April 18, 2026

CyberStrikeAI tool adopted by hackers for AI-powered attacks

Researchers say an open-source platform called CyberStrikeAI has been observed on infrastructure used in a recent campaign that compromised hundreds of Fortinet FortiGate firewalls. Team Cymru linked the activity to an IP previously tied to the FortiGate intrusions (212.11.64[.]250), where they saw a CyberStrikeAI service banner and NetFlow traffic consistent with targeting FortiGate devices. The article describes CyberStrikeAI as an “AI-native security testing platform” that bundles 100+ offensive security tools (scanning, web testing, exploitation, password cracking, post-exploitation) and then uses an AI “decision engine” (compatible with models like GPT, Claude, and DeepSeek) to orchestrate steps across a full attack chain through a web UI and dashboards.

The key warning is that this kind of AI-driven orchestration can dramatically lower the skill barrier for complex attacks, making it easier to automate rapid targeting of exposed edge devices like firewalls and VPN appliances. Team Cymru reports observing 21 unique IPs running CyberStrikeAI between January 20 and February 26, 2026, with hosting concentrated in China, Singapore, and Hong Kong but also seen in the U.S., Japan, and Europe. The researchers also raise concerns about the tool’s developer (“Ed1s0nZ”), pointing to interactions and signals that may indicate ties to Chinese state-linked ecosystems (e.g., references involving Knownsec/CNNVD), though some profile references were later removed.

Source: https://www.bleepingcomputer.com/news/security/cyberstrikeai-tool-adopted-by-hackers-for-ai-powered-attacks/
