Fortinet: Speed to define cyber offence and defence in 2026

Fortinet has today published its 2026 Cyberthreat Predictions Report, presenting a picture of a landscape increasingly driven by speed. Each year, FortiGuard Labs examines how technology, economics, and human behaviour influence global cyber risk.

The 2026 report signals a turning point: cybercrime is evolving into a fully organised industry powered by automation, specialisation, and artificial intelligence (AI). In the coming year, success in both attack and defence will hinge less on innovation and more on throughput, the speed at which intelligence can be converted into action.

From innovation to throughput

Advances in AI, automation, and the maturing cybercrime supply chain will make intrusion faster and simpler than ever. Attackers will spend less time creating new tools and more time perfecting and automating methods that already deliver results.

AI systems will increasingly handle reconnaissance, accelerate break-ins, analyse stolen data, and craft ransom negotiations. In parallel, autonomous cybercrime agents operating on the dark web will begin executing major phases of attacks with limited human intervention.

These developments will dramatically expand attacker capacity. A ransomware affiliate previously capable of running a handful of campaigns will soon be able to operate dozens in parallel. The interval between compromise and impact will shrink from days to minutes, making speed the defining risk factor for organisations in 2026.

The next generation of offence

FortiGuard Labs anticipates the emergence of specialised AI agents built to assist cybercriminal workflows. While these agents may not operate fully independently, they will automate and enhance crucial stages of the attack chain such as credential theft, lateral movement, and data monetisation.

AI will also accelerate the value extraction from stolen data. Once attackers access a database, AI tools will instantly analyse and prioritise it, identify the victims offering the highest return, and even generate tailored extortion messages. Data will convert into cashflow faster than ever before.

Meanwhile, the underground economy will grow increasingly structured. In 2026, botnet and credential-rental services will become more precisely targeted.

Through data enrichment and automation, vendors will offer highly specific access packages based on industry, geography, and system profile, replacing today’s generic offerings. Black markets will adopt customer service functions, reputation systems, and automated escrow services. These developments will further accelerate the industrialisation of cybercrime.

The evolution of defence

Defenders will need to match attackers in efficiency and coordination. In 2026, security operations will shift towards what FortiGuard Labs describes as “machine-speed defence” a continuous cycle of intelligence, validation, and containment that reduces detection and response times from hours to minutes.

To enable this, organisations will need to leverage frameworks such as Continuous Threat Exposure Management (CTEM) and MITRE ATT&CK, allowing them to map active threats, identify exposures, and prioritise remediation based on live intelligence.

Identity will become the cornerstone of security operations: defenders must authenticate not only people but also automated agents, AI processes, and machine-to-machine interactions. Effective management of these non-human identities will be essential to prevent widespread privilege escalation and data leaks.

Collaboration and deterrence

The industrialisation of cybercrime will also require a more unified global response. Initiatives such as INTERPOL’s Operation Serengeti 2.0, supported by Fortinet and other private-sector organisations, demonstrate the impact of coordinated intelligence sharing and targeted disruption.

New efforts, including the Fortinet–Crime Stoppers International Cybercrime Bounty Programme, will help communities worldwide report cyberthreats safely, supporting broader deterrence and accountability.

FortiGuard Labs also expects increased investment in education and prevention programmes aimed at vulnerable groups who may be drawn into cybercrime. Redirecting potential offenders before they enter the ecosystem will be crucial to reducing the next generation of cybercriminal activity.

Looking ahead

By 2027, cybercrime is expected to operate at a scale comparable to legitimate global industries. FortiGuard Labs predicts further advances in agentic AI, with swarm-based agents coordinating tasks semi-autonomously and adapting in real time to defender behaviour. More sophisticated supply-chain attacks targeting AI and embedded systems are also expected.

Defenders will need to evolve in parallel, using predictive intelligence, automation, and exposure management to contain incidents rapidly and anticipate adversary tactics. The future of cybersecurity will depend on how effectively humans and machines can function together as adaptive systems.

Velocity and scale will define the coming decade. Organisations that successfully integrate intelligence, automation, and human expertise into a cohesive, responsive ecosystem will be best positioned to withstand the challenges ahead.

Rashish Pandey, Vice President, Marketing & Communications, APAC, Fortinet,“The findings clearly show that cybercrime is no longer an opportunistic activity, it is an industrialised system operating at machine speed. As automation, specialisation, and AI redefine every stage of the attack lifecycle, the time between compromise and consequence continues to collapse.

He added,"The road ahead will be shaped by how quickly defenders can adapt to this reality. Cybersecurity has become a race of systems, not individuals, and organisations will need integrated intelligence, continuous validation, and real-time response to stay ahead of adversaries who measure success by throughput, not novelty.”

Vivek Srivastava, Country Manager, India & SAARC, Fortinet noted, “For defenders, the shift we are seeing is profound. Static configurations and periodic assessments can’t keep pace with an environment where attackers automate reconnaissance, privilege escalation, and extortion within minutes.

What organisations need is a unified, adaptive security posture, one that brings together threat intelligence, exposure management, and incident response into a continuous, AI-enabled workflow. At Fortinet, our focus is on helping customers build this level of resilience so they can act at the same speed as the threats they face and contain attacks before disruption occurs.