The industrialization of cybercrime began in the 1990s, when illicit activities started to mirror the efficiency of legitimate businesses. Today, that evolution has accelerated dramatically. Cybercriminals are no longer lone operators; they function as organized enterprises, applying the same principles of automation, data sharing, and efficiency that drive modern corporations. The result is a threat landscape where attacks are faster, more scalable, and more successful than ever before. According to FortiGuard’s latest Global Threat Landscape Report, the window between a vulnerability’s disclosure and its exploitation has shrunk from nearly a week to just 24 to 48 hours—and in some cases, mere hours.
The Rise of Agentic AI in Cybercrime
The primary catalyst for this shift is the adoption of agentic AI—autonomous systems capable of planning and executing complex tasks without human intervention. Derek Manky, Chief Security Strategist at FortiGuard Labs, notes that malicious actors are beginning to leverage these tools to execute more sophisticated attacks. A range of AI-enabled malicious tools, such as WormGPT, FraudGPT, HexStrike AI, APEX AI, and BruteForceAI, are now openly available on underground forums. These tools act as force multipliers, reducing the skill requirements and time needed for an attack while allowing criminals to operate at machine speed.
FraudGPT and WormGPT are particularly effective for creating compelling phishing campaigns. Unlike legitimate language models, these tools lack safety guardrails, enabling attackers to refine scams, generate malicious code, and conduct social engineering on a massive scale. HexStrike AI automates reconnaissance, attack-path generation, and malicious content creation. APEX AI offers advanced simulation capabilities, including automated OSINT, attack chaining, and full kill-chain generation that models end-to-end compromise paths. BruteForceAI, a pentesting tool, identifies login form selectors and executes multi-threaded attacks with human-like behavior patterns to evade detection.
Automation and Data Sharing: The New Normal
Finding vulnerabilities to exploit is now a fully automated process. Cybercriminals use standard commercial tools like Qualys to locate vulnerable software versions and misconfigurations, Nmap for port scanning and service fingerprinting, and Nessus and OpenVAS for vulnerability enrichment. This automation, combined with AI, creates a powerful feedback loop that continuously maps the global attack surface.
Data sharing among cybercriminals further fine-tunes their operations. In many cases, access to targets is already available on underground markets. FortiGuard reports that databases, credentials, validated access paths, and attacker tooling are continuously advertised and exchanged, forming an upstream supply chain that feeds downstream intrusion activity. Infostealers such as RedLine, Lumma, and Vidar are the primary sources of this data. Access brokers then sell validated access into enterprises, with corporate VPNs and RDP being the most frequently advertised access types.
The Collapse of Time-to-Exploit
One of the most alarming effects of this industrialization is the collapse of time-to-exploit. Douglas Santos, director of advanced threat intelligence at FortiGuard, explains that what once took nearly a week now often happens within a day or two. For critical vulnerabilities, exploitation can begin within hours of public disclosure. Santos warns that as AI accelerates reconnaissance, weaponization, and execution, it is only a matter of time before “hours or even minutes” becomes the norm across all attack vectors. The report notes that 656 vulnerabilities were actively discussed on the darknet in 2025, with 344 having publicly available proof-of-concept code and 176 having working exploit code. CVEs become “industrial” when they are sufficiently packaged with scripts, modules, guides, and operational playbooks, enabling exploitation to run as a repeatable loop rather than a bespoke intrusion.
Ransomware Remains the Top Threat
Ransomware continues to be the most easily monetizable attack type. FortiGuard’s data shows that globally there were 7,831 confirmed victims in 2025. The three most active ransomware groups were Qilin, Akira, and Safepay, with the United States being the most targeted region (3,381 victims), followed by Canada and Europe. The global attack surface is already mapped, continuously refreshed, and maintained in an operational readiness state, making it easier for ransomware groups to strike quickly and effectively.
Defending Against Industrialized Cybercrime
To counter this industrialized threat, defenders must adopt a similar approach—scaling their operations through AI and automation. The speed of adversarial AI can only be matched by defensive AI. FortiGuard specifically recommends prioritizing identity-centric detection, exposure reduction, and automation to match the machine-speed operations of attackers. This includes deploying AI-powered tools for threat detection, automated incident response, and continuous vulnerability management.
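One way to automate continuous vulnerability management against the shrinking time-to-exploit window is to derive a remediation deadline for each finding from its exploit maturity and exposure. The sketch below is an added example, not code from FortiGuard or the report: the hour budgets, exposure factors, asset names, and CVE identifiers are constructed assumptions, with maturity tiers modeled on the report's categories (discussed, public proof-of-concept, working exploit) and the tightest factor applied to internet-facing VPN and RDP.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed patch budgets in hours per exploit-maturity tier (not from the report).
# "none" keeps the older, roughly one-week window the article mentions.
BUDGET_HOURS = {"working_exploit": 12, "public_poc": 24, "discussed": 48, "none": 168}
REMOTE_ACCESS = {"vpn", "rdp"}  # access types the article says brokers advertise most

@dataclass
class Finding:
    cve: str              # placeholder identifier, constructed
    asset: str
    disclosed: datetime   # public disclosure time (UTC)
    maturity: str         # key of BUDGET_HOURS
    internet_facing: bool
    service: str

def remediation_deadline(f: Finding) -> datetime:
    """Disclosure time plus a budget scaled down by exposure (assumed factors)."""
    if f.maturity not in BUDGET_HOURS:
        raise ValueError(f"unknown maturity tier: {f.maturity!r}")
    factor = 1.0
    if f.internet_facing:
        factor = 0.25 if f.service in REMOTE_ACCESS else 0.5
    return f.disclosed + timedelta(hours=BUDGET_HOURS[f.maturity] * factor)

def triage(findings, now):
    """Return (asset, cve, hours_left) sorted by deadline; negative means overdue."""
    rows = []
    for f in findings:
        deadline = remediation_deadline(f)
        rows.append((deadline, f.asset, f.cve, (deadline - now).total_seconds() / 3600))
    rows.sort(key=lambda r: r[0])
    return [(asset, cve, hours) for _, asset, cve, hours in rows]

def utc(day, hour):
    return datetime(2025, 6, day, hour, tzinfo=timezone.utc)

# Constructed sample scanner output.
NOW = utc(3, 12)
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "vpn-gw-01", utc(3, 6), "working_exploit", True, "vpn"),
    Finding("CVE-EXAMPLE-0002", "web-01", utc(3, 4), "public_poc", True, "web"),
    Finding("CVE-EXAMPLE-0003", "db-internal", utc(1, 12), "none", False, "internal"),
    Finding("CVE-EXAMPLE-0004", "rdp-jump", utc(2, 12), "discussed", True, "rdp"),
]

if __name__ == "__main__":
    for asset, cve, hours in triage(SAMPLE, NOW):
        print(f"{asset:12} {cve:18} {'OVERDUE' if hours < 0 else 'due'} {hours:+.1f}h")
```

Feeding the overdue rows into ticketing or automated isolation is where the response-time gain comes from; the ranking alone only orders the queue.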
FortiGuard has also been active in global disruption efforts. Over the past year, the firm has engaged with INTERPOL Serengeti 2.0 and Operation Red Card 2.0, the Cybercrime Atlas initiative with the World Economic Forum, the Cyber Threat Alliance, and a new Cybercrime Bounty program in partnership with Crime Stoppers International. These collaborative efforts aim to dismantle the infrastructure that supports industrial cybercrime.
The message from FortiGuard is clear: the industrialization of cybercrime is here, and it is evolving rapidly. Defenders must embrace AI and automation not as optional enhancements, but as essential components of any effective cybersecurity strategy. The days of relying on manual processes and slow response times are over. The only way to survive in this new landscape is to fight fire with fire—by deploying machine-speed defenses against machine-speed attacks.
Source: SecurityWeek News