
On June 18, 2026, a security researcher stumbled onto an open directory sitting unprotected on the public internet. It belonged to no security vendor and no research lab. It belonged to the attackers. Inside were the working files of FortiBleed — what researchers now describe as the first publicly documented, global-scale agentic AI cyberattack: target lists, connection strings, GPU cracking jobs, harvested credentials, and the operators’ own scripts.
For once, the curtain was pulled back. And what sat behind it wasn’t the familiar picture of a few operators grinding through machines by hand. It was a machine that ran with far less human hands-on-keyboard than a campaign this size normally needs.
Disclosure. One of the open-source tools referenced in this operator’s infrastructure was CyberStrike — our own project. We’re not going to pretend otherwise; we address it directly in the final section, Where We Stand.
The operators had built an isolated offensive lab — virtual machines on a private subnet, hardened routing, shared sessions so multiple people could watch the console at once. But the center of gravity wasn’t the humans. It was an autonomous agent, automatically provisioned across every machine in the fleet. The recovered artifacts pointed beyond static scripting — including AI-generated “harvest summaries” — consistent with a workflow built on a reasoning model rather than a fixed sequence.
According to SOCRadar’s Dismantling FortiBleed report, the campaign scanned a target universe of more than 430,000 FortiGate firewalls and surfaced over 110 million credentials. [1] Its real significance, though, isn’t the scale. It’s what researchers describe as a threshold crossed: threat actors operating in the agentic era.
What is an agentic AI cyberattack? An intrusion campaign driven by an autonomous AI agent that reasons over targets, writes its own tooling, and chains reconnaissance into exploitation with minimal human input.
Anatomy of an Agentic AI Cyberattack: The Five-Stage Attack Chain
Strip away the AI for a moment and, per SOCRadar’s reporting, FortiBleed looks like a textbook Initial Access Broker operation: financially motivated, opportunistic, relentlessly automated. SOCRadar reports it has been running since at least February 2026, and at the time of its report was still actively sniffing more than 19,000 devices out of 80,553 identified targets. [1] What makes it remarkable is not any single zero-day. There isn’t one. It’s the assembly line.
SOCRadar describes a methodical five-stage attack chain — a self-feeding loop: [1]
FortiBleed five-stage agentic AI cyberattack kill chain diagram
Stage 1 — Credential Sourcing & Reconnaissance
The actors begin with vast lists of previously collected credentials and scan the internet — SOCRadar cites tools such as Masscan and Shodan — for exposed FortiGate firewalls. [1]
Stage 2 — Pairing & Initial Access
Collected credentials are paired to the discovered devices through credential stuffing and brute-forcing, then used to gain access. Weak, reused, and never-rotated admin accounts do most of the work — no exploit required. [1]
Stage 3 — FortigateSniffer Deployment & Credential Harvesting
This is the engine. SOCRadar reports that on each compromised firewall the actors deploy a custom Golang tool (“FortigateSniffer”). To deploy it, the operators load a list of FortiGate SSH credentials — in one batch SOCRadar observed, 6,127 devices were loaded, with a 90% SSH validation success rate. The tool then abuses the FortiOS built-in diagnose sniffer packet command to passively capture authentication traffic across 24 protocols from every network behind the device, extracting both cleartext and hashed credentials from traffic that was never meant to leave the perimeter. [1]
Stage 4 — GPU Hash Cracking & Active Directory Reuse
Captured hashes are written into hashcat-ready files and cracked at scale. SOCRadar reports the operators rented decentralized GPU capacity (vast.ai) to work through the volume; recovered credentials are then validated and reused against Active Directory domains and other exposed services. [1]
Stage 5 — Collection & Exfiltration
Fresh credentials feed straight back into Stage 1, widening the blast radius with every cycle. SOCRadar reports more than 659 harvesting pipelines were launched this way. Among the victims it attributes to the campaign is a company it describes as a NATO-aligned defense contractor. [1]
The result is a machine that gets bigger as it runs. Each compromised edge device becomes a listening post; each listening post produces credentials that compromise the next wave. No exotic exploit chain — just hygiene failures harvested at industrial scale and at machine speed.
When Automation Starts to Think: Why Agentic Attacks Change the Economics
Attackers have automated for decades. Worms, botnets, mass scanners, credential-stuffing frameworks — none of that is new. So it would be easy to file FortiBleed under “more of the same, but bigger.” That would be a mistake. The difference between a script and an agent is the difference between a player piano and a musician.
Diagram contrasting a fixed script with a goal-driven AI agent
Traditional automation does exactly what it was told, in the order it was told, and breaks the moment reality diverges from the script. An agentic system is built on top of a reasoning model. It takes a goal — get credentials, move deeper, exfiltrate — and figures out the steps itself. It reads error messages and adapts. It writes its own tooling when the off-the-shelf option doesn’t fit. The human sets intent; the machine handles the path.
This is what collapses the economics. For most of cyber history, sophisticated intrusion was gated by scarce, expensive human expertise — a skilled operator could only be in one place at a time. Agentic systems dissolve that ceiling: a standard, off-the-shelf LLM subscription becomes tireless red-team labor that runs in parallel across an entire fleet, at a rounding-error cost compared to a human team.
The barrier to a global-scale operation just dropped from a team of experts to a few operators and an API key.
And that turns time into the weapon. Defenders have always relied, implicitly, on time — time to patch, to rotate credentials, to notice. Agentic operations compress that window toward zero. The hygiene gaps FortiBleed exploited were survivable for years largely because exploiting them at scale was slow and labor-intensive. Remove the labor, and every unpatched edge device becomes reachable in the time it takes a model to reason through it.
Researchers describe FortiBleed as among the first global-scale campaigns where agentic tooling sat at the core of the operation — but the conditions that produced it are not unique to one group. The same models, the same frameworks, the same economics are available to everyone. What was demonstrated here will be repeated, refined, and specialized. The relevant question for defenders is no longer whether attackers will run agentic operations. It’s whether defense will move at the same speed.
On CyberStrike Appearing in the FortiBleed Toolkit — and Where Defense Goes Next
There is one more detail in the FortiBleed reporting we won’t step around, because it concerns us directly. SOCRadar reports that the campaign’s harvest summaries carried the name of our own open-source, agentic penetration-testing framework — CyberStrike. We’d rather state that plainly than have anyone find it for us.
Dual-use is the nature of serious security tooling. Every meaningful offensive capability the industry has ever produced — port scanners, exploitation frameworks, credential crackers — has been used by both the people defending networks and the people attacking them. Nmap and Metasploit were built to make defenders stronger, and both have at times been turned against the systems they were meant to protect. That a tool appears in an attacker’s kit is not evidence the tool is illegitimate; it is evidence the tool is capable — and capability has never chosen a side. But the people who build it still make choices, so here are ours.
Our stance
So here is where we stand, plainly.
We have no connection to this campaign or its operators, we were not involved in it in any way, and we condemn the criminal misuse of security tooling. That our own project was part of it is not something we shrug off — the harm here was real, and it is unwelcome.
CyberStrike is, and will remain, fully open source under AGPL-3.0. That is a deliberate choice. The same code an adversary could pick up is the code every defender can read, audit, run, and learn from. We won’t pretend openness has no cost — a campaign like this is part of that cost. We still believe the alternative — capability that exists, but only the well-resourced can see — leaves defenders worse off. That is the trade we’ve weighed, with eyes open.
Our terms say what we mean: CyberStrike is for authorized security testing only — “only test systems you own or have explicit written authorization to test,” and never for unauthorized access. That line sits in our code of conduct, and every contributor builds on it.
We can’t choose who downloads an open-source project; no one can. What we can do is be honest about what the tool is, who it’s for, where we draw the line, and that its misuse here was real — and then keep building it in the open.
What this means for defenders
The reason an agentic framework is dangerous in an attacker’s hands is the same reason it matters in a defender’s: it operates at the speed and scale this new threat landscape demands. You cannot meet agentic offense with manual defense. When attackers can reason over an entire attack surface at machine speed, organizations still testing their environments by hand — once a quarter, one finding at a time — are running a different race entirely.
The lesson of FortiBleed is not that this technology should not exist. It already exists, on both sides, and it is not going back in the box. The lesson is that the hygiene failures it turned into stolen credentials — old hashes, missing MFA, exposed management interfaces — were all findable. Every one of them. The only question any organization should be asking is who finds them first — and whether defense moves at the same speed.
CyberStrike is open source — read it, audit it, run it: github.com/CyberStrikeus/CyberStrike
FAQ
What is FortiBleed? FortiBleed is a large-scale credential-harvesting campaign targeting internet-facing FortiGate firewalls, which SOCRadar attributes to a financially motivated Initial Access Broker active since at least February 2026. Researchers describe it as the first publicly documented global campaign with agentic AI tooling at its core.
How many credentials did FortiBleed expose? Per SOCRadar’s reporting, the campaign launched 659 harvesting pipelines and surfaced more than 110 million credentials across a target universe of roughly 430,000 FortiGate firewalls.
What makes an attack “agentic”? An agentic attack is driven by an autonomous AI agent that reasons toward a goal, writes its own tooling, and chains attack stages together — rather than replaying a fixed script.
How can defenders respond to agentic attacks? Close the hygiene gaps agentic attackers harvest at scale — rotate credentials, enforce MFA, remove exposed management interfaces — and adopt autonomous, agentic testing that runs at the same speed as the threat.
References
All campaign facts in this article are attributed to the following public reports. Inline [1] markers link to SOCRadar’s Dismantling FortiBleed report, the source for every statistic (430,000 firewalls, 110M credentials, 6,127 devices / 90%, 24 protocols, 659 pipelines, 19,000 / 80,553, the NATO-aligned defense contractor).
- SOCRadar Threat Research Unit — Dismantling FortiBleed (report PDF): https://socradar.io/wp-content/uploads/2026/06/Dismantling-FortiBleed.pdf
- SOCRadar — FortiBleed 2026: Fortinet Firewalls Compromised (blog): https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/
- SpyCloud — What SpyCloud Found Inside the FortiBleed Threat Actor Infrastructure: https://spycloud.com/blog/what-spycloud-found-inside-the-fortibleed-threat-actor-infrastructure/
- BleepingComputer — FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
- CSO Online — FortiBleed campaign exposes 75,000 Fortinet firewalls worldwide: https://www.csoonline.com/article/4186790/fortibleed-campaign-exposes-75000-fortinet-firewalls-worldwide.html
- Arctic Wolf — Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries: https://arcticwolf.com/resources/blog/active-fortibleed-campaign-impacting-fortinet-devices-across-194-countries/
