SentinelOne Singularity Complete Reviews

We are mainly using it to replace a product we used before for antivirus. My specific use case for SentinelOne is threat hunting. I'm a security professional in our organization, doing offensive security. I do pen tests and analysis, and I'm hunting for intruders in our network. That's the context in which I'm using SentinelOne.

We're using two parts of SentinelOne right now. The first one is the antivirus and that has improved our company in that we have been able to find about 25 percent more malware on our machines than the old solution did, and that's remarkable because we are a bigger company and we used a big solution from a big player in the market. Finding 25 percent more is a really big increase. 

In addition, previously we were not able to collect all the actions from our clients in the field, and search, systematically, through what they are doing and see if there is an intruder. It's the first time that is possible for us, with SentinelOne.

In terms of incident response time, it's too early to provide real numbers because we haven't finished the rollout around the world in our company. But from the trend I have seen, I would estimate we are saving about 20 percent in response time, compared to our old antivirus solution.

When talking about mean time to repair, our old solution had some problems on several clients, which resulted in having to completely restore the client. That is something we haven't had with SentinelOne, up until now. It's also difficult to estimate because we don't have it on every machine. The old product was on about 5,000 machines and I now have SentinelOne on 2,500 machines, so it's not a completely fair comparison. But if you need a number, it has also been reduced by 20 percent.

In addition, it has increased analyst productivity in our company. My main job is to analyze many of the malware threats and, again, penetration testing. But the connection to virus total is a very helpful thing and I am using it heavily. That reduces the payload I have to analyze manually and the amount of malware I have to execute in sandboxes. It has probably reduced my workload by about 50 percent. That's really great.

For me, the most valuable feature is the Deep Visibility. It gives you the ability to search all actions that were taken on a specific machine, like writing register keys, executing software, opening, reading, and writing files. All that stuff is available from the SentinelOne console. I'm able to see which software is permanent on a machine, and how that happened, whether by registry keys or writing it to a special folder on the machine. That's threat-handy. Deep Visibility has found threats we did not know were lingering on endpoints, but I am not allowed to speak further about this issue.

Because we are a bigger company, we are doing a step-by-step rollout. We don't have all countries fully in production, where "fully in production" means that SentinelOne is the only antivirus product on the machine. So in some countries we just have it reporting and not quarantining. For example, in China we have SentinelOne completely up and running, and there the Behavioral AI analysis is one of the reasons the antivirus is so effective. To be honest, we have to white-list some stuff which behaves weird but is really needed and not harmful to us.

The Behavioral AI recognizes novel and fileless attacks and responds in real-time and it does so really well. That is one of the things that has really brought us forward. It completely changes how we work with our antivirus solution. The previous product just gave us the information that the software had blocked something, while in SentinelOne we really see what was going on. We see the complete path of execution for a given malware: how it got on the machine and how it got executed. And then, SentinelOne stops it. It gets executed but then gets stopped, and that's something completely different from a pattern-based antivirus.

Another great benefit comes from the fact that SentinelOne doesn't rely on pattern updates. For some machines we have at customer sites, which are not reachable by internet or VPN, we have better protection than before because you don't need to update the SentinelOne agent every day to get the actual pattern from it. The Behavioral AI gives you protection even if you don't update the client. That's a great benefit for us at customer sites.

When it comes to the Storyline feature, as a penetration tester, I'm doing threat hunting. Every time malware gets executed on a machine, it's something I have to investigate. Normally we block it very early, on our proxy servers, for example, for all our users. Seeing how the malware got executed shows me the kinds of security holes we have are on our proxy servers. That's very important for strengthening some portions of our defense in other places.

The solution’s distributed intelligence at the endpoint is pretty effective, but from time to time I see that the agent is not getting the full execution history or command-line parameters. I would estimate the visibility into an endpoint is around 80 percent. There is 20 percent you don't see because, for some reason, the agents don't get all of the information.

Another area that could be improved is their handling of the updating of the agent. It is far from optimal. The agent changes often and about 5 percent of our machines can't be automatically updated to the newest agent. That means you have to manually uninstall the agent and install the new agent. That needs to be improved.

I have been using SentinelOne for about a year. Because we have been using it for a long time, we have several versions in production but we tend to use the most recent. The version we are using mainly is 4.5.2.136.

We literally haven't hit a minute of downtime. It's pretty stable and I haven't even given its stability a thought.

In the beginning, I saw that Deep Visibility was really fast. Then, with more and more agents reporting their daily work to the console at SentinelOne, I noticed a decrease of response time with the console. But what's really great is that they updated the console rapidly and the response time got better and better. Now I like the response time. There are ups and downs in the console response times, and in how fast the agents are reporting, but I have the feeling that SentinelOne monitors that and reacts if it gets too slow. Of course it's a trade off for SentinelOne between response times and costs. But right, it's more than we need.

In terms of expanding our usage, there's another very interesting product called Ranger. Right now we feel it's too expensive, but it might be interesting in the next two or three years. For now, we just want to finish our rollout.

My overall experience with their technical support has been positive.

SentinelOne does not provide equal protection across Windows, Linux, and Mac OS, but it's the first antivirus solution we have had in our company which provides any antivirus protection for all these very relevant operating systems. None of our previous antivirus solutions were on Linux and on Mac. That is really helpful for us because we have it all under one hood.

This is the first time we have used an antivirus software as a service and it was the easiest set up I have ever had in my life, and I have been doing this stuff for many years. The console was set up by SentinelOne, literally in 20 minutes. The deployment of the agent took me five minutes for the first machines and they reported within those five minutes. That was the fastest ramp-up I've ever seen.

There are three IT security guys who are concerned with information security in our company. Normally I don't do antivirus stuff. My colleagues are information security officers as well and don't care about antivirus. But I got this project to roll it out it all over the world because I'm one of the technical guys who is capable of doing it. So strictly speaking, I'm doing it alone—one person for 5,500 computers. But at least we have people in every time zone who are capable of using the SentinelOne console, more or less. Altogether, there are six people in our company who actually access the solution, including me.

We had an implementation strategy. Because we had a major pain point in China, we started rolling it out there. Because it's in a completely different time zone and the people are completely different in their mindset, this was one of the critical areas for us. It worked like a charm. I installed 230 machines within five days, and then I recognized that SentinelOne was finding so much more than our old antivirus solution that I started to really do a rollout plan. 

As part of that plan, we always install SentinelOne side-by-side with our old solution, and that works great. They say, "Don't ever have two antivirus solutions on one computer," but that's not true for SentinelOne. You can configure both and they work together. In the first step, SentinelOne is on the machine, just reporting to the console. That way, I see which software gets executed, software that SentinelOne might find problematic, and I do whitelisting or blacklisting, depending on the software. Once I don't get much software that I have to whitelist, I put the client into a kill and quarantine mode and every software gets removed automatically. Once the agent is in kill and Quarantine mode, the old antivirus solution is uninstalled. That's how we do it, country-by-country.

The time it took was affected by the Coronavirus. As a result of that, many of the machines were not onsite and many of the people weren't online, or were only on VPN. I don't distribute SentinelOne by VPN because people at home normally don't have a big bandwidth and I didn't want to stress it even more. I kept in mind that they were covered by our old solution, so there was no big need to really push it forward. But the 2,500 machines we have installed took six months.

SentinelOne gives their customers access to the SentinelOne API and that made it possible for me to write software for the deployment of SentinelOne. I'm speaking to the company to get permission to publish this software as open source. That might help many other companies that are facing the same problems I have in rolling it out all over the world.

It would be easier to calculate ROI if we had already rolled it out to every machine, because the number I have to compare it with is for the complete installation on all machines. My feelings say "Yes, we have seen ROI," but I don't really have good numbers that I could give you.

There are no fees other than their standard licensing fees.

We compared five products. We had a matrix with weights and the requirements we needed from a new antivirus solution. We did three proofs of concept and SentinelOne won it easily.

It was difficult to compare them because we had one other product that worked with artificial intelligence as well, but with a completely different mechanism. We also had three traditional antivirus products based on patterns, and it was really difficult to compare the features of SentinelOne with the competitors. That was the reason we decided to do a POC.

The biggest lesson I have learned is that SentinelOne is an antivirus product which gives you, on the one hand, all information you could dream of if you need to analyze software or malware, especially, on the machine. On the other hand, it's simple and fast and easy to use, and that's something I really appreciate.

We have been playing around with the solution's ActiveEDR technology, to get an idea of what is possible. We have not gotten so far that we use it for building KPIs and the like. But we have noticed it and it seems it could be a big game-changer for us, but I can't really provide much information on that topic.

While I really use Storyline right now, I'm the only one who does so in our company. I'm not sure if we will use it in our company on a large scale. That's the other side of this product. We don't have many people who are able to work with the information you get out of the module from SentinelOne.

We don't use the rollback feature, we just use quarantine right now. We haven't had any outbreak of cryptoware encrypting files. So as of now, we haven't needed it. That might change in the future.

I would rate SentinelOne a 10 out of 10, and I don't give 10s easily. I really love how simple and effective the product is. I really love the visibility it gives me into the endpoint. I really love that they open their product to the customer to enhance it with custom-made software, giving you the APIs to program it. Those are all things competitors don't have.

I really feel like the software has made my life easier. As I said before, my workload for malware analysis dropped by 50 percent. That's why I'm really thankful and really appreciate the product. I would say to everyone, at least give it a try. For our company, it really fits.

We use it for endpoint protection. It's an active EDR endpoint protection tool. Think of it as an antivirus and endpoint protection solution with machine learning, like McAfee on steroids.

In our company it is deployed in 83 countries and on over 40,000 workstations and servers.

It provides incredible visibility in a single pane of glass. The dashboard gives me visibility over all the endpoints, which are broken down by country, and then broken down within each country by brand and machine type. It provides a very simple way for me to understand if

• we're being targeted globally
• my endpoints are actively being attacked
• we have outstanding issues in any one region
• we have malicious activity.

In addition, it logs to my SIEM tool, cloud-natively, which makes it a very effective weapon to help diagnose and remediate any potential bad actors in my environment.

The Behavioral AI feature for ransomware and anti-malware protection does an outstanding job of identifying abnormal behavior patterns in my environment. Once we allowed it to sit in learning mode for about 30 days, we switched all our endpoints into what is called Protect mode, instead of Detect mode. With Protect mode, we have different functions available to us, such as kill, quarantine, identify, and rollback. Using those features, we are really able to protect our endpoints much better. We take advantage of the fact that we have a machine, or an automated process, governing our endpoint protection. That reduces the total headcount needed to babysit my environment.

Furthermore, Behavioral AI recognizes novel and fileless attacks and responds in real-time. It improves my security, reduces my total cost of ownership and management, and provides enhanced protection for what is now a highly mobile population. Due to COVID-19, we have had to take most of our workforce, and that's over 40,000 people around the world, and give them access to work remotely through a series of different mechanisms. In doing so, we felt much more comfortable because we have this endpoint protection tool deployed. It provides us not only the visibility into what the tool is doing and how it's protecting us, but it allows us to look at what applications are installed, what IP range is coming on, and what network it's sourced from.

And with Ranger we're able to help identify additional networks. Using SentinelOne with Ranger, allowed us to take a look at some of our smaller offices in Asia Pacific where we didn't have exceptional visibility.

We also use the solution’s automatic remediation and rollback in Protect mode, without human intervention. I want to protect mode for both malicious and suspicious, and that is in Protect mode. Having turned that on, we saw no negative impact, across the board, which has been an outstanding feature for us. It does save time on having to go in and identify things, because we allowed it to run in learning mode for so long. It learned our business processes. It learned what's normal. It learned file types. It learned everything that we do enough that, when I did turn that feature on, there were no helpdesk calls, no madness ensued, no people complaining that files were being removed that they needed. It worked out very well for us. 

We also use the solution’s ActiveEDR technology. Its automatic monitoring of every OS process, at all times, improves our security operations greatly. There is a learning time involved. It has to learn what processes are normal. But the fact that it's actively engaged with every process—every file that moves across it, every DLL that's launched, whether or not it's automated or process-driven—everything is viewed, inspected, and categorized. And it allows us to have enhanced visibility that ties directly into the Deep Visibility. I can look at and help identify behavior patterns. 

For example, yesterday I wrote a series of queries for Deep Visibility that are based on MITRE ATT&CK parameters. Those give me reports, on a daily basis, of how effective this tool really is because I can use MITRE ATT&CK engine parameters to help define what's going on. Even if something is not considered malicious behavior by the tool itself, if I take that information and couple it with information I can pull from Tanium and information I pull from other tool sets, and aggregate that into my SIEM tool, my use case is provided. I get more positive and actionable intelligence on how my endpoints are behaving. If I have somebody out there who is doing testing of software, I can pick that out of a crowd in a second.

We have application control and containers available. Since we have AWS, Azure, and a myriad of cloud platforms, it's been hugely beneficial to us. Considering that we are endeavoring, as an organization, to move into cloud-based solutions, this has been a huge benefit.

Overall, SentinelOne has absolutely reduced incident response time. It's instantaneous. It has reduced it by at least 95 percent.

I use the tool to help me determine how well my other tools are working. For example, we have a role called a RISO, a regional information security officer. Those people are responsible for regions of the globe, whether it be Latin America, Asia Pacific, or AMEA. The RISOs now use the tool because it can help them identify other tools we have rolled out, like Zscaler. They can go into the SentinelOne console and query for Zscaler and look at all the machines in their environment and determine what the delta is. It allows people with different levels of knowledge and different roles in an organization to have visibility. It's been outstanding. That, in and of itself, makes it a better tool than its counterparts and it makes it usable for non-technical and non-security people.

We get the long-term strategic benefits of having enhanced visibility and the more short-term tactical benefits of knowing that our endpoints are protected, the visibility is there, and that no matter what lands on top of it, it's going to get taken care of.

The most valuable feature of the solution is its ability to learn, the fact that once you tune it correctly, it knows how to capture and defeat malicious activity on the endpoints. It's not set-it-and-forget-it, but it does give me a much more comfortable feeling that my endpoints are secure and protected from malicious behavior.

SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's. The latest Mac OS X that's coming out is already supported and in test for our organization. The complete coverage of every OS that we have in our environment has been a huge benefit because I don't have to have different tools to support them. There are cost savings not only on licensing but because I don't have to have different people managing different consoles. For me, having single pane of glass visibility is incredibly important because we run a very lean team here. We are a skeleton crew governing all 83 countries. In doing so, it provides us the ability to do a lot more with a lot less.

I use the Deep Visibility feature every single day. It is outstanding because I just create hunting cases and then I can load them. I can figure out what queries I want to run and I can go digging. And with the queries that I have built for the MITRE ATT&CKs, it makes it very simple to identify something. And now that I have reporting set up based on those queries, I get emails every day.

Using Deep Visibility I have identified a threat and figured out information about it. I've also used Deep Visibility to be proactive versus reactive as far as my alerting goes. I know that SentinelOne will protect my endpoints, but there's also a case where there isn't specific malicious behavior but the patterns look malicious. And that's really what I'm writing these queries for in Deep Visibility.

Here's an example. You can do a lateral movement in an organization. You can RDP to one server and RDP to another server, depending on how your software defined perimeter is configured. Unless you do something malicious, SentinelOne will look at it, but it won't necessarily stop it, because there is no malicious activity. But I can write a query in Deep Visibility to show me things. Let's say somebody breached my secure remote access solution. With the Deep Visibility queries that are being run, I can see that that one machine may have RDPed to a server and RDPed to another server and been jumping around because they may have gotten compromised credentials. That can be reported on. It might not have been malicious behavior, but it's an activity that the reporting from Deep Visibility allows me to pursue and then do a deeper dive into it.

If they would stop changing the dashboard so much I'd be a happy man. 

Also, if it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit.

The nice thing about SentinelOne is that I get to directly engage with their leadership at any time I want. That allows me to provide feedback such as, "I would like this function," and they've built a lot of functions for me as a result of my requests. I don't really have much in the way of complaints because if I want something, I generally tend to get it.

I have been using SentinelOne for about 14 months now.

It's incredibly stable. We really haven't had any significant issues. There have been a couple of things here and there where certain versions of the product weren't disabling Windows Defender effectively. I think that was predicated on a GPO that we identified that had been accidentally linked and that kept turning Defender back on again. The issues were very trivial things.

I talk to my TAM once a week, minimum. I think I have the best customer support in the business.

I had an issue that I raised a couple of weeks ago and within minutes I had an army of engineers working on it. By the end of the week, I had senior management calling me asking me what else I want, what else I need, and how else they could help me. 

They go all-in. I have never had to wonder or concern myself with whether I will be getting adequate support? Will the support be on time? Will the support be effective and accurate? Not once, not ever.

I have such a close relationship with the team, not only the team that sold it to me but the team that supports me. We call each other on a first-name basis and we talk about how we're doing. It's that kind professional relationship. That's how good it is.

Before, we had a mix of dozens of different solutions across the enterprise. We didn't have any one, ubiquitous solution. We had a mix of McAfee and Panda and Kaspersky. You name it, we owned a copy of it, and that didn't provide a unified field of view. It also didn't provide the best protection that money can buy and, in my opinion as a professional in this industry for 25 years, this is the best protection money can buy.

The initial setup of SentinelOne was very simple. I packaged the executables into MSIs, including the token ID, I created a package in Tanium, and I dropped it on all the workstations. I was able to deploy it to over 40,000 endpoints in 35 days.

When you govern as much real estate as I do, meaning the number of endpoints and the number of different business units that those endpoints comprise, there had to be a deployment strategy for it. I broke it down into countries, and in each of those countries I broke into brands and I broke it into asset types, whether they be servers or workstations, whether they're mobile or localized. It's not difficult to push out there, as long as you create exclusions. I used my legacy tools in parallel with this for a month and still never faced any issues.

For any organization, if you have any kind of deployment mechanism in place, you could put your entire workforce on this and it wouldn't matter how many endpoints. If they're online and available and you have a deployment solution, you could do it in a month, easily, if not less. I could've done it much faster, but I needed to do a pilot country first. I did all the testing and validations and then, once we went into production mode, it was very fast.

I got a really good deal so I'm very happy with the pricing.

I looked at everything. I looked at CrowdStrike, Cylance, Carbon Black, and I had McAfee as the largest of the incumbents. I tested them all and I validated them all and I pushed every malware virus—everything in my collection—at them. I built a series of VMs to test and validate the platform. I tested against multiple operating systems. I tested against downloads, I tested against uploads. I tested visibility. I did this entire series of tests and listed out 34 or 35 different criteria. And at the end of the day, SentinelOne came out on top.

One of the huge benefits of SentinelOne is the Full Remote Shell. That has been an incredibly useful tool for me.

Cylance came in second. It has very similar functionalities, very similar builds, but not a full remote shell. It had the single pane of glass dashboard, but the visibility I get out of SentinelOne, as well as the protection and the capability to run the Full Remote Shell pushed it over the top.

Carbon Black was nice, but I had to run two different dashboards, one cloud and one local. I couldn't get single pane of glass visibility from that.

When I tested SentinelOne against all the engines, they all pretty much found everything. Mimikatz was the deciding factor. A couple of the solutions flagged it but didn't remediate it. SentinelOne just rolled everything back as it started to discover it. It actually pulled the installer out, so that was nice. 

A lot of new technologies that are out there are very similar. They are pulling from public threat feeds and other learning engines. But if you compare and contrast all the features available, SentinelOne is just going to edge everybody else out. And they're constantly evolving the product to make it more efficient and to have a smaller footprint too. When they came out with Ranger, we were still doing some network discoveries around our environment to try to figure out exactly what was still out there. That came to be a very useful tool.

It really just shines. If you compare it to everybody else there are a lot that come close, but nobody else can really quite get to the top. SentinelOne really gives you the best overall picture.

Do your homework. I would encourage everybody, if you have the capabilities, to do what I did and test it against everything out there. If you don't have those capabilities and you want to save yourself a lot of time, just go straight to SentinelOne. I cannot imagine any organization regretting that decision. With the news stories you read about, such as hospitals under attack from malware and crypto viruses—with all the bad actors that exist, especially since the pandemic took over—if you want to protect your environment and sleep soundly at night, and if you're in the security industry, I highly encourage you to deploy SentinelOne and just watch what it's capable of.

I don't use the Storyline technology that much simply because I'm really turning this into a more automated process for my organization. An example of where we may use Storyline is when we download an encrypted malicious file. Let's say that email was sent to 500 people. If it gets through our email gateway, which is unlikely, I can not only identify those users quickly, but I can also use the Storyline to determine where it came from, how it got there, and what it was doing along the way. And while it killed it, it will tell me what processes were there. It helps us create and identify things like the hash, which we then summarily blacklist. Overall, Storyline is better for identifying what had happened along the way, but after the fact. For me, the fact that it has actually taken care of it without me having to go hunt it down all the time is the real benefit.

The only thing we don't take advantage of is their management service. We do have a TAM, but we don't have Vigilance.

For top-down administration, there's only about six of us who work with the solution. For country level administration, we have one or two in every country in those 83 countries.

We run a myriad of different front office and back office environments. SentinelOne had to learn different environments in different countries. It had to understand the business processes that are surrounding those. We did a substantial amount of tuning along the way, during the deployment. And then, of course, there are agent updates and there are considerations when you get a new EA version and are creating test groups. But, as an organization, we have reduced our total cost of ownership for our EPP platform, we have improved our visibility a hundred-fold, and we have maintained our data integrity. It really is the one end-all and be-all solution that we needed.

It's a home run. I've been doing this a long time and I've done this in over 48 countries around the world. Given what we do with this product and the visibility it has given us and the protection it has given us, I feel very comfortable with my security right now.

SentinelOne performs primary functions for our endpoint antivirus and anti-malware solutions. It's a centralized managed version of an antivirus product that gives real-time information on any kind of threat we might receive. It's very broad. It not only protects through signature defense, which is like what most common antivirus products do, but it also does behavioral which has been absolutely lifesaving here a couple of times.

It has saved our bacon more than once by detecting threats. It even detects zero-day threats because it detects them through their behavior. It doesn't need a signature. It actually keeps me busy with this and the insight into the agents that are installed. Our level of protection around here has never been this high.

By comparison, we're also running Windows Defender, which comes with Windows 10 operating systems. We collect that data through our SCCM and SentinelOne finds threats that are at a rate of 25:1 to 30:1. It's not even close. SentinelOne has made a tremendous difference in our ability to protect our endpoints and servers.

SentinelOne gives us a lot more insight into the endpoint for the agents that are installed there. I can actually see applications. We can see precisely anything that needs to be patched, something that is dangerously out of date, or a security vulnerability. I can get insight into all of that.

It gathers the data for anything that is related to the security of an endpoint. It has very configurable policies. We can make the agent as locked down as possible. It can be very intolerant or you can actually make it to where it's relatively loose, in which it warns you about everything but doesn't lock everything down on everything, which is the way we run our environment.

At our university, there is a lot of end-user freedom that you cannot curtail like you could in a corporate environment because people doing research tend to go to a variety of websites that they really shouldn't go to. It keeps me very busy but SentinelOne has proven so far to allow us to stay ahead of the game as opposed to playing catch up.

The agent communicates through to the console incessantly. It has some intelligence on the agent, but most of the time it's literally getting its instructions from the console. That has been extremely effective and very useful. The effect on the end-user experience is practically non-existent which makes it head and shoulders above other antivirus and anti-malware platforms.

SentinelOne does not impede our ability to do our work. It doesn't start to show latency. It doesn't take up a lot of extra memory or a lot of extra cycles. How it's able to do what it does on the endpoint, as powerfully as it does, without affecting the end-user experience is beyond me. It's a stroke of brilliance in their programming. Very seldom in security products do you get the best of both worlds. Usually, you have to give up convenience for security. But in this case, they go hand-in-hand. It's very impressive.

We have used the one-click automatic remediation and rollback for restoring an endpoint quite a few times. Its ability to mitigate a threat, whether you're deciding just to kill it, quarantine it, rollback, or just remediate, which changes files back, is absolutely very easy, very intuitive, and very fast to get the job done. It's top-notch.

SentinelOne has dramatically reduced our mean time to repair. In many cases, if I have to remediate a threat, I can see the threat, confirm it is a true positive, and then I can send it to remediation. It takes roughly two minutes. Whereas, in prior times, we'd have to dispatch a technician to go out there. A lot of times, they could not remediate the threat because we didn't have the capabilities that this thing has. They'd have to fully re-image the machine, which is a two-hour deal to re-image the machine, copy the data back, and configure for the end-user. We took that job and took it from a two-hour job down to about two to three minutes. It's been a dramatic effect. 

The automation SentinelOne offers has increased analyst's productivity. We have fewer people due to budget cuts which means we are wearing more hats. The efficiency of this particular product has enabled me to do that relatively seamlessly. It is a phenomenally efficient and useful product.

There is a feature that allows for deep visibility, which is interesting. You can actually research files. It also does threat hunting. It goes out and finds vulnerabilities before you actually have to deal with the vulnerability. But that is at an additional cost. It's something you get if you buy additional structure.

The best thing SentinelOne has done for us is that it gives us insight into the endpoints. We never had insight into lateral movement threats before. Once a threat known as Qbot gets on the network, it actually spreads throughout sub-networks quickly. SentinelOne has detected that and saved our bacon. We were able to get in there and stop the threat, lock it down, and prevent it from actually spreading through. It would have been 50 or 60 computers. It had spread through in a few minutes. We have a lot of HIPAA data and FERPA data that we need to keep protected.

In a situation where we had a Qbot that was caught by SentinelOne, it literally saved the university millions of dollars worth of privacy protection we would have to pay for. SentinelOne has made a big difference. 

We use the storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and techniques. When we get a warning, it comes up as a very nice dashboard-type screen we can go to. It gives a lot of information on the threat right away, including going to the storyline. You can actually trace it back to the actual file. You can see where the compromise happened, the exact steps that happened, and what happened from thereon.

It's almost like a giant flow chart. It shows you where everything's going, what affected what, what was changed, what was modified, and it also gives you the opportunity at that time to actually do a rollback which allows you to roll back all of those things that were affected and changed at that particular point in time by the threat. 

The storyline automatically assembles a PID tree. I use it more for my own purposes just to see where things came from and the damage they'd done. But we don't actually make a lot of use of a lot of higher functions like that. When there's a problem, we're able to rectify the issue and get the end-user up and running again. We don't have the personnel we had before, which gives us the additional cycles to actually research a lot of these things and go through them and focus on that. We don't make a lot of use of this particular functionality.

The way SentinelOne displays the threat has been the greatest effect on our incident response. It tells you exactly what the threat is, where the threat originated, allows you to look it up quickly in places like VirusTotal and Recorded Future which are malware information sites. You can link the hash of the file directly to the sync without having to do a lot of copy and pasting. It actually knocks some time off of the research of a problem when you do that. It allows me to quickly determine whether the threat is true, or if it's a false positive. It's a pretty strict engine.

If something is relatively programmed sloppy, a lot of times it assumes that that is a threat and it will flag it as suspicious. It can be a little overzealous when it comes to that. In this industry, you'd rather have that than something being too lax. You can configure it so that even if it does see something that it doesn't like, it doesn't stop it automatically. It just alerts you. It doesn't hamper the end-user if you don't want it to do that. But it puts the onus on the administrator, in this case, me, to verify the threat and deal with the threat quickly, or mark it as a false positive. Then, when you do mark something as a false positive or as a threat, it has a backend database. 

The machine learning is very impressive. Once I actually start to configure the machine learning, my day-to-day administration of it, roughly four hours, shrinks down to three hours, then two hours and an hour and a half, because the amount of machine learning involved saves us all that time. That's been its biggest improvement for me. It allows me to be very efficient with my time. It learns our environment, actually stops threats before they get there, and ignores the false positives without having to come up and bother you every time, then ask for input for it.

SentinelOne has dramatically decreased my incident response time.

We've used the deep visibility feature a few times. We don't make a lot of use out of it. We were using the deep visibility feature to search through our entire environment. There was a particular piece of software that was being flagged as not being used in its appropriate manner. It was being used as an enterprise service and it really wasn't. We were able to use the agents on SentinelOne and use its deep visibility to find the particular program and obtain its hash from there. Then, we were able to use the SentinelOne agent to extract this particular program on there, so we were no longer operating something out of license. That's what we've used deep visibility for. 

Deep visibility is very useful. If I had to simplify it, I would say if you know the threat you're looking for, it's fantastic.

Using the deep visibility, we did not find threats that were lingering on our endpoints, because the SentinelOne agent had dealt with them. We used it for a purpose that it probably was not intended for, which was actually finding specific software that was not supposed to be installed in our environment.

SentinelOne provides equal protection across Windows, Linux, and Mac OS. This particular product has worked so well that we mandated it across all workstations and all servers in our environment. It is our primary endpoint defense across all three of those operating system platforms. It has proven to be equally effective amongst all three. It did such a good job that it is our frontline.

I find their version naming conventions interesting in the fact that it's not just a number so it does help to recall some things when it comes to what version you are on. Anytime I open a support ticket, they always ask me what version of the console I'm on. I always have to look that up. I never remember that because this particular Liberty version has changed four or five times over the last month and a half.

They have tiers of support like most companies do. For the first three years, we had the top tier of their support and we would get a response from a technician quickly. We didn't have many things we had to ask of them. They would be very quick. We are now one tier down from that. The SLA for us is no longer within an hour or two. It's within half a day or something like that. As far as if I do ask a question of them, it is a little slower than what it used to be. I understand that we're at a lesser tier, but sometimes it feels like that could be a little better. I have to preface that by specifying that we're no longer paying for their top tier support.

They changed the UI a little bit which is to be expected but there are times where I actually preferred the older UI. The newer UI, once I got used to it, was fine. But before, when we would launch into the UI, it went straight to the bread and butter. In this case, it goes to a dashboard, which gives some statistics on the attack surface, endpoint connection status, and stuff, which looks nice. It's a lot of nice bar graphs. It's a lot of nice pie charts. But that's not what I really need. I had to configure it to get it somewhat back to what it was. I wanted to know immediately if there any threats that are incoming. I actually had to add that. I think the new dashboard has a lot of bells and whistles but I don't need it. We used to have to dig in to get this kind of stuff and that's exactly what I prefer it to be. The dashboard, in my particular case, has to tell me where the threat is, how severe the threat is, and let me remediate it as quickly as possible. I don't want to fish through pie charts to find that.

I think they put this new dashboard in two versions ago. In their defense, it's a fully customizable dashboard. I was able to put back what I wanted. It seemed like that should be a default, not something I have to add later. 

I have been working with SentinelOne since 2017.

My primary function is endpoint security and administration of SentinelOne and the other applications that go with that particular function.

The baseline, the agents, the console, and its primary functions are always steady. Those have never been compromised by any of their patching or updating. That has been really good. In our case, we still have some Windows 7 devices in our environment because they're older. They run a very specific piece of software that's not been upgraded, and by watching money, they don't want to upgrade certain pieces of software, specific labs, or things like that. They don't support their older clients past a certain date, which makes perfect sense. However, the agent doesn't just stop working. It still does its job. It loses some of its functionality, but it still does the primary job of protecting the endpoint. That's one thing I do like. Even if you do go out of date on something on an agent version because you're limited by the operating system, it doesn't just die. It still does its job.

We have a 100% adoption rate. We've used all of our licenses. But we are trying to get more licenses so that we can cover our labs and other places like that. We did not have the budget at the time to cover everything we wanted to cover.

We do have plans to increase usage. It's done a fantastic job. And so every time we can, we do add more licenses to it with the end goal of actually covering not only our faculty, staff, and workstations, but also all of our labs.

There are 1,823 users online right now out of 2,750. In addition to myself, there are three other individuals who have administrative privileges and there are other members of the security department in the event I'm not here or I'm on vacation, they can fill in that role. Our IT assistant manager has read access to it so he can see in there, access the API, and can actually incorporate SentinelOne data into ServiceNow. SentinelOne has a very robust API, so if you're into programming or integrating it into other systems, you can do that.

It has phenomenal scalability. It can be used as just a small business or it can operate on hundreds of thousands of devices in a single enterprise.

We don't lose any functionality by its scaling at all.

Support has been knowledgeable and well thought out. I don't feel like I'm getting a copy and paste. The technician interacts with me. The more data I can give them, the more they get back. I feel like someone's really putting time in to fix it, and they want to get the job done right the first time. I've never had to go back to them for the same problem.

Their sales rep and sales engineer usually assign two people to your case. One's your actual salesman and the other salesman is your technical salesman, the guy who answers the tech questions. They have been very involved. When it comes to deploying this, they help get the packages created and figure things out. They point you in the right direction. I can reach out to them directly. They have gotten back to me quickly and are very thorough. Their customer support from a salesperson to help desk individuals or whoever you're reaching out to remotely has been top-notch. They've always been professional. They have always been quick and they've always done the best job they possibly could for you. I can't say enough about them, they have been very impressive.

The previous tier is slower than what they are at now. With the service level agreement that we have, they need to get us an answer within around six hours but before they would answer within one hour. They've always been ahead of that curve, but it is a little noticeably slower than it was. That's because we're not paying them for that level of service. We can't really expect them to do anything more than that.

The previous solution we used was the Windows System Center Endpoint Protection, which is a part of the Microsoft Active Directory. It's a solution that's packaged with all the Windows products. It has a centralized means of communicating back when it detects an error. However, it was woefully inadequate. We had no idea how bad that was until we tried SentinelOne. We had no idea how teetering our environment was on the threats of viruses until we actually had the insight that we did through SentinelOne.

We switched because we knew the product. We knew what we were using. We were getting to the point where we knew that our current solution was inadequate. We started looking around. We looked at Red Hat, Cylance, and a couple of other ones. We looked at these vendors of these products to gain greater insight. We knew we had to spend the money to get what we needed to get. SentinelOne was brand new at the time and we decided to give them a shot. The Chief Information Security Officer had gone to a conference and was interested. SentinelOne came in, made their pitch, we went through some examples and some tests, and they let us do a proof of concept.

I was around a day and a half into the proof of concept and I was sold. It was an unbelievably effective product so we decided to go with it. Within a month of that, we had another level of agents out there. We were covering the bulk of the machines we needed to cover and we have not looked back since. It's been one of the few things that we have done here that we have never second-guessed.

When we looked at the solutions, Cylance had similar capabilities as far as having a behavioral engine and a static engine, but the difference was the usability of the interface. SentinelOne's interface is phenomenally well laid out, easy to do, and very efficient. The other products we looked at were nowhere near as efficient on the user interface side.

We didn't test them thoroughly enough to find out if there was something that got through on SentinelOne that didn't get through on the other solutions. I don't know how it does it this quickly, but in addition to its own engine and its own ability to check through behavior, it actually references VirusTotal. VirusTotal is a website of centralized virus information. Even if their engine were somehow not detected, it checks the threat against VirusTotal and if any other engine out there has detected that threat, it flags it. It actually uses the intelligence of the other anti-malware products. It does it quickly. I have no idea how it does it that quickly, but it's impressive.

We went with cloud-based instead of on-prem. Going cloud-based was pretty easy. The most difficult thing we had to do was deploy the agent. They don't have any means of deploying the agent. You have to use either your Shoe Leather Express, you have to go walk around and deploy it. And in our case, we use our active directory network, we used SCCM to push it out to departments in that manner. 

One thing that would be nice is if they had a means of deploying their agent. For example, a long time ago, on a different network of a different company, they wanted some help, and I helped them install a Sophos antivirus solution. Sophos had a means of emailing. You can email people and they could click on a link, which would download and install the agent for them, which was nice. Now, we depend on the end-user to do their part of the job which is risky. But one thing about SentinelOne is that I can upgrade agents all day long, but I can't deploy an agent to a machine that doesn't have one on there. There's no means of doing that. I wouldn't expect them to have that in there necessarily, but I think it would be a fantastic ability if they could do that.

I actually like their agent. As a matter of fact, it's required. I don't see how they'd be able to pull it off otherwise to do what it does. My point is, if a computer did not have SentinelOne on it and they were to run into a problem, for example, if we had a device that's not on our active directory network and we wanted them to deploy SentinelOne on it, the only way for me to do that is literally to run the user down, find them, or find their device and install it manually. It would be really nice if there would be a means to deploy it to an endpoint.

We have 2,750 licenses, and I was able to deploy it to 2,750 devices quickly. If you have a deployment mechanism like using your domain or your network, you can actually just say, "Please put it on these devices." You can create an installer package and it talks back to the console and that's it. It's super easy.

Our deployment took close to six months, not because of SentinelOne but because of internal politics.

Because SentinelOne was a new product and anytime you install anything new here, it has to go through committees to install things, we targeted our most high valuable departments first, the ones with the protected data and also administrative offices, like the president of offices and HR. We tested it in our department first and once the rest of the university saw that our computers didn't go up in flames, they began to relax about it. Then, we went to our high priority departments, our Chief Information Security Officer got behind it 100% and pushed the issue, which allowed us to go full force on it after we got through the initial departments. We got it in there, we tested it in our environment, created the packages for it, and tested it in our department for a month. Over the next four months, I rolled it out to individual departments in groups.

We did the deployment ourselves. We only needed one guy to do all those things centrally, which was nice. I was the primary person responsible for the deployment. I would occasionally enlist some help with my coworkers, specifically when we were initially deploying it to go over and test it on some machines. Once we got past the initial deployment, it was just me.

In terms of maintenance, it is no more than a mouse click away. I can upgrade agents in batches, which I normally do, and they are very aggressive about creating new agent versions. The agent versions actually contained more capability. Right now the agents are extremely powerful. I can update every agent here at once, all I have to do is select them and deploy the agent to them. It's very easy.

SentinelOne has paid for itself more than once because of the threats it stops. It allows central management, the end-user does not have to interact with the antivirus at all. They will get a warning that says, "Hey, you went somewhere risky," but it's all centrally managed. We don't have to dispatch a technician to go out and try to clean something. I can literally clean it right here from the console. It actually has full rollback capability. If you have ransomware that goes and encrypts an entire hard drive, the way the SentinelOne works on a Windows machine is so that I can hit a rollback command and I can roll the thing back before the thing got there and actually defeat ransomware for that.

It's been night and day for what my job was previous to having this solution.

They were very good about finding a price that could work for us. I'm not the bean counter, so I don't know exactly what the end cost was, but I do know that we got them at a time of the most financial stress we had been under and they found a way to make it work for us. It was a three-year contract and everyone fully expected the price to take a significant jump because the capabilities of the solution had been significantly increased with no additional costs. We expected it to maybe even be priced out and they did not. It went up a slight bit, which you can expect, but they worked with us. We were one of the first companies to go with them here, in Ohio. They have a lot of respect for their loyal customers. They worked with us and allowed us to keep this high-level product and actually add more licenses to it without breaking our bank.

In terms of additional costs, they've added something called Ranger and another layer of deep visibility. The base console doesn't come with that. Ranger is threat hunting and we were able to use the Ranger and the visibility, which is the threat hunting and of course the deep visibility and more in-depth storyline. We were able to use that, but we hardly ever needed that for our environment and the way we use the product. Because of that, we did not opt to have those in our current console.

We do more threat response than hunting. We put the latest and greatest agent out there and it's backed by this particular product but we just simply don't have the personnel to do it like we used to. That's the one thing we're missing. If you were to add the deep visibility and the threat hunting capability onto it, it would be a little bit more. I don't think it's that much of a significant cost, but I don't know the end results of the prices. Because we didn't make use of those two functionalities, they just cut it out.

I could not recommend SentinelOne highly enough. The one thing about this product is something I very seldom say when it comes to almost anything in life, sadly, is that I trust it. I trust this program to be well taken care of on the backend. I trust this program to do its job on the frontend. I trust the endpoint and network security of our university to this product. I have no doubt that we're in good hands. It has proven itself with ransomware, proven itself with Qbot infections, proven itself with a multitude of end-users. 

We had a pen tester on campus that was actively trying to hack things, doing penetration testing, and SentinelOne stops him every time. Every time he got to the machine with SentinelOne on, it stopped him dead in his tracks. The pen tester said, "Your endpoint solution here is fantastic". This is a trained white-hat hacker trying to break through and he couldn't do it. We gave him a foothold, an account, and all kinds of stuff. We opened the door for him to see how far he could get. He was able to get in on machines that did not have this level of protection. He was able to get to devices, create administrative users, elevate privileges. You name it, he can do it. Once he got to a machine with SentinelOne on it, it stopped him.

They didn't tell me we were pen-testing. Suddenly I was seeing lateral movement and all kinds of things on the network and I ran this guy down just to find out we hired him to go do this. I thought we had a hacker on-premises.

I would recommend that anybody who uses this product also interacts with other people who have it. Another university was the first university that had it near us and then we got it. They were a big help to us, as far as answering questions about the deployment. They told us about a couple of little headaches to watch out for. It had nothing to do with SentinelOne, but how Microsoft servers operate. So we were able to save ourselves a lot of time by interfacing with the network of users of this particular program.

What I've learned with a product of this caliber is how efficient one person can be. I don't think you're going to find many places where you have primarily one person safeguarding the endpoint solution of an entire university. The good news is that because everything is the way it's set up, the way it's configured, and the machine intelligence that I've added over the last three years, if I'm not here and someone else steps in front of it, it can run itself in many ways. I've learned that if you find the right product, you can become incredibly efficient.

I'd give SentinelOne a ten out of ten. I'd give it higher than that if I could. I've actually done calls where they've called me and had me speak to the salesman, we had a really good working relationship. He had me call and speak to people who he's actually trying to sell the product to. I think I've sold half a dozen of these things for him, but I can't recommend it enough. I believe in SentinelOne wholeheartedly.

Singularity Complete combines prevention, detection, response, and remediation for endpoints, servers, and VMs. It autonomously blocks malware, ransomware, and zero-day threats using behavioral AI and machine-speed prevention.
Enables natural language queries, auto-summaries, and investigation notebooks for faster triage and hunting

It has reduced the need for manual intervention and accelerates incident response, lowering operational overhead.

Provides rich forensic data and automated root cause analysis cuts down investigation time from hours/days to minutes, improving SOC efficiency.

I believe it is currently at its best.

Moreover SentinelOne development teams is working for continuous improvement of agent and console features.

We started deploying it in 2018.

I do confirm, it is a really stable solution: we have been using sentinelOne solution for years and the agent minimizes conflicts and reduces system resource consumption, which contributes to stability across diverse environments.

The platform is built on a cloud-native foundation, So we don’t need heavy on-prem infrastructure, it means we can easily scale up or down as our organization grows, without worrying about hardware limitations.

One lightweight agent handles EPP, EDR, threat hunting, and even IoT/identity protection, reducing complexity and makes scaling across thousands of endpoints straightforward.
Finally the management console provides centralized control for endpoints across multiple regions and environments (Windows, macOS, Linux, cloud workloads).

5 star.
Very fast and very professional.

P.S.: I cannot edit “Pros” and “Cons”

Positive

Previously, we had the McAfee, which was complicated to managed. 

We heard about this SentinelOne and its new antivirus, so we contacted our consultant who organized a PoC. After the PoC, we decided to migrate the solution.

For deploying, it takes a long time. Our process was first to install SentinelOne with McAfee, having two antiviruses in the same host. Then, we started to uninstall McAfee. That process took about six to nine months because we had a lots of endpoints to deploy.

The antivirus migration was smooth. The only thing that was tricky was the removal of the McAfee tool because sometimes it worked incorrectly and didn't uninstall the antivirus.

The deploy was almost completely autonomous, we just followed the suggestions provided by SORINT and used our software distribution tool to install the agents on our assets.

I am sure the solution has reduced our incident response time and detection as well, but we have never evaluate, calculate an actual Return of investment of the solution. We will think about it, thank you.

I haven't managed budget so far, so I have no experience with licenses and costs

No other solutions were evaluated.

I would rate this solution as a 10 out of 10.
The only advice I would give is to try the solution with a POC/POV and evaluate the solution features provided with the complete. 
I am sure they will be surprised by the effectiveness of the solution and the simplicity of its management.

The use case varies based on the customers' requirements and specific needs.

The solution's Ranger functionality offers network visibility and a defined set of capabilities, particularly in terms of discovering and understanding network structures. 

The fact that Ranger doesn't necessitate new agents, hardware, or network modifications is a crucial aspect for us. It stands out as one of the primary selling points, especially considering the intermittent nature of changes like those affecting CPO. 

With the increasing prevalence of remote processes and a shift towards cloud architectures like SASE or SSE, moving towards a single vendor for security purposes could simplify the overall process. It aided in minimizing alerts, primarily due to the behavioral analytics component, which reduces a significant amount of noise. 

It contributed to time savings for our team, particularly for the projects and tasks I predominantly handled on my own.

The solution contributed to a decrease in our organization's time to detect incidents and respond to incidents. It aided the organization in cost savings and it contributed to a reduction in our organizational risk.

One of the most valuable features resides on the endpoint, with the rollback functionality standing out as particularly noteworthy. It seamlessly integrates with other solutions, providing a high level of compatibility and effectiveness. 

The capability to ingest and correlate data across our security solutions stands out as one of the strongest features. It excels in connecting incidents to create a coherent storyline.

Improvement seems necessary, especially with the focus on enhanced support. This is particularly crucial in the analytics domain, where the existing agent falls short in comprehensive performance. Additionally, there's room for enhancement in the mobile element. Although it's in their pipeline, the current state is not optimal, especially when considering the need to install it on people's phones.

I have been using it for a year.

The stability is straightforward and solid. It's notably uncomplicated and easily manageable.

The scalability is excellent, with a high degree of flexibility and ease.

Mostly, we handled the support aspect for our clients. However, among the vendors, it's notable for being quite strong in terms of support. I would rate it eight out of ten.

Positive

The initial setup was straightforward.

When it comes to deploying the agent across machines within the environment, it's a relatively straightforward process, akin to pushing it through the system's processor. The implementation strategy is contingent on the specific cluster, taking into account factors like the proof of concept and the desired objectives. In our case, we managed the implementation independently, involving only a few people. The deployment model is highly variable and depends on the customer's preferences. They typically communicate their preferences to us, and we adapt accordingly. Some opt for in-house hosting, while others prefer a cloud-based approach. It doesn't require maintenance. 

The pricing is on the higher end, making it less suitable for small or medium-sized businesses and perhaps not the ideal fit for the public sector where budget constraints may be more pronounced. I would recommend it more as an enterprise-level product.

SentinelOne Singularity Complete was selected from a range of different providers, evaluated against other companies, and then analyzed to be the chosen product for our managed service. The capacity for innovation, ease of deployment, and streamlined management set it apart from other solutions. Additionally, its leading capability to correlate incidents into a cohesive storyline is a noteworthy aspect.

As a partner, I find them to be highly effective, especially since they are increasingly focusing on the enterprise market. Overall, I would rate it nine out of ten.

SentinelOne Singularity Complete has improved our security stack. You don't have to worry about monitoring 24/7. 

The tool's most valuable feature is Vigilance Respond Pro monitoring. You don't have to have a dedicated SOC and worry about staffing. 

I don't like switching the way you switch from legacy to XDR.

I have been using SentinelOne Singularity Complete since March 2023. 

SentinelOne Singularity Complete is stable. 

The product is scalable. 

A reseller consultant helped us with the tool's implementation. Our experience was good. 

SentinelOne Singularity Complete has freed up my staff's time and helped them focus on other tasks. 

The product's interoperability with other SentinelOne solutions and third-party tools is good. 

The solution has reduced our organizational risk. We have faster responses to incidents. 

SentinelOne Singularity Complete is a mature and solid product. I like the standard EDR capabilities. 

I rate it a nine out of ten. 

We are using SentinelOne Singularity Complete for an EDR platform for our clients.

The most valuble feature of SentinelOne Singularity Complete is the recovery and zero-day detection.

SentinelOne Singularity Complete could improve by having DNS filtering. Other competitor solutions have this feature.

I have been using SentinelOne Singularity Complete for approximately one year.

We have approximately 1,000 people using this solution. We have plans to increase our usage.

The scalability of SentinelOne Singularity Complete is great.

We do the implementation of the solution in-house.

I have previously used BitDefender.

The initial setup of SentinelOne Singularity Complete is easy. For exciting clients, the deployment of the solution can be done in minutes.

I have received a return on investment using SentinelOne Singularity Complete.

We've used SentinelOne Singularity Complete capability to enhance our offering and, therefore, be able to leverage that to increase our pricing.

For our use case, the solution is affordable. There are not any hidden fees.

We evaluated Sophos, Carbon Black, and CloudStrike before choosing SentinelOne Singularity Complete.

I rate SentinelOne Singularity Complete a nine out of ten,

The primary use case of the solution is cybersecurity. The solution provides endpoint protection against direct threats and insider threats.

The most valuable features are Deep Visibility, Remote Script Orchestration, and Ranger.

The solution can improve by adding more granular firewall capabilities. I would like to see an interface where I can in one view change the security posture of all groups with one click. I would like to have a listing of all the groups and then apply what's relevant to all the groups at once.

I have been using the solution for one year.

The solution is extremely stable.

The solution is scalable.

The tech support is brilliant.

Positive

The initial setup is straightforward. It takes about four weeks to deploy.

The implementation was done in-house.

The ROI is good. Once you go through the stabilization phase and get to know and understand the customer's environment and configure accordingly to what the customer needs, the return is there immediately.

The license is paid annually and is competitive. There are features that are not included in the licensing cost but it does include Vigilance and STAR.

I give the solution a nine out of ten.

On average, once the implementation phase is complete the solution only requires two people to maintain it.