What FortiSense Will (and Won’t) Alert On

22/01/2026 · FortiSense

Tags: Endpoint Security, Cyber Security for Small Business, Security Alerts, Threat Detection, Behaviour-Based Detection, Microsoft Defender, IT Security, Security Visibility

Setting the right expectations from day one

If you’ve ever trialled a security tool and thought “this feels noisy” or “I don’t know what I’m meant to do with this alert”, you’re not alone.

For founders, owners, and IT generalists, the hardest part of security tooling isn’t installation; it’s deciding what actually matters once the alerts start coming in.

This article explains, plainly and honestly:

  • what FortiSense does alert on

  • what it intentionally doesn’t

  • and how to think about alerts without needing a SOC or security team

The goal isn’t to impress you with volume.
It’s to help you spot real risk early, without drowning in noise.

What FortiSense is designed to alert on

FortiSense focuses on risk patterns, not just known bad files.

Instead of asking “Is this malware?” for every event, it asks a more useful early question:

“Does this behaviour look risky in this environment?”

That leads to alerts in a few key areas.

1. Unusual or risky process behaviour

FortiSense watches how processes behave, not just what they’re called.

Examples include:

  • Processes consuming abnormally high CPU or memory

  • Command shells or scripting engines starting in unexpected contexts

  • Suspicious parent → child process chains (for example, a document spawning a shell)

  • Executables running from unusual locations rather than standard install paths

On their own, any one of these can be benign.
Together, they often form the earliest visible signs of compromise.

That’s why FortiSense looks at patterns, not single signals.

2. Execution paths that don’t look normal

A surprising number of real-world incidents start with software running from places it shouldn’t.

FortiSense highlights executables launched from:

  • temporary directories

  • user-writable locations

  • paths commonly abused by scripts and loaders

This doesn’t mean “this is malware”.
It means “this deserves attention”, especially on servers or business-critical machines.

3. Resource and network usage that doesn’t match expectations

Rather than waiting for a signature match, FortiSense flags behaviour that stands out:

  • sustained CPU usage with no obvious explanation

  • memory or network activity from unknown or rarely used processes

  • patterns that don’t align with how the device usually behaves

For small teams without full-time security staff, this kind of early visibility is often what’s missing.
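The three areas above describe one scoring idea: several weak signals (a suspicious parent/child chain, an unusual launch path, unexplained CPU) are accumulated so that a lone benign-looking signal stays quiet while a pattern stands out. The following is an added illustration, not FortiSense's own code; the weights, tiers, path lists and sample events are all constructed.

```python
"""Added example, not FortiSense code: combine weak process signals (parent/child
chain, launch path, CPU) into one score, so one benign-looking signal stays below
the alert tier while a pattern of them crosses it. All weights and samples are constructed."""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}          # constructed list
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}              # constructed list
RISKY_PATH_FRAGMENTS = ("\\temp\\", "\\appdata\\local\\", "\\downloads\\")
STANDARD_PREFIXES = ("c:\\program files", "c:\\windows\\system32")
CPU_HIGH_PCT = 80.0
LOW_TIER, HIGH_TIER = 2, 4  # constructed: 'worth a closer look' vs 'high severity'

@dataclass
class ProcessEvent:
    parent: str     # parent process image name
    name: str       # this process's image name
    path: str       # full path it was launched from
    cpu_pct: float  # sustained CPU use observed for the process

def score_event(ev: ProcessEvent):
    """Return (score, reasons); each reason is one independent signal."""
    score, reasons = 0, []
    parent, name, path = ev.parent.lower(), ev.name.lower(), ev.path.lower()
    if parent in OFFICE_APPS and name in SHELLS:
        score += 3; reasons.append("document or mail client spawned a shell")
    elif name in SHELLS:
        score += 1; reasons.append("shell or scripting engine started")
    if any(frag in path for frag in RISKY_PATH_FRAGMENTS):
        score += 2; reasons.append("launched from a temp or user-writable path")
    elif not path.startswith(STANDARD_PREFIXES):
        score += 1; reasons.append("launched outside standard install paths")
    if ev.cpu_pct >= CPU_HIGH_PCT:
        score += 1; reasons.append("sustained high CPU")
    return score, reasons

def triage(ev: ProcessEvent) -> str:
    """Map the accumulated score to 'ignore', 'low' or 'high'."""
    score, _ = score_event(ev)
    return "high" if score >= HIGH_TIER else "low" if score >= LOW_TIER else "ignore"

# Constructed sample events: three expected behaviours, then a combined pattern.
SAMPLES = {
    "developer compiling": ProcessEvent("devenv.exe", "cl.exe", "c:\\program files\\msvc\\cl.exe", 95.0),
    "admin running a script": ProcessEvent("explorer.exe", "powershell.exe", "c:\\windows\\system32\\powershell.exe", 4.0),
    "installer from temp": ProcessEvent("explorer.exe", "setup.exe", "c:\\users\\alice\\appdata\\local\\temp\\setup.exe", 10.0),
    "document spawning a shell from temp": ProcessEvent("winword.exe", "powershell.exe", "c:\\users\\alice\\appdata\\local\\temp\\powershell.exe", 85.0),
}
```

The compiling developer and the admin's script each carry one signal and land in the ignore tier; the installer from a temp directory is worth a look; only the document-to-shell chain from a temp path with high CPU reaches the high tier.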

4. Known malicious indicators (when confidence is high)

Where FortiSense has high confidence that something is genuinely malicious, it can escalate appropriately.

Depending on your plan and policy settings, this may include:

  • clear, high-severity alerts

  • optional manual quarantine on a per-alert or per-process basis

  • automatic quarantine for premium users when confidence crosses a defined threshold

Importantly: quarantine is never hidden or silent.
You always see why something was flagged and what action was taken.

What FortiSense doesn’t alert on (by design)

This is where expectations matter most.

FortiSense is not trying to alert on everything, and that’s intentional.

❌ It doesn’t alert on every malware signature

FortiSense is not a replacement for traditional antivirus.

Signature-based tools are good at what they do, and FortiSense is designed to complement them, not fight them.

If your AV already knows a file is bad and blocks it cleanly, FortiSense doesn’t need to shout about it.

❌ It doesn’t flag every unusual thing as an incident

Unusual does not always mean dangerous.

Developers compile code.
Admins run scripts.
Servers spike CPU during backups.

FortiSense deliberately avoids turning every anomaly into a high-severity alert. Instead, it focuses on context and accumulation.

This is how alert fatigue is avoided.

❌ It doesn’t promise ransomware prevention (yet)

You won’t see claims like “stops ransomware” here.

Today, FortiSense focuses on pre-ransomware behaviour indicators, the early signals that often appear before encryption starts.

That visibility is valuable on its own, especially for teams that currently find out after damage is done.

Prevention is on the roadmap, not a marketing shortcut.

How alerts evolve over time (and why the first week matters)

One of the most important things to understand is this:

The first few days are the noisiest, and that’s normal.

Early on, FortiSense is learning what your environment looks like.

As patterns become familiar:

  • expected behaviour fades into the background

  • genuinely unusual activity becomes clearer

  • ignore decisions and policy tuning reduce repeat alerts

This is not a static rules engine.
It’s a system designed to settle into your environment, not fight it.
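The "first days are the noisiest" effect comes from baselining: a chain that recurs becomes expected, an operator's ignore decision silences a known-good chain, and what remains unfamiliar is what stands out. The following is an added illustration, not FortiSense code; the familiarity count, the never-baseline list and the three-day timeline are constructed.

```python
"""Added example, not FortiSense code: a per-device baseline that counts
parent->child process chains, treats recurring chains as expected, applies
operator ignore decisions, and refuses to baseline inherently risky chains.
The familiarity count, the never-baseline list and the timeline are constructed."""
from collections import Counter

FAMILIAR_AFTER = 3  # constructed: occurrences before a chain counts as expected
# Constructed: chains that stay unfamiliar however often they recur, so a
# repeated risky pattern cannot quietly baseline itself into the background.
NEVER_BASELINE = {("winword.exe", "powershell.exe"), ("excel.exe", "cmd.exe")}

class Baseline:
    def __init__(self):
        self.seen = Counter()   # (parent, child) -> occurrences observed
        self.ignored = set()    # chains the operator marked as expected

    @staticmethod
    def _key(parent: str, child: str):
        return (parent.lower(), child.lower())

    def ignore(self, parent: str, child: str) -> None:
        """Record an operator decision: this chain is expected on this device."""
        self.ignored.add(self._key(parent, child))

    def observe(self, parent: str, child: str) -> str:
        """Classify one occurrence as 'ignored', 'expected' or 'unfamiliar'."""
        k = self._key(parent, child)
        if k in self.ignored:
            return "ignored"
        self.seen[k] += 1
        if k in NEVER_BASELINE or self.seen[k] <= FAMILIAR_AFTER:
            return "unfamiliar"
        return "expected"

# Constructed timeline: day -> (parent, child) chains seen on one device.
SAMPLE_DAYS = {
    1: [("svchost.exe", "wbadmin.exe")] * 3 + [("devenv.exe", "cl.exe")] * 2,
    2: [("svchost.exe", "wbadmin.exe")] * 3 + [("devenv.exe", "cl.exe")] * 2,
    3: [("svchost.exe", "wbadmin.exe")] * 3 + [("winword.exe", "powershell.exe")],
}

def unfamiliar_per_day(days=SAMPLE_DAYS, ignore=(("devenv.exe", "cl.exe"),)) -> dict:
    """Return {day: count of unfamiliar chains}; the operator's ignore
    decision for the developer's build chain is applied after day 1."""
    baseline, out = Baseline(), {}
    for day, chains in sorted(days.items()):
        out[day] = sum(baseline.observe(p, c) == "unfamiliar" for p, c in chains)
        if day == 1:
            for p, c in ignore:
                baseline.ignore(p, c)
    return out
```

Day 1 produces five unfamiliar chains (the backup job and the build), day 2 produces none once the backup has recurred and the build is ignored, and day 3 surfaces only the document-to-shell chain, which never fades into the background.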

What happens if endpoints go offline?

Security tools shouldn’t stop working just because a laptop leaves the office or a server loses connectivity.

FortiSense is designed so that:

  • protection and decision-making continue when endpoints are offline

  • relevant data is cached locally

  • telemetry and findings are sent once connectivity returns

This matters more than people realise, especially for mobile staff, remote servers, and less predictable networks.

How to think about a FortiSense alert

A helpful mindset shift is this:

  • Severity ≠ certainty

  • An alert is not an accusation

  • It’s a signal, not a verdict

Each alert is there to answer one question:

“Is this worth a closer look right now?”

In the next article, we’ll walk through how to tell a false positive from real risk, step by step, without needing a SOC or deep security background.

Try it with the right expectations

FortiSense works best when you understand what it’s trying to show you, and what it isn’t.

If you approach it expecting:

  • fewer, clearer alerts

  • explainable reasoning

  • early visibility rather than late-stage panic

…you’ll get a much more useful experience.

👉 Try FortiSense and see how alerts evolve in your own environment.
