SentinelOne OverviewUNIXBusinessApplication

SentinelOne is the #3 ranked solution in endpoint security software and EDR tools. PeerSpot users give SentinelOne an average rating of 8.6 out of 10. SentinelOne is most commonly compared to Crowdstrike Falcon Endpoint Security and XDR: SentinelOne vs Crowdstrike Falcon Endpoint Security and XDR. SentinelOne is popular among the large enterprise segment, accounting for 47% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 19% of all views.
SentinelOne Buyer's Guide

Download the SentinelOne Buyer's Guide including reviews and more. Updated: December 2022

What is SentinelOne?

SentinelOne is a leading comprehensive enterprise-level autonomous security solution that is very popular in today’s marketplace. SentinelOne will ensure that today’s aggressive dynamic enterprises are able to defend themselves more rapidly, at any scale, and with improved precision, by providing comprehensive, thorough security across the entire organizational threat surface.

SentinelOne makes keeping your infrastructure safe and secure easy and affordable. They offer several tiered levels of security and varied payment options. SentinelOne works well with Linux, Windows, and MacOS, and can successfully support legacy infrastructures as well as the newer popular environments, including the latest operating systems. The single pane of glass management will save time and money by reducing manpower and ensuring comprehensive security protection of all your endpoints locally and worldwide.

SentinelOne offers intensive training and support to meet every organization’s unique business needs.

SentinelOne's levels of services and support include, but are not limited to:

SentinelOne GO is a guided 90-day onboarding service to ensure successful deployment and success. It assists with the deployment planning and overview, initial user setup, and product overviews. It provides ongoing training and advisory meetings, ensuring that everything is set up correctly and that your team understands the appropriate protocols to ensure success.

SentinelOne offers multi-tiered support based on your organizational needs from small business to enterprise, using their Designed Technical Account Management (TAM). They have support for every business level: Standard, Enterprise, and Enterprise Pro. SentinelOne is always available to ensure that you and your organization work together to minimize the risk of downtime and any threat exposure.

Threat Hunting & Response Services

Support for threat hunting and response include Watch Tower, Watch Tower Pro, Vigilance Respond, and Vigilance Respond Pro. Each of these services builds on the other, progressively adding features based on your organizational needs.

Watch Tower: This is the entry-level plan and includes: Active campaign hunting and cyber crime alerts and course correction for potential threats, access to the Monthly Hunting & Intelligence Digest.

Watch Tower Pro: Includes everything in WatchTower and customized threat hunting for all current & historical threats, unlimited access to Signal Hunting Library of Pre-Built Queries, Incident-Based Triage and Hunting, continuous customer service, followup and reporting, a Security Assessment, and quarterly Cadence meetings.

Vigilance Respond: Includes all of the features of Watch Tower in addition to a security assessment and Cadence meetings, which are on-demand. Provides the features of Watch Tower Pro in addition to 24x7x365 monitoring, triage, and response.

Vigilance Respond Pro: Includes all of the features of the above options, including a security assessment and quarterly cadence meeting as well as a complete digital forensic investigation and malware analysis.

Reviews from Real Users

Jeff D. who is an Operations Manager at Proton Dealership IT, tells us that "The detection rate for Sentinel One has been excellent and we have been able to resolve many potential threats with zero client impact. The ability to deploy via our RMM allows us to quickly secure new clients and provides peace of mind."

"The most valuable feature varies from client to client but having absolute clarity of what happened and the autonomous actions of SentinelOne are what most people find the most assuring." relates Rae J., Director IR and MDR at a tech services company.

SentinelOne was previously known as Sentinel Labs.

SentinelOne Customers

Havas, Flex, Estee Lauder, McKesson, Norfolk Southern, JetBlue, Norwegian airlines, TGI Friday, AVX, Fim Bank

SentinelOne Video

SentinelOne Pricing Advice

What users are saying about SentinelOne pricing:
  • "The pricing is very reasonable."
  • "The licensing is comparable to other solutions in the market. The pricing is competitive."
  • "The pricing is very fair for the solution they provide."
  • "We pay $30,000 a year for 275 endpoints. We're growing, so I plan to buy another 75 endpoints. There is still a year and a half left in my three-year subscription, so I'm going to increase my endpoint count by 30 percent."
  • "Its price is per endpoint per year. One of the features of its licensing is that it is a multi-tenanted solution. From an MSSP point of view, if I want to have several different virtual clouds of customers, it is supported natively, which is not the case with, for example, Microsoft Defender. Another nice thing about it is that you can buy one license if you want to. Some vendors insist that you buy 50 or 100, whereas here, you can just buy one."
  • "SentinelOne is more affordable than some competing products, and it's not overly expensive for what you're getting."
  • SentinelOne Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Director IR and MDR at a tech services company with 201-500 employees
    Real User
    Top 20
    Provides deep visibility, helpful and intuitive interface, effectively prevents ransomware attacks
    Pros and Cons
    • "The most valuable feature varies from client to client but having absolute clarity of what happened and the autonomous actions of SentinelOne are what most people find the most assuring."
    • "As a cloud-based product, there is a minimum number of licenses that need to be purchased, which is unfortunate."

    What is our primary use case?

    We are a solution provider and this is one of the products that we implement for our clients.

    Sentinel One is being deployed as a replacement for any antivirus solution. In our case, we use it to primarily prevent ransomware and other malware from entering networks or computers, as they're deployed across the entire world now, in this new post-COVID environment.

    We no longer have the luxury of the corporate firewall protecting everyone equally. This means that having SentinelOne on each box is providing a solution where we stop the badness before it can spread.

    This is a cloud-based platform that we use in every capacity you can imagine. We use it on cloud components in both Azure and Amazon.

    How has it helped my organization?

    We have tested SentinelOne's static AI and behavioral AI technologies and it performs well. We actually put a laboratory together and we tested SentinelOne against CrowdStrike, Cylance, and Carbon Black side by side. We found that the only product that stopped every instance of ransomware we placed into the computers in the test lab, was SentinelOne. As part of the testing, we used a variety of actual ransomware applications that were occurring, live on people's systems at the time.

    My analysts use SentinelOne's storyline feature, which observes all OS processes. They're able to utilize the storyline to determine exactly how the badness got into the network and touched the computer in the first place. That allows us to suggest improvements in network security for our clients as we protect them.

    The storyline feature offers an incredible improvement in terms of response time. The deep visibility that is given to us through the storyline is incredibly helpful to get to the root cause of an infection and to create immediate countermeasures, in an IT solution manner, for the client. Instead of just telling them a security problem, we are able to use that data, analyze it, and give an IT solution to the problem.

    SentinelOne has improved everybody's productivity because the design of the screens is such that it takes an analyst immediately to what they need next, to make the proper decision on the next steps needed for the client.

    What is most valuable?

    The most valuable feature varies from client to client but having absolute clarity of what happened and the autonomous actions of SentinelOne are what most people find the most assuring. The fact that it stops everything and lets you analyze it with great detail, including how it occurred, to improve your overall security infrastructure to prevent such an attack from occurring in the future, is really important to clients because it's almost like a security advisor or a security operation center in the tool itself.

    When an event occurs, it gets stopped, and then they have a way to look into that data to find ways to improve the security of their network or what risk factors they need to tend to within the company through education or other means. For example, they may be constantly clicking on the wrong links or the wrong attachments in phishing emails.

    Our people constantly use the Ranger functionality. The first thing we do is look for unprotected endpoints in the environment. This is critical because SentinelOne should be placed on everything in the environment for maximum protection. The second way we use it is if a printer or a camera or a thermostat is being used as a relay for an attack, through a weakness in that product, we are able to let them know exactly what product it is. The other advantage of Ranger is that it lets us put a block into the firewall of SentinelOne that's on every Windows computer, and we can stop the communications from the offending internet of things product to every system on the network with just a few clicks.

    It's incredibly important to us that Ranger requires no new agents, hardware, or network changes. If you think about it, we're in the middle of an incident response every day. We have between 60 and 80 incident responses ongoing at any time, and having the ability to deploy just one agent to do everything we need to advise clients on how to improve their security and prevent a second attack, is incredibly important. It was a game-changer when Ranger came to fruition.

    Various clients, depending on their business practices, are heavily in the IoT. Some are actually the creators of IoT and as they put new products on the air for testing, we're able to help protect them from external attacks.

    What needs improvement?

    As a cloud-based product, there is a minimum number of licenses that need to be purchased, which is unfortunate.

    Buyer's Guide
    SentinelOne
    December 2022
    Learn what your peers think about SentinelOne. Get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
    670,331 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using SentinelOne personally, on and off, for approximately three years.

    What do I think about the stability of the solution?

    SentinelOne is very stable and the agent rarely fails. The only time I've seen an agent fail is normally on a compromised system. The fact that it even works to protect a compromised system in the first place is amazing, but that's the only time that we actually see the failure of an agent. Specifically, it can happen when there's a compromise to the box prior to loading SentinelOne.

    On a pristine new load of a workstation or server where it has no compromises and no malfeasance exists, the SentinelOne agent is incredibly stable and we rarely have any issues with the agent stopping in function. I will add that in this respect, the fact that the agent cannot be uninstalled without a specific code gives us higher stability than others because even a threat actor can't remove or disable the agent in order to conduct an attack against the network. It's a unique feature.

    What do I think about the scalability of the solution?

    Right now, we have 54 analysts managing approximately 300,000 endpoints at any one time, globally. We operate 24/7 using SentinelOne.

    How are customer service and support?

    The technical support team is probably the fastest in the industry at responding, and they do care when we have to call them or send them an email due to a new issue that we've discovered. Most of the time, the problem is the operating system that we're dealing with is not regular, but they're still very helpful to us when it comes to protecting that endpoint.

    I would rate their customer server a nine out of ten. I could not give anybody a ten. They are a continuous process improvement company and I'm sure that they are constantly trying to improve every aspect of customer service. That is the attitude that I perceive from that company.

    Which solution did I use previously and why did I switch?

    Primarily in the last year, the number one solution clients had, in cases where we replaced it, was probably Sophos. Next, it was CrowdStrike, and then Malwarebytes. The primary reason that these solutions are being replaced is ransomware protection.

    Almost every client that I get involved with has been involved in a ransomware case. They've all been successfully hacked and we can place it onto their boxes, clean them up, along with all of the other malware that everyone else missed, no matter who it was. SentinelOne cleans up those systems, brings them to a healthy state, and protects them while we are helping them get over their ransomware event. This gives them the peace of mind that another ransomware event will not occur.

    Personally, of the EDR tools, I have worked with Cylance, Carbon Black, and CrowdStrike. I've also worked with legacy antivirus solutions, such as McAfee and Symantec. However, this tool outshines all of them. It has ease of use, provides valuable information, and protects against attack. The autonomous nature of SentinelOne combined with artificial intelligence gives us the protection we cannot experience with any other EDR tool today.

    How was the initial setup?

    The initial setup is very straightforward. SentinelOne has incredibly helpful information on their help pages. They are probably the fastest company that I know of in the entire EDR space for responding to a client's email or phone call when you need to do something new or complex.

    We have covered everything from Citrix networks to more complicated systems that work by utilizing the Amazon and Azure cloud to spin up additional resources and spin down resources. We were able to protect every one of those assets with it. The agent is easy to load and configure and the library allows us to quickly pivot on a new client and get their exclusions in fast enough to not impede business as we're protecting them.

    What was our ROI?

    When we were at a point of 50 clients, which is an average of 10,000 endpoints, we needed four analysts using Cylance. When we switched to SentinelOne for that same protection, the 50 clients could be covered by two analysts. We dropped our need for analysts in half.

    The average cost of a security incident involving ransomware is a minimum of $50,000 USD, and this is something that SentinelOne can prevent.

    The product has a rollback feature, where you can take a machine that's been attacked and partially damaged, and you can roll it back to a previously healthy state. That saves endless hours of system administrators' time rebuilding systems. That alone can reduce the cost of an incident from $50,000 down to $20,000. There is a cost because you still have to determine exposure and other factors with an incident response to determine if the threat actor has taken any data, things like that, but on the damage to the equipment, with the rollback feature and the restoration features built in the SentinelOne, and the fact that it stops everything but the most sinister lateral movements today, just means that an incident never has to occur.

    This means that there is a great return on investment for a lot of companies. Another important thing to mention is that they don't lose people. Approximately 60% of businesses that are hit with a ransom attack go out of business within six months. If SentinelOne is preventing those incidents from occurring, that return on investment is worth almost the value of the entire company in some cases.

    It is difficult to put an exact number on something like that, but the lack of pain and suffering of the employees of the company, because they didn't have to go through an incident response, and the lack of expense for the company to hire lawyers and professional companies to come in and help them during an incident, as well as their increased insurance costs of having an incident is also another factor.

    Overall, it's difficult to judge but it's a true factor in the return on investment of owning SentinelOne and utilizing it to protect your environment.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is very reasonable. Unfortunately, because it's a cloud-based product, it has a minimum count for licensing, but other than that, I've found their pricing to be incredibly reasonable and competitive with tools that are very similar.

    Considering the invaluable nature of SentinelOne's autonomous behavior, I don't believe anyone else can measure up to that. That makes it an incredible bargain when compared to the cost of an incident for any company.

    Which other solutions did I evaluate?

    There are organizations such as MITRE and ESET Labs that have been doing testing that is similar to what we did three years ago. We just look at those results for the same truth that we discovered in the beginning, and the product continues to improve its performance.

    What other advice do I have?

    I have been a proponent of SentinelOne for many years. When I learn about somebody who has been hacked and wants to have protection against problems such as ransomware occurring, this is the one solution that I recommend.

    The SentinelOne team is open to suggestions. They listen to the analysts and managers that are using their product and they innovate constantly. The improvements to the SentinelOne agent have enhanced its ability to catch everything and anything that comes in, including the detection of lateral movement attacks, which are the worst-case scenario.

    When an unprotected agent penetrates the firewall and attacks a network, that unprotected asset has no protection on it so that the hacker can do whatever they want from that box with no impedance. But, the detection of it attacking from a lateral basis has been improved immensely over the last three years.

    The improvement in the exclusions library has been phenomenal to help us get the new systems on the air with the new software. It allows the end-user to almost seamlessly get SentinelOne loaded and operational without impacting their business, which is incredibly helpful.

    SentinelOne is working on something right now in the Ranger space that is going to allow us to remotely load endpoints that need the SentinelOne protection through the Ranger portion of the application. This is going to significantly improve the security of all of our clients, whether they be in long-term care or short-term incident response, it will help us protect them better. It's a significant improvement to our ability to protect the client.

    Of all the products on the market today, I can say that they are the ones that I trust the absolute most to protect my clients.

    I would rate this solution a ten out of ten.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Senior Information Security Engineer at a retailer with 5,001-10,000 employees
    Real User
    Top 10
    The Storyline feature significantly simplifies the investigation and research related to threats
    Pros and Cons
    • "The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes."
    • "There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap."

    What is our primary use case?

    There are four use cases:

    1. Endpoint visibility.
    2. Endpoint protection, which includes detection, protection, and error response. We use this for protection endpoints as well.
    3. Provides historical loss of any events or changes in files that may have happened in the last 90 days.
    4. Threat hunting, which we use to troubleshoot applications.

    There are different versions. The SaaS portal has a different version. The agents for each operating system have a different version. For the SaaS platform, we are on the current release. For the agents, we are one behind the current GA release.

    How has it helped my organization?

    We have another tool for network analysis. Last night, it detected some suspicious network activity for a machine that was making an outbound action to a spacious external entity. So, it raised an alert. Other than being a network tool, it couldn't provide any information as to why it suddenly started doing this. As far as response and running through our playbook, the first steps were for the SOC to go and reach out to our engineering teams to see if any users caused what happened. That took them almost until the end of the day. Finally, they came back, and said, "There is nothing that we can see." Then, I went into SentinelOne, spending about 15 minutes, and was able to determine exactly:

    • What process caused the activity.
    • The reason for it. 
    • The user.
    • The command line running that caused it.
    • What addresses it tried to communicate out, since the network tool wasn't able to capture all the IP addresses. 

    We were able to determine it was a process that one of our engineers had set up and forgot about. It took us almost an entire day for the SOC to get a response from a person on that. Whereas, we were able to get that information directly from SentinelOne in less than 15 minutes.

    SentinelOne's automation has increased analyst productivity. It can automate actions on a threat, such as, kill/quarantine, remediate, and then roll back. All those automation processes have significantly helped us in making our SOC more effective.

    What is most valuable?

    All the features are valuable. Their core product, EDR, is pretty good. We utilize the entire functionality of the feature set that they have to offer with their core product. For EDR, we are using all their agents: the Static AI and Behavioral AI technologies as well as their container visibility engine.

    We use SentinelOne’s Storyline feature to observe all OS processes quite routinely. When we want to know a bit more details about any threats or want to investigate any suspicious event types, that is when we use the Storyline quite a bit. Its ability to automatically connect the dots when it comes to incident detection is useful. It significantly simplifies the investigation and research related to threats.

    Today, we automatically use Storyline’s distributed, autonomous intelligence for providing instantaneous protection against advanced attacks for threat detection. The AI components help tremendously. You can see how the exploits, if any, match to the MITRE ATT&CK framework, then what actions were taken by the AI engine during the detection process or even post detection actions. This is good information that helps us understand a little about the threat and its suspicious activities.

    We use the solution’s one-click remediation for reversing unauthorized changes. In most of the groups, we have it automatically doing remediation. We seldom do manual remediation.

    What needs improvement?

    There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap. A couple of months ago, they came back to us and got our feedback on what we thought about their plan of implementing the agent health monitoring system would look like, and it looks pretty good. So, they are planning to release that functionality sometime during the Summer. I have been amazed with their turnaround time for getting concepts turned into reality. 

    For how long have I used the solution?

    We have been using SentinelOne since early 2020.

    What do I think about the stability of the solution?

    It has been very stable. There have been no issues so far.

    One person is needed for maintenance (me).

    What do I think about the scalability of the solution?

    It is scalable with the caveat that we have had some challenges within our infrastructure for 20 agents across Linux servers. Beyond that, scalability is not an issue.

    8,000 to 9,000 people are using the solution across our entire organization.

    We are using SentinelOne as our de facto endpoint protection software. As a result, it is a requirement for every machine in our infrastructure, except for the devices that do not support their agents. So, as our infrastructure continues to grow or shrink, the users of SentinelOne will either increase or decrease, depending on the state of our infrastructure at that specific point in time.

    How are customer service and technical support?

    The technical support is good and very responsive. 99.99 percent of the time, they have been able to provide satisfactory responses. Whenever we have asked them to join a call that requires their assistance on a priority basis, they have been able to join the call and provide assistance. Whenever they felt that they do not have enough information, they were upfront about it, but they realistically cannot do anything about it because there is a limitation on either SentinelOne agent software or deeper logs would need to be captured in order to provide more information. There has been no situation where support provided an unsatisfactory response.

    Which solution did I use previously and why did I switch?

    We were previously using Sophos. The primary reason that we switched was Sophos did not provide us the extended capabilities we needed to support our infrastructure, both on-prem and on the cloud. Sophos did not support any of the Kubernetes cluster environmental containers systems on the cloud. It did not have the advanced AI engines that SentinelOne does. Overall, Sophos was very bulky, needing a lot of resources and a number of processes. In contrast, SentinelOne was thinner, very lightweight, and more effective.

    How was the initial setup?

    The deployment and rollout of SentinelOne are pretty simple. In our environment, we deployed the agents, then we had to remove them from some of the machines because the agent was impacting the performance of those machines. At that time, we found out it wasn't the SentinelOne agent rather an underlying issue on our own system or even the environment that it was in. We had to take SentinelOne out to troubleshoot the root cause, which delayed us a bit in rolling it out to our other infrastructure. That was completely fine. Looking at it from a global and world perspective, the rollout was very simple. 

    About 6,000 to 7,000 endpoints took us six to seven months to deploy. Linux took a bit longer to deploy because the tools are not as good for deployment as what is available for Windows and Macs. Using a script, we were able to take care of that. However, we could only do that during maintenance windows, otherwise we couldn't deploy the agents without an approval change.

    What about the implementation team?

    We did the implementation ourselves. We have several teams responsible for each area:

    • Two to four people for workstations. 
    • Two people for a retail environment
    • Two people for the server infrastructure. 

    This provided resource continuity. In case one resource would be unavailable for any reason, then the other resource would be able to continue. Essentially, the deployment needed three people, but we had six for continuity.

    What was our ROI?

    We saw a return of investment during the first year. We far exceeded our ROI expectations, meeting our ROI expectations within the first year.

    The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes.

    From an overall perspective, it has reduced our mean time to repair in some cases to less than seconds to a maximum of an hour. Before, it would take days.

    What's my experience with pricing, setup cost, and licensing?

    The licensing is comparable to other solutions in the market. The pricing is competitive.

    We subscribe to the Managed Detection and Response (MDR) service called Vigilance, which is like an extension of our SOC. Vigilance's services help us with mitigating and responding to any suspicious, malicious threats that SentinelOne detects. Vigilance takes care of those. 

    We also pay for the support. The endpoint license and support are part of the base package, but we bought the extended package of Vigilance Managed Detection and Response (MDR) services.

    Which other solutions did I evaluate?

    Sophos was eliminated very early on in the PoC process. Then, we looked at: 

    • SentinelOne
    • FireEye
    • CarbonBlack
    • CrowdStrike. 

    Out of these solutions, we selected SentinelOne. Their ability to respond quickly in terms of feature functionality was the biggest pro as well as their fee for agents in the cloud. The other solutions' interpretation of a cloud solution did not match with our expectations. From an overall perspective, we found SentinelOne's methodology, its effectiveness, its lightweight agents and their capabilities far exceeded other solutions that we evaluated.

    SentinelOne had the highest detection rates and the ability to roll back certain ransomware, where other solutions were not even close to doing that.

    What other advice do I have?

    It is a very good tool that is easy to deploy and manage. The administration over it is little to none. However, depending on the environment and whoever is trying to deploy the agents, they should test it with the vendor environment before they go and deploy it to production. The reason why is because SentinelOne has the ability to be tuned for optimization. So, it is better to understand what these optimizations would be before deploying them to production. That way, they will be more effective, and it will be easier to get buy-in from the DevOps team and the infrastructure team managing the servers, thus simplifying the process all around. Making the agents and configurations optimized for specific environments is key.

    The Storyline feature has affected our SOC productivity. Though, we have yet to fully use the Storyline feature in a SOC. We are using it on a case-by-case basis. However, as we continue to deploy agents throughout our infrastructure and train our SOC to use the tool more effectively, that is when we will start using the Storyline feature a bit more. Currently, this is on our roadmap.

    I am very familiar with the Ranger functionality, but we haven't implemented it yet for our environment. Ranger does not require any new agents nor hardware. That is a good feature and functionality, which is helpful. It can also create live, global asset inventories, which will be helpful for us. Unfortunately, we have not yet had an opportunity to roll that out and capture enough information from our infrastructure to be able to maximize the effectiveness of that functionality. We are still trying to get SentinelOne core services fully deployed in our environment.

    Now that we have SentinelOne, we cannot go without it. 

    Compared to other solutions in the market, I would rate it as 10 out of 10.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Rick Bosworth S1 - PeerSpot reviewer
    Rick Bosworth S1Director, Product Marketing at SentinelOne
    Real User

    On behalf of the entire SentinelOne team, thank you for your extensive and thoughtful review, RS.  It is rewarding to hear how customers derive value from our endpoint protection and EDR, whether for user endpoint, Linux VMs, or Kubernetes-managed container clusters.  Cheers.

    Buyer's Guide
    SentinelOne
    December 2022
    Learn what your peers think about SentinelOne. Get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
    670,331 professionals have used our research since 2012.
    Network & Cyber Security Manager at a energy/utilities company with 51-200 employees
    Real User
    Top 20
    Cut our response times down to "nothing" and reduces our dependency on a SOC
    Pros and Cons
    • "When there is an incident, the solution's Storyline feature gives you a timeline, the whole story, what it began with, what it opened, et cetera. You have the whole picture in one minute. You don't need someone to analyze the system, to go into the logs. You get the entire picture in the dashboard. The Storyline feature has made our response time very fast because we don't need to rely on outside help."
    • "All they need to do to improve it is for it to grow further. The hackers don't sleep. If the hackers don't sleep, the solution continually needs to be updated. They need to keep ahead of the hackers."

    What is our primary use case?

    We have the solution deployed on-premises and, for the last year, on the cloud as well. We have two systems.

    Over the last year of Corona, we provided a lot of laptops to our workers to work at home. But because they're not connected, at first, to our network, they can't connect to the SentinelOne instance on-premises. We wanted something that would protect them when they're on the internet, and not only after they connected to our network. That is why we got the system that is in the cloud, to protect all the company laptops.

    We don't have a lot of incidents because ours is a very closed network. We don't connect directly to the internet. So SentinelOne is only a barrier between us and the emails or between us and the files that go into our network. 

    How has it helped my organization?

    Three years ago, one of our employees got an email from someone and opened a file. It was ransomware. It started to infect the disks and I didn't know if it had started to encrypt the network routes. I stopped the computer, but I didn't know if another computer had also been infected. I waited for a company that was giving us support for those kinds of things. They got the disk and they started to check and analyze it. After four hours—and that was very quick, by their standards—I got the first analysis. If I had had SentinelOne the whole thing would have taken between 10 seconds and one minute. And then there was the cost of the SLA that we paid to the support company for that kind of support. A four-hour SLA costs a lot of money; the basic SLA is eight hours.

    It has cut the response times to nothing. When we have an incident, we get an email in seconds and I can respond in a second to any threat. Even if it's a false alarm, I get the alarm immediately. For example, when we started to work from home, I accidentally installed a program that writes to the MBR partition in the laptop. It wanted to write to the MBR partition and SentinelOne stopped the file and it saved me from having to install the whole computer again. So it not only protects against threats but against mistakes. It's like having a big brother sitting behind you who protects you.

    When you pay for a system like SentinelOne, along with the other systems that we have, we're less dependent on a SOC.

    The solution gives me peace of mind when it comes to the reliability of the computers on our system. We can work through the internet, as has been happening recently with half of the company working from home, and I know that I have a system that has my back, that protects me. I know it does because I have tested it.

    What is most valuable?

    There isn't a single valuable feature, it's the whole engine and system. It's working online in  real-time and gives us alerts, on-click. We chose SentinelOne because in the millisecond that I clicked on the file, I got a block-alert.

    SentinelOne's Static AI and Behavioral AI technologies are among the most effective for protecting against attacks because they analyze not only the file's surface, but the behavior of the file. When I described to my manager what I was going to buy, I described a system that analyzes file behavior. If you open a calculator, calc.exe, you know it's going to open calc.exe, and maybe open service X or Y, but it won't go to the internet, to an IP, and spread something. When you analyze the behavior or reaction of each file that works on your PC, it's something else. It's a different level of EDR.

    When there is an incident, the solution's Storyline feature gives you a timeline, the whole story, what it began with, what it opened, et cetera. You have the whole picture in one minute. You don't need someone to analyze the system, to go into the logs. You get the entire picture in the dashboard. The Storyline feature has made our response time very fast because we don't need to rely on outside help. We see the whole picture in front of us, from the beginning to the end. We can see, with the click of a button, if that file ran on more computers, not only one or two, and how it spread to other computers. We can see the whole tree and we can immediately respond. We don't need to wait for analysis.

    The UI is very clear. You don't need to look for something or to dig to understand where it is. It's all in front of your eyes.

    What needs improvement?

    All they need to do to improve it is for it to grow further. The hackers don't sleep. If the hackers don't sleep, the solution continually needs to be updated. They need to keep ahead of the hackers.

    For how long have I used the solution?

    I have been using SentinelOne for two years.

    What do I think about the stability of the solution?

    It has never gone down. In two years I haven't had any software or hardware problems.

    What do I think about the scalability of the solution?

    The scalability is driven by demand. If I need to buy 100 licenses, I can buy 100 licenses. We started with 50 and now we have 200 on-premises and 100 on the cloud.

    In terms of expanding our usage, we have a SCADA network. It is our operational network. That network is 100 percent disconnected from the outside world. It's not connected to any network, not to IT and not to the internet. We use a regular antivirus there. We plan on deploying SentinelOne to support that and to remove the old antivirus.

    Which solution did I use previously and why did I switch?

    Prior to using Sentinel one we were using McAfee Endpoint Security. We switched because I understood that the systems that are only checking file signatures don't work anymore.

    How was the initial setup?

    We installed it, in the beginning, on-premises on our computer inside the network, and the installation was done with an integration company. Every three or four months we upgrade because our location is not connected to the internet directly.

    The on-premises deployment took something like a week to get it deployed to everyone, but the installation itself was very quick, half a day. Then, to see what should be put in the blacklist or what to exclude took about two weeks. The deployment was done by me and the IT manager.

    The cloud version was very simple, no problem. Things were done automatically.

    What about the implementation team?

    The integrator we used was DnA-IT. They only did the installation for the first implementation.

    Now that we are going back to the workplace, I will start to work with them on an hourly basis, and we'll learn about all the features from them. They have good guys who know what I need and what we're going to do. I am one person who supports 400 people, so I need the time to sit with the system and to learn it. The system has a lot of features that we don't use or that we don't understand how to use because we haven't had a lot of time in the past year to research them and sit with the company to teach us. We work with the basic features, things like the blacklist and the USB restrictions. The integrator will show us how to use the more advanced features. I'm starting to think that if we can implement all the features from SentinelOne, I will be able to cut the antivirus that we are paying for.

    We also use DnA-IT for support. If necessary, they open a ticket with SentinelOne.

    What was our ROI?

    It's cost-effective. The price of 100 licenses that I need in the cloud is cheaper than one Bitcoin I would need to pay in the case of ransomware. It's already paying for itself.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is very fair for the solution they provide.

    Aside from the standard licensing fee, the only other costs are for the hardware, because we use Hyper-V on-premises.

    Which other solutions did I evaluate?

    I don't remember the names of the other solutions we tested because it was more than two years ago. At that time, SentinelOne was a very young, small, Israeli company with a new product. We were using another startup on our OT network and I asked them if they knew of a good EDR company and they told me there's a little company like ours, our friends, check them out. We also checked two other companies.

    We did a penetration test on some solutions. A company that we work with on pen testing planted malware in Excel files, in a macro. We tested how each of the solutions alerted us on the macro and about what it was doing. SentinelOne alerted us at the moment I clicked on the mouse. When I got the popup alert from SentinelOne, I said, "That's it."

    In the other software that we checked, there was a little delay because the software got the file, transferred it to the cloud, waited for the cloud to handle the file, and then got the answer back. It took about half a minute or a minute. But in half a minute or a minute, an attack can destroy half of the network. In fact, one of the others didn't detect it at all.

    What other advice do I have?

    My advice is check out SentinelOne. See how the system works in a real-time attack. Only when you see how it works in real life, in real time, will you understand the ROI of the system. Simulate an attack, simulate a file, simulate that file changing something, and see how it works. I can say to my manager, "I have McAfee installed on my system, I'm safe," and they'll check the checkbox and move on, without understanding what they are doing. I need to sleep well at home and I can do so by knowing I have a system that has my back. That is what SentinelOne is.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Operations Manager at Proton Dealership IT
    Real User
    Top 10
    Excellent detection rate / allowed our team to focus on proactive management
    Pros and Cons
    • "The detection rate for Sentinel One has been excellent and we have been able to resolve many potential threats with zero client impact. The ability to deploy via our RMM allows us to quickly secure new clients and provides peace of mind."
    • "One area of SentinelOne that definitely has room for improvement is the reporting. The canned reports are clunky and we haven't been able to pull a lot of good information directly from them."

    What is our primary use case?

    Everyone who is a client of ours gets SentinelOne by default. It provides ransomware protection, malware protection, and increased security. Those are our top-three selling points for SentinelOne when we talk to clients.

    How has it helped my organization?

    Prior to deploying Sentinel One, we had a team of staff members dedicated to ransomware prevention and malware alerts. Since deploying Sentinel One, we have been able to allow that team to focus on other proactive security measures for our clients.

    The dashboard alerting is great and it has helped us out a ton.

    SentinelOne has also greatly reduced incident response time, based on the toolsets and the ability to deploy it to new companies through a script. That has been very helpful. It has decreased the amount of time spent on incident response by 40 to 60 hours a month.

    And when it comes to mean time to repair, while we haven't had a situation where we've had to reload an operating system or repair to that extent, we've used the 1-Click Rollback feature which saves several hours over a reload of a PC. 

    What is most valuable?

    The detection and response feature is really good for us. 

    Also, there is a feature called Applications, and it shows all the critical applications that are on devices that may need to be reviewed.

    The solution’s Static AI and Behavioral AI technologies are great when it comes to protecting against file-based, fileless, and Zero-day attacks. I would rate that aspect at eight out of 10. They have been great at detection.

    The solution’s 1-Click Rollback for reversing unauthorized changes is also huge for us. That is one of the top reasons we have SentinelOne in place. For example, we had a site that had downloaded malware on a share for their sales office. It was trying to move laterally throughout the network but SentinelOne detected it. We then used the 1-Click option to remove it from the 10 or so PCs it had infected. Then we blocked it based on the information SentinelOne provided to us. That way if it happened again, it would already be blocked and wouldn't be allowed to launch.

    What needs improvement?

    One area of SentinelOne that definitely has room for improvement is the reporting. The canned reports are clunky and we haven't been able to pull a lot of good information directly from them.

    Also, integration is almost non-existent. We would really like to see integration with ConnectWise. Within ConnectWise Automate, you're only allowed to deploy at the top-level group. Our company is dealership-focused, but if we have a parent dealership that has 10 sub-dealerships with SentinelOne, we have to treat them as one large group instead of one parent and 10 sub-groups. That's been a pain point for us. We've done some workarounds, but since there is no integration, it's tough.

    For how long have I used the solution?

    I have been using SentinelOne for about two years.

    What do I think about the stability of the solution?

    We haven't had any issues, outages, or upgrades. I would rate the stability at 10 out of 10.

    What do I think about the scalability of the solution?

    One of the features that we love about SentinelOne is that we don't have to buy licenses ahead of time. It just scales up as we grow. We're bringing on a client now that has 500 endpoints and I don't have to worry about contacting sales at SentinelOne and getting a PO for 500 licenses. It just scales up and we're charged based on what we use, which is awesome.

    The solution is on 100 percent of our clients that we manage, and that's going to be the goal moving forward. Our sales team does not put in a contract without SentinelOne.

    How are customer service and support?

    SentinelOne technical support has always been very quick and responsive. We haven't used them a lot. We're a technology company as well and we're able to fix the minor stuff ourselves or by looking at a knowledge base.

    One of our concerns or complaints at the beginning was the lack of training, which they fixed. They allowed us to schedule our staff to do the eight hours of free training, which was great. That would have been my only complaint, but that was resolved a few months ago.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We didn't have any EDR solution in place like SentinelOne. We had Bitdefender for antivirus, but that has been removed. Our existing antivirus was failing in several ways. It wasn't detecting everything that was coming through. That was the big catalyst for the switch.

    Originally, we had SentinelOne through SolarWinds, which was our previous RMM tool. And when we migrated to ConnectWise, we moved our existing licenses over.

    How was the initial setup?

    The initial setup was straightforward. It was through our RMM. We bought licenses and we had a one-click deployment to deploy that software. And when we migrated, the gentleman who helped us was awesome. We migrated 9,000 endpoints from that RMM directly into SentinelOne, and he did a lot of the heavy lifting. We just had to check and confirm things were getting moved over.

    The migration of the 9,000 agents took 10 to 14 days.

    Our implementation strategy included a deployment where we would do a test phase. We picked certain endpoints at different clients and we would deploy and set it in a "listen-only" mode and see what it caught. If everything was good, we would then turn it on to regular mode. That process helped a lot in the implementation.

    We have about 75 people in our company using SentinelOne. The main roles among them are about 60 percent help desk, which is view-only; 20 percent client-side, which is reporting and view-only; and the rest are our engineering level where they have the ability to do rollbacks and fix certain issues that are coming in. There is very little maintenance involved with the solution, maybe a handful of hours a month. We have it set up to auto-update. Prior to that, we had to set up our script to download the most recent version, but that's all been replaced now with automation. Maintenance on the actual system is very minimal.

    What's my experience with pricing, setup cost, and licensing?

    In the past, we had to purchase licenses in advance, so if we hit our license limit, we could not expand until we got a signed agreement in place with the sales rep after the back-and-forth. That meant if a client had ransomware and they had 200 agents, we couldn't deploy right away if we were up against our limit. So we always had that balancing act of figuring out if we were close to our limit and whether we needed to buy more licenses? We ended up paying for licenses we didn't need because we had to buy them in packages of 100.

    We now pay based on usage. They do an audit once a quarter and calculate any overages. We pay a set amount quarterly, based on our licenses in use, and then they true-up the figure. Right now we have 12,800 agents with SentinelOne on them. We charge our clients monthly, so it would be really difficult for us to write a check to SentinelOne, in advance, for a full year's worth, at that level. It's been great for us to have the quarterly payments.

    Which other solutions did I evaluate?

    We looked at CylancePROTECT in addition to SentinelOne. We liked the pricing better and the contract options better with SentinelOne. The deployment also seemed to be easier. In addition, SentinelOne detected things that others missed. We did a few quick trials of other solutions, but SentinelOne seemed to be the best in terms of detection. For example, we did a test with Mimikatz and SentinelOne detected it immediately, whereas some of the others bypassed or didn't see it at all.

    And when we talked to the ConnectWise sales rep—because ConnectWise was integrated with Cylance at that point, and SentinelOne was not—the rep told us that they were actually dropping Cylance and moving to SentinelOne over the next year for integration, which was a big factor for us.

    What other advice do I have?

    My advice would be to implement SentinelOne immediately. It is one of the top things that we've implemented and it has saved us countless hours. It's really hard to quantify the savings, but if a client were to get ransomware, it could involve weeks of several team members working around the clock to get them back up and running. Since we've implemented this, we haven't had to do that in an environment where we had experienced having to do so previously.

    The biggest thing I've learned from using SentinelOne is that there are a lot more attacks out there than a typical antivirus will display. Regular antivirus, rather than an EDR-type platform, gives people a false sense of security because there are a lot of processes running in the background that the typical antivirus solution is not equipped to catch. It was eye-opening when we started deploying this at clients, locations where we felt we had very good peace of mind in terms of what was happening. SentinelOne started detecting things left and right that were completely unable to be seen prior.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
    PeerSpot user
    Ashish Dubey - PeerSpot reviewer
    Lead Security Analyst at SecurityHQ
    Real User
    Top 5Leaderboard
    Provides a better graph showing when the alert started, the process, the challenges, and the parameters; has an AI that segregates and categorizes events
    Pros and Cons
    • "The most valuable feature of SentinelOne is the good graph it provides. It has a specific page where it detects the recent attacks on other machines or the hackers, for example, group APT28 and all."
    • "An area for improvement in SentinelOne is the search feature. You can't go beyond twenty thousand events, which ruins the task because it isn't enough when you're doing your investigation."

    What is our primary use case?

    Using SentinelOne isn't part of my daily tasks. My team only uses it when there's a detection, so the tool is only kept as a screenshot or wallpaper and is only used when there's an alert. It doesn't give us many alerts anyway.

    My company uses SentinelOne for EDR purposes for alerts, detections, and patch deployment. For example, some clients ask my team to patch multiple devices and apply policies to the devices, so my team updates policies, applies patches, and updates machines per Windows and Mac updates.

    My company also uses SentinelOne for EDR detections and investigations, including forensic purposes.

    What is most valuable?

    The most valuable feature of SentinelOne is the good graph it provides. It has a specific page where it detects the recent attacks on other machines or the hackers, for example, group APT28 and all. It shows the active group or predators in the market, the tactics the group uses, and the recent attacks the group performed.

    My company even asked a particular client to onboard devices on SentinelOne because it's easier to graph the alerts. The tool can provide you with a better graph that shows when the alert started, the process, the challenges, and the parameters of the processes.

    SentinelOne also has a knowledge base embedded in it. You have to visit the page to get the details.

    I also like that you can see the activities performed for the alerts received from your end. You have a bunch of people working on SentinelOne, and you don't have to worry about not knowing who received and resolved the alerts because you can get information on the activities on the tool. You can view the actions on the alerts and who has taken action. This is a valuable feature of SentinelOne that's not usually provided on the other EDRs because it's unrelated to the investigations. I can see who recently closed or resolved a particular alert on SentinelOne because the name of the person who took action will appear on the activity page.

    Another feature I like a lot about SentinelOne that I can't find in other EDR solutions is the AI segregation and categorization of events. You'll be directed to the logon events category if you're looking into logon-related events. If you're looking into network-related events, you'll be directed to another category, the appropriate one. Based on your search, the SentinelOne AI will segregate the results into categories. You can click on the category and view the categories related to your events. The segregated results then make it easier to do the investigations.

    What needs improvement?

    An area for improvement in SentinelOne is the search feature. It could be easier. For example, you can select the number of results that will be shown to you, such as two thousand events, and you can even go up to twenty thousand events for the search you've made, but you can't go beyond twenty thousand. You can only receive up to twenty thousand if you find login-related, detection-related, or process creation-related events. That's the limitation in the search feature of SentinelOne, which ruins the task because it isn't enough when you're doing your investigation.

    The retention period of the tool also has room for improvement. The retention period is a time when you can patch up the logs, even older ones. Still, on SentinelOne, the retention period is only one week or one week up to twenty-eight days, and that period is insufficient, especially for a security breach. If a security breach occurs within the company, it could be six months to a year, so if you want to view the logs, you cannot go beyond the limit set by SentinelOne.

    The retention period of the tool is way less than what other EDR solutions provide. SentinelOne and CrowdStrike come with a shorter retention period, which means you cannot go beyond one month when investigating the logs.

    One month is the timeframe of the retention period, and one week is real-time, as scheduled by the vendor. For forensics purposes, the retention period is critical, so what would make SentinelOne better is a more extended retention period that lets you investigate logs. If you want to patch logs, you can directly call or reach out to the vendor who can provide you with the logs. If the vendor has no logs, you won't get the initial alert when the incident starts.

    What I want to see from SentinelOne in its next release is a faster search. I also wish that the twenty thousand event limitation be removed.

    For how long have I used the solution?

    I've been using SentinelOne for nine to ten months now.

    What do I think about the stability of the solution?

    SentinelOne is a stable tool that never crashes. It's a good product.

    Its stability is nine out of ten because, at times, the tool lacks robustness when searching. For example, if I want to search, it can take some time based on my ability to search. Searching on SentinelOne can be much faster because, search-wise, it could be a little laggy.

    What do I think about the scalability of the solution?

    The scalability of SentinelOne is much better than other tools, so it's a ten for me, scalability-wise.

    How are customer service and support?

    I haven't contacted the technical support for SentinelOne, but many of my colleagues had experience getting SentinelOne support. One case was about the retention period because a client had been compromised and needed more logs from SentinelOne, but the support team couldn't provide more logs as the retention period was too short.

    Which solution did I use previously and why did I switch?

    My company chose SentinelOne over other solutions because it's powerful in the areas of detection, flagging for alerts, and logs. The alert creation is stronger in SentinelOne, so my company went with this tool.

    How was the initial setup?

    The initial setup for SentinelOne was easy, and I manually performed it. It's easy to deploy a device onto SentinelOne. You have to run the agent, and the application, then the tool will be onboarded. It's that easy.

    The deployment of SentinelOne hardly took me half an hour. Once you've learned how and executed the agent file on the machine, you'll start getting the logs. You'll test, configure, and collect the right resources and receive the logs.

    What about the implementation team?

    I implemented SentinelOne, so it's in-house.

    What's my experience with pricing, setup cost, and licensing?

    As a developer, I have no information on the pricing of SentinelOne.

    What other advice do I have?

    I'm using SentinelOne, the EDR solution.

    SentinelOne is deployed on the cloud, probably the public cloud, though I wonder if it's private or public. It's on the cloud because it has many more features and doesn't use up many resources even when there's a high workload, and as a tool, SentinelOne performs very well. It may be on AWS or Azure, though.

    Within the company, twenty people personally use SentinelOne daily.

    My company is a partner of SentinelOne, so my team recommends it to clients, especially if clients require more detection and easy onboarding.

    I'd tell anyone looking into implementing the tool that it's fun to learn and use. You can use it without needing many clicks to isolate the machine or perform your required activities. One of the best features of SentinelOne is that it has minimal mouse actions. For example, when you click on a machine, you'll get the hyperlink that shows you the machine details, the uptime, when it was first and last seen, the memory, and all the machine details. You get the details in one location, such as the applications installed on the machine, the network-related configurations of the machine, and the machine processes. You won't get as many features from other EDR solutions. You can isolate the machine, repair and update the machine, update the knowledge base and software, and onboard a particular device on SentinelOne. The tool has many more features. It's a good tool.

    My rating for SentinelOne is nine out of ten. Still, if the twenty-thousand event limitation is removed, then that's the time I'd give the tool a score of ten because if there's no limit set, then you can get all process details related to your investigation.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Brian Fulmer - PeerSpot reviewer
    IT Manager at American Incorporated
    Real User
    The MDR service is convenient for a small team like ours
    Pros and Cons
    • "SentinelOne's managed detection response service Vigilance Respond is convenient for companies like ours with small IT teams. If something happens on the weekend, SentinelOne steps in and resolves the issue. It's a false positive 97% of the time, but at least they're resolved instead of hanging around for us to find on Monday."
    • "Managing the false positives creates additional management overhead. The behavioral analysis engine might misinterpret real user behavior as malware. For example, a drafter was cleaning up a Revit folder and deleting 4,000 files. That looks like ransomware. The SentinelOne agent kicked his computer off the network."

    What is our primary use case?

    We're a construction company using SentinelOne for endpoint security with endpoint detection and response. SentinelOne covers all of our endpoints and servers. It protects everyone across the company, even those not actively using an AV.

    How has it helped my organization?

    SentinelOne's managed detection response service Vigilance Respond is convenient for companies like ours with small IT teams. If something happens on the weekend, SentinelOne steps in and resolves the issue. It's a false positive 97% of the time, but at least they're resolved instead of hanging around for us to find on Monday.

    We have the Ranger feature for network scans, allowing us to pick up any new devices that show up on a network. That was especially useful for us when we shifted to working from home.

    If two or more agents are in a remote network, they will scan the network and give you an inventory of the MAC addresses and device types they see. This is handy when you have a small office or someone working from home. We do not allow employees to bring their own devices, but people are plugging their company computers into their home network, exposing them to risks. The ability to report on connections in remote networks is handy.

    What is most valuable?

    SentinelOne's machine learning engine is purely behavioral. The engine will shut down anything that's bad, isolate the system from the network, and alert everyone. We had tremendous success with CylancePROTECT for over five years. Zero successful attacks. In 18 months in with SentinelOne, we've seen the same lack of drama. No endpoints have been compromised to the degree that it has negatively impacted our network.

    What needs improvement?

    Managing the false positives creates additional management overhead. The behavioral analysis engine might misinterpret real user behavior as malware. For example, a drafter was cleaning up a Revit folder and deleting 4,000 files. That looks like ransomware. The SentinelOne agent kicked his computer off the network.

    We interrupted that process and then isolated his computer and the file server. It was somewhat disruptive in the middle of the day. At the same time, it was a perfect simulation of what ransomware would do, so it was reassuring that SentinelOne stepped up and said, "Nope!" 

    It was not a malicious process running that was detected. It was simply behavior he shouldn't have done. Now, our drafters know to co my team when they're going to do some file cleanup. The false positives are just inherent in just the large amount of poorly written software that's out there. Any competent antivirus is going to have a behavioral, heuristic engine looking at what's actually being done.

    It might be something bad done by the software you use. We used a machine learning engine for five years. The Wire Hauser Corporation builds subpar software because they're supposed to be building lumber products. It triggered a false positive, that's about the only negative for any modern AV is just false positives.

    In the future, I would like to see SentinelOne implement integrated patch management. It would be great to manage endpoint patching through SentinelOne. We're on our third patch manager in three years because they are lackluster. It would be nice to have a new patch management tool.

    For how long have I used the solution?

    I have been using Sentinel One for about a year and a half.

    What do I think about the stability of the solution?

    SentinelOne is stable and constantly improving. Today I did a demo of a new acquisition they made for Active Directory. Ranger is the product that scans networks. This is a new product from a company they bought.

    They do automated scans of your Active Directory infrastructure to identify fixable problems and anyone trying to take advantage of the unfixable problems. They're improving their core product while adding new functionality and products that I'm interested in.

    What do I think about the scalability of the solution?

    SentinelOne is highly scalable. I know folks with 10 times the number of endpoints we have, and they're pleased with it. One fellow I know has 4,000 endpoints under management.

    How are customer service and support?

    I rate SentinelOne support nine out of 10. I wish our other vendors had tech support as good as SentinelOne. I can only think of one other vendor that possibly has better tech support, but the vast majority of software companies have sub-par tech support. Little goes wrong, but get a quick turnaround time when something comes up. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We were using CylancePROTECT, one of the early innovators in machine learning next-gen AV. Then they added on an EDR component called  CylanceOPTICS. CylancePROTECT was an outstanding product for us. It was extremely low overhead and highly efficient. It crushed it in the proof of concept and did an excellent job for us.

    Blackberry acquired the solution in 2019, the last year of our three-year agreement. It was awful. Development essentially stopped. All of the intelligent people started leaving. I found out that some went to SentinelOne. It was clear my worst fears were realized: that Blackberry was going to screw up yet another good thing.

    How was the initial setup?

    I had prior experience with this kind of antivirus, so I thought setting up SentinelOne was very straightforward. We stood up three different products in the course of 60 days to do this test. I didn't think there was anything unusual or unexpected about setting it up. It's perfectly understandable if you know what you're doing.

    We have automated tools for deploying software. The biggest problem was getting the old endpoint solution off and the new endpoint solution parked on top of it. We had a 30-day window to get it all done for 250 endpoints.

    My IT group has four people, including me, but it's not hard to manage or deploy. It fits right within our normal imaging endpoints, so it's super-low overhead.

    What about the implementation team?

    We did the deployment in-house. I'm paranoid. I wouldn't let anybody touch our security software.

    What's my experience with pricing, setup cost, and licensing?

    We pay $30,000 a year for 275 endpoints. We're growing, so I plan to buy another 75 endpoints. There is still a year and a half left in my three-year subscription, so I'm going to increase my endpoint count by 30 percent.

    I'm buying midterm. We're a little over our licensing right now—less than 10%—but we'll correct our device count and plan for future growth. We pay for additional managed detection and Ranger network scanning.

    Which other solutions did I evaluate?

    We started doing proofs of concept for a short list of candidates in October 2020 when things calmed down a little bit. In addition to SentinelOne, we were looking at Sophos Intercept X, and CrowdStrike Falcon, which I assumed would win the bake-off. I had every expectation that Falcon was going to be our new endpoint. SentinelOne was kind of a startup. CrowdStrike Falcon was number three. Our second choice would've been Sophos Intercept X.

    We left behind traditional AVs like Symantec and Norton Antivirus in 2016. It's awful stuff. We would've been good with Intercept X or Falcon, but SentinelOne has just proven to be the right choice for what we're doing. I hope they don't get bought.

    What other advice do I have?

    I rate SentinelOne 10. It's an excellent next-gen AV with none of the signature-update nonsense. It'll kill anything that does something bad, which sometimes is an Adobe product, etc. False positives are expected in that situation, but it's not a problem.

    If you're considering SentinelOne, devote time, money, and staff to a thorough proof of concept. If you don't test your use cases, You will regret it. Just assume it's going to be an exit project to do an endpoint security selection. Ignore Gartner's and the press. Don't pay attention to the big analysts. Read the peer reviews and the community feedback. 

    Do the heavy lifting with a proof of concept. If you think you're spending too much time on it, you're probably not spending enough. It's so important. Treat picking a product like you would any other big project.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    SimonThornton - PeerSpot reviewer
    Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
    Real User
    Top 10
    Has good process visualization and automated response capabilities, and comes with excellent support and flexible licensing
    Pros and Cons
    • "The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable."
    • "The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work."

    What is our primary use case?

    We're a partner of SentinelOne, but we're also a partner of many other companies. We're not a vendor per se. We sell SOC as a service, and as a part of that service, we provide protection solutions. My area is around antivirus. So, we are not a reseller in that sense.

    I am using its latest version. It can be deployed on-prem as well as on the cloud. I have customers with a requirement for both. SentinelOne provides their own cloud because that's where they do their artificial intelligence (AI).

    How has it helped my organization?

    SentinelOne is what they call extended detection and response (XDR). So, it is the next generation of endpoint detection. The main difference between Endpoint Detection and Response (EDR) and XDR is that in XDR you have visibility on how something is executing. An EDR solution detects a suspicious or malicious package based on its signature or its behavior and sends an alert, but the problem is that you only see the file that it alerts on. For example, if it is an attachment to an email, you'll see the trigger on the attachment when you try to open it, but what you don't always know is from where that came. With an XDR solution like SentinelOne, you can see the whole process execution. You can say that it was executed from inside Word, Outlook, or something else. For example, when you opened an attachment in Outlook, it triggered Word and got opened in Word. This whole process execution is visible with XDR. It also offers the possibility to suspend or respond intelligently. So, you can use it not only to detect that the package is suspicious, but you could also suspend it so that when the person comes to investigate, the suspended process is still there.

    What is most valuable?

    The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable.

    What needs improvement?

    The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work.

    For how long have I used the solution?

    I have been using it for about a year and a half.

    What do I think about the stability of the solution?

    It gives good stability. It can have an impact on the performance of the workstation, but that is usually a question of tuning. From a stability point of view, I've never had a machine with a blue screen.

    What do I think about the scalability of the solution?

    It scales very well.

    How are customer service and support?

    They're excellent. I would rate them a five out of five.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We are technology agnostic in the sense that if a customer doesn't have a solution, we'll make a recommendation. If they don't have a solution, then our recommendation goes along the lines of SentinelOne, Palo Alto Cortex, Microsoft Defender ATP, or ESET. These are the ones that I typically would recommend, but Microsoft Defender ATP is problematic because you have to have the Azure and Office licenses to get it. For the other ones, you can buy the licenses separately. We also take over other solutions. I have some customers on Kaspersky and other solutions.

    How was the initial setup?

    It is straightforward. If we deploy it from a URL where it downloads, it can be done in 10 minutes. If it is coming from an internal deployment server, it can be a few minutes. It is essentially headless. There are no prompts.

    What about the implementation team?

    I have six people, but they normally work with the customers. As an MSSP, we normally work with the customer IT teams to deploy the agents in large companies. In small companies, it could be our people who do it. 

    The number of people required depends on the number of endpoints, but generally, the number is low because it is a very simple installation. In fact, we even have end users running this.

    What was our ROI?

    It has the best ROI that I've seen. If I compare it to Microsoft Defender ATP or Defender for Endpoint, which a lot of people compare it against because it's included with the E3 or E5 Office licenses, Defender is three to five years behind SentinelOne. You're also tied to Microsoft's licensing scheme, whereas SentinelOne is independent of all of them. The ROI is very good. For me, its closest direct competitor is either Cybereason or Palo Alto's Cortex.

    What's my experience with pricing, setup cost, and licensing?

    Its price is per endpoint per year. One of the features of its licensing is that it is a multi-tenanted solution. From an MSSP point of view, if I want to have several different virtual clouds of customers, it is supported natively, which is not the case with, for example, Microsoft Defender.

    Another nice thing about it is that you can buy one license if you want to. Some vendors insist that you buy 50 or 100, whereas here, you can just buy one.

    The Singularity product has three versions: Singularity Core, Singularity Control, and Singularity Complete. The Singularity Complete one is really what I consider an enterprise rate solution. The middle one, Control, is more than adequate. In terms of price, it works out very similar to what you would pay for Kaspersky or for any other solution. The licensing per endpoint, per year, and per version is progressively more expensive for the Core, Control, and Complete versions. 

    The interesting thing is that it is possible to upgrade across the versions without a major change. If a customer buys the most basic installation and would like some of the features out of the middle, it is possible.

    What other advice do I have?

    You have a choice between an on-premise console and the cloud. My advice would be to use the cloud, but it is a consideration of whether your endpoints can connect to the cloud or not. One of my customers is in the military defense area, and they have no connection to the internet. So, we had to deploy on-prem. What you don't get with the on-prem is all the AI. So, if you're deploying on-prem, you get the core features of SentinelOne, but you don't get all of the bells and whistles that you get from the cloud environment. The same is true for Cisco AMP and other solutions that are deployed on-prem. So, you need to consider how you're going to consume it if you have a disconnected network. If you're in the financial world, a lot of the production networks are not connected to the internet. So, solutions like Microsoft Defender are not an option because they're cloud-based, whereas SentinelOne is an option in those environments.

    I would rate it an eight out of ten. It is a very good solution, but you have to compare it to understand it better.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Head of IT at a transportation company with 501-1,000 employees
    Real User
    Straightforward to install, quick and detailed technical support, and application inventory is helpful
    Pros and Cons
    • "In terms of the engines that SentinelOne uses, it has stopped various scripts from running and it's highlighted lateral movement that we weren't expecting."
    • "With respect to product patches, it should have the ability to patch directly from SentinelOne, rather than be presented with a list and have to do it separately."

    What is our primary use case?

    Our primary uses are endpoint protection and application inventory.

    The management is done through the SentinelOne web interface.

    We work strictly in a Windows environment, using it for both workstations and servers.

    How has it helped my organization?

    At the moment, using SentinelOne brings us peace of mind. It has only highlighted a few things and generally, we've been quite lucky.

    In terms of the engines that SentinelOne uses, it has stopped various scripts from running and it's highlighted lateral movement that we weren't expecting. From that perspective, it's been good.

    We don't have a lot of incidents but SentinelOne has reduced our response time by a couple of hours, per incident. It does a lot more than what the previous AV products did.

    What is most valuable?

    The most valuable features are application auditing and malware detection.

    Application inventory and auditing highlight which applications are installed on the endpoints, and whether there are any known vulnerabilities. If the endpoint is not patched then it will be reported. This helps us in terms of validating our patch management methodology.

    On the malware protection, it looks like it stops all malware and detects things such as suspicious activity.

    The automatic monitoring of OS processes is a good thing to have. However, I'm not totally familiar with the product in-depth. It gives peace of mind in terms of our security and it doesn't seem to have any impact from an end-user perspective.

    We use the threat detection feature.

    The Deep Visibility feature is something that we have used once or twice. It gives us visibility of all of the activities that took place, to determine what exactly was caused. We don't use this feature very much, purely because we don't have many things to look at. We did find some things that were suspicious, and we were able to resolve them. It highlights certain things that we weren't aware of, and then we were able to go in and understand them further. At that point, we either marked an issue as a false positive, or we denied it permission to continue. In either case, SentinelOne stopped it from proceeding. 

    At the moment, my confidence is quite high with respect to the effectiveness of the distributed intelligence at the endpoint. I haven't had reason to determine if it's not working and at the moment, it seems to be doing what it says it does.

    What needs improvement?

    With respect to product patches, it should have the ability to patch directly from SentinelOne, rather than be presented with a list and have to do it separately. As it is now, it shows you what products require patching, but you need a separate application to install the patch. If you could initiate an update to the application from SentinelOne, that would be a nice feature. 

    For how long have I used the solution?

    I have been using SentinelOne for approximately a year and a half.

    What do I think about the stability of the solution?

    Overall, the stability is very good. We have had one version where it had a high CPU usage, but the later versions were better.

    What do I think about the scalability of the solution?

    We have not run into problems with scalability. It can be very good.

    There are three users in the company including the IT department, helpdesk, and operations manager. At the moment, we have implemented 100% of our endpoints. Probably, as we add endpoints over time, our usage will increase slightly.

    How are customer service and technical support?

    The technical support is excellent. We have only had to use them two or three times, and the response has been very fast, very detailed, and very explanatory.

    Which solution did I use previously and why did I switch?

    Prior to SentinelOne, we used Symantec Endpoint Protection. We switched because SentinelOne offered various features such as Deep Visibility, threat analysis, and application inventory. There were a lot of features that SentinelOne had that Symantec didn't, at the time.

    How was the initial setup?

    The initial setup is very straightforward. It was pretty much all done for us. Essentially, all we had to do was install the agent on each workstation that was upgraded.

    It took about three weeks to deploy, covering all 212 of our endpoints.

    We didn't have a specific implementation strategy. We somewhat phased it in, and all of the new devices would be installed with SentinelOne. As we go through the different workstations, we replace what is necessary and upgrade the agent. It was a case of going through our four different offices and because we're quite small, we did it one by one.

    There is no maintenance required, post-deployment.

    What about the implementation team?

    SentinelOne support assisted us with deployment and it was done pretty much right away. They were very good.

    Once the tenant was created, they gave us an overview of how to use it. The product is quite straightforward and easy to use and. There are probably elements we could go through further with SentinelOne, but I don't know if it's because I buy through a third party. Maybe, the third party is supposed to do more, but I'm not sure.

    The reseller that we purchased SentinelOne from is O2 Mobile, and the experience was fine.

    What was our ROI?

    Although there isn't a tangible ROI, the product gives us a lot more detail and insight into the threats, which is valuable. There has been ROI, but it's more time value rather than a hard dollar value.

    What's my experience with pricing, setup cost, and licensing?

    The price is reasonable in terms of what the product offers. SentinelOne is more affordable than some competing products, and it's not overly expensive for what you're getting.

    Which other solutions did I evaluate?

    We looked at Trend Micro before choosing this product. SentinelOne looked easier to use and it was almost a complete product. We didn't go into too much depth, and I cannot compare the detection capabilities, but the cost was a factor.

    What other advice do I have?

    My advice for anybody who is implementing this product is to fully understand all of the elements that it provides and to be aware of all of the features. For myself, I think it's important to have a deeper and better understanding of all of the functionality that the product offers.

    At the moment, we have a lot of trust in SentinelOne. If it continues to stop future threats then I will continue to rate it highly, or even perfect. At this time, I wouldn't say it's perfect because I can't say that I haven't been compromised because of it.

    I would rate this solution a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Buyer's Guide
    Download our free SentinelOne Report and get advice and tips from experienced pros sharing their opinions.
    Updated: December 2022
    Buyer's Guide
    Download our free SentinelOne Report and get advice and tips from experienced pros sharing their opinions.