Attackers are expected to use AI agents for reconnaissance

Fortinet’s 2026 Cyberthreat Predictions Report forecasts cybercrime evolving into a fully industrialised ecosystem driven by AI, automation and specialised tools, where the speed of converting intelligence into action will determine the effectiveness of both attacks and defence.

Fortinet has released its 2026 Cyberthreat Predictions Report, warning that the coming year will mark a dramatic shift in the global cyber landscape. According to FortiGuard Labs, cybercrime is rapidly evolving into an organised, AI-driven industry where attackers will prioritise speed and throughput over novel techniques.

The report says that advances in automation, artificial intelligence and a maturing cybercrime supply chain will allow attackers to launch multiple campaigns simultaneously, drastically shrinking the time from intrusion to impact. Attackers are expected to use AI agents for reconnaissance, intrusion, credential theft and ransom negotiations, transforming cyber operations into high-volume, industrial-scale processes.

“The findings clearly show that cybercrime is no longer an opportunistic activity, it is an industrialized system operating at machine speed. As automation, specialization, and AI redefine every stage of the attack lifecycle, the time between compromise and consequence continues to collapse. The road ahead will be shaped by how quickly defenders can adapt to this reality. Cybersecurity has become a race of systems, not individuals, and organizations will need integrated intelligence, continuous validation, and real-time response to stay ahead of adversaries who measure success by throughput, not novelty,” says Rashish Pandey, Vice President – Marketing & Communications, APAC, Fortinet

“For defenders, the shift we are seeing is profound. Static configurations and periodic assessments can’t keep pace with an environment where attackers automate reconnaissance, privilege escalation, and extortion in minutes. What organizations need is a unified, adaptive security posture, one that brings together threat intelligence, exposure management, and incident response into a continuous, AI-enabled workflow. At Fortinet, our focus is on helping customers build this level of resilience so they can act at the same speed as the threats they face and strengthen their ability to contain attacks before disruption occurs,” says Vivek Srivastava, Country Manager, India & SAARC, Fortinet

The Next Generation of Offense

FortiGuard Labs expects to see the emergence of specialized AI agents designed to assist cybercriminal operations. Although these agents will not yet operate independently, they will begin to automate and enhance critical stages of the attack chain, including credential theft, lateral movement, and data monetization.

At the same time, AI will accelerate the monetization of data. Once attackers gain access to stolen databases, AI tools will instantly analyze and prioritize them, determine which victims offer the highest return, and generate personalized extortion messages. As a result, data will become currency faster than ever before.

The underground economy will also become more structured. Botnet and credential-rental services will become increasingly tailored in 2026. Data enrichment and automation will enable sellers to offer more specific access packages based on industry, geography, and system profile, replacing the generic bundles that dominate today’s underground markets. Black markets will adopt customer service, reputation scoring, and automated escrow. Due to these innovations, cybercrime will accelerate its evolution toward full industrialization.

Defensive strategies must evolve just as quickly. Future-ready organizations will rely heavily on continuous threat exposure management frameworks, MITRE ATT&CK mapping, identity-first security, and automated validation workflows to reduce detection and response times to minutes. Managing non-human identities—including bots, automated agents, and AI models—will become central to preventing privilege escalation and large-scale data compromise.

Vivek Srivastava, Country Manager, India & SAARC at Fortinet, emphasized the need for an adaptive posture: “Static configurations and periodic assessments can’t keep pace with attackers who automate reconnaissance, privilege escalation, and extortion in minutes. What organizations need is a unified, adaptive security posture—one that fuses threat intelligence, exposure management, and incident response into a continuous, AI-enabled workflow.”

 By - Aaradhay Sharma