Pulse: Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise
TLP: WHITE | Author: AlienVault | Created: 2026-03-11 | Modified: 2026-03-16
Indicators: 7 | Volume: low
SentinelOne's DFIR team has responded to multiple incidents involving compromised FortiGate NGFW appliances used to establish footholds in targeted environments. Attackers exploited vulnerabilities or weak credentials to access FortiGate devices, extract configuration files containing service account credentials, and use those to join rogue workstations to Active Directory. In one case, the attacker used the access to deploy remote management tools and steal the NTDS.dit file. The incidents highlight the need for strong access controls, patching, and improved logging on edge devices. Organizations are advised to implement SIEM solutions to detect anomalous activity and automate responses.
Indicators of Compromise (7)

TYPE    INDICATOR          DESCRIPTION   CREATED
CVE     CVE-2025-59718     -             2026-03-11
CVE     CVE-2025-59719     -             2026-03-11
CVE     CVE-2026-24858     -             2026-03-11
IPv4    185.242.246.127    -             2026-03-11
IPv4    193.24.211.61      -             2026-03-11
domain  ndibstersoft.com   -             2026-03-11
domain  neremedysoft.com   -             2026-03-11
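The summary recommends SIEM detection of anomalous activity, and the key anomaly in the described chain is a service account (harvested from an appliance configuration) creating a computer object in Active Directory. The following is an added detection sketch, not code from the pulse, AlienVault or SentinelOne: it classifies Windows Security event 4741 ("A computer account was created") records by who performed the join, and separately matches the pulse's own IPv4 and domain indicators against network log lines. The event records, the log-line format, the service-account naming prefix and the allow-list of expected joiners are all constructed assumptions; only the IP and domain values come from the indicator table above.

```python
"""Detect rogue AD computer-account creation and hits on the pulse's network IoCs.

Added example. The event records, log format, "svc_" naming convention and the
EXPECTED_JOINERS allow-list are constructed assumptions; the IoC values are the
ones listed in the pulse's indicator table.
"""
import re
from dataclasses import dataclass

# Indicators copied from the pulse's table (the only non-constructed values here).
PULSE_IPV4 = {"185.242.246.127", "193.24.211.61"}
PULSE_DOMAINS = {"ndibstersoft.com", "neremedysoft.com"}

# Assumed site conventions: service accounts share a prefix, and only a small
# set of accounts is expected to join machines to the domain.
SERVICE_ACCOUNT_PREFIX = "svc_"
EXPECTED_JOINERS = {"provisioning-svc", "it-admin1"}


@dataclass(frozen=True)
class ComputerAccountEvent:
    """Minimal view of a Windows Security event (4741 = computer account created)."""
    event_id: int
    subject_user: str   # account that performed the action
    new_computer: str   # computer object that was created
    source_ip: str


def classify_join(ev: ComputerAccountEvent):
    """Return a severity for a computer-account creation, or None if it looks benign.

    Policy: an expected joiner is benign; any service account creating a computer
    object is high severity (the pulse's scenario); any other account is medium.
    """
    if ev.event_id != 4741:
        return None
    user = ev.subject_user.lower()
    if user in EXPECTED_JOINERS:
        return None
    if user.startswith(SERVICE_ACCOUNT_PREFIX):
        return "high"
    return "medium"


def find_rogue_joins(events):
    """Return (computer, subject_user, severity) for every suspicious 4741 event."""
    findings = []
    for ev in events:
        severity = classify_join(ev)
        if severity:
            findings.append((ev.new_computer, ev.subject_user, severity))
    return findings


# Constructed log-line format: "<timestamp> <dns|fw> key=value key=value ..."
_NET_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|fw)\s+(?P<fields>.*)$")


def match_network_iocs(lines):
    """Return (line_number, indicator) for lines whose qname or dst hits a pulse IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _NET_LINE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        qname = fields.get("qname", "").rstrip(".").lower()
        dst = fields.get("dst", "")
        if qname in PULSE_DOMAINS or any(qname.endswith("." + d) for d in PULSE_DOMAINS):
            hits.append((n, qname))
        elif dst in PULSE_IPV4:
            hits.append((n, dst))
    return hits


# Constructed sample input: one legitimate join, one join by a service account
# from an unmanaged host, one join by an ordinary user, and one non-4741 event.
SAMPLE_EVENTS = [
    ComputerAccountEvent(4741, "provisioning-svc", "LT-0452", "10.1.4.20"),
    ComputerAccountEvent(4741, "svc_fortigate_ldap", "WIN-ATTKR01", "10.9.9.9"),
    ComputerAccountEvent(4741, "jdoe", "DESKTOP-X1", "10.1.5.7"),
    ComputerAccountEvent(4742, "svc_fortigate_ldap", "LT-0452", "10.1.4.20"),
]

# Constructed network log lines; 198.51.100.20 is a documentation address.
SAMPLE_NET_LOG = [
    "2026-03-12T09:58:01Z dns src=10.9.9.9 qname=ndibstersoft.com.",
    "2026-03-12T09:58:03Z fw src=10.9.9.9 dst=185.242.246.127 dport=443 action=allow",
    "2026-03-12T09:59:10Z dns src=10.1.5.7 qname=updates.example.com.",
    "2026-03-12T10:01:44Z fw src=10.1.5.7 dst=198.51.100.20 dport=443 action=allow",
]

if __name__ == "__main__":
    for computer, user, severity in find_rogue_joins(SAMPLE_EVENTS):
        print(f"[{severity}] computer {computer} created by {user}")
    for line_no, indicator in match_network_iocs(SAMPLE_NET_LOG):
        print(f"IoC hit on line {line_no}: {indicator}")
```

The two checks are deliberately independent: the join classifier needs no threat-intel feed and catches the behaviour regardless of which infrastructure the attacker uses, while the IoC match is cheap but only fires on the listed indicators. In a SIEM both would be correlated on the source host so that a service-account join followed by traffic to a listed indicator is raised as a single high-confidence alert.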