CyberStrikeAI tool adopted by hackers for AI-powered attacks

Researchers report that the open-source AI security testing platform CyberStrikeAI was observed running on the same IP infrastructure used by the threat actor who breached hundreds of Fortinet FortiGate devices. Team Cymru’s analysis links CyberStrikeAI to automated, AI-driven orchestration that lowers the skill required to perform full attack chains and warns this could accelerate targeting of exposed edge devices.

Key points

  • CyberStrikeAI was observed on IP 212.11.64[.]250, the same infrastructure tied to a campaign that compromised over 500 FortiGate appliances.
  • The platform integrates 100+ security tools and AI agents to automate vulnerability discovery, exploitation, and attack-chain orchestration.
  • Team Cymru detected 21 unique IPs running CyberStrikeAI across China, Singapore, Hong Kong, the US, Japan, and Europe between Jan 20 and Feb 26, 2026.
  • The developer alias “Ed1s0nZ” has other AI-assisted tools (PrivHunterAI, InfiltrateX) and showed links to organizations previously associated with Chinese government–affiliated operations.
  • Researchers warn AI-native orchestration engines like CyberStrikeAI lower the barrier for attackers and could drive automated targeting of firewalls, VPNs, and other edge devices.

Read More: https://www.bleepingcomputer.com/news/security/cyberstrikeai-tool-adopted-by-hackers-for-ai-powered-attacks/