CyberStrikeAI observed on infrastructure tied to FortiGate campaign, researchers say

In a Team Cymru report, Senior Threat Intel Advisor Will Thomas says researchers observed CyberStrikeAI, an open source AI security testing platform, running on the same server used in a campaign that breached more than 500 Fortinet FortiGate devices, and that 21 unique IPs ran the platform between January 20 and February 26, 2026.

KEY FACTS

  • Incident: More than 500 FortiGate devices were breached
  • Tool: CyberStrikeAI is an open source AI native security testing platform
  • Infrastructure: 21 unique IPs observed running the platform from January 20 to February 26, 2026
  • Known host: Server 212.11.64.250 showed a CyberStrikeAI service banner on port 8080
  • Developer: Alias Ed1s0nZ, associated with public GitHub repositories

A “CyberStrikeAI” service banner was identified on port 8080 of 212.11.64.250, and NetFlow analysis showed network communications between that IP and targeted FortiGate devices. The FortiGate campaign infrastructure was last seen running the platform on January 30, 2026.
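The two observables above, the known host talking to FortiGate devices and the service banner on port 8080, are what a defender can hunt for in their own data. The script below is an added example, not Team Cymru's tooling or anything from the CyberStrikeAI project: it parses flow records in an assumed CSV layout (timestamp, source, source port, destination, destination port, protocol, bytes), flags any flow that touches the reported IP, and checks an HTTP response for the banner string. The flow records are constructed for illustration, and treating the banner as an HTTP response is an assumption based on the platform's web UI; the report does not say how the banner was served. A hit on the IP alone is a lead, not proof of compromise, since hosting can be shared or reassigned.

```python
"""Hunt for the observables described in the report: flows to or from the
known CyberStrikeAI host on port 8080, and the "CyberStrikeAI" service banner.
Added example, not Team Cymru's or the CyberStrikeAI project's code. The flow
log layout is an assumption; the sample records below are constructed."""
import csv
import http.client
import io
from dataclasses import dataclass

KNOWN_HOST = "212.11.64.250"   # IP named in the report
KNOWN_PORT = 8080               # port that carried the CyberStrikeAI banner
BANNER_MARKER = b"CyberStrikeAI"

# Constructed sample records: 203.0.113.10 stands in for a FortiGate device.
SAMPLE_FLOWS = """ts,src,sport,dst,dport,proto,bytes
2026-01-28T10:02:11Z,212.11.64.250,51234,203.0.113.10,443,tcp,1843
2026-01-28T10:02:13Z,203.0.113.10,443,212.11.64.250,51234,tcp,9210
2026-01-28T10:05:40Z,198.51.100.7,40001,203.0.113.10,443,tcp,620
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow records with columns ts,src,sport,dst,dport,proto,bytes."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append(Flow(row["ts"], row["src"], int(row["sport"]),
                          row["dst"], int(row["dport"]), row["proto"],
                          int(row["bytes"])))
    return flows


def flag_flows(flows: list[Flow], known_host: str = KNOWN_HOST) -> list[tuple[str, Flow]]:
    """Return every flow touching the known host, tagged by direction."""
    hits = []
    for f in flows:
        if f.src == known_host:
            hits.append(("inbound-from-known-host", f))
        elif f.dst == known_host:
            hits.append(("outbound-to-known-host", f))
    return hits


def is_cyberstrikeai_banner(response: bytes) -> bool:
    """True if the raw response (headers plus body) carries the banner string."""
    return BANNER_MARKER in response


def probe_banner(host: str, port: int = KNOWN_PORT, timeout: float = 3.0) -> bool:
    """Fetch / over plain HTTP and check for the banner. Assumes the banner is
    served over HTTP; touches the network, so it is not called at import."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        raw = str(resp.getheaders()).encode() + resp.read(4096)
    finally:
        conn.close()
    return is_cyberstrikeai_banner(raw)


if __name__ == "__main__":
    for tag, flow in flag_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{tag}: {flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} {flow.nbytes}B")
```

Run against exported firewall or flow logs converted to the assumed CSV layout, the two constructed records involving 212.11.64.250 are flagged and the unrelated third record is not. The banner check is split out as a pure function so it can be applied to stored scan output as well as to a live probe.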

The project's GitHub page, under the Ed1s0nZ account, describes the platform as an AI native security testing tool built in Go. The description lists integration of more than 100 security tools, an AI decision engine compatible with models such as GPT, a password protected web UI with audit logging, and a dashboard for vulnerability management and attack chain visualization.

Tooling in the platform covers a full attack chain: network and port scanners such as nmap and masscan, web testing tools such as sqlmap and nikto, exploitation frameworks including metasploit, password cracking tools such as hashcat and john, and post exploitation utilities such as mimikatz and bloodhound.

By combining those tools with AI agents and an orchestration engine, the platform can let operators with limited skills automate reconnaissance and exploitation. Researchers noted 21 servers running the platform between January 20 and February 26, 2026, hosted primarily in China, Singapore, and Hong Kong, with additional infrastructure in the United States, Japan, and Europe.

Developer activity under the alias Ed1s0nZ includes other AI assisted security projects named PrivHunterAI and InfiltrateX. Public repositories and activity show interactions with organizations previously linked to Chinese government affiliated operations: in December 2025 the developer shared work with Knownsec 404's Starlink Project, and in January 2026 a GitHub profile entry referenced a CNNVD award. The CNNVD reference was later removed.

WHY IT MATTERS

AI native orchestration platforms that integrate many offensive tools lower the barrier to complex network exploitation and accelerate automated targeting of exposed edge devices. Organizations should prioritize patching, reduce public exposure of firewall and VPN appliance management interfaces, and review firewall and flow logs for communications with the infrastructure identified in the report.