SentinelOne Singularity Complete Reviews

We use SentinelOne as an endpoint protection solution.

The overall integration functionality for this solution could be improved. 

I have been using this solution for three years. 

This is a scalable solution.

The customer support for this solution is good.

The initial setup is straightforward.

I would recommend that anyone considering using this solution first understand exactly how this solution works and what their business needs. 

I would rate this solution a nine out of ten. 

SentinelOne monitors our infrastructure 24/7.

We are a very small team. Recently, we had to add an extra person; we had two guys, but now there are three. We have about 2000 endpoints and servers, which is a lot if you have to do it on your own. The SOC monitoring that we now have from SentinelOne gives us more time to focus on other important stuff and go to bed without any worries, since SentinelOne is watching over us.

They also guarantee an insurance. For example, if your company has been infected by ransomware, then they provided one million dollars or something as an assurance. For us, if SentinelOne has the balls to say, "Okay, if endpoints are infected, we will give you $2,000 per endpoint that is infected." That's a way for them to convey that we can trust their company.

It is easy to manage and install. It has a very nice graphical interface that is very intuitive when end users are using it. You don't have to follow or read a book about 600 pages to have knowledge on how to use it. When SentinelOne is up and running, you can easily find your way. 

They do updates all the time. It's very nice to see how they constantly evolve. New features are being added each time that I take a look at the interface, which is really nice. It's not something you have to do for yourself all the time. You just go to the interface of the management portal, and you will see each time a new feature has been deployed. For example, when we started with SentinelOne, we had some applications that needed to be whitelisted, where we had to go through a whole bunch of licensing rules provided by the distributor. Now, we have the possibility to select from a catalog which rules we want to whitelist, since we are using that application. It is such an easy step for us, which is nice. It makes our life comfortable when managing all our endpoints and very complex infrastructure.

The Behavioral AI recognizes novel and fileless attacks and responds in real-time. The nice thing about SentinelOne is that it is behavior-based, so the AI is smart enough to detect when something is moving. For example, an external person was doing some administrative tasks for us, and he used a tool that is also used by attackers. He called me, and says, "I'm blocked. I think SentinelOne is seeing my tool as a virus or malware." Then, I looked at SentinelOne, and it says this guy is using hacker tools. That is what I found very nice. SentinelOne can immediately identify the tools used by hackers. In this case, it was immediately blocked, even though it was not a malicious application, Trojan, or something like that. Because the solution knows hacker tools and behaviors, it says, "Okay, this cannot work on this environment. This will be blocked." That's something that I really like.

It is a good use as an EDR solution because it immediately reacts on stuff. It also quarantines endpoints.

We are now using an external monitoring tool to monitor the services of SentinelOne, because apparently they don't have any solution for that. When the SentinelOne agent is down, you can go to the interface and see a mark on SentinelOne that something is not correct or the server needs to be rebooted, but you will not get an alert. You will not be warned that there is an issue with the SentinelOne agent. I have found that a little bit disturbing, because then we need to use a third-party monitoring tool to make sure that all services of SentinelOne are up and running. 

We installed the agent a little more than a year ago.

One of the nicest things about SentinelOne is their support. I never met a company which gives such fast, great support. It's extremely fast. When I create a case with some questions, they answer immediately. They provide us with information on how to do stuff, and if we have issues, then they give us an update immediately. Normally, when I open a case with other products it takes days, but with SentinelOne, I get a response in about half an hour. Most of the time, it's cleared in about two hours time.

If we have a remaining question that has nothing to do with the things that the case was created for, SentinelOne will still answer. Some companies need you to create a new case for this, but SentinelOne just says, "Okay, we will help you also with this and provide you with more info," which is magnificent.

The support is very handy because, when you have an issue, it's like working with an extra colleague. If you ask a question to recall it, SentinelOne support can solve it in about two hours, which is nice because then you can go to the next thing. You don't have to focus anymore on the problem. With other vendors, it takes some days to solve it, then it hangs.

Our previous antivirus server was on-premise. When we did the updates, then all the clients needed to be connected to that on-premise server. However, with COVID-19 happening, we have been very happy that SentinelOne is in the cloud because even when an endpoint leaves the company, they are still protected by SentinelOne and receiving updates. SentinelOne gives more time back to a small team as well as always being accessible, even if you're not at the company.

The initial setup was easy. We did it step-by-step, so we didn't deploy it to all our endpoints in one shot. We deployed 300 or 400 endpoints per week. This was in case there were any issues, then we could act immediately so we wouldn't have an impact on the whole business. However, we didn't experience any issues. We were up and running in about three or four days and had migrated 2000 clients to SentinelOne.

For our implementation strategy, we deployed one day, then another day we would watch. Then, we deployed another day and would watch the next. So, in about two weeks, we were up and running. We decided to do it that way because we have had issues with mass rollouts in the past. Now, we are very careful when rolling out stuff to the whole company. Perhaps, it might have not been a problem to roll it out in one day, but we did it very slowly to have a kind of a control outcome.

The solution gives us more time. We can divide our productivity and time to other products. We don't have to look at SentinelOne a lot.

The pricing level for this service and application was very interesting for us. I don't know exactly what the price was, but apparently it was a big surprise that the SOC was also included in our pricing model.

The Deep Visibility feature practically double the price. Because we have a SOC, we rely on them to have insights about all the threats, so we are not monitoring our environment ourselves. It is mostly done by the SentinelOne SOC. That is the reason why we decided not to go for this feature.

We believe the traditional antivirus protection that is using signature-based validation is outdated. We had a look at different solutions, like CrowdStrike and SentinelOne. These solutions are more AI-based that go on behavior. When we spoke to SentinelOne, they also offered a SOC as service. This means that SentinelOne is monitoring all our endpoints with us, and we don't have to do anything, because they do all the hard work. They validate the detections. So, if SentinelOne detects something on the endpoint, the SOC of SentinelOne will validate and see if it is a false positive or true positive. In case of a true positive, it will then see if there are extra steps needed. If that is the case, then SentinelOne contacts us through email asking us to do some final steps or provide them with the info.

SentinelOne was lucky because we first looked at CrowdStrike. However, they were pushing us all the time to get the deal. My manager got furious, and said, "Okay, let's stop everything. We told you we cannot decide before the end of October. That's our company rule." The pressure was too high from CrowdStrike. Therefore, we decided to have another look at SentinelOne. The first time when we saw SentinelOne, it was never mentioned in any Magic Quadrant, so it was hard for us to have a view on what the public experience was with SentinelOne. We were a little bit scared in just believing the vendor and their marketing people that it was a great, innovative product which uses smart technology and behavioral-based analysis. 

SentinelOne will not scan my hard disk. SentinelOne does not care about the hard disk. It only reacts when you execute something. So, I know when I connect my hard disk to my desktop with my tools on it, I don't have to be scared. SentinelOne will not respond, as long as I don't use the tools. A lot of other antivirus vendors, they will immediately start scanning the USB drive or external drive, and they quarantine all the tools. I don't like that. I know it seems a bit strange that it doesn't scan the USB drive. However, I don't care, as long as it protects the USB drive as soon as someone is executing or installing something. This is more convenient for me than something that scans all the time.

We have a partially view of the Storyline technology because we don't have the full license of SentinelOne. The Storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and techniques is very clear and nicely presented. They make it very clear on what phase it is in the attack. If it's a lateral movement, they make it very easy. I'm very happy with that.

I would rate this solution as a 10 out of 10.

We are a company with several types of PC users. Our office ranges from marketing to sales, and we also have people who are remote on laptops all over the world, as well as an R&D department. Those people use PCs in different ways. 

We wanted a platform that has ways of dealing with various kinds of users, but we also wanted a central management so we could overview the state of all our endpoints with one view.

We use the central cloud interface to manage all our endpoints.

We only use it on Windows machines.

It delivers the type of security which we were hoping for, since we have a lot of different endpoint users utilizing different types of software. We have people who only use Office software, like email, Word, and PDFs. Then, we have people who use some applications that other people wrote. We also write applications in-house using people who develop software. Therefore, we have some machines using very high-end developer software for mechanical development, electronic development, and software development. Those users are used to managing their PC on their own. The centralize platform allows us to differentiate between those three groups of people. We have overall control and can oversee the security levels at all the endpoints. They have not yet been blocked in any way when performing the functions.

I have one instance where we had a trigger of an attack. Luckily, it appeared to be in an unregistered program created a lot of threats by renaming files. This was something that the employer developed by his own. This was an unknown program that generated a lot of threats to very quickly rename a thousand files. However, it was not an actual attack, but the behavior of that program was such that the AI protection of SentinelOne kicked in and alarmed us of a possible attack. One of our employees created a program just for his benefit. It had exactly the same behavior as a ransomware attack would have had, then it kicked in. This is why I'm confident that SentinelOne will also detect real ransomware actions. That is the only one instance where I encountered the Behavior AI software kicking in.

We haven't had any real attacks over the last year. We did have some intrusions mainly from suspicious files that people were getting via their browser and some attachments that I tried to open with double extensions. Luckily, in the last year, we haven't had any actual attacks.

The effectiveness of the solution’s distributed intelligence at the endpoint is 100 percent. We haven't had any incidents break through. We only see a very small reduction in PC performance.

The main reasons that we use SentinelOne are the antivirus and Behavioral AI protections. We have this solution centrally managed to see what endpoints are active, along with the latest software protection running. It also provides us external control, so we can block machines remotely, even if they are in another country, because we have account managers all over the world. All these features together protect us against strange behavioral programs.

SentinelOne's one-click, automatic remediation and rollback for restoring an endpoint is very handy. We had some issues with programs that were unknown by SentinelOne, then marked as suspicious and quarantined, because we also develop software ourselves and have software packages that were compiled in 1995 and don't conform to the normal rules. SentinelOne always marks those packages as suspicious because they do something different than they should when you compile them with current libraries of Windows, etc. Therefore, we had some interventions of SentinelOne where you can easily whitelist them and rollback the quarantine action so people who use those old-fashioned programs could easily continue with their work. 

This was only an issue during the first month when we rolled out the software, then it starts doing scans mainly on the R&D PCs, which was our great concern. Normal office use is fairly straightforward, but when you develop software (and we also develop software to communicate with our embedded systems), then the demands are a bit different. However, until now, we have been very happy with it.

We have had one or two occasions when we had to roll back off our Windows machine. Then, we had an issue with SentinelOne where we couldn't let the client make contact with the cloud service anymore. Therefore, the integration with the Windows Service Recovery could be improved in the future.

We have been using it for about a year now. We rolled it out in December 2019.

All the endpoints are running without problems. It is very stable. We have deployed several versions of agents. I haven't encountered any issues, apart from when that rollback occurred, and the SentinelOne agents were locked out of the cloud platform, and the only way to retrieve that was by installing it again by hand. 

Up until now, SentinelOne's effectiveness has been 100 percent.

We are a relatively small company with about 80 employees. Most things are offsite. We do not use automated things very much.

There are four users from the admin side.

Together with another colleague, we chose SentinelOne, then tested and deployed it. A few other colleagues have monitoring views in SentinelOne, e.g., if a site has to be whitelisted. 

I had one issue that I brought up with customer support. They delivered a solution in about two hours. It was related to the issue with the agent. I just issued an email, and in about an hour, the problem was solved. I was delivered a good solution: an uninstalling procedure and how to go about it. That's the only thing that we needed it, and the only time we needed the technical support.

Before this solution, we used McAfee, which was not enough for our use. Then, SentinelOne came into the picture. It not only had static virus checking (antivirus), but it also had the Behavioral AI features, like triggers, that we could investigate.

The McAfee solution that we had was more demanding, more expensive, and had less functionality. Three to four years ago, we had an incident with ransomware, and it wasn't detected at the time by the McAfee on all the points. There were two points that were affected. Since it wasn't noticed by the McAfee. we were considering other software solutions from that point on.

SentinelOne offered a good solution, which is the main reason that we went with them. It was easy to manage, although we didn't use McAfee the way we use SentinelOne right now. McAfee was incorporated in our company about 20 years ago, so we probably didn't use all the facilities that McAfee can offer now. 

SentinelOne made us a good offer, especially regarding the Behavioral AI aspect of the protection. Therefore, we just wanted to see what they could offer us. After a year, we are still very satisfied.

SentinelOne had a smaller footprint, both in resources and time-wise, as in load, than the McAfee solution that we had previously.

The initial setup was fairly straightforward. It was very easy to start up. You didn't have to go into a lot of documentation to roll it out. We used the management from the central platform, not our own central platform on-premise, and did it on the cloud version. This way, it could be delivered and updated remotely.

The deployment took a week. We deployed it to about 90 endpoints.

We just had a discussion with the SentinelOne service provider onsite. He gave a revision of how SentinelOne should be deployed along with some examples. Before we deployed it to the entire company, we had a testing time of about two months. 

SentinelOne has reduced incident response time. The two main pillars that SentinelOne helps us with: 

1. Central management: I can ensure management that if there is a breach all the machines and endpoints are up-to-date and protected. 
2. SentinelOne allows us to switch off an endpoint remotely, which we could do previously. Most people are on-premises, but there are 15 to 20 people all over the world with laptops connected everywhere. 

It saves a few hours a week for one person, because you can see the statuses of all the machines in one place. 

It was cheaper than McAfee, which was a way to convince management to go with the solution.

At the moment, we are very pleased with the solution.

We saw the Storyline technology briefly. However, the Storyline is only when you have actual attacks, and they are not caught in the beginning. Most of our attacks were caught just by static recognition of the files, so there was no story because the file was not allowed to activate. In the beginning, we did some fake file checks in an enclosed surrounding and in a CM setup, which is how I saw the Storyline facilities, but we don't use it.

I would rate this solution as a nine (out of 10).

It's for our regular laptop users, desktops, and our production servers. For the production servers we use it to make sure there is nothing coming from the outside. And for our regular users it works everywhere, so they can do everything with a laptop.

It's a cloud solution. We don't have a large business. We have a lot of services but we don't have many users. Everything is in the cloud and we have about 20 clients or 20 agents for normal users in the Netherlands and we have between 100 and 200 users in the Philippines. The rest is for server safety.

There is a lot of remote work at the moment and SentinelOne provides the safety I want. Everything goes outside now and the only control I have is Sentinel One, but it gives me enough control.

We have developers who do a lot on their laptops and sometimes they create problems. When that happens, SentinelOne is pretty fast with them. We have configured it to disconnect them from the network so we don't end up with more problems. Now, those developers know they have to contact our IT department if they want to fix it. The great thing there is that we know that when something happens on a laptop it is isolated.

We see what is mitigated and what is not. And when SentinelOne is in doubt, it asks the managers what to do with what it has found. When you have arranged that once, it will take care of it the next time. That's great.

Overall, it's effectiveness is 100 percent because we don't see many outbreaks anymore. Nobody's complaining about using their endpoints.

I've only done a rollback once and it worked flawlessly at that moment, but that was nine months or a year ago. It saved us a lot of time because the problem didn't spread over the network. It affected one machine because it was disconnected from the network. We then rolled it back and it was up and running again. If the rollback hadn't worked well, it would have meant a couple of days of additional work. If the outbreak had reached my network I would have had to clean everything. I was able to do everything from the portal. The connection with the manager was still there. We just had to click on two buttons and everything went.

Overall, it has helped to reduce our response time by about 20 percent. 

The most valuable feature is the information it finds and what it is doing with that information. I can check if the info it sends is true. It's very clear. 

And if you configure it in the right way, it does a lot automatically. And that's what you want. You don't have to use it every day. I only log in to the SentinelOne portal once a day, just to check if there are alarms or the like and that's it. The rest is flawless.

Now that we've been using it for six months, SentinelOne knows what we want to have, what it has to do and it works that way. So it's very simple to use and that's pretty nice for the team. 

The best part of the agent is that users can't remove or disable it, so endpoints will be safe. I can control it from the portal. I can see when it's updated and I can push updates from the portal. The greatness of SentinelOne is that our end-users don't see anything to do with the agents. Some of them don't even know it's on their laptops. And that's a good thing.

It's good on Linux, and Windows is pretty good except that the Windows agents sometimes ask for a lot of resources on the endpoints. That could be in the fine-tuning of the scanning. In Mac, they are complaining about the same problems, that it's using a lot of resources, but that could also be that we have to configure what it is scanning and what it should not scan. Currently it scans everything.

I have been working in my current company since April 1, so I have been using it here for six months. But I used it in another company in Eindhoven for a couple of years. That company was also a provider of SentinelOne and that's why I know how it works and what it does.

It has great stability. We haven't experienced any downtime or any kinds of bugs. If the users use the endpoints normally, nothing happens. We have some users who think they have to bypass SentinelOne, and then we sometimes have problems with those endpoints. But that's because of user action. It has nothing to do with SentinelOne.

We started with about 50 endpoints and now we have over 300. We haven't had a problem with it.

There will be more servers to watch over so our usage will be increasing. When the business grows, our IT will grow with it, and SentinelOne has to grow along with us.

I have used their technical support and my experience with them has been very good. They are fast. They know what they're talking about. Those are two great things for support to have.

Before SentinelOne the company was using F-Secure. It started as an antivirus and then F-Secure also made a cloud-based endpoint protection solution from it, with a managed base and automation and checking for updates. It works with a database, which is not the way SentinelOne works. F-Secure is much cheaper.

They switched to SentinelOne because it is more for malware. F-Secure doesn't do anything in malware, just virus scanning.

The initial setup of SentinelOne is straightforward. It's fairly logical. Everything works in the way you think it has to work. It's pretty simple to work with. It's just a matter of installing the agent and go. It takes about two minutes. There is an agent client with token codes. You just install the token code in it and reboot your endpoint and it's working.

We have it installed on 305 endpoints. This is a work in progress. We didn't have all of those endpoints when SentinelOne came in. We've rolled out new endpoints. But, it doesn't take long for a machine to get an agent and to make a connection and to get updates. Once you are in the portal, you can update from there. And then, you only have to check if it's already there and if the agent is working.

If we push an update, within an hour everything is there. If they are all online it will go pretty fast.

It's working simply. You don't have to learn a lot to know what it does and how to work with it, and that saves time. And it gives you a solid solution for security.

You have to look at the kinds of problems you can end up with and the fact that you want security against them, and then SentinelOne is not expensive. That's the way I would sell it. 

If you avoid having one outbreak a year, just one, then SentinelOne is worth the money. When you have that one outbreak and it spreads across your complete network, it means days of work are gone. For a complete environment like ours, with 300-plus users, it would be very expensive.

I've also used Sophos with customers. If you want to have a safe environment, then you have to work with tools like SentinelOne. F-Secure and Sophos work with databases for virus knowledge and that creates a delay.

Also, SentinelOne has the rollback which works flawlessly, whereas F-Secure and Sophos don't have that.

My advice is start working with it. You're going to love it.

The biggest lesson I've learned from using SentinelOne is that security tools can be different. SentinelOne has taught me that you can do security in different ways. If it sounds expensive, I would not always say that it is expensive.

We are a very small business. We don't have somebody who specializes in security. Our IT is just three people who do everything. That makes it difficult to say we are going to focus on SentinelOne and try to use it completely. We put it into use for malware security and that's it. We only have a WatchGuard firewall on the front-end and that's it in terms of security on SentinelOne.

They are improving the management tools. They are getting better. The portal is functioning with more logic. Those are good improvements. It's user-friendly enough. People with low IT knowledge can work with it.

It's a very good program. It does what it says it does, and I'm very glad that I have it.

We were looking for an EDR solution to get the best protection available, especially against ransomware. For us, any EDR solution needed to be supported by a 24/7 SOC.

We deploy it on-premise, in all of our factories and branch offices, worldwide.

Security operations have been improved as SentinelOne is easier to manage and update compared to most traditional anti-malware products. It enables us, for the first time, to have global knowledge of what's happening in all of our subsidiaries. Previously, each of them had a local antivirus solution.

• Easy to install and update
• Management Console in the cloud
• Ability to partition it in "sites" (our subsidiaries) with local site admin
• Overall good quality protection

Also, in terms of impact on the endpoint, we carefully manage endpoints for specific purposes (such as for connection to industrial machines) to avoid the false positives that are quite typical in a behavioral engine like SentinelOne. But generally, the impact is quite low, and the Management Console and SOC support allow us to check if everything is working properly or not.

In addition, one of the features that convinced us to adopt SentinelOne was that the solution can recognize and respond to attacks with or without a network connection. That is very important.

We started to install SentinelOne on the first endpoints in August of 2019.

Generally, the stability is good, but I would like to see better stability from the solution. The stability issue is partially a con of a behavioral-based product, but being behavioral-based, it also has a lot of pros.

The scalability is good. At present, I can't see scalability limits.

We have SentinelOne installed on almost 1,700 endpoints and have one main admin for deployment and maintenance and about 20 local site admins.

We have some factories and branch offices where the solution is not yet installed. We hope to complete most of them by the end of this year and, by then, have it installed on about 2,300 endpoints.

Support is quite fast to solve problems. The SOC is very good and really operates 24/7. When necessary, they contact SentinelOne support directly and their replies, generally, are quite fast.

We used traditional antivirus solutions. None of them could stop ransomware attacks and that's the main reason we choose SentinelOne.

In terms of the time it takes for SentinelOne to catch malware compared to our previous platform, the results are similar, with an advantage of SentinelOne being its discovering of Zero-day threats and ransomware.

A SOC provider showed us the product, and we worked out a global agreement for EDR and SOC with them.

The initial complexity was mainly related to finding the right exclusions to avoid false positives, especially with endpoints running technical and industrial software.

The rollout in our main company, with about 600 endpoints, was completed in about three months, including the initial fine-tuning for the AI engine.

In terms of our deployment strategy, in the first company where we installed SentinelOne, we chose to maintain our traditional antivirus product, and run SentinelOne together with it. The decision came about because we were not initially confident with SentinelOne. When we deployed it later to all of our subsidiaries, SentinelOne replaced the local antivirus solution.

Main support was provided by the SOC company, working together with our IT Staff.

We have seen a good ROI about the SOC service and the product.

The solution's price/performance ratio is reasonable.

In addition to the standard licensing fees there is, of course, the SOC service fee.

We evaluated main SOC companies and the solutions they provide. Most of them required a SIEM platform but not specifically an EDR solution. In the end, we chose the best and most affordable combination of SOC and EDR.

My advice is to start with a few endpoints and become comfortable with SentinelOne, and test the exclusion rules for endpoints running specific software.

At present, it looks like the most advanced EDR solution on the market, but I think we have to stay tuned to the market and to what's happening in cybercrime, as 100 percent security doesn't exist.

We are a managed services provider. We are not just using it for ourselves, but we are also supporting it and deploying it for a number of our customers.

The primary use case is that it's endpoint protection software and we use it to protect our end customers' endpoints, whether they are Apple or computers, laptops or servers.

SentinelOne is software as a service, but it has an agent that has to be installed on a computer or a server onsite.

Its Behavioral AI recognizes novel and fileless attacks and responds in real-time. What that means is that we have better confidence. For example, a number of users use USB drives which they bring from home. While we have a lot of customers where we have actually restricted the use of external USB drives, there are certain customers where we cannot restrict that use because of the way they run their businesses. The result, for them, is that there is a constant fear that at any given point in time, an infected USB from someone's home computer can actually infect the whole lot of computers within the corporate environment. But having SentinelOne means we have a certain level of peace of mind, so that even if something completely new tries to enter the network or the system via a USB drive, for example, it doesn't matter. The system will detect it and kill it. There is a level of protection which we never felt before using SentinelOne.

As a managed service provider, the most important thing is that the more secure a customer's network is, the less time our team will spend trying to fix issues. One of our customers is a prestigious hotel in London, and they were struggling, literally battling, with a virus that had infected their network of about 90 computers. Whatever we could have done, and all their previous IT company could have done, could not have eliminated that virus. Even if you completely formatted a computer, it kept coming back. The only way we were able to clean that whole network up and stabilize the environment was when we brought in SentinelOne. Before that it was Symantec, and Symantec couldn't do anything to control that infection. But SentinelOne brought in such stability, that since we introduced it into that network about one-and-a-half years back, not a single report has come in of any infection there.

Also, when we have to report on attacks to a customer, the customer always asks us for the root cause analysis. It is very important for us to understand the behavior and to find out where that infection came from and what it initially did so that we can look at that behavior and try to prevent it from happening again elsewhere. SentinelOne helps us in doing the root cause analysis and reporting back to our customers. It gives us insight into where a problem started and how it propagated into the system. Tracking the history of the virus' actions gives that insight, which is very important. Otherwise, there is no way to create a root cause analysis report for a security breach.

The automatic remediation and rollback in Protect mode, without human intervention, is already enabled on almost all of our computers. That helps us minimize the number of technicians we need to work on things. Automatic remediation is a policy which we enable when we deploy the system, which means that a lot of things happen automatically. And from our side, we only keep an eye on the dashboard. That means that we need fewer technicians to support the system. It provides support itself through that functionality.

Overall, SentinelOne has reduced our incident response time, absolutely. In our case, it's particularly true because we have remote teams working from remote offices. With SentinelOne, we don't need to send someone onsite because we can see a lot of things from a single pane of glass on the dashboard. And if there is a problem, we can do all the troubleshooting, and working on that incident, remotely. So it has definitely improved the way we have provided cybersecurity to our customers.

And it has reduced our mean time to repair by more than 60 percent. Previously, when we were using other solutions, we had to do a lot more work.

The solution's automation has also increased analyst productivity. The effect is significant in the sense that the amount of time our analysts used to spend on security has been reduced. These days, they only have a look at the dashboard which is open on one of the screens in our office. They just keep an eye on that and as long as it shows everything is green, they don't even bother drilling down and looking at other stuff. It's only when they see an alarm coming up that they jump in and look at it. That was never the case before. Before, they were remotely accessing computers and working on them and trying to fix issues. That has become a thing of the past since we started using SentinelOne.

It's artificial intelligence-based software. The best part is the fact that it doesn't necessarily rely on definitions, like other software. For example, Symantec, AVG, Avast, and Kaspersky, traditional antivirus software, rely on virus definitions. So every now and then, if there is a virus infection, they will compile a new set of virus definitions and push it to the local agent so it will know that this virus exists and that it should keep an eye out for it. 

These traditional software solutions have small levels of functionality that may help them to identify if there are any dodgy activities within the computer. They would then try to mitigate those, but only to a very limited extent. With SentinelOne, that's not the case because it basically has its own intelligence to identify any dodgy behavior within the system. As soon as SentinelOne detects anything which is not right, it will start tracing the changes being made. And because it's centrally controlled, it will give the controller team an early indication that there is something wrong and that we need to fix it. Not only that, but it will block it and keep track of it for mitigation.

We also use the solution’s ActiveEDR technology. Because it's an agent-based system, it is monitoring internally. It's not that the central system is doing it. It's keeping an eye on the functioning of the endpoint itself. If the endpoint is functioning properly, it will sit behind the scenes and not do anything at all. As soon as it sees any malicious activity within the system, that's where it's triggered. The artificial intelligence part of the agent is able to differentiate what activity can be considered malicious and what activity can be considered normal. And that's big. It's something that cannot happen without that kind of intelligence in place.

It has a one-click button that we can use to reverse all those dodgy changes made by a virus program and bring the system quickly back to what it was. That's one of the most important features.

Another valuable feature is that if a machine is infected, one that may infect other computers within the network, we have the capability of segregating that machine so that it remains connected to the internet but is cut off from the other machines in the network. That helps prevent spreading of the infection. That's a very unique feature, one I have not seen in the last 10 to 15 years from any other antivirus program. That's amazing.

We have used it on Mac and we have used it on Windows. We have seen a good level of protection, because since installing it for those of our customers who have taken it, not a single report of a breach has come out. I feel very strongly that the system is quite capable.

One of the areas which would benefit from being improved is the policies. There are still software programs where we need to manually program in the policies to tell the system, "This program is legitimate." Some level of AI-based automation in creating those policies would go a long way in improving the amount of time it takes to deploy the system. 

There is also a bit of room for improvement in the way SentinelOne is deployed. Right now we push it, but a lot of the time the pushing doesn't work. So we have to log in to each computer and do a manual install. That area would help in making the product stronger.

We have been using SentinelOne for about two-and-a-half years.

It's very stable. I have not seen it crash, nor have I seen any other problems.

I have not used their technical support. My engineers have used it, and their feedback about the support has been good so far. I don't think they have had complaints.

The initial setup is straightforward. But when deploying it to 100 or 200 or 300 machines, pushing it is easier than logging on to each machine and doing it manually. But sometimes, pushing doesn't work and doing it manually takes a little bit more time. But that's a one-off exercise.

We don't have much of an implementation strategy for the solution. As an MSP, there are a lot more things going on, day-to-day, than just dealing with SentinelOne. But for deployment, I get my boys to log on to a customer's systems, do the push, and then whatever does not work through push deployment, they install manually.

For maintenance of SentinelOne, we only have two engineers who look at it on a day-to-day basis. We don't need any more than that. In terms of deployment, it depends on the size of the deployment. If it's a 100-user deployment, we would have a team of three or four who would do it over a few days' time.

The return for us is that it has reduced the manpower we require.

Pricing is a bit of a pain point. That's where we have not been able to convince all of our customers to use SentinelOne. The pricing is still on the higher side. It's almost double the price, if not more, of a normal antivirus, such as NOD32, Kaspersky, or Symantec.

I understand that these are not similar products, but for a customer who has a certain amount of money to pay for an antivirus, they can only spend so much. That's where it becomes hard to convince them to pay double the price for endpoint security.

That is the only feature of this product which causes us to step back and not be able to deploy it for absolutely every customer we have. We would love to, but obviously if the customer doesn't have the budget to pay for it, there is not much we can do.

If they can somehow bring the prices down, that would massively help in bringing this to a lot more customers.

We looked into other solutions, but not as deeply as we went into SentinelOne. Because we liked SentinelOne so much, we just stopped there. And we already had experience with the likes of Malwarebytes, Symantec, and AVG. This was a far superior product.

I haven't had a chance to take a deeper dive into Carbon Black, but that is something I have been told is comparable to SentinelOne.

One of the things which attracted me to SentinelOne was the fact that it is the only product which is tied to the SonicWall platform, and we use the SonicWall platform a lot. A lot of our customers have SonicWall firewalls. Having a combination of SonicWall and SentinelOne provides an end-to-end security arrangement with products that are integrated with each other.

Go for it. It's an absolutely brilliant product. But understand what it is before starting to deploy. Unless you understand the product, you will not know how to use it to the best of its best capabilities.

The solution's Behavioral AI works with and without a network connection, providing the internal protection. But having that network connection is important because it will then be able to report it to the central dashboard. While it will do what it has to do locally, it's helpful when the agent reports back to the central dashboard so that the IT Admin can take action. It is important that the systems remain connected to the internet.

But overall, the Behavioral AI is amazing. It's something very new in the market. The way SentinelOne works and the way it is set up, I haven't been more impressed by any other product. It is a step forward in security.

We have 400 to 500 endpoints using SentinelOne at the moment, and all those customers are happy. We are happy that they're using it, because it helps us secure their network better than what they had before. We have it on laptops which have been given to home users, on computers in offices, on servers in computer rooms. They all have SentinelOne and we are happy with the level of protection that it offers.

Moving forward, with every customer whose antivirus is coming up for renewal in our portfolio, we are recommending getting rid of Symantec and other products and taking on SentinelOne.

It's very effective and it's improving by the day. In the last two-and-a half years I have seen that the way it detects and the way it mitigates threats are constantly improving. It's a very effective solution.

SentinelOne has completely replaced the antivirus solution that we used before. It's also an EDR solution. In the case of any suspicious malware, we can control the system with this agent.

Previously, we had some processes related to incident response which required more steps.  We needed to upload to VirusTotal, Sandbox, et cetera. Now, this process is shortened because all of the information we need is already in SentinelOne. We can briefly analyze and even respond from one management console. If someone has SOC, using the API, they can control everything. It's very cool. I think this is the future.

Behavioral AI does recognize novel and fileless attacks but we hope not to experience an attack like this. These days, there is no life without the internet. I don't think it is really a plausible scenario because we all use Microsoft services, 365, etc. If you don't have an internet connection, then you don't have anything. The guys from SentinelOne showed me an example where they can actually work without an internet connection and it worked just fine, like a common antivirus solution. But it wasn't important to us that it can do this because we know that in the real world, there are not many scenarios that wouldn't involve the internet.

We do use the storyline feature because it's SentinelOne's main feature that they are proud of. We don't see a lot of viruses in our environment and from what we have seen, it doesn't really help because a user will download a virus, the antivirus blocks it, and that's the end of the story. So there isn't much of a storyline behind it. But the SentinelOne guys showed us how it works and in the case of a difficult attack, it should work fine. 

We work with the storyline feature when we are suspicious of something and we need to check. But we didn't have an exact case where something highly critical was in our systems.

I find all of the features to be valuable. It's a cool and very informative tool. The management console analyzes, stops, and prevents the spread of malware. You only need to work with the console. There is nothing to do on the agent side. The user does not need to be involved in this process. 

The level of information it provides is enormous. You have all you need in case something happens. If we need to have an incident response with third-party external companies, we can give them the data that they can analyze further. The information about what's happened on the computer is absolutely amazing.

It's very comprehensive. It offers a lot of data but you can see only what you need or you can go further. If you need to investigate a little further, you can do that in any process. It's a SOC-analyst style.

If you are not an analyst, you can still do a lot with it. It's very convenient. We have workers who are not in the office, who are working from home. This is a good solution for them because it's Cloud-based. I can control everything from one console and even for users who are not in the office. We work with lots of vendors and not many of them have this solution. Traditional antivirus software doesn't have these features.

In terms of its impact on the endpoint, when you have a house computer working on antivirus, it doesn't make a huge impact on the system resources and even more, it can be installed parallel to antivirus. We have had scenarios where we have traditional antivirus and SentinelOne installed in parallel. It's two antiviruses on the computer and users won't know about it. They know about it when they start to download bad stuff and the antivirus starts yelling. 

According to what I see in the console, I do think that SentinelOne covers a wide variety of operating systems. It's even more than it needs to. In the traditional way, it's like antivirus but it does even more because it's also like an EDR solution. It covers all processes, what it does, where it goes, et cetera. There's a lot of stuff under the hood. I'm surprised it doesn't use a lot of resources because I thought it would be more aggressive for CPU memory.

In terms of improvement, they should work on agents' updates because that is not a strong part. It's not their strong point. It's not straightforward to upgrade agents. I send them questions about it. They already worked on this and they promised that in the next release that they will show me their solution for it. But this year I have had complaints about agents' updates, that they aren't clear.

They have a lot of updates on their management console. They have a lot of features. There is not enough time to read about it all. It's really a lot. The features that they apply are great and I would love to use them, but it's lots of things to know. And if you're not only working with antivirus on SentinelOne like me, there isn't much time to learn about it. 

I have been using SentinelOne for almost a year. 

I'm very excited to work with SentinelOne but they have a problem with agent updates. We lose connectivity when we update agents. When users are working from home it's not good to lose connection because you don't have options to connect or have meetings. 

I think they started working very closely on this problem. This solution will be better but so far, that's been my experience. 

We use the Cloud. It's completely scalable. They use a management console for lots of companies. It's tremendously scalable, it can be used with hundreds of thousands of computers.

Right now, we protect only 100 endpoints, it's for highly critical systems. Before the COVID crisis, we had plans to increase usage. We need to renew at the end of the year. We will for sure renew for 100 endpoints. I'm not sure about expanding though.

We don't need to do anything related to updating service backend sites. For agents, we only need to click "select all" and "run update," that's it. It only requires one person for maintenance, to see events and analyst information, technology, etc. It has access for three people who are security engineers and our CSO.

They have excellent support. There are security vendors who take up to 48 hours to just answer back a "Hello," without an explanation to my problem. The SentinelOne guys answer within the hour with a solution to any concerns expressed in an email. Support is very awesome. They also connect me with engineers who can help me. I can share a screen with them to show them the exact problem. This is important because a lot of vendors don't do this.

The initial setup is very easy and straightforward. We don't use the on-premise solution, we are Cloud-based. It's important because we have a lot of resources on our side who work fast. We can deploy in minutes. The initial deployment took one hour. 

We did the deployment ourselves. It's really easy. We have a Wiki page where end-users can see what they can install themselves. They just need to click on it, type, tell us where they want us to put a computer, and that's it. The users can do it themselves.

We installed it for a pilot group of 10 users and then deployed for others.

Our analysts spend less time doing his job because he has everything he needs in one management console. He can programmatically do everything and only react to real incidents. It reduced the costs of analysts' work. Their work costs a lot of time and money and having SentinelOne enables us to save on these costs. 

There are actually three versions of this product: the user version, professional, and professional plus. If analysts need to see something, like what the users are doing, what processes are running, we can go to the console and see. The traditional version only shows when incidents happen. I think the next time we renew, we'd go with the lesser version because it shows enough information. 

There aren't additional costs to the standard licensing.

We have the option to choose different vendors. We briefly looked at other vendors. We looked at Carbon Black, Kaspersky, and ESET EDR.

We evaluated them one year ago. These vendors are comparable to traditional antivirus while SentinelOne is and all in one solution. It has everything you need. SOC analysts is straightforward and they gave us a straightforward proposal. 

It takes the same amount of time for SentinelOne to catch malware as it does other solutions. There's not much of a difference. In our case, we don't see a lot of viruses because we have a lot of levels of security that prevent them. 

We can see the difference between traditional antivirus and what we can do with SentinelOne. Even if the price is a little bit more, we can see what we can do with it. We can use EDR, stop network activity, do whatever we need on the endpoint, from the security engineer side. We can see that it's at a completely different level. We have a traditional antivirus but we're going to rid of them at the end of the licensing period.

My advice would be to go with the Cloud version, not on-prem. 

I would rate SentinelOne a ten out of ten. It's a ten out of ten in terms of the EDR. It's also a 10 of 10 for the product and company. The solution does a lot. 

In general, we replaced our entire antivirus and anti-spyware with SentinelOne. We use it across all platforms, from servers to workstations, to Macs, to Windows, to Linux, Virtual Desktop Infrastructure, and embedded systems - on-premise and in the cloud. We also use their console and their threat-hunting. We needed a solution that was simple and intuitive, without having multiple agents.

We have also started evaluating their IoT, for the discovery of all IoT devices. This is 

It has improved our operational efficiencies. It saves us time because it does that first level of EDR automatically and that allows us to focus on certain things that it tells us about.

And we have better confidence because of all the threats that have been remediated. In fact, the moment we started deploying, we started picking up stuff that was in a dormant state on machines.

SentinelOne has absolutely reduced the number of threats. We get thousands of hits around the world. I'm looking in the console right now and there are 14,639 suspicious detections in the last few days. Of those, it has blocked 87. Another 30 were mitigated right away, and 24 active threats are being investigated now. Remediation of those threats could not be automated because it needs a response to do certain things right.

The strength of SentinelOne is that it has an automated, active EDR. It does that first level of what a SOC analyst would do, automatically, using artificial intelligence, so we can focus on other things. Active EDR not only notifies you, but it actually fixes that first level. That is unheard of. Very few, if any, companies do that.

The reason we went into this whole selection process and selected SentinelOne is that their strategy is "defense-in-depth." They do not only do what the traditional AV endpoint security solutions used to do, but they go further by looking at behaviors and patterns. Additionally, their big differentiators are in the dept of behavior analysis. There are other companies that claim this - albeit in a lighter flavor. 

The whole behavioral analysis helps us get to the root causes. We can understand and pictorially see the "patient zero" of any threat. It shows the first one who got whatever that threat is. When you look at their console and you see a threat, you can not only pick up the raw data to do forensics on it, but it can actually tell you a storyline: who patient zero was and how this whole threat has spread through your environment or on that machine itself; how it happened. Then, you can check on these things yourself. That's crazy good.

In addition, there is no dependency on the cloud to fully protect. Many products you see today, especially those called next-generation, depend on getting some information from the cloud. With this solution, you don't need to connect. It has the intelligence on the endpoint itself. That's useful because you're not always connected to the cloud. You could be in a lab. We've got laboratories where they aren't necessarily connected to the internet, but you want to have the latest intelligence of machine learning to see that you're doing the right thing. SentinelOne doesn't have to be connected. It's already got that behavioral stuff built-in.

They have a rollback and remediation facility as well. If you've got a virus or some malware on a machine, it's going to detect it and it can actually just clean up that part of that malware. You don't have to do anything else. And if you have ransomware, for example, it will pick it up before it causes a problem. And if it didn't, you can actually roll back and get it to the previous good version.

It integrates well with other products. We've got other cloud services that we use for security, and the intelligence is shared between SentinelOne and the CASB that we have.

And with the threat-hunting, you can validate what it's telling you: Is it a real threat or is it just something that is suspicious?

It can tell you everything that's running on an endpoint: What applications are running there and which of those applications are weak and that you have to watch out for. That's one of their free add-ons. You can do queries, you analyze, you can see who touched what and when. You can check the activities, settings, and policies.

Another advantage is that you can break up consoles. You can have them all in the cloud, or you can have some available physically. You may want to keep certain logs local and not share them because of GDPR. You can do those kinds of things. It's very adaptable and malleable.

If you have an agent on your machine, it will find out what things are neighbors to your machine. You can control machines at different levels. You can even control a device on your machine. If there is, for example, a USB device on your machine, I can control it and not let you use that USB device. I can actually get into your console and do stuff.

The other strength of SentinelOne is that you get almost all these features out-of-the-box. They add many features as a default, you don't pay extra, unlike many other companies. There are services you do pay extra for. I mentioned that SentinelOne handles that first level SOC security analyst-type work. But if you need a deeper understanding, with research, they've got a service for that and it's one that we're using. I was convinced that our current team wasn't good enough, so we had to get that service. It's actually very cost-effective, even cheaper than other ways of getting that level of understanding.

They are already reporting on application vulnerabilities in the landscape and working on providing remediation - another big win. 

Regarding the IoT feature, it's on the fence whether they're going to charge for it but that's an add-on module. However, it's not like you have to do anything to install it. You just have to click something in the solution.

The area where it could be improved is reporting. They have some online reporting, but it would be nice to be able to pick and choose. When I'm looking at the console, I would love to be able to pull certain things into a report, the things that are specific to me. They're very responsive. They regularly ask customers to provide feedback. They've been working on their reporting since the last feedback meetings. It's not only me but other customers as well who would like to see improvements in the reporting.

 File Integrity Monitoring is not a gap, but to do it you have to type several times. It's not the few-click intuitive situation.

It would be nice to have some data leakage included. Also, when it comes to data leakage, while you can get out everything that a person does on a machine, there needs to be a proper way of doing so, like other products that are just focused on data leakage.

I can't wait to see their advances in the cloud infrastructure (containers and serverless).

It would be nice (and is critical) to allow administrators to notate when they make changes to the console configurations - perhaps a tag for reporting. I might, for example, whitelist an application. If I did that today and I leave the company at some point, someone might wonder why I did this. There should be a place to easily notate everything.

I started validating and testing the product back in the fall timeframe of 2017. By the time the proof of concept was done, we were signing the product by the end of 2017 or January of 2018.

In our company, if something happens with a solution, everybody will know, and it will be out of the environment in a jiffy.

So far, the scalability is going really well. It's really lightweight. Using the console, you can break it up into regions. It's integrated with Active Directory and we have it set up as the "research lab" in Melville, New York and something else in China.

Right now, it's our product of choice for endpoint protection. I suspect our usage will grow a lot once they enable the IoT; what they call Ranger.

Technical support started off mainly by email, but support is probably the single biggest improvement since we started with SentinelOne two years ago. They always had the intelligence, like any techie person, but techies are not necessarily good communicators. They always had answers, right up to the top. Their CEO is also a very technical person. But they have improved how tech support is delivered by 100-fold.

We had McAfee, and we were using it for other things too.

I'd never heard of SentinelOne in 2017. I knew of the other big guns but I came across it just by chance by looking at studies that spoke about SentinelOne. I had their sales guys and engineers demonstrate but it didn't mean anything. I still thought it might be fluff. So we had to test it and go through that whole rigmarole.

For all intents and purposes, they delivered. You have to remember that they were fighting a battle against all the big guns in the industry, solutions that were already entrenched. When we did our test, we actually broke a couple of their competitors, not because we wanted to. We were just comparing and doing it as a proof of concept. SentinelOne kept catching everything that I thought the other guys should have caught.

Also, they were never defensive; they were straight-easy to work with. Their responsiveness was also very good. If we needed to get something — and this might be because of the size of their company — we could go right up the chain and something would happen right away. If changes were required they happened really fast.

The initial setup was straightforward. I co-authored a book on evaluating products and one of the things that you have to take into account is ease of use and how intuitive things are. Some people may not consider that important, but I consider it important.

In general, it was easy to set up. That was one of the reasons I was pleasantly surprised.

What can make it difficult is the environment you are in. For example, we have "freeze periods" during about half the year, where we cannot make any changes. So, during retail, during Christmas, Chinese New Year, Black Friday, etc., nothing can change in the environment and we cannot deploy anything.

Other things, outside of the environment, were that there are financial/fiscal periods, every quarter, where we cannot change certain things. And we have different silos: a server group, a Windows group, a Mac group, and a Linux group that didn't want to touch anything. Everyone had some bad taste left in their mouths at some point in time, not necessarily with SentinelOne, but in general. If everything is working, why change it? So there were some political things, internally. We have about 35 different companies around the world. Each has a variation of things and there is every version of every thing out there. And some have badly written code too that shows up as malware; it manifests just like malware.

For deployment and maintenance it was me. I did almost everything. There were only one or two people. Obviously, we have to follow the sun because we're global, so at times there might have been three or four people involved, but generally it was one or two who were coordinating it. They know the product and how to deploy it and what needed to be done, but I needed those guys around the globe. They had to coordinate with each of those groups I mentioned. But we owned it and we were accountable for it. We have segregated duties. Even though I'm in security, I don't have the rights to get onto our Windows Servers and make changes. I have to ask the server guys to do something and that's why things take time. That's why you need people to coordinate it.

But, once it was detecting those threats, I felt that even though we had an outsourced team, they were lacking in knowledge. If I told them, "Hey, this is malware," without the right experience, they wouldn't know what the heck to do with it. That was the challenge. That's why we went with SentinelOne's managed service. They have people who can deal with it and sort out the things that are real.

The way you do it is that you don't just McAfee take off a machine and put this one in. You run them simultaneously for some time, and then take one out. I wanted to see if something would happen, or it started messing things up, or if people would start calling saying, "Hey, there's something going on in my machine."

We didn't work with any third-party. Over the years, I've seen that a lot of these guys tend to have biases.

We have absolutely seen a return on our investment because it has created that first-level SOC. Plus, it has all these other functions. It has replaced McAfee. We don't need a file integrity monitoring product. And we can see application vulnerabilities without using another product. And they keep adding features. Once they add this IoT feature, the ROI will be much more.

Initially, I was just researching solutions using independent reports and industry reviews. I don't necessarily agree with everything in industry reviews, but I used them to narrow down the field and to figure out which solutions I needed to look at. I also looked into whether there were any legal issues the companies were fighting. In that first phase, I got it down to about four or five that I would take to the next level and actually touch them with live malware. The reason the other ones fell off is either they were too focused on one thing or there were some legal things. The industry is small. You hear things, not necessarily officially, but unofficially you hear things.

I looked at McAfee, CrowdStrike, Carbon Black, Palo Alto Traps, Cylance, Endgame, Tanium.

In my evaluation, back in 2017, I wanted to see the features of each and match them up with our requirements. What were our influences? What was important to us? I tried to map that into what features were available at the time, or look at whether a product could consolidate another product that we had so that we would no longer need that other product. I also looked at operational efficiencies, security efficiency, and whether it meets all our compliance goals.

Then I went to the lab where I had real malware. There was a whole method to that madness of testing. 

McAfee failed miserably, even with their later product. It would have been easier for us to stick with the incumbent, but it couldn't pick up on malware. There was something it never detected. With that type of next-generation, machine-learning algorithm, it's not so much the algorithm as it is the intelligence, the data that they collect over time.

At the time, Palo Alto Traps was not ready for prime time - immature console, limited support across all our platforms and focus on exploits.

I broke Cylance, surprisingly. I didn't expect that. I'm not even a researcher, per se. I have other jobs in our company. When I managed to break them I was looking at how they responded. I'm not expecting everyone to be perfect, but I found them very defensive. They would say, "Oh, it's only one in 100 or 200 or 300 pieces of malware". But it was the way they responded to things. It took a while for them to get back to me, and they were more concerned about whether I was doing the same thing with the others.

The other weakness of Cylance was that, for anything else, like remediation and response to something, you had to buy another piece. It wasn't part of the product, whereas, with SentinelOne, it was part of the product, without paying anything more.

Some of our folks were convinced that CrowdStrike was the way to go but our tests proved otherwise. CrowdStrike has some good features, but it requires going to the cloud. And secondly, whenever you get events, you almost have to use their service, so you're paying them to help resolve something. It gets expensive.

Separately, I did a compatibility test where I checked our environment: I deployed it in a sampling of some of our machines to see if it run without creating another mess.

When you do a thorough proof of concept, you already have all the details, so nobody's going to mess with you. I compared everything. At the end of the day, I gave my boss a report and said, "This is it. You decide."

Have a look at it. Compare it. It's a very good product to have.

It gives you a lot more insight. It has combined many products into one agent and it's expanding. There are a lot of things it can do now on the cloud, like containers. It gives you insight into a lot of the threats with the hunting ability. I have learned from the tool to see how our environment is. I've learned about certain behaviors of our applications, just by observing what pops up.

There is a console that is in the cloud and there are agents that are all over. You put these agents on Macs or Windows or Linux, or on whatever the cloud versions are of all these virtual devices. We are spread out across the globe. We've got nearly 50,000 endpoints in different parts of the world. We generally stay as close to the latest version of the agent as possible, but we go through change-control and it is very strict. We don't just put things on endpoints. We validate and test in our environment because we have nearly every type of operating system and variations of them in our environment. Therefore, sometimes we are something like .1 or .2 of a version behind. In terms of the console, we are at the latest version.

As a company, we use all variations of clouds, from Ali Cloud, which is China to Azure; we're predominantly Azure. We have AWS and GCP. SentinelOne manages that console and we have access to it. We own that part, our console. It's on AWS, I believe.

Overall, is there room for improvement? Absolutely. There are gaps in the reporting because we need to give reports to different levels. Ideally, we want to just drag and drop things to create reports. They have very nice reports but they're canned. We want to be able to choose what goes into a report. Otherwise, it's right up there and I would give it a nine out of 10.