#244: Hopping over the FortiGate
FortiGate's crisis, TheHive, and what we do now
The rapid growth of artificial intelligence in cybersecurity has transformed both defence and attack. While AI tools have allowed organisations to automate detection and improve monitoring, they have also lowered the barrier to entry for attackers. Threat actors no longer need elite technical expertise to launch sophisticated campaigns. Instead, AI systems can assist with reconnaissance, exploit development, phishing, malware generation, and operational planning. One of the clearest examples of this shift was the large-scale FortiGate intrusion campaigns disclosed in 2026, in which attackers used AI-assisted workflows to compromise hundreds of exposed firewall devices across dozens of countries. The campaign demonstrated not only the growing operational role of AI in cybercrime, but also the consequences of fragmented incident response and weak coordination between security teams. Platforms such as TheHive offer an important lesson in how organisations could reduce the impact of these attacks today by improving collaboration, automation, and intelligence-driven response.
The FortiGate campaigns targeted internet-facing Fortinet firewall appliances. Firewalls are one of the most critical security devices in any organisation because they sit directly between internal infrastructure and the public internet. A successful compromise of a firewall can give attackers visibility into network traffic, remote access pathways, and authentication systems. In the 2026 campaigns, attackers exploited weakly protected or vulnerable FortiGate systems at scale. Security researchers observed that many of the affected devices had poor credential hygiene, exposed management interfaces, or delayed patching practices. The attackers were not necessarily highly skilled exploit developers. Instead, they used commercially available AI tools to accelerate and automate many stages of the attack lifecycle.
Framing the Modern Problem of FortiGate
The use of AI changed the scale and speed of the campaign. Traditional cyberattacks often require significant manual reconnaissance. An attacker must identify targets, determine which systems are vulnerable, analyse responses from scans, and decide which exploitation path to attempt. AI systems dramatically reduced this workload. Large language models could interpret scan results, generate scripts for exploitation, suggest likely credential combinations, and even automate follow-up tasks after a successful compromise. Instead of slowly investigating individual targets, attackers could manage hundreds of systems simultaneously.
This represented a major shift in cybercrime economics. In earlier years, large intrusion campaigns generally required either advanced expertise or large criminal organisations with specialised operators. AI compressed those requirements. Threat actors with moderate technical ability could now behave like highly organised intrusion teams because AI handled much of the analytical and scripting burden. The attackers essentially used AI as an operational multiplier.
Scaling up with AI
The consequences of the FortiGate campaign extended beyond the individual compromised devices. Once attackers gained access to firewalls, they could pivot deeper into internal networks. Firewalls often contain VPN configurations, authentication tokens, administrative credentials, and network topology information. This allowed attackers to escalate privileges and expand their access. In some environments, compromised firewalls acted as silent persistence mechanisms because administrators failed to realise the devices themselves had been breached.
One of the most important lessons from the campaign was that many organisations struggled not because they lacked security products, but because they lacked coordinated incident response. Security alerts were often isolated inside separate tools. Indicators of compromise were not correlated quickly enough. Analysts became overwhelmed by the volume of alerts generated during the attack waves. In several cases, organisations treated individual intrusion attempts as isolated incidents rather than recognising they were part of a broader campaign targeting similar infrastructure globally.
Taking Preventive Measures
This is where TheHive could have significantly reduced operational failures. TheHive is an open-source security incident response platform designed to support Security Operations Centres (SOCs), Computer Security Incident Response Teams (CSIRTs), and threat intelligence teams. Unlike traditional antivirus or firewall products, TheHive is not primarily focused on detection. Instead, its purpose is to coordinate investigation, enrichment, collaboration, and response.
TheHive would have been particularly effective against the FortiGate campaigns because the attacks generated enormous numbers of observables and repetitive workflows. Observables are pieces of evidence such as IP addresses, domains, hashes, URLs, usernames, or email addresses that analysts investigate during an incident. In the FortiGate campaign, security teams were flooded with indicators from firewall logs, authentication attempts, scanning activity, and malicious infrastructure. Without a centralised case management platform, analysts often investigated these indicators separately, resulting in duplicated effort and delayed response times.
TheHive’s case-based architecture could have improved this process substantially. When integrated with SIEM systems and detection platforms, alerts relating to suspicious FortiGate behaviour could automatically create incidents inside TheHive. Analysts would then have a shared workspace where all related observables, tasks, notes, timelines, and indicators were collected together. Instead of manually copying data between spreadsheets, emails, and ticketing systems, the investigation would become centralised and collaborative.
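As an added illustration of that SIEM-to-TheHive hand-off (example code written for this post; it is not TheHive's own client code or a script from the campaign write-ups), here is a small Python ingestion step that parses FortiGate-style event log lines, collapses failed administrator logins into one alert per device and source address, and shapes the result as the payload TheHive's alert API accepts. The log lines are constructed to mimic FortiGate's key=value syslog layout, the ten-attempt severity threshold is a made-up policy, and the `/api/v1/alert` endpoint and field names are the author's understanding of the TheHive 5 schema, to be checked against the deployed version.

```python
import hashlib
import json
import re
from collections import defaultdict


def _event_line(date, time, devname, user, srcip, status, reason):
    """Build a constructed FortiGate-style event log line (key=value pairs,
    quoted when the value contains spaces). The layout mimics FortiGate syslog;
    it is not a capture from a real device."""
    return (f'date={date} time={time} devname="{devname}" logid="0100032002" '
            f'type="event" subtype="system" level="alert" logdesc="Admin login {status}" '
            f'user="{user}" ui="https({srcip})" srcip={srcip} action="login" '
            f'status="{status}" reason="{reason}"')


# Constructed sample window: one source hammering FGT-EDGE-01, one legitimate
# login, and one failed attempt against a second device.
SAMPLE_LOGS = [
    _event_line("2026-02-11", "09:14:02", "FGT-EDGE-01", "admin", "203.0.113.45", "failed", "passwd_invalid"),
    _event_line("2026-02-11", "09:14:05", "FGT-EDGE-01", "admin", "203.0.113.45", "failed", "passwd_invalid"),
    _event_line("2026-02-11", "09:14:09", "FGT-EDGE-01", "fortinet", "203.0.113.45", "failed", "name_invalid"),
    _event_line("2026-02-11", "09:14:13", "FGT-EDGE-01", "admin", "203.0.113.45", "failed", "passwd_invalid"),
    _event_line("2026-02-11", "09:20:41", "FGT-EDGE-01", "netops", "192.0.2.10", "success", "none"),
    _event_line("2026-02-11", "09:31:00", "FGT-EDGE-02", "admin", "198.51.100.7", "failed", "passwd_invalid"),
]

# key=value where the value is a double-quoted string or a run of non-space characters
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_kv(line):
    """Parse one FortiGate-style key=value line into a dict, unquoting values."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def failed_admin_logins(lines):
    """Group failed administrator logins by (device, source IP)."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_fortigate_kv(line)
        if ev.get("action") == "login" and ev.get("status") == "failed":
            groups[(ev["devname"], ev["srcip"])].append(ev)
    return groups


def build_alert(devname, srcip, events):
    """Shape one group of events as an alert payload for TheHive's alert API.
    Field names (type, source, sourceRef, title, description, severity, tags,
    observables with dataType/data) follow TheHive's alert schema as the author
    of this example understands it; check them against your deployed version."""
    users = sorted({ev["user"] for ev in events})
    first, last = events[0], events[-1]
    # sourceRef is the deduplication key for a given source: deriving it from
    # device, source IP and day means re-ingesting the same log window updates
    # the existing alert instead of creating a duplicate.
    ref = hashlib.sha256(f"{devname}|{srcip}|{first['date']}".encode()).hexdigest()[:16]
    severity = 3 if len(events) >= 10 else 2  # 10-attempt threshold is a constructed policy
    return {
        "type": "fortigate-admin-bruteforce",
        "source": "fortigate-syslog",
        "sourceRef": ref,
        "title": f"{len(events)} failed admin logins on {devname} from {srcip}",
        "description": (f"Accounts tried: {', '.join(users)}. Window: "
                        f"{first['date']} {first['time']} to {last['date']} {last['time']}."),
        "severity": severity,
        # attack.T1110 is MITRE ATT&CK Brute Force, so the alert is classified on arrival
        "tags": ["fortigate", "credential-access", "attack.T1110"],
        "observables": [
            {"dataType": "ip", "data": srcip, "tags": ["source"]},
            *[{"dataType": "other", "data": f"user:{u}", "tags": ["targeted-account"]} for u in users],
        ],
    }


def alerts_from_logs(lines):
    """One alert per (device, source IP) with failed logins, never one per log line."""
    return [build_alert(dev, ip, evs) for (dev, ip), evs in failed_admin_logins(lines).items()]


def post_alert(alert, base_url, api_key):
    """Submit an alert to TheHive (POST /api/v1/alert with a bearer API key).
    The endpoint path is the author's assumption for TheHive 5; not called here."""
    import urllib.request
    req = urllib.request.Request(
        f"{base_url}/api/v1/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for alert in alerts_from_logs(SAMPLE_LOGS):
        print(json.dumps(alert, indent=2))
```

The detail worth noticing is `sourceRef`. TheHive treats source and sourceRef as the identity of an alert, so deriving the reference from device, source address and day means a log window that is sent twice (a replayed syslog forwarder, a backfill after an outage) updates one alert rather than handing analysts a stack of copies, which is exactly the overload the campaign produced.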
The Strength of TheHive
A major advantage of TheHive is its integration with Cortex, an analysis and automation engine. Cortex allows analysts to run automated enrichment tasks against observables. For example, suspicious IP addresses associated with the FortiGate attacks could automatically be checked against threat intelligence databases, passive DNS systems, WHOIS services, and malware repositories such as VirusTotal. The system could automatically add context about whether the infrastructure was linked to known malicious activity. This reduces analyst workload and accelerates triage.
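To make the enrichment step concrete, here is an added Python example (written for this post; it is not Cortex or TheHive code) covering the two things a SOC has to get right before trusting automated enrichment: which analyzers an observable may be sent to, given its TLP marking, and how several analyzer reports roll up into one verdict that adjusts case severity. The reports are constructed in the shape of Cortex's taxonomy summaries; the analyzer names, the TLP table and the severity floors are hypothetical.

```python
# Cortex summarises each analyzer run as taxonomies, e.g.
# {"level": "malicious", "namespace": "VT", "predicate": "GetReport", "value": "12/70"}.
# The reports below are constructed in that shape; they are not real analyzer output.
SAMPLE_REPORTS = {
    "VirusTotal_GetReport": {"success": True, "summary": {"taxonomies": [
        {"level": "malicious", "namespace": "VT", "predicate": "GetReport", "value": "12/70"}]}},
    "PassiveDNS_Lookup": {"success": True, "summary": {"taxonomies": [
        {"level": "info", "namespace": "PDNS", "predicate": "Domains", "value": "3"}]}},
    "Internal_Blocklist": {"success": True, "summary": {"taxonomies": [
        {"level": "safe", "namespace": "Blocklist", "predicate": "Listed", "value": "no"}]}},
    "WHOIS_Lookup": {"success": False, "errorMessage": "timeout"},
}

LEVEL_RANK = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Constructed analyzer catalogue (hypothetical names): each entry is the highest
# TLP an observable may carry and still be sent to that analyzer. External
# services sit at TLP:WHITE, so amber or red observables never leave the organisation.
ANALYZERS = {
    "VirusTotal_GetReport": "white",
    "PassiveDNS_Lookup": "amber",
    "WHOIS_Lookup": "white",
    "Internal_Blocklist": "red",
}


def runnable_analyzers(observable_tlp, analyzers=ANALYZERS):
    """Analyzers permitted for an observable at the given TLP."""
    return [name for name, max_tlp in analyzers.items()
            if TLP_RANK[observable_tlp] <= TLP_RANK[max_tlp]]


def verdict(reports):
    """Roll several Cortex reports up into the worst taxonomy level seen, with
    the evidence lines an analyst would read and the analyzers that failed."""
    worst, evidence, failed = "info", [], []
    for name, report in reports.items():
        if not report.get("success"):
            failed.append(name)  # a failed lookup is reported, never silently treated as clean
            continue
        for t in report.get("summary", {}).get("taxonomies", []):
            evidence.append(f'{t["namespace"]}:{t["predicate"]}={t["value"]} [{t["level"]}]')
            if LEVEL_RANK[t["level"]] > LEVEL_RANK[worst]:
                worst = t["level"]
    return worst, evidence, failed


def escalate_severity(current, level):
    """Raise case severity to a floor set by the enrichment verdict, never lower it.
    The floors (malicious -> 3, suspicious -> 2) are a constructed policy."""
    floor = {"malicious": 3, "suspicious": 2}.get(level, 1)
    return max(current, floor)


def enrich(observable, reports, case_severity):
    """Full enrichment step: gate by TLP, roll up reports, escalate severity.
    Only reports from analyzers the observable's TLP allows are considered."""
    allowed = set(runnable_analyzers(observable["tlp"]))
    considered = {n: r for n, r in reports.items() if n in allowed}
    level, evidence, failed = verdict(considered)
    return {
        "observable": observable["data"],
        "analyzers_run": sorted(considered),
        "level": level,
        "evidence": evidence,
        "failed": failed,
        "severity": escalate_severity(case_severity, level),
    }


if __name__ == "__main__":
    ip = {"dataType": "ip", "data": "203.0.113.45", "tlp": "white"}
    print(enrich(ip, SAMPLE_REPORTS, case_severity=2))
    # the same address marked TLP:AMBER is never sent to the external services
    print(enrich({**ip, "tlp": "amber"}, SAMPLE_REPORTS, case_severity=2))
```

The TLP gate is the part most often skipped in a hurry. External services retain what they are sent, so an internal address or a targeted account name marked TLP:AMBER must not reach them; Cortex expresses the same control as a per-analyzer maximum TLP, and the table here reproduces it so the behaviour is visible. The second point is that a failed lookup is surfaced rather than treated as a clean result, which is what distinguishes "not checked" from "checked and safe" during triage.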
The importance of automation becomes especially clear when considering AI-assisted attacks. Because AI allows attackers to operate at greater scale, defenders cannot rely entirely on manual investigation processes. Human analysts simply cannot process thousands of repetitive alerts fast enough during a rapidly evolving intrusion campaign. TheHive addresses this problem by reducing repetitive labour. Analysts can focus on higher-level reasoning and containment decisions while automated systems handle enrichment and correlation.
Another major strength of TheHive is campaign correlation. During the FortiGate attacks, many organisations failed to recognise broader patterns. An individual failed login attempt or suspicious scan might appear insignificant on its own. However, when similar events occur across multiple devices and regions, they may indicate a coordinated intrusion campaign. TheHive allows analysts to link cases together through shared observables and attack patterns. This creates a more strategic understanding of the threat landscape.
For example, if multiple firewall incidents involved the same command-and-control server or scanning IP range, analysts could identify these relationships quickly inside TheHive. Over time, this produces a campaign-level view rather than isolated incident-level visibility. This distinction is extremely important in modern cybersecurity because attackers increasingly operate as distributed campaigns rather than single-target intrusions.
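The relationship-finding described above, as an added example (code written for this post, not TheHive's own correlation engine): each case's observables are indexed under normalised keys, and cases that share a key are merged into one cluster with union-find, so a domain shared by two cases and a /24 shared with a third pull all three into one campaign view. The cases are constructed for the example; the /24 grouping is a parameter of this code and a heuristic, not something TheHive applies by default.

```python
import ipaddress
from collections import defaultdict

# Constructed cases in the shape TheHive stores them: an id, a title and the
# observables attached to the case as (dataType, value) pairs.
SAMPLE_CASES = [
    {"id": "CASE-101", "title": "FGT-EDGE-01: admin brute force",
     "observables": [("ip", "203.0.113.45"), ("domain", "update-check.example")]},
    {"id": "CASE-102", "title": "FGT-BR-07: VPN config download",
     "observables": [("domain", "UPDATE-CHECK.example"), ("ip", "198.51.100.7")]},
    {"id": "CASE-103", "title": "FGT-DC-02: management interface scan",
     "observables": [("ip", "203.0.113.200")]},
    {"id": "CASE-104", "title": "Phishing report, finance team",
     "observables": [("mail", "payroll@example.net")]},
]


def correlation_keys(data_type, value, ip_prefix=24):
    """Keys under which an observable can match another case's observable: the
    normalised value itself and, for IPs, the enclosing /ip_prefix network so
    hosts from one scanning range link even when the exact address differs."""
    keys = [(data_type, value.lower())]
    if data_type == "ip":
        net = ipaddress.ip_network(f"{value}/{ip_prefix}", strict=False)
        keys.append(("ip-range", str(net)))
    return keys


def correlate_cases(cases, ip_prefix=24):
    """Cluster cases into campaigns: two cases join the same cluster when they
    share a correlation key, transitively. Returns clusters, largest first,
    each with the keys that did the linking."""
    index = defaultdict(set)  # key -> ids of the cases carrying it
    for case in cases:
        for data_type, value in case["observables"]:
            for key in correlation_keys(data_type, value, ip_prefix):
                index[key].add(case["id"])

    parent = {case["id"]: case["id"] for case in cases}  # union-find over case ids

    def find(cid):
        while parent[cid] != cid:
            parent[cid] = parent[parent[cid]]
            cid = parent[cid]
        return cid

    for ids in index.values():
        first, *rest = sorted(ids)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(lambda: {"cases": set(), "links": set()})
    for cid in parent:
        clusters[find(cid)]["cases"].add(cid)
    for key, ids in index.items():
        if len(ids) > 1:  # a key held by a single case links nothing
            clusters[find(next(iter(ids)))]["links"].add(key)

    return sorted(
        ({"cases": sorted(c["cases"]), "links": sorted(c["links"])} for c in clusters.values()),
        key=lambda c: (-len(c["cases"]), c["cases"][0]),
    )


if __name__ == "__main__":
    for cluster in correlate_cases(SAMPLE_CASES):
        print(cluster)
```

Run against the sample, the three firewall cases collapse into one cluster linked by the shared domain and the 203.0.113.0/24 range, while the phishing case stays on its own. The range heuristic is deliberately a knob: on shared hosting or behind carrier-grade NAT a /24 will over-link unrelated cases, so `ip_prefix=32` (exact match) is the safer default and a wider prefix is something an analyst opts into for a known scanning range.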
TheHive also supports integration with MITRE ATT&CK, a widely used framework for classifying adversary tactics and techniques. Mapping the FortiGate attacks to ATT&CK categories would have improved both analysis and reporting. Analysts could identify whether attackers were engaging in credential access, persistence, lateral movement, or privilege escalation. This structured approach improves communication between technical responders, management teams, and external organisations.
In addition, TheHive integrates with threat intelligence sharing platforms such as MISP. During global campaigns, intelligence sharing is essential. If one organisation identifies malicious infrastructure or novel attacker behaviour, other organisations can use that information to strengthen their defences. The FortiGate campaign demonstrated how rapidly attacks can spread when organisations operate in isolation. A shared intelligence ecosystem could have significantly reduced attacker effectiveness.
Positioning TheHive Positively
However, simply deploying TheHive is not enough. Many organisations fail because they treat incident response platforms as passive repositories rather than active operational systems. To avoid repeating the mistakes seen during the FortiGate campaigns, organisations must apply TheHive properly within a mature security workflow.
The first requirement is integration. TheHive should not exist separately from the wider SOC environment. It must integrate with SIEM systems, EDR platforms, firewall telemetry, identity providers, and threat intelligence feeds. If analysts must manually transfer data into TheHive, the platform loses much of its operational value. Automation pipelines are essential because AI-driven attacks operate too quickly for entirely manual processes.
Second, organisations must establish clear incident response playbooks. One of the major problems during the FortiGate campaigns was inconsistent response behaviour. Different analysts handled similar incidents differently, creating confusion and delays. TheHive supports task templates and workflow orchestration, allowing organisations to standardise their response procedures. For example, any alert involving suspicious FortiGate authentication activity could automatically trigger a predefined investigation workflow including credential review, IOC enrichment, log preservation, and device isolation procedures.
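What a standardised playbook looks like when it is enforced rather than merely written down, as an added Python example (written for this post; TheHive's own case templates are configured in its UI, and this mirrors their behaviour in code rather than reproducing the feature): the template for the FortiGate authentication alert type carries the four steps named above, each marked mandatory or not and with prerequisites, and the case cannot be closed while a mandatory task is open, nor can a containment step be taken before triage has finished. The template structure, the task status names and the constructed alert are assumptions.

```python
# Constructed case templates, one per alert type. Each task records whether
# closing the case requires it and which tasks must finish before it starts.
# The task titles are the steps named in the text; the structure is the author's.
CASE_TEMPLATES = {
    "fortigate-admin-bruteforce": {
        "title_prefix": "[FortiGate auth] ",
        "tasks": [
            {"group": "triage", "title": "Credential review", "mandatory": True, "requires": []},
            {"group": "triage", "title": "IOC enrichment", "mandatory": True, "requires": []},
            {"group": "evidence", "title": "Log preservation", "mandatory": True, "requires": []},
            {"group": "containment", "title": "Device isolation", "mandatory": False,
             "requires": ["Credential review", "IOC enrichment"]},
        ],
    },
}


def open_case(alert, templates=CASE_TEMPLATES):
    """Promote an alert to a case using the template for its type. An alert type
    with no template is refused rather than opened ad hoc, so every responder
    works from the same checklist. Task status values (Waiting/Completed) mirror
    the names TheHive uses, as the author understands them."""
    template = templates.get(alert["type"])
    if template is None:
        raise KeyError(f"no case template for alert type {alert['type']!r}")
    return {
        "title": template["title_prefix"] + alert["title"],
        "severity": alert["severity"],
        "tags": list(alert.get("tags", [])),
        "observables": list(alert.get("observables", [])),
        "tasks": [{**task, "status": "Waiting"} for task in template["tasks"]],
    }


def complete_task(case, title):
    """Mark a task completed, refusing to skip ahead of its prerequisites."""
    tasks = {t["title"]: t for t in case["tasks"]}
    if title not in tasks:
        raise KeyError(f"task {title!r} not in case")
    blocked = [r for r in tasks[title]["requires"] if tasks[r]["status"] != "Completed"]
    if blocked:
        raise ValueError(f"{title!r} requires {blocked} to be completed first")
    tasks[title]["status"] = "Completed"
    return case


def can_close(case):
    """A case closes only when every mandatory task is done; the outstanding
    mandatory tasks are returned so the blocker is visible to the analyst."""
    outstanding = [t["title"] for t in case["tasks"]
                   if t["mandatory"] and t["status"] != "Completed"]
    return not outstanding, outstanding


if __name__ == "__main__":
    # constructed alert in the shape an ingestion pipeline would hand over
    alert = {"type": "fortigate-admin-bruteforce", "severity": 2,
             "title": "4 failed admin logins on FGT-EDGE-01 from 203.0.113.45",
             "tags": ["fortigate", "attack.T1110"],
             "observables": [{"dataType": "ip", "data": "203.0.113.45"}]}
    case = open_case(alert)
    for step in ("Credential review", "IOC enrichment", "Log preservation"):
        complete_task(case, step)
    print(case["title"], can_close(case))
```

The two refusals are the substance. Rejecting an alert type with no template forces the playbook to exist before the first incident of that kind rather than being improvised under load, and blocking device isolation until credential review and enrichment are done prevents the reflex of cutting a firewall off before anyone has confirmed what was taken from it or preserved the logs that would show it.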
Third, organisations must prioritise observability and telemetry quality. TheHive depends on receiving useful data from surrounding systems. If firewall logs are incomplete, poorly configured, or not centralised, incident responders will struggle to reconstruct attacker behaviour. Modern cybersecurity increasingly depends on visibility rather than perimeter strength alone. Security teams need high-quality logging, centralised telemetry collection, and long-term retention policies to support meaningful investigations.
Fourth, organisations must train analysts to think in terms of campaigns rather than isolated alerts. AI-assisted attacks are often highly distributed and adaptive. Attackers may rotate infrastructure, vary payloads, or spread activity across many targets simultaneously. TheHive’s correlation features are most effective when analysts actively search for relationships between incidents. This requires a more intelligence-driven mindset than traditional reactive alert handling.
Fifth, organisations should use TheHive as part of a broader Zero Trust and identity-centric security strategy. The FortiGate attacks often succeeded because exposed management interfaces and weak credentials created unnecessary attack surfaces. Incident response alone cannot compensate for weak preventative controls. Strong MFA policies, restricted administrative exposure, network segmentation, and continuous identity monitoring remain essential. TheHive works best when combined with preventative security architecture rather than replacing it.
Finally, organisations must recognise that AI-driven attacks represent a structural change in cybersecurity rather than a temporary trend. Traditional incident response models assumed that attackers operated at roughly human speed. AI fundamentally changes this assumption. Threat actors can now automate reconnaissance, generate phishing content instantly, and adapt intrusion workflows dynamically. Defensive operations must therefore become more automated, collaborative, and intelligence-driven.
Transition in the Age of AI
Platforms such as TheHive represent part of this transition. They shift security operations away from fragmented alert handling and toward coordinated investigation ecosystems. This does not eliminate the threat of AI-assisted attacks, but it significantly improves organisational resilience. The key lesson from the FortiGate campaigns is not merely that attackers used AI. It is that many organisations were operationally unprepared for attacks occurring at AI scale.
The FortiGate intrusion campaigns demonstrated how artificial intelligence is transforming cybercrime from a specialist activity into a scalable industrial process. Attackers used AI to accelerate reconnaissance, automate exploitation workflows, and manage large-scale intrusion operations with relatively limited human expertise. The resulting overload exposed major weaknesses in incident response coordination, alert correlation, and intelligence sharing. TheHive could have mitigated many of these problems by centralising investigation workflows, automating enrichment, correlating observables, and supporting collaborative incident response. However, effective use of TheHive requires more than simple deployment. Organisations must integrate it deeply into their SOC infrastructure, standardise workflows, improve telemetry quality, and adopt a campaign-oriented security mindset. As AI-assisted cyberattacks continue to evolve, the organisations that succeed will not necessarily be those with the largest number of security tools, but those capable of coordinating intelligence, automation, and human expertise into a unified defensive system.
Further reading
TheHive Project Overview (StrangeBee): Official overview of TheHive platform, including its incident response workflows, collaboration model, and integration capabilities for SOC and CSIRT environments.
CSO Online – Russian Group Uses AI to Exploit Weakly Protected Fortinet Firewalls: A journalistic breakdown of the FortiGate intrusion campaign, explaining how attackers combined AI-assisted workflows with exposed infrastructure and weak credential practices.
AWS Security Blog – AI-Augmented Threat Actor Accesses FortiGate Devices at Scale: Detailed technical commentary and timeline analysis of the attack campaign, including reconnaissance, exploitation methods, and attacker operational patterns.
TheHive Case Management Platform Features: Detailed explanation of TheHive’s case correlation, workflow automation, observables management, and collaborative incident response features.
See Also
This post is our fourth entry in our ongoing series around various open-source tools that we think you should take a look at. You can find the others here:
#241: How Open-Source Cybersecurity Tools Could Have Helped Prevent the Kido International Cyberattack
#242: Using Wazuh, Learning from 2025
#243: Suricata in Modern Network Defence