We performed a comparison between Cortex XDR by Palo Alto Networks and SentinelOne based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Both products receive high marks from reviewers. However, SentinelOne comes out on top in this comparison due to its impressive security and EDR features, attractive price, and impressive ROI.
"Device Trajectory is one of the most valuable features. We're able to dig in and really understand how things came to be and where to focus our efforts."
"Among the most valuable features are the exclusions. And on the scalability side, we can integrate well with the SIEM orchestration engine and a number of applications that are proprietary or open source."
"The most valuable feature is its threat protection and data privacy, including its cyber attack and data protection, as we need to cover and protect data on user devices."
"The ability to detonate a particular problem in a sandbox environment and understand what the effects are, is helpful. We're trying, for example, to determine, when people send information in, if an attachment is legitimate or not. You just have to open it. If you can do that in a secure sandbox environment, that's an invaluable feature. What you would do otherwise would be very risky and tedious."
"I'm only using the AMP (advanced malware protection) which is protecting my file system from all the malicious things that might happen. It should protect all kinds of things that might happen on the servers, things that I cannot see."
"If somebody has been compromised, the question always is: How has it affected other devices in the network? Cisco AMP gives you a very neat view of that."
"The visibility and insight this solution gives you into threats is pretty granular. It has constant monitoring. You can get onto the device trajectory to look at a threat, but you can also see what happened prior to the threat. You can see what happened after the threat. You can see what other applications were incorporated into the execution of the threat. For example, you have the event, but you see that the event was launched by Google Chrome, which was launched by something else. Then, after the event, something else was launched by whatever the threat was. Therefore, it gives you great detail, a timeline, and continuity of events leading up to whatever the incident is, and then, after. This helps you understand and nail down what the threat is and how to fix it."
"It is extensive in terms of providing visibility and insights into threats. It allows for research into a threat, and you can chart your progress on how you're resolving it."
"Their XDR agent and their behavioral indicators of compromise (BIOC) are pretty nice. Their managed threat hunting is also pretty nice. They also have WildFire, which is a service for actively looking for malware. It's quite useful."
"Palo Alto is constantly adding new features."
"Stability is a primary factor, and then there's the ease of distribution and policy management."
"It collects and caches and the knowledge of machine learning from different customers to take to the cloud. It makes it better to use for everybody. It allows for quick learning and updates and can, therefore, offer zero-day malware security. This sharing of metadata helps make the solution very safe."
"When the pandemic started, Palo Alto came up with many solutions, which helped with the quick shift from on-premises to the cloud."
"It's a nice product that's stable and scalable."
"It can automatically correlate events and logs, which is very helpful for an IT administrator. It can correlate different kinds of malware activities over a network, agent, or host system. You do not need to do it manually. It is a good feature. It is also a user-friendly solution. We have deployed it on the cloud because our space does not provide any flexibility for on-premises deployment, but Palo Alto has added some flexibility to install it on-premises. It must be like the same Cortex XDR agent for all the VPN services, web filtering services, and everything else."
"The most valuable for us is the correlation feature."
"Our clients have been able to survive a ransomware attack without even knowing that they had had files encrypted and automatically rolled back - even their Point of Sale (POS) system did not miss a beat and the business continued as normal without interruption."
"Another valuable feature is that if a machine is infected, one that may infect other computers within the network, we have the capability of segregating that machine in the network so that it remains connected to the internet but is cut off from the other machines in the network. That helps prevent spreading of the infection. That's a very unique feature, one I have not seen in the last 10 to 15 years from any other antivirus program. That's amazing."
"The product can scale as needed."
"The most valuable feature varies from client to client but having absolute clarity of what happened and the autonomous actions of SentinelOne are what most people find the most assuring."
"For me, the most valuable feature is the Deep Visibility. It gives you the ability to search all actions that were taken on a specific machine, like writing register keys, executing software, opening, reading, and writing files. All that stuff is available from the SentinelOne console. I'm able to see which software is permanent on a machine, and how that happened, whether by registry keys or writing it to a special folder on the machine."
"SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's... There are cost savings not only on licensing but because I don't have to have different people managing different consoles."
"It has a one-click button that we can use to reverse all those dodgy changes made by the virus program and bring the system quickly back to what it was. That's one of the most important features."
"The detection rate for Sentinel One has been excellent and we have been able to resolve many potential threats with zero client impact. The ability to deploy via our RMM allows us to quickly secure new clients and provides peace of mind."
"The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on."
"I would like to see integration with Cisco Analytics."
"The GUI needs improvement, it's not good."
"...the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal."
"It could be improved in connection with artificial intelligence and IoT."
"The connector updates are very easily done now, and that's improving. Previously, the connector had an issue, where almost every time it needed to be updated, it required a machine reboot. This was always a bit of an inconvenience and a bug. Because with a lot of software now, you don't need to do that and shouldn't need to be rebooting all the time."
"We have had some problems with updates not playing nice with our environment. This is important, because if there is a new version, we need to test it thoroughly before it goes into production. We cannot just say, "There's a new version. It's not going to give us any problems." With the complexity of the solution using multiple engines for multiple tasks, it can sometimes cause performance issues on our endpoints. Therefore, we need to test it before we deploy. That takes one to three days before we can be certain that the new version plays nice with our environment."
"The thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself."
"In an upcoming release, the solution could improve by proving hard disk encryption. If it could support this it would be a complete solution."
"We had a problem with getting our older endpoints up to date, but their newest updates have been really good. I've been pleased with it in terms of what our needs are. It's doing what we want it to do."
"A little bit more automation would be nice."
"In general, the price could be more competitive."
"It's not an ideal choice for smaller businesses, as you need a minimum of 200 endpoints to even use the solution at all."
"Data privacy is a matter of concern. You have to be careful with data privacy, it can be sensitive and Cortex can have most of your access."
"It would be good to have a better way to search for a file within the UI."
"I would like to see some additional features related to email protection included."
"The overall integration functionality for this solution could be improved."
"They can improve the administrative interface. They can make it more user-friendly."
"Their CASB tool needs to mature. I think there are some CASB vendors out there that have a dashboard tool that's much more mature than SentinelOne. That would be the only constructive criticism that I have."
"One of the areas which would benefit from being improved is the policies. There are still software programs where we need to manually program in the policies to tell the system, "This program is legitimate." Some level of AI-based automation in creating those policies would go a long way in improving the amount of time it takes to deploy the system."
"Security could always be better."
"Generally, the stability is good, but I would like to see better stability from the solution. The stability issue is partially a con of a behavioral-based product, but being behavioral-based, it also has a lot of pros."
"I would like to see a better control panel for the managed service side of it."
"We are now using an external monitoring tool to monitor the services of SentinelOne, because apparently they don't have any solution for that. When the SentinelOne agent is down, you can go to the interface and see a mark on SentinelOne that something is not correct or the server needs to be rebooted, but you will not get an alert. You will not be warned that there is an issue with the SentinelOne agent. I have found that a little bit disturbing, because then we need to use a third-party monitoring tool to make sure that all services of SentinelOne are up and running."
More Cortex XDR by Palo Alto Networks Pricing and Cost Advice →
Cortex XDR by Palo Alto Networks is ranked 4th in Endpoint Protection for Business (EPP) with 44 reviews while SentinelOne is ranked 2nd in Endpoint Protection for Business (EPP) with 28 reviews. Cortex XDR by Palo Alto Networks is rated 8.2, while SentinelOne is rated 9.2. The top reviewer of Cortex XDR by Palo Alto Networks writes "Easy to set up, reliable, and always scanning". On the other hand, the top reviewer of SentinelOne writes "Made a tremendous difference in our ability to protect our endpoints and servers". Cortex XDR by Palo Alto Networks is most compared with CrowdStrike Falcon, Microsoft Defender for Endpoint, Symantec Endpoint Security, Trend Micro Apex One and Trellix Endpoint Security, whereas SentinelOne is most compared with CrowdStrike Falcon, Microsoft Defender for Endpoint, Darktrace and Carbon Black CB Defense. See our Cortex XDR by Palo Alto Networks vs. SentinelOne report.
See our list of best Endpoint Protection for Business (EPP) vendors.
We monitor all Endpoint Protection for Business (EPP) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
I haven't used Cortex. My worry with it and every other solution is how well does it perform when disconnected from the cloud/ the internet?
S1 - I have been using it for a couple of years now without an issue. I had been using Cylance prior. I've been very happy with the S1 solution. Works with or without the Internet.
Depends on the size, scope and needs of your environment.
XDR is an ok monitoring/alerting tool, especially if you have a Palo Alto firewall already and everything can integrate well together. However, S1 is a superior tool IMHO and can catch and fix things automatically if you so choose (magic quadrant agrees).
Cost-wise XDR is probably cheaper but I don't know specifics on-prem vs cloud. S1 is a cloud tool but is extremely fast and responsive compared to some other tools we POC'd and can support legacy devices w2k8 and below or Linux or VDI without having to special of workarounds. So again, it depends on your needs, environment and cost.
Cortex XDR by Palo Alto vs. SentinelOne
SentinelOne offers very detailed specifics with regard to risks or attacks. The ability to reverse damage caused by ransomware with minimal interruptions to the environment is note-worthy. Sentinel One works inconspicuously in the background, continually providing protection. It has an automated active EDR that will not only find issues but can fix them. I don’t know that any other solution does that.
Cortex XDR by Palo Alto has a nice console and is easy to use. One of my favorite things about it is that it will automatically connect and log various kinds of suspicious behavior - you don’t need to do it manually. Cortex XDR is very secure but it is missing some basic features. It doesn’t offer an on-prem solution and it doesn’t integrate so well with some third-party solutions.
SentinelOne can be challenging to set up and there seem to be some applications that do not function properly when SentinelOne is installed. I would like to be able to make the reporting more specific to my needs. It would be a more attractive option if the cost was lower.
Conclusions
The find-and-fix option that SentinalOne provides was a huge win for us. We feel it provides a deeper and more thorough level of security.