Automation, AI, and Scale Will Define the Next Phase of the Global CyberthreatLandscapeBy Derek Manky, Chief Security Strategist and Global Vice-President, Threat Intelligence, FortinetEach year, FortiGuard Labs analyzes how technology, economics, and human behavior shapeglobal cyber risk. The 2026 Cyberthreat Predictions Report outlines a turning point in that evolution.Cybercrime will continue to evolve into an organized industry, built on automation, specialization,and artificial intelligence (AI). But in 2026, success in both offense and defense will be determinedless by innovation than by throughput: how quickly intelligence can be turned into action.From Innovation to ThroughputBecause AI, automation, and a mature cybercrime supply chain will make intrusion faster andeasier than ever, attackers will spend less time inventing new tools and more time refining andautomating techniques that already work. AI systems will manage reconnaissance, accelerateintrusion, parse stolen data, and generate ransom negotiations. At the same time, autonomouscybercrime agents on the dark web will begin executing entire attack stages with minimal humanoversight.These shifts will exponentially expand attacker capacity. A ransomware affiliate that once manageda handful of campaigns will soon be able to launch dozens in parallel. And the time betweenintrusion and impact will shrink from days to minutes, making speed the defining risk factor fororganizations in 2026.The Next Generation of OffenseFortiGuard Labs expects to see the emergence of specialized AI agents designed to assistcybercriminal operations. Although these agents will not yet operate independently, they will beginto automate and enhance critical stages of the attack chain, including credential theft, lateralmovement, and data monetization.At the same time, AI will accelerate the monetization of data. Once attackers gain access to stolendatabases, AI tools will instantly analyze and prioritize them, determine which victims offer thehighest return, and generate personalized extortion messages. As a result, data will becomecurrency faster than ever before.The underground economy will also become more structured. Botnet and credential-rental serviceswill become increasingly tailored in 2026. Data enrichment and automation will enable sellers tooffer more specific access packages based on industry, geography, and system profile, replacingthe generic bundles that dominate today’s underground markets. Black markets will adopt
customer service, reputation scoring, and automated escrow. Due to these innovations,cybercrime will accelerate its evolution toward full industrialization.The Evolution of DefenseDefenders will need to respond with the same efficiency and coordination. In 2026, securityoperations will move closer to what FortiGuard Labs describes as machine-speed defense—acontinuous process of intelligence, validation, and containment that compresses detection andresponse from hours to minutes.Frameworks such as continuous threat exposure management (CTEM) and MITRE ATT&CK will needto be leveraged so defenders can quickly map active threats, identify exposures, and prioritizeremediation based on live data. Identity will also need to become the foundation of securityoperations, as organizations will need to not only authenticate people but also automated agents,AI processes, and machine-to-machine interactions.Managing these non-human identities will become critical to preventing large-scale privilegeescalation and data exposure.Collaboration and DeterrenceIndustrialized cybercrime will also demand a more coordinated global response. Initiatives such asINTERPOL’s Operation Serengeti 2.0, supported by Fortinet and other private-sector partners,demonstrate how joint intelligence sharing and targeted disruption can dismantle criminalinfrastructure. New initiatives, such as the Fortinet-Crime Stoppers International CybercrimeBounty program, will enable global communities to safely report cyberthreats, helping to scaledeterrence and accountability.FortiGuard Labs also expects to see continued investment in education and deterrence programsthat target young or at-risk populations who are being drawn into online crime. Preventing the nextgeneration of cybercriminals will depend on redirecting them before they enter the ecosystem.Looking AheadBy 2027, cybercrime is expected to function at a scale comparable to legitimate global industries.FortiGuard Labs predicts further automation of offensive operations through agentic AI models,where swarm-based agents will begin coordinating tasks semi-autonomously and adapting todefender behavior, alongside increasingly sophisticated supply-chain attacks targeting AI andembedded systems.Defenders will need to evolve as well, leveraging predictive intelligence, automation, and exposuremanagement to contain incidents faster and anticipate adversary behavior. The next stage ofcybersecurity will depend on how effectively humans and machines can operate together asadaptive systems.
Velocity and scale will define the decade ahead. Organizations that unify intelligence, automation,and human expertise into a single, responsive system will be the ones best able to withstand whatcomes next.Read the full Fortinet 2026 Cyberthreat Predictions report to explore detailed forecasts, sector-specific insights, and strategies for building resilience in the era of industrialized cybercrime
Inside the Industrialization of Cybercrime: What to Expect in2026
