How FortiSense detects risk without relying on signatures alone

17/01/2026 · FortiSense

Tags: explainable security, security alerts, threat detection, false positives, alert fatigue, security visibility, SOC-less teams

Most endpoint security still revolves around one core idea:
identify something known to be bad, then block it.

That approach works, until it doesn’t.

FortiSense was built around a different question:

What signals appear before something is clearly malicious?

This post explains how FortiSense detects risk without relying solely on file signatures, and why that matters in modern environments.

Why signatures alone aren’t enough anymore

Signature-based detection is effective against known threats.

But many modern attacks deliberately avoid that territory by:

  • Using legitimate system tools

  • Running from temporary or user-writable locations

  • Living entirely in memory

  • Executing scripts instead of binaries

  • Changing hashes frequently

In these cases, there may be no known “bad” file to match against, at least not initially.

By the time a signature exists, the opportunity for early intervention may already be gone.

What FortiSense looks at instead

Rather than asking “is this file known to be malicious?”, FortiSense asks:

Does this behaviour make sense for this system, at this moment?

It does this by combining several classes of signals.

1. Behaviour and resource signals

Sudden changes often matter more than absolute values.

FortiSense monitors signals such as:

  • Unexpected CPU or memory spikes

  • Unusual outbound network activity

  • Processes behaving differently from their normal baseline

These don’t automatically mean compromise, but they can be early indicators that something is wrong.

2. Execution paths

Where something runs from matters.

Examples of higher-risk paths include:

  • Temporary directories

  • User-writable locations

  • Unexpected subdirectories

  • Mismatches between process name and location

A legitimate binary running from an unusual path can be more concerning than an unknown binary running from a standard one.

FortiSense surfaces this context directly in alerts.

3. Parent-child process chains

Processes don’t appear out of nowhere.

Understanding how something was launched is often more revealing than what it is.

FortiSense records:

  • The parent process

  • The launch chain where relevant

  • Whether the relationship is common or unusual

For example:

  • A shell launched by a system service may warrant scrutiny

  • A script launched by a known installer may not

This context helps differentiate abuse from normal activity.

4. Known-bad intelligence (when it exists)

Signatures still matter, just not exclusively.

FortiSense maintains a database of known malicious hashes and process names. When a match exists, it’s used.

The difference is that detection doesn’t stop there.

If no signature exists, behaviour still matters.

5. Signature and trust validation

System binaries are expected to behave, and be signed, in predictable ways.

FortiSense checks:

  • Whether binaries are digitally signed

  • Whether signatures are valid and verifiable

  • Whether trust expectations match reality

An unsigned or tampered system binary may indicate compromise, even if the file itself isn’t “known malware”.

Scoring instead of absolutes

Rather than making binary “good / bad” decisions, FortiSense assigns risk scores based on combined signals.

Each alert shows:

  • What contributed to the score

  • Why it crossed a threshold

  • What behaviour triggered concern

This avoids overconfidence while still surfacing meaningful risk.

Not everything unusual is malicious, but unusual things are worth seeing.
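Putting the five signal classes and the scoring idea together, as an added example that is not FortiSense's own code: a small explainable scorer in which the weights, path patterns, parent baselines and the placeholder known-bad hash are all constructed assumptions, and each result carries the reasons that made up its score.

```python
from dataclasses import dataclass

# Constructed reference data (assumptions for this example, not real intelligence).
KNOWN_BAD_HASHES = {"0" * 64}  # placeholder, not a real IoC
SYSTEM_BINARIES = {"cmd.exe", "powershell.exe", "rundll32.exe"}
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")
HIGH_RISK_DIRS = ("\\Temp\\", "\\AppData\\Local\\", "\\Downloads\\")
EXPECTED_PARENTS = {"cmd.exe": {"explorer.exe", "setup.exe"},
                    "powershell.exe": {"explorer.exe", "setup.exe"}}
ALERT_THRESHOLD = 50

@dataclass
class ProcessEvent:
    name: str              # image name, e.g. "cmd.exe"
    path: str              # full path the image was executed from
    parent: str            # image name of the parent process
    sha256: str
    signed: bool           # does the image carry a digital signature at all?
    signature_valid: bool  # does that signature verify against a trusted chain?
    cpu_spike: bool        # resource usage well above this process's baseline

def _unusual_parent(e):
    # Only judge parent/child pairs we have a baseline for; unknown pairs add nothing.
    expected = EXPECTED_PARENTS.get(e.name)
    return expected is not None and e.parent not in expected

# (weight, human-readable reason, predicate); weights are illustrative assumptions.
RULES = [
    (100, "hash matches known-bad intelligence", lambda e: e.sha256 in KNOWN_BAD_HASHES),
    (30, "launched from a temporary or user-writable location",
     lambda e: any(d in e.path for d in HIGH_RISK_DIRS)),
    (25, "system binary name running outside a system directory",
     lambda e: e.name in SYSTEM_BINARIES and not e.path.startswith(SYSTEM_DIRS)),
    (35, "system binary is unsigned or its signature does not verify",
     lambda e: e.name in SYSTEM_BINARIES and not (e.signed and e.signature_valid)),
    (30, "launched by a parent that is unusual for this binary", _unusual_parent),
    (15, "CPU usage spiked above the process baseline", lambda e: e.cpu_spike),
]

def score_event(e):
    """Return the capped risk score, whether it crosses the threshold, and why."""
    reasons = [(w, why) for w, why, hit in RULES if hit(e)]
    score = min(100, sum(w for w, _ in reasons))
    return {"score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons}

if __name__ == "__main__":
    # Constructed event: cmd.exe copied into a temp dir, unsigned, started by a service.
    odd = ProcessEvent("cmd.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\cmd.exe",
                       "svchost.exe", "b" * 64, False, False, True)
    print(score_event(odd))
```

A shell started by a service-style parent from its normal location scores below the threshold here, which is the "worth seeing, not yet an alert" middle ground the scoring approach is meant to preserve.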

Why this matters for ransomware

Ransomware rarely starts with an obvious payload.

Early stages often include:

  • Script execution

  • Reconnaissance

  • Process chaining

  • Privilege escalation attempts

  • Unusual resource usage

These steps can happen minutes or hours before encryption begins.

Signature-based tools may not flag them.

Behavioural signals can.

FortiSense is designed to surface these early indicators, when there’s still time to intervene.

Detection that works offline

Many tools quietly assume always-on connectivity.

Real environments don’t.

FortiSense agents:

  • Cache critical intelligence locally

  • Continue evaluating behaviour while offline

  • Store telemetry securely

  • Upload data when connectivity resumes

This ensures detection doesn’t stop just because a system temporarily loses network access. That matters most for servers and remote endpoints.

Why this approach stays lightweight

Behavioural detection doesn’t have to mean heavyweight agents or massive data collection.

FortiSense focuses on:

  • Key signals, not exhaustive telemetry

  • Local evaluation where possible

  • Short, purposeful retention windows

The result is meaningful visibility without the operational cost of full EDR.

Closing thoughts

Modern threats don’t announce themselves with signatures.

They blend in, misuse legitimate tools, and rely on silence.

Detecting them early requires context, not just databases.

FortiSense is built to surface that context, clearly, transparently, and without overwhelming the people using it.

Want to see what early signals look like on your own systems?
FortiSense is free to evaluate: install the agent and observe real behaviour in your environment.
