–
fortinet® (NASDAQ: FTNT), a global cybersecurity leader driving the convergence of networking and security, today announced that 2026 Global Threat Landscape Report From FortiGuard Labs. Derived solely from telemetry, FortiGuard Labs’ latest annual report is a snapshot of the active threat landscape and trends from 2025, including comprehensive analysis across all tactics used in cyberattacks, as outlined in the MITER ATT&CK framework. This data reveals that cybercrime no longer operates as a series of isolated campaigns, but as a system in which malicious hackers operate across the end-to-end lifecycle and compress the attack lifecycle with shadow agents.
“Cybercrime is one of the most pervasive and costly threats in the world, and our latest threat is Global Threat Landscape Report “We’re revealing how malicious adversaries are beginning to leverage agent AI to carry out more sophisticated attacks,” said Derek Mankey, chief security strategist and global vice president of threat intelligence at Fortinet FortiGuard Labs. They need to deploy the tools to respond,” said Derek Mankey, chief security strategist and global VP of threat intelligence at Fortinet FortiGuard Labs.
Attack techniques and targeted sectors in today’s threat landscape
Modern cybercrime transcends borders, sectors, and even the traditional definition of crime itself. Latest key findings from FortiGuard Labs as attacks become more sophisticated and interconnected Global Threat Landscape Report reveal:
- Velocity defines risk as time to exploitation (TTE) decreases. As AI accelerates reconnaissance, weaponization, and execution, FortiGuard Intelligence shows that the TTE for significant outbreaks is 24 to 48 hours, a significant increase from a previous report that found the TTE to be 4.76 days. Real-world incidents reflect that outcomes can be determined in minutes. Active exploitation attempts were made within hours of the React2Shell vulnerability being disclosed.
- Ransomware victims are on the rise: FortiRecon’s adversary intelligence has identified 7,831 confirmed ransomware victims worldwide. This is a jump from around 1,600 victims identified worldwide. Fortinet 2025 Global Threat Landscape Report. The availability of crime service kits such as WormGPT, FraudGPT, and BruteForceAI contributed to this 389% year-over-year (YoY) increase. The top three sectors targeted include manufacturing (1,284), business services (824), and retail (682). Geographically concentrated in the United States (3,381 cases), Canada (374 cases), and Germany (291 cases).
- Identity sprawl defines exposure to the cloud. FortiCNAPP Intelligence confirms that the majority of cloud incidents observed throughout 2025 were due to credential theft, compromise, and misuse, rather than infrastructure abuse. Sector analysis shows that hospitals/clinics and retail stores are the primary targets. Their large identity populations, federated access models, and complex cloud integrations make them prime targets for malicious hackers.
Inside the habits of modern cybercriminals, powered by AI
as FortiGuard Labs Cyber Threat Predictions for 2026 Our prediction is that the most capable threat groups will function as semi-autonomous enterprises supported by shadow agents, access brokers, and botnet operators that provide services on demand. Main findings from 2026 Global Threat Landscape Report show:
- Shadow agents reduce operator skill requirements while increasing workflow speed. FortiRecon Dark Web signals the capture of AI-enabled offensive tools being promoted as services and products, including enhanced versions of WormGPT and FraudGPT, and new services such as HexStrike AI, an offensive AI tool with automatic reconnaissance attack path generation. BruteForceAI is a penetration testing tool that integrates large-scale language models (LLM) for intelligent form analysis and can perform advanced multi-threaded attacks.
- AI allows criminals to act smarter. FortiGate IPS telemetry recorded 22% decrease The number of brute force attempts has increased year over year, indicating improved efficiency. Optimized and intelligent brute force techniques allow attackers to make fewer attempts against better-selected targets, increasing the probability of success for each credential tested. This activity equates to approximately 67.65 billion brute force events worldwide, or approximately 185 million attempts per day. 1.3 billion attempts per week. 5.6 billion attempts per month. At the same time, intelligence revealed that it was 25.49%. increase Global exploitation attempts increased year over year.
- Stolen datasets are more popular than leaked credentials. in 2025 Global Threat Landscape ReportFortiGuard Labs observed a 500% increase in logs available from systems compromised by infostealer malware. In 2026, FortiRecon Intelligence found an additional 79% increase, revealing a shift to more comprehensive data set theft enabled by agent AI. Within dark web “database” activity, stealer logs accounted for advertising and sharing datasets (67.12%), ahead of combolists (16.47%) and credential leaks (5.96%). Stealer logs reduce effort for attackers by bundling context artifacts and identity material, such as browser-resident data, allowing for instant replay and faster conversion than brute force or password spray.
- Credential-stealing malware persists. Credential-stealing malware remains a lucrative industry and the primary upstream engine for exposure generation. FortiRecon telemetry shows stealer activity dominated by RedLine: 911,968 infections (50.80%). Luma: 499,784 (27.84%); Vidal: 236,778 (13.19%).
Turning awareness into action: Disrupting the cybercrime ecosystem
Fortinet is committed to stopping cybercrime by collecting and sharing threat intelligence and proactively working to combat cyberthreats globally.
A recent collaboration led by Interpol and supported by Fortinet through the World Economic Forum Cybercrime Atlas disrupted cybercrime networks. Operation Red Card 2.0 devastated the infrastructure and operators behind online fraud, mobile money fraud, and fraudulent loan applications in Africa. Fortinet is a founding member of Cybercrime Atlas, a global public-private partnership hosted by the World Economic Forum. The Atlas uses open-source intelligence to map cybercrime networks, identify infrastructure vulnerabilities, and support joint disruption operations with law enforcement, such as recent Operation Red Card 2.0 and Operation Serengeti 2.0.
of 2026 Global Threat Landscape Report Encouraging the prevention of cybercrime has never been more important. To help defenders stay ahead of cybercriminals, Fortinet and Crimestoppers International launched the Cybercrime Bounty Program to provide a secure, anonymous channel for citizens and ethical hackers to submit information about cyberthreats.
Learn how FortiGuard Labs Advisory Services combines cutting-edge technology and expert services to strengthen your organization’s security posture before threats emerge. FortiGuard Outbreak Alerts provide critical information about ongoing cybersecurity attacks that have a significant impact on businesses, organizations, and industries. When an incident occurs, FortiGuard Labs provides a quick and effective response and detailed forensic analysis to minimize impact, prevent future intrusions, and provide comprehensive protection for today’s increasingly volatile digital environments.
Register for a FortiGuard Labs webinar to hear experts break down the threats that will define 2026 and what they mean for your organization.
additional resources
About Fortinet
fortinet (NASDAQ: FTNT) is a driving force in the evolution of cybersecurity and the convergence of networking and security. Our mission is to protect people, devices, and data everywhere, and today we deliver cybersecurity where you need it with the largest integrated portfolio of more than 50 enterprise-grade products. Well over half a million customers trust Fortinet’s solutions, which are among the most deployed, most patented and most tested in the industry. of Fortinet Training Instituteis one of the industry’s largest and most extensive training programs, dedicated to making cybersecurity training and new career opportunities available to everyone. collaboration with respected organization Collaboration from both the public and private sectors, including CERT, government agencies, and academia, is a fundamental aspect of Fortinet’s efforts to strengthen cyber resilience around the world. Fortiguard InstituteFortinet’s elite threat intelligence and research organization develops and leverages cutting-edge machine learning and AI technology to deliver timely, consistent, and top-rated protection and actionable threat intelligence to our customers. Learn more here https://www.fortinet.com, Fortinet Blogand Fortiguard Institute.
Copyright © 2026 Fortinet Corporation, All Rights Reserved. The ® and ™ symbols indicate federally registered and common law trademarks, respectively, of Fortinet, Inc., its subsidiaries and affiliates. Fortinet trademarks include, but are not limited to: Fortinet, the Fortinet logo, FortiGate, FortiOS, FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC, FortiClient, FortiCloud, FortiMail, FortiSandbox, FortiADC, FortiAI, FortiAIOps, FortiAgent, FortiAntenna, FortiAP, FortiAPCam, FortiAuthenticator, FortiCache, FortiCall, FortiCam, FortiCamera, FortiCarrier, FortiCASB, FortiCentral, FortiCNP, FortiConnect, FortiController, FortiConverter, FortiCSPM, FortiCWP, FortiDAST, FortiDB, FortiDDoS, FortiDeceptor, FortiDeploy, FortiDevSec, FortiDLP, FortiEdge, FortiEDR, FortiExplorer, FortiExtender, FortiFirewall, FortiFlex FortiFone, FortiGSLB, FortiGuest, FortiHypervisor, FortiInsight, FortiIsolator, FortiLAN, FortiLink, FortiMonitor, FortiNAC, FortiNDR, FortiPAM, FortiPenTest, FortiPhish, FortiPoint, FortiPolicy, FortiPortal, FortiPresence, FortiProxy, FortiRecon, FortiRecorder, FortiSASE, FortiScanner, FortiSDNConnector, FortiSIEM, FortiSMS, FortiSOAR, FortiSRA, FortiSt ack, FortiSwitch, FortiTester, FortiToken, FortiTrust, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLM, FortiXDR, and Racework FortiCNAPP.
All other trademarks are the property of their respective owners. Fortinet has not independently verified, and Fortinet does not independently endorse, any statements or certifications herein attributed to third parties. Notwithstanding anything to the contrary herein, nothing in this Agreement shall constitute a warranty, guaranty, covenant, binding specification or other binding undertaking by Fortinet, or any indication of intent with respect to a binding undertaking, and the performance and other specification information herein may be specific to particular environments.
Media Contact: Travis Anderson Fortinet, Inc. 408-235-7700 pr@fortinet.com Investor Contact: Anthony Luscri Fortinet, Inc. 408-235-7700 investors@fortinet.com Analyst Contact: Sarah Goodwin Fortinet, Inc. 408-832-1428 sgoodwin@fortinet.com
