Fortinet’s analysis shows threat actors increasingly operating as service-based ecosystems, using readily available tools and stolen data to streamline and scale cyberattacks.
Cybercriminals are now exploiting new vulnerabilities within hours or days, shrinking defender response windows to near zero, as speed, reuse and automation — not exploit sophistication — increasingly define cyber risk across network, cloud, hybrid and endpoint environments, according to Fortinet’s 2026 Global Threat Landscape Report.
The report found that ransomware victims increased 389% year over year, with cybercriminals leveraging artificial intelligence to scale attacks.
According to the company, AI is being used to automate and enhance cyberattacks, contributing to the growing volume and effectiveness of malicious activity.
The findings are based on threat intelligence collected and analyzed by Fortinet’s research teams, providing insight into trends observed across the global threat landscape.
The report also outlines how cybercrime continues to evolve, with attackers adopting new tools and techniques to increase the speed and scale of attacks.
Inside the habits of modern, AI-enabled cybercriminals
The report describes how the most capable threat groups operate as semi-autonomous enterprises, supported by service providers such as access brokers and botnet operators. Key findings include:
- AI-enabled tools lower barriers and accelerate attacks: Dark web intelligence identified offensive AI tools offered as services, including enhanced versions of WormGPT and FraudGPT, along with tools such as HexStrike AI for automated reconnaissance and BruteForceAI for LLM-driven attack execution.
- Fewer attempts, higher efficiency: FortiGate IPS telemetry recorded a 22% decrease in brute force attempts year over year, alongside a 25.49% increase in exploitation attempts. Activity still reached about 67.65 billion brute force events globally, including roughly 185 million per day.
- Shift toward larger stolen datasets: FortiRecon data showed a 79% increase in stolen data availability, with stealer logs accounting for 67.12% of datasets, compared to combolists at 16.47% and leaked credentials at 5.96%.
- Credential-stealer malware remains prevalent: Telemetry showed continued dominance by stealer families, including RedLine with 911,968 infections, Lumma with 499,784 and Vidar with 236,778.
Fortinet said the report is intended to help organizations better understand emerging threats and apply that intelligence to strengthen cybersecurity strategies.