SYDNEY AUSTRALIA, May 1, 2026: Fortinet® (NASDAQ: FTNT), the global cybersecurity leader driving the convergence of networking and security, today released the 2026 Global Threat Landscape Report from FortiGuard Labs. The latest annual report, derived exclusively from FortiGuard Labs telemetry, provides a snapshot of the active threat landscape and trends from 2025, including a comprehensive analysis across all tactics cybercriminals use, as outlined in the MITRE ATT&CK framework. The data reveals that cybercrime no longer functions as a series of isolated campaigns; it now operates as a system, with malicious hackers operating across an end-to-end life cycle and compressing the attack timelines with shadow agents.

Derek Manky, chief security strategist and global VP of threat intelligence, Fortinet FortiGuard Labs, said, “Cybercrime is one of the world’s most pervasive and costly threats, and Fortinet’s latest Global Threat Landscape Report reveals how malicious actors are beginning to leverage agentic AI to execute more sophisticated attacks. As cybercriminals increasingly use AI to bolster their tactics, cyber defenders must evolve cybersecurity operations into an industrialised defence and adopt AI-enabled tools that respond at the same velocity as modern threats.”

Cornelius Mare, Chief Information Security Officer, Australia, Fortinet, said, “Organisations across Australia and New Zealand are facing a step change in how cyber threats operate. Threat activity has shifted from isolated attacks to highly coordinated operations, where adversaries use automation and AI to move faster and scale their impact.”

“Identity has become a primary attack vector, particularly across cloud environments. For local organisations, this highlights the need to focus on fundamentals such as visibility, identity security, and rapid response, alongside adopting AI-enabled defence strategies that operate at the same speed as the threats. The challenge is no longer just stopping individual attacks but disrupting the broader cybercrime ecosystem. This requires a more integrated approach to cybersecurity, where threat intelligence, automation, and collaboration work together to help organisations reduce risk and respond more effectively.”

Attack techniques and targeted sectors in today’s threat landscape

Modern cybercrime crosses borders and sectors, and even traditional definitions of crime itself. As attacks grow more sophisticated and interconnected, key findings from the latest FortiGuard Labs Global Threat Landscape Report reveal:

• Velocity defines risk as time-to-exploit (TTE) shrinks: As AI accelerates reconnaissance, weaponisation, and execution, FortiGuard Intelligence shows that TTE is 24-48 hours for critical outbreaks, a sharp increase from earlier reports that revealed a TTE of 4.76 days. Real-world incidents reflect how minutes can define outcomes: Active exploitation attempts were made within hours of the React2Shell vulnerability public disclosure.
• Ransomware victims skyrocket: FortiRecon adversary intelligence identified 7,831 confirmed ransomware victims globally, skyrocketing from approximately 1,600 identified victims in the Fortinet 2025 Global Threat Landscape Report. Crime service kits like WormGPT, FraudGPT, and BruteForceAI are widely available and contributed to this 389 per cent increase year-over-year (YoY). The top three targeted sectors include manufacturing (1,284), business services (824), and retail (682). Geographic concentration includes the U.S. (3,381), Canada (374), and Germany (291).
• Identity sprawl defines cloud exposure: FortiCNAPP intelligence confirms that throughout 2025, most confirmed cloud incidents originated from stolen, exposed, or misused credentials rather than from infrastructure exploitation. Sector analysis shows hospitals/physician clinics and retail establishments as the #1 target. Large identity populations, federated access models, and complex cloud integrations make these prime targets for malicious hackers.

Inside the habits of modern, AI-enabled cybercriminals

As FortiGuard Labs Cyberthreat Predictions for 2026 projected, the most capable threat groups function as semi-autonomous enterprises, supported by shadow agents, access brokers, and botnet operators who provide services on demand. Key findings from the 2026 Global Threat Landscape Report show:

• Shadow agents reduce operator skill requirements while increasing workflow speed. FortiRecon dark web signals captured AI-enabled offensive tooling advertised as services and products, including enhanced versions of WormGPT and FraudGPT, and novel services like HexStrike AI, an offensive AI tool with automated reconnaissance attack path generation; and BruteForceAI, a penetration testing tool that integrates large language models (LLMs) for intelligent form analysis and can execute sophisticated multi-threaded attacks.
• With AI, criminals work smarter, not harder. FortiGate IPS telemetry recorded a 22 per cent decrease in brute force attempts YoY, pointing to efficiency gains: With optimised, intelligent brute force techniques, threat actors are making fewer attempts against better-selected targets, increasing success probability per credential tested. This activity equals about 67.65 billion brute force events globally, with approximately 185 million attempts per day; 1.3 billion attempts per week; and 5.6 billion attempts per month. At the same time, intelligence revealed a 25.49 per cent increase in global exploitation attempts YoY.
• Stolen datasets are more popular than leaked credentials. In the 2025 Global Threat Landscape Report, FortiGuard Labs observed a 500 per cent increase in logs available from systems compromised by infostealer malware. In 2026, FortiRecon intelligence found an additional 79 per cent increase and revealed a shift toward theft of more comprehensive data sets, enabled by agentic AI. Within dark web “database” activity, stealer logs dominated advertised and shared datasets (67.12 per cent), exceeding combolists (16.47 per cent) and leaked credentials (5.96 per cent). Stealer logs reduce attacker effort by bundling identity material with contextual artifacts, including browser-resident data, enabling immediate replay and faster conversion than brute force or password spraying.
• Credential-stealer malware persists. Credential-stealer malware remains a lucrative industry and primary upstream engine for exposure generation. FortiRecon telemetry shows stealer activity dominated by RedLine: 911,968 infections (50.80 per cent); Lumma: 499,784 (27.84 per cent); and Vidar: 236,778 (13.19 per cent).

Putting awareness into action: disrupting cybercriminal ecosystems.

Fortinet is committed to disrupting cybercrime by collecting and sharing threat intel and actively working to combat cyberthreats on a global scale.

A recent collaborative effort spearheaded by INTERPOL and supported by Fortinet through the World Economic Forum Cybercrime Atlas resulted in the takedown of a cybercriminal network. Operation Red Card 2.0 took down infrastructure and operators behind online scams, mobile money fraud, and fraudulent loan applications in Africa. Fortinet is a founding member of the Cybercrime Atlas, a global public-private collaboration hosted by the World Economic Forum that uses open-source intelligence to map cybercriminal networks, identify infrastructure vulnerabilities, and support joint disruption operations with law enforcement, such as the recent Operation Red Card 2.0 and Operation Serengeti 2.0.

The 2026 Global Threat Landscape Report reveals that incentivising cybercrime disruption has never been more important. To empower defenders to stay ahead of cybercriminals, Fortinet and Crime Stoppers International launched the Cybercrime Bounty program to provide a secure, anonymous channel for citizens and ethical hackers to submit information about cyberthreats.

Discover how FortiGuard Labs Advisory Services combine cutting-edge technology and expert services to help organisations strengthen their security posture before threats emerge. FortiGuard Outbreak Alerts provide key information about ongoing cybersecurity attacks with significant ramifications affecting companies, organisations and industries. In the event of an incident, FortiGuard Labs offers swift, effective response and in-depth forensic analysis to minimise impact and prevent future intrusions, delivering comprehensive protection in today’s increasingly volatile digital landscape.

Register for the FortiGuard Labs webinar to hear experts break down the threats defining 2026 and what they mean for your organisation.

Additional Resources

• Download a copy of the 2026 Global Threat Landscape Report from FortiGuard Labs.
• Learn more about FortiGuard Labs threat intelligence and research and outbreak alerts, which provide timely steps to mitigate breaking cybersecurity attacks.
• Learn more about Fortinet’s roles as a founding member of the Cybercrime Atlas.
• Read about the Fortinet Security Fabric.
• Visit fortinet.com/trust to learn about Fortinet innovation, collaboration partners, product security processes, and enterprise-grade products.
• Read about how Fortinet customers are securing their organisations.
• Learn about Fortinet’s commitment to product security and integrity, including its responsible product development and vulnerability disclosure approach and policies.
• Follow Fortinet on X, LinkedIn, Facebook, and Instagram. Subscribe to Fortinet on our blog or YouTube.

About Fortinet

Fortinet (NASDAQ: FTNT) is a driving force in the evolution of cybersecurity and the convergence of networking and security. Our mission is to secure people, devices, and data everywhere, and today we deliver cybersecurity everywhere you need it with the largest integrated portfolio of over 50 enterprise-grade products. Well over half a million customers trust Fortinet’s solutions, which are among the most deployed, most patented, and most validated in the industry. The Fortinet Training Institute, one of the largest and broadest training programs in the industry, is dedicated to making cybersecurity training and new career opportunities available to everyone. Collaboration with esteemed organisations from both the public and private sectors, including CERTs, government entities, and academia, is a fundamental aspect of Fortinet’s commitment to enhance cyber resilience globally. FortiGuard Labs, Fortinet’s elite threat intelligence and research organisation, develops and utilises leading-edge machine learning and AI technologies to provide customers with timely and consistently top-rated protection and actionable threat intelligence. Learn more at https://www.fortinet.com, the Fortinet Blog, and FortiGuard Labs.

Copyright © 2026 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet’s trademarks include, but are not limited to, the following: Fortinet, the Fortinet logo, FortiGate, FortiOS, FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC, FortiClient, FortiCloud, FortiMail, FortiSandbox, FortiADC, FortiAI, FortiAIOps, FortiAgent, FortiAntenna, FortiAP, FortiAPCam, FortiAuthenticator, FortiCache, FortiCall, FortiCam, FortiCamera, FortiCarrier, FortiCASB, FortiCentral, FortiCNP, FortiConnect, FortiController, FortiConverter, FortiCSPM,FortiCWP, FortiDAST, FortiDB, FortiDDoS, FortiDeceptor, FortiDeploy, FortiDevSec, FortiDLP, FortiEdge, FortiEDR, FortiExplorer, FortiExtender, FortiFirewall, FortiFlex FortiFone, FortiGSLB, FortiGuest, FortiHypervisor, FortiInsight, FortiIsolator, FortiLAN, FortiLink, FortiMonitor, FortiNAC, FortiNDR, FortiPAM, FortiPenTest, FortiPhish, FortiPoint, FortiPolicy, FortiPortal, FortiPresence, FortiProxy, FortiRecon, FortiRecorder, FortiSASE, FortiScanner, FortiSDNConnector, FortiSIEM, FortiSMS, FortiSOAR, FortiSRA, FortiStack, FortiSwitch, FortiTester, FortiToken, FortiTrust, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLM, FortiXDR and Lacework FortiCNAPP.

Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments.