Fortinet publishes the 2026 Cyber Threat Outlook Report on the 8th. /Courtesy of Fortinet

Fortinet said in its 2026 cyber threat outlook report published on the 8th that cybercrime is rapidly being reorganized into an organized industry based on artificial intelligence (AI), automation, and specialization.

It noted in particular that next year, the speed at which threat intelligence is put into action will determine the success or failure of both offense and defense. The report said, "Due to AI, automation, and a cybercrime supply chain that has reached a mature stage, the intrusion process is being shortened at a rapid pace, and attackers are focusing on automating and advancing techniques already proven effective instead of creating new tools," adding, "AI systems are broadly automating attack stages such as reconnaissance, accelerated infiltration, data analysis, and generation of negotiation messages, and on the dark web, autonomous criminal agents capable of carrying out a series of attack procedures with minimal intervention are even emerging."

As a result, attackers' processing capacity is expanding exponentially, the report found. Cybercriminals who used to run only a few ransomware campaigns are becoming able to execute dozens of attacks in parallel, and the time from intrusion to actual damage is shrinking from days to minutes. Fortinet projected that this attack speed will become the most significant risk factor facing organizations in 2026.

The report also found that specialized AI agents supporting cybercrime operations are becoming more prominent. The report said, "They have not yet achieved full autonomy, but they are automating key stages of the attack chain—credential theft, lateral movement, and data monetization—thus intricately underpinning organized criminal activity," adding, "Furthermore, AI performs analysis of stolen data, prioritization of victims, and generation of personalized extortion messages, creating an environment where data is quickly converted into monetary value like digital 'currency.'"

The underground criminal market is also becoming more structured. Fortinet explained that the industrialization of cybercrime is rapidly advancing as customized access-rights packages tailored to industries, regions, and system environments spread, and as transactions are refined through data augmentation and automation.

Fortinet emphasized that, amid these changes, it is essential for organizations to establish a machine-speed defense system. Machine-speed defense is an operating model that continuously automates the collection, validation, and isolation of threat intelligence, compressing detection and response times from hours to minutes.

It also said that as communications among AI systems, automation agents, and machines inside organizations surge, non-human identity management is becoming a new core pillar of security operations. This means that interactions among automated processes and machines, not only those involving people, must be authenticated and controlled to prevent large-scale privilege escalation and data exposure.

Fortinet predicted that by 2027, cybercrime will reach a scale comparable to global legitimate industries. It expected attackers to run operations that adapt to defenders' behavior using swarm-based automation, in which multiple AI agents collaborate like a cluster. Supply chain attacks targeting AI and embedded systems are also expected to become more sophisticated.

The report said, "Speed and scale will define the next 10 years," adding, "Only organizations that integrate intelligence, automation, and the capabilities of security personnel into a single responsive system will be able to gain the upper hand in the future threat environment."
