AI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Plummets to 24-48 Hours
The landscape of cybercrime has evolved dramatically, with industrialized methods now enabling attacks that are faster, larger in scale, and more successful than ever before. As cybercriminals increasingly leverage artificial intelligence (AI) and automation, defenders must adopt similar technologies to keep pace with these evolving threats.
The industrialization of cybercrime traces its roots back to the 1990s, when criminal activities began to mirror the operational efficiencies of legitimate businesses. This shift has transformed cybercrime into a structured enterprise, where efficiency is paramount. Today, cybercriminals utilize AI, automation, and streamlined data sharing to maximize their returns while minimizing effort.
FortiGuard has conducted an extensive analysis of the current threat landscape, utilizing telemetry from millions of sensors deployed globally since 2002. This analysis encompasses data collected in 2025, providing insights across various security domains and vectors of compromise.
AI Speeds the Attack Process
Derek Manky, Chief Security Strategist at FortiGuard Labs, highlights that the latest Global Threat Landscape Report indicates a significant shift in how malicious actors are employing agentic AI to execute more sophisticated attacks.
Cybercriminals now have access to a variety of AI-enabled tools, including WormGPT, FraudGPT, HexStrike AI, APEX AI, and BruteForceAI. These tools serve as force multipliers, reducing the skill and time needed for attacks and allowing perpetrators to operate at unprecedented speeds.
FraudGPT and WormGPT are particularly effective in crafting convincing phishing attacks. By circumventing traditional security measures, these tools enable attackers to refine their scams, generate malicious code, and conduct large-scale social engineering campaigns.
HexStrike AI facilitates automated reconnaissance, attack-path generation, and malicious content creation. Meanwhile, APEX AI simulates advanced persistent threat (APT) attacks, incorporating automated open-source intelligence (OSINT), attack chaining, and kill-chain generation to model comprehensive compromise paths.
BruteForceAI functions as a penetration testing tool, identifying login form selectors and executing multi-threaded attacks that mimic human behavior patterns.
These malicious tools do not introduce new vulnerabilities; rather, they expedite the exploitation of existing ones, contributing to a significant collapse in predictive security.
Automation Finds the Vulnerabilities
The identification of vulnerabilities is increasingly automated through global scanning using standard commercial tools. Solutions like Qualys are employed to detect vulnerable software versions and misconfigurations, while Nmap is utilized for port scanning and service fingerprinting. Nessus and OpenVAS further enrich vulnerability assessments.
Data Sharing Fine-Tunes the Cybercrime Business
Access to targets is often readily available on underground markets. FortiGuard reports that databases, credentials, validated access paths, and attacker tools are continuously advertised and exchanged, creating an upstream supply chain that supports downstream intrusion activities.
This data is primarily harvested through infostealers like RedLine, Lumma, and Vidar. Access brokers then sell validated access to enterprises, with corporate VPNs and Remote Desktop Protocol (RDP) being the most frequently advertised access types.
The cybercriminal ecosystem is further bolstered by extensive discussions among operatives. FortiGuard notes that 656 vulnerabilities were actively discussed on the darknet in 2025. Among these, 344 (52.44%) had publicly available proof-of-concept (PoC) exploit code, while 176 (26.83%) had working exploit code, and 149 (22.71%) featured both PoC and operational exploit code.
The report warns that Common Vulnerabilities and Exposures (CVEs) become “industrial” when packaged with scripts, modules, guides, proof code, and operational playbooks, allowing exploitation to occur in a repeatable manner rather than as a one-off intrusion.
The Effect of This Industrialization of Cybercrime
One of the most significant impacts of this new cybercrime paradigm is the drastic reduction in time-to-exploit. Previously, the average time-to-exploit for critical vulnerabilities was nearly a week. This window has now shrunk to 24 to 48 hours, with some exploits occurring within hours of public disclosure.
Douglas Santos, director of advanced threat intelligence at FortiGuard, emphasizes that the trajectory is clear: as AI accelerates reconnaissance, weaponization, and execution, it is only a matter of time before exploitation occurs in “hours or even minutes, not days.” Early signs of this trend are already evident.
Ransomware continues to be the most alarming attack vector, offering the highest potential for monetization. In 2025, there were 7,831 confirmed ransomware victims globally. The most active ransomware groups included Qilin, Akira, and Safepay, with the United States, Canada, and Europe being the most targeted regions.
FortiGuard asserts that the global attack surface is continuously mapped, refreshed, and maintained in a state of operational readiness.
Defending Against Industrialized Cybercrime
The efficiency of the cybercrime sector has significantly increased the speed, scale, and success of attacks. Consequently, defense mechanisms must also evolve, particularly in terms of detection and response speed. The rapid pace of adversarial AI and automation necessitates the implementation of defensive AI and automation.
FortiGuard recommends prioritizing identity-centric detection, exposure reduction, and automation to match the operational tempo of attackers.
In its commitment to combat industrial cybercrime, FortiGuard has engaged in several international disruption efforts over the past year. These initiatives include INTERPOL’s Serengeti 2.0 and Operation Red Card 2.0, the Cybercrime Atlas initiative in collaboration with the World Economic Forum, partnerships with cybersecurity peers through the Cyber Threat Alliance, and a new Cybercrime Bounty program launched in conjunction with Crime Stoppers International.
Source: www.securityweek.com


