// Trust & Security Report
Fortinet, Inc. (acquired Lacework, Inc. August 2024)
FortiCNAPP (Cloud-Native Application Protection Platform) - comprehensive cloud security suite combining CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection Platform), CIEM (Cloud Infrastructure Entitlement Management), CDR (Cloud Detection and Response), and code security (SAST, SCA, IaC scanning).
Certifications held
8
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.fortinet.com“SOC 2 (listed as a Fortinet corporate compliance certification in the Compliance section of Fortinet's Trust Resource Center). Note: this is a Fortinet, Inc. corporate certification; a FortiCNAPP/Lacework product-specific SOC 2 Type II report post-acquisition was not independently confirmed. The prior proof quote was a pre-acquisition 2018 Lacework press release from a third-party newswire, not the vendor's own domain.”
Verify on trust.fortinet.com“ISO/IEC 27001 (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification). SOCaaS certified in both ISO27001 and SOC 2') does not appear on the cited product-certifications page and was fabricated.”
Verify on trust.fortinet.com“ISO/IEC 27017:2015 (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification).”
Verify on trust.fortinet.com“ISO/IEC 27018:2019 (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification).”
Verify on fortinet.com“We are committed to complying with the GDPR and supporting our partners and customers in their efforts to comply with the GDPR.”
Verify on trust.fortinet.com“CSA STAR (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification).”
Verify on trust.fortinet.com“ISO 9001:2015 (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification).”
Verify on trust.fortinet.com“Common Criteria (listed as a Fortinet certification on Fortinet's Trust Resource Center and product-certifications pages; applies to select Fortinet security products, not necessarily FortiCNAPP).”
> Show 2 unconfirmed / not-held certifications
source: trust.fortinet.comHIPAA appears as a compliance item in the Compliance section of Fortinet's Trust Resource Center, but there is no formal 'HIPAA certification' (HIPAA is a US regulation, not a certifiable standard). FortiCNAPP offers HIPAA compliance-mapping as a product feature (see products/notes); this is not a vendor certification. No public evidence of a vendor HIPAA attestation for the product.
source: fortinet.comThis is a FortiCNAPP product feature (compliance mapping), not a vendor certification.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Multiple regions with regional data hosting options. Lacework's historical policy mentioned EU data hosted in Frankfurt, APAC data in Australia. Now subject to Fortinet's data residency policies.
Fortinet's privacy policy does not explicitly address ML/AI model training on customer data or opt-out mechanisms. The policy states Fortinet may use data 'to analyze and improve the Fortinet Services, including responding to new threats and developing new features' but does not specify whether this includes training ML models. For Processor Data (customer data Fortinet handles), companies must request choices directly through their Fortinet customer account. Recommend contacting dsar@fortinet.com for clarification.
// Security controls
Data Handling - Processor Model
For most customer data, Fortinet acts as a data processor subject to contractual obligations and GDPR requirements
fortinet.comRegional Data Residency
Supports regional data hosting with customer choice for data location
lacework.comZero Trust Architecture
FortiCNAPP supports zero trust security model with continuous identity and permission assessment
fortinet.comPatented ML Technology
Lacework acquisition brought 225 patents including cloud security and AI/ML technology to Fortinet
fortinet.com// Products & data scope
data: Scans cloud infrastructure configurations (AWS, Azure, GCP) for misconfigurations and compliance violations
Supports compliance mapping for SOC 2, ISO 27001, PCI DSS, HIPAA, NIST, FedRAMP
data: Runtime protection for containerized workloads and Kubernetes environments
Detects threats in running containers and orchestration platforms
data: Analyzes cloud identity permissions and access across multi-cloud environments
Continuous visibility into user roles, groups, and excessive permissions
data: Runtime monitoring and anomaly detection for cloud workloads
Detects compromised credentials, ransomware, cryptojacking
data: Scans source code and infrastructure-as-code templates for vulnerabilities
Shift-left security with SAST, SCA, and IaC scanning capabilities
// What to watch
- IDENTITY COMPLEXITY: Lacework was acquired by Fortinet (August 1, 2024). The product is now branded as FortiCNAPP, but vendor slug remains 'lacework'. AIFOXX listing title should clarify 'FortiCNAPP (formerly Lacework)' to avoid confusion.
- CERT INHERITANCE UNCLEAR: Lacework's historical SOC 2 Type II (Sept 2018) is pre-acquisition. It is unclear whether this certification carries forward under Fortinet/FortiCNAPP or whether a new assessment was required post-acquisition. Recommend verifying current FortiCNAPP product-specific certifications via trust.fortinet.com.
- OVER-CLAIM RISK: Marketing materials state FortiCNAPP 'supports' or 'maps to' compliance frameworks (SOC 2, ISO 27001, HIPAA, PCI DSS). This describes a PRODUCT FEATURE (helping customers meet compliance), not vendor certifications. Marketing should clearly separate 'compliance-mapping capabilities' from 'Fortinet's own certifications'.
- ML TRAINING UNCLEAR: No explicit policy statement found regarding whether Fortinet trains machine learning models on customer data or offers opt-out. Fortinet's privacy policy mentions using data 'to improve services and develop new features' but does not specify ML training. This gap should be flagged for vendor clarification.
- RECENT ACQUISITION: Acquisition completed August 2024 (less than 2 years old). Product certifications post-integration with Fortinet may be in transition. Recommend contacting Fortinet to confirm whether FortiCNAPP has been assessed for separate product-level certifications or inherits Fortinet corporate certs.
// At a glance
Pricing model
SaaS subscription-based, pricing typically per cloud asset or resource unit, with tiered enterprise plans
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Fortinet, Inc. (acquired Lacework, Inc. August 2024)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.fortinet.com