
Fortinet flags ‘industrial scale’ cybercrime driven by continuous, machine-speed attacks and automated exploitation


Fortinet released its 2026 Global Threat Landscape Report from FortiGuard Labs, framing cybercrime in 2025 as an industrialized, system-level operation rather than a series of isolated campaigns. Drawing exclusively on FortiGuard telemetry, the report captures a threat environment defined by continuous, machine-speed activity, where exposure is persistently mapped, validated, and exploited without reliance on traditional campaign cycles or manual intervention. The data shows attackers operating across an end-to-end lifecycle, compressing timelines and scaling operations through automation and coordinated tooling.

The scale of activity underscores that shift. Fortinet recorded 640 billion reconnaissance events globally in 2025, alongside 67.65 billion brute-force attempts and 121.99 billion exploitation attempts, the latter rising 25% year-over-year from just over 97 billion in 2024. The findings point to a model where exploitation is driven less by novel vulnerability discovery and more by the rapid operationalization of existing flaws. 

In 2025, cybercrime operated at an industrial scale, with 635 vulnerabilities actively exploited and 7,831 organizations extorted. Fortinet shows that impact was defined not by zero-day exploits, but by automation, identity abuse, and delays in patching. Of the vulnerabilities observed under active exploitation, more than half had publicly available proof-of-concept code and nearly a third had fully functional exploit code, highlighting how quickly attackers weaponize disclosed weaknesses once they enter the public domain.

Time-to-exploit is also narrowing sharply. While earlier patterns typically showed exploitation emerging about a week after vulnerability disclosure, Fortinet observed consistent activity within 24 to 48 hours in 2025, outpacing traditional patching and remediation cycles. The report, aligned with the MITRE ATT&CK framework, concludes that cybercrime now operates as a continuous system, where automation, availability of exploit code, and lifecycle integration are redefining both the speed and scale of attacks.

“Cybercrime is one of the world’s most pervasive and costly threats, and our latest Global Threat Landscape Report reveals how malicious actors are beginning to leverage agentic AI to execute more sophisticated attacks,” Derek Manky, chief security strategist and global vice president of threat intelligence at Fortinet FortiGuard Labs, said in a media statement last week. “As cybercriminals increasingly use AI to bolster their tactics, cyber defenders must evolve cybersecurity operations into an industrialized defense and adopt AI-enabled tools that respond at the same velocity as modern threats.”

The 2026 Global Threat Landscape Report indicates that identity exposure has become the upstream fuel of industrialized intrusion, as attackers increasingly rely on stolen credentials to gain initial access. Data from FortiRecon shows 4.62 billion stealer logs were traded or shared on the darknet, marking a 79.07% increase compared to 2024, when roughly 1.7 billion stolen credential records were already in circulation, underscoring the continued expansion of the credential economy.

The Fortinet report finds that weaponization now treats identity and exploits as industrial inventory, as evidenced by 4.62 billion stealer logs and 635 actively exploited vulnerabilities, of which 53.86% have publicly available proof-of-concept code, demonstrating exploit packaging and credential commoditization at scale.

Exploitation has become a race condition, with 121.99 billion exploitation attempts recorded in 2025 and 57.32% of vulnerabilities entering active exploitation, indicating that readiness and automation, rather than CVSS severity, define real-world impact. Time-to-exploit has compressed from a few days to effectively zero, with multiple critical vulnerabilities showing first exploitation signals on the same day or the next day after disclosure.

Post-exploitation activity reflects persistent command infrastructure, with 7.10 billion botnet command-and-control detections, or roughly 19.4 million per day, confirming that compromise is sustained through industrialized command layers rather than isolated access.

The report also shows that ransomware operates as a high-throughput production model, with 7,831 confirmed victims in 2025 concentrated among scalable groups, demonstrating that ransomware functions as a continuous economic engine rather than an episodic campaign.

Cross-threat convergence is increasing, with the same vulnerabilities reused across multiple forms of threat activity. The data shows that 22.83% of vulnerabilities are leveraged only in ransomware campaigns, 19.53% only in advanced persistent threat operations, and 20.47% in both, while 43.15% are exploited at scale, highlighting how single vulnerabilities can simultaneously enable extortion, espionage, and large-scale compromise.

The execution model is increasingly fileless and automation-ready, with 48.96% of activity involving living-off-the-land binaries, around 8% involving injection or process hollowing, and 11.5% enabling immediate access to sensitive data through native tooling rather than bespoke malware.

Across cloud environments, the report finds that identity compromise remains the dominant intrusion vector, with valid credentials functioning as the exploit and APIs acting as the execution engine for follow-on activity, including discovery-heavy operations and monetization through abuse of services such as Amazon Simple Email Service, cryptomining, and resource hijacking, underscoring the industrialization of cloud intrusion.

Fortinet makes clear that not all industrial-scale cyber impact is immediately monetized. Intelligence from FortiRecon identified more than 250 distinct espionage-aligned adversaries active in 2025, highlighting a threat category designed for persistence rather than immediate financial return. These operations consistently target government and public sector organizations, telecommunications providers, critical infrastructure, and technology, defense, and strategic supply-chain industries. 

In this model, espionage is not a single breach event but an ongoing condition, manifesting through long-term data exfiltration, intellectual property theft, and sustained visibility into national and industrial capabilities.

The report also finds that hacktivism is evolving into an industrialized model of disruption and visibility. FortiRecon telemetry shows high-volume, message-driven coordination, rapid mobilization around geopolitical events, and a preference for impact through exposure and reputational damage rather than persistence. 

Tactics include website defacement, data leaks and doxxing, DDoS (distributed denial-of-service) activity, service disruption, and psychological pressure, with success measured in visibility and disruption rather than dwell time. Targeting patterns varied by campaign, but regional trends consistently aligned with geopolitical tensions rather than purely technical exposure.

A central conclusion of the Fortinet report is that speed has become the defining driver of breach impact. As time-to-exploit continues to compress and the potential blast radius expands, organizations that cannot match machine-speed execution risk inheriting machine-speed damage.

Exploitation now activates when exploit material becomes operationally ready, not when a vulnerability is labeled critical. Once proof-of-concept or working exploit code becomes public, exposure turns into a race condition. In this industrialized model, eventual exploitation is the default outcome unless defenders can remove exposure faster than attackers can automate against it.
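One way to put the readiness-over-severity argument into practice, as an added example that is not from the report or from Fortinet: a small Python prioritiser that orders a constructed vulnerability backlog by public PoC, working exploit code and exposure, and flags any item whose planned patch date falls outside the 24 to 48 hour window the report observed. The scoring weights, field names, CVE-XXXX placeholders and sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Exploitation window the report observed: first signals within 24-48 h of disclosure.
OBSERVED_TIME_TO_EXPLOIT = timedelta(hours=48)

@dataclass
class Vuln:
    cve: str                  # placeholder identifier, not a real CVE
    cvss: float
    disclosed: datetime
    poc_public: bool          # proof-of-concept code is public
    functional_exploit: bool  # fully working exploit code is public
    exposed: bool             # reachable from an untrusted network
    patch_eta: datetime       # when the current change process would apply the fix

def readiness_score(v: Vuln) -> int:
    """Assumed weights: readiness and exposure dominate; CVSS only breaks ties."""
    score = 40 if v.functional_exploit else (25 if v.poc_public else 0)
    if v.exposed:
        score += 20
    return score

def window_missed(v: Vuln) -> bool:
    """True when the planned fix lands after the observed exploitation window."""
    return v.patch_eta > v.disclosed + OBSERVED_TIME_TO_EXPLOIT

def by_cvss(vulns):
    """Conventional severity-first ordering, kept for comparison."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def prioritise(vulns):
    """(cve, readiness score, window_missed) ordered by readiness, then CVSS."""
    ranked = sorted(vulns, key=lambda v: (readiness_score(v), v.cvss), reverse=True)
    return [(v.cve, readiness_score(v), window_missed(v)) for v in ranked]

# Constructed sample backlog; disclosure dates and patch ETAs are made up.
T0 = datetime(2025, 6, 1)
SAMPLE = [
    Vuln("CVE-XXXX-0001", 9.8, T0, False, False, False, T0 + timedelta(days=14)),
    Vuln("CVE-XXXX-0002", 7.5, T0, True, True, True, T0 + timedelta(days=14)),
    Vuln("CVE-XXXX-0003", 6.5, T0, True, False, True, T0 + timedelta(days=1)),
]

if __name__ == "__main__":
    for cve, score, missed in prioritise(SAMPLE):
        print(f"{cve}: readiness={score} patch-after-exploit-window={missed}")
```

Run as-is, the CVSS 9.8 item with no public exploit drops to the bottom while the 7.5 item with working exploit code on an exposed asset comes first and is flagged because its 14-day patch ETA misses the 48 hour window.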

Identity has emerged as the upstream supply chain, with billions of stealer logs and stolen credentials showing that valid access is continuously harvested, packaged, and reused. In cloud environments, valid credentials function as the exploit while APIs act as the execution engine, meaning that waiting for traditional malware indicators is already too late.

The report also underscores that impact is now industrialized. Ransomware operates as a steady-state production model rather than a series of episodic campaigns, while post-exploitation is sustained through persistent command infrastructure at a global scale. In this environment, compromise is no longer a discrete event but an ongoing operating condition.