Fortinet, Inc. (FTNT) Business

ITEM 1.    Business

Overview

Fortinet is a leader in cybersecurity, driving the convergence of networking and security. Our mission is to secure people, devices and data everywhere. Our integrated platform, the Fortinet Security Fabric, spans secure networking, unified Secure Access Service Edge (“SASE”) and artificial intelligence (“AI”)-driven security operations (“SecOps”). As of December 31, 2025, our end-customers were located in over 100 countries and included enterprises across a wide variety of market verticals, including financial services, retail, healthcare and operational technology (“OT”) market verticals, communication and security service providers, and government organizations. As a global company headquartered in Sunnyvale, California, our research and development is centered in the United States and Canada with a global footprint of support and centers of excellence around the world. As of December 31, 2025, we held 1,064 U.S. patents and a total of 1,405 global patents, including 321 AI-related patents. We have been recognized in over 140 enterprise analyst reports demonstrating both our vision and execution across security and networking products.

Our competitive differentiation lies in our core technologies, which together provide performance, security, flexibility and integration across diverse environments.

•FortiOS—Our unified operating system enables the convergence of networking and AI-powered security to enforce consistent policies across all form factors and edges. As the foundational engine of the Fortinet Security Fabric, FortiOS empowers organizations to unify management and analytics, providing network visibility and control at scale. FortiOS includes advanced encryption and other security technologies designed to address evolving cybersecurity threats, including emerging quantum-resistant cryptographic capabilities.

•FortiASIC—Our Application-Specific Integrated Circuit (“ASIC”)-based security processing units (“SPUs”) increase the speed, scale, efficiency and value of our solutions while reducing footprint and power requirements. From branch and campus to data center solutions, SPU-powered Fortinet appliances deliver superior Security Compute Ratings versus industry alternatives.

•FortiCloud—Our organically built global cloud infrastructure provides customers with global reach, flexible connectivity and cost savings. FortiCloud is our private cloud software as a service (“SaaS”) platform, powered by FortiStack, which is our secure SaaS platform operating as a private cloud service provider and leveraging software and hardware to optimize and secure all layers.

•FortiAI—FortiAI provides a dual-layered defense across the Fortinet Security Fabric through the AI for Security and Security for AI framework. Within AI for Security, FortiAI-Assist uses generative and agentic AI to support Network Operations Center (“NOC”) and Security Operations Center (“SOC”) teams in monitoring, analysis and response activities across enterprise environments. Security for AI comprises of FortiAI-Protect and FortiAI-SecureAI. FortiAI-Protect utilizes AI/Machine Learnings (“ML”) to address AI-driven threats and zero-day attacks, and support governance over generative AI (“GenAI”) applications, FortiAI-SecureAI focus on protecting an organization’s AI infrastructure, including large language models (“LLMs”) and Application Programming Interface (“APIs”), and preventing data leakage into and out of LLMs. FortiAI protects the AI ecosystem, infrastructure, models, workloads, data and supply chains, while leveraging unified AI intelligence across the Fortinet Security Fabric to defend against threats.

•FortiEndpoint—FortiEndpoint converges secure connectivity, endpoint protection and advanced capabilities like endpoint detection and response and Universal Zero Trust Network Access (“ZTNA”), into a single agent. It simplifies management and enhances visibility while reducing costs and complexity. The solution gives IT teams the visibility and control they need, while security teams benefit from automated threat detection and response. This minimizes the need for manual intervention and provides faster remediation of threats across environments.

•OT Security—The Fortinet Security Fabric enables security for OT systems and Cyber-Physical Systems (“CPS”), including converged IT/OT architectures. Our OT Security Platform is purpose-built to protect the engineered systems that underpin critical infrastructure and supply chains around the world. This includes securing energy and utilities systems, manufacturing environments, and transportation, utilizing FortiGuard OT Security Services. These offerings include security capabilities for CPS assets and tools that support centralized NOC and SOC functions.

3

Table of Contents

These competitive differentiators provide networking and security professionals with a cyber security platform comprised of over 50 products across three solution pillars:

•Secure Networking—Our Secure Networking solutions focus on the convergence of networking and security via FortiOS, our networking and security operating system that is the foundation of our Fortinet Security Fabric platform and supports a broad range of functions that can be delivered via a physical, virtual, cloud or SaaS solutions. When delivered through our network firewall appliances, functionality is accelerated through our proprietary ASIC technology. These proprietary ASICs, allow our systems to scale, run multiple applications at higher performance, lower power consumption and perform more processor-intensive operations, such as inspecting encrypted traffic, including streaming video. Our network firewall offerings consist of a FortiGate, which can be deployed at branch, campus, data center, internal segmentation, private and public cloud to enable hybrid mesh firewall solutions, as well as encrypted applications (secure sockets layer (“SSL”) inspection, virtual private network and Internet Protocol Security connectivity). Our ability to converge networking and security also enables the ethernet to become an extension of our customers’ security infrastructure through FortiSwitch and FortiLink. FortiExtender secures 5G/LTE and remote ethernet extenders to connect and secure any branch environment. Our Secure Connectivity solution includes FortiSwitch secure ethernet switches, FortiAP wireless local area network access points and FortiExtender 5G connectivity gateways and Network Access Control (“NAC”) for securing Internet of Things (“IoT”) devices.

•Unified Secure Access Service Edge (SASE)—As applications move to the cloud and hybrid workforce is now the norm, enabling secure access for users with zero trust framework becomes important. The Fortinet Unified SASE solution includes a single-vendor SASE solution that includes firewall, SD-WAN, secure web gateway, cloud access services broker, Data Loss Prevention (“DLP”), Digital Experience Monitoring (“DEM”), Remote Browser Isolation (“RBI”) and ZTNA to deliver flexible secure access for all users. We are one of the few vendors to deliver consistent convergence and AI-powered security across Secure SD-WAN and SSE to enable a single-vendor SASE framework with a cloud-centric architecture powered by FortiOS. Our global and scalable cloud network includes over 190 PoPs to deliver a seamless secure access experience. Leveraging this global infrastructure, we believe we are well positioned to support customers expanding from SD-WAN to a single-vendor SASE platform. We also allow our customers to deploy our FortiSASE as Sovereign SASE, which provides control over the technology elements needed for a SASE solution. FortiSASE Sovereign delivers full SASE capabilities within infrastructure environments that organizations control, including on-premises, in private data centers or trusted colocation environments. Additionally, we offer a full suite of integrated cloud security solutions that enable customers to secure their applications from code to cloud. Our solutions include application security that includes web application firewalls, cloud network security with virtualized firewalls and cloud-native firewalls, cloud-native application protection and code security. We deliver a holistic approach to cloud security, offering a single unified platform, consolidating protection across multiple disparate tools, including coding, deploying, and running applications across hybrid and multi-clouds. Additionally, we also offer flexible consumption licensing programs that enable organizations to dynamically optimize their cloud security needs and investments as well as readily meet their cloud minimum spend commitment obligations with Cloud Service Providers. We continue to develop all the core SASE capabilities in a single operating system, FortiOS, including Next-Gen Firewall, SD-WAN, ZTNA, secure web gateway, cloud access security broker and DLP. This native integration of our Next-Gen Firewall, SD-WAN and SASE has become the New-Generation SASE Firewall.

•AI-Driven Security Operations (SecOps)—Our AI-Driven SecOps portfolio provides a suite of cybersecurity solutions that identify, protect, detect, respond and recover from threats, all integrated within the Fortinet Security Fabric. At the core is FortiAnalyzer, which serves as the central SOC platform with its unified data lake that provides: built-in security information and event management (“SIEM”); security, orchestration, automation, and response (“SOAR”); XDR and threat intelligence, enabling centralized visibility, analytics and automation with complete control. FortiSIEM delivers security information and event management for more advanced SOC requirements, while FortiSOAR enables automated orchestration and playbook-driven response. This solution set also includes FortiEndpoint, FortiNDR, FortiSandbox, FortiDeceptor, FortiDLP and FortiRecon, helping organizations achieve defense in depth, ensuring attackers face multiple layers of detection and mitigation across endpoints, networks, and applications. To bolster their security posture, organizations contending with staff shortages can tap into FortiGuard services, including SOC-as-a-Service (“SOCaaS”), Managed detection and response (“MDR”), Security Posture Assessment and Incident Response. Finally, FortiAI generative AI assistance streamlines operations, helping security teams stay ahead of an ever-evolving threat landscape.

FortiGuard Labs is our cybersecurity threat intelligence and research organization comprised of experienced threat hunters, researchers, analysts, engineers and data scientists who develop and utilize ML and AI technologies to provide timely protection updates and actionable threat intelligence for the benefit of our customers. Using millions of global network sensors, FortiGuard Labs monitors the worldwide attack surface and employs AI to mine that data for new threats.

FortiGuard and Other Security Services are a suite of AI-powered security capabilities that are natively integrated as part of the Fortinet Security Fabric to deliver coordinated detection and enforcement across the entire attack surface. The

4

Table of Contents

portfolio consists of FortiGuard application security services, content security services, device security services, NOC/SOC security services and web security services.

FortiCare Technical Support Service is a technical support service, which provides customers access to experts to ensure efficient and effective operations and maintenance of their Fortinet solution. Global technical support is offered 24x7 with flexible add-ons, including enhanced service-level agreements (“SLAs”) and priority hardware replacement through in-country and local depots. Organizations have the flexibility to procure different levels of service for different solutions based on their availability needs. We offer three support options tailored to the needs of our enterprise customers: FortiCare Elite, FortiCare Premium and FortiCare Essential. The FortiCare Elite service aims to provide a 15-minute response time for key product families.

In addition to FortiCare solution based services, Advanced Support service options are available per account. These services are available for regional account support in three options: Core, Pro and Pro Plus, and can be available or provided on a global basis at the Pro and Pro Plus levels. Advanced Support brings support directly to each account, helping account holders to make their operations more effective and to plan and manage their solution lifecycle.

Additionally, we are committed to addressing the cybersecurity skills shortage through training and certification programs for customers, partners and employees. The Fortinet Training Institute’s ecosystem of public and private partnerships around the world extend to industry, academia, government and nonprofits to ensure we are reaching and increasing access of our cybersecurity certifications and training to all populations. The Fortinet Training Institute has issued approximately two million certifications to date.

During the year ended December 31, 2025, we generated total revenue of $6.80 billion and net income of $1.85 billion. See Part II, Item 8 of this Annual Report on Form 10-K for more information on our consolidated balance sheets as of December 31, 2025 and 2024 and our consolidated statements of income, comprehensive income, stockholders’ equity (deficit), and cash flows for each of the three years ended December 31, 2025, 2024 and 2023.

We were incorporated in Delaware in November 2000. Our principal executive office is located at 909 Kifer Road, Sunnyvale, California 94086, and our telephone number at that location is (408) 235-7700.

Industry Background: The Trends Driving the Need for a Platform Approach

Modern networks are increasingly complex, spanning many edges as well as a mix of cloud and on-premises deployments. We were founded with the mission of providing a converged networking and security approach that empowers organizations to adopt new technologies without worrying about how it would impact their ability to manage and secure their environments. The escalating threat landscape has resulted in a significant increase in the demand for secure networking solutions. In fact, we believe the demand for secure networking will overtake the pure networking market by 2030. At the same time, businesses contend with an escalating threat landscape, a cybersecurity skills shortage, and siloed security tools that do not work well together. They need to consolidate point products to gain better visibility and faster threat response times.

A platform approach–what we call the Fortinet Security Fabric–has emerged to address these challenges and support enterprises in reducing complexity and improving risk mitigation. The concept of an integrated cybersecurity platform that converges networking and security and consolidates point products is what guides how we design our products and advise our customers and partners.

As organizations continue to modernize their cybersecurity infrastructure, we anticipate a significant firewall refresh and upgrade cycle in the coming years. Given our platform approach, this refresh presents a strategic opportunity to expand our footprint within existing customer environments. By leveraging our integrated security and networking capabilities, we can drive opportunities across our broader portfolio, including LAN, SD-WAN, SASE, Cloud-Native Application Protection Platform (“CNAPP”) and SecOps solutions. With a unified management console, we enable consistent security policies, simplified operations, and an improved user experience across on-premises, cloud, and hybrid deployments. This approach strengthens security effectiveness and helps reduce complexity and total cost of ownership.

Customers

Our end-customers are located in over 100 countries and include small, medium and large enterprises and government organizations across a wide range of industries, including financial services, government, manufacturing, retail, technology, education, healthcare and telecommunications. An end-customer deployment may involve as few as one or as many as dozens of different types of integrated products and services from across our broad portfolio that spans secure networking, unified SASE, and security operations. Depending on the solution or form factor purchased, customers may also access our products via the cloud through our data centers and PoPs, third-party colocations and cloud providers such as Amazon Web Services,

5

Table of Contents

Microsoft Azure and Google Cloud. Often, our customers also purchase our FortiGuard and other security subscription services and FortiCare technical support services. Refer to Note 15. Segment Information in Part II, Item 8 of this Annual Report on Form 10-K for distributor customers accounted for 10% or more of our revenue or net accounts receivable.

Sales and Marketing

We primarily sell our products and services through a two-tier distribution model. We sell to distributors that sell to resellers and to service providers and managed security service providers (“MSSPs”), who, in turn, sell products and/or services to end-customers. In certain cases, we sell directly to large service providers, major systems integrators and large end users. We work with many technology distributors, including Arrow Electronics, Inc., Exclusive, Ingram Micro, and TD Synnex. In addition, we provide our cloud-based subscription offerings through Fortinet-owned data centers and PoPs, as well as data centers operated under colocation arrangements globally, and via public cloud providers.

We support our channel partners with a dedicated team of experienced channel account managers, sales professionals and sales engineers who provide business planning, joint marketing strategy, pre-sales and operational sales support. Additionally, our sales teams help drive and support large enterprise and service provider sales through a direct touch model. Our sales professionals and engineers typically work closely with our channel partners and directly engage with large end-customers to address their unique security and deployment requirements. To support our broadly dispersed global channel and end-customer base, we have sales professionals in over 100 countries around the world.

Our marketing strategy is focused on building our brand, driving thought leadership with emphasis on the criticality of cybersecurity platform adoption and the convergence of security and networking as well as driving end-customer demand for our security solutions. We use a combination of internal marketing professionals and our network of regional and global channel partners. Our internal marketing organization is responsible for messaging, branding, demand generation, product marketing, channel marketing, partner incentives and promotions, event marketing, digital marketing, communications, analyst relations, public relations, and sales enablement. We focus our resources on campaigns, programs, and activities that can be leveraged by partners worldwide to extend our marketing reach, such as sales tools and collateral, product awards and technical certifications, media engagement, training, regional seminars and conferences, webinars, and various other demand-generation activities.

Manufacturing and Suppliers

We outsource the manufacturing of our security appliance products to a variety of contract manufacturers and original design manufacturers. Our current manufacturing partners include Accton Technology (“Accton”), IBASE Technology, Inc. (“IBASE”), Micro-Star International Co. (“Micro-Star”), Senao Networks, Inc. (“Senao”), Wistron Corporation (“Wistron”), and a number of other manufacturers. Approximately 87% of our hardware is manufactured in Taiwan. We submit purchase orders to our contract manufacturers that describe the type and quantities of our products to be manufactured, the delivery date and other delivery terms. Once our products are manufactured, they are sent to either our warehouse in California, our warehouse in the Netherlands or to our logistics partner in Taoyuan City, Taiwan, where accessory packaging and quality-control testing are performed. We believe that outsourcing our manufacturing and a substantial portion of our logistics enables us to focus resources on our core competencies. Our proprietary ASICs, which are key to the performance of our appliances, are built by contract manufacturers including Toshiba America Electronic Components, Inc. (“Toshiba America”) and Renesas Electronics America, Inc. (“Renesas”). These contract manufacturers use foundries in Taiwan and Japan operated by either Taiwan Semiconductor Manufacturing Company Limited (“TSMC”) or by the contract manufacturer itself.

The components included in our products are sourced from various suppliers by us or, more frequently, by our contract manufacturers. Some of the components important to our business, including certain Central Processing Units (“CPUs”) from Intel Corporation (“Intel”) and Advanced Micro Devices, Inc. (“AMD”), network and wireless chips from Broadcom Inc. (“Broadcom”), Marvell Technology Group Ltd. (“Marvell”), Qualcomm Incorporated (“Qualcomm”) and Intel and memory devices from Intel, Micron Technology (“Micron”), ADATA Technology Co., Ltd. (“ADATA”), Toshiba Corporation (“Toshiba”), Samsung Electronics Co., Ltd. (“Samsung”), and Western Digital Technologies, Inc. (“Western Digital”), are available from limited or sole sources of supply.

We have no long-term contracts related to the manufacturing of our ASICs or other components that guarantee any capacity or pricing terms.

Additionally, we manage global memory component supply through diversified sourcing arrangements, strategic inventory planning and coordination with key supply chain partners. Memory components are obtained from multiple suppliers, and we continuously monitor availability, lead times and logistics conditions to support manufacturing continuity and delivery schedules. These actions are intended to mitigate supply volatility and maintain operational flexibility.

6

Table of Contents

Our supply chain plays a critical role in providing safety for our customers and protection for our brand. Supply chain security management begins with establishing control of a qualified supplier base, which provides qualified and trusted components for use in design, development, manufacturing and post-sale product support.

Our Trusted Supplier Program (“TSP”) was developed in accordance with the requirements defined in National Institute of Standards and Technology Special Publications (“NIST SP”) 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations and other directives as periodically established by the U.S. government for securing the Information and Communication Technology Services supply chain, in response to increasing customer demand for transparency in the security of the hardware, firmware and software that is included in our products and to comply with U.S. government directives.

We conduct a thorough security assessment of our key TSP partners to ensure they satisfactorily comply with applicable controls established by NIST SP 800-161, and work side by side with them to remediate gaps and monitor their security posture.

Research and Development

We focus our research and development efforts on developing new hardware and software products and services, and adding new features to existing products, services and operating systems. Our development strategy is to identify features, products and systems for both software and hardware that are, or are expected to be, important to our end-customers. Our success in designing, developing, manufacturing and selling new or enhanced products will depend on a variety of factors, including identification of market demand for new products or new features, components selection, timely implementation of product design and development, product performance, quality, ease of use, costs of development, bill of materials, delivery models, effective manufacturing and assembly processes and sales and marketing.

Fortinet Secure Product Development Life Cycle

We recognize that supply chain security is an increasingly important dimension of cybersecurity and enterprise risk management. We are committed to implementing a comprehensive approach to protecting the security and integrity of our products throughout the product design, development, manufacturing, delivery and support processes.

We manage a coordinated program across our engineering, manufacturing, technical services teams, together with our suppliers and channel partners, to ensure the security of our supply chain.

•We develop our own Network Processors, Content Processors and System-on-Chip Application-Specific Integrated Circuits technology in-house.

•Our research and development is conducted primarily in the United States and Canada. We do not perform source code development or internal research and development in Russia or China.

•We operate a Trusted Supplier Program with a rigorous selection and qualification of manufacturing partners, adhering to National Institute of Standards and Technology (“NIST”) 800-161.

•We implement technical measures to prevent malware and rogue components that could compromise functionality.

•We provide technical support from dedicated Fortinet regional centers.

•We leverage application of secure development best practices (including NIST 800-53, NIST 800-160, NIST 800-218, US Executive Order 14028, and UK Telecoms Security Act).

•We conduct regular patch release cycles and operate a notification service to support and encourage customers to apply security patches.

We pursue and maintain a broad portfolio of product and information security certifications available at the Fortinet Trust Site.

7

Table of Contents

Intellectual Property

We rely primarily on patent, trademark, copyright and trade secrets laws, confidentiality procedures and contractual provisions to protect our technology. We periodically have discussions with third parties regarding licensing our intellectual property (“IP”) and have sometimes taken legal action against competitors to protect our IP, and as a result third parties have paid us fees in return for licenses or covenants-not-to-sue related to Fortinet IP. As of December 31, 2025, we had 1,064 U.S. and a total of 1,405 global patents, and 365 pending U.S. and foreign patent applications. We also license software from third parties for inclusion in our products, including open source software and other software.

Despite our efforts to protect our rights in our technology, unauthorized parties may attempt to copy aspects of our products or obtain and use information and technology that we regard as proprietary. We generally enter into confidentiality agreements with our employees, consultants, vendors and customers, and generally limit access to and distribution of our proprietary information. However, we cannot provide assurance that the steps we take will prevent misappropriation of our technology. In addition, the laws of some foreign countries do not protect our proprietary rights to as great an extent as the laws of the United States, and many foreign countries do not enforce these laws as diligently as government agencies and private parties in the United States.

Our industry is characterized by the existence of a large number of patents and frequent claims and related litigation regarding patent and other IP rights. Third parties have asserted, are currently asserting and may in the future assert patent, copyright, trademark or other IP rights against us, our channel partners or our end-customers. Successful claims of infringement by a third-party could prevent us from distributing certain products or performing certain services or require us to pay substantial damages (including treble damages if we are found to have willfully infringed patents or copyrights), royalties or other fees. Even if third parties offer a license to their technology, the terms of any offered license may not be acceptable and the failure to obtain a license or the costs associated with any license could cause our business, operating results or financial condition to be materially and adversely affected. In certain instances, we indemnify our end-customers, distributors and resellers against claims that our products infringe the IP of third parties.

Government Regulation

We are subject to regulation by various federal, state, regional, local and foreign governmental agencies, including agencies responsible for monitoring and enforcing employment and labor laws, workplace safety, security and security certifications, product safety, product labeling, environmental laws, consumer protection laws, anti-bribery laws, data privacy laws, import and export controls and tariffs, securities laws and tax laws and regulations. Many of the laws and regulations that are or may be applicable to our business are changing or being tested in courts and could be interpreted in ways that could adversely impact our business and additional laws and regulations applicable to our business may be enacted. In addition, the application and interpretation of these laws and regulations often are uncertain, particularly in the industry in which we operate. We believe we take reasonable steps designed to ensure we are in compliance with current laws and regulations and do not expect continued compliance to have a material impact on our capital expenditures, earnings, or competitive position. We continue to monitor existing and pending laws and regulations and while the impact of regulatory changes cannot be predicted with certainty, we do not currently expect compliance to have a material adverse effect.

Seasonality

For information regarding seasonality in our sales, see the section entitled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Seasonality, Cyclicality and Quarterly Revenue Trends” in Part II, Item 7 of this Annual Report on Form 10-K.

Competition

The markets for our products are extremely competitive and are characterized by rapid technological change. The principal competitive factors in our markets include:

•product security performance, throughput, features, effectiveness, interoperability and reliability;

•addition and integration of new networking and security features and technological expertise;

•compliance with industry standards and security and other certifications;

•price of products and services and total cost of ownership;

8

Table of Contents

•brand recognition;

•customer service and support across varied and complex customer segments and use cases;

•sales and distribution capabilities;

•size and financial stability;

•breadth of product line;

•form factor of the solution; and

•other competitive differentiators.

Among others, our competitors include Check Point Software Technologies Ltd. (“Check Point”), Cisco Systems, Inc. (“Cisco”), CrowdStrike Holdings, Inc. (“CrowdStrike”), F5 Networks, Inc. (“F5 Networks”), Hewlett-Packard Enterprise (“HPE”), Huawei Technologies Co., Ltd. (“Huawei”), Microsoft Corporation (“Microsoft”), Netskope Inc. (“Netskope”), Palo Alto Networks, Inc. (“Palo Alto Networks”), SonicWALL, Inc. (“SonicWALL”), Sophos Group Plc (“Sophos”) and Zscaler, Inc. (“Zscaler”).

We believe we compete favorably based on our products’ security performance, throughput, reliability, breadth and ability to work together, our ability to add and integrate new networking and security features and our technological expertise. Several competitors are significantly larger, have greater financial, technical, marketing, distribution, customer support and other resources, are more established than we are, and have significantly better brand recognition. Some of these larger competitors have substantially broader product offerings and leverage their relationships based on other products or incorporate functionality into existing products in a manner that discourages users from purchasing our products. Other, often smaller competitors, may intensely focus on a small group of point solutions and be positioned as a leader in discrete technologies that we compete with. Based in part on these competitive pressures, we may lower prices or attempt to add incremental features and functionalities to our products.

Conditions in our markets could change rapidly and significantly as a result of technological advancements, market consolidation or de-consolidation, supply chain constraints, price list or discount changes or inflation. The development and market acceptance of alternative technologies could decrease the demand for our products or render them obsolete. Our competitors may introduce products that are less costly, provide superior performance, are better marketed, or achieve greater market acceptance than our products. Additionally, our larger competitors often have broader product lines and are better positioned to withstand a significant reduction in capital spending by end-customers, and will therefore not be as susceptible to downturns in a particular market. The above competitive pressures are likely to continue to impact our business. We may not be able to compete successfully in the future, and competition may harm our business.

Human Capital Management

As of December 31, 2025, our total headcount was 15,109 employees, approximately 30% of whom were employed in the United States, approximately 20% of whom were employed in Canada and approximately 50% of whom were employed outside of the United States and Canada, primarily in Europe, Middle East and Africa (“EMEA”), consistent with our customer base. We do not own any manufacturing or research and development activities in China.

Our employees are the foundation of our innovation and cybersecurity leadership for the benefit of our customers. We understand there is a shortage of highly skilled employees for security companies like ours, and we believe that our success and competitive advantage depends largely on our ability to continue to attract and retain highly skilled employees. We believe we offer fair, competitive compensation and benefits, and we encourage a merit-based and inclusive culture. Our compensation programs for our employees include base pay, incentive compensation, opportunities for equity ownership where local statutes allow and employee benefits that promote well-being across different aspects of our employees’ lives, which may include health and welfare insurance, retirement benefits and paid time off.

As a global company, we value diversity of experience, skills and backgrounds across our workforce. Such commitment starts at the top, with a highly skilled and diverse board of directors. As of December 31, 2025, women represented approximately 40% of the members of our board of directors, and approximately 60% of our board of directors was from underrepresented communities.

9

Table of Contents

We are also committed to community engagement and social responsibility with regards to our employees and beyond, and our board of directors has active oversight of such initiatives. Examples of our initiatives focused on our employees include our company matching program for employee charitable contributions, paid volunteering days (where applicable) and the free security training programs we offer to help with career development for our employees, in addition to the general public.

Our culture is defined by our commitment to ethics and integrity. We reinforce our ethical “tone at the top” through clear policies including our Code of Business Conduct and Ethics, regular compliance training for our employees, quarterly meetings of our cross-functional Ethics Committee, clear messaging from our executives, enforcement of company policies and oversight by our board of directors. In addition, our Chief Executive Officer regularly communicates the importance of our core values of openness, teamwork and innovation.

None of our U.S. employees are represented by a labor union. Our employees in certain European and Latin American countries, however, have the right to be represented by external labor organizations if they maintain up-to-date union membership. We have not experienced any work stoppages, and we consider our relations with our employees to be good.

Corporate Sustainability

We are committed to responsible corporate sustainability practices and having a positive impact on the sustainability of our society and planet. We are a member of the Dow Jones Sustainability Indices — World and North America, and report to both Carbon Disclosure Project (“CDP”) and Ecovadis. Our approach to corporate sustainability is based on a strong corporate governance structure, starting with the Governance and Social Responsibility Committee (the “GSR Committee”) of our board of directors, which provides oversight of our Corporate Social Responsibility (“CSR”) strategy, initiatives and execution related to corporate sustainability matters. Our senior leadership sponsors the integration of CSR priorities via a CSR Committee, comprised of cross-functional team of senior leaders that drives CSR initiatives and functionality across the company including engaging with internal and external stakeholders to lead CSR execution, communications and disclosure via an annual Sustainability Report.

We recognize that environmental considerations such as climate change, resource scarcity and the energy crisis are top priorities for the future of our planet. We are committed to helping address climate change impacts and minimizing the environmental footprint of our solutions, operations and our broader value chain. We have completed our validation process and have been approved by the Science Based Targets Initiatives for a near-term target. We are engaged on a decarbonization path to reach zero emissions for our Scope 1 and Scope 2 emissions by 2030. In 2025, we maintained the ISO 14001 certification we obtained in 2023 for our largest company-owned warehouse in Union City, California, and have continued to be a leader on energy efficiency with the launch of our SP5 ASIC and our FortiGate-90G model. We have been certified to Environmental Product Declarations for our FortiGate 50G family. We also disclose our Scope 3 emissions, across all 12 relevant categories, as part of our annual reporting on sustainability.

We are committed to empower individuals within our organization and across the security industry to reach their full potential. We continue to focus on skilling, upskilling and reskilling individuals. As part of our Education Outreach Program, which focuses on creating a more diverse cybersecurity talent pool, we launched the Veterans Program Advisory Council to help build on the Veterans Program’s success in providing more cybersecurity training pathways for military veterans across the United States, the United Kingdom, Canada, Australia and New Zealand. We offered our Security Awareness Curriculum at no cost to primary and secondary schools across the same countries. We are involved in over 890 education partnerships across more than 100 countries and participates in public-private partnerships, including the World Economic Forum’s Cybersecurity Talent Framework.

Our approach to responsible business is based on strong corporate governance practices that aim to ensure accountability while meeting our responsibilities across our value chain, starting with our employees. Our board of directors regularly reviews our governance practices and in 2024 we formed our GSR committee which combined our Governance Committee with the Social Responsibility Committee to GSR Committee. Our Codes of Conduct apply to employees, partners and suppliers, and we have compliance trainings and controls in place. We have a risk management committee and steering committee to further enhance our anti-corruption program and we employ a thorough screening process for partners and suppliers, including continuous monitoring in high-risk zones, and resolution process for risk mitigation.

Available Information

Our website is located at https://www.fortinet.com, and our investor relations website is located at https://investor.fortinet.com. The information posted on our website is not incorporated by reference into this Annual Report on Form 10-K. Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Securities Act of 1933, as amended (the “Securities Act”), are available free of charge on our investor relations website as soon as reasonably practicable after we electronically file such

10

Table of Contents

material with, or furnish it to, the Securities and Exchange Commission (the “SEC”). You may also access all of our public filings through the SEC’s website at https://www.sec.gov.

We webcast our earnings calls and certain events we participate in or host with members of the investment community on our investor relations website. Additionally, we provide notifications of news or announcements regarding our financial performance, including SEC filings, investor events and press and earnings releases, as part of our investor relations website. The contents of these websites are not intended to be incorporated by reference into this report or in any other report or document we file.