Singularity XDR – From Vision to Reality

These past quarters have been incredibly exciting for SentinelOne as a whole and specifically for Singularity XDR. They have highlighted a terrific year of success for everyone involved – from Engineering to every person in our Global Sales team.

Over the past few months, Singularity XDR has outperformed every other vendor in the MITRE ATT&CK evaluations (in more ways than one), has had unrivaled success in the Gartner Critical Capabilities report, and positioned itself firmly in the leaders quadrant of the 2021 Gartner EPP Magic Quadrant. Every external data point is important to us, and we pride ourselves on being a data-driven company but no data point is perhaps as good as the way your industry sees you and how much they emulate your choices (as they are arguably your strongest critics), including Palo Alto Networks CEO and other security vendors like Checkpoint on their MITRE report.

From its launch, Singularity XDR has inherently remained a means to an end, as opposed to a shiny goal in and of itself. Every investment we’ve made has been 100% tied to a need our customers – from the Fortune 10 to enterprises – have expressed: how can we help accelerate detection and response workflows with fewer clicks, agents, screens, and people. Data and automation are a huge part of that, but they are not the goal – they are a way for us to achieve what our customers need (more on that later).

Furthermore, as Resha Chedda mentioned in a previous post (“5 Questions to Consider Before Choosing the Right XDR Solution”), our approach to XDR is one that assumes that it is rooted in our unique approach to EDR. Challenges such as data normalization, contextualization, and correlation are not new. Neither is the need to maximize automation and maintain a strong offering across all protected surfaces. It is not a coincidence that this market is not XIEM or XOAR but XDR. Had our EDR not been best in class, our XDR strategy would be inherently flawed.

That does not mean that EDR is enough. While the EDR fundamentals are critical, they must be combined with net-new innovation and execution at an exponentially larger scale. XDR is somewhere between evolution and revolution – On one hand, XDR is clearly not just a patchwork of capabilities; it calls for an organic evolution from EPP and EDR. On the other hand, the realities facing an XDR solution – ranging from the threat landscape to the abundance of vulnerable surfaces and the quantity of data, all serve as a catalyst for revolutionary, force-multiplying, technological advancement.

From E to XDR

Both EDR and XDR are essentially a Venn diagram of Data, Detection, Automation and Action – with the sweet spot being unsurprisingly in the middle. There are several key EDR foundational product capabilities that SentinelOne has spent multiple years perfecting and have been a huge part of our success. It’s exactly that sweet-spot which: A) is so hard to replicate; and B) is critical to XDR (and why so many “XDR” vendors are failing)

Storyline™ + MITRE

  • The 2021 MITRE ATT&CK evaluation (as well as those before it) has become, for all intents and purposes, the benchmark for EDR. While the results are definitely open to interpretation and almost everyone can make a claim to be the best – we’re actually proudest of a metric that often gets overlooked and is probably the only one that translates directly to MTTR (Mean time to Respond) – Despite being the only vendor with 100% visibility as well as more observed behaviors – SentinelOne created fewer distinct incidents than any other vendor.
  • This is thanks to Storyline – The ability to correlate and aggregate 100s of suspicious activities across multiple entities (Files, Processes, Users, Domains, IPs and more) into a single Campaign-Level-Insight. This means that analysts using SentineOne can Triage, Investigate and Respond to large, complex attacks with exponentially fewer clicks, but more importantly, in less time.

1 Click Remediation – Across Every Platform

  • One of the most impactful derivatives of Storyline is the fact that an entire campaign can be mitigated, remediated and in some cases entirely rolled-back with a single click. With Storyline correlating all of the different activities and entities – remediating the storyline translates into remediating an entire campaign. SentinelOne’s approach to Response has always been focused on automation and cross-platform parity and will continue to be so. For example, we have recently launched a Remote Scripting Orchestration capability which will enable our customers to automatically execute multiple scripts across their entire environment, regardless of OS, with a single, easy to use workflow.


  • Storyline Active Response (STAR)™  is our cloud-based Automated Hunting, Detection, and Response engine. Balancing between our own built-in detection and delivering a powerful mechanism for our partners and customers to define their own detections was not an easy task- but that’s what we’ve achieved with STAR. Every query that can be run in Singularity can also be defined as a rule that monitors every incoming data-point in near real-time. Upon triggering, these rules can initiate anything from a simple alert to a complex playbook of actions. STAR is already a key part of our EDR and will evolve with Singularity XDR in terms of both the data it monitors and the actions it can initiate.

365 Days of Live Hunting Data

  • The term data retention gets thrown around far too frequently in this industry. Many vendors claim they offer “Long Term Data Retention,” but upon further investigation, it is either only partial data or partially accessible. Within Singularity, we offer our customers the ability to perform live hunting across 365 days (or more if needed) of data. For context, S1 was deemed the only one with 100% MITRE ATT&CK visibility – so that’s an unparalleled amount of data).  Since SolarWinds and SUNBURST, many of our customers have utilized our ability to query 365 days of data to get a picture of what occurred in their environment for a whole year.

It’s the combination and balance of foundations like these, alongside many others that enable us to deliver on XDR.

Data & Automation – As Guiding Principles

Despite everything said above, we are far from “Done”. We continue to Build, Integrate and Expand on all fronts.

The recent acquisition of Scalyr is probably the best example of our strategy becoming a reality, as well as the inseparable bond between being the best EDR and XDR. With Data being one of the cornerstones of every security problem, not just XDR, it was clear to us that we needed to establish Singularity on top of a foundation that can optimize for the “holy trinity” of data – Performance, Scale and Cost. Scalyr’s technology complements everything we want to achieve with both EDR and XDR – Unparalleled speed, efficiency, and flexibility and a perfect fit for rapid ingestion of data from an increasing number of new sources, both Endpoint and beyond.  Additionally, we are now seeing just how critical it is to choose a technology that was designed to address topics such as “How easy is it to ingest new types of data”, “How efficient is the data normalization process” and “Does the technology support the creation of abstraction and analysis layers on top of the data” – instead of just buying a “SIEM” or creating a “Graph”.

SentinelOne Storyline Active Response (STAR)
Customize EDR to adapt to your environment

Marketplace and Integrating into existing Security Stacks

The recently launched Singularity Marketplace is another huge part of our XDR strategy. SentinelOne has a great track record of launching new products – whether covering new surfaces or addressing new use-cases, but we recognize that many of our customers have diverse security stacks. With the Singularity Marketplace we facilitate the integration and orchestration of Data and Response across those stacks, but in a way that alienates nobody and optimizes for speed, simplicity and above all else, IMPACT. The list and scope of XDR applications that we support for Data Ingestion, Correlation and Response is growing by the week – being prioritized by a single voice – that of our customers. We make sure that every source we ingest and every API we expose actually makes an impact – does it enhance context, does it improve root-cause analysis, does it accelerate remediation?


Today’s marketing and positioning around the need for XDR can be confusing. One might find different technologies claiming similar claims, leaving the buyer with too many options and the need to research what it actually means. For us at SentinelOne, it’s these initiatives, together with the EDR foundations mentioned above and several other ground-breaking projects – from covering new surfaces to introducing new workflows, that are going to help us keep delivering what our customers need. Singularity XDR will not compromise – we are not a SOAR, not a SIEM, but the world’s best XDR. And we’re only just getting started.

If you would like to learn more about STAR and the SentinelOne XDR platform, contact us for more information or request a free demo.