AI models that find software vulnerabilities in minutes expose the gap in South Africa's patching infrastructure
Posted by Editorial on 22/04/2026 in IT SECURITY
Three cybersecurity practitioners argue that audit-driven security and weekly patching cycles cannot keep pace with automated vulnerability discovery, and that the country's readiness is uneven at best

NEC XON’s Armand Kruger.
Anthropic, the San Francisco-based AI company that develops the Claude model family, announced Claude Mythos Preview on 7 April, a model whose red-team documentation indicates it can identify software vulnerabilities in minutes. That capability sits against a specific backdrop: according to the Adaptiva State of Patch Management 2025 report, 77% of organisations globally need more than a week to deploy patches. The distance between those two timelines, automated discovery measured in minutes, human remediation measured in days or weeks, is what three South Africa-based cybersecurity practitioners say the country is not equipped to handle.
Armand Kruger, head of cybersecurity at NEC XON, a South African IT services and infrastructure company, said the development changes the basis of how organisations need to approach software security. "It fundamentally shifts security from periodic assurance to continuous exposure management," Kruger said. "The challenge is no longer finding vulnerabilities. It's how quickly you can prioritise and remediate them."
Kruger's position is that the response has to be structural, not incremental. "Our approach moves away from audit-driven security towards architecture-led security, where systems are designed to limit blast radius, enforce least privilege and reduce the impact of inevitable flaws." On the state of the South African market specifically, he was direct. "The South African market is not fully prepared for this shift. Most organisations still operate on periodic testing models and fragmented tooling, which will struggle in a world of continuous discovery." He acknowledged pockets of maturity, particularly in financial services, but said the broader picture is uneven. "The risk is not a lack of tools. It's a lack of architectural thinking and operational readiness."
Phaphani Boya, head of information security and risk at Sanlam, one of South Africa's largest financial services groups, pointed to recent compromises at government entities as evidence the country is already behind. Speaking at a Cape Town event hosted by TrendAI, the rebranded enterprise division of Trend Micro, a Japanese-headquartered cybersecurity company, Boya said the breaches were not isolated cases. "As a South African industry, if we were prepared, we wouldn't have seen that much."
Boya also raised a problem with remediation timelines that many organisations have not yet confronted. Standard industry windows of seven to 90 days for patching were already under pressure. When discovery is automated and operates at machine speed, those windows compress further. A seven-day remediation cycle, Boya said, is now effectively the window in which exploitation happens, not the window in which it is prevented.
Zaheer Ebrahim, solutions engineer at TrendAI covering the Asia-Pacific, Middle East and Africa region, demonstrated the practical risk through a simulation targeting OpenClaw, an open-source AI agent framework with known susceptibility to adversarial prompts. In the scenario, an attacker embedded a malicious instruction inside an ordinary email. When an AI agent processed the message, it executed the instruction rather than simply reading the content. "It extracted the passwords and replied to our e-mail and gave us all the passwords," he said.
The economics of the shift compound the problem. Kruger noted that vulnerability discovery is becoming cheap while remediation remains the most expensive and time-constrained activity in the security chain. His recommendation is to move security into the development lifecycle rather than treat it as a check applied after production. Boya sees the same logic from the other direction: embedding automated analysis into the development pipeline before code reaches production, catching weaknesses before they become liabilities, with an AI that can "assess that code before they even compile, before they even put it into the testing environment, which is able to find all the weaknesses and also give the developer an opportunity for what to fix."
On whether CISOs should be alarmed, Kruger resisted the framing. "Panic is not useful. But urgency is required." For organisations still running delayed patching cycles and periodic audit models, his message was unambiguous. "This is not a future problem. It's an acceleration of what is already happening."