The rapid growth of artificial intelligence in cybersecurity has transformed both defence and attack. While AI tools have allowed organisations to automate detection and improve monitoring, they have also lowered the barrier to entry for attackers. Threat actors no longer need elite technical expertise to launch sophisticated campaigns. Instead, AI systems can assist with reconnaissance, exploit development, phishing, malware generation, and operational planning. One of the clearest examples of this shift was the large-scale FortiGate intrusion campaigns disclosed in 2026, in which attackers used AI-assisted workflows to compromise hundreds of exposed firewall devices across dozens of countries. The campaign demonstrated not only the growing operational role of AI in cybercrime, but also the consequences of fragmented incident response and weak coordination between security teams. Platforms such as TheHive offer an important lesson in how organisations could reduce the impact of these attacks today by improving collaboration, automation, and intelligence-driven response.

The FortiGate campaigns targeted internet-facing Fortinet firewall appliances. Firewalls are one of the most critical security devices in any organisation because they sit directly between internal infrastructure and the public internet. A successful compromise of a firewall can give attackers visibility into network traffic, remote access pathways, and authentication systems. In the 2026 campaigns, attackers exploited weakly protected or vulnerable FortiGate systems at scale. Security researchers observed that many of the affected devices had poor credential hygiene, exposed management interfaces, or delayed patching practices. The attackers were not necessarily highly skilled exploit developers. Instead, they used commercially available AI tools to accelerate and automate many stages of the attack lifecycle.

Framing the Modern Problem of FortiGate

The use of AI changed the scale and speed of the campaign. Traditional cyberattacks often require significant manual reconnaissance. An attacker must identify targets, determine which systems are vulnerable, analyse responses from scans, and decide which exploitation path to attempt. AI systems dramatically reduced this workload. Large language models could interpret scan results, generate scripts for exploitation, suggest likely credential combinations, and even automate follow-up tasks after a successful compromise. Instead of slowly investigating individual targets, attackers could manage hundreds of systems simultaneously.

This represented a major shift in cybercrime economics. In earlier years, large intrusion campaigns generally required either advanced expertise or large criminal organisations with specialised operators. AI compressed those requirements. Threat actors with moderate technical ability could now behave like highly organised intrusion teams because AI handled much of the analytical and scripting burden. The attackers essentially used AI as an operational multiplier.

Scaling up with AI

The consequences of the FortiGate campaign extended beyond the individual compromised devices. Once attackers gained access to firewalls, they could pivot deeper into internal networks. Firewalls often contain VPN configurations, authentication tokens, administrative credentials, and network topology information. This allowed attackers to escalate privileges and expand their access. In some environments, compromised firewalls acted as silent persistence mechanisms because administrators failed to realise the devices themselves had been breached.

One of the most important lessons from the campaign was that many organisations struggled not because they lacked security products, but because they lacked coordinated incident response. Security alerts were often isolated inside separate tools. Indicators of compromise were not correlated quickly enough. Analysts became overwhelmed by the volume of alerts generated during the attack waves. In several cases, organisations treated individual intrusion attempts as isolated incidents rather than recognising they were part of a broader campaign targeting similar infrastructure globally.

Taking Preventive Measures

This is where TheHive could have significantly reduced operational failures. TheHive is an open-source security incident response platform designed to support Security Operations Centres (SOCs), Computer Security Incident Response Teams (CSIRTs), and threat intelligence teams. Unlike traditional antivirus or firewall products, TheHive is not primarily focused on detection. Instead, its purpose is to coordinate investigation, enrichment, collaboration, and response.

TheHive would have been particularly effective against the FortiGate campaigns because the attacks generated enormous numbers of observables and repetitive workflows. Observables are pieces of evidence such as IP addresses, domains, hashes, URLs, usernames, or email addresses that analysts investigate during an incident. In the FortiGate campaign, security teams were flooded with indicators from firewall logs, authentication attempts, scanning activity, and malicious infrastructure. Without a centralised case management platform, analysts often investigated these indicators separately, resulting in duplicated effort and delayed response times.

TheHive's case-based architecture could have improved this process substantially. When integrated with SIEM systems and detection platforms, alerts relating to suspicious FortiGate behaviour could automatically create incidents inside TheHive. Analysts would then have a shared workspace where all related observables, tasks, notes, timelines, and indicators were collected together. Instead of manually copying data between spreadsheets, emails, and ticketing systems, the investigation would become centralised and collaborative.

The Strength of TheHive

A major advantage of TheHive is its integration with Cortex, an analysis and automation engine. Cortex allows analysts to run automated enrichment tasks against observables. For example, suspicious IP addresses associated with the FortiGate attacks could automatically be checked against threat intelligence databases, passive DNS systems, WHOIS services, and malware repositories such as VirusTotal. The system could automatically add context about whether the infrastructure was linked to known malicious activity. This reduces analyst workload and accelerates triage.

The importance of automation becomes especially clear when considering AI-assisted attacks. Because AI allows attackers to operate at greater scale, defenders cannot rely entirely on manual investigation processes. Human analysts simply cannot process thousands of repetitive alerts fast enough during a rapidly evolving intrusion campaign. TheHive addresses this problem by reducing repetitive labour. Analysts can focus on higher-level reasoning and containment decisions while automated systems handle enrichment and correlation.
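The two mechanisms described above, correlating per-device firewall alerts into one campaign-level case and then enriching its observables with automated analyzers, are illustrated by the following added example. It is not code from the article nor from the TheHive or Cortex projects. The FortiGate-style log lines and the local threat-intelligence table are constructed; the alert field names (type, source, sourceRef, title, severity, tags, observables with dataType/data) follow the shape of TheHive's alert model and the analyzer report follows Cortex's summary.taxonomies convention, but both are assumptions here rather than calls to a live instance, and the campaign thresholds in is_campaign are arbitrary illustration values.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style key=value event lines (not real captures): one
# source address hammers the admin interface of two firewalls, fails repeatedly,
# succeeds, then changes configuration; a second address is ordinary admin use.
FORTIGATE_LOGS = [
    'date=2026-03-01 time=02:14:07 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.10 dstip=198.51.100.5 status="failed"',
    'date=2026-03-01 time=02:14:09 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" srcip=203.0.113.10 dstip=198.51.100.5 status="failed"',
    'date=2026-03-01 time=02:14:12 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.10 dstip=198.51.100.9 status="failed"',
    'date=2026-03-01 time=02:15:40 type="event" subtype="system" level="notice" logdesc="Admin login" user="admin" srcip=203.0.113.10 dstip=198.51.100.5 status="success"',
    'date=2026-03-01 time=02:17:15 type="event" subtype="system" level="warning" logdesc="Config change" user="admin" srcip=203.0.113.10 dstip=198.51.100.5 msg="VPN user added"',
    'date=2026-03-01 time=08:30:00 type="event" subtype="system" level="notice" logdesc="Admin login" user="admin" srcip=192.0.2.77 dstip=198.51.100.9 status="success"',
]

# Constructed stand-in for the feeds a Cortex analyzer would query (VirusTotal,
# passive DNS, WHOIS); not real reputation data.
LOCAL_INTEL = {"203.0.113.10": "scanner infrastructure"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def correlate_by_source(events):
    """Group admin-interface events by source IP, so attempts against several
    firewalls surface as one campaign instead of separate per-device alerts."""
    groups = defaultdict(lambda: {"devices": set(), "users": set(),
                                  "failed": 0, "success": 0, "config_changes": 0})
    for ev in events:
        g = groups[ev["srcip"]]
        g["devices"].add(ev["dstip"])
        g["users"].add(ev["user"])
        if ev.get("status") == "failed":
            g["failed"] += 1
        elif ev.get("status") == "success":
            g["success"] += 1
        if ev.get("logdesc") == "Config change":
            g["config_changes"] += 1
    return groups


def is_campaign(group, min_devices=2, min_failures=3):
    """Heuristic (illustrative thresholds): repeated failures spread over
    several devices followed by at least one successful login."""
    return (len(group["devices"]) >= min_devices
            and group["failed"] >= min_failures and group["success"] > 0)


def build_alert(srcip, group):
    """Build an alert in the shape TheHive's alert API accepts (assumed field
    names); severity 1-4 maps to low..critical. Observables are deduplicated
    by construction from the sets gathered during correlation."""
    observables = [{"dataType": "ip", "data": srcip, "tags": ["attacker-source"]}]
    observables += [{"dataType": "ip", "data": d, "tags": ["fortigate-device"]}
                    for d in sorted(group["devices"])]
    observables += [{"dataType": "other", "data": u, "tags": ["admin-username"]}
                    for u in sorted(group["users"])]
    return {
        "type": "fortigate-admin-bruteforce",
        "source": "siem",
        "sourceRef": f"fgt-campaign-{srcip}",
        "title": f"FortiGate admin compromise from {srcip} across {len(group['devices'])} devices",
        "description": (f"{group['failed']} failed and {group['success']} successful admin logins, "
                        f"{group['config_changes']} config change(s)"),
        "severity": 4 if group["config_changes"] else 3,
        "tags": ["fortigate", "campaign"],
        "observables": observables,
    }


def enrich_ip(ip):
    """Cortex-style analyzer report: summary.taxonomies with level
    info/safe/suspicious/malicious is Cortex's convention; the lookup is local."""
    hit = LOCAL_INTEL.get(ip)
    level, value = ("malicious", hit) if hit else ("info", "no match")
    return {"success": True, "summary": {"taxonomies": [
        {"level": level, "namespace": "LocalIntel", "predicate": "Reputation", "value": value}]}}


def triage(logs):
    """Full pipeline: parse, correlate, build campaign alerts, enrich IPs."""
    groups = correlate_by_source(parse_event(line) for line in logs)
    alerts = []
    for srcip, g in groups.items():
        if not is_campaign(g):
            continue
        alert = build_alert(srcip, g)
        alert["reports"] = {o["data"]: enrich_ip(o["data"])
                            for o in alert["observables"] if o["dataType"] == "ip"}
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in triage(FORTIGATE_LOGS):
        print(a["title"], "| severity", a["severity"])
        for ip, report in a["reports"].items():
            print("  ", ip, report["summary"]["taxonomies"][0]["level"])
```

Run as a script it emits one campaign alert for 203.0.113.10 (rated critical because a configuration change followed the successful login) while the routine 08:30 admin login from 192.0.2.77 never becomes an alert; in a real deployment the dict returned by build_alert would be posted to TheHive and enrich_ip replaced by a Cortex analyzer job, with the analyst reviewing the merged case rather than six separate firewall events.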