Fortinet Launches FortiSOC to Bring AI-Driven Security to the Security Operations Center

Fortinet has announced the availability of FortiSOC, a unified SOC platform delivered as a cloud service and built on agentic AI. The solution aims to bring together, in a single experience, functions that many organizations currently manage with separate tools: SIEM, SOAR, threat intelligence, behavior analysis, case management, identity threat detection, and AI-assisted operations.

The company presents FortiSOC as a way to reduce the fragmentation experienced by many security operations centers. The pressure on SOC teams continues to grow: more alerts, more identities, more endpoints, more cloud environments, more tools, and attacks moving at faster speeds. In this scenario, Fortinet’s promise is clear: fewer consoles, less manual integration, and more supervised automation.

FortiSOC leverages well-known technologies from Fortinet’s catalog, such as FortiAnalyzer, FortiSIEM, FortiSOAR, and FortiTIP, but brings them into a SaaS model with a single console, a single subscription, and a common operational flow. The company assures that the existing products will remain available and continue to evolve, so FortiSOC does not replace its portfolio outright but adds a pathway for those who prefer consuming the SOC as a unified cloud platform.

A cloud SOC to reduce fragmentation

The issue FortiSOC aims to address is familiar to any mature security team: each new need often results in a new tool. One for events, another for orchestration, one for threat intelligence, another for case management, and still others for identities, endpoints, and reporting. The outcome can be a powerful stack, but one that is difficult to operate.

Fortinet seeks to condense this experience into a single platform. FortiSOC integrates SIEM capabilities for event collection and correlation, SOAR for automation and response, UEBA for user and entity behavior analysis, ITDR for identity threats, case management, threat intelligence from FortiGuard Labs, and AI-guided operations.

| Feature integrated into FortiSOC | Role within the SOC |
|---|---|
| SIEM | Event collection, normalization, and correlation |
| SOAR | Response workflow automation |
| UEBA | Detection of anomalous behaviors |
| ITDR | Identity-related threat detection |
| Threat Intelligence | Threat context, indicators, and alerts |
| Case Management | Investigation and evidence management |
| FortiAI-Assist | Autonomous investigation, playbooks, and analyst support |
| Third-party Connectors | Integration with security, IT, and business tools |

The phrase “a single dashboard” is often repeated in cybersecurity, but it doesn’t always translate into a real reduction in workload. The difference lies in the depth of integrations and FortiSOC’s ability to connect network, endpoint, identity, cloud, and application data without forcing teams to rebuild processes from scratch.

Fortinet also aims to serve organizations at different maturity levels. For small teams, FortiSOC can provide a more organized entry into SecOps. For advanced SOCs, the proposal is to expand automation, correlation, and AI-assisted analysis without maintaining multiple separate pieces.

Agentic AI for investigation, correlation, and response

The most visible aspect of the announcement is FortiAI-Assist. Fortinet differentiates it from traditional generative assistants because it not only summarizes events or answers questions but also coordinates tasks across investigations, threat hunting, case management, and response actions. The company describes autonomous investigation, playbook generation, and agent coordination using the Model Context Protocol (MCP).

In practice, this suggests a model in which AI helps navigate the entire life cycle of an alert: interpret the event, enrich it with context, relate it to assets and identities, formulate hypotheses, propose an action and, under analyst supervision, execute or prepare it.

| SOC process stage | Role of agentic AI |
|---|---|
| Alert triage | Group events, filter noise, prioritize |
| Investigation | Relate assets, identities, indicators, and context |
| Threat hunting | Create queries and find suspicious patterns |
| Playbooks | Generate or adapt automated responses |
| Cases | Maintain context and evidence during investigation |
| Response | Recommend or execute actions with human oversight |
| MCP coordination | Connect agents, tools, and workflows with persistent context |

This approach addresses a real need: the SOC bottleneck isn’t just in detection but in thorough investigation and timely action. Many alerts require reviewing events, checking inventories, verifying identities, assessing reputations, examining logs, opening tickets, consulting other teams, and documenting decisions. Much of this repetitive work can be supported by automation.

However, human oversight remains essential, especially for high-impact actions: isolating an endpoint, revoking credentials, blocking an account, cutting traffic, changing rules, or activating responses affecting critical users and services. AI can accelerate processes, but an enterprise SOC cannot delegate unlimited authority.

FortiGuard Labs and ready-to-use content from day one

Fortinet emphasizes that FortiSOC incorporates best practice content based on its global SOC experience. This includes detection methods, playbooks, threat intelligence, outbreak alerts, and monthly content updates. The goal is to minimize the time needed for an organization to start operating with useful use cases.

This is important because a SOC platform without content is essentially a blank tool. Rules, detections, playbooks, and response models largely determine value. For resource-strapped teams, ready-made content can accelerate deployment. For mature teams, it provides a foundation to tailor their own processes.

| Included element | Value for the SOC team |
|---|---|
| Predefined playbooks | Faster, consistent responses |
| Ready-made detections | Less initial configuration |
| FortiGuard Labs | Integrated threat intelligence |
| Outbreak alerts | Alerts on active campaigns |
| Monthly updates | Adaptation to new attack techniques |
| Customizable workflows | Alignment with internal processes |

According to the company, FortiSOC also integrates with the Fortinet Security Fabric and offers thousands of third-party connectors. This openness will be crucial for clients with hybrid environments, as few SOCs operate with a single vendor. The reality usually includes firewalls, EDR, identity providers, email, cloud, ITSM tools, data platforms, SASE, and SaaS applications from multiple providers.

Why does Fortinet invest in SOC as a service?

This aligns with a broader trend: moving security operations to integrated cloud platforms. Over the years, many organizations implemented SIEM and SOAR in complex architectures with high infrastructure, maintenance, data ingestion, and staffing costs. The SaaS model promises to reduce some of that burden and facilitate scaling.

Fortinet adds a commercial layer: a single console and a single subscription. For customers, this can simplify procurement, licensing, and renewal processes. For Fortinet, it reinforces its platform strategy and brings FortiSOC closer to users already running FortiGate, FortiAnalyzer, FortiSIEM, FortiSOAR, FortiEDR, FortiSASE, or other portfolio components.

| Traditional model | Fortinet’s FortiSOC approach |
|---|---|
| Multiple separate tools | Unified cloud platform |
| Manual integrations | Built-in workflows and connectors |
| Per-product licensing | Single subscription |
| Fragmented operation | Shared investigation and response model |
| AI as a helper | Agentic AI integrated into the SOC workflow |
| Custom content from scratch | Initial playbooks and detections |

The claimed return on investment should be viewed cautiously, as with any vendor claim. Reducing tools doesn’t always cut costs if migration is complex, data is costly to transfer, or internal processes require significant adaptation. However, the market trend favors platforms that reduce overlap and assist understaffed teams.

FortiSOC does not replace FortiSIEM or FortiSOAR

A key point in the announcement is coexistence with the current portfolio. Fortinet states that FortiSOC complements and extends its SOC platform composed of FortiAnalyzer, FortiSIEM, and FortiSOAR. Existing customers can therefore continue using those solutions, while FortiSOC offers a unified cloud experience for those seeking greater integration.

This nuance is significant for large deployments. Switching SIEM or SOAR involves data, rules, connectors, playbooks, compliance workflows, training, and operational dependencies. Fortinet avoids framing this as a disruptive change and presents FortiSOC as a natural evolution within its existing catalog.

For new or modernization-focused organizations, FortiSOC may be more appealing, as it eliminates the need to select, integrate, and maintain separate components. For existing clients, migration will depend on specific needs, costs, regulations, data volume, and cloud preferences.

Agentic SOC still requires governance

Integrating agentic AI into the SOC offers opportunities but also requires controls. An agent that investigates and recommends responses can save time, but one that executes actions without limits could cause operational errors if it misinterprets an event or over-applies a response.

This is why analyst oversight remains a crucial aspect of the announcement. Fortinet mentions recommendations or actions under human control. The key will be defining trust levels: what can the platform automate, what requires approval, and what remains merely advisory.

| Response action | Recommended control level |
|---|---|
| Enrich indicator | Automatable |
| Group related alerts | Automatable |
| Create case | Automatable |
| Propose blocking | Requires review |
| Isolate endpoint | Requires explicit approval |
| Revoke credentials | Requires approval and logging |
| Change critical policies | Requires human validation |

AI in the SOC must be auditable. Teams need to understand what data was used, what hypotheses were generated, what actions were recommended, and who approved each step. Without this traceability, automation risks becoming another opaque process in an area that demands transparency and control.
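The tiered control levels and the audit requirement described above, as an added illustration that is not FortiSOC code or any Fortinet API: a small gate that lets an agent's proposal execute only when its tier allows it, fails closed on actions the policy does not list, and records the evidence, hypothesis and approver for every decision. Action names, tiers and the sample alert data are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
class Tier(Enum):
    AUTO = "automatable"
    REVIEW = "requires review"
    APPROVAL = "requires explicit approval"
# Constructed policy mirroring the control levels in the table above.
# Assumption: illustrative tiers and action names, not FortiSOC's real schema.
POLICY = {
    "enrich_indicator": Tier.AUTO, "group_alerts": Tier.AUTO, "create_case": Tier.AUTO,
    "propose_block": Tier.REVIEW,
    "isolate_endpoint": Tier.APPROVAL, "revoke_credentials": Tier.APPROVAL,
    "change_critical_policy": Tier.APPROVAL,
}

@dataclass
class Proposal:
    action: str
    target: str
    hypothesis: str                 # what the agent concluded and why
    evidence: List[str]             # data the recommendation was based on
    approver: Optional[str] = None  # analyst who approved, if anyone

@dataclass
class Gate:
    audit: List[dict] = field(default_factory=list)  # one record per decision
    def decide(self, p: Proposal) -> str:
        tier = POLICY.get(p.action, Tier.APPROVAL)  # unknown action: fail closed
        if tier is Tier.AUTO:
            outcome = "executed"
        elif tier is Tier.REVIEW:
            outcome = "queued_for_review"  # advisory until an analyst reviews it
        elif p.approver:
            outcome = "executed"
        else:
            outcome = "blocked_awaiting_approval"
        # Traceability: data used, hypothesis, action, tier, approver and result.
        self.audit.append({"action": p.action, "target": p.target, "tier": tier.value,
                           "hypothesis": p.hypothesis, "evidence": list(p.evidence),
                           "approver": p.approver, "outcome": outcome})
        return outcome

def run_demo() -> List[str]:
    gate, ev = Gate(), ["alert-1043", "FortiGuard hit on 198.51.100.7"]  # constructed
    return [
        gate.decide(Proposal("enrich_indicator", "198.51.100.7", "suspected C2", ev)),
        gate.decide(Proposal("isolate_endpoint", "host-17", "beaconing to C2", ev)),
        gate.decide(Proposal("isolate_endpoint", "host-17", "beaconing to C2", ev, "analyst.a")),
    ]
```

The audit list is what an analyst or auditor would read back to see which data and hypothesis led to each recommendation and who approved it.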

A piece in the race for a unified SOC

Fortinet is not alone in this direction. Microsoft, Palo Alto Networks, CrowdStrike, Google, Cisco, SentinelOne, Splunk, and others are integrating generative AI, automation, and agentic capabilities into their security platforms. The difference will be in how they incorporate telemetry, third-party ecosystems, detection quality, analyst experience, and deployment ease.

Fortinet has a clear advantage with clients already utilizing its Security Fabric and security solutions. If FortiSOC can leverage this telemetry seamlessly, it could shorten investigation times in environments where Fortinet already has a strong presence. The challenge will be to convince organizations with very heterogeneous architectures.

The overarching trend is clear: future SOCs will feature fewer isolated screens and more contextual automation. They won’t be fully autonomous, but they will be more assisted, interconnected, and workflow-oriented. Agentic AI can help transform alerts into context-rich investigations, provided companies keep control over high-impact decisions.

FortiSOC is Fortinet’s step toward that future: a unified, cloud-delivered SOC with AI integrated into the operational flow. Its success will depend less on marketing and more on its ability to genuinely reduce noise, shorten investigations, integrate external tools, and let analysts focus less on moving data and more on security decisions.

Frequently Asked Questions

What is FortiSOC?

FortiSOC is a unified, cloud-delivered SOC platform that consolidates functions such as SIEM, SOAR, threat intelligence, UEBA, ITDR, case management, and AI-guided operations.

What does FortiAI-Assist bring?

FortiAI-Assist applies agentic AI to investigations, threat hunting, playbook creation, case management, and response actions, with MCP-based coordination and analyst oversight.

Does FortiSOC replace FortiSIEM or FortiSOAR?

Not necessarily. Fortinet states that FortiSOC complements and extends its current SOC portfolio, with FortiAnalyzer, FortiSIEM, and FortiSOAR remaining available and evolving.

Who is FortiSOC designed for?

Fortinet targets both resource-constrained teams seeking basic SOC capabilities and mature organizations aiming for more automation, correlation, and unified operations.

via: Fortinet
