AI and automation shift the cybersecurity balance toward attackers

Threat actors are increasingly harnessing automation, commoditized tools, and AI to systematically erode the traditional advantages held by defenders, according to Fortinet.

“Our latest Global Threat Landscape Report makes one thing clear: Cybercriminals are accelerating their efforts, using AI and automation to operate at unprecedented speed and scale,” said Derek Manky, Chief Security Strategist and Global VP Threat Intelligence, Fortinet FortiGuard Labs.

“The traditional security playbook is no longer enough. Organizations must shift to a proactive, intelligence-led defense strategy powered by AI, zero trust, and continuous threat exposure management,” Manky added.

Threat actors shift left, driving record scanning levels

To capitalize on newfound vulnerabilities, cybercriminals are deploying automated scanning at a global scale. Active scanning in cyberspace reached unprecedented levels in 2024, rising by 16.7% worldwide year-over-year, highlighting a sophisticated and massive collection of information on exposed digital infrastructure. FortiGuard Labs observed billions of scans each month, equating to 36,000 scans per second, revealing an intensified focus on mapping exposed services such as SIP and RDP and OT/IoT protocols like Modbus TCP.

In 2024, cybercriminal forums increasingly operated as sophisticated marketplaces for exploit kits, with over 40,000 new vulnerabilities added to the National Vulnerability Database, a 39% rise from 2023. In addition to zero-day vulnerabilities circulating on the darknet, initial access brokers are increasingly offering corporate credentials (20%), RDP access (19%), admin panels (13%), and web shells (12%). Additionally, researchers observed a 500% increase in the past year in logs available from systems compromised by infostealer malware, with 1.7 billion stolen credential records shared in these underground forums.

Threat actors are harnessing AI to enhance phishing realism and evading traditional security controls, making cyberattacks more effective and difficult to detect. Tools like FraudGPT, BlackmailerV3, and ElevenLabs are fueling more scalable, believable, and effective campaigns, without the ethical restrictions of publicly available AI tools.

Industries such as manufacturing, healthcare, and financial services continue to experience a surge in tailored cyberattacks, with adversaries deploying sector-specific exploitations. In 2024, the most targeted sectors were manufacturing (17%), business services (11%), construction (9%), and retail (9%). Both nation-state actors and Ransomware-as-a-Service (RaaS) operators concentrated their efforts on these verticals, with the United States bearing the brunt of attacks (61%), followed by the United Kingdom (6%) and Canada (5%).

Cloud environments continue to be a top target, with adversaries exploiting persistent weaknesses such as open storage buckets, over-permissioned identities, and misconfigured services. In 70% of observed incidents, attackers gained access through logins from unfamiliar geographies, highlighting the critical role of identity monitoring in cloud defense.

In 2024, cybercriminals shared over 100 billion compromised records on underground forums, a 42% year-over-year spike, driven largely by the rise of “combo lists” containing stolen usernames, passwords, and email addresses. More than half of darknet posts involved leaked databases, enabling attackers to automate credential-stuffing attacks at scale.

Well-known groups like BestCombo, BloddyMery, and ValidMail were the most active cybercriminal groups during this time and continue to lower the barrier to entry by packaging and validating these credentials, fueling a surge in account takeovers, financial fraud, and corporate espionage.

CISO playbook for adversary defense

This report highlights a few strategic areas to focus on:

• Shifting from traditional threat detection to continuous threat exposure management: This proactive approach emphasizes continuous attack surface management, real-world emulation of adversary behavior, risk-based remediation prioritization, and automation of detection and defense responses. Utilizing breach and attack simulation (BAS) tools to regularly assess endpoint, network, and cloud defenses against real-world attack scenarios ensures resilience against lateral movement and exploitation.
• Simulating real-world attacks: Conduct adversary emulation exercises, red and purple teaming, and leverage MITRE ATT&CK to test defenses against threats like ransomware and espionage campaigns.
• Reducing attack surface exposure: Deploy attack surface management (ASM) tools to detect exposed assets, leaked credentials, and exploitable vulnerabilities while continuously monitoring darknet forums for emerging threats.
• Prioritizing high-risk vulnerabilities: Focus remediation efforts on vulnerabilities actively discussed by cybercrime groups, leveraging risk-based prioritization frameworks such as EPSS and CVSS for effective patch management.
• Leveraging dark web intelligence: Monitor darknet marketplaces for emerging ransomware services and track hacktivist coordination efforts to preemptively mitigate threats like DDoS and web defacement attacks.