CyberStrikeAI: A Tool Used by Hackers for AI-Powered Attacks on Fortinet Firewalls
In a recent report, researchers at Team Cymru have identified an open-source AI security testing platform called CyberStrikeAI that has been used by threat actors to carry out attacks on Fortinet firewalls. The same threat actor behind a campaign that breached hundreds of Fortinet devices in five weeks was found to be using CyberStrikeAI as part of their attack. This discovery highlights the increasing use of artificial intelligence (AI) and machine learning (ML) tools in cybersecurity threats, making it essential for organizations to stay vigilant and prepared.
The researchers at Team Cymru discovered that a server hosted on the IP address 212.11.64[.]250 was running the CyberStrikeAI platform, which is an AI-native security testing tool designed to integrate over 100 security tools and provide automated vulnerability discovery, attack-chain analysis, and result visualization. The team observed network communications between the IP address and Fortinet devices targeted by the threat actor, indicating that CyberStrikeAI was used to conduct reconnaissance and identify vulnerabilities in these devices.
CyberStrikeAI's features include an AI decision engine compatible with models such as GPT, Claude, and DeepSeek, a password-protected web UI with audit logging and SQLite persistence, and a dashboard for vulnerability management, task orchestration, and attack-chain visualization. The tool allows operators to automate attacks against targets using network scanning tools like nmap and masscan, web and application testing tools like sqlmap and nikto, exploitation frameworks like metasploit and pwntools, password cracking tools like hashcat and john, and post-exploitation frameworks like mimikatz, bloodhound, and impacket.
The researchers warn that the use of AI-native orchestration engines like CyberStrikeAI could accelerate automated targeting of exposed edge devices, including firewalls and VPN appliances. They observed 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, with servers primarily hosted in China, Singapore, and Hong Kong.
The developer behind CyberStrikeAI is believed to be a Chinese-speaking individual who has worked on other AI-assisted security tools, including PrivHunterAI and InfiltrateX. The developer's GitHub activity shows interactions with organizations previously linked to Chinese government-affiliated cyber operations, suggesting that the development of CyberStrikeAI may have been influenced by or even sponsored by these entities.
As threat actors continue to adopt AI-powered tools like CyberStrikeAI, it is essential for cybersecurity professionals to stay informed about emerging threats and develop strategies to mitigate their impact. Organizations must prioritize vulnerability management, implement robust security measures, and continuously monitor their networks for signs of unusual activity.
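One concrete form of the monitoring recommended above is sweeping firewall traffic logs for the single indicator the report publishes. The following is an added example written for this summary, not code from Team Cymru or the CyberStrikeAI project: it refangs the defanged indicator, parses lines in FortiGate key=value syslog syntax, and reports flows whose source or destination matches. The log lines are constructed samples, and the hostnames, ports and timestamps in them are assumptions.

```python
import re
from ipaddress import ip_address

# Indicator as published in the report (defanged); refang() restores the plain form.
DEFANGED_IOC = "212.11.64[.]250"

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 or hxxp:// into its plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# FortiGate logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate_line(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_ioc_hits(lines, ioc_ip: str):
    """Return (srcip, dstip, dstport, action) for every flow touching ioc_ip."""
    target = ip_address(ioc_ip)
    hits = []
    for line in lines:
        rec = parse_fortigate_line(line)
        try:
            src = ip_address(rec.get("srcip", ""))
            dst = ip_address(rec.get("dstip", ""))
        except ValueError:
            continue  # event logs and other lines without usable IP fields
        if target in (src, dst):
            hits.append((str(src), str(dst), rec.get("dstport"), rec.get("action")))
    return hits

# Constructed sample lines (assumed device name, ports and addresses; not captured data).
SAMPLE_LOGS = [
    'date=2026-02-10 time=03:14:07 devname="fw-edge-1" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=10.0.1.9 dstport=443 action="accept"',
    'date=2026-02-10 time=03:14:12 devname="fw-edge-1" type="traffic" subtype="local" srcip=212.11.64.250 dstip=198.51.100.7 dstport=10443 action="deny"',
    'date=2026-02-10 time=03:14:15 devname="fw-edge-1" type="traffic" subtype="local" srcip=212.11.64.250 dstip=198.51.100.7 dstport=443 action="accept"',
    'date=2026-02-10 time=03:14:20 devname="fw-edge-1" type="event" subtype="system" msg="scheduled backup done"',
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS, refang(DEFANGED_IOC)):
        print("IOC hit (src, dst, dstport, action):", hit)
```

An accepted connection from the indicator to a management or VPN port on the firewall itself (subtype "local") is the case worth escalating; the denied attempt still shows the device was being probed.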
In conclusion, the discovery of CyberStrikeAI highlights the growing threat landscape in cybersecurity, where AI-powered tools are being used to carry out sophisticated attacks on organizations. It is crucial that cybersecurity professionals stay vigilant and prepared to counter these threats, and that organizations invest in robust security measures to protect their networks and data from AI-powered attacks.