SentinelOne is an antivirus and an EDR platform. We are using is simply for its antivirus and EDR features.
Senior IT Security Analyst at a comms service provider with 501-1,000 employees
Easy to set up and good for protecting endpoints with helpful documentation available
Pros and Cons
- "The solution is overall very good in terms of protecting endpoints and servers from malicious activities, malware, cyber attacks, viruses, worms, and so on."
- "It doesn't have application control capability. Other antivirus or EDR solutions have that."
What is our primary use case?
What is most valuable?
The solution is overall very good in terms of protecting endpoints and servers from malicious activities, malware, cyber attacks, viruses, worms, and so on. It offers really good security.
The initial setup is easy.
We have been happy with the stability.
It is possible to scale the product.
There is good documentation available, and support works to help users resolve issues.
What needs improvement?
It doesn't have application control capability. Other antivirus or EDR solutions have that. I would be happy if SentinelOne added that to their platform. This is the first point.
The second point is SentinelOne should provide support for legacy open-source operating systems. For example, old versions of Oracle are not supported by SentinelOne.
The third point is that SentinelOne does not support a few platforms, including IBM AIX and UNIX-based OS. These three platforms are almost all used in all enterprises, and SentinelOne does not support them. If SentinelOne provides agents for these missing platforms, it'll be very good.
It would be ideal if they offered video support for troubleshooting issues.
For how long have I used the solution?
I've been dealing with the solution for just over one year.
Buyer's Guide
SentinelOne Singularity Endpoint
June 2026
Learn what your peers think about SentinelOne Singularity Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
903,871 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is stable and reliable. We have been happy with its performance. There are no bugs or glitches, and it doesn't crash or freeze.
I'd give it a four out of five in terms of stability.
What do I think about the scalability of the solution?
The scalability has been very good.
There are thousands of both users and servers. Everyone uses it.
How are customer service and support?
I have raised a lot of tickets, and their support is very good. However, with other members, when we have raised tickets in the past, we were able to have technical sessions through Zoom, WebEx, or Teams very easily. That's true, for example, with Microsoft, Cisco, McAfee, and Kaspersky. With SentinelOne, they are providing very good support, excellent support, however, their engineers are not very interested in providing online sessions, which is more convenient.
When you face any issue, they always provide documentation and videos - and that's very good. However, sometimes it's required that they show us how something is done. Doing some sort of video call helps with the walk-through. SentinelOne engineers, most of them, are not so much interested in doing this.
Which solution did I use previously and why did I switch?
We did previously use a different solution. However, I can't speak to which product that was.
Other solutions that I usually use in other organizations were on-premises. This one is cloud-based. The point is, when you have your antivirus or EDR solution on-prem, that's your responsibility to troubleshoot the core server and do that maintenance patch and all of those kinds of tasks. When the solution is hosted in the cloud, all of these responsibilities belong to the provider, in this case, SentinelOne. When a new patch is getting released from the vendor, normally, if we were using legacy platforms, we would have to upgrade each endpoint one by one. By using cloud-based EDRs, it can be done automatically and reduces maintenance time.
How was the initial setup?
The solution is very easy to set up. It's not overly complex or difficult.
The implementation strategy was very simple: removing the old antivirus solution and replacing that with SentinelOne.
It took us three months to migrate and deploy.
We have ten to 14 people that can handle deployment and maintenance. Only one person, however, needs to handle typical maintenance tasks.
What about the implementation team?
We handled the initial setup ourselves. We did not need any outside assistance.
What's my experience with pricing, setup cost, and licensing?
Licensing is part of the procurement team. I can't speak to the exact cost of the product.
What other advice do I have?
We are a customer of SentinelOne.
SentinelOne does not have a version. SentinelOne is a centralized platform that is hosted in the cloud. It's the agent that we install on servers and clients, it has versions we are using the latest version of agents.
The product has two deployment options, cloud deployment, and on-prem deployment. Most people prefer to use cloud deployment in the way we do.
I recommend this solution often. I'd rate the solution eight out of ten.
My advice for other companies that do not use SentinelOne is this: that everyone, every company, likely has its own antivirus solution, whether it's McAfee, Symantec, Kaspersky, and so on. These platforms provide only an antivirus solution, however. If they replace their solutions with SentinelOne, they will have two features: EPP, endpoint protection from antiviruses, and EDR, endpoint protection and response features. They will not need to install two applications, one antivirus, and one EDR, on their clients' computers; only one agent can do anything.
SentinelOne provides an amazing amount of visibility over clients and servers. Anything done on a server, on a client, with a network connection, login, logout, changes in directories, et cetera, is recorded. Using query searches, you can find what happened very easily.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior IT Consultant at Jeneri IT
Does an excellent job of using AI to determine and stop an attack, and the peace of mind it gives is significant
Pros and Cons
- "It protects your machine, and it does an excellent job using AI to determine an attack and stop the attack. Its most powerful feature is prevention, and it can unwind ransomware activity as well. So, it is a really useful product in that sense."
- "While the cost of SentinelOne is higher than Webroot, the reality is that the peace of mind and the knowledge that you are probably not going to get a complete attack, simply because SentinelOne stepped in and stopped it, is worth every penny."
- "One of the things they could do is extend the product range to include Android and iPhone so that you could have the app on your phone as well. There is probably something going on there with that, but that's something that they're lacking at the moment. For instance, if I was to have to recommend a client to protect their phone, I'd have to recommend Norton or something else. I don't have an answer within the SentinelOne solution."
- "One of the things they could do is extend the product range to include Android and iPhone so that you could have the app on your phone as well."
How has it helped my organization?
It runs continuously and uses AI to look for any suspicious activity. If it does determine that there is a virus or something going on that shouldn't be happening, it not only stops the process but also completely logs the whole function. It tells you in a map version how the attack happened and how it was stopped. It is brilliant. In the past, for example, if I had the same problem in Webroot, I would've had to submit the case to Webroot for viewing so that they could, as a human, literally determine what the cause was, but by that time, it is way too late, whereas, this is the real-time protection.
What is most valuable?
It protects your machine, and it does an excellent job using AI to determine an attack and stop the attack. Its most powerful feature is prevention, and it can unwind ransomware activity as well. So, it is a really useful product in that sense.
There is the ability to SSH into a machine even if the machine has been disconnected from the network. When a real hazard happens, SentinelOne disconnects it from the internet so that no more transactions can occur, but I still have access to the machine. One of the bigger benefits is that no harm could be done because there is no communication with the internet, but I still have the ability to go in, restart a machine, do some investigations, and make some things happen.
What needs improvement?
One of the things they could do is extend the product range to include Android and iPhone so that you could have the app on your phone as well. There is probably something going on there with that, but that's something that they're lacking at the moment. For instance, if I was to have to recommend a client to protect their phone, I'd have to recommend Norton or something else. I don't have an answer within the SentinelOne solution.
For how long have I used the solution?
I have been using this solution for close to three years.
What do I think about the stability of the solution?
It is perfect. I've seen very few problems related to the app. It is not using too much of the PC's power. It does not make PCs slower. So, I find it the best of both worlds. You reduce the impact of the product on the user, but at the same time, thoroughly protect the user, no matter what he does.
What do I think about the scalability of the solution?
You can certainly have thousands of SentinelOne users. We have 250 users. In terms of our plans to increase its usage, I provide IT as a service. So, as I add clients, I always add licenses for those clients.
How are customer service and support?
Their support is very good. I would rate them a five out of five.
How would you rate customer service and support?
Positive
How was the initial setup?
It was straightforward. It probably took me a week to get 250 machines converted.
What about the implementation team?
It can be done in-house very easily. You probably need one staff member that knows how to implement it, and after that, it pretty much runs itself. It requires very little maintenance.
What's my experience with pricing, setup cost, and licensing?
It is not sold as a consumer product. It is only sold based on the number of licenses. So, as an MSP, you're probably going to pay about three and a half dollars per license, per month to have SentinelOne.
What other advice do I have?
I would advise others to go for it. It is great. As an MSP, the peace of mind it gives me is really significant. While the cost of SentinelOne is higher than Webroot, the reality is that the peace of mind and the knowledge that you are probably not going to get a complete attack, simply because SentinelOne stepped in and stopped it, is worth every penny.
I would rate it a ten out of ten. It is absolutely fantastic.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
SentinelOne Singularity Endpoint
June 2026
Learn what your peers think about SentinelOne Singularity Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
903,871 professionals have used our research since 2012.
Director of Technology and Digital Transformation at Banco Fibra
Collects logs and data and integrates well with other solutions
Pros and Cons
- "It is easy to collect and retain logs with SentinelOne."
- "The only concern we have is that there are a few features that were not readily available."
What is our primary use case?
We use SentinelOne to collect logs and data. We will connect it to other tools and places in the future.
What is most valuable?
It is easy to collect and retain logs with SentinelOne. When you need to compare information, the data is available. It also has the possibility to configure information. It integrates well with all the other solutions we use.
What needs improvement?
The only concern we have is that there are a few features that were not readily available. We use a lot of application files that didn't have a connection.
We would also like to see integration with other tools that have to collect the logs.
Although Microsoft claims the use of building artificial intelligence to correlate events, we have actually had a couple of events that should have logs but did not. The solution is not at the same level in terms of building artificial intelligence.
SentinelOne can do a better job of not only creating corrective action based on the correlation. For example, someone was trying to repeatedly change their password. What they didn't realize was that they weren't connected correctly.
For how long have I used the solution?
I have been using SentinelOne for six months.
What do I think about the stability of the solution?
SentinelOne is a stable product.
What do I think about the scalability of the solution?
Scalability is based on the measure. There is no limitation regarding scalability if you pay for the upgrades.
How are customer service and support?
Technical support is good. When you need help from Microsoft, there is a long list of resources to help understand the issues.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is straightforward as we have contracts with Microsoft Office Supplies, commodities, defender, and Active Directory.
I would rate the ease of initial setup of SentinelOne a five out of five. It is easy.
What about the implementation team?
Our company used a third party that provided the utility.
What's my experience with pricing, setup cost, and licensing?
This solution is less expensive than its competitors. You might need to buy additional space depending on how much they are willing to provide. I would rate the pricing a five out of five.
Which other solutions did I evaluate?
We selected SentinelOne because it was less expensive than the competitors. We also saw the speed of evolution with Microsoft, so it can be involved theoretically when compared to Splunk.
We also chose SentinelOne because of the balance between features. It is stable and has enough choices. Being with Microsoft, we felt confident that the solution would evolve.
What other advice do I have?
If you are considering SentinelOne, you should consider the cost of storage. Otherwise, the product is easy to deploy. You either need to have your own security operating center or hire someone that will use Sentinel or the secondary service. For you to consume the data, you may have had an internal security center or Sentinel.
With SentinelOne you have to invest extra cost. You have to always think of how much it will cost you to delay a response by a couple of days. If the incident is going to cost two days of revenue for the organization, that is much more than the cost of the solution.
I would rate SentinelOne an eight out of ten because of the price point and the features you get.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Head at a financial services firm with 11-50 employees
Excellent for detection and device blocking and offer good network control
Pros and Cons
- "The solution is both stable and scalable."
- "We are very satisfied with the product overall."
- "The delay in updating inventory is ten minutes. If it can be improved, it will help a lot."
- "The inventory is a good feature. However, it's not up to date."
What is our primary use case?
We use the solution for anti-malware, policy enforcement, and blocking USBs, for example. It's used for detection in general, and for protection and threat blocking.
What is most valuable?
The solution is very straightforward to set up.
The features are great. It is excellent for detection and device blocking.
The network control has been useful, as well as the firewall control.
The solution is both stable and scalable.
What needs improvement?
The inventory is a good feature. However, it's not up to date. The delay in updating inventory is ten minutes. If it can be improved, it will help a lot.
For the general IT management, there is a need to correlate the software version from inventory with the CVE information. For example, we have the CVE, however, it doesn't take into account the current version. We need it to stay up to date with the latest version.
For how long have I used the solution?
I've used the solution for less than one year.
What do I think about the stability of the solution?
The solution is quite stable. It's reliable. There are no bugs or glitches.
What do I think about the scalability of the solution?
The product can scale very well.
We have less than 50 people on the solution currently. We are using it in a smaller environment.
We do have plans to increase usage in the future. We are, in fact, still deploying it. So the department is not finished yet.
How are customer service and support?
We get technical support from the vendor.
Which solution did I use previously and why did I switch?
I've also used Microsoft Defender.
How was the initial setup?
It offers an easy implementation process. It's not overly complex or difficult. Setting everything up on the cloud is simple. The deployment was done in a matter of days. In the end, it took less than a week. We had two people handle the deployment process.
What about the implementation team?
We did have some outside assistance. They helped with half of the process.
What was our ROI?
We found the ROI to be quite high. However, it would vary, depending on the contract. It's a good investment. I'd give it a five out of five.
What's my experience with pricing, setup cost, and licensing?
I cannot speak to the exact pricing. That said, it's very reasonable. I'd rate it five out of five in terms of affordability. There are cheaper options; however, it is quite affordable. We pay a yearly licensing fee.
What other advice do I have?
We are a customer and end-user. We deal with a SentinelOne partner.
I can't speak to which version we are using.
Whether or not the solution would work for an organization depends on the environment and other factors. That said, we are very satisfied with the product overall.
I'd rate the solution ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. System Administrator at Danube Group
Lightweight, easy to implement, and good support
Pros and Cons
- "SentinelOne is very lightweight; it doesn’t consume much memory of endpoints, endpoints don't hang, and machine performance doesn’t get impacted, and their technical support is also very nice."
- "It has all the features that other leading products in the market provide. They should keep enhancing it based on the challenges in the market. I am fine with its detection capability, but they can work more on deep inspection."
How has it helped my organization?
We are using it for endpoint security. It acts as an antivirus as well as is useful for endpoint detection. We are using the same product for both use cases.
What is most valuable?
SentinelOne is very lightweight. It doesn’t consume much memory of endpoints. Endpoints don't hang, and machine performance doesn’t get impacted. Their technical support is also very nice.
What needs improvement?
It has all the features that other leading products in the market provide. They should keep enhancing it based on the challenges in the market. I am fine with its detection capability, but they can work more on deep inspection.
For how long have I used the solution?
I have been using this solution for around two years.
What do I think about the stability of the solution?
It is stable. I would rate it a four out of five in terms of stability.
What do I think about the scalability of the solution?
It is scalable. I would rate it a four out of five in terms of scalability. We have more than 1,200 users who are using this solution.
How are customer service and support?
Their technical support is very nice. I would rate them a five out of five.
How would you rate customer service and support?
Positive
How was the initial setup?
It is very easy to implement or install. I would rate it a five out of five in terms of the ease of setup. It does require maintenance by someone.
What's my experience with pricing, setup cost, and licensing?
Its cost is yearly. It is not much costlier than other leading products available in the market. I would rate it a four out of five in terms of pricing.
Which other solutions did I evaluate?
We were looking for an antivirus and EDR solution. We evaluated some of the products, and finally, we decided to go for SentinelOne EDR. CrowdStrike was one of the solutions we evaluated. SentinelOne was lightweight, but CrowdStrike had a more secure door.
What other advice do I have?
I would rate it a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cloud Engineer at a comms service provider with 1,001-5,000 employees
Quick deployment, beneficial lateral movement, and integrates well with Active Directory
Pros and Cons
- "The most valuable features of SentinelOne are the lateral movement and the use of the Active Directory."
- "The initial setup of SentinelOne is very easy. You only need to turn it on and it starts working with a couple of clicks."
- "SentinelOne can improve by having better integration with Active Directory."
What is our primary use case?
We use SentinelOne mainly for lateral movement, ransomware, anti-malware, AI engine, and forensics.
What is most valuable?
The most valuable features of SentinelOne are the lateral movement and the use of the Active Directory.
What needs improvement?
SentinelOne can improve by having better integration with Active Directory.
For how long have I used the solution?
SentinelOne can be deployed on-premise and in the cloud.
I have been using SentinelOne for approximately two years.
What do I think about the stability of the solution?
SentinelOne is stable. However, the only issue I had was with legacy system, such as older kernels. The newer systems are more stable.
What do I think about the scalability of the solution?
The scalability of SentinelOne is good, but my biggest concern is they need to find some way to automatically install their agents to specifically Microsoft Windows devices because not every IT infrastructure has SECM of others that automatically deploy it. It would be helpful during the migration of new customers.
We have approximately 4,000 systems using the solution and plan on adding another 400.
How are customer service and support?
I haven't had the opportunity to interact with SentinelOne support.
Which solution did I use previously and why did I switch?
I have previously used Microsoft Windows Defender.
How was the initial setup?
The initial setup of SentinelOne is very easy. You only need to turn it on and it starts working with a couple of clicks. The ease of implementation is SentinelOne strongest feature.
What about the implementation team?
We have three people deploying SentinelOne. As part of the team deploying the agent, there are multiple teams involved, and each one can deploy an agent when they have their own time.
What's my experience with pricing, setup cost, and licensing?
SentinelOne can cost approximately $70 per device.
What other advice do I have?
The advice I would give others that are thinking of implementing SentinelOne is if they have any other solutions, I would highly recommend them to start using it, especially if they have Active Directory. It's very good at picking up weird anomalies.
I rate SentinelOne an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Project Manager at Rajiv Gandhi Cancer Institute In India
Excellent notification capabilities, good roll-back features and a straightforward interface
Pros and Cons
- "SentinelOne is preferred because of its great features and nominal cost."
- "The setup process could be improved."
- "The setup process could be improved, and it would be good if artificial intelligence were added as an additional feature in the next release."
What is our primary use case?
The most important feature is the roll-back feature because when any system is corrupted, we can easily restore it within a few seconds. Also, if an end-user is not connected to your network, they can communicate with the central manager. We can be notified of any end-user activity with a central dashboard. The solution is also a very lightweight agent model compared to other solutions like Sophos, Carbon Black and the app action from X-microsite product. SentinelOne does not use the RAM SCP installation for the agent, and the user interface is also straightforward.
What needs improvement?
The setup process could be improved, and it would be good if artificial intelligence were added as an additional feature in the next release.
For how long have I used the solution?
We used SentinelOne at my previous company before I left eight months ago, and it was deployed on cloud base.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
It is a scalable solution, and we have about 800 users using SentinelOne. We only need one person for maintenance, and they can offer maintenance in person and remotely via email and SMS.
How are customer service and support?
I rate the technical support a ten out of ten. The support is very easy if you connect with global support. A company focused on non-technical issues can't easily adopt the solution. You have a support team from the layman language.
How was the initial setup?
The initial setup was a bit complex but very simple if you set up a single order.
What's my experience with pricing, setup cost, and licensing?
I rate the price of SentinelOne a ten out of ten, meaning it is the best price in the market. This is because SentinelOne has a nominal cost. For example, if CrowdStrike costs $1000, SentinelOne provides the same features for about $7 to $8.
What other advice do I have?
I rate this solution a ten out of ten. I have around 10 to 15 years of experience in security and have used products like Sophos, Micro and CrowdStrike. CrowdStrike and SentinelOne are the best, but SentinelOne is preferred because of its great features and nominal cost.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Technologies Manager at VAS Bilisim Teknolojileri A.S
Reliable, easy to set up and easy to use
Pros and Cons
- "The product can scale as needed."
- "It's an easy tool and it offers a different experience."
- "Security could always be better."
What is our primary use case?
We primarily use the solution for security purposes.
What is most valuable?
It's an easy tool and it offers a different experience. It is a new generation product.
The initial setup was easy.
It's stable and reliable.
The product can scale as needed.
What needs improvement?
While I'm sure improvements are necessary, there isn't one specific area I've found to be lacking.
Security could always be better. It always needs to be adjusted to keep up with what's happening.
For how long have I used the solution?
I've been using the solution for two years.
What do I think about the stability of the solution?
We haven't had any issues with stability. It's reliable. there are no bugs or glitches and it doesn't crash or freeze.
What do I think about the scalability of the solution?
It's scalable. We are using management software on the cloud. Therefore, if we want to install 1,000 agents, it doesn't impact our business now. We can scale and it's got a central implementation method for agents.
How are customer service and support?
Technical support has been very good and we are quite pleased with them.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We actually use regular antivirus solutions as well, such as Sophos and McAfee.
How was the initial setup?
It's a simple, straightforward setup. It is not overly complex or difficult.
We have a small IT team and have found that we just need to have one person managing the product.
What about the implementation team?
We deployed it using an outside resource.
What's my experience with pricing, setup cost, and licensing?
I cannot speak to the exact cost. Our managers buy the licenses. That said, it is my understanding that we are using the subscription model and pay for it yearly. I'm not sure if there are any other ancillary fees beyond that.
What other advice do I have?
I'm a customer and end-user.
I'm not sure which version of the solution I'm using.
I'd rate the solution eight out of ten. It's a good overall product.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Information Security Engineer at a retailer with 5,001-10,000 employees
The Storyline feature significantly simplifies the investigation and research related to threats
Pros and Cons
- "The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes."
- "Now that we have SentinelOne, we cannot go without it."
- "There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap."
What is our primary use case?
There are four use cases:
- Endpoint visibility.
- Endpoint protection, which includes detection, protection, and error response. We use this for protection endpoints as well.
- Provides historical loss of any events or changes in files that may have happened in the last 90 days.
- Threat hunting, which we use to troubleshoot applications.
There are different versions. The SaaS portal has a different version. The agents for each operating system have a different version. For the SaaS platform, we are on the current release. For the agents, we are one behind the current GA release.
How has it helped my organization?
We have another tool for network analysis. Last night, it detected some suspicious network activity for a machine that was making an outbound action to a spacious external entity. So, it raised an alert. Other than being a network tool, it couldn't provide any information as to why it suddenly started doing this. As far as response and running through our playbook, the first steps were for the SOC to go and reach out to our engineering teams to see if any users caused what happened. That took them almost until the end of the day. Finally, they came back, and said, "There is nothing that we can see." Then, I went into SentinelOne, spending about 15 minutes, and was able to determine exactly:
- What process caused the activity.
- The reason for it.
- The user.
- The command line running that caused it.
- What addresses it tried to communicate out, since the network tool wasn't able to capture all the IP addresses.
We were able to determine it was a process that one of our engineers had set up and forgot about. It took us almost an entire day for the SOC to get a response from a person on that. Whereas, we were able to get that information directly from SentinelOne in less than 15 minutes.
SentinelOne's automation has increased analyst productivity. It can automate actions on a threat, such as, kill/quarantine, remediate, and then roll back. All those automation processes have significantly helped us in making our SOC more effective.
What is most valuable?
All the features are valuable. Their core product, EDR, is pretty good. We utilize the entire functionality of the feature set that they have to offer with their core product. For EDR, we are using all their agents: the Static AI and Behavioral AI technologies as well as their container visibility engine.
We use SentinelOne’s Storyline feature to observe all OS processes quite routinely. When we want to know a bit more details about any threats or want to investigate any suspicious event types, that is when we use the Storyline quite a bit. Its ability to automatically connect the dots when it comes to incident detection is useful. It significantly simplifies the investigation and research related to threats.
Today, we automatically use Storyline’s distributed, autonomous intelligence for providing instantaneous protection against advanced attacks for threat detection. The AI components help tremendously. You can see how the exploits, if any, match to the MITRE ATT&CK framework, then what actions were taken by the AI engine during the detection process or even post detection actions. This is good information that helps us understand a little about the threat and its suspicious activities.
We use the solution’s one-click remediation for reversing unauthorized changes. In most of the groups, we have it automatically doing remediation. We seldom do manual remediation.
What needs improvement?
There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap. A couple of months ago, they came back to us and got our feedback on what we thought about their plan of implementing the agent health monitoring system would look like, and it looks pretty good. So, they are planning to release that functionality sometime during the Summer. I have been amazed with their turnaround time for getting concepts turned into reality.
For how long have I used the solution?
We have been using SentinelOne since early 2020.
What do I think about the stability of the solution?
It has been very stable. There have been no issues so far.
One person is needed for maintenance (me).
What do I think about the scalability of the solution?
It is scalable with the caveat that we have had some challenges within our infrastructure for 20 agents across Linux servers. Beyond that, scalability is not an issue.
8,000 to 9,000 people are using the solution across our entire organization.
We are using SentinelOne as our de facto endpoint protection software. As a result, it is a requirement for every machine in our infrastructure, except for the devices that do not support their agents. So, as our infrastructure continues to grow or shrink, the users of SentinelOne will either increase or decrease, depending on the state of our infrastructure at that specific point in time.
How are customer service and technical support?
The technical support is good and very responsive. 99.99 percent of the time, they have been able to provide satisfactory responses. Whenever we have asked them to join a call that requires their assistance on a priority basis, they have been able to join the call and provide assistance. Whenever they felt that they do not have enough information, they were upfront about it, but they realistically cannot do anything about it because there is a limitation on either SentinelOne agent software or deeper logs would need to be captured in order to provide more information. There has been no situation where support provided an unsatisfactory response.
Which solution did I use previously and why did I switch?
We were previously using Sophos. The primary reason that we switched was Sophos did not provide us the extended capabilities we needed to support our infrastructure, both on-prem and on the cloud. Sophos did not support any of the Kubernetes cluster environmental containers systems on the cloud. It did not have the advanced AI engines that SentinelOne does. Overall, Sophos was very bulky, needing a lot of resources and a number of processes. In contrast, SentinelOne was thinner, very lightweight, and more effective.
How was the initial setup?
The deployment and rollout of SentinelOne are pretty simple. In our environment, we deployed the agents, then we had to remove them from some of the machines because the agent was impacting the performance of those machines. At that time, we found out it wasn't the SentinelOne agent rather an underlying issue on our own system or even the environment that it was in. We had to take SentinelOne out to troubleshoot the root cause, which delayed us a bit in rolling it out to our other infrastructure. That was completely fine. Looking at it from a global and world perspective, the rollout was very simple.
About 6,000 to 7,000 endpoints took us six to seven months to deploy. Linux took a bit longer to deploy because the tools are not as good for deployment as what is available for Windows and Macs. Using a script, we were able to take care of that. However, we could only do that during maintenance windows, otherwise we couldn't deploy the agents without an approval change.
What about the implementation team?
We did the implementation ourselves. We have several teams responsible for each area:
- Two to four people for workstations.
- Two people for a retail environment
- Two people for the server infrastructure.
This provided resource continuity. In case one resource would be unavailable for any reason, then the other resource would be able to continue. Essentially, the deployment needed three people, but we had six for continuity.
What was our ROI?
We saw a return of investment during the first year. We far exceeded our ROI expectations, meeting our ROI expectations within the first year.
The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes.
From an overall perspective, it has reduced our mean time to repair in some cases to less than seconds to a maximum of an hour. Before, it would take days.
What's my experience with pricing, setup cost, and licensing?
The licensing is comparable to other solutions in the market. The pricing is competitive.
We subscribe to the Managed Detection and Response (MDR) service called Vigilance, which is like an extension of our SOC. Vigilance's services help us with mitigating and responding to any suspicious, malicious threats that SentinelOne detects. Vigilance takes care of those.
We also pay for the support. The endpoint license and support are part of the base package, but we bought the extended package of Vigilance Managed Detection and Response (MDR) services.
Which other solutions did I evaluate?
Sophos was eliminated very early on in the PoC process. Then, we looked at:
- SentinelOne
- FireEye
- CarbonBlack
- CrowdStrike.
Out of these solutions, we selected SentinelOne. Their ability to respond quickly in terms of feature functionality was the biggest pro as well as their fee for agents in the cloud. The other solutions' interpretation of a cloud solution did not match with our expectations. From an overall perspective, we found SentinelOne's methodology, its effectiveness, its lightweight agents and their capabilities far exceeded other solutions that we evaluated.
SentinelOne had the highest detection rates and the ability to roll back certain ransomware, where other solutions were not even close to doing that.
What other advice do I have?
It is a very good tool that is easy to deploy and manage. The administration over it is little to none. However, depending on the environment and whoever is trying to deploy the agents, they should test it with the vendor environment before they go and deploy it to production. The reason why is because SentinelOne has the ability to be tuned for optimization. So, it is better to understand what these optimizations would be before deploying them to production. That way, they will be more effective, and it will be easier to get buy-in from the DevOps team and the infrastructure team managing the servers, thus simplifying the process all around. Making the agents and configurations optimized for specific environments is key.
The Storyline feature has affected our SOC productivity. Though, we have yet to fully use the Storyline feature in a SOC. We are using it on a case-by-case basis. However, as we continue to deploy agents throughout our infrastructure and train our SOC to use the tool more effectively, that is when we will start using the Storyline feature a bit more. Currently, this is on our roadmap.
I am very familiar with the Ranger functionality, but we haven't implemented it yet for our environment. Ranger does not require any new agents nor hardware. That is a good feature and functionality, which is helpful. It can also create live, global asset inventories, which will be helpful for us. Unfortunately, we have not yet had an opportunity to roll that out and capture enough information from our infrastructure to be able to maximize the effectiveness of that functionality. We are still trying to get SentinelOne core services fully deployed in our environment.
Now that we have SentinelOne, we cannot go without it.
Compared to other solutions in the market, I would rate it as 10 out of 10.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Security & Privacy Manager at a retailer with 10,001+ employees
By using the Deep Visibility feature, we found some previously unknown persistent threats
Pros and Cons
- "The Deep Visibility feature is the most useful part of the EDR platform. It gives us good insights into what is actually happening on the endpoints, e.g., when we have malicious or suspicious activity. We came from a legacy type AV previously, so we didn't have that level of visibility or understanding. For simplifying threat-hunting, it is extremely useful, where traditional techniques in threat hunting are quite laborious. We can put in indicators of compromise and it will sweep the environment for them, then they would give us a breakdown of what assets have been seen and where they have been seen, which is more of a forensics overview."
- "We saw a return of investment within the first month."
- "The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do."
- "The role-based access is in dire need of improvement."
What is our primary use case?
Our use cases are for client and server visibility in our enterprise and operational technology environments, as EPP and EDR solutions.
How has it helped my organization?
Traditionally, we have had an open policy on endpoints in terms of what has actually been installed. We don't really centrally manage the application. So, we have had a sort of dirty environment. Now that we have SentinelOne with its advanced capabilities, this has enabled us to detect and categorize unwanted applications. It has given us a good foothold into the area of inventory management on endpoints when it comes to our applications as well.
One of the main selling points of SentinelOne is its one-click, automatic remediation and rollback for restoring an endpoint. It is extremely effective. Everything is reduced, like cost and manpower, by having these capabilities available to us.
What is most valuable?
The Deep Visibility feature is the most useful part of the EDR platform. It gives us good insights into what is actually happening on the endpoints, e.g., when we have malicious or suspicious activity. We came from a legacy type AV previously, so we didn't have that level of visibility or understanding. For simplifying threat-hunting, it is extremely useful, where traditional techniques in threat hunting are quite laborious. We can put in indicators of compromise and it will sweep the environment for them, then they would give us a breakdown of what assets have been seen and where they have been seen, which is more of a forensics overview.
From a forensics point of view, we can see exactly what is going on with the endpoint when we have threats in progress. It also gives us the ability to react in real-time, if it has not been handled by the AI. We have set the policy to protect against unknown threats, but only alert on suspicious ones.
The Behavioral AI feature is excellent. It is one of the reasons why we selected SentinelOne. We needed a solution that was quite autonomous in its approach to dealing with threats when presented, which it has handled very well. It has allowed us to put resources into other areas, so we don't need to have someone sitting in front of a bunch of screens looking at this information.
The Behavioral AI recognizes novel and fileless attacks, responding in real-time. We have been able to detect several attacks of this nature where our previous solution was completely blind to them. This has allowed us to close gaps in other areas of our environment that we weren't previously aware had some deficiencies.
The Storyline technology is part of our response matrix, where you can see when the threat was initially detected and what processes were touched, tempered, or modified during the course of the threat. The Storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and technique is very effective. By getting that visibility on how the attack is progressing, we can get a good idea of the objective. When we have the reference back to the framework, that is good additional threat intelligence for us.
Storyline automatically assembles a PID tree for us. It gives us a good framing of the information from a visibility standpoint, so it is not all text-based. We can get a visualization of how the threat or suspicious activity manifested itself.
The abilities of Storyline have enabled our incident response to be a lot more agile. We are able to react with a lot greater speed because we have all the information front and center.
The solution’s distributed intelligence at the endpoint is extremely effective. We have a lot of guys who are road warriors. Having that intelligence on the network to make decisions autonomously is highly valuable for us.
What needs improvement?
The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do.
For how long have I used the solution?
We have used it for around 10 to 11 months.
What do I think about the stability of the solution?
In the 11 months that we have had it, we have only had one problem. That was related back to a bug on the endpoint agent. So. it is very stable when I compare it to other platforms that I have used, like McAfee, Symantec, and Cylance.
Being a SaaS service, they take care of all the maintenance on the back-end. The only thing that we have to do is lifecycle the agents when there is a new version or fixes. So, it is very minimal.
What do I think about the scalability of the solution?
It is highly scalable. It is just a case of purchasing more licensing and deploying agents.
We have three global admins, myself included, with about 10 other administrators. Primarily, the way that we are structured is we have a client team and a server team. So, we have resources from each geographical region who have access to the solution to police their own environment on a geographical basis. So, we have three global admins, then everybody else just has a sort of SoC-based level functionality, which goes back to the custom role issue because this is too much access.
How are customer service and technical support?
The technical support is very good. My only criticism is they are not very transparent when they are giving you a resolution to a problem. We have had several cases where we have had a problem that we have been given the fix for it. However, when we asked for background information on the actual problem, just to get some more clarity, it is very difficult to get that. I don't know if it's relative to protecting the information regarding the platform or a liability thing where they don't want to give out too much information. But, in my experience, most vendors when you have a problem, they are quite open in explaining what the cause of the issue was. I find SentinelOne is a bit more standoffish. We have gotten the information in the end, but it is not an easy process.
When responding to fixing a problem, they are excellent. It is any of the background information that we are after (around a particular problem) that we find it difficult to get the right information.
Which solution did I use previously and why did I switch?
We were previously using Trend Micro Deep Security. The primary reason why we switched was that it is rubbish. It is a legacy-based AV. We had a lot of problems functionality-wise. It was missing a lot of things, e.g., no EDR, no NextGen capabilities, and it had interoperability problems with our Windows platform deployments. So, there was just this big, long list of historical problems.
We specifically selected SentinelOne for its rollback feature for ransomware. When we started looking into securing a new endpoint solution about 24 months ago, there was a big uptick in ransomware attacks in the territory where I am based. This was one of the leading criteria for selecting it.
How was the initial setup?
The initial setup is extremely straightforward. The nature of the platform has been very simplistic when it comes to configuring the structure for our assets and policies. Several other platforms that I have worked with are quite complex in their nature, taking a lot of time. We were up and running within a day on the initial part of our rollout. For the whole organization, it took us about 30 days to roll out completely in five different countries across roughly 20,000 endpoints.
Behavioral AI works both with or without a network connection. We tested it several times during procurement. It can work autonomously from the network. One of our selection criteria was that we needed it to be autonomous because we have air gapped environments. Therefore, we can connect, install, or disconnect, knowing that we have an adequate level of protection. This mitigates certain risks from our organization. It also gives us good assurance that we have protection.
We had a loose implementation strategy. It was based on geography and the size of the business premises in each country. We started with our administration office, but most of our environment is operational technology, e.g., factories and manufacturing plants.
What about the implementation team?
We did the deployment ourselves, but we had representation from the vendor in the form of their security engineer (SE). We did the work, but he gave us input and advisories during the course of the deployment.
Three of us from the business and one person from Sentinel (their SE) were involved in the deployment of SentinelOne.
What was our ROI?
We saw a return of investment within the first month.
On several occasions, we found some persistent threats that we wouldn't have known were there by using the Deep Visibility feature.
The solution has reduced incident response time by easily 70 percent.
The solution has reduced mean time to repair by probably 40 to 50 percent. This has been a game changer for us.
Analyst productivity has increased by about 50 percent.
What's my experience with pricing, setup cost, and licensing?
We are on a subscription model by choice. Therefore, we are paying a premium for the flexibility. We would have huge cost savings if we committed to a three-year buy-in. So, it's more expensive than the other solutions that we were looking at, but we have the flexibility of a subscription model. I think the pricing is fair. For example, if we had a three-year tie-in SentinelOne versus Cylance or one of the others, there is not that much difference in pricing. There might be a few euro or dollars here and there, but it's negligible.
Which other solutions did I evaluate?
We evaluated:
- Microsoft Defender for Endpoint
- Cisco AMP for Endpoints
- CylancePROTECT
- Apex One, which is Trend Micro's NextGen platform.
The main differentiator between SentinelOne has been ease of use, configuration, and performance. It outperformed every single one of the other solutions by a large margin in our testing. We had a standardized approach in tests, which was uniform across the platforms. Also, there is a lot of functionality built into SentinelOne, where other vendors offered the additional functionality as paid add-ons from their basic platforms.
During our evaluation process, SentinelOne detected quite a lot of things that other solutions missed, e.g., generic malware detection. We had a test bed of 15,000 samples, and about 150 were left for SentinelOne. What was left was actually mobile device malware, so Android and iOS specific, fileless attacks, and MITRE ATT&CKs. SentinelOne performed a lot stronger than others. Cylance came second to SentinelOne, even though they were 20 percent more effective in speed and detection. The gulf was so huge compared to other solutions.
SentinelOne's EDR is a lot more comprehensive than what is offered by Cylance. They are just two different beasts. SentinelOne is a lot more user-friendly with a lot less impactful on resources. While I saw a lot of statistics from Cylance about how light it is, in reality, I don't think it is as good as the marketing. What I saw from SentinelOne is the claims that they put on paper were backed up by the product. The overall package from SentinelOne was a lot more attractive in terms of manageability, usability, and feature set; it was just a more well-rounded package.
What other advice do I have?
Give SentinelOne a chance. Traditionally, a lot of companies look at the big brand vendors and SentinelOne is making quite a good name for itself. I have actually recommended them to several other companies where I have contacts. Several of those have picked up the solution to have a look at it.
You need to know your environment and make sure it is clean and controlled. If it's clean and you have control, then you will have no problems with this product. If your environment isn't hygienic, then you will run into issues. We have had some issues, but that's nothing to do with the product. We have never been really good at securing what is installed on the endpoint, so we get a lot of false positives. Give it a chance, as it's a good platform.
I would give the platform and company, with the support, a strong eight or nine out of 10.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Rick Bosworth S1Cloud Security (CNAPP, CSPM, CWPP) at a tech vendor with 1,001-5,000 employees
Top 20Real User
Thank you for your patience. I'm happy to report that today we released fully custom RBAC roles as generally available. Again, thank you for your feedback and continued patronage. If ever I may be of service, I am not difficult to find online.
Buyer's Guide
Download our free SentinelOne Singularity Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2026
Product Categories
Endpoint Detection and Response (EDR) Endpoint Protection Platform (EPP) Anti-Malware Tools Extended Detection and Response (XDR) AI-Powered Cybersecurity Platforms AI ObservabilityPopular Comparisons
CrowdStrike Falcon
Cortex XDR by Palo Alto Networks
Microsoft Defender for Endpoint
IBM Security QRadar
Elastic Security
Huntress Managed EDR
HP Wolf Security
Trellix Endpoint Security Platform
WatchGuard Firebox
TrendAI Vision One
TrendAI Vision One – Cloud Security
Microsoft Defender XDR
Buyer's Guide
Download our free SentinelOne Singularity Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the biggest difference between Carbon Black CB Defense, CrowdStrike, and SentinelOne?
- Which is better - SentinelOne or Darktrace?
- What do you recommend to choose when replacing Symantec EDR: SentinelOne or CrowdStirke Falcon?
- Cortex XDR by Palo Alto vs. Sentinel One
- Which solution do you prefer: CrowdStrike Falcon or SentinelOne Singularity Complete?
- Does SentinelOne have a Virtual Patching functionality?
- What is the biggest difference between EPP and EDR products?
- What is the difference between EDR and traditional antivirus?
- What is your recommendation for a 5-star EDR with low resource consumption for a financial services company?
- Which is the best EDR for a logistics company with 500-1000 employees?



















On behalf of the entire SentinelOne team, thank you for your extensive and thoughtful review, RS. It is rewarding to hear how customers derive value from our endpoint protection and EDR, whether for user endpoint, Linux VMs, or Kubernetes-managed container clusters. Cheers.