The landscape of cybercrime has fundamentally shifted. What once required significant manual effort, patience, and specialized skills now operates with the efficiency of a modern factory. The industrialization of malicious activity, which began in the 1990s with the rise of organized hacking groups, has now fully matured thanks to artificial intelligence (AI) and automation. A recent analysis from FortiGuard, based on telemetry from millions of sensors worldwide, paints a stark picture: the time-to-exploit for vulnerabilities has collapsed from weeks to mere hours, and in some cases minutes.
AI Speeds the Attack Process
Derek Manky, Chief Security Strategist at FortiGuard Labs, commented, “Our latest Global Threat Landscape Report reveals how malicious actors are beginning to leverage agentic AI to execute more sophisticated attacks.” The most visible evidence of this shift is the proliferation of AI-enabled malicious tools designed specifically to lower the barrier to entry for cybercriminals. These tools act as force multipliers, reducing the skill and time requirements for launching successful attacks.
Key examples include:
- WormGPT and FraudGPT – These generative AI models are unhindered by typical safety guardrails. They allow attackers to create highly convincing phishing emails, generate malicious code, and automate social engineering campaigns at a scale previously impossible. FraudGPT, for instance, can craft messages that mimic known brands with near-perfect accuracy.
- HexStrike AI – This tool facilitates automated reconnaissance, attack-path generation, and malicious content creation. It systematically maps out network topologies and identifies vulnerable entry points, then generates custom exploit payloads.
- APEX AI – Designed to simulate advanced persistent threat (APT) attacks, APEX AI automates open-source intelligence (OSINT) gathering, attack chaining, and full kill-chain generation. It models end-to-end compromise paths all the way to payload deployment, effectively automating what used to be a highly manual penetration testing process.
- BruteForceAI – A specialized penetration testing tool that identifies login form selectors and executes multi-threaded attacks with human-like behavior patterns. This helps attackers bypass simple rate-limiting defenses and credential stuffing controls.
These tools do not create new types of vulnerabilities; rather, they compress the time required to activate existing exposures. This acceleration has led to a collapse of predictive security, where defenders can no longer rely on traditional patch cycles or threat intelligence timelines.
Automation Finds the Vulnerabilities
Finding exploitable vulnerabilities is now a highly automated process. Cybercriminals rely on the same commercial and open-source scanning tools used by legitimate security teams, but they use them at scale across the internet. Common tools include:
- Qualys – To identify vulnerable software versions and misconfigurations in publicly exposed systems.
- Nmap – For port scanning and service fingerprinting, allowing attackers to map out network services quickly.
- Nessus and OpenVAS – For vulnerability enrichment and detailed reporting on potential exploitation paths.
By automating these scans and chaining the results, criminals can generate prioritized lists of targets within hours of a new vulnerability being disclosed. This process is often fully scripted and can be run repeatedly, ensuring no window of opportunity is missed.
Data Sharing Fine-Tunes the Cybercrime Business
The industrialization of cybercrime extends beyond tools to include a sophisticated supply chain. In many cases, access to targets is already available for purchase on underground markets. “Databases, credentials, validated access paths, and attacker tooling are continuously advertised and exchanged, forming an upstream supply chain that feeds downstream intrusion activity,” the FortiGuard report notes.
This data is primarily obtained via information-stealing malware (infostealers). The most prolific of these in 2025 were RedLine, Lumma, and Vidar. Once stolen, credentials are often sold by access brokers who have validated that the accounts work for corporate VPNs or Remote Desktop Protocol (RDP) connections. This creates a marketplace where attackers can buy pre-validated entry points into high-value organizations.
Furthermore, cybercriminals actively discuss vulnerabilities on darknet forums. In 2025, 656 vulnerabilities were actively discussed. Among these, 344 (52.44%) had publicly available proof-of-concept (PoC) exploit code, 176 (26.83%) had working exploit code, and 149 (22.71%) had both PoC and working exploit code available. As the report warns, “CVEs become ‘industrial’ when they are sufficiently packaged with scripts, modules, guides, and operational playbooks, so exploitation can run as a repeatable loop rather than a bespoke intrusion.”
The Effect of This Industrialization of Cybercrime
The most immediate effect is the dramatic collapse of the time-to-exploit. Not long ago, attackers typically needed nearly a week to develop and deploy a working exploit after a vulnerability was publicly disclosed. According to Douglas Santos, director of advanced threat intelligence at FortiGuard, “That window has now collapsed to 24 to 48 hours for most critical vulnerabilities, and in some cases, exploitation begins within hours of public disclosure.” He added, “The trajectory is clear: as AI accelerates reconnaissance, weaponization, and execution, it’s only a matter of time before ‘hours or even minutes, not days’ becomes the norm. The reality is, we’re already seeing early signs of it.”
Ransomware remains the most financially damaging and most easily monetized attack type. The report recorded 7,831 confirmed ransomware victims globally in 2025. The three most active ransomware groups were Qilin, Akira, and Safepay. The most targeted geographic areas were the United States (with 3,381 victims), followed by Canada and Europe. The global attack surface, FortiGuard notes, is already mapped, continuously refreshed, and maintained in an operational readiness state by these groups.
Defending Against Industrialized Cybercrime
Business efficiency in the cybercrime sector has increased the speed, scale, and success of attacks. Defenders must respond in kind. The speed of adversarial AI and automation can only be matched by the use of defensive AI and automation. FortiGuard specifically recommends prioritizing identity-centric detection, exposure reduction, and automation to match the machine-speed operations of attackers.
This means moving beyond reactive patch management and toward continuous monitoring, automated threat hunting, and AI-driven response orchestration. Organizations should implement security solutions that can analyze network traffic, user behavior, and system logs in real time, flagging anomalies that indicate a breach has already occurred. Automation can then trigger immediate containment actions, such as isolating compromised devices or blocking malicious IPs.
Additionally, a focus on reducing the attack surface is essential. This involves regular vulnerability assessments, timely patching, and adopting zero-trust principles that limit lateral movement even if an attacker gains initial access. Identity-centric detection, such as monitoring for unusual login patterns or privilege escalation attempts, can catch attackers before they cause significant damage. The era of manual, periodic security reviews is over; only continuous, AI-powered defense can keep up with the industrialized threat landscape.
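The following sketch is an added example, not code from the article or the FortiGuard report. It shows why login attempts paced like a human slip under a simple per-IP rate limit, and how an identity-centric check (distinct accounts failing per source, then a success from that source) still surfaces them. The log format, thresholds, function names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)        # look-back per source (assumed)
MAX_FAILS_PER_IP_PER_MIN = 5       # the "simple rate limit" (assumed)
MAX_DISTINCT_USERS_PER_SRC = 4     # identity-centric threshold (assumed)

# Constructed sample: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2025-06-01T09:00:00 alice 203.0.113.7 FAIL
2025-06-01T09:00:45 bob 203.0.113.7 FAIL
2025-06-01T09:01:10 grace 198.51.100.20 FAIL
2025-06-01T09:01:30 carol 203.0.113.7 FAIL
2025-06-01T09:01:40 grace 198.51.100.20 OK
2025-06-01T09:02:15 dave 203.0.113.7 FAIL
2025-06-01T09:03:00 erin 203.0.113.7 FAIL
2025-06-01T09:03:45 frank 203.0.113.7 OK
"""

def parse(line):
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome

EVENTS = [parse(l) for l in SAMPLE_LOG.splitlines()]

def per_ip_rate_limit_hits(events):
    """Sources exceeding the naive per-minute failure limit."""
    buckets = defaultdict(int)
    for ts, _, ip, outcome in events:
        if outcome == "FAIL":
            buckets[(ip, ts.replace(second=0))] += 1
    return {ip for (ip, _), n in buckets.items() if n > MAX_FAILS_PER_IP_PER_MIN}

def identity_centric_findings(events):
    """Flag sources failing against many distinct accounts inside WINDOW,
    and accounts such a source later signs in to successfully."""
    fails = defaultdict(list)              # ip -> [(ts, user)] within WINDOW
    spraying, suspect_accounts = set(), set()
    for ts, user, ip, outcome in sorted(events):
        fails[ip] = [(t, u) for t, u in fails[ip] if ts - t <= WINDOW]
        if outcome == "FAIL":
            fails[ip].append((ts, user))
            if len({u for _, u in fails[ip]}) > MAX_DISTINCT_USERS_PER_SRC:
                spraying.add(ip)
        elif ip in spraying:
            suspect_accounts.add(user)     # success right after a spray: review/reset
    return spraying, suspect_accounts

if __name__ == "__main__":
    print(per_ip_rate_limit_hits(EVENTS), identity_centric_findings(EVENTS))
```

In the sample, the per-IP limiter reports nothing, while the identity-centric pass flags the source and the account it finally signed in to; that account is the candidate for the automated containment step described above.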
On a broader scale, industry collaboration remains vital. Over the last year, FortiGuard has engaged with international cybercrime disruption efforts, including INTERPOL Serengeti 2.0 and Operation Red Card 2.0, the Cybercrime Atlas initiative with the World Economic Forum, and partnerships through the Cyber Threat Alliance. These cooperative efforts aim to dismantle the supply chains that fuel industrial cybercrime. However, individual organizations must also invest in the technology and expertise to defend themselves, as the speed of attack continues to accelerate.
Source: SecurityWeek News