Cybersecurity solutions provider Fortinet is warning that the continuing trend of cybercriminals using artificial intelligence (AI) and automation will grow in 2026, according to its 2026 Cyberthreat Predictions Report.
The Fortinet report finds that cybercrime is evolving into an organized industry, because of automation, specialization, and AI. Success in both attack and defense will depend less on creating new tools and more on how quickly information can be turned into action.
“The findings clearly show that cybercrime is no longer an opportunistic activity, it is an industrialized system operating at machine speed,” said Jonas Walker, director of Threat Intelligence APAC & Middle East, FortiGuard Labs. “As automation, specialization, and AI redefine every stage of the attack lifecycle, the time between compromise and consequence continues to collapse.”
Fortinet says AI and automation will make attacks faster and easier, allowing criminals to focus on refining existing techniques rather than inventing new ones. AI systems will handle tasks such as reconnaissance, intrusion, parsing stolen data, and generating ransom messages. Autonomous cybercrime agents on the dark web may begin executing attacks with minimal human oversight.
These changes will expand attacker capacity. A ransomware operator that previously managed a few campaigns could soon run dozens simultaneously, and the time from intrusion to impact could drop from days to minutes, making speed the main risk factor for organizations.
“For defenders, the shift we are seeing is profound. Static configurations and periodic assessments can’t keep pace with an environment where attackers automate reconnaissance, privilege escalation, and extortion in minutes,” said Bambi Escalante, country manager, Fortinet Philippines.
FortiGuard Labs predicts specialized AI agents will help cybercriminals in stages like credential theft, lateral movement, and data monetization. AI will also speed up monetization of stolen data by quickly analyzing databases, prioritizing victims, and generating personalized extortion messages.
The underground economy will become more structured in 2026. Botnet and credential-rental services will offer more tailored access based on industry, location, and system type. Black markets may adopt customer service, reputation scores, and automated escrow, pushing cybercrime toward full industrialization.
“Cybersecurity has become a race of systems, not individuals, and organizations will need integrated intelligence, continuous validation, and real-time response to stay ahead of adversaries who measure success by throughput, not novelty,” Walker said.
Security operations are expected to move toward “machine-speed defense,” compressing detection and response from hours to minutes. Tools like continuous threat exposure management (CTEM) and MITRE ATT&CK frameworks will help defenders map threats, identify exposures, and prioritize actions in real time. Managing non-human identities, such as AI agents and automated processes, will become crucial to preventing large-scale data breaches.
The report also calls for global collaboration. Initiatives like INTERPOL’s Operation Serengeti 2.0 and the Fortinet-Crime Stoppers International Cybercrime Bounty program show how intelligence sharing and coordinated efforts can disrupt criminal networks. Education programs aimed at young or at-risk populations are expected to remain important in preventing the next generation of cybercriminals.
Also, FortiGuard Labs predicts that by 2027, cybercrime will operate on a scale similar to legitimate global industries. AI-driven agents could coordinate tasks semi-independently, while supply-chain attacks may target AI and embedded systems.
“What organizations need is a unified, adaptive security posture, one that brings together threat intelligence, exposure management, and incident response into a continuous, AI-enabled workflow,” Escalante said.