
2026 Global Threat Landscape Report

Information Technology 2026-05-12 Fortinet (防特网) 一抹朝阳

Insights from FortiGuard Labs
2026 Global Threat Landscape Report

A Report by FortiGuard Labs
Arturo Torres: Director, FortiGuard LATAM
Douglas Santos: Director, Advanced Threat Intelligence
Derek Manky: VP, Global Threat Intelligence

Collaborators
Mark Robson: Principal Threat Analyst (IR Team)
Ankit Chauhan: Lead Cyberthreat Intelligence Analyst R&D (FortiRecon Team)
Christopher Hall: Principal Cloud Security Researcher (FortiCNAPP Team)
Vijay Dontharaju: Director, Security Engineering (FortiNDR Cloud Team)
Motti Elloul: Director of Product Management & Incident Response, FortiMail Workspace Security

Table of Contents

■ Foreword
■ About This Report
    2026 Global Threat Landscape Report
    Audience and Objectives
    Methodology and Telemetry Sources
■ The FortiGuard SecOps Kill Chain Framework
■ Prevention through Disruption: Breaking the Industrial Cybercrime Supply Chain
■ Executive Summary
■ Executive Synthesis: Industrialized Cybercrime at Machine Speed
■ Exposure as an Industrial Input: How Cybercrime Industrializes Opportunity
    Darknet Landscape: Exposure Already Harvested (FortiRecon Intelligence)
■ Weaponization: Industrialized Preparation and Adversary Enablement
    Vulnerability Commoditization: Exploits as Stock, Not Events
    Exploit Readiness vs. Exploit Novelty
    Packaging, Reuse, and Automation
■ Exploitation: Intrusion at Scale—The Industrialization of Execution
    IPS Intelligence, FortiEDR / MDR Intelligence, FortiRecon Intelligence
    Time-to-Exploit (TTE) and Automation
    Critical Outbreak Patterns and Rapid Weaponization
■ Post-Exploitation: When Cybercrime Takes Control at Machine Speed
    Botnet C2, Living-off-the-Land, and Native Tooling
    Sustaining Control at Scale
■ Industrialized Cloud Intrusions: Identity, Automation, and Control at Machine Speed
    Cloud Control Plane Abuse
    Identity as the Control Plane
    Regional and Sectoral Observations
    API Abuse, Resource Hijacking, and Monetization Patterns
■ Impact: How Industrialized Cybercrime Converts Capability into Damage (FortiRecon Intelligence)
    Victim Volume and Economic Optimization
    Cross-Threat Convergence (Ransomware, APT, Mass Exploitation)
    SOC, DFIR, and CISO Decision Frameworks
■ Conclusion: Restoring Defender Advantage in an Industrial Threat Era
■ About the Fortinet Threat Landscape Report
■ About FortiGuard Labs
■ About Fortinet

2026 Global Threat Landscape Report

This report is derived exclusively from FortiGuard Labs threat intelligence, leveraging telemetry from millions of sensors deployed worldwide since 2002. It covers data gathered in 2025 (or the most recent 12-month window available per dataset) across multiple security domains and vectors of compromise. Each insight includes a Source Tag that indicates the telemetry origin and is mapped to MITRE ATT&CK to ensure a defensible, repeatable analytical baseline. Findings and recommendations are prioritized by probability and prevalence in observed activity, with a direct focus on detection, response, and automation outcomes for SOC, DFIR, and CISO audiences.

In 2026, the threat landscape cannot be accurately described through isolated indicators or single-domain trends. Adversaries operate across an end-to-end lifecycle that begins well before intrusion through exposure discovery, access brokerage, and industrialized preparation, and continues through exploitation, persistence, monetization, and operational impact.

To reflect this reality, the 2026 Global Threat Landscape Report introduces the FortiGuard SecOps Kill Chain, a telemetry-driven model built on a foundational advantage. Fortinet delivers SecOps technologies across the attack lifecycle, generating real-world visibility across multiple vectors of compromise. This unified, multi-domain telemetry enables a defensible threat narrative grounded in evidence. The framework provides a consistent analytical structure anchored in MITRE ATT&CK as a common language, while translating telemetry into decisions aligned with continuous threat exposure management (CTEM).

FortiGuard Security Operations (SecOps) chain phases and how to read them

The model describes threat activity across six repeatable stages:

This structure provides a consistent method for correlating telemetry across domains and ensures that each insight can be mapped to ATT&CK techniques, validated with evidence, and operationalized through SecOps workflows.

Introducing FortiGuard SecOps action boxes

To ensure the report delivers operational outcomes, not just insight, every phase of the FortiGuard SecOps Kill Chain is anchored by a standardized FortiGuard SecOps action box. The action box is the primary execution artifact of the report and represents the point where telemetry-driven intelligence is converted into concrete, role-specific action.

The action box is intentionally visual, modular, and reusable. It is designed to be consumed independently of the surrounding narrative and to be directly repurposed into:

■ SOC playbooks
■ DFIR investigation checklists
■ CISO briefings and CTEM planning

To reduce repetition