SentinelOne Singularity Complete Reviews

The primary use case is as an endpoint detection and response software. Basically, it is an enhanced antivirus, anti-malware, and anti-ransomware solution. It protects from ransomware attacks and other types of cyber attacks. It protects the endpoint from malicious actions.

Protection from cyber attacks is the feature we find the most valuable.

It's a stable product.

We find the solution to be scalable.

Technical support is good. 

The pricing is not too high.

It has a pretty simple user interface and is user-friendly.

They need to improve how we install the software. For the agent of SentinelOne in the endpoint, it's not an automated process. We have to download it and then upload it on the endpoint. That is something that can be made simple. The uploading of the software in the endpoint, if that can be done publicly, would be great. The setup should be available publicly. The agent installation should all be done in the cloud.

I've been using the solution for more than a year.

The solution is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze. 

The solution scales well. You can expand it as needed. 

We are a small organization and have around 200 to 250 people on the solution. 

The management is outsourced, and I find they are doing a very good job. We are satisfied with how we are able to get help if we need it. 

This is the first EDR solution we used. We did not have another solution in place beforehand. We only used basic antivirus software previously.

The initial setup is annoying since you have to download the agent and then upload it to the endpoint. 

For maintenance, basically, I'm the admin for SentinelOne. Also, there is a different organization altogether to whom we have outsourced the management of SentinelOne. They have their own employees. Their particular team would be working for our organization. They are an SoC organization, and they work 24/7 for various clients. We are one of their clients.

The pricing is reasonable. 

I'm not sure of the exact costs, as those are managed by a different team.

I'm a client and end-user. 

The solution is pretty easy to implement and administrate. We have not tried to integrate it with other solutions. While the pricing is reasonable, it's a bit more than typical antivirus software. That said, it has advanced functionalities that make the price worthwhile. Therefore, I would rate it nine out of ten. 

We primarily use the solution at our endpoints. We use it for security.

It's catching a lot of malicious and suspicious threats. That's good for us. 

We are able to write some custom rules on SentinelOne.

The setup is simple. 

Right now, the solution meets our needs. We do not need anything added to it. 

Maybe they can develop some firewall aspects for it to better protect us. If they did that, we can write a lot of rules for the firewall and custom rules.

I've been using the solution for about two years. 

The solution is stable and reliable. It catches a lot of malicious and suspicious threats. There are no bugs or glitches and it doesn't crash or freeze. 

The solution scales well and can work across platforms. We can use it with MacOS, Linux, and Windows Servers. You can use it with everything.

We have 600 people on the solution right now. It is used throughout the company.

We may increase usage in our company. 

Technical support is great. They are very responsive. For example, today, if I open a ticket, they will likely give me an answer in 24 hours.

Positive

I used FireEye and Symantec. However, SentinelOne is better than them. It's more flexible and catches more threats. 

We found the initial setup to be very simple. You just click through, and you're up and running. 

I'd rate it five out of five in terms of ease of deployment.

We're deploying it every month. SentinelOne sends updates every month and we action them. 

Licensing is paid on a yearly basis. I can't speak to the exact pricing. 

I'm not sure which version number we are currently on. 

If a company has a lot of people and needs to protect its many endpoints, this is a great option.

I'd rate the solution eight out of ten. 

It runs continuously and uses AI to look for any suspicious activity. If it does determine that there is a virus or something going on that shouldn't be happening, it not only stops the process but also completely logs the whole function. It tells you in a map version how the attack happened and how it was stopped. It is brilliant. In the past, for example, if I had the same problem in Webroot, I would've had to submit the case to Webroot for viewing so that they could, as a human, literally determine what the cause was, but by that time, it is way too late, whereas, this is the real-time protection.

It protects your machine, and it does an excellent job using AI to determine an attack and stop the attack. Its most powerful feature is prevention, and it can unwind ransomware activity as well. So, it is a really useful product in that sense.

There is the ability to SSH into a machine even if the machine has been disconnected from the network. When a real hazard happens, SentinelOne disconnects it from the internet so that no more transactions can occur, but I still have access to the machine. One of the bigger benefits is that no harm could be done because there is no communication with the internet, but I still have the ability to go in, restart a machine, do some investigations, and make some things happen.

One of the things they could do is extend the product range to include Android and iPhone so that you could have the app on your phone as well. There is probably something going on there with that, but that's something that they're lacking at the moment. For instance, if I was to have to recommend a client to protect their phone, I'd have to recommend Norton or something else. I don't have an answer within the SentinelOne solution.

I have been using this solution for close to three years.

It is perfect. I've seen very few problems related to the app. It is not using too much of the PC's power. It does not make PCs slower. So, I find it the best of both worlds. You reduce the impact of the product on the user, but at the same time, thoroughly protect the user, no matter what he does.

You can certainly have thousands of SentinelOne users. We have 250 users. In terms of our plans to increase its usage, I provide IT as a service. So, as I add clients, I always add licenses for those clients.

Their support is very good. I would rate them a five out of five.

Positive

It was straightforward. It probably took me a week to get 250 machines converted.

It can be done in-house very easily. You probably need one staff member that knows how to implement it, and after that, it pretty much runs itself. It requires very little maintenance.

It is not sold as a consumer product. It is only sold based on the number of licenses. So, as an MSP, you're probably going to pay about three and a half dollars per license, per month to have SentinelOne.

I would advise others to go for it. It is great. As an MSP, the peace of mind it gives me is really significant. While the cost of SentinelOne is higher than Webroot, the reality is that the peace of mind and the knowledge that you are probably not going to get a complete attack, simply because SentinelOne stepped in and stopped it, is worth every penny.

I would rate it a ten out of ten. It is absolutely fantastic.

We use SentinelOne daily for endpoint protection and restriction on using USB devices. 

The protection and management provided by SentinelOne is good.

I would like to see the reports from SentinelOne more customizable, as there are very few options.

I have been using SentinelOne for four months. I work as a senior network security engineer.

The management of SentinelOne is easy, it does not put too much burden on the machine. We will be upgrading to Windows 11 in the upcoming months, we will be able to better comment on stability after that.

Our organization has close to 3,000 machines with approximately 2,000 users. It is easy to scale.

We were using McAfee prior to SentinelOne. McAfee has a wide range of reports and is more customizable than SentinelOne. We switched from McAfee because we were no longer satisfied with the support they provided. They were no longer providing prompt responses, tickets were taking too long to get resolved.

The other reason we switched was that McAfee was a traditional antivirus working on a definition basis. They have not moved on to the next generation of antivirus. McAfee needs to focus on the behavior of the program and machine files. If you want this, you need to choose a different McAfee product. They were not putting everything in one place, but rather offering a buffet of offerings, driving the cost up.

The initial setup of this solution was simple. We did the setup ourselves, but did require a little help from the vendor.

I would give SentinelOne a four out of five for ease of setup.

The deployment of SentinelOne is easy. If you calculate the installation of the product and make all the packages ready, it takes about a week. Implementation was another month to go through and replace the older systems and install the new ones.

The pricing of SentinelOne is less than McAfee.

I would advise anyone looking to implement SentinelOne to look before you set up. Know how many machines are working in your network and which type of communication they are doing, whether it is internal or on the internet. No matter what solution you pick if it is SentinelOne, Carbon Black, McAfee, or Symantec check the usage of your machines.

I would rate SentinelOne a nine out of ten overall.

Our primary use cases for SentinelOne are data endpoint management, document version tracking, and email security.

A concrete fact is that it allows us insight into our data and our security and helped us protect our intellectual property.

For us, the dashboard is the most valuable feature. The analytics that you can pull out of the actual tool are valuable.

Their CASB tool needs to mature. I think there are some CASB vendors out there that have a dashboard tool that's much more mature than SentinelOne. That would be the only constructive criticism that I have.

I have been using SentinelOne for more than five years now. 

I have total confidence in the stability of the solution. 

SentinelOne's scalability is very good. The solution is very flexible. 

I was extremely happy with their technical staff. The solution's tech support is top-notch. They have some really good engineers on their team.

We previously used McAfee ePO and we switched to SentinelOne just because of the customer service and the product.

The initial setup was complex, but their technical staff are professionals and were able to help us custom-tailor the package we needed. On a scale of one to five, in terms of the complexity, with one being impossible to do and five effortless, I would put SentinelOne at about a four.

Deployment was about a six-month project for us and it included a discovery period and learning about our environments. We worked with SentinelOne to learn the environments and figure out what we needed to be successful. Then, we focused on an implementation period and then just monitored it after that. It was about a month and a half for each phase of that six-month period.

We implemented it in-house but we worked directly with SentinelOne. Our experience with them was fantastic. I wouldn't want to do it without those folks again.

The ROI we saw was that for the first time we had actual dashboard data on our data usage for our cloud vendor that we chose and also for our on-premises. We purchased our servers from Dell and it allowed us to actually get a better grip on what we actually needed to buy versus what we were buying.

SentinelOne's licensing costs are reasonable. I can't provide hard numbers, but I can say that SentinelOne is a much better solution with better value and a lower cost than the McAfee ePO. 

We did not evaluate any other options before switching to SentinelOne. 

SentinelOne would be my go-to security provider. I would recommend that others go there first. They will get solicitations from McAfee and such because McAfee knows they're losing that business, but they just can't offer what SentinelOne offers.

Overall, I would give the product a nine out of ten rating. 

We are mainly using it to replace a product we used before for antivirus. My specific use case for SentinelOne is threat hunting. I'm a security professional in our organization, doing offensive security. I do pen tests and analysis, and I'm hunting for intruders in our network. That's the context in which I'm using SentinelOne.

We're using two parts of SentinelOne right now. The first one is the antivirus and that has improved our company in that we have been able to find about 25 percent more malware on our machines than the old solution did, and that's remarkable because we are a bigger company and we used a big solution from a big player in the market. Finding 25 percent more is a really big increase. 

In addition, previously we were not able to collect all the actions from our clients in the field, and search, systematically, through what they are doing and see if there is an intruder. It's the first time that is possible for us, with SentinelOne.

In terms of incident response time, it's too early to provide real numbers because we haven't finished the rollout around the world in our company. But from the trend I have seen, I would estimate we are saving about 20 percent in response time, compared to our old antivirus solution.

When talking about mean time to repair, our old solution had some problems on several clients, which resulted in having to completely restore the client. That is something we haven't had with SentinelOne, up until now. It's also difficult to estimate because we don't have it on every machine. The old product was on about 5,000 machines and I now have SentinelOne on 2,500 machines, so it's not a completely fair comparison. But if you need a number, it has also been reduced by 20 percent.

In addition, it has increased analyst productivity in our company. My main job is to analyze many of the malware threats and, again, penetration testing. But the connection to virus total is a very helpful thing and I am using it heavily. That reduces the payload I have to analyze manually and the amount of malware I have to execute in sandboxes. It has probably reduced my workload by about 50 percent. That's really great.

For me, the most valuable feature is the Deep Visibility. It gives you the ability to search all actions that were taken on a specific machine, like writing register keys, executing software, opening, reading, and writing files. All that stuff is available from the SentinelOne console. I'm able to see which software is permanent on a machine, and how that happened, whether by registry keys or writing it to a special folder on the machine. That's threat-handy. Deep Visibility has found threats we did not know were lingering on endpoints, but I am not allowed to speak further about this issue.

Because we are a bigger company, we are doing a step-by-step rollout. We don't have all countries fully in production, where "fully in production" means that SentinelOne is the only antivirus product on the machine. So in some countries we just have it reporting and not quarantining. For example, in China we have SentinelOne completely up and running, and there the Behavioral AI analysis is one of the reasons the antivirus is so effective. To be honest, we have to white-list some stuff which behaves weird but is really needed and not harmful to us.

The Behavioral AI recognizes novel and fileless attacks and responds in real-time and it does so really well. That is one of the things that has really brought us forward. It completely changes how we work with our antivirus solution. The previous product just gave us the information that the software had blocked something, while in SentinelOne we really see what was going on. We see the complete path of execution for a given malware: how it got on the machine and how it got executed. And then, SentinelOne stops it. It gets executed but then gets stopped, and that's something completely different from a pattern-based antivirus.

Another great benefit comes from the fact that SentinelOne doesn't rely on pattern updates. For some machines we have at customer sites, which are not reachable by internet or VPN, we have better protection than before because you don't need to update the SentinelOne agent every day to get the actual pattern from it. The Behavioral AI gives you protection even if you don't update the client. That's a great benefit for us at customer sites.

When it comes to the Storyline feature, as a penetration tester, I'm doing threat hunting. Every time malware gets executed on a machine, it's something I have to investigate. Normally we block it very early, on our proxy servers, for example, for all our users. Seeing how the malware got executed shows me the kinds of security holes we have are on our proxy servers. That's very important for strengthening some portions of our defense in other places.

The solution’s distributed intelligence at the endpoint is pretty effective, but from time to time I see that the agent is not getting the full execution history or command-line parameters. I would estimate the visibility into an endpoint is around 80 percent. There is 20 percent you don't see because, for some reason, the agents don't get all of the information.

Another area that could be improved is their handling of the updating of the agent. It is far from optimal. The agent changes often and about 5 percent of our machines can't be automatically updated to the newest agent. That means you have to manually uninstall the agent and install the new agent. That needs to be improved.

I have been using SentinelOne for about a year. Because we have been using it for a long time, we have several versions in production but we tend to use the most recent. The version we are using mainly is 4.5.2.136.

We literally haven't hit a minute of downtime. It's pretty stable and I haven't even given its stability a thought.

In the beginning, I saw that Deep Visibility was really fast. Then, with more and more agents reporting their daily work to the console at SentinelOne, I noticed a decrease of response time with the console. But what's really great is that they updated the console rapidly and the response time got better and better. Now I like the response time. There are ups and downs in the console response times, and in how fast the agents are reporting, but I have the feeling that SentinelOne monitors that and reacts if it gets too slow. Of course it's a trade off for SentinelOne between response times and costs. But right, it's more than we need.

In terms of expanding our usage, there's another very interesting product called Ranger. Right now we feel it's too expensive, but it might be interesting in the next two or three years. For now, we just want to finish our rollout.

My overall experience with their technical support has been positive.

SentinelOne does not provide equal protection across Windows, Linux, and Mac OS, but it's the first antivirus solution we have had in our company which provides any antivirus protection for all these very relevant operating systems. None of our previous antivirus solutions were on Linux and on Mac. That is really helpful for us because we have it all under one hood.

This is the first time we have used an antivirus software as a service and it was the easiest set up I have ever had in my life, and I have been doing this stuff for many years. The console was set up by SentinelOne, literally in 20 minutes. The deployment of the agent took me five minutes for the first machines and they reported within those five minutes. That was the fastest ramp-up I've ever seen.

There are three IT security guys who are concerned with information security in our company. Normally I don't do antivirus stuff. My colleagues are information security officers as well and don't care about antivirus. But I got this project to roll it out it all over the world because I'm one of the technical guys who is capable of doing it. So strictly speaking, I'm doing it alone—one person for 5,500 computers. But at least we have people in every time zone who are capable of using the SentinelOne console, more or less. Altogether, there are six people in our company who actually access the solution, including me.

We had an implementation strategy. Because we had a major pain point in China, we started rolling it out there. Because it's in a completely different time zone and the people are completely different in their mindset, this was one of the critical areas for us. It worked like a charm. I installed 230 machines within five days, and then I recognized that SentinelOne was finding so much more than our old antivirus solution that I started to really do a rollout plan. 

As part of that plan, we always install SentinelOne side-by-side with our old solution, and that works great. They say, "Don't ever have two antivirus solutions on one computer," but that's not true for SentinelOne. You can configure both and they work together. In the first step, SentinelOne is on the machine, just reporting to the console. That way, I see which software gets executed, software that SentinelOne might find problematic, and I do whitelisting or blacklisting, depending on the software. Once I don't get much software that I have to whitelist, I put the client into a kill and quarantine mode and every software gets removed automatically. Once the agent is in kill and Quarantine mode, the old antivirus solution is uninstalled. That's how we do it, country-by-country.

The time it took was affected by the Coronavirus. As a result of that, many of the machines were not onsite and many of the people weren't online, or were only on VPN. I don't distribute SentinelOne by VPN because people at home normally don't have a big bandwidth and I didn't want to stress it even more. I kept in mind that they were covered by our old solution, so there was no big need to really push it forward. But the 2,500 machines we have installed took six months.

SentinelOne gives their customers access to the SentinelOne API and that made it possible for me to write software for the deployment of SentinelOne. I'm speaking to the company to get permission to publish this software as open source. That might help many other companies that are facing the same problems I have in rolling it out all over the world.

It would be easier to calculate ROI if we had already rolled it out to every machine, because the number I have to compare it with is for the complete installation on all machines. My feelings say "Yes, we have seen ROI," but I don't really have good numbers that I could give you.

There are no fees other than their standard licensing fees.

We compared five products. We had a matrix with weights and the requirements we needed from a new antivirus solution. We did three proofs of concept and SentinelOne won it easily.

It was difficult to compare them because we had one other product that worked with artificial intelligence as well, but with a completely different mechanism. We also had three traditional antivirus products based on patterns, and it was really difficult to compare the features of SentinelOne with the competitors. That was the reason we decided to do a POC.

The biggest lesson I have learned is that SentinelOne is an antivirus product which gives you, on the one hand, all information you could dream of if you need to analyze software or malware, especially, on the machine. On the other hand, it's simple and fast and easy to use, and that's something I really appreciate.

We have been playing around with the solution's ActiveEDR technology, to get an idea of what is possible. We have not gotten so far that we use it for building KPIs and the like. But we have noticed it and it seems it could be a big game-changer for us, but I can't really provide much information on that topic.

While I really use Storyline right now, I'm the only one who does so in our company. I'm not sure if we will use it in our company on a large scale. That's the other side of this product. We don't have many people who are able to work with the information you get out of the module from SentinelOne.

We don't use the rollback feature, we just use quarantine right now. We haven't had any outbreak of cryptoware encrypting files. So as of now, we haven't needed it. That might change in the future.

I would rate SentinelOne a 10 out of 10, and I don't give 10s easily. I really love how simple and effective the product is. I really love the visibility it gives me into the endpoint. I really love that they open their product to the customer to enhance it with custom-made software, giving you the APIs to program it. Those are all things competitors don't have.

I really feel like the software has made my life easier. As I said before, my workload for malware analysis dropped by 50 percent. That's why I'm really thankful and really appreciate the product. I would say to everyone, at least give it a try. For our company, it really fits.

SentinelOne performs primary functions for our endpoint antivirus and anti-malware solutions. It's a centralized managed version of an antivirus product that gives real-time information on any kind of threat we might receive. It's very broad. It not only protects through signature defense, which is like what most common antivirus products do, but it also does behavioral which has been absolutely lifesaving here a couple of times.

It has saved our bacon more than once by detecting threats. It even detects zero-day threats because it detects them through their behavior. It doesn't need a signature. It actually keeps me busy with this and the insight into the agents that are installed. Our level of protection around here has never been this high.

By comparison, we're also running Windows Defender, which comes with Windows 10 operating systems. We collect that data through our SCCM and SentinelOne finds threats that are at a rate of 25:1 to 30:1. It's not even close. SentinelOne has made a tremendous difference in our ability to protect our endpoints and servers.

SentinelOne gives us a lot more insight into the endpoint for the agents that are installed there. I can actually see applications. We can see precisely anything that needs to be patched, something that is dangerously out of date, or a security vulnerability. I can get insight into all of that.

It gathers the data for anything that is related to the security of an endpoint. It has very configurable policies. We can make the agent as locked down as possible. It can be very intolerant or you can actually make it to where it's relatively loose, in which it warns you about everything but doesn't lock everything down on everything, which is the way we run our environment.

At our university, there is a lot of end-user freedom that you cannot curtail like you could in a corporate environment because people doing research tend to go to a variety of websites that they really shouldn't go to. It keeps me very busy but SentinelOne has proven so far to allow us to stay ahead of the game as opposed to playing catch up.

The agent communicates through to the console incessantly. It has some intelligence on the agent, but most of the time it's literally getting its instructions from the console. That has been extremely effective and very useful. The effect on the end-user experience is practically non-existent which makes it head and shoulders above other antivirus and anti-malware platforms.

SentinelOne does not impede our ability to do our work. It doesn't start to show latency. It doesn't take up a lot of extra memory or a lot of extra cycles. How it's able to do what it does on the endpoint, as powerfully as it does, without affecting the end-user experience is beyond me. It's a stroke of brilliance in their programming. Very seldom in security products do you get the best of both worlds. Usually, you have to give up convenience for security. But in this case, they go hand-in-hand. It's very impressive.

We have used the one-click automatic remediation and rollback for restoring an endpoint quite a few times. Its ability to mitigate a threat, whether you're deciding just to kill it, quarantine it, rollback, or just remediate, which changes files back, is absolutely very easy, very intuitive, and very fast to get the job done. It's top-notch.

SentinelOne has dramatically reduced our mean time to repair. In many cases, if I have to remediate a threat, I can see the threat, confirm it is a true positive, and then I can send it to remediation. It takes roughly two minutes. Whereas, in prior times, we'd have to dispatch a technician to go out there. A lot of times, they could not remediate the threat because we didn't have the capabilities that this thing has. They'd have to fully re-image the machine, which is a two-hour deal to re-image the machine, copy the data back, and configure for the end-user. We took that job and took it from a two-hour job down to about two to three minutes. It's been a dramatic effect. 

The automation SentinelOne offers has increased analyst's productivity. We have fewer people due to budget cuts which means we are wearing more hats. The efficiency of this particular product has enabled me to do that relatively seamlessly. It is a phenomenally efficient and useful product.

There is a feature that allows for deep visibility, which is interesting. You can actually research files. It also does threat hunting. It goes out and finds vulnerabilities before you actually have to deal with the vulnerability. But that is at an additional cost. It's something you get if you buy additional structure.

The best thing SentinelOne has done for us is that it gives us insight into the endpoints. We never had insight into lateral movement threats before. Once a threat known as Qbot gets on the network, it actually spreads throughout sub-networks quickly. SentinelOne has detected that and saved our bacon. We were able to get in there and stop the threat, lock it down, and prevent it from actually spreading through. It would have been 50 or 60 computers. It had spread through in a few minutes. We have a lot of HIPAA data and FERPA data that we need to keep protected.

In a situation where we had a Qbot that was caught by SentinelOne, it literally saved the university millions of dollars worth of privacy protection we would have to pay for. SentinelOne has made a big difference. 

We use the storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and techniques. When we get a warning, it comes up as a very nice dashboard-type screen we can go to. It gives a lot of information on the threat right away, including going to the storyline. You can actually trace it back to the actual file. You can see where the compromise happened, the exact steps that happened, and what happened from thereon.

It's almost like a giant flow chart. It shows you where everything's going, what affected what, what was changed, what was modified, and it also gives you the opportunity at that time to actually do a rollback which allows you to roll back all of those things that were affected and changed at that particular point in time by the threat. 

The storyline automatically assembles a PID tree. I use it more for my own purposes just to see where things came from and the damage they'd done. But we don't actually make a lot of use of a lot of higher functions like that. When there's a problem, we're able to rectify the issue and get the end-user up and running again. We don't have the personnel we had before, which gives us the additional cycles to actually research a lot of these things and go through them and focus on that. We don't make a lot of use of this particular functionality.

The way SentinelOne displays the threat has been the greatest effect on our incident response. It tells you exactly what the threat is, where the threat originated, allows you to look it up quickly in places like VirusTotal and Recorded Future which are malware information sites. You can link the hash of the file directly to the sync without having to do a lot of copy and pasting. It actually knocks some time off of the research of a problem when you do that. It allows me to quickly determine whether the threat is true, or if it's a false positive. It's a pretty strict engine.

If something is relatively programmed sloppy, a lot of times it assumes that that is a threat and it will flag it as suspicious. It can be a little overzealous when it comes to that. In this industry, you'd rather have that than something being too lax. You can configure it so that even if it does see something that it doesn't like, it doesn't stop it automatically. It just alerts you. It doesn't hamper the end-user if you don't want it to do that. But it puts the onus on the administrator, in this case, me, to verify the threat and deal with the threat quickly, or mark it as a false positive. Then, when you do mark something as a false positive or as a threat, it has a backend database. 

The machine learning is very impressive. Once I actually start to configure the machine learning, my day-to-day administration of it, roughly four hours, shrinks down to three hours, then two hours and an hour and a half, because the amount of machine learning involved saves us all that time. That's been its biggest improvement for me. It allows me to be very efficient with my time. It learns our environment, actually stops threats before they get there, and ignores the false positives without having to come up and bother you every time, then ask for input for it.

SentinelOne has dramatically decreased my incident response time.

We've used the deep visibility feature a few times. We don't make a lot of use out of it. We were using the deep visibility feature to search through our entire environment. There was a particular piece of software that was being flagged as not being used in its appropriate manner. It was being used as an enterprise service and it really wasn't. We were able to use the agents on SentinelOne and use its deep visibility to find the particular program and obtain its hash from there. Then, we were able to use the SentinelOne agent to extract this particular program on there, so we were no longer operating something out of license. That's what we've used deep visibility for. 

Deep visibility is very useful. If I had to simplify it, I would say if you know the threat you're looking for, it's fantastic.

Using the deep visibility, we did not find threats that were lingering on our endpoints, because the SentinelOne agent had dealt with them. We used it for a purpose that it probably was not intended for, which was actually finding specific software that was not supposed to be installed in our environment.

SentinelOne provides equal protection across Windows, Linux, and Mac OS. This particular product has worked so well that we mandated it across all workstations and all servers in our environment. It is our primary endpoint defense across all three of those operating system platforms. It has proven to be equally effective amongst all three. It did such a good job that it is our frontline.

I find their version naming conventions interesting in the fact that it's not just a number so it does help to recall some things when it comes to what version you are on. Anytime I open a support ticket, they always ask me what version of the console I'm on. I always have to look that up. I never remember that because this particular Liberty version has changed four or five times over the last month and a half.

They have tiers of support like most companies do. For the first three years, we had the top tier of their support and we would get a response from a technician quickly. We didn't have many things we had to ask of them. They would be very quick. We are now one tier down from that. The SLA for us is no longer within an hour or two. It's within half a day or something like that. As far as if I do ask a question of them, it is a little slower than what it used to be. I understand that we're at a lesser tier, but sometimes it feels like that could be a little better. I have to preface that by specifying that we're no longer paying for their top tier support.

They changed the UI a little bit which is to be expected but there are times where I actually preferred the older UI. The newer UI, once I got used to it, was fine. But before, when we would launch into the UI, it went straight to the bread and butter. In this case, it goes to a dashboard, which gives some statistics on the attack surface, endpoint connection status, and stuff, which looks nice. It's a lot of nice bar graphs. It's a lot of nice pie charts. But that's not what I really need. I had to configure it to get it somewhat back to what it was. I wanted to know immediately if there any threats that are incoming. I actually had to add that. I think the new dashboard has a lot of bells and whistles but I don't need it. We used to have to dig in to get this kind of stuff and that's exactly what I prefer it to be. The dashboard, in my particular case, has to tell me where the threat is, how severe the threat is, and let me remediate it as quickly as possible. I don't want to fish through pie charts to find that.

I think they put this new dashboard in two versions ago. In their defense, it's a fully customizable dashboard. I was able to put back what I wanted. It seemed like that should be a default, not something I have to add later. 

I have been working with SentinelOne since 2017.

My primary function is endpoint security and administration of SentinelOne and the other applications that go with that particular function.

The baseline, the agents, the console, and its primary functions are always steady. Those have never been compromised by any of their patching or updating. That has been really good. In our case, we still have some Windows 7 devices in our environment because they're older. They run a very specific piece of software that's not been upgraded, and by watching money, they don't want to upgrade certain pieces of software, specific labs, or things like that. They don't support their older clients past a certain date, which makes perfect sense. However, the agent doesn't just stop working. It still does its job. It loses some of its functionality, but it still does the primary job of protecting the endpoint. That's one thing I do like. Even if you do go out of date on something on an agent version because you're limited by the operating system, it doesn't just die. It still does its job.

We have a 100% adoption rate. We've used all of our licenses. But we are trying to get more licenses so that we can cover our labs and other places like that. We did not have the budget at the time to cover everything we wanted to cover.

We do have plans to increase usage. It's done a fantastic job. And so every time we can, we do add more licenses to it with the end goal of actually covering not only our faculty, staff, and workstations, but also all of our labs.

There are 1,823 users online right now out of 2,750. In addition to myself, there are three other individuals who have administrative privileges and there are other members of the security department in the event I'm not here or I'm on vacation, they can fill in that role. Our IT assistant manager has read access to it so he can see in there, access the API, and can actually incorporate SentinelOne data into ServiceNow. SentinelOne has a very robust API, so if you're into programming or integrating it into other systems, you can do that.

It has phenomenal scalability. It can be used as just a small business or it can operate on hundreds of thousands of devices in a single enterprise.

We don't lose any functionality by its scaling at all.

Support has been knowledgeable and well thought out. I don't feel like I'm getting a copy and paste. The technician interacts with me. The more data I can give them, the more they get back. I feel like someone's really putting time in to fix it, and they want to get the job done right the first time. I've never had to go back to them for the same problem.

Their sales rep and sales engineer usually assign two people to your case. One's your actual salesman and the other salesman is your technical salesman, the guy who answers the tech questions. They have been very involved. When it comes to deploying this, they help get the packages created and figure things out. They point you in the right direction. I can reach out to them directly. They have gotten back to me quickly and are very thorough. Their customer support from a salesperson to help desk individuals or whoever you're reaching out to remotely has been top-notch. They've always been professional. They have always been quick and they've always done the best job they possibly could for you. I can't say enough about them, they have been very impressive.

The previous tier is slower than what they are at now. With the service level agreement that we have, they need to get us an answer within around six hours but before they would answer within one hour. They've always been ahead of that curve, but it is a little noticeably slower than it was. That's because we're not paying them for that level of service. We can't really expect them to do anything more than that.

The previous solution we used was the Windows System Center Endpoint Protection, which is a part of the Microsoft Active Directory. It's a solution that's packaged with all the Windows products. It has a centralized means of communicating back when it detects an error. However, it was woefully inadequate. We had no idea how bad that was until we tried SentinelOne. We had no idea how teetering our environment was on the threats of viruses until we actually had the insight that we did through SentinelOne.

We switched because we knew the product. We knew what we were using. We were getting to the point where we knew that our current solution was inadequate. We started looking around. We looked at Red Hat, Cylance, and a couple of other ones. We looked at these vendors of these products to gain greater insight. We knew we had to spend the money to get what we needed to get. SentinelOne was brand new at the time and we decided to give them a shot. The Chief Information Security Officer had gone to a conference and was interested. SentinelOne came in, made their pitch, we went through some examples and some tests, and they let us do a proof of concept.

I was around a day and a half into the proof of concept and I was sold. It was an unbelievably effective product so we decided to go with it. Within a month of that, we had another level of agents out there. We were covering the bulk of the machines we needed to cover and we have not looked back since. It's been one of the few things that we have done here that we have never second-guessed.

When we looked at the solutions, Cylance had similar capabilities as far as having a behavioral engine and a static engine, but the difference was the usability of the interface. SentinelOne's interface is phenomenally well laid out, easy to do, and very efficient. The other products we looked at were nowhere near as efficient on the user interface side.

We didn't test them thoroughly enough to find out if there was something that got through on SentinelOne that didn't get through on the other solutions. I don't know how it does it this quickly, but in addition to its own engine and its own ability to check through behavior, it actually references VirusTotal. VirusTotal is a website of centralized virus information. Even if their engine were somehow not detected, it checks the threat against VirusTotal and if any other engine out there has detected that threat, it flags it. It actually uses the intelligence of the other anti-malware products. It does it quickly. I have no idea how it does it that quickly, but it's impressive.

We went with cloud-based instead of on-prem. Going cloud-based was pretty easy. The most difficult thing we had to do was deploy the agent. They don't have any means of deploying the agent. You have to use either your Shoe Leather Express, you have to go walk around and deploy it. And in our case, we use our active directory network, we used SCCM to push it out to departments in that manner. 

One thing that would be nice is if they had a means of deploying their agent. For example, a long time ago, on a different network of a different company, they wanted some help, and I helped them install a Sophos antivirus solution. Sophos had a means of emailing. You can email people and they could click on a link, which would download and install the agent for them, which was nice. Now, we depend on the end-user to do their part of the job which is risky. But one thing about SentinelOne is that I can upgrade agents all day long, but I can't deploy an agent to a machine that doesn't have one on there. There's no means of doing that. I wouldn't expect them to have that in there necessarily, but I think it would be a fantastic ability if they could do that.

I actually like their agent. As a matter of fact, it's required. I don't see how they'd be able to pull it off otherwise to do what it does. My point is, if a computer did not have SentinelOne on it and they were to run into a problem, for example, if we had a device that's not on our active directory network and we wanted them to deploy SentinelOne on it, the only way for me to do that is literally to run the user down, find them, or find their device and install it manually. It would be really nice if there would be a means to deploy it to an endpoint.

We have 2,750 licenses, and I was able to deploy it to 2,750 devices quickly. If you have a deployment mechanism like using your domain or your network, you can actually just say, "Please put it on these devices." You can create an installer package and it talks back to the console and that's it. It's super easy.

Our deployment took close to six months, not because of SentinelOne but because of internal politics.

Because SentinelOne was a new product and anytime you install anything new here, it has to go through committees to install things, we targeted our most high valuable departments first, the ones with the protected data and also administrative offices, like the president of offices and HR. We tested it in our department first and once the rest of the university saw that our computers didn't go up in flames, they began to relax about it. Then, we went to our high priority departments, our Chief Information Security Officer got behind it 100% and pushed the issue, which allowed us to go full force on it after we got through the initial departments. We got it in there, we tested it in our environment, created the packages for it, and tested it in our department for a month. Over the next four months, I rolled it out to individual departments in groups.

We did the deployment ourselves. We only needed one guy to do all those things centrally, which was nice. I was the primary person responsible for the deployment. I would occasionally enlist some help with my coworkers, specifically when we were initially deploying it to go over and test it on some machines. Once we got past the initial deployment, it was just me.

In terms of maintenance, it is no more than a mouse click away. I can upgrade agents in batches, which I normally do, and they are very aggressive about creating new agent versions. The agent versions actually contained more capability. Right now the agents are extremely powerful. I can update every agent here at once, all I have to do is select them and deploy the agent to them. It's very easy.

SentinelOne has paid for itself more than once because of the threats it stops. It allows central management, the end-user does not have to interact with the antivirus at all. They will get a warning that says, "Hey, you went somewhere risky," but it's all centrally managed. We don't have to dispatch a technician to go out and try to clean something. I can literally clean it right here from the console. It actually has full rollback capability. If you have ransomware that goes and encrypts an entire hard drive, the way the SentinelOne works on a Windows machine is so that I can hit a rollback command and I can roll the thing back before the thing got there and actually defeat ransomware for that.

It's been night and day for what my job was previous to having this solution.

They were very good about finding a price that could work for us. I'm not the bean counter, so I don't know exactly what the end cost was, but I do know that we got them at a time of the most financial stress we had been under and they found a way to make it work for us. It was a three-year contract and everyone fully expected the price to take a significant jump because the capabilities of the solution had been significantly increased with no additional costs. We expected it to maybe even be priced out and they did not. It went up a slight bit, which you can expect, but they worked with us. We were one of the first companies to go with them here, in Ohio. They have a lot of respect for their loyal customers. They worked with us and allowed us to keep this high-level product and actually add more licenses to it without breaking our bank.

In terms of additional costs, they've added something called Ranger and another layer of deep visibility. The base console doesn't come with that. Ranger is threat hunting and we were able to use the Ranger and the visibility, which is the threat hunting and of course the deep visibility and more in-depth storyline. We were able to use that, but we hardly ever needed that for our environment and the way we use the product. Because of that, we did not opt to have those in our current console.

We do more threat response than hunting. We put the latest and greatest agent out there and it's backed by this particular product but we just simply don't have the personnel to do it like we used to. That's the one thing we're missing. If you were to add the deep visibility and the threat hunting capability onto it, it would be a little bit more. I don't think it's that much of a significant cost, but I don't know the end results of the prices. Because we didn't make use of those two functionalities, they just cut it out.

I could not recommend SentinelOne highly enough. The one thing about this product is something I very seldom say when it comes to almost anything in life, sadly, is that I trust it. I trust this program to be well taken care of on the backend. I trust this program to do its job on the frontend. I trust the endpoint and network security of our university to this product. I have no doubt that we're in good hands. It has proven itself with ransomware, proven itself with Qbot infections, proven itself with a multitude of end-users. 

We had a pen tester on campus that was actively trying to hack things, doing penetration testing, and SentinelOne stops him every time. Every time he got to the machine with SentinelOne on, it stopped him dead in his tracks. The pen tester said, "Your endpoint solution here is fantastic". This is a trained white-hat hacker trying to break through and he couldn't do it. We gave him a foothold, an account, and all kinds of stuff. We opened the door for him to see how far he could get. He was able to get in on machines that did not have this level of protection. He was able to get to devices, create administrative users, elevate privileges. You name it, he can do it. Once he got to a machine with SentinelOne on it, it stopped him.

They didn't tell me we were pen-testing. Suddenly I was seeing lateral movement and all kinds of things on the network and I ran this guy down just to find out we hired him to go do this. I thought we had a hacker on-premises.

I would recommend that anybody who uses this product also interacts with other people who have it. Another university was the first university that had it near us and then we got it. They were a big help to us, as far as answering questions about the deployment. They told us about a couple of little headaches to watch out for. It had nothing to do with SentinelOne, but how Microsoft servers operate. So we were able to save ourselves a lot of time by interfacing with the network of users of this particular program.

What I've learned with a product of this caliber is how efficient one person can be. I don't think you're going to find many places where you have primarily one person safeguarding the endpoint solution of an entire university. The good news is that because everything is the way it's set up, the way it's configured, and the machine intelligence that I've added over the last three years, if I'm not here and someone else steps in front of it, it can run itself in many ways. I've learned that if you find the right product, you can become incredibly efficient.

I'd give SentinelOne a ten out of ten. I'd give it higher than that if I could. I've actually done calls where they've called me and had me speak to the salesman, we had a really good working relationship. He had me call and speak to people who he's actually trying to sell the product to. I think I've sold half a dozen of these things for him, but I can't recommend it enough. I believe in SentinelOne wholeheartedly.

We are a managed services provider. We are not just using it for ourselves, but we are also supporting it and deploying it for a number of our customers.

The primary use case is that it's endpoint protection software and we use it to protect our end customers' endpoints, whether they are Apple or computers, laptops or servers.

SentinelOne is software as a service, but it has an agent that has to be installed on a computer or a server onsite.

Its Behavioral AI recognizes novel and fileless attacks and responds in real-time. What that means is that we have better confidence. For example, a number of users use USB drives which they bring from home. While we have a lot of customers where we have actually restricted the use of external USB drives, there are certain customers where we cannot restrict that use because of the way they run their businesses. The result, for them, is that there is a constant fear that at any given point in time, an infected USB from someone's home computer can actually infect the whole lot of computers within the corporate environment. But having SentinelOne means we have a certain level of peace of mind, so that even if something completely new tries to enter the network or the system via a USB drive, for example, it doesn't matter. The system will detect it and kill it. There is a level of protection which we never felt before using SentinelOne.

As a managed service provider, the most important thing is that the more secure a customer's network is, the less time our team will spend trying to fix issues. One of our customers is a prestigious hotel in London, and they were struggling, literally battling, with a virus that had infected their network of about 90 computers. Whatever we could have done, and all their previous IT company could have done, could not have eliminated that virus. Even if you completely formatted a computer, it kept coming back. The only way we were able to clean that whole network up and stabilize the environment was when we brought in SentinelOne. Before that it was Symantec, and Symantec couldn't do anything to control that infection. But SentinelOne brought in such stability, that since we introduced it into that network about one-and-a-half years back, not a single report has come in of any infection there.

Also, when we have to report on attacks to a customer, the customer always asks us for the root cause analysis. It is very important for us to understand the behavior and to find out where that infection came from and what it initially did so that we can look at that behavior and try to prevent it from happening again elsewhere. SentinelOne helps us in doing the root cause analysis and reporting back to our customers. It gives us insight into where a problem started and how it propagated into the system. Tracking the history of the virus' actions gives that insight, which is very important. Otherwise, there is no way to create a root cause analysis report for a security breach.

The automatic remediation and rollback in Protect mode, without human intervention, is already enabled on almost all of our computers. That helps us minimize the number of technicians we need to work on things. Automatic remediation is a policy which we enable when we deploy the system, which means that a lot of things happen automatically. And from our side, we only keep an eye on the dashboard. That means that we need fewer technicians to support the system. It provides support itself through that functionality.

Overall, SentinelOne has reduced our incident response time, absolutely. In our case, it's particularly true because we have remote teams working from remote offices. With SentinelOne, we don't need to send someone onsite because we can see a lot of things from a single pane of glass on the dashboard. And if there is a problem, we can do all the troubleshooting, and working on that incident, remotely. So it has definitely improved the way we have provided cybersecurity to our customers.

And it has reduced our mean time to repair by more than 60 percent. Previously, when we were using other solutions, we had to do a lot more work.

The solution's automation has also increased analyst productivity. The effect is significant in the sense that the amount of time our analysts used to spend on security has been reduced. These days, they only have a look at the dashboard which is open on one of the screens in our office. They just keep an eye on that and as long as it shows everything is green, they don't even bother drilling down and looking at other stuff. It's only when they see an alarm coming up that they jump in and look at it. That was never the case before. Before, they were remotely accessing computers and working on them and trying to fix issues. That has become a thing of the past since we started using SentinelOne.

It's artificial intelligence-based software. The best part is the fact that it doesn't necessarily rely on definitions, like other software. For example, Symantec, AVG, Avast, and Kaspersky, traditional antivirus software, rely on virus definitions. So every now and then, if there is a virus infection, they will compile a new set of virus definitions and push it to the local agent so it will know that this virus exists and that it should keep an eye out for it. 

These traditional software solutions have small levels of functionality that may help them to identify if there are any dodgy activities within the computer. They would then try to mitigate those, but only to a very limited extent. With SentinelOne, that's not the case because it basically has its own intelligence to identify any dodgy behavior within the system. As soon as SentinelOne detects anything which is not right, it will start tracing the changes being made. And because it's centrally controlled, it will give the controller team an early indication that there is something wrong and that we need to fix it. Not only that, but it will block it and keep track of it for mitigation.

We also use the solution’s ActiveEDR technology. Because it's an agent-based system, it is monitoring internally. It's not that the central system is doing it. It's keeping an eye on the functioning of the endpoint itself. If the endpoint is functioning properly, it will sit behind the scenes and not do anything at all. As soon as it sees any malicious activity within the system, that's where it's triggered. The artificial intelligence part of the agent is able to differentiate what activity can be considered malicious and what activity can be considered normal. And that's big. It's something that cannot happen without that kind of intelligence in place.

It has a one-click button that we can use to reverse all those dodgy changes made by a virus program and bring the system quickly back to what it was. That's one of the most important features.

Another valuable feature is that if a machine is infected, one that may infect other computers within the network, we have the capability of segregating that machine so that it remains connected to the internet but is cut off from the other machines in the network. That helps prevent spreading of the infection. That's a very unique feature, one I have not seen in the last 10 to 15 years from any other antivirus program. That's amazing.

We have used it on Mac and we have used it on Windows. We have seen a good level of protection, because since installing it for those of our customers who have taken it, not a single report of a breach has come out. I feel very strongly that the system is quite capable.

One of the areas which would benefit from being improved is the policies. There are still software programs where we need to manually program in the policies to tell the system, "This program is legitimate." Some level of AI-based automation in creating those policies would go a long way in improving the amount of time it takes to deploy the system. 

There is also a bit of room for improvement in the way SentinelOne is deployed. Right now we push it, but a lot of the time the pushing doesn't work. So we have to log in to each computer and do a manual install. That area would help in making the product stronger.

We have been using SentinelOne for about two-and-a-half years.

It's very stable. I have not seen it crash, nor have I seen any other problems.

I have not used their technical support. My engineers have used it, and their feedback about the support has been good so far. I don't think they have had complaints.

The initial setup is straightforward. But when deploying it to 100 or 200 or 300 machines, pushing it is easier than logging on to each machine and doing it manually. But sometimes, pushing doesn't work and doing it manually takes a little bit more time. But that's a one-off exercise.

We don't have much of an implementation strategy for the solution. As an MSP, there are a lot more things going on, day-to-day, than just dealing with SentinelOne. But for deployment, I get my boys to log on to a customer's systems, do the push, and then whatever does not work through push deployment, they install manually.

For maintenance of SentinelOne, we only have two engineers who look at it on a day-to-day basis. We don't need any more than that. In terms of deployment, it depends on the size of the deployment. If it's a 100-user deployment, we would have a team of three or four who would do it over a few days' time.

The return for us is that it has reduced the manpower we require.

Pricing is a bit of a pain point. That's where we have not been able to convince all of our customers to use SentinelOne. The pricing is still on the higher side. It's almost double the price, if not more, of a normal antivirus, such as NOD32, Kaspersky, or Symantec.

I understand that these are not similar products, but for a customer who has a certain amount of money to pay for an antivirus, they can only spend so much. That's where it becomes hard to convince them to pay double the price for endpoint security.

That is the only feature of this product which causes us to step back and not be able to deploy it for absolutely every customer we have. We would love to, but obviously if the customer doesn't have the budget to pay for it, there is not much we can do.

If they can somehow bring the prices down, that would massively help in bringing this to a lot more customers.

We looked into other solutions, but not as deeply as we went into SentinelOne. Because we liked SentinelOne so much, we just stopped there. And we already had experience with the likes of Malwarebytes, Symantec, and AVG. This was a far superior product.

I haven't had a chance to take a deeper dive into Carbon Black, but that is something I have been told is comparable to SentinelOne.

One of the things which attracted me to SentinelOne was the fact that it is the only product which is tied to the SonicWall platform, and we use the SonicWall platform a lot. A lot of our customers have SonicWall firewalls. Having a combination of SonicWall and SentinelOne provides an end-to-end security arrangement with products that are integrated with each other.

Go for it. It's an absolutely brilliant product. But understand what it is before starting to deploy. Unless you understand the product, you will not know how to use it to the best of its best capabilities.

The solution's Behavioral AI works with and without a network connection, providing the internal protection. But having that network connection is important because it will then be able to report it to the central dashboard. While it will do what it has to do locally, it's helpful when the agent reports back to the central dashboard so that the IT Admin can take action. It is important that the systems remain connected to the internet.

But overall, the Behavioral AI is amazing. It's something very new in the market. The way SentinelOne works and the way it is set up, I haven't been more impressed by any other product. It is a step forward in security.

We have 400 to 500 endpoints using SentinelOne at the moment, and all those customers are happy. We are happy that they're using it, because it helps us secure their network better than what they had before. We have it on laptops which have been given to home users, on computers in offices, on servers in computer rooms. They all have SentinelOne and we are happy with the level of protection that it offers.

Moving forward, with every customer whose antivirus is coming up for renewal in our portfolio, we are recommending getting rid of Symantec and other products and taking on SentinelOne.

It's very effective and it's improving by the day. In the last two-and-a half years I have seen that the way it detects and the way it mitigates threats are constantly improving. It's a very effective solution.