SentinelOne Singularity Complete pros and cons

The most valuable feature varies from client to client but having absolute clarity of what happened and the autonomous actions of SentinelOne are what most people find the most assuring.

The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes.

The detection rate for Sentinel One has been excellent and we have been able to resolve many potential threats with zero client impact. The ability to deploy via our RMM allows us to quickly secure new clients and provides peace of mind.

The most valuable feature of SentinelOne is the good graph it provides. It has a specific page where it detects the recent attacks on other machines or the hackers, for example, group APT28 and all.

SentinelOne's managed detection response service Vigilance Respond is convenient for companies like ours with small IT teams. If something happens on the weekend, SentinelOne steps in and resolves the issue. It's a false positive 97% of the time, but at least they're resolved instead of hanging around for us to find on Monday.

The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable.

The ability to get queries by pressing the "tab" button is a plus for SentinelOne.

It has saved us from a couple of ransomware attacks already.

I like that SentinelOne doesn't use a lot of system resources or make the system slow. It also performs a full scan quickly—within two hours. It has an easy-to-use end-user GUI.

It protects your machine, and it does an excellent job using AI to determine an attack and stop the attack. Its most powerful feature is prevention, and it can unwind ransomware activity as well. So, it is a really useful product in that sense.

As a cloud-based product, there is a minimum number of licenses that need to be purchased, which is unfortunate.

There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap.

One area of SentinelOne that definitely has room for improvement is the reporting. The canned reports are clunky and we haven't been able to pull a lot of good information directly from them.

An area for improvement in SentinelOne is the search feature. You can't go beyond twenty thousand events, which ruins the task because it isn't enough when you're doing your investigation.

Managing the false positives creates additional management overhead. The behavioral analysis engine might misinterpret real user behavior as malware. For example, a drafter was cleaning up a Revit folder and deleting 4,000 files. That looks like ransomware. The SentinelOne agent kicked his computer off the network.

The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work.

It is difficult to manage users in SentinelOne.

If they can extend their product further on the DLP side of it so that I don't have to have another agent run exclusively for DLP production, that would be ideal.

We'd like SentinelOne to upgrade automatically. It doesn't automatically update the agent if some system has an older version of the SentinelOne. It has to be triggered from the console.

One of the things they could do is extend the product range to include Android and iPhone so that you could have the app on your phone as well. There is probably something going on there with that, but that's something that they're lacking at the moment. For instance, if I was to have to recommend a client to protect their phone, I'd have to recommend Norton or something else. I don't have an answer within the SentinelOne solution.