Fortinet Inc.

Company Overview

Business Model: Fortinet is a leader in cybersecurity, focused on the convergence of networking and security to secure people, devices, and data everywhere. Its core offering is the Fortinet Security Fabric, an integrated platform encompassing secure networking, unified Secure Access Service Edge (SASE), and artificial intelligence (AI)-driven security operations (SecOps). Revenue is primarily generated from sales of hardware and software products, and the amortization of deferred revenue from FortiGuard and other security subscriptions and FortiCare technical support services. Fortinet also derives revenue from cloud security solutions, professional services, and training. The company primarily utilizes a two-tier distribution model, selling to distributors who then sell to resellers, service providers, and managed security service providers (MSSPs). Direct sales are also conducted with large service providers, major systems integrators, and large end users.

Market Position: Fortinet holds a leadership position in cybersecurity, evidenced by its recognition in over 140 enterprise analyst reports for its vision and execution across security and networking products. Key competitive differentiators include:

• FortiOS: A unified operating system enabling the convergence of networking and AI-powered security.
• FortiASIC: Proprietary Application-Specific Integrated Circuit (ASIC)-based security processing units (SPUs) that enhance speed, scale, efficiency, and reduce power consumption.
• FortiCloud: An organically built global cloud infrastructure providing a private cloud Software-as-a-Service (SaaS) platform.
• FortiAI: A dual-layered AI defense framework supporting Network Operations Center (NOC) and Security Operations Center (SOC) teams and protecting AI infrastructure.
• FortiEndpoint: A single agent solution converging secure connectivity, endpoint protection, and Universal Zero Trust Network Access (ZTNA).
• OT Security: A purpose-built platform for securing operational technology (OT) and Cyber-Physical Systems (CPS). Fortinet anticipates that the demand for secure networking will surpass the pure networking market by 2030, presenting a significant growth opportunity.

Recent Strategic Developments:

• AI Integration: Fortinet has made significant investments in integrating AI and machine learning (ML) into its solutions, including the acquisition of Lacework Inc. in 2024 to enhance its Cloud-Native Application Protection Platform (CNAPP) offerings. FortiAI provides generative and agentic AI assistance for security operations and protects AI infrastructure.
• SASE Expansion: The company continues to develop core SASE capabilities within FortiOS, integrating Next-Gen Firewall, SD-WAN, ZTNA, secure web gateway, cloud access security broker, and Data Loss Prevention (DLP). Its global cloud network, comprising over 190 Points of Presence (PoPs), supports seamless secure access.
• OT Security Focus: Fortinet has developed a purpose-built OT Security Platform to address the unique security needs of critical infrastructure and supply chains.
• Acquisitions:
  • In January 2025, Fortinet acquired the remaining 49.2% ownership of Linksys Holdings, Inc. for $20.8 million in cash, achieving 100% ownership.
  • In 2025, other acquisitions totaled $38.3 million in cash.
  • In December 2024, Fortinet acquired certain assets and liabilities of Perception Point Ltd., specializing in advanced collaboration and email security, for $33.7 million in cash.
  • In August 2024, Fortinet acquired Next DLP Holdings Limited for approximately $105.0 million in cash to strengthen its position in the enterprise DLP market.
  • In August 2024, Fortinet acquired Lacework Inc. for $152.3 million in cash to offer CNAPP solutions.
• Product Innovation: The company launched the SP5 ASIC and FortiGate-90G model, highlighting energy efficiency, and has obtained Environmental Product Declarations for its FortiGate 50G family.

Geographic Footprint: Fortinet serves end-customers in over 100 countries, with its corporate headquarters in Sunnyvale, California, and research and development centers primarily in the United States and Canada. It maintains a global network of support and centers of excellence.

• Revenue Distribution (2025):
  • Americas: 40% of total revenue
  • EMEA: 42% of total revenue
  • APAC: 18% of total revenue
• Employee Distribution (as of December 31, 2025): Approximately 30% in the United States, 20% in Canada, and 50% outside the U.S. and Canada (primarily EMEA).
• Owned Facilities (as of December 31, 2025): Includes 2,400 thousand square feet in the United States, 1,000 thousand square feet in Canada, 910 thousand square feet in EMEA, and 40 thousand square feet in APAC, comprising headquarters, data centers, R&D, sales, support, and warehousing.

Financial Performance

Revenue Analysis

Profitability Metrics (2025):

• Gross Margin: 80.5%
• Operating Margin: 30.7%
• Net Margin: 27.3%

Investment in Growth:

• R&D Expenditure: $815.5 million (12.0% of revenue)
• Capital Expenditures: $364.8 million
• Strategic Investments: In 2025, Fortinet made cash payments of $20.8 million for the acquisition of Linksys Holdings, Inc. and $38.3 million for other acquisitions. Additionally, $255.8 million was spent on real estate purchases in the United States, Canada, Germany, the Netherlands, and the United Kingdom.

Capital Allocation Strategy

Shareholder Returns:

• Share Repurchases: In 2025, Fortinet repurchased 28.7 million shares of common stock for an aggregate purchase price of $2.29 billion under its Share Repurchase Program.
• Dividend Payments: Fortinet has never declared or paid cash dividends on its capital stock and does not anticipate doing so in the foreseeable future.
• Future Capital Return Commitments: As of December 31, 2025, approximately $738.6 million remained available for future share repurchases under the program, which was extended to February 28, 2027. In January 2026, the board approved an additional $1.0 billion increase, bringing the total authorized amount to $10.25 billion through February 28, 2027.

Balance Sheet Position (as of December 31, 2025):

• Cash and Equivalents: $2,495.3 million
• Total Debt: $996.3 million (comprising $499.7 million in current portion of long-term debt and $496.6 million in long-term debt)
• Net Cash Position: $1,499.0 million
• Credit Rating: Not disclosed in the filing.
• Debt Maturity Profile: Includes $500.0 million aggregate principal amount of 1.0% notes due March 15, 2026, and $500.0 million aggregate principal amount of 2.2% notes due March 15, 2031. Fortinet expects to repay the 2026 Senior Notes at maturity.

Cash Flow Generation (2025):

• Operating Cash Flow: $2,590.6 million
• Free Cash Flow: $2,211.8 million
• Cash Conversion Metrics: Deferred revenue stood at $7.12 billion as of December 31, 2025, representing a 12% increase year-over-year, indicating strong future revenue recognition. Total billings (non-GAAP) for 2025 were $7.55 billion, a 16% increase from 2024.

Operational Excellence

Production & Service Model: Fortinet outsources the manufacturing of its security appliance products to various contract manufacturers and original design manufacturers. Approximately 87% of its hardware is manufactured in Taiwan. Proprietary ASICs are built by contract manufacturers, including Toshiba America Electronic Components, Inc. and Renesas Electronics America, Inc., utilizing foundries in Taiwan and Japan. After manufacturing, products are sent to warehouses in California, the Netherlands, or a logistics partner in Taoyuan City, Taiwan, for accessory packaging and quality-control testing. Service delivery includes FortiGuard and other security subscriptions and FortiCare technical support services, offered globally 24x7 with flexible add-ons and priority hardware replacement. Cloud-based subscription offerings are provided through Fortinet-owned data centers and PoPs, as well as colocation arrangements and public cloud providers.

Supply Chain Architecture: Key Suppliers & Partners:

• Contract Manufacturers: Accton Technology, IBASE Technology, Inc., Micro-Star International Co., Senao Networks, Inc., Wistron Corporation, and other manufacturers.
• ASIC Manufacturers: Toshiba America Electronic Components, Inc. and Renesas Electronics America, Inc.
• Component Suppliers: Intel Corporation (CPUs, network/wireless chips, memory devices), Advanced Micro Devices, Inc. (CPUs), Broadcom Inc. (network/wireless chips), Marvell Technology Group Ltd. (network/wireless chips), Qualcomm Incorporated (network/wireless chips), Micron Technology (memory devices), ADATA Technology Co., Ltd. (memory devices), Toshiba Corporation (memory devices), Samsung Electronics Co., Ltd. (memory devices), and Western Digital Technologies, Inc. (memory devices). Some components are sourced from limited or sole suppliers.
• Logistics Partner: Located in Taoyuan City, Taiwan. Fortinet operates a Trusted Supplier Program (TSP) in accordance with NIST SP 800-161 to ensure supply chain security and component integrity. Facility Network:
• Manufacturing: Primarily outsourced, with significant hardware manufacturing in Taiwan. ASIC production in Japan and Taiwan.
• Research & Development: Centered in the United States and Canada, with teams also in India, Israel, Japan, and Taiwan. No R&D activities are conducted in Russia or China.
• Distribution: Warehouses in California and the Netherlands, and a logistics partner in Taoyuan City, Taiwan. Global cloud infrastructure includes over 190 PoPs. Operational Metrics:
• Fortinet Security Fabric platform supports over 50 products.
• FortiGuard Labs monitors the worldwide attack surface using millions of global network sensors and AI.
• The Fortinet Training Institute has issued approximately two million certifications.
• Fortinet maintained ISO 14001 certification for its largest company-owned warehouse in Union City, California, in 2025.
• The company has demonstrated energy efficiency leadership with the launch of its SP5 ASIC and FortiGate-90G model and has Environmental Product Declarations for its FortiGate 50G family.

Market Access & Customer Relationships

Go-to-Market Strategy: Distribution Channels:

• Direct Sales: Fortinet's sales teams engage directly with large enterprise and service provider customers to address unique security and deployment requirements.
• Channel Partners: The primary sales model is a two-tier distribution system, involving technology distributors such as Arrow Electronics, Inc., Exclusive, Ingram Micro, and TD Synnex, who then sell to resellers, service providers, and MSSPs.
• Digital Platforms: Cloud-based subscription offerings are delivered through Fortinet-owned data centers and PoPs, colocation arrangements, and public cloud providers including Amazon Web Services, Microsoft Azure, and Google Cloud. Customer Portfolio: Enterprise Customers: Fortinet serves a diverse global customer base across over 100 countries, including small, medium, and large enterprises, as well as government organizations in various sectors such as financial services, government, manufacturing, retail, technology, education, healthcare, and telecommunications.
• Customer Concentration: In 2025, approximately 50% of Fortinet's billings originated from seven countries, with the remaining 50% distributed across over 100 countries, each contributing less than 3%.
  • Distributor A accounted for 28% of total revenue and 32% of net accounts receivable in 2025.
  • Distributor B accounted for 15% of total revenue and 12% of net accounts receivable in 2025.
  • Distributor C accounted for 12% of total revenue and 9% of net accounts receivable in 2025. Geographic Revenue Distribution (2025):
• Americas: 40% of total revenue
• EMEA: 42% of total revenue
• APAC: 18% of total revenue
• Growth Markets: Fortinet's strategy includes increasing sales to large- and medium-sized businesses, service providers, and government organizations.

Competitive Intelligence

Market Structure & Dynamics

Industry Characteristics: The network security market is highly competitive and dynamic, driven by rapid technological advancements. Modern networks are increasingly complex, spanning multiple edges and hybrid cloud/on-premises environments. The escalating threat landscape, a persistent cybersecurity skills shortage, and the proliferation of siloed security tools are driving demand for integrated cybersecurity platforms. Fortinet anticipates that the secure networking market will exceed the pure networking market by 2030, and an upcoming firewall refresh and upgrade cycle presents a strategic opportunity for market expansion.

Competitive Positioning Matrix:

Direct Competitors

Primary Competitors: Check Point Software Technologies Ltd., Cisco Systems, Inc., CrowdStrike Holdings, Inc., F5 Networks, Inc., Hewlett-Packard Enterprise, Huawei Technologies Co., Ltd., Microsoft Corporation, Netskope Inc., Palo Alto Networks, Inc., SonicWALL, Inc., Sophos Group Plc, and Zscaler, Inc. Emerging Competitive Threats: The market faces threats from new entrants, disruptive technologies (including AI-driven threats), and alternative solutions, particularly from cloud-based security providers such as CrowdStrike Holdings, Inc. and Zscaler, Inc. Competitive Response Strategy: Fortinet competes by emphasizing its products' security performance, throughput, reliability, breadth, and interoperability. It focuses on integrating new networking and security features and leveraging its technological expertise. The company's platform approach, the Fortinet Security Fabric, is designed to capitalize on firewall refresh cycles by driving opportunities across its broader portfolio, including LAN, SD-WAN, SASE, CNAPP, and SecOps solutions.

Risk Assessment Framework

Strategic & Market Risks

• Market Dynamics: Fortinet's operating results are subject to significant variability and unpredictability due to adverse economic conditions (e.g., recession, inflation, stagflation, changing interest rates), tariffs, trade policies, reduced IT spending, and geopolitical instability (e.g., war in Ukraine, tensions between China and Taiwan, conflicts in the Middle East). The company also faces risks related to customer demand for platform solutions versus point solutions and its ability to anticipate and respond to market changes concerning cloud-based and AI solutions.
• Technology Disruption: The network security market is rapidly evolving, requiring continuous development of new products and enhancements to counter increasingly sophisticated attack techniques. There is a risk that new products or services may not achieve sufficient market acceptance. The growing demand for cloud-based subscription services may outpace Fortinet's ability to deliver these solutions effectively. Additionally, the integration of similar functionality into existing network infrastructure products by larger competitors could reduce demand for Fortinet's appliances.
• Customer Concentration: Fortinet relies heavily on third-party channel partners for substantially all of its revenue, with a small number of distributors accounting for a large percentage of revenue and accounts receivable (e.g., Distributor A represented 32% of net accounts receivable as of December 31, 2025). Sales to large- and medium-sized end-customers, service providers, and government organizations involve unique risks such as longer sales cycles, increased competition, stringent support requirements, and budget constraints.

Operational & Execution Risks

• Supply Chain Vulnerabilities: Fortinet is susceptible to supply chain constraints, shortages, and disruptions due to its reliance on limited or sole sources for key components (e.g., CPUs, network/wireless chips, memory devices) and third-party contract manufacturers, with approximately 87% of its hardware manufactured in Taiwan. Geopolitical events, such as tensions between China and Taiwan or conflicts in the Middle East, could significantly impact manufacturing and shipping. The rapid global build-out of AI infrastructure has led to a global shortage of memory chips, affecting Fortinet's production and costs.
• Geographic Concentration: A majority of Fortinet's revenue is generated from sales outside the United States (EMEA 42%, Americas 40%, APAC 18% in 2025), exposing the company to risks associated with international operations, including currency fluctuations, political and economic instability, challenges in contract enforcement, difficulties in staffing foreign operations, and varying intellectual property protection laws.
• Capacity Constraints: Risks are associated with Fortinet's real estate investments, including potential construction delays, lack of equipment availability, budget overruns, increased material prices, labor availability issues, and permitting delays for data centers and office buildings. Inventory management is complex, requiring a balance between maintaining competitive lead times and mitigating the risk of obsolescence.
• Internal Systems & Processes: Fortinet relies heavily on information technology for critical functions such as order configuration, pricing, revenue recognition, and supply chain management. Delays or failures in improving and expanding these systems, controls, and processes could negatively impact operations and financial reporting accuracy.
• AI Risks: The integration of AI technology introduces new risks, including an evolving regulatory landscape, intense competition, the potential for AI to generate inaccurate or copyrighted content, data privacy risks if customer data is used for training, and ethical concerns related to bias and discrimination.

Financial & Regulatory Risks

• Demand Volatility: Fortinet's operating results are inherently volatile due to customer buying patterns, a concentration of sales orders and billings at quarter-end, and seasonal trends.
• Foreign Exchange: The company is exposed to fluctuations in foreign currency exchange rates, particularly the Euro, Japanese yen, Canadian dollar, and British pound, as a significant portion of its operating expenses are incurred in these currencies.
• Credit & Liquidity: Fortinet faces credit and liquidity risk from its channel partners. Its outstanding indebtedness of $996.3 million as of December 31, 2025, and any future debt, could adversely affect its financial condition.
• Regulatory & Compliance Risks: Fortinet is subject to a wide array of federal, state, regional, local, and foreign governmental regulations covering areas such as employment, workplace safety, product safety, environmental protection, consumer protection, anti-bribery, data privacy (e.g., GDPR, CCPA, EU Data Act, DORA), import/export controls, securities, and tax laws. Non-compliance can lead to investigations, sanctions, fines, and reputational damage. Export controls on encryption technology and sanctions (e.g., against Russia and Belarus) can limit distribution and sales.
• Legal Proceedings: Fortinet is regularly involved in litigation, including ongoing securities class actions and stockholder derivative complaints alleging false or misleading statements and breaches of fiduciary duty. The company is also subject to ongoing tax audits in several foreign jurisdictions.

Geopolitical & External Risks

• Geographic Dependencies: Fortinet's global operations and manufacturing, particularly the high concentration of hardware manufacturing in Taiwan, expose it to geopolitical instability, including tensions between China and Taiwan, the war in Ukraine, and conflicts in the Middle East.
• Trade Relations: Changes in international trade agreements, tax policies related to global manufacturing and sales, or the imposition of new tariffs or economic sanctions could adversely affect Fortinet's financial condition.
• Sanctions & Export Controls: U.S. export control laws and economic sanctions restrict the shipment of certain products to embargoed or sanctioned countries, governments, and persons. Foreign countries also regulate the import of encryption technology. Changes in these regulations or non-compliance could limit Fortinet's ability to distribute or sell its products internationally.
• Catastrophic Events: Fortinet's business is vulnerable to natural disasters (e.g., earthquakes, fires, floods, typhoons, virus outbreaks) and manmade problems (e.g., civil unrest, war, labor disruption, critical infrastructure attacks, terrorism). Its corporate headquarters in the San Francisco Bay Area and a key R&D/data center in Burnaby, Canada, are in seismically active regions, with the latter also facing flood risk.

Innovation & Technology Leadership

Research & Development Focus: Fortinet's R&D efforts are concentrated on developing new hardware and software products and services, and enhancing existing offerings. Core Technology Areas:

• FortiOS: The unified operating system is the foundation of the Fortinet Security Fabric, enabling the convergence of networking and AI-powered security, and includes advanced encryption and quantum-resistant cryptographic capabilities.
• FortiASIC: Proprietary Application-Specific Integrated Circuits (ASICs) are developed in-house to accelerate performance, scale, and efficiency of solutions.
• FortiAI: Focuses on a dual-layered defense, leveraging generative and agentic AI to support security operations and protect AI infrastructure, including large language models (LLMs) and Application Programming Interfaces (APIs).
• OT Security: Dedicated R&D for purpose-built solutions to protect operational technology and cyber-physical systems.
• Secure Networking, Unified SASE, AI-Driven SecOps: Continuous development across these three solution pillars, including next-generation firewalls, SD-WAN, ZTNA, SIEM, SOAR, and XDR. Innovation Pipeline: Fortinet is making significant investments in integrating AI and ML technology into its solutions, as demonstrated by the acquisition of Lacework Inc. to enhance its Cloud-Native Application Protection Platform (CNAPP). The company's R&D is primarily conducted in the United States and Canada, with additional teams in India, Israel, Japan, and Taiwan. Approximately two-thirds of engineers focus on software development, and the remainder on hardware. Intellectual Property Portfolio:
• Patent Strategy: Fortinet relies on patent, trademark, copyright, and trade secret laws to protect its technology. As of December 31, 2025, it held 1,064 U.S. patents and a total of 1,405 global patents, including 321 AI-related patents, with 365 pending U.S. and foreign patent applications.
• Licensing Programs: Fortinet engages in discussions with third parties regarding IP licensing and has taken legal action to protect its IP, which has resulted in licensing fees. It also licenses software from third parties, including open source software.
• IP Litigation: The company operates in an industry characterized by frequent IP disputes and is currently involved in ongoing patent lawsuits, with an expectation of future infringement claims. Technology Partnerships: Fortinet leverages public cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud for its cloud-based offerings and services.

Leadership & Governance

Executive Leadership Team

Leadership Continuity: Fortinet's future success is dependent on the continued services and contributions of its senior management, including its co-founders. The company emphasizes succession planning and leadership development initiatives. Board Composition: As of December 31, 2025, approximately 40% of Fortinet's board of directors were women, and approximately 60% were from underrepresented communities. The board actively oversees corporate sustainability initiatives. In July 2024, a dedicated Cybersecurity Committee was formed within the board to oversee cybersecurity risk management.

Human Capital Strategy

Workforce Composition (as of December 31, 2025):

• Total Employees: 15,109 employees, representing a 7% increase from 14,138 in 2024.
• Geographic Distribution: Approximately 30% of employees are in the United States, 20% in Canada, and 50% are located outside of the United States and Canada, primarily in Europe, Middle East and Africa (EMEA). Fortinet does not conduct manufacturing or research and development activities in China.
• Skill Mix: Approximately two-thirds of the engineering workforce is dedicated to software development, with the remainder focused on hardware development.

Talent Management: Acquisition & Retention:

• Hiring Strategy: Fortinet prioritizes attracting and retaining highly skilled personnel, particularly in engineering, sales, and marketing roles within the network security sector.
• Employee Value Proposition: The company offers competitive compensation and benefits, including base pay, incentive compensation, opportunities for equity ownership, and comprehensive employee benefits that support overall well-being. Diversity & Development:
• Diversity Metrics: As of December 31, 2025, women constituted approximately 40% of the board of directors, and approximately 60% of the board members were from underrepresented communities.
• Development Programs: The Fortinet Training Institute provides training and certification programs for customers, partners, and employees. Its Education Outreach Program aims to diversify the cybersecurity talent pool, including initiatives like the Veterans Program Advisory Council and offering a free Security Awareness Curriculum to primary and secondary schools. Fortinet is involved in over 890 education partnerships across more than 100 countries.
• Culture & Engagement: Fortinet's culture is built on ethics and integrity, reinforced by a Code of Business Conduct and Ethics, regular compliance training, and executive communication of core values: openness, teamwork, and innovation. Employee engagement initiatives include a company matching program for charitable contributions and paid volunteering days.

Environmental & Social Impact

Environmental Commitments: Climate Strategy:

• Emissions Targets: Fortinet is on a decarbonization path to achieve zero emissions for its Scope 1 and Scope 2 emissions by 2030.
• Carbon Neutrality: The company is committed to reaching zero emissions for Scope 1 and Scope 2 by 2030.
• Renewable Energy: Not explicitly mentioned in the filing. Supply Chain Sustainability:
• Supplier Engagement: Fortinet's Trusted Supplier Program (TSP) adheres to National Institute of Standards and Technology Special Publications (NIST SP) 800-161, ensuring a qualified and trusted supplier base through thorough security assessments and continuous monitoring.
• Responsible Sourcing: The company addresses compliance with "conflict minerals" regulations under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, incurring costs for sourcing data and due diligence. Social Impact Initiatives:
• Community Investment: Fortinet's Education Outreach Program focuses on creating a diverse cybersecurity talent pool, including a Veterans Program Advisory Council and offering a free Security Awareness Curriculum to primary and secondary schools. It participates in public-private partnerships, such as the World Economic Forum’s Cybersecurity Talent Framework.
• Product Impact: Not explicitly mentioned in the filing.

Business Cyclicality & Seasonality

Demand Patterns:

• Seasonal Trends: Fortinet's quarterly results typically show increased customer buying at year-end, which positively impacts billings and product revenue in the fourth quarter. The first quarter generally experiences lower sequential product buying, followed by increases in the second and third quarters. A significant portion of product revenue is generated in the final month and last two weeks of each quarter.
• Economic Sensitivity: The business is sensitive to global and regional economic conditions, including economic downturns, recessions, inflation, changing interest rates, and geopolitical instability. These factors can lead to longer sales cycles, lower prices, increased component costs, reduced unit sales, and slower growth.
• Industry Cycles: Fortinet anticipates a significant firewall refresh and upgrade cycle in the coming years, which presents a strategic opportunity for expanding its market footprint. Planning & Forecasting: Inventory management is a complex area, particularly during periods of supply chain disruption. Accurate forecasting of inventory requirements and demand is challenging due to variable channel partner ordering patterns, product shortages, and the introduction of new products.

Regulatory Environment & Compliance

Regulatory Framework: Industry-Specific Regulations: Fortinet is subject to a broad range of regulations from federal, state, regional, local, and foreign governmental agencies. These include laws governing employment, workplace safety, product safety, product labeling, environmental protection, consumer protection, anti-bribery, data privacy, import and export controls, securities, and tax.

• International Compliance: The company navigates stringent data handling requirements under the General Data Protection Regulation (GDPR) in the EU, the EU Data Act (data and cloud service interoperability), the EU’s Network and Information Security Directive II (resilience and incident response), and the Digital Operational Resilience Act (DORA) for the financial sector. Compliance with these evolving regulations can impact business operations and financial results. Trade & Export Controls:
• Export Restrictions: Due to the incorporation of encryption technology, certain products are subject to U.S. export controls, requiring specific licenses or exceptions, or may be prohibited from export to certain countries (e.g., Russia and Belarus). Various countries also regulate the import of encryption technology.
• Sanctions Compliance: Fortinet adheres to U.S. economic sanctions that prohibit shipments to embargoed or sanctioned countries, governments, and persons. Legal Proceedings:
• Material Litigation: Fortinet is involved in legal proceedings, including:
  • Securities class actions filed in September and October 2025 (Oklahoma Firefighters Pension and Retirement System v. Fortinet, Inc., et al.; State of Rhode Island Office of the General Treasurer v. Fortinet, Inc., et al.) alleging false or misleading statements regarding business, operations, and prospects, including the 2026 firewall refresh cycle. Fortinet believes these cases are without merit.
  • Stockholder derivative complaints filed in October and December 2025 (Pittrof v. Xie, et al.; Marrinan v. Xie, et al.; Foster v. Xie, et al.; LR Trust v. Xie, et al.) alleging breach of fiduciary duty, unjust enrichment, insider trading, gross mismanagement, waste of corporate assets, and violations of Exchange Act sections.
  • An appeal by Alorica Inc. following a jury verdict in favor of Fortinet in October 2024 regarding breach of warranty and misrepresentation claims.
• Regulatory Investigations: Fortinet currently has ongoing tax audits in the United Kingdom, Canada, Germany, and several other foreign jurisdictions, primarily focusing on inter-company profit allocation.
• Settlement Exposures: Accruals for litigation contingencies are recorded when a loss is probable and reasonably estimable; as of December 31, 2025 and 2024, litigation loss contingency accruals were not material.

Tax Strategy & Considerations

Tax Profile:

• Effective Tax Rate: Fortinet's effective tax rate for 2025 was 19%, an increase from 14% in 2024.
• Geographic Tax Planning: The company is subject to income taxes in the United States and numerous foreign jurisdictions. Its effective tax rate is influenced by the geographic distribution of earnings, local tax regulations, the availability of tax credits and carryforwards, and tax planning strategies.
• Tax Reform Impact:
  • The "One Big Beautiful Bill Act" (H.R. 1), enacted July 4, 2025, made permanent certain elements of the Tax Cuts and Jobs Act, including immediate expensing of U.S. research and development expenditures and certain eligible assets, and modifications to the international tax framework. This resulted in a $120.0 million decrease in Fortinet's 2025 income tax liability but increased its GAAP effective tax rate by one percentage point.
  • Recent U.S. Treasury regulations and IRS notices regarding the foreign tax credit have favorably impacted Fortinet's ability to claim foreign tax credits for certain taxes imposed by foreign jurisdictions.
  • The Organisation for Economic Co-operation and Development's (OECD) BEPS Pillar Two global minimum tax framework had no impact on Fortinet's effective tax rate or cash flows for the tax year 2025.

Insurance & Risk Transfer

Risk Management Framework:

• Insurance Coverage: Fortinet maintains information security risk insurance coverage. It also has broad insurance programs for its properties and operating activities, with liability limits, deductibles, and self-insured retentions that are considered comparable to similarly situated companies.
• Risk Transfer Mechanisms: To mitigate foreign currency exchange risk, Fortinet engages in foreign currency risk management activities, including the use of short-term forward exchange contracts, primarily focused on the Canadian dollar, to minimize the impact of balance sheet items denominated in foreign currencies.