Machine-speed attacks are coming in 2026. NZ needs to be ready.
Cybercriminals are gearing up to launch more attacks at unprecedented speed in 2026 – and security teams will only keep up if they can defend at machine speed.
Fortinet’s new Cyberthreat Predictions for 2026 report warns cybercrime is entering its “industrial age” with attackers operating more like integrated industries than loose-knit gangs, powered by automation, cloud infrastructure and AI.
That industrialisation is reshaping the economics of cybercrime. Fortinet cites estimates that the global cost of attacks will exceed NZ$40 trillion by 2027, putting cybercrime on par with the world’s largest economies.
“When you think about it, it’s crazy, big numbers,” says Glenn Maiden, Chief Security Officer, Fortinet Australia and Director of Threat Intelligence Operations, FortiGuard Labs ANZ. He contrasts that figure with the current combined gross domestic product (GDP) of New Zealand and Australia – NZ$3.6 trillion.
AI agents accelerate attack volume and speed
Fortinet expects the defining change in 2026 to be “purpose‑built, autonomous cybercrime agents” designed to handle key stages of the attack chain – from credential theft and phishing to lateral movement – with minimal human input.
These AI agents will build on the first wave of underground tools such as FraudGPT and WormGPT, dramatically lowering the barrier to entry and allowing experienced actors to scale across thousands of targets in parallel.
Maiden says there is still no confirmed case of AI-generated malware breaching a network and causing real damage – but the threat is accelerating. AI is already speeding up the early stages of an attack, particularly the development of exploit code.
“On average, it used to take several days for attackers to produce proof-of-concept code after a vulnerability was disclosed,” he says. “We’re now seeing that window shrink to less than five days, meaning criminals can move faster and exploit weaknesses before many organisations have applied a patch.”
Social engineering at human – and machine – scale
The most immediate AI impact is in social engineering, where criminals can generate convincing, localised phishing and fraud lures at scale.
“AI’s got to the point where most people can’t tell the difference between genuine and synthetic content. Traditional phishing awareness training is not very effective when the lure is indistinguishable from a real message,” Maiden says.
As attackers use AI to automate research and target selection, both the quality and volume of social engineering campaigns will climb. AI agents will also mine massive credential dumps and dark web sites to build rich profiles for tailored scams.
Machine‑speed attacks meet machine‑speed defence
Fortinet’s report argues that the core risk metric for 2026 will be “velocity”: how quickly attackers can move from reconnaissance to ransom, and whether defenders can compress detection and response from hours to minutes.
“Security operations designed for linear response can no longer keep pace,” the Fortinet report warns, calling for integrated security operations that tie together exposure management, endpoint and network detection and automated response.
“The technology is actually already there to defend at machine speed,” Maiden says.
Best practice centres on security operation centres (SOCs) that correlate activity across firewalls, endpoints and cloud services, then trigger pre-defined playbooks automatically.
Maiden says modern security operations should automatically respond when suspicious activity is detected across multiple systems, shutting down affected ports or devices before threats can spread. “If my firewall, endpoint and cloud tools all start flagging suspicious activity, that should automatically trigger a response,” he says.
Identity and zero-trust as the new perimeter
Maiden points out that a huge percentage of breaches are still done through credential abuse.
AI will supercharge attackers’ ability to correlate leaked passwords and personal data across multiple breaches.
That reality, he says, reinforces the need for “hardcore segmentation, role‑based access, multi‑factor authentication and a zero-trust approach”, so that even if an internal system is abused – including an organisation’s own AI models – attackers struggle to move or exfiltrate data.
Critical infrastructure and converged crime
Fortinet expects cybercriminals to target critical infrastructure like manufacturing, healthcare and utilities, blending data theft, operational disruption and extortion in a single playbook.
As satellite-to-mobile infrastructure and industrial internet of things (IoT) expand, techniques once reserved for state actors – firmware corruption, device “bricking” – will increasingly be weaponised for profit.
Maiden says around three‑quarters of malicious cyber activity hitting New Zealand and Australia is now organised crime rather than nation‑state operations. He points to the rise of “industrialised cybercrime scam centres” in Southeast Asia, run by organised crime groups that traffic people into fraud compounds, as a stark example of how physical and cybercrime have fused.
Fortinet sees disruption campaigns and new incentive models as crucial to rebalancing the ecosystem, highlighting INTERPOL’s Operation Serengeti 2.0, supported by Fortinet, which has combined intelligence sharing, infrastructure takedowns and coordinated arrests.
A new partnership between Fortinet and Crime Stoppers International dubbed the Cybercrime Bounty programme will pay rewards for tip‑offs that lead to the arrest and conviction of cybercriminals.
What organisations must do in 2026
Fortinet’s central message is that defenders and attackers now share the same tools – AI, cloud and automation – and the contest is becoming “a race of systems, not individuals”.
The report urges organisations to adopt threat‑informed defence, continuously mapping their posture against real‑world tactics and using the best technology to convert intelligence into containment “in minutes”.
If there’s a key theme for 2026 from Fortinet’s perspective, Maiden suggests it is this: “We must prepare now for a higher volume and higher velocity of attacks – before it is too late”.
View the full report: Cyberthreat Predictions for 2026.