FortiDLP — Complete Feature Walkthrough + 12 Real-World Use Cases (2026)

Pawan Sharma  ·  Published 19 May 2026  ·  Data Protection  ·  22 min read

Fortinet's entry into the standalone data-loss-prevention market is, by acquisition, eighteen months old. The product — FortiDLP — is the rebranded version of the Next DLP technology Fortinet bought in August 2024 and integrated into the Security Fabric in October that year. The January 2026 data sheet is the third revision since launch, and the engineering story has moved fast: FortiAI augmentation, expanded SIEM connectors, Microsoft Purview label support, and (as of Accelerate 2026) a confirmed roadmap to roll FortiDLP into a future single-agent FortiEndpoint product alongside EDR, ZTNA, EPP, and SASE.

At a glance:

  • Architecture: SaaS + agent (Win / macOS / Linux desktop agent, on-agent ML)
  • Tiers: Core · Advanced · Managed, plus a Premium Hosting variant for KSA
  • Endpoint MOQ: 100 (practical floor ~150–200 for the economics)
  • Heritage: Next DLP (acquired Aug 2024, IRM heritage intact)

For Indian buyers — particularly in BFSI, healthcare, manufacturing, and software companies — FortiDLP is the first time Fortinet has shipped a serious, behaviour-first, endpoint-resident DLP product. Procurement-side detail (tiers, SKUs, INR pricing) lives on the FortiDLP solution page.

Architecture — three components, one data model

The agent

Lightweight Win / macOS / Linux desktop agent. Inspects content at the point of access — file open, clipboard copy, USB write, print queue, browser upload, email compose. ML runs on the agent, so policies enforce regardless of network connectivity, raw data never leaves the endpoint, and decision latency is sub-millisecond.

The cloud console

SaaS-only management plane. Policies authored once propagate across all agents. Events arrive enriched (already classified, already tagged with Data Origin where relevant). Hosts the policy editor, incident queue, investigation timeline, case-management module, analytics, and cloud-drive connector configuration.

Cloud-drive connectors

Separate connectors into Microsoft 365 (OneDrive / SharePoint), Google Workspace (Drive), and Box tenants. Captures activity from unmanaged devices — a contractor signing into your SharePoint from a personal laptop is observed because the connector watches the cloud side. Closes the endpoint-only gap.

Inline DLP at the point of access

Real-time content inspection

Risk-adaptive policy actions, not binary block-or-allow

Real-time content inspection across web (browser uploads, browser-based webmail), email (Outlook), printers (every print job), clipboard (copy from sensitive doc → paste into ChatGPT), removable media (USB writes), and applications.

Legacy DLP gives binary block-or-allow. FortiDLP's policy action set is risk-adaptive, climbing from observation to lockout:

  1. Log only: observation mode, the default during the baseline period.
  2. Nudge the user: Slack, Teams, endpoint dialog or email message.
  3. Require justification: the user must type a business reason before proceeding.
  4. Block: hard prevention; the policy halts the action.
  5. Screen capture: automatic forensic screenshot for the case file.
  6. File copy: the Evidence Store captures the file involved.
  7. Kill process: terminate the offending application.
  8. Isolate endpoint: pull the device off the network except for management.
  9. Lock device: full lockout for highest-severity cases.

How this plays in practice: A clipboard copy from a "Confidential" document gets a nudge. The same content typed into ChatGPT triggers an inline block plus screen capture. A USB-write of a Workday-originated payroll file fires kill-process + endpoint-isolate + create-case in one chain. Each response is configurable per policy.

Data Origin and Data Lineage

Data Origin

Tag follows the file through manipulation

Legacy DLP classifies data on content — regex (credit-card pattern), exact-data-match, document fingerprinting. The moment content changes — a rename, a recompression, a screenshot, a re-encode — the classification breaks.

FortiDLP's Data Origin feature tags each file based on where it came from. Downloaded from Salesforce? Carries a "Salesforce" origin tag. Came from your M&A SharePoint site? Tagged accordingly. Came out of a source-code repository? Tagged accordingly. The tag stays with the file through manipulation.

Data Lineage

The audit trail that comes with the tag

For any file, an analyst sees: downloaded from Workday at 14:32, opened by user X, renamed from compensation_q3.xlsx to q3_notes.xlsx at 14:33, copied to USB device at 14:34, uploaded to personal Gmail attachment at 14:38. The whole journey on a single timeline.

Three operational consequences:

  1. Policies can be conditional on origin. "Block any Salesforce-originated file from going to a personal-email destination." No content patterns needed; the rule works on tag plus destination.
  2. Renames and re-encodes don't break enforcement. The classic exfil trick — rename customer_master.csv to recipe.txt and zip it — fails, because the origin tag travels with the file.
  3. Forensic investigation collapses from days to minutes. The "where did this file go" question resolves in a single-screen drill-down.
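The origin-tag idea above, together with the chained policy actions from the previous section, as an added illustrative example (not FortiDLP's code): the tag is keyed on file identity rather than name or content, derived artifacts such as a zip inherit it, and the policy rule matches on origin plus destination class. The destination classes, rule set and timestamps are constructed for the demo.

```python
# Illustrative origin-tag lineage tracker with an origin-conditional policy
# evaluator. Constructed for this article; it is not FortiDLP's implementation.
from dataclasses import dataclass, field

# Destination class an egress event can target (assumed for the demo)
PERSONAL = {"personal-gmail", "usb", "genai-prompt"}

@dataclass
class TrackedFile:
    origin: str                      # source system the content came from
    name: str
    history: list = field(default_factory=list)

def evaluate(origin, destination, policies):
    """First matching (origin, destination-class) rule wins; default is log-only."""
    for rule_origin, dest_class, actions in policies:
        if rule_origin in ("*", origin) and destination in dest_class:
            return list(actions)
    return ["log"]

class LineageTracker:
    def __init__(self):
        self.files = {}              # file identity -> TrackedFile

    def download(self, fid, name, source, ts):
        self.files[fid] = TrackedFile(origin=source, name=name)
        self.files[fid].history.append((ts, f"downloaded from {source}"))

    def rename(self, fid, new_name, ts):
        f = self.files[fid]          # tag is keyed on identity, so it survives
        f.history.append((ts, f"renamed {f.name} -> {new_name}"))
        f.name = new_name

    def derive(self, src_fid, new_fid, new_name, op, ts):
        """A zip, re-encode or screenshot of a tagged file inherits the tag."""
        src = self.files[src_fid]
        self.files[new_fid] = TrackedFile(origin=src.origin, name=new_name)
        self.files[new_fid].history.append((ts, f"{op} of {src.name}"))

    def egress(self, fid, destination, ts, policies):
        f = self.files[fid]
        actions = evaluate(f.origin, destination, policies)
        f.history.append((ts, f"sent to {destination} -> {'+'.join(actions)}"))
        return actions

# Constructed policy set mirroring the article's examples
POLICIES = [
    ("Workday", PERSONAL, ["kill_process", "isolate_endpoint", "create_case"]),
    ("Salesforce", PERSONAL, ["block", "screen_capture"]),
    ("*", PERSONAL, ["nudge"]),
]

def demo():
    """Replay the article's payroll-file scenario, including the zip-and-rename trick."""
    t = LineageTracker()
    t.download("f1", "compensation_q3.xlsx", "Workday", "14:32")
    t.rename("f1", "q3_notes.xlsx", "14:33")
    t.derive("f1", "f2", "recipe.zip", "zipped", "14:34")
    return {
        "usb": t.egress("f2", "usb", "14:34", POLICIES),      # zip still Workday-tagged
        "gmail": t.egress("f1", "personal-gmail", "14:38", POLICIES),
        "timeline": t.files["f1"].history,
    }
```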

Insider Risk Management with on-agent ML

Insider Risk Management gates to the Advanced tier and above. Three sub-features power it:

IRM #1 · Per-user baselining

ML runs per-user, not per-population

The agent runs an ML model that learns each individual user's normal behaviour pattern over time — which apps they use, what data they touch, what times they're active, what the typical egress volume looks like for them. The model is per-user, not per-population. An engineer with 50 GB of weekly code-repo downloads is baselined differently from the receptionist with 100 MB of email attachments.

IRM #2 · Novel-behaviour detection

Risk-scored signal when activity deviates from baseline

When a user's activity deviates from baseline — a sudden three-hour run of file downloads, a USB write at midnight when the user has never touched USB before, the first-ever upload to a personal cloud drive — FortiDLP fires a risk-scored signal. These aren't hard rules; they're statistical anomalies in the context of that specific user.

IRM #3 · Sequence Detection

Chains of actions describing an exfiltration campaign

FortiDLP looks for chains: Collection (volume of file access from a sensitive source) → Defence Evasion (renaming files, disabling logging, using personal browser) → Exfiltration (write to USB, upload to personal cloud, paste to GenAI). When the chain is present, even if no single step is obviously bad, FortiDLP scores the sequence as a high-priority incident.

Analyst impact: One investigation against the sequence rather than thousands of atomic alerts to triage.
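The Collection → Defence Evasion → Exfiltration chain, as an added detector run over a constructed event log (not FortiDLP's engine): a user is flagged only when a burst of sensitive reads is followed, in order and inside one window, by an evasion step and an exfiltration step, so a developer's isolated USB write produces no incident. The event taxonomy, burst threshold and 24-hour window are assumptions for the demo.

```python
# Illustrative Collection -> Defence Evasion -> Exfiltration chain detector run
# over a constructed per-user event log. Not FortiDLP's engine; the event
# taxonomy, burst threshold and window are assumptions for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

STAGE_OF = {                          # atomic event type -> chain stage
    "file_read_sensitive": "collection",
    "rename": "defence_evasion",
    "logging_disabled": "defence_evasion",
    "personal_browser": "defence_evasion",
    "usb_write": "exfiltration",
    "personal_cloud_upload": "exfiltration",
    "genai_paste": "exfiltration",
}
STAGE_ORDER = ["collection", "defence_evasion", "exfiltration"]
COLLECTION_MIN = 20                   # sensitive reads that make a collection burst
WINDOW = timedelta(hours=24)          # whole chain must fit in this window

def parse(line):
    """Log format (constructed): ISO-timestamp|user|event_type|detail."""
    ts, user, etype, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), user, etype, detail

def detect_sequences(lines):
    """Return {user: incident} for users showing all three stages in order."""
    events = defaultdict(list)
    for line in lines:
        ts, user, etype, detail = parse(line)
        if etype in STAGE_OF:
            events[user].append((ts, STAGE_OF[etype], etype, detail))
    incidents = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e[0])
        reads = [e[0] for e in evs if e[1] == "collection"]
        # a single read is noise; COLLECTION_MIN reads inside WINDOW is a burst
        starts = [reads[i] for i in range(len(reads) - COLLECTION_MIN + 1)
                  if reads[i + COLLECTION_MIN - 1] - reads[i] <= WINDOW]
        if not starts:
            continue
        start, cursor = starts[0], starts[0]
        chain = [("collection", f"{COLLECTION_MIN}+ sensitive reads")]
        for stage in STAGE_ORDER[1:]:   # later stages must follow in order
            nxt = next((e for e in evs
                        if e[1] == stage and cursor <= e[0] <= start + WINDOW), None)
            if nxt is None:
                break
            chain.append((stage, nxt[2]))
            cursor = nxt[0]
        if len(chain) == len(STAGE_ORDER):
            incidents[user] = {"priority": "high", "start": start, "chain": chain}
    return incidents

# Constructed sample: one relationship manager runs the full chain late at night;
# a developer reads one file and writes USB with no burst and no evasion step.
SAMPLE_LOG = [
    f"2026-04-14T22:{5 + i:02d}:00|rm_priya|file_read_sensitive|core-banking/cust_{i}.xlsx"
    for i in range(25)
] + [
    "2026-04-14T22:31:00|rm_priya|rename|customer_master.csv->recipe.txt",
    "2026-04-14T23:40:00|rm_priya|usb_write|recipe.zip",
    "2026-04-14T10:00:00|dev_arun|file_read_sensitive|repo/main.py",
    "2026-04-14T10:05:00|dev_arun|usb_write|main.py",
]
```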

MITRE Insider Threat TTP mapping

Mapped to MITRE Center for Threat-Informed Defense Insider Threat TTP Knowledge Base

Insider-threat-specific MITRE catalogue (not ATT&CK)

Every detection tags automatically to the MITRE Insider Threat TTP framework — the insider-threat-specific catalogue, not the more familiar MITRE ATT&CK (which is adversary-external). Covers behaviours like Credential Sharing, Data Hoarding, and Defence Evasion via Account Switching.

Analysts get tactic and technique context per alert, and the SOC builds playbooks against the MITRE library rather than against vendor-specific rule names. SOCs already using ATT&CK for adversary work get a sibling framework — same nomenclature, different threat class.

GenAI and shadow-AI controls

Discovery + real-time prompt inspection

Corporate-account vs personal-account differentiation

FortiDLP discovers AI and GenAI tools in use across the estate — ChatGPT, Gemini, Claude, Copilot, Perplexity, and roughly 40 others — and assigns each a risk score based on observed data flows. Per tool, policy options are log-only, nudge to a sanctioned alternative, require justification, or block.

Prompt-level inspection is the differentiator. When a user types content into a ChatGPT prompt, FortiDLP inspects what's being typed (and pasted, and uploaded) in real time. Sensitive data — Aadhaar, PAN, credit-card, source code, sensitivity-labeled documents — triggers the policy.

Same domain, different policy: FortiDLP distinguishes corporate-account from personal-account use of the same tool. ChatGPT-via-corporate-SSO can be sanctioned; ChatGPT-via-personal-Gmail can be blocked.

During a Microsoft 365 Copilot rollout, FortiDLP's endpoint-side prompt control pairs with Purview DSPM for AI, which covers the Microsoft side. FortiDLP observes what employees type into any GenAI tool; Purview DSPM observes what Copilot does inside the M365 tenant.

Risk-informed user education

Real-time nudge channels

Observation + nudge before hard-block

When FortiDLP detects risky behaviour, it delivers a real-time nudge — endpoint dialog, Slack DM, Teams DM, or email — naming the risk and pointing to the acceptable alternative. The user can acknowledge, justify, or proceed depending on policy.

Indian enterprises rarely start a DLP project with a hard-block posture. The political cost of locking sales spreadsheets in the first week of deployment is too high. Risk-informed education enables observation-plus-nudge mode initially, with hard blocks introduced only for high-confidence policy violations after weeks of baselining. Response telemetry — acknowledge, justify, or override — gives the security team measurable evidence of training effectiveness.

Cloud-drive integration — M365, Google, Box

Advanced tier and above

Native sensitivity-label support across all three

Three connectors gate to the Advanced tier and above. Each watches activity in the corresponding corporate cloud-drive tenant: uploads, downloads, sharing, label changes, and whether sensitivity labels are honoured. Activity from unmanaged devices is captured: full-time employees with FortiDLP agents on corporate laptops are covered by the endpoint side, while contractors, vendors, and personal-device users are covered by the cloud-drive side as soon as they log into the tenant.

Sensitivity-label support is native: Microsoft Purview labels, Google labels, and Box labels are all respected. A document classified "Highly Confidential" inside the Microsoft estate is enforced against without re-labelling.

Evidence Store and case management

Forensic captures + case file

SaaS Evidence Store or on-prem Evidence Store

Forensic captures — file copies, clipboard captures, GenAI prompt captures, screen captures — flow into the Evidence Store. Two deployment options:

  • SaaS Evidence Store (default) — captures live in Fortinet's cloud, encrypted at rest.
  • On-prem Evidence Store — captures live in your own S3-compatible object storage. Picks up the data-sovereignty crowd; popular with BFSI and government in India.

The case-management module ties evidence to incidents. Each high-risk incident becomes a case with a timeline, evidence artifacts, case notes, and an audit trail of analyst actions. FortiAI augmentation (separate token licence) auto-summarises the case, suggests root cause, and drafts the executive-summary section.

Compliance policy library

Out-of-the-box templates

Indian PII coverage including Aadhaar, PAN, CIN, GSTIN

Out-of-the-box templates ship for PCI DSS, HIPAA, ISO 27001, NIST CSF, GDPR, CCPA, plus the global PII / PHI / PCI pattern libraries. The library is updated centrally by Fortinet; tenants pick up updates automatically.

Indian PII coverage includes Aadhaar (12-digit with Verhoeff checksum), PAN (5-letter + 4-digit + 1-letter format), CIN, GSTIN, Indian credit-card formats, and Indian bank-account patterns. The DPDPA framework template was added in 2025. RBI CSF and SEBI CSCRF templates are partial; Ogma deployments supplement them with sector-specific tuning.

Fortinet Security Fabric integration

Native plumbing across the Fabric

SIEM, SOAR, messaging, cross-product

  • SIEM: native connectors for FortiSIEM, Splunk, and Microsoft Sentinel.
  • SOAR: FortiSOAR plus standard webhook patterns to third-party SOAR.
  • Messaging: Microsoft Teams and Slack.
  • Cross-product: FortiEDR endpoint actions can be triggered from FortiDLP detections via FortiSOAR playbooks.

Twelve deployment patterns — real Indian use cases

BFSI

Customer-data exfiltration in banking

Indian banks, NBFCs, and capital-markets entities under RBI Cyber Security Framework and SEBI CSCRF cannot let customer KYC data, account masters, or trading positions leak. The recurring pattern: a relationship-manager exports customer book to Excel "for analysis," then attaches it to personal Gmail "to work from home." Most legacy DLP fires nothing because the content technically belongs to a user with legitimate access.

FortiDLP config: Data Origin tags on core-banking exports → policy blocks any Salesforce / core-banking-origin file from leaving for a non-corporate email destination → Insider Risk Sequence Detection picks up the unusual-hour + unusual-volume + personal-domain-destination chain even when the file has been renamed.

Healthcare

PHI protection in hospitals + pharma

Hospitals, diagnostic chains, and pharma R&D under DPDPA-as-Significant-Data-Fiduciary controls. PHI in lab systems, EMRs, and pharma research repositories cannot flow to personal email or shadow AI.

FortiDLP config: Data Origin tags lab + pharma exports; Insider Risk Sequence Detection catches the "lab tech taking patient data home" pattern; Real-time content inspection blocks PHI uploads into ChatGPT prompts.

Manufacturing

IP and engineering-drawing protection

Engineering CAD files, BOMs, process documents. Most leakage happens at the engineer-resignation window — the engineer who's already signed with a competitor downloads the entire engineering folder in the last fortnight.

FortiDLP config: ML baselines each engineer's normal volume; when a sudden 5–10× spike in file access starts, the Sequence Detection engine fires before the laptop walks out the door.

Product Eng

Source-code protection for product companies

Engineering teams downloading from GitHub Enterprise or GitLab. Risk: push to personal GitHub, push to ChatGPT-as-code-assistant, write source to USB.

FortiDLP config: Tags repo downloads with Data Origin; policy blocks any repo-tagged file going to a non-corporate destination; Real-time content inspection on browser uploads catches paste-into-ChatGPT.

M365 Copilot

Microsoft 365 Copilot rollout

Companies rolling out Copilot need visibility into which data Copilot is touching and what users are typing into it.

FortiDLP config: GenAI inventory plus real-time prompt inspection sits alongside Microsoft Purview DSPM for AI. Purview observes Copilot inside the M365 tenant; FortiDLP observes the endpoint. Both correlate in the same Sentinel SOC.

M&A

M&A data-room hygiene

During M&A both buy-side and sell-side teams handle massively sensitive data inside a small window.

FortiDLP config: Data Lineage tracks each diligence document; Sequence Detection catches unusual exfiltration patterns; Case Management produces audit-ready forensics for post-close investigation. Indian PE / VC firms increasingly require this as a diligence-period control.

Government / PSU

Sovereign-data control

CERT-In's 180-day log-retention requirement is the floor; many PSUs need year-plus retention for audit.

FortiDLP config: 1-year incident retention exceeds CERT-In; Evidence Store on-prem hosting keeps forensic captures sovereign; FortiSIEM integration feeds the wider SOC. Compliance Manager templates cover ISO 27001 + NIST CSF + custom CERT-In control framework.

Contractor

Extended-workforce protection

Indian enterprises lean heavily on contractor workforces — IT services partners, BPO staff, business consultants. These users have corporate data access but typically work on unmanaged personal devices.

FortiDLP config: Cloud-drive connectors observe contractor activity inside M365 / Google / Box regardless of device posture; real-time file-sharing controls prevent external-share violations during the access window.

Legal

Privilege protection in legal services

Indian law firms and in-house legal teams handle privileged documents that must not leak. The pattern: a paralegal exporting case files to a personal cloud drive "for weekend work."

FortiDLP config: Data Origin tags Legal-folder content; policy enforces corporate-only egress; Insider Risk Sequence Detection scores the chain of access + manipulation + exfiltration.

KPO

Research-services IP protection

Indian KPO firms run on intellectual product they produce for global clients. The deliverables are billable IP and the client contracts mandate strict data-control.

FortiDLP config: Endpoint DLP + cloud-drive coverage + screen-capture forensics gives the KPO the evidence trail to satisfy client audits.

Insurance

Customer + actuarial data control

Indian insurers under IRDAI guidance plus DPDPA. Actuarial datasets, customer health records, and policy databases must not leave the corporate boundary.

FortiDLP config: Indian PII pattern library catches Aadhaar / PAN / policy-number formats; Insider Risk Sequence Detection handles the actuarial-leak pattern; cloud-drive coverage catches the broker-portal data flow.

Education

Student-data protection

Universities and edtech platforms handle student PII at scale. Under DPDPA, students are minors or near-minors with elevated protection requirements.

FortiDLP config: PII templates, cloud-drive coverage of Google Workspace (the dominant Indian edu stack), and real-time content inspection on edtech-internal applications fit this profile cleanly.

Where FortiDLP doesn't fit

Six limitations worth knowing before procurement:

No mobile agent

iOS / Android endpoints need Intune, MAM, or a CASB pattern. FortiDLP covers desktop only.

No on-prem console option

Customers with a hard "no SaaS for security tooling" policy can't deploy. Evidence Store can sit on-prem; the management plane cannot.

MOQ of 100 endpoints

Sub-100-seat shops can't buy. Practical floor is ~150–200 for the economics to make sense.

BPS mandatory in Year 1

Cannot be self-deployed by the customer's own team in Year 1. Renewals are flexible.

FortiAI is a separate licence

Case-management AI summarisation is not bundled; FortiAI tokens billed separately.

Fingerprint threshold is fixed

Power users from Symantec / Forcepoint backgrounds may find the similarity threshold rigid.

Buying through Ogma

Ogma is an authorised Fortinet partner with an NSE-certified engineering bench for FortiDLP delivery in India. The typical engagement runs in four stages:

Sizing workshop

90 minutes to fix tier, endpoint band, and BPS-versus-Managed choice. Output: INR quote with applicable GST.

Pilot deployment

Two weeks. Tenant up, agents on a pilot group, observe-mode policies live, ML baseline running.

Tenant-wide rollout

Four to eight weeks depending on size. Enforcement phased in by business unit. Cloud-drive connectors plumbed in.

Managed operations (optional)

24×7 SOC monitoring on high-severity DLP and IRM incidents, monthly tuning, integration with FortiSIEM / Sentinel / Splunk, FortiSOAR playbook automation.

Pricing is per-endpoint per-year in INR with GST. The FortiDLP solution page carries the SKU and tier breakdown; the lead form there returns a sized quote within two hours during IST business hours.

FortiEndpoint consolidation

Accelerate 2026 announcement

Five agents per endpoint → one

At Accelerate 2026 (March 2026), Fortinet announced FortiEndpoint — a future single-agent product consolidating ZTNA, SASE endpoint controls, EPP, EDR, and DLP into one lightweight agent. FortiDLP is one of the products being merged in. No firm GA date; H2 2026 is the expected window.

Fortinet has committed to licence migration rather than rip-and-replace. Existing FortiDLP investment carries through to the FortiEndpoint era. Compared with alternatives, this is a structural advantage: the five-agents-per-endpoint problem disappears under FortiEndpoint, whereas Microsoft Purview still requires Defender for Endpoint as a separate agent, and Forcepoint and Symantec each require their own.
