COMMENTARY: CyberStrikeAI does not reveal a story about a new kind of attack. It tells a story about speed.First appearing on GitHub in November 2025, it bundles more than 100 offensive security tools — for reconnaissance, exploitation, reporting — into a single AI-orchestrated workflow.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Researchers flagged it. And then, within weeks, threat actors were running it against live infrastructure. Operational deployment, in weeks, and last week, security researchers detected its use in a successful attack against Fortinet’s Fortigate appliances.We've seen this cycle before. Metasploit. Cobalt Strike. BloodHound. Sliver. Each started as a legitimate security research project, iterated over many years before they became standard attacker infrastructure.They were commercially sold, in part to limit them getting into criminal hands. CyberstrikeAI appears largely the work of one individual who made the tool freely available, meaning developers can easily fork and make variants of the code. A skilled criminal could tailor it for their needs, and sell it privately to less technical cybercriminals. None of this bodes well for security teams.The tools CyberStrikeAI contains aren't new. What's new is the orchestration layer. AI-assisted workflows let operators execute complex attack chains without manually stitching together dozens of utilities. Reconnaissance, vulnerability discovery, exploitation — these now run as structured, repeatable sequences rather than commands that require real technical knowledge to chain correctly. It’s a powerful innovation — now the gap between "knows how to find a framework on GitHub" and "can run a sophisticated attack against exposed infrastructure" has narrowed considerably.Security researchers tracked at least 21 unique IP addresses running CyberStrikeAI infrastructure over a five-week window in January and February 2026. Early targeting focused edge devices. Firewalls and VPN appliances — the perimeter devices standing between attackers and everything else. They are often the least patched and least monitored assets in the environment. That they were targeted first wasn't incidental.The 2025 Verizon DBIR reported exploitation of edge devices jumping from 3% to 22% of all breaches in a single year, with fewer than half ever getting fully patched. Microsoft's threat intelligence data broadens the picture: nation-state groups are now using generative AI across the full attack lifecycle — not just for malware, but for identity fabrication, infrastructure setup, and phishing. Operational uses, not experiments.Our 2026 Offensive Security Benchmark Report, which analyzed verified exposure data across more than 300 organizations, puts hard numbers to the problem. Only 0.47% of risks detected by vulnerability scanners are real and require action. Security teams aren't overwhelmed because they miss exposures — they're overwhelmed because almost none of what they see actually matters. The signal gets buried in noise.Remediation timelines tell the same story. Ninety-four percent of security teams report remediating zero-day vulnerabilities within five days. Verizon's data puts the actual median at 38 days. Meanwhile, 32% of known exploited vulnerabilities in 2025 showed evidence of exploitation before the CVE was even published. For edge devices — firewalls, VPNs, the exact infrastructure CyberStrikeAI hits first — public disclosure is a lagging indicator, not a warning.The path forward isn't complicated, but it does require some honest recalibration. Here are three steps to consider:None of this requires a complete overhaul. It requires understanding what's actually changed. As attacks become more autonomous, defense must move in the same direction.Welcome to tomorrow.Klaas Meinke, Head of AI, HadrianSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- Shift from visibility to verification: Most security programs are built to find issues. We need to know which ones matter. Prioritizing exploitability confirmation over vulnerability presence separates teams clearing real risk from teams generating tickets.
- Speed-up remediation at the edge: Exploitation of edge devices and VPNs rose from 3% to 22% of intrusion chains year-over-year. These aren't sophisticated intrusions — they’re fast, automated, and opportunistic. Continuous monitoring of internet-facing assets, with pre-authorized response protocols, is no longer optional.
- Increase testing cadence: Quarterly pentests were designed for environments that changed quarterly. Most enterprise environments change daily. The organizations that fared best weren't the ones with the most tools — 93% already use vulnerability scanners — they were the ones running continuous, automated validation instead of periodic snapshots.
