Automation to drive global cybercrime industrial age by 2026
Fortinet has forecast a significant shift in the evolution of global cybercrime by 2026, predicting that the sector will enter what it calls its "industrial age," characterised by automation, artificial intelligence (AI) agents, and expanded capacity for malicious activities.
Automation focus
The report anticipates a move away from novel cyber tools toward improved throughput. With AI systems streamlining reconnaissance, accelerating intrusions, and managing negotiations, attackers are expected to prioritise speed and efficiency over invention. Automation will increase the scale at which criminal groups can operate, with a single affiliate potentially able to launch dozens of campaigns simultaneously. The gap between breach and impact is expected to narrow from days to only minutes.
AI agents emerge
Specialised AI agents are projected to play an integral part in upcoming cybercriminal operations. These agents will be tasked with handling specific steps in attack sequences, such as credential theft and data monetisation. While not yet fully autonomous, their arrival could further lower barriers to large-scale attacks by reducing the need for direct oversight at every stage.
AI tools will also play a role in monetising stolen data rapidly. Once malicious actors acquire data, AI can analyse and sort it, identifying victims that offer higher potential returns. Personalised extortion messages could be generated automatically, increasing the speed at which criminal enterprises can benefit from a breach.
Underground economy changes
The underground cybercrime economy is expected to become more organised. Botnet and credentials-rental offerings may shift towards more tailored and specific packages, based on targeted characteristics like industry or geography. Black markets are predicted to adopt features such as customer service, reputation scoring, and automated escrow systems, further professionalising illicit operations.
Defensive response
As attackers adopt faster and more coordinated strategies, defenders are advised to respond in kind. Security operations are expected to transition towards what Fortinet terms "machine-speed defence", relying on constant intelligence gathering, validation, and rapid containment to compress detection and response times.
Defence frameworks such as continuous threat exposure management (CTEM) and MITRE ATT&CK are likely to be central to this transition. These frameworks will be utilised to systematically identify, prioritise, and remediate vulnerabilities based on real-time intelligence. The importance of identity as a security foundation is highlighted, with organisations needing to authenticate not just users, but also automated agents and machine-to-machine interactions. Managing these identities, particularly non-human, is expected to be crucial to preventing privilege escalation and large-scale data exposure.
Global coordination
The industrialisation of cybercrime is forecast to require a globally coordinated response. The report references ongoing initiatives that combine intelligence sharing between private and public sectors, along with targeted disruption campaigns to dismantle criminal infrastructures. Community reporting and cybercrime bounty programs are being adopted as additional measures to scale deterrence and raise accountability.
Investment in educational and deterrence programmes is also anticipated as a key method for preventing younger or vulnerable individuals from being drawn into cybercrime ecosystems. There is an ongoing focus on intervention and redirection before these individuals enter criminal networks.
"Velocity and scale will define the decade ahead. Organisations that unify intelligence, automation, and human expertise into a single, responsive system will be the ones best able to withstand what comes next," said Derek Manky, Chief Security Strategist & Global Vice President Threat Intelligence, Fortinet.
