1,200 arrests, 11,400 takedowns, one report: what Fortinet's 2025 sustainability disclosure actually says

Written By Sindhu V Kashyap

Somewhere in Zambia last year, 65,000 people lost an estimated $300 million to an online investment fraud operation sophisticated enough to also run a parallel human trafficking network. In Côte d'Ivoire, a transnational inheritance scam originating in Germany had already cost victims $1.6 million. In Angola, 60 Chinese nationals were running 25 illegal cryptocurrency mining centres beneath the radar of local authorities. None of these operations were small. None of them was new. And none of them were stopped by any single government or company acting alone.

They were stopped, in part, by Fortinet.

This month, the company published its 2025 Sustainability Report, arriving on Fortinet's 25th anniversary and reading less like a corporate compliance filing than a reckoning with what it means to run critical digital infrastructure for 85% of the Fortune 100 at $6.8 billion in annual revenue. "As cyber threats evolve, so does our responsibility to protect people, organisations, and society," wrote Meera Ramanathan, the company's head of CSR. The report is, in essence, Fortinet's answer to a question the cybersecurity industry has been circling for years: when the systems you protect are the same systems society depends on, where does commercial obligation end and public responsibility begin?

When one company can't do it alone

The Zambia, Côte d'Ivoire, and Angola cases were among the outcomes of Operation Serengeti 2.0, an INTERPOL-led campaign spanning 18 African nations and the United Kingdom that Fortinet supported as a Gateway partner. FortiGuard Labs supplied indicators of compromise, command-and-control infrastructure data, and forensic intelligence to enable coordinated cross-border investigations. The final count: more than 11,400 malicious infrastructure sites dismantled, over 1,200 arrests, approximately 88,000 victims identified, and $97.4 million recovered.

INTERPOL Secretary General Valdecy Urquiza credited the architecture of sustained collaboration for the results. "Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing, and developing investigative skills across member countries," he said. "This global network is stronger than ever, delivering real outcomes and safeguarding victims."

What made the operation possible was not just intelligence but the relationships behind it. Fortinet has been an INTERPOL partner since 2015. It co-founded the Cyber Threat Alliance, which in 2025 distributed over 500,000 threat observables daily to member organisations. Through the World Economic Forum's Cybercrime Atlas initiative, it helped grow participation from 22 to 30 organisations across more than 40 countries, contributing more than 17,000 community-vetted data points and supporting four cross-border disruption operations. In 2025, it also launched, with Crime Stoppers International, the Global Cybercrime Bounty programme — the first anonymous, citizen-powered platform for reporting cybercriminal activity — on the premise that the volume of modern cybercrime has outpaced what institutional law enforcement can absorb without civilian intelligence feeding into it.

The scale of that premise is not rhetorical. Over 48,000 CVEs were published globally in 2025, a 20% increase on the prior year. Cybercriminals are deploying weaponised AI, voice cloning, and Cybercrime-as-a-Service models that lower the technical barrier for would-be attackers to near zero. Criminal networks are increasingly blending cyber and physical crime, as illustrated by the case in Zambia.

Preparing for threats that do not yet exist

There are dangers the company is readying for that have not yet fully arrived. Quantum computing poses what the industry calls the "harvest now, decrypt later" problem: adversaries collecting encrypted data today with the intention of decrypting it once quantum capability catches up. For organisations in government, healthcare, and financial services, where data must remain protected for decades, the window for action is now, not when the threat materialises.

In 2025, Fortinet advanced quantum-safe capabilities across FortiOS, introducing post-quantum cryptography algorithms including NIST-approved ML-KEM alongside hybrid encryption and quantum key distribution. The transition is available to existing customers at no additional cost. The company also introduced a Secure AI Data Center solution that combines protections for AI infrastructure with quantum-safe security, recognising that the two most consequential technology transitions of the coming decade are likely to collide in ways current architectures are not designed to handle.

Chris Gibson, CEO of incident response organisation FIRST, of which Fortinet is the only founding partner from the cybersecurity industry, described the company's posture in broader terms. "Fortinet's leadership demonstrates their commitment to strengthening cybersecurity knowledge across industries and borders," he said. "Together, we're building communities grounded in internationally recognised best practices that will enhance incident-response capabilities across the globe."

Transparency as product policy

Fortinet's CISO Carl Windsor made a pointed observation in the report about how the industry misreads its own metrics. "A common misconception is that a larger number of vulnerabilities reported publicly is a sign of weaker security," he wrote. "The real measure of security is not the number of vulnerabilities, but how quickly and transparently a company identifies, communicates, and fixes them to protect customers."

In 2025, 56% of Fortinet's vulnerabilities were identified internally, before external observation or exploitation. The company launched a private bug-bounty programme through HackerOne backed by a reward pool of up to $1 million, with plans to open it publicly in 2026, and led the development of the Cyber Threat Alliance's Responsible Vulnerability Communication Policy, a cross-industry framework for more systematic disclosure practices. Approximately 1.5 million devices were updated using the auto-update feature since its introduction in 2024.

The environmental cost of hardware decisions

The consequences of hardware decisions made today will be felt across decades of installed infrastructure. In 2025, Fortinet became the first cybersecurity company to publish Environmental Product Declarations for its networking and security hardware, standardised, third-party-verified documents that disclose environmental impact across the full product lifecycle. The energy efficiency trajectory for the 2025 product generation is up to 62% lower consumption than the prior generation, with the FortiGate 700G series consuming 7 times less energy per gigabit of traffic than the devices it replaces. For a company whose hardware sits in hundreds of thousands of enterprise networks globally, those improvements compound at scale. Approximately 91.6 metric tonnes of plastic were removed from product packaging during the year, and Fortinet completed its first comprehensive climate scenario analysis, mapping physical and transition risks through 2040 under the TCFD framework.

Since 2022, Fortinet has trained 914,800 people in cybersecurity, 91% of its target of one million by the end of 2026. The curriculum runs from K-12 digital safety programmes to professional certification tracks, a Veterans programme offering free training to service members and military spouses, and 110 new academic partnerships launched in 2025. The global cyber skills gap remains structurally acute; the World Economic Forum's Global Risks Report ranks cyber insecurity among the top short- and long-term global risks precisely because organisations frequently cannot hire their way to adequate posture regardless of budget.

Governing what you've built

It is in the governance disclosures that the report's internal reckoning is most visible. Fortinet established a formal AI Governance Committee in 2025 and published its Principles for Responsible AI Use and Development, formalising oversight of a capability it has been building into its products for more than 15 years. "Responsible innovation and strong governance are more important than ever," Ramanathan wrote. The company reported 99% of employees completing annual Trust and Compliance training, with 100% completion among distributors and top contract manufacturers representing more than 90% of spend.

Fortinet carries an MSCI ESG Rating of AAA and a Sustainalytics ESG Risk Rating assessed as Low Risk. The report aligns with the GRI Standards, SASB Standards, TCFD framework, and UN Sustainable Development Goals. Founded in Sunnyvale, California in 2000, the company now employs more than 15,100 people across more than 100 locations and holds over 1,400 issued patents, including more than 550 in AI. Twenty-five years in, the report's implicit argument is that the company Fortinet has become is one for which the older, simpler definitions of corporate responsibility no longer quite fit.

Sindhu V Kashyap

Global Technology Journalist & Multimedia Storyteller | Covering Founders, Investors & Leaders Reshaping Tech | Writer · Interviewer · Moderator · Editor

Previous

AI security auditors can be fooled by code they cannot see past
Next

China-aligned hackers exposed after leaving Slack and Discord logs intact during Mongolia espionage campaign