Why FortiGate AI/ML IPS matters for C2 detection
Fortinet's AI and ML-based IPS detection is interesting because it is not trying to replace IPS with vague "AI". The feature keeps the classic IPS path, then applies machine learning to features extracted after protocol decoding, including HTTP. That design matters for command-and-control traffic because modern C2 rarely looks identical from one campaign to the next, but it still has to preserve enough structure to keep beaconing, tasking, and session handling working reliably.
That is exactly why the Fortinet example around Backdoor.Cobalt.Strike is so relevant. Cobalt Strike operators can rotate domains, reshape URIs, and modify headers, but they still generate traffic with repeatable protocol-level patterns. A model trained on decoded traffic features has a better chance of catching that family resemblance than a pure string or IOC match, especially when the traffic is trying hard to look like ordinary web sessions.
The other reason this makes sense is operational: Fortinet runs the ML logic alongside traditional signatures rather than applying it indiscriminately to every flow. That is a sensible security engineering choice because it keeps performance predictable and helps limit false positives. For defenders, this is where AI is genuinely useful: not as a replacement for detection engineering, but as an extra layer for one of the hardest network detection problems to solve cleanly, short-lived, web-like C2 traffic such as Cobalt Strike.
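To make the "features after protocol decoding" argument concrete, here is an added illustration (not Fortinet's code, and not a description of its model) of why structural features outlive domain and URI rotation. The traces, the field names, and the `beacon_score` rule standing in for a trained classifier are all constructed assumptions; the point is that `features` ignores the values an operator can rotate and keeps the timing, size and header-set shape that a periodic check-in has to preserve.

```python
from collections import Counter
from statistics import mean, pstdev
import random

def make_trace(seed, n, base_gap, jitter, hosts, uris, header_shapes, sizes):
    """Constructed sample: decoded HTTP requests from one client, in the shape a
    protocol decoder might hand to a classifier. No real traffic is involved."""
    rng = random.Random(seed)
    ts, reqs = 0.0, []
    for _ in range(n):
        ts += base_gap + rng.uniform(-jitter, jitter)
        reqs.append({"ts": ts, "host": rng.choice(hosts), "uri": rng.choice(uris),
                     "headers": rng.choice(header_shapes), "bytes": rng.choice(sizes)})
    return reqs

def cv(values):
    """Coefficient of variation (spread relative to the mean); near 0 means regular."""
    if len(values) < 2 or mean(values) == 0:
        return 0.0
    return pstdev(values) / mean(values)

def features(reqs):
    """Post-decode features that do not change when hosts, URIs or header
    values are rotated: request timing, transfer size and header-set shape."""
    gaps = [b["ts"] - a["ts"] for a, b in zip(reqs, reqs[1:])]
    shapes = Counter(tuple(sorted(r["headers"])) for r in reqs)
    return {
        "gap_cv": cv(gaps),                          # how periodic the requests are
        "size_cv": cv([r["bytes"] for r in reqs]),   # how uniform the transfers are
        "header_shape_share": shapes.most_common(1)[0][1] / len(reqs),  # one fixed header set?
        "distinct_hosts": len({r["host"] for r in reqs}),   # rotation is visible but not scored
    }

def beacon_score(f):
    """Hand-written stand-in for a trained classifier: counts regularity signals (0-3)."""
    return sum([f["gap_cv"] < 0.1, f["size_cv"] < 0.1, f["header_shape_share"] > 0.9])

# Constructed traces: a periodic check-in that rotates hosts and URIs, and ordinary browsing.
BEACON_LIKE = make_trace(1, 40, 60.0, 3.0,
    hosts=["cdn-a.example", "cdn-b.example", "static.example"],
    uris=["/js/app.js", "/api/v2/status", "/img/logo.png"],
    header_shapes=[("Host", "User-Agent", "Accept", "Cookie")], sizes=[122])
BROWSING = make_trace(2, 40, 8.0, 7.0,
    hosts=["news.example", "shop.example"], uris=["/", "/item/1", "/item/2", "/cart"],
    header_shapes=[("Host", "User-Agent", "Accept"),
                   ("Host", "User-Agent", "Accept", "Referer"),
                   ("Host", "User-Agent", "Accept", "Referer", "Cookie")],
    sizes=[0, 512, 3000, 140])
```

Running `beacon_score(features(BEACON_LIKE))` yields 3 and the browsing trace yields 0, even though both show more than one host; in a real pipeline these features would feed the model rather than a threshold rule, and the signature path would still run beside it.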