The architecture primarily focuses on the endpoint, employing an agent-based approach. The acquisition of Scalyr has empowered SentinelOne to establish a comprehensive security big data lake. Similarly, aquision of Attivo brought in deception capabilities.

Agent-based functionality is specifically crafted to provide extensive coverage across infrastructure endpoints. In the case of XDR, APIs are leveraged to streamline data ingestion and response. However, its usage is confined to the ecosystem and limited to 3rd party technology partnerships.

While the EDR functionality in S1 offers comprehensive visibility and response functions, it falls short in its ability to detect and respond to threats beyond end points in the IT landscape. For instance, it lacks features such as NBAD, UEBA, SIEM, and others that are crucial. Achieving comprehensive coverage necessitates heavy reliance on third-party products and vendor partnerships and or, strategic aquisions made - thus making the overall solution feel like a bolt-on function.

Sentinelone offers good analytics capabilities and supports third-party log ingestion. However, it lacks long-term storage capabilities, which limits your ability to perform in-depth analytics. This is crucial given the current threat landscape and evolving compliance and regulatory requirements.

Analysts are typically expected to initiate incident response within 30 minutes of an incident. However, there are limitations on the number of third-party functionalities that can be used for executing response functions. These limitations are dependent on the technology partnership ecosystem or the existing built-in response capabilities available through API integration.Unfortunately, SentinelOne lacks the ability to perform Security Orchestration, Automation, and Response (SOAR) functions. This means that it is not possible to design response functions based on the specific business context or alert type and ever changing use cases considering changing threat landscape.

EDR-driven XDR capability heavily relies on integrating third-party threat detection functionalities to identify malicious signals across the IT landscape. However, these third-party threat detection systems primarily share "Alert Data" and do not provide access to the raw data they analyze to identify anomalies. Consequently, the ability to triage across the organization becomes limited, creating vulnerabilities in the XDR framework and compromising the overall effectiveness of the system.

Hunts are only performed on ingested log data, which limits the overall scope of the hunt. There is also a risk of overlooking important artifacts if the log data is not completely collected, especially considering that a majority of logs are never stored in the data lake. It's important to note that threat hunts are not real-time and do not rely on behavioral analysis.

No functionality to fetch live forensics post Incident Response / remediation compromising on assurance.

Functionality available with certain challenges in managing / monitoring third party security products.

Functionality not available.

Contracts are always annual & hence, you’re locked in.

Deployment of Agent is pain taking task, on top of it, from XDR point of view - there are limited intergations only. Volume of false positives are way to high, does take good 2 months to bring the overall noise down.

Rigid working with competetor products / solutions.

High, platform offers coverage around End point majorly with dependence on third party deployments to gain better visibility

Data unavailable