FortiAI Explained — Sub-modules, Capabilities, and India Use Cases (2026)
FortiAI is Fortinet's generative-AI augmentation layer for the Security Fabric. At Accelerate 2026 in March 2026, Fortinet expanded FortiAI from a single product code into a family of four sub-modules — Operator, Analyst, Manager, and Cloud — that embed across the existing Fabric rather than sitting alongside it as a separate console. For Indian buyers, the practical question is what each sub-module does, where it lands inside an existing FortiGate / FortiSIEM / FortiAnalyzer estate, how the token-based consumption model works, and where FortiAI is genuinely production-ready versus where Fortinet has flagged H2 2026 as the maturity date.
Sub-modules: 4 (Operator · Analyst · Manager · Cloud)
Licence model: Tokens (annual pool, top-up available)
Where it lives: Embedded (inside FortiSIEM / SOAR / Analyzer / Manager)
India region: H2 2026 (sovereign-cloud inference path)
This guide answers each of those questions in turn. It is written for security architects, SOC leads, and procurement teams in India who are deciding whether to add FortiAI to their FY26 budget or wait a cycle for the roadmap items to harden.
What FortiAI actually is
Across the Fortinet portfolio, AI capability has historically meant two distinct things. The first is the inference-driven security analytics that have run inside FortiGuard, FortiSandbox, FortiNDR, and FortiSIEM for years — machine-learning classifiers for malware, anomaly detection on network telemetry, UEBA scoring on identity events. That work continues and is not what FortiAI refers to.
FortiAI is the generative-AI augmentation layer — large-language-model–driven natural-language assistance built into the management and analyst experience of the Fabric products. Instead of an analyst writing a search query to FortiSIEM, the analyst asks a question in English and the layer translates intent into the underlying query, returns the answer, and offers a follow-up. Instead of a SOAR playbook author writing YAML, the author describes the desired flow in natural language and FortiAI drafts the playbook for review. Instead of a FortiManager administrator clicking through twelve panes to apply a policy across a hundred FortiGates, the administrator describes the policy in a sentence and FortiAI proposes the configuration delta for approval.
The augmentation pattern matters more than the technology underneath. Fortinet has been deliberate that FortiAI is not a separate console — there is no dedicated “FortiAI portal” that an analyst logs into. Instead, the capabilities surface where the analyst is already working: inside FortiAnalyzer, inside FortiSIEM, inside FortiSOAR, inside FortiManager. Adoption friction stays low because the workflow does not change.
The four sub-modules
Accelerate 2026 introduced the family naming that buyers should now plan around. The four sub-modules are distinct in scope and licensing but share the underlying GenAI infrastructure.
FortiAI Operator
Auto-orchestration · SOAR-side automation
When a high-severity alert fires, Operator can propose the response playbook, draft the containment steps, suggest the firewall rule change or the EDR isolation command, and present the plan to the analyst for approval. In high-trust environments, Operator can execute approved playbook patterns autonomously and surface the outcome for review.
FortiAI Analyst
SOC analyst augmentation · L1 → L2 amplification
When an L1 analyst opens an incident in FortiAnalyzer or FortiSIEM, Analyst produces a one-paragraph summary of what happened, proposes the next investigation step, suggests related events the analyst should pull, and drafts the customer-facing incident notification once the investigation closes.
FortiAI Manager
Natural-language Fabric administration
An administrator describes a desired policy in English (“block outbound RDP from the contractor VLAN to the internet, allow it inside the data centre, log everything”) and Manager produces the FortiGate policy stanza, identifies which firewalls in the FortiManager ADOM need it applied, and surfaces the change for review.
FortiAI Cloud
SaaS-delivered AI for cloud-first orgs
FortiAI Cloud is the SaaS-delivered FortiAI experience for organisations that don't run the heavier on-premises Fabric components. It surfaces a subset of the Operator and Analyst capabilities through Fortinet's cloud-delivered consoles — FortiSASE, FortiSandbox Cloud, FortiCASB — and works for customers whose Fabric footprint is primarily cloud-resident.
Where FortiAI embeds across the Fabric
The product-by-product picture of what FortiAI adds is more useful than the sub-module abstraction once an architect is ready to design. Current state across the major Fabric products:
Five concrete use cases
Use cases are easier to evaluate than abstract capabilities. The five FortiAI applications that buyers in India most consistently ask about:
Natural-language SOC queries
An L2 analyst on a 24×7 shift needs to investigate a FortiGate IPS alert for SMB lateral movement. Instead of writing a multi-line query in the FortiSIEM search syntax, the analyst types “show me all SMB and RDP activity from the source IP in the last six hours, grouped by destination and user”. FortiAI translates, returns the result, offers a follow-up pivot.
Incident auto-summarisation
A critical incident escalates from L1 to L3 mid-investigation. Instead of the L1 analyst writing a five-paragraph summary of what they have done so far, FortiAI generates the summary from the events the L1 has worked on inside FortiSIEM. The L3 analyst arrives with context and the L1 returns to the queue.
SOAR playbook auto-drafting
A new attack pattern emerges — phishing emails with attached HTML smuggling for credential theft, observed across three customers in two weeks. Instead of an analyst hand-writing the FortiSOAR playbook (extract URL → sandbox detonate → IOC enrichment → mailbox sweep → reset accounts → notify users), FortiAI Operator drafts the playbook from a sentence-level description.
Threat-hunting assist
A threat-hunting team wants to investigate whether a recent CVE for a specific Cisco SD-WAN appliance affects any connected partners. FortiAI surfaces the relevant Fabric data sources, drafts the hunt query across FortiSIEM and FortiNDR, suggests hypothesis-confirming follow-up queries.
Compliance-report drafting
An Indian BFSI customer needs the quarterly RBI Cyber Security Framework audit evidence pack — control-by-control mapping of FortiGate, FortiSIEM, and FortiAnalyzer evidence to the RBI control catalogue. FortiAI drafts the pack from underlying data, the compliance team reviews and tunes.
The Indian SOC analyst-shortage problem
Structural, not cyclical
L1 is recruitable. L2 and L3 are scarce, expensive, and aggressively poached.
Indian SOC operations have a hiring problem that is structural rather than cyclical. L1 analysts are recruitable at scale from tier-2 engineering colleges. L2 and L3 analysts — the people who can actually investigate and remediate — are scarce, expensive, and aggressively poached. The shortage is most acute in tier-2 and tier-3 cities. Result: most Indian SOCs run thin at L2 and L3, accept long mean-time-to-investigate on lower-priority alerts, and frequently outsource the L2/L3 layer to an MSSP at premium rates.
FortiAI Analyst lands in this gap directly. The mechanism is not replacement — it is amplification. An L1 analyst with FortiAI Analyst can do work that previously required L2 escalation: pulling the right context, drafting the investigation narrative, suggesting the next pivot. The L2 analyst becomes a reviewer rather than a re-doer, and the throughput per L2 head goes up materially. The L3 analyst spends more time on genuinely complex incidents and less time triaging things an L1 could have closed with better tooling.
Token-based licensing explained
How the consumption model actually works
FortiAI licensing is token-consumption based rather than seat-based or perpetual. For Indian buyers accustomed to per-firewall licensing (FortiGate) or per-user licensing (FortiClient EMS), the consumption model takes a moment to internalise.
The core concept: every FortiAI interaction consumes a quantum of tokens. A natural-language query against FortiSIEM consumes tokens. A drafted SOAR playbook consumes tokens. A summarised incident consumes tokens. The Fortinet platform tracks consumption and surfaces it inside FortiCare for the licence administrator.
Customers purchase token packs in advance — typically annual subscriptions sized to expected consumption, with the option to top up if consumption runs hotter than forecast. Token packs are pooled across the Fabric products the customer runs FortiAI on. The pool can be scoped to ADOM or business unit for chargeback inside large groups.
What drives consumption in practice:
Natural-language queries
A typical SOC at moderate alert load sees query-driven consumption in the low single-digit percentage of the annual pool.
Incident summarisations
Each major incident summarised costs more than a query, but the count is bounded by actual incident volume.
Playbook drafts
Heavy when authoring is active, near-zero once a playbook is in production. Bursts are project-shaped.
Log analysis at scale
The heaviest consumer if turned on. Auto-summarising every alert at high volumes runs a pool down quickly, so the default tuning leaves this off.
The sizing exercise is therefore a workload-modelling exercise — query count per analyst per shift, expected incident count per quarter, playbook authoring cadence, and the policy choice on whether to auto-summarise everything or only critical-severity events. Ogma sizes pools based on observed usage from comparable Indian deployments rather than vendor-listed averages, which tend to be optimistic.
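As an added illustration of that sizing exercise (not Fortinet's or Ogma's own sizing tool), the model below annualises the four consumption drivers per pool scope, applies the auto-summarise policy choice, and checks a pooled annual pack against the result with headroom. All per-interaction token costs, the pool size and the sample workloads are constructed placeholders, since the page gives no per-interaction figures.

```python
"""Token-pool sizing model for FortiAI consumption (added illustration, not
Fortinet or Ogma tooling). Every token cost, pool size and workload figure is
a CONSTRUCTED placeholder showing the shape of the exercise, not a list figure."""
from dataclasses import dataclass
# Assumed relative token cost per interaction type (placeholders).
TOKENS_PER_QUERY = 1
TOKENS_PER_INCIDENT_SUMMARY = 10
TOKENS_PER_PLAYBOOK_DRAFT = 40
TOKENS_PER_ALERT_SUMMARY = 3

@dataclass
class Workload:
    """One pool scope (an ADOM or business unit) for chargeback."""
    name: str
    analysts_per_shift: int
    queries_per_analyst_per_shift: int
    shifts_per_day: int            # 3 for a 24x7 rota
    incidents_per_quarter: int
    playbook_drafts_per_year: int  # project-shaped authoring bursts
    alerts_per_day: int
    critical_share: float          # fraction of alerts at critical severity

def annual_tokens(w: Workload, auto_summarise_all: bool) -> dict:
    """Annual consumption for one scope, broken down by driver."""
    queries = w.analysts_per_shift * w.queries_per_analyst_per_shift * w.shifts_per_day * 365
    alerts = w.alerts_per_day * 365
    # Policy choice: summarise every alert, or only critical-severity ones.
    summarised = alerts if auto_summarise_all else round(alerts * w.critical_share)
    breakdown = {
        "queries": queries * TOKENS_PER_QUERY,
        "incident_summaries": w.incidents_per_quarter * 4 * TOKENS_PER_INCIDENT_SUMMARY,
        "playbook_drafts": w.playbook_drafts_per_year * TOKENS_PER_PLAYBOOK_DRAFT,
        "alert_summaries": summarised * TOKENS_PER_ALERT_SUMMARY,
    }
    breakdown["total"] = sum(breakdown.values())
    return breakdown

def size_pool(scopes, pool_tokens: int, auto_summarise_all: bool, headroom: float = 0.2) -> dict:
    """Check whether one pooled annual pack covers all scopes with headroom."""
    per_scope = {s.name: annual_tokens(s, auto_summarise_all)["total"] for s in scopes}
    demand = sum(per_scope.values())
    required = round(demand * (1 + headroom))
    return {"per_scope": per_scope, "demand": demand,
            "fits": required <= pool_tokens,
            "top_up_needed": max(0, required - pool_tokens)}

# Constructed sample: two chargeback scopes inside one group, one annual pack.
SAMPLE_SCOPES = [Workload("bfsi-bu", 4, 20, 3, 30, 25, 2000, 0.02),
                 Workload("shared-it", 2, 10, 3, 8, 5, 500, 0.05)]
SAMPLE_POOL = 250_000
if __name__ == "__main__":
    for policy in (False, True):
        r = size_pool(SAMPLE_SCOPES, SAMPLE_POOL, auto_summarise_all=policy)
        print(f"auto_summarise_all={policy}: demand={r['demand']} fits={r['fits']} top_up={r['top_up_needed']}")
```

With the constructed figures, critical-only summarisation fits the pack with headroom while auto-summarising every alert exceeds it by more than an order of magnitude, which is the trap the driver list above describes.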
Term lengths are typically annual, with 3-year commitments offering material discount. Renewal pricing depends on consumption history — pools that ran light renew at the same tier, pools that hit the ceiling step up to the next tier. There is no per-user incremental cost; an Indian customer can let every analyst on the SOC roster use the platform freely as long as the pool covers the activity.
Four sectoral fits
RBI CSF audit acceleration
Indian banks and NBFCs spend hundreds of analyst-hours per quarter on RBI Cyber Security Framework evidence preparation, RBI Master Direction compliance, and related audit cycles. FortiAI Analyst inside FortiSIEM and FortiAnalyzer drafts the evidence packs from underlying data, with the compliance team reviewing rather than authoring. This accelerates the IS Audit, the RBI on-site inspection prep, and cyber-incident reporting under the RBI 2-6-24 hour rule.
DPDPA Significant-Data-Fiduciary evidence drafting
Indian healthcare groups operating at SDF scale face an evidence-drafting burden under the DPDPA framework heavier per-incident than other sectors. FortiAI drafts the breach-notification narrative, the affected-party list extract, and the regulator-facing evidence pack from underlying data inside FortiSIEM and FortiAnalyzer.
IT/OT log triage at scale
Indian manufacturing groups running OT networks alongside the corporate IT stack frequently struggle with FortiNDR alert volume — OT environments generate enormous flow volumes and most flows are benign-but-unusual to a generic anomaly detector. FortiAI explains why a particular flow was scored anomalous, surfaces the context (recent OT firmware update, scheduled maintenance window, expected protocol behaviour), and lets the L1 analyst close benign alerts without escalating.
Multi-tenant SOC operations
Indian IT-services and managed-SOC providers running multi-tenant FortiSIEM and FortiSOAR instances see FortiAI as a margin lever: the same customer-facing service level with fewer L2/L3 heads required to deliver it. Token pools are scoped per tenant for chargeback into customer pricing, and the MSSP retains the platform-margin advantage on overall efficiency.
Data sovereignty and privacy posture
DPDPA-Significant-Data-Fiduciary considerations
Where FortiAI processes data matters as much as what it processes
The current Fortinet architecture is that FortiAI inference runs in regional Fortinet cloud infrastructure. For Indian customers, the primary regional inference path is the Asia-Pacific region. Data sent to FortiAI for inference (the query, the alert context, the relevant log snippets) is processed for the inference call and not retained beyond the immediate session, per Fortinet's public data-handling policy.
What stays inside the customer's Fabric: the underlying logs, the full event history, the customer's configuration. FortiAI does not exfiltrate the bulk dataset — only the context required for the specific question.
For customers with stricter data-residency mandates (defence contractors, parts of the BFSI sector, certain government-adjacent customers), Fortinet's public roadmap includes an India-region inference path with H2 2026 as the indicated availability. Until that is GA, customers with strict India-only data processing requirements should evaluate FortiAI in a scoped pilot rather than full production.
Where FortiAI is not yet a fit
Several customer profiles should defer FortiAI adoption or scope it narrowly rather than treat it as default 2026 procurement.
Sub-hundred-endpoint shops
The token-pool minimums make FortiAI uneconomic at very small scale. A Fortinet-customer organisation with a single FortiGate, fewer than a hundred endpoints, and no FortiSIEM or FortiSOAR will not see ROI on FortiAI in the current packaging.
Non-Fortinet Fabric customers
FortiAI is not a stand-alone AI-SOC product. Customers running CrowdStrike Falcon for endpoint, Microsoft Sentinel for SIEM, and FortiGate only for perimeter will not get the Analyst or Operator value because the data those sub-modules operate on does not reach FortiAI. Add the Fabric components first or use a different AI-SOC product.
Sovereign-cloud-only customers
Until the India-region inference path is GA, customers under strict sovereign-cloud mandates should not commit to FortiAI in production. Scope a pilot instead.
No FortiSIEM or FortiAnalyzer yet
FortiAI Analyst's value depends on the underlying SIEM and SOAR data. Customers running pure FortiGate-and-FortiClient stacks without the analytics layer should add FortiAnalyzer first and FortiAI second.
None of these are permanent disqualifications — Fortinet's public roadmap addresses several through H2 2026 — but a 2026 procurement decision needs to account for the current state, not the eventual state.
Roadmap — H2 2026 indications
Accelerate 2026 included a forward-looking section that buyers should treat as direction rather than commitment. The headlines Fortinet publicly indicated:
India-region inference path
Sovereign-cloud equivalent for Indian customers under data-residency mandates.
Deeper Operator autonomous execution
Expanded set of pre-approved playbook patterns the Operator sub-module can execute without per-incident analyst approval.
Cross-Fabric correlation in Analyst
Tighter cross-product context so an alert that spans FortiNDR, FortiEDR, and FortiDLP shows up as a single Analyst narrative rather than three separate ones.
Compliance-pack templates for Indian regulators
Out-of-box templates for RBI CSF, SEBI CSCRF, and DPDPA evidence drafting.
Manager expansion to FortiSwitch and FortiAP
Natural-language administration extended beyond FortiGate to the wider Fabric infrastructure surface.
The H2 2026 timeline is Fortinet's indication, not a commitment. Indian buyers should not commit budget against capabilities that have not yet shipped GA.
Procurement and delivery through Ogma
For Indian customers ready to add FortiAI to an existing or in-flight Fabric deployment, the engagement pattern through Ogma is consistent:
Sizing workshop
Map current Fabric footprint, model expected token consumption, pick the sub-modules in scope. Output: a sized token-pack quote and an implementation roadmap.
Token-pack procurement
Ogma quotes in INR with applicable GST and contracts directly with the Indian entity, so there is no FX exposure on annual renewal.
Embed across the existing Fabric
FortiAI lights up inside FortiSIEM, FortiSOAR, FortiAnalyzer, and FortiManager as the sub-modules are activated. No new console for analysts to learn.
Analyst workflow design
Two-week tuning cycle with the customer's SOC team to land the natural-language patterns, the auto-summarisation policy, and the playbook-drafting cadence.
Managed operations handover (optional)
Ongoing managed services optional — Ogma operates the platform with the customer's SOC team or runs the SOC end-to-end as an MSSP.
Pilot-to-production timeline is six to ten weeks for organisations with a mature Fabric. Greenfield customers — Fabric and FortiAI together — sit in a longer engagement that lands FortiSIEM and FortiAnalyzer first and FortiAI second.
Ready to scope FortiAI for your SOC?
Share your current Fabric footprint (FortiSIEM EPS, FortiSOAR playbook count, FortiAnalyzer ADOM count) plus your analyst-team shape, and Ogma returns a sized token-pack quote within two business hours. INR billing with applicable GST.