The cybersecurity landscape is facing a new challenge as artificial intelligence tools, initially designed for defensive security testing, are increasingly being adopted by malicious actors. Researchers have discovered that CyberStrikeAI, an open-source AI security testing platform, was utilized by the same threat actor responsible for a recent, extensive campaign that compromised hundreds of Fortinet FortiGate firewalls. This development underscores a growing trend: the democratization of sophisticated hacking techniques through the power of AI, lowering the barrier to entry for even less skilled cybercriminals.
The initial breach, reported last month, saw over 500 FortiGate devices compromised within a five-week period. The attackers leveraged multiple servers, including one identified as 212.11.64[.]250, to carry out the operation. A report by Team Cymru’s Senior Threat Intel Advisor, Will Thomas (aka BushidoToken), revealed a direct connection between this IP address and the operation of CyberStrikeAI. The researchers identified a “CyberStrikeAI” service banner running on port 8080 on the aforementioned IP address, alongside network communications between that server and the targeted Fortinet FortiGate devices. The campaign infrastructure utilizing CyberStrikeAI was last observed on January 30, 2026, according to Team Cymru’s analysis.
AI-Powered Automation in Cyberattacks
CyberStrikeAI, described in its GitHub repository as an “AI-native security testing platform built in Go,” integrates over 100 security tools. It features an intelligent orchestration engine, predefined security roles, and a skills system designed to streamline the security testing process. The platform’s capabilities extend to automating tasks ranging from vulnerability discovery and attack-chain analysis to knowledge retrieval and result visualization, offering a collaborative testing environment. Crucially, CyberStrikeAI incorporates an AI decision engine compatible with large language models such as GPT, Claude, and DeepSeek, alongside a password-protected web UI and a dashboard for managing vulnerabilities and orchestrating attacks.
The tool’s versatility lies in its ability to conduct a comprehensive attack chain. It incorporates tools for network scanning (nmap, masscan), web and application testing (sqlmap, nikto, gobuster), exploitation frameworks (metasploit, pwntools), password cracking (hashcat, john), and post-exploitation activities (mimikatz, bloodhound, impacket). By combining these tools with AI agents and an orchestrator, CyberStrikeAI empowers even relatively unskilled operators to automate complex attacks. Team Cymru warns that this type of AI-native orchestration could lead to a surge in automated attacks targeting vulnerable edge devices, including firewalls and VPN appliances.
The researchers at Team Cymru observed 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026. The majority of these servers were located in China, Singapore, and Hong Kong, with additional infrastructure identified in the United States, Japan, and Europe. This geographically dispersed infrastructure suggests a coordinated and potentially widespread campaign.
The Developer Behind CyberStrikeAI
Further investigation by Team Cymru focused on the developer of CyberStrikeAI, known by the alias “Ed1s0nZ.” Analysis of the developer’s public GitHub repositories revealed operate on other AI-assisted security tools, including PrivHunterAI, designed to detect privilege escalation vulnerabilities, and InfiltrateX, a privilege escalation scanning tool. This suggests a deliberate effort to create a suite of tools that automate various stages of the cyberattack lifecycle.
Perhaps more concerning, Team Cymru’s research indicates potential connections between the developer and organizations linked to Chinese government-affiliated cyber operations. In December 2025, Ed1s0nZ shared CyberStrikeAI with Knownsec 404’s “Starlink Project.” DomainTools Intelligence has previously reported on Knownsec, a Chinese cybersecurity firm, alleging links to the Chinese government. On January 5, 2026, the developer publicly acknowledged receiving a “CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award” on their GitHub profile. The China National Vulnerability Database (CNNVD) is widely believed to be operated by China’s intelligence community, and is reportedly used to identify vulnerabilities for potential exploitation.
While the developer’s GitHub repositories are primarily written in Chinese, suggesting a Chinese-speaking origin, interaction with domestic cybersecurity organizations is not inherently suspicious. However, the combination of these factors – the sharing of CyberStrikeAI with a potentially state-affiliated firm, the recognition from a database linked to Chinese intelligence, and the tool’s capabilities – raises significant concerns about its potential misuse.
Broader Implications of AI in Cybersecurity
The emergence of CyberStrikeAI and its adoption by threat actors highlights a broader trend: the increasing use of commercial AI services to automate cyberattacks. Last month, Google reported that hackers are actively exploiting its Gemini AI model across all stages of cyberattacks, effectively empowering attackers with varying levels of skill. This trend suggests that AI is not only enhancing the capabilities of sophisticated threat actors but likewise lowering the technical barrier to entry for less experienced individuals.
The accessibility of AI-powered tools like CyberStrikeAI means that attackers can automate reconnaissance, vulnerability scanning, exploitation, and post-exploitation activities with greater efficiency and speed. This poses a significant challenge to cybersecurity professionals, who must adapt their defenses to counter these evolving threats. The speed and scale of AI-driven attacks could overwhelm traditional security measures, making it crucial for organizations to invest in proactive threat detection and response capabilities.
As Will Thomas of Team Cymru explains, “As adversaries increasingly embrace AI-native orchestration engines, we expect to see a rise in automated, AI-driven targeting of vulnerable edge devices, similar to the observed reconnaissance and targeting of Fortinet FortiGate appliances.” He further emphasizes that defenders must prepare for a future where tools like CyberStrikeAI, alongside related projects like PrivHunterAI and InfiltrateX, significantly lower the barrier to entry for complex network exploitation.
What This Means for Cybersecurity Professionals
The adoption of AI-powered tools by malicious actors necessitates a shift in cybersecurity strategies. Organizations must prioritize proactive threat hunting, vulnerability management, and incident response planning. Investing in AI-powered security solutions can help automate threat detection and response, but it’s equally crucial to focus on human expertise and training. Security professionals need to understand how AI is being used by attackers and develop strategies to counter these tactics.
Specifically, organizations should focus on securing edge devices, such as firewalls and VPN appliances, which are often targeted by attackers. This includes implementing strong authentication measures, regularly patching vulnerabilities, and monitoring network traffic for suspicious activity. Organizations should consider adopting a zero-trust security model, which assumes that no user or device is inherently trustworthy and requires verification before granting access to resources.
The increasing sophistication of cyberattacks demands a collaborative approach to cybersecurity. Sharing threat intelligence and best practices among organizations and governments is crucial for staying ahead of evolving threats. By working together, the cybersecurity community can better defend against the growing wave of AI-powered attacks.
The next key development to watch will be the response from Fortinet regarding the ongoing vulnerabilities exploited in these attacks and any updates to their security recommendations. Readers are encouraged to share their thoughts and experiences with AI-powered cybersecurity threats in the comments below.