AI-Powered Attacks: How CyberStrikeAI Enables Hackers (What You Need to Know) (2026)

Imagine a world where hackers wield AI tools designed for defense, turning them into weapons of attack. That's the chilling reality we're facing with CyberStrikeAI, an open-source AI security testing platform that's been hijacked by malicious actors. But here's where it gets controversial: while CyberStrikeAI was intended to fortify cybersecurity, it's now being used to breach hundreds of Fortinet FortiGate firewalls, raising questions about the dual-use nature of AI technologies.

Last month, BleepingComputer shed light on a startling AI-assisted hacking campaign that compromised over 500 FortiGate devices in just five weeks. The mastermind behind this operation utilized multiple servers, including one at the IP address 212.11.64[.]250. Fast forward to a recent report by Team Cymru, and we discover that this very same IP address was running CyberStrikeAI, a relatively new AI-powered security testing platform. Will Thomas (aka BushidoToken), Senior Threat Intel Advisor at Team Cymru, highlights the alarming connection between this tool and the FortiGate breaches.

By analyzing NetFlow data, Team Cymru identified a 'CyberStrikeAI' service banner running on port 8080 at the aforementioned IP address. They also detected network communications between this IP and the targeted FortiGate devices. The campaign's infrastructure was last seen using CyberStrikeAI on January 30, 2026. And this is the part most people miss: CyberStrikeAI isn't just another tool—it's a full-fledged AI-native security testing platform built in Go, integrating over 100 security tools, an intelligent orchestration engine, and advanced features like vulnerability discovery and attack-chain visualization.
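The same kind of correlation can be run against your own flow logs. The sketch below is an added example, not code from Team Cymru or from the article: it refangs the published indicator and summarises any flows between it and your inventoried edge devices. The device inventory, the CSV column layout, and the sample flow records are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Indicator exactly as published in the article (defanged).
INDICATORS = ["212.11.64[.]250"]
# Constructed inventory of our own edge devices (documentation address space).
EDGE_DEVICES = {"198.51.100.10": "fgt-branch-01", "198.51.100.20": "fgt-hq-01"}
# Constructed flow export: start time, source, destination, destination port, bytes.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2026-01-22T03:14:07Z,212.11.64.250,198.51.100.10,443,18234
2026-01-22T03:14:09Z,198.51.100.10,212.11.64.250,51522,90412
2026-01-25T11:02:41Z,203.0.113.77,198.51.100.20,443,5120
2026-01-29T23:50:12Z,212.11.64.250,198.51.100.10,8443,2210
2026-01-30T08:00:00Z,212.11.64.250,192.0.2.55,80,640
"""

def refang(value):
    """Turn a defanged indicator such as 1.2.3[.]4 into a validated IP string."""
    return str(ipaddress.ip_address(value.replace("[.]", ".").strip()))

def hunt(flow_csv, indicators, edge_devices):
    """Summarise flows between listed indicators and inventoried edge devices."""
    bad = {refang(i) for i in indicators}
    hits = defaultdict(lambda: {"flows": 0, "bytes_in": 0, "bytes_out": 0,
                                "first": None, "last": None, "inbound_ports": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["src"], row["dst"]
        if src in bad and dst in edge_devices:
            device, remote, inbound = dst, src, True
        elif dst in bad and src in edge_devices:
            device, remote, inbound = src, dst, False
        else:
            continue  # not traffic between an indicator and one of our devices
        h = hits[(edge_devices[device], remote)]
        h["flows"] += 1
        h["bytes_in" if inbound else "bytes_out"] += int(row["bytes"])
        # Equal-length ISO-8601 UTC timestamps order correctly as strings.
        h["first"] = min(filter(None, (h["first"], row["ts"])))
        h["last"] = max(filter(None, (h["last"], row["ts"])))
        if inbound:
            h["inbound_ports"].add(int(row["dport"]))
    return dict(hits)

if __name__ == "__main__":
    for (device, remote), h in hunt(SAMPLE_FLOWS, INDICATORS, EDGE_DEVICES).items():
        print(device, remote, h)
```

A hit only shows that the device and the listed host exchanged traffic; the first-seen and last-seen times give the window to review in the device's own logs.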

Described on its GitHub repository (https://github.com/Ed1s0nZ), CyberStrikeAI boasts capabilities like end-to-end automation, conversational commands, and compatibility with AI models such as GPT, Claude, and DeepSeek. Its tooling covers everything from network scanning (nmap, masscan) to post-exploitation frameworks (mimikatz, bloodhound), making it a one-stop-shop for cybercriminals. By combining these tools with AI agents, even low-skilled operators can automate sophisticated attacks, a trend that Team Cymru warns could accelerate the targeting of exposed edge devices like firewalls and VPNs.

Between January 20 and February 26, 2026, researchers observed 21 unique IP addresses running CyberStrikeAI, primarily hosted in China, Singapore, and Hong Kong, with additional infrastructure in the U.S., Japan, and Europe. Thomas predicts a surge in AI-driven attacks on vulnerable edge devices, emphasizing that tools like CyberStrikeAI are lowering the barrier to entry for complex network exploitation. But here's the kicker: the developer behind CyberStrikeAI, known as 'Ed1s0nZ,' has also created other AI-assisted tools like PrivHunterAI and InfiltrateX, further amplifying the threat landscape.

Digging deeper, Team Cymru found that Ed1s0nZ has interacted with organizations linked to Chinese government-affiliated cyber operations. For instance, in December 2025, the developer shared CyberStrikeAI with the 'Starlink Project' run by Knownsec 404, a Chinese cybersecurity firm with alleged ties to the Chinese government. Additionally, Ed1s0nZ's GitHub profile briefly mentioned a 'CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award,' hinting at connections to China's intelligence community, which reportedly uses the China National Vulnerability Database (CNNVD) to identify vulnerabilities for its operations.

While the developer's GitHub repositories are primarily in Chinese, suggesting they are a Chinese-speaking individual, these interactions raise questions about the tool's origins and intentions. Is CyberStrikeAI a double-edged sword, or was it designed with malicious intent from the start? We’d love to hear your thoughts in the comments.

This isn't an isolated incident. Last month, Google reported that threat actors are abusing Gemini AI across all stages of cyberattacks, democratizing advanced hacking capabilities. Meanwhile, the Red Report 2026 highlights how malware is evolving, using mathematical techniques to evade detection and hide in plain sight. With 1.1 million malicious samples analyzed, the report uncovers the top 10 techniques attackers are using—techniques that might be slipping past your security stack.

As AI continues to blur the lines between defense and offense, one thing is clear: the cybersecurity landscape is evolving faster than ever. Are we prepared for a future where AI tools like CyberStrikeAI become the norm for both defenders and attackers? Let us know what you think.

Article information

Author: Virgilio Hermann JD
