CyberStrikeAI tool adopted by hackers for AI-powered attacks
Team Cymru links CyberStrikeAI, an open-source AI attack platform, to the threat actor who breached 500+ FortiGate firewalls. The tool automates scanning, exploitation, and post-exploitation using AI orchestration.
Security researchers at Team Cymru have linked an open-source AI security testing platform called CyberStrikeAI to the threat actor who breached over 500 Fortinet FortiGate firewalls in five weeks. The tool automates the entire attack chain, from reconnaissance to exploitation, using AI orchestration.
What is CyberStrikeAI
CyberStrikeAI is an AI-native security testing platform built in Go. It integrates over 100 security tools including nmap, sqlmap, metasploit, and hashcat with an AI decision engine that supports GPT, Claude, and DeepSeek models.
The tool chains these together automatically. Give it a target, and it handles scanning, vulnerability discovery, exploitation, and post-exploitation. A web UI with audit logging makes it accessible even to operators with limited technical skills.
The Fortinet connection
Team Cymru identified a CyberStrikeAI service running on the same IP address (212.11.64.250) used in the FortiGate breach campaign. NetFlow data confirmed communications between that server and targeted FortiGate devices. Between January 20 and February 26, 2026, researchers found 21 unique IPs running CyberStrikeAI, primarily in China, Singapore, and Hong Kong.
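The correlation Team Cymru describes (a known indicator IP talking to FortiGate devices inside a date window) is something a defender can repeat against their own flow exports. The script below is an added example, not Team Cymru's tooling and not code from the CyberStrikeAI project: it parses constructed NetFlow-style CSV records, keeps only flows inside the article's observation window, and summarizes any flow between the indicator IP named above and a set of assumed FortiGate management addresses (the FortiGate addresses and all flow records are made up for the example).

```python
"""Correlate NetFlow-style records against a known indicator IP.

Added example: flags flows between an IP the article ties to a CyberStrikeAI
service and your own FortiGate management interfaces. The flow records and
the FortiGate addresses are constructed; the indicator IP and the date window
are the ones the article reports.
"""
import csv
import io
from datetime import datetime, timezone

# Indicator from the article (IP hosting the CyberStrikeAI service).
INDICATOR_IPS = {"212.11.64.250"}

# Constructed: management addresses of your own FortiGate appliances.
FORTIGATE_MGMT_IPS = {"198.51.100.10", "198.51.100.11"}

# Observation window from the article (UTC).
WINDOW_START = datetime(2026, 1, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 2, 26, 23, 59, 59, tzinfo=timezone.utc)

# Constructed flow export (one row per unidirectional flow).
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
2026-02-03T11:02:17Z,212.11.64.250,51234,198.51.100.10,443,TCP,2480
2026-02-03T11:02:18Z,198.51.100.10,443,212.11.64.250,51234,TCP,9120
2026-02-03T11:05:40Z,212.11.64.250,51300,198.51.100.10,10443,TCP,1820
2026-02-04T08:15:02Z,203.0.113.7,40001,198.51.100.11,443,TCP,3300
2026-02-05T22:41:09Z,212.11.64.250,51601,198.51.100.11,443,TCP,2710
2025-12-30T09:00:00Z,212.11.64.250,50001,198.51.100.10,443,TCP,500
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields (timestamps in UTC)."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["ts"].replace("Z", "+00:00")),
            "src_ip": row["src_ip"], "src_port": int(row["src_port"]),
            "dst_ip": row["dst_ip"], "dst_port": int(row["dst_port"]),
            "proto": row["proto"], "bytes": int(row["bytes"]),
        })
    return flows


def matches_indicator(flow):
    """True when one endpoint is an indicator IP and the other is a FortiGate."""
    ends = {flow["src_ip"], flow["dst_ip"]}
    return bool(ends & INDICATOR_IPS) and bool(ends & FORTIGATE_MGMT_IPS)


def correlate(flows, window_start=WINDOW_START, window_end=WINDOW_END):
    """Per-FortiGate summary of indicator flows inside the window.

    Returns {device_ip: {"flows", "bytes", "ports", "first_seen", "last_seen"}}.
    "ports" holds the FortiGate-side port, i.e. the service that was contacted.
    """
    summary = {}
    for f in flows:
        if not (window_start <= f["ts"] <= window_end):
            continue  # outside the campaign window, ignore
        if not matches_indicator(f):
            continue
        fortigate_is_dst = f["dst_ip"] in FORTIGATE_MGMT_IPS
        device = f["dst_ip"] if fortigate_is_dst else f["src_ip"]
        port = f["dst_port"] if fortigate_is_dst else f["src_port"]
        s = summary.setdefault(device, {
            "flows": 0, "bytes": 0, "ports": set(),
            "first_seen": f["ts"], "last_seen": f["ts"],
        })
        s["flows"] += 1
        s["bytes"] += f["bytes"]
        s["ports"].add(port)
        s["first_seen"] = min(s["first_seen"], f["ts"])
        s["last_seen"] = max(s["last_seen"], f["ts"])
    return summary


if __name__ == "__main__":
    for device, s in sorted(correlate(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{device}: {s['flows']} flows, {s['bytes']} bytes, "
              f"ports {sorted(s['ports'])}, "
              f"{s['first_seen'].isoformat()} .. {s['last_seen'].isoformat()}")
```

Feed it a real export (for example an nfdump CSV with the same columns) and replace FORTIGATE_MGMT_IPS with your appliance addresses; a non-empty summary is a trigger for pulling the device logs for the listed time span, not proof of compromise on its own.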
The developer behind CyberStrikeAI also maintains PrivHunterAI (privilege escalation detection) and InfiltrateX (privilege escalation scanning). Their GitHub activity shows interactions with organizations previously linked to Chinese government-affiliated cyber operations.
WAFplanet take
This is a preview of where attacks are heading. AI-orchestrated tools that chain together reconnaissance, exploitation, and post-exploitation lower the skill barrier dramatically. A WAF sitting in front of your application is no longer optional; it is your first line of automated defense against automated attacks.
The FortiGate breaches specifically targeted Fortinet edge devices. If you run FortiGate appliances, patch immediately. For application-layer protection, a dedicated WAF like Cloudflare, Imperva, or a self-hosted option like ModSecurity adds a critical layer that network firewalls alone cannot provide.
AI-powered attacks demand AI-powered defenses. Expect WAF vendors to accelerate their own AI detection capabilities in response to tools like CyberStrikeAI.