Cybersecurity researchers have identified an artificial intelligence–based security testing framework known as CyberStrikeAI being used within infrastructure associated with a hacking campaign that recently compromised hundreds of enterprise firewall systems.
The warning follows an earlier report describing an AI-assisted intrusion operation that infiltrated more than 500 devices running Fortinet FortiGate within roughly five weeks. Investigators observed that the attacker relied on several servers to conduct the activity, including one hosted at the IP address 212.11.64[.]250.
A new analysis from the threat intelligence organization Team Cymru indicates that the same server was running the CyberStrikeAI platform. According to senior threat intelligence advisor Will Thomas, also known online as BushidoToken, network monitoring revealed that the address was hosting the AI security framework.
By reviewing NetFlow traffic records, researchers detected a service banner identifying CyberStrikeAI operating on port 8080 of the server. The same monitoring data also revealed communications between the system and Fortinet FortiGate devices that were targeted in the attack campaign. Evidence shows that the infrastructure used in the firewall exploitation activity was still running CyberStrikeAI as recently as January 30, 2026.
CyberStrikeAI’s public repository describes the project as an AI-native penetration testing platform written in the Go programming language. The framework integrates more than 100 existing security tools, along with a coordination engine that can manage tasks, assign predefined roles, and apply a modular skills system to automate testing workflows.
Project documentation explains that the platform employs AI agents and the MCP protocol to convert conversational instructions into automated security operations. Through this system, users can perform tasks such as vulnerability discovery, analysis of multi-step attack chains, retrieval of technical knowledge, and visualization of results in a structured testing environment.
The platform also contains an AI decision-making engine compatible with major large language models including GPT, Claude, and DeepSeek. Its interface includes a password-protected web dashboard, logging features that track activity for auditing purposes, and a SQLite database used to store results. Additional modules provide tools for vulnerability tracking, orchestrating attack tasks, and mapping complex attack chains.
CyberStrikeAI integrates a broad set of widely used offensive security tools capable of covering an entire intrusion workflow. These include reconnaissance utilities such as nmap and masscan, web application testing tools like sqlmap, nikto, and gobuster, exploitation frameworks including metasploit and pwntools, password-cracking programs such as hashcat and john, and post-exploitation utilities like mimikatz, bloodhound, and impacket.
When these tools are combined with AI-driven automation and orchestration, the system allows operators to conduct complex cyberattacks with drastically less technical expertise. Researchers warn that this type of AI-assisted automation could accelerate the discovery and targeting of internet-facing infrastructure, particularly devices located at the network edge such as firewalls and VPN appliances.
Team Cymru reported identifying 21 different IP addresses running CyberStrikeAI between January 20 and February 26, 2026. The majority of these servers were located in China, Singapore, and Hong Kong, although additional instances were detected in the United States, Japan, and several European countries.
Thomas noted that as cyber adversaries increasingly adopt AI-driven orchestration platforms, security teams should expect automated campaigns targeting vulnerable edge devices to become more common. The reconnaissance and exploitation activity directed at Fortinet FortiGate systems may represent an early example of this emerging trend.
Researchers also examined the online identity of the individual believed to be behind CyberStrikeAI, who uses the alias “Ed1s0nZ.” Public repositories linked to the account reference several additional AI-based offensive security tools. Among them are PrivHunterAI, which focuses on identifying privilege-escalation weaknesses using AI models, and InfiltrateX, a tool designed to scan systems for potential privilege escalation pathways.
According to Team Cymru, the developer’s GitHub activity shows interactions with organizations previously associated with cyber operations linked to China.
In December 2025, the developer shared the CyberStrikeAI project with Knownsec’s 404 “Starlink Project.” Knownsec is a Chinese cybersecurity firm that has been reported by analysts to have connections to government-linked cyber initiatives.
The developer’s GitHub profile also briefly referenced receiving a “CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award” on January 5, 2026. The China National Vulnerability Database (CNNVD) has been widely reported by security researchers to operate within China’s intelligence ecosystem and to track vulnerabilities that may later be used in cyber operations. Investigators noted that the reference to this award was later removed from the profile.
At the same time, analysts emphasize that the developer’s repositories are primarily written in Chinese, and interaction with domestic cybersecurity groups does not automatically indicate involvement in state-linked activities.
The rise in AI-assisted offensive security tools demonstrates how threat actors are increasingly using artificial intelligence to streamline cyber operations. By automating reconnaissance, vulnerability detection, and exploitation steps, such platforms significantly reduce the expertise required to launch sophisticated attacks.
This trend is already being observed across the broader threat network. Recent research from Google reported that attackers have begun incorporating the Gemini AI platform into several phases of cyberattacks, further illustrating how generative AI technologies are reshaping both defensive and offensive cybersecurity practices.
