layout.arrange_duration could pinpoint a specific custom control that is computationally expensive to position on the screen. This empowers developers to move from guesswork to a scientific approach, using concrete data to identify bottlenecks and make targeted optimizations that improve application responsiveness and stability.
.NET MAUI: Your New UI Performance Toolkit
The new .NET MAUI metrics provide a powerful diagnostic toolkit. This table serves as a quick reference guide, helping developers translate the raw telemetry data into actionable insights for improving the performance of their cross-platform applications.
| Metric Name | What It Measures | Potential Problem Indicated | Developer Action |
| maui.layout.measure_count | The number of times the layout system measures UI elements. | Excessive remeasuring, often due to complex or deeply nested layouts. | Simplify the XAML visual tree; use more efficient layout containers like Grid. |
| maui.layout.measure_duration | The time spent measuring UI elements (in nanoseconds). | A specific control or layout is computationally expensive to measure. | Identify the slow controls using profiling tools and optimize or replace them. |
| maui.layout.arrange_count | The number of times the layout system arranges (positions) UI elements. | Unnecessary layout updates triggered by property changes. | Review data bindings and update logic to minimize layout invalidations. |
| maui.layout.arrange_duration | The time spent arranging UI elements (in nanoseconds). | A specific control or layout is computationally expensive to position. | Profile the arrangement phase to find the culprit; consider custom layouts for complex scenarios. |
Writing Better Code: Highlights from C# 14
Alongside the platform-wide updates, the C# language itself continues to evolve. C# 14 introduces several new features aimed at improving developer productivity, reducing boilerplate, and enhancing performance.
Flexible Collections with params Span<T>
The params keyword, which allows a method to accept a variable number of arguments, has been a staple of C# for years. However, it was historically limited to accepting arguments as an array. C# 14 removes this limitation, extending params to work with any recognized collection type, most notably System.Span<T> and System.ReadOnlySpan<T>.
This is both a quality-of-life and a significant performance improvement. Span<T> is a high-performance type that provides a memory-safe view over a contiguous region of memory, often on the stack, thus avoiding heap allocations. Previously, to call a method that operated on a span with a variable number of elements, a developer would first have to create an array on the heap to hold those elements. With params Span<T>, this friction is eliminated. The compiler can now handle the creation of the span directly, allowing for cleaner call-site syntax and, more importantly, avoiding the unnecessary intermediate heap allocation. This change is a natural evolution of the language's focus on performance, making it easier and more intuitive for developers to adopt high-performance patterns in their everyday code.
Simplifying Properties with the field Keyword
One of the most common refactoring tasks in C# is converting a simple auto-implemented property into a property with custom logic in its getter or setter. This traditionally required manually declaring a private backing field to store the property's value. C# 14 streamlines this process with the introduction of the contextual field keyword.
When implementing a property accessor, the field keyword can now be used to directly access the compiler-generated backing field. This removes the need to declare an explicit private field, reducing boilerplate code and the potential for naming errors.
For example, a property that trims whitespace from its value before setting it can now be written concisely as:
public class Person { public string Name { get => field; set => field = value.Trim(); // Custom logic using the 'field' keyword } }
This is a pure developer productivity enhancement. While a small change, it addresses a frequent pain point in day-to-day coding, demonstrating the C# language design team's continued commitment to refining the language for elegance and practicality.
Get Started with the Future of .NET
.NET 10 is a landmark release that delivers on multiple fronts. It provides a substantial performance boost through a more intelligent runtime, making existing applications faster and more efficient. It takes a proactive and strategic stance on security, future-proofing applications against the quantum threat. It provides deep, built-in observability across the stack, empowering developers to build more secure and performant web and cross-platform applications. It embraces the data patterns required for the next generation of AI-powered software. And it continues to refine the C# language to make the developer experience smoother and more productive.
The.NET 10 Release Candidate 1 is production-ready and available now. Developers are encouraged to begin exploring its capabilities and planning their migration.
- Install the .NET 10 SDK: https://get.dot.net/10
- Download Visual Studio 2026 Insiders: https://aka.ms/vs/insiders
- Use with Visual Studio Code: https://marketplace.visualstudio.com/items?itemName=ms-dotnettools.csdevkit
