According to the 2025 Global Threat Landscape Report from FortiGuard, threat actors are executing 36,000 scans per second.
# Industry News: Surge in Automated Scanning Signals Rising Threat Sophistication
## Summary
Global automated scanning activity increased by 16.7% in 2024, reaching approximately 36,000 scans per second and targeting critical infrastructure services like SIP, RDP, and IoT protocols. This trend, fueled by the convergence of AI and Cybercrime-as-a-Service (CaaS), is accelerating the speed and success of cyberattacks, and it is accompanied by a significant rise in the availability of compromised credentials on darknet markets.
## Key Details
- Date: Reported in the 2025 Global Threat Landscape Report (announcement date April 28, 2025, based on the article date).
- Companies Involved: FortiGuard Labs (authors of the report), Mimoto (CEO quoted).
- Category: Threat Landscape Analysis / Trend Observation.
## The Story
FortiGuard Labs' 2025 report highlights a substantial increase in automated reconnaissance efforts across the internet, showing a 16.7% year-over-year growth in scanning activity. Attackers are utilizing sophisticated automation to probe for weaknesses in services like Session Initiation Protocol (SIP), Remote Desktop Protocol (RDP), and industrial controls (Modbus TCP). This increased activity coincides with a 39% surge in new vulnerabilities cataloged by the NVD (over 40,000 added last year) and a massive influx of stolen credentials (1.7 billion records shared online), often facilitated by initial access brokers who sell access packages through darknet forums. Experts attribute this scaling capability directly to the proliferation of AI-driven tools and the CaaS economy.
## Business Impact
### For the Companies Involved
- **FortiGuard Labs:** Reinforces their position as a leading threat intelligence authority, driving demand for their research and related security solutions.
- **Mimoto:** Provides context for executive commentary, stressing the need to address speed and sophistication in threat vectors.
### For Competitors
- Other security vendors will need to validate or contrast these findings, potentially accelerating their own development cycles for detection and response tools capable of handling higher volumes of automated enumeration.
### For Customers
- Organizations face a significantly higher baseline of automated probing, meaning their external-facing assets are under near-constant assault. Progress in reducing attacker "dwell time" is now threatened by the increased speed of initial reconnaissance.
### For the Market
- The data suggests that the "attack surface hardening" market segment (vulnerability management, asset discovery, and continuous monitoring) will see increased investment as organizations try to shrink the window exploited by these rapid scans.
## Technical Implications
The report explicitly calls out increased targeting of foundational protocols (SIP, RDP) and Operational Technology (OT) protocols (Modbus TCP), indicating that threat actors are broadening their scope beyond standard web application exploits. Furthermore, the 500% rise in infostealer malware logs confirms that effective credential harvesting remains a primary vector supporting these scanning efforts.
## Strategic Analysis
- **Market Positioning:** The threat landscape is shifting from human-driven targeted attacks to high-volume, low-cost, automated persistent attack preparation. Security vendors positioned on proactive defense and automated triage will gain market leverage.
- **Competitive Advantage:** Companies that can demonstrate superior correlation between automated scanning detection and immediate, automated mitigation hold a clear advantage.
- **Challenges:** The sheer volume and diversity of targets (from web servers to IoT devices) increase the complexity of maintaining comprehensive security visibility and posture management for defenders.
## Industry Reactions
- **Analyst opinions:** Analysts are likely to view this as confirmation of the "industrialization" of cybercrime, where easily accessible tools lower the barrier to entry for sophisticated, high-volume reconnaissance.
- **Expert commentary:** Expect emphasis on the immediate need for strong, non-guessable credentials and robust network segmentation, especially for operational technology environments now explicitly targeted.
- **Market response:** Increased focus on automated patch management, network access control, and continuous vulnerability assessment prioritization tools.
## Future Outlook
- We can expect automated scanning activity to continue its upward trajectory, likely becoming more specialized (e.g., tailored botnets focusing only on Modbus). Threat intelligence reporting will increasingly need to focus on the *quality* of automated reconnaissance rather than just the volume.
## For Security Professionals
Security teams must urgently review their external-facing assets for known vulnerabilities and ensure strict access controls (MFA, least privilege) are in place for RDP and critical OT gateways. Prioritizing security tools that can filter out and rapidly respond to massive volumes of automated probes is now crucial for effective resource allocation.