
Small software bugs that developers once safely ignored can now be strung together by AI into working exploits – and the code to launch those attacks at scale generated on demand. That is the warning from Meerah Rajavel, global CIO of Palo Alto Networks, who spoke to TechCentral during a visit to South Africa this week.
Rajavel’s company was one of a handful given early access to frontier AI models, among them Anthropic’s Mythos and OpenAI’s GPT-5.5-cyber. Testing them against real security problems surfaced three things, she said. The models are adept at finding vulnerabilities, which was expected. Less expected was how good they are at chaining those individual weaknesses into novel attack paths that do not feature in the established attacker playbook, and then, using their code-generation ability, producing the exploits to run those attacks in parallel rather than one by one.
“Small bugs developers used to safely ignore can now be chained into real exploits,” Rajavel said. “The old rankings-based approach to security, where you patch the worst-rated issues first, has been rendered obsolete.”
This is a concern, because if a low-priority bug can become one link in a chain that ends somewhere serious, fixing the worst-rated issues first no longer offers the protection it once did.
Rajavel expects the capabilities she has been testing to be widely available within three to five months. Her message to South African organisations nervous about moving quickly on AI is that the choice to go slow has already gone. “Adversaries are not asking permission,” she said. The productivity case and the defensive case now point the same way: an organisation that is going to invest in AI to protect itself may as well use the same capability to run the business faster. “I’d rather use it for my own benefit, which is a higher ROI than just protecting myself.”
‘Perfect storm’
She argued that organisations in Africa face a particular kind of exposure. Citing industry figures showing African organisations face roughly 60% more attacks than the global average, she described a “perfect storm”: security postures in developing markets that have not yet matured, sitting alongside a concentration of fintech well ahead on digitisation. That combination, she said, means attackers do not have to go scouting – they can go straight to the source. A young population embracing technology “without the fear”, absent infrastructure-level standards and government involvement, compounds the risk.
Her solution involves a sharp pivot to the concept of “zero trust”. Perimeter defences alone are not enough, she said, because anything that slips through then has free rein inside. She was especially pointed on AI agents, which she said behave as though striving for their own existence and will pursue a goal relentlessly, exploiting any vulnerability in their path to reach it. Organisations should not hand an agent their full standing privileges, she said, but scope its permissions to the single action required.
Read: Autonomous AI agents emerge as the next major cybersecurity risk
For all the automation, Rajavel does not believe full autonomy is close. She likened the state of the art to self-driving cars: Waymo works because roads are largely static, whereas the threat landscape changes continuously. AI will take on more of the known work, she said, but a human will stay in the loop for the unknown, the role shifting from builder towards trainer and operator.

The scale is already considerable. Palo Alto’s own security operations centre processes some 90 billion events a day, she said, which around 5 000 AI models distil to roughly 75 actionable alerts, a large share handled without human involvement.
Governance and law have always trailed innovation, she said, but AI is widening that gap faster than cloud ever did – and this time there is no decade in which to think it through. – © 2026 NewsCentral Media
- Subscribe to TechCentral’s daily newsletter
- Get breaking news alerts on WhatsApp




