Frequently Asked Questions

Everything You Need to Know About SentinelOne

About SentinelOne

What is SentinelOne software?

SentinelOne Singularity platform is an industry-first data lake that seamlessly fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform. With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real time, autonomous security layer across all enterprise assets.

How good is SentinelOne?

SentinelOne is regularly appraised by industry-leading analyst firms and independent third-party testing, such as:

  • Gartner Best Endpoint Detection and Response (EDR) Solutions as Reviewed by Customers
  • Gartner Best Endpoint Protection Platforms (EPP) as Reviewed by Customers
  • MITRE ATT&CK APT29 report:
    • SentinelOne Singularity Platform had the highest number of combined high-quality detections and the highest number of automated correlations.
    • SentinelOne grouped all data over the 3-day MITRE test into a mere 11 console alerts, with each alert containing all the details within. Fewer alerts in the Management console are better than more alerts, and Singularity successfully grouped together relevant related data, context, and correlation, making it easier for analysts to understand and act.
    • SentinelOne had the highest number of tool-only detections and the highest number of human/MDR detections.

Analysts are drowning in data and simply aren’t able to keep up with sophisticated attack vectors. SentinelOne helps turn data into stories, so analysts can focus on the alerts that matter most.

Which certifications does SentinelOne have?

SentinelOne participates in a variety of testing and has won awards. Here is a list of recent third party tests and awards:

  • MITRE ATT&CK APT29 report: Highest number of combined high-quality detections and the highest number of automated correlations, highest number of tool-only detections and the highest number of human/MDR detections
  • The first and only next-gen cybersecurity solution to receive VB100 certification from Virus Bulletin. The VB100 certification is a well-respected recognition in the anti-virus and malware communities due to its stringent testing requirements.
  • Gartner Best Endpoint Detection and Response (EDR) Solutions as Reviewed by Customers
  • Gartner Best Endpoint Protection Platforms (EPP) as Reviewed by Customers
  • Passmark’s January 2019 performance test compares SentinelOne to several legacy AV products. Testing showed that SentinelOne performs better than other vendors when the agent is under heavy load. During normal user workload, customers typically see less than 5% CPU load.

Who owns SentinelOne?

SentinelOne is a private company backed by top-tier VCs. SentinelOne was founded in 2013 and is headquartered in Mountain View, California.

When was SentinelOne founded?

SentinelOne was founded in 2013.

Who are SentinelOne’s competitors?

SentinelOne and CrowdStrike are considered the two leading EDR/EPP solutions on the market. SentinelOne is superior to CrowdStrike and has outperformed it in recent, independent evaluations.

SentinelOne offers an autonomous, single-agent EPP+EDR solution with best-in-industry coverage across Linux, macOS, and Windows operating systems. SentinelOne also offers an optional MDR service called Vigilance. Unlike CrowdStrike, SentinelOne does not rely on human analysts or cloud connectivity for its best-in-class detection and response capabilities. Instead, it utilizes an Active EDR agent that carries out pre- and on-execution analysis on the device to detect and protect endpoints autonomously from both known and unknown threats.

Is SentinelOne ISO 27001 compliant?

SentinelOne is ISO 27001 compliant. Please read our Security Statement.

How do I apply for a job at SentinelOne?

To apply for a job at SentinelOne, please check out our open positions and submit your resume via our Jobs section.

Endpoint Security

What is endpoint security software?

Endpoint security software is a program that is installed on laptops, desktops, and/or servers that protects them from the slew of attacks that can infect an endpoint – malware, exploits, live attacks, script-based attacks, and more – with the purpose of stealing data, profiting financially, or otherwise harming systems, individuals, or organizations.

What is considered an endpoint?

An endpoint is one end of a communications channel. The term refers to the parts of a network that don’t simply relay communications along its channels or switch them from one channel to another; an endpoint is the place where communications originate and where they are received.

Are servers considered endpoints?

Servers are considered endpoints, and most servers run Linux. SentinelOne Linux agent provides the same level of security for Linux servers as all other endpoints.

What is next gen endpoint protection?

Next-gen endpoint security solutions are proactive. They preempt and predict threats in a number of ways. By evaluating all activity in a network, both in the kernel and in user space, these tools keep a close eye on anything that looks suspicious. Machine learning processes are proficient at predicting where an attack will occur. Security tools may use things like out-of-band monitoring to make the surveillance more robust and to catch viruses, malware, and other kinds of attacks early.

What is an endpoint protection platform?

SentinelOne Endpoint Protection Platform (EPP) unifies prevention, detection, and response in a single, purpose-built agent powered by machine learning and automation. It provides prevention and detection of attacks across all major vectors, rapid elimination of threats with fully automated, policy-driven response capabilities, and complete visibility into the endpoint environment with full-context, real-time forensics.

What is endpoint management software?

The SentinelOne agents connect to the Management console, which manages all aspects of the product providing one console for all of its capabilities, eliminating the need for separate tools and add-ons.

What is the best endpoint protection?

The best endpoint protection is achieved by combining static and behavioral AI within one autonomous agent defending the endpoint against file-based malware, fileless attacks, evil scripts, and memory exploits whether that endpoint is online or offline.

The SentinelOne Endpoint Protection Platform was evaluated by MITRE’s ATT&CK Round 2, April 21, 2020. It had the lowest number of missed detections, and achieved the highest number of combined high-quality detections and the highest number of correlated detections. Importantly, SentinelOne does not rely on human-powered analysis and defeats attacks using an autonomous Active EDR approach.

What is Active EDR?

ActiveEDR allows tracking and contextualizing everything on a device. ActiveEDR is able to identify malicious acts in real time, automating the required responses and allowing easy threat hunting by searching on a single IOC.

What is the SentinelOne agent?

The SentinelOne agent is a software program deployed to each endpoint, including desktops, laptops, servers, and virtual environments, and runs autonomously on each device without reliance on an internet connection. The agent sits at the kernel level and monitors all processes in real time. This monitoring is performed by our Dynamic Behavioral Tracking engine and allows users to see exactly what happened on an endpoint at each stage of execution. This includes origin, patient zero, process and file activity, registry events, network connections, and forensic data.

How do you implement endpoint security?

Implementing endpoint security measures requires the deployment of SentinelOne agents on all the endpoints in an organization. Security teams can monitor alerts, hunt for threats and apply local and global policies to devices across the enterprise.

Is endpoint security an antivirus?

An endpoint security solution is not an antivirus. Antivirus is an antiquated, legacy technology that relies on malware file signatures. SentinelOne Endpoint Security does not use traditional anti-virus signatures to spot malicious attacks. Instead, we use a combination of static machine learning analysis and dynamic behavioral analysis to protect systems. All files are evaluated in real time before they execute and as they execute. Because SentinelOne technology does not use signatures, customers do not have to worry about network-intensive updates or local system I/O-intensive daily disk scans.

Are Norton and Symantec the same?

Norton and Symantec are legacy AV solutions. They (and many others) rely on signatures for threat identification. SentinelOne Endpoint Security does not use traditional anti-virus signatures to spot malicious attacks. Instead, we use a combination of static machine learning analysis and dynamic behavioral analysis to protect systems. All files are evaluated in real time before they execute and as they execute. Because SentinelOne technology does not use signatures, customers do not have to worry about network-intensive updates or local system I/O-intensive daily disk scans.

How does SentinelOne Endpoint Security work?

How does SentinelOne work?

The SentinelOne platform uses patented technology to keep enterprises safe from cyber threats. It implements a multi-vector approach, including pre-execution Static AI technologies that replace antivirus applications.

SentinelOne also uses on-execution Behavioral AI technologies that detect anomalous actions in real time, including fileless attacks, exploits, bad macros, evil scripts, cryptominers, ransomware and other attacks.

Delivered in milliseconds to shut down attacks and reduce dwell time to near zero, SentinelOne response features include alert, kill, quarantine, remediation of unwanted changes, Windows rollback to recover data, network containment, remote shell, and more.

Does SentinelOne protect me while I am disconnected from the internet (such as during traveling)?

The SentinelOne agent offers protection even when offline. The agent will protect against malware threats when the device is disconnected from the internet. However, the administrative visibility and functionality in the console will be lost until the device is back online.

Is SentinelOne an antivirus?

While antivirus products were designed more than a decade ago, the threat landscape has changed entirely in the last few years. SentinelOne is an Endpoint Protection Platform, which means it is superior to, and replaces, traditional signature-based antivirus solutions.

Can I use SentinelOne platform to replace my current AV solution?

You can and should use SentinelOne to replace your current Antivirus solution. It is possible to run both Microsoft Defender and SentinelOne concurrently should you wish to.

Which products can SentinelOne help me replace?

SentinelOne was designed as a complete AV replacement. Enterprises need fewer agents, not more. SentinelOne offers many features that enable customers to add our product in and then pull traditional AV out. SentinelOne can also replace traditional NTA (Network Traffic Analysis) products, network visibility appliances (e.g., Forescout), and dedicated threat-hunting platforms.

Can SentinelOne protect endpoints if they are not connected to the cloud?

The SentinelOne agent is designed to work online or offline. The agent on the endpoint performs static and dynamic behavioral analysis pre- and on-execution.

These two methods are the principal prevention and detection methods in use and do not require internet connectivity. However, when the agent is online, in addition to the local checks, it may also send a query to the SentinelOne cloud for further checking.

What detection capabilities does SentinelOne have?

SentinelOne utilizes multiple cascading engines: reputation, StaticAI, and ActiveEDR capabilities to prevent and detect different types of attacks at different phases.

Does SentinelOne provide malware prevention?

SentinelOne is designed to prevent all kinds of attacks, including those from malware. SentinelOne’s Endpoint Prevention (EPP) component uses StaticAI Prevention to analyze (online or offline) executable files pre-execution; this replaces the need for traditional signatures, which are easily bypassed, require constant updating and require resource-intensive scans on the device.

The SentinelOne engine also performs analysis of PDF, Microsoft OLE documents (legacy MS Office) and MS Office XML formats (modern MS Office) as well as other kinds of files that may contain executable code. The goal of StaticAI in the product is to detect commodity and some novel malware with a compact, on-agent machine learning model that serves as a substitute for the large signature databases used in legacy AV products.

Is SentinelOne machine learning feature configurable?

SentinelOne machine learning algorithms are not configurable.

Customers can not customize the artificial intelligence machine learning algorithm, and there is no need to “train” the AI within your environment.

Instead, the SentinelOne data science team trains our AI / ML models in our development lab to help improve detection and protection, as well as reduce the false positive rate. These new models are periodically introduced as part of agent code updates.

Can SentinelOne detect in-memory attacks?

SentinelOne can detect in-memory attacks.

SentinelOne is integrated with hardware-based Intel® Threat Detection Technology (Intel TDT) for accelerated Memory Scanning capabilities.

Is SentinelOne cloud-based or on-premises?

SentinelOne is primarily SaaS based. We offer our customers a choice between managing the service as a cloud hosted on Amazon AWS or as an on-premises virtual appliance. However, SentinelOne agent prevention, detection, and response logic is performed locally on the agent, meaning our agents and detection capability are not cloud-reliant.

Unlike other vendors, the agent does not have to upload data to the cloud to look for indicators of attack (IoA), nor does it need to send code to a cloud sandbox for dynamic analysis.

Other vendors’ cloud-centric approaches introduce a large time gap between infection, cloud detection and response time, at which point an infection may have spread or attackers may have already achieved their objectives.

Specifications, Performance, Installation

Which Operating Systems can run SentinelOne?

SentinelOne offers clients for Windows, macOS, and Linux, including no-longer supported OSs such as Windows XP.

Can I install SentinelOne on workstations, servers, and in VDI environments?

SentinelOne can be installed on all workstations and supported environments.

Do I need to uninstall my old antivirus program?

SentinelOne works as a complete replacement for traditional anti-malware solutions or in conjunction with them. You can uninstall the legacy AV or keep it. The choice is yours.

Will SentinelOne agent slow down my endpoints?

The SentinelOne agent does not slow down the endpoint on which it is installed. Our agent is designed to have as little impact on the end user as possible while still providing effective protection both online and offline.

In contrast to other anti-malware products that require constant “.dat” file signature updates and daily disk scans, our agent instead uses static file AI and behavioral AI which saves on CPU, memory and disk I/O. End users have better computer performance as a result. System resource consumption will vary depending on system workload.

Can SentinelOne scale to protect large environments with 100,000-plus endpoints?

SentinelOne can scale to protect large environments. Some of our clients have more than 150,000 endpoints in their environments.

How do I turn off SentinelOne?

To turn off SentinelOne, use the Management console. Agent functions can be modified remotely in multiple ways including starting and stopping the agent, as well as initiating a full uninstall if needed.

How do I uninstall SentinelOne?

The Management console is used to manage all the agents. Agent functions can be modified remotely in multiple ways including starting and stopping the agent, as well as initiating a full uninstall if needed.

Do I need a large staff to install and maintain my SentinelOne product?

You do not need a large security staff to install and maintain SentinelOne.

Our customers typically dedicate one full-time equivalent person for every 100,000 nodes under management. This may vary depending on the requirements of the organization. This estimate may also increase or decrease depending on the quantity of security alerts within the environment.

SentinelOne’s optional Vigilance service can augment your team with SentinelOne Cyber Security Analysts who work with you to accelerate the detection, prioritization, and response to threats. Customers that choose to work with Vigilance will experience a significant reduction in the number of hours per week required from their own staff.

SentinelOne Integrations

Does SentinelOne integrate with other endpoint software?

SentinelOne can integrate with other endpoint software.

SentinelOne currently offers the following integrations:

  • Splunk SIEM and Splunk Cloud
  • QRadar SIEM
  • LogRhythm SIEM
  • Slack
  • ServiceNow
  • Joe Sandbox
  • Palo Alto Wildfire

SentinelOne was designed as a complete AV replacement and a single EPP/EDR solution. Enterprises need fewer agents, not more. SentinelOne offers many features that enable customers to add our product in and then pull traditional AV out.

Which integrations does SentinelOne Platform offer?

SentinelOne currently offers the following integrations:

  • Splunk SIEM and Splunk Cloud
  • QRadar SIEM
  • LogRhythm SIEM
  • Slack
  • Joe Sandbox
  • Palo Alto Wildfire
  • ServiceNow

Does SentinelOne integrate with my SIEM?

SentinelOne easily integrates with data analytics tools such as SIEMs, either through syslog feeds or via our API. We offer several app-based SIEM integrations including:

  • Splunk
  • QRadar
  • LogRhythm

What is SentinelOne API?

SentinelOne’s platform is “API first,” one of our main market differentiators.

API-first means our developers build new product function APIs before coding anything else. Most UI functions have a customer-facing API. Because there is so much overlap between the UI and the API, the SentinelOne solution can be run as a point product (via the UI), or it can be an important component within your security stack via the API.

Which type of API does SentinelOne use?

The SentinelOne API is a RESTful API comprising 300+ functions that enable two-way integration with other security products. All APIs are documented directly within the UI using Swagger API references and include facilities for developers to test their code.

Does SentinelOne offer an SDK (Software Development Kit)?

SentinelOne offers an SDK to abstract API access with no additional cost.

The SentinelOne SDK, complete with documentation, is available to all SentinelOne customers directly from the Management console.

SentinelOne Sales

Can I Get A Trial/Demo Version of SentinelOne?

Yes, you can get a trial version of SentinelOne.

Request a free demo through this web page: https://www.sentinelone.com/request-demo/

How much does SentinelOne cost?

SentinelOne prices vary according to the number of deployed endpoint agents.

SentinelOne Singularity Platform - Additional Capabilities

How does SentinelOne Singularity Platform compare to other “next-generation” endpoint protection solutions? What makes it unique?

SentinelOne Singularity Platform is a unique, next-gen cybersecurity platform. Singularity is an industry-first data lake that seamlessly fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform. With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real time autonomous security layer across all enterprise assets.

Unlike other next-gen products, SentinelOne is the first security offering to expand from cloud-native yet autonomous protection to a full cybersecurity platform — with the same single codebase and deployment model — and the first to incorporate IoT and CWPP into an extended detection and response (XDR) platform.

Singularity provides an easy to manage platform that prevents, detects, responds, and hunts in the context of all enterprise assets, allowing organizations to see what has never been seen before and control the unknown. It is the only platform powered by AI that provides advanced threat hunting and complete visibility across every device, virtual or physical, on prem or in the cloud.

What is SentinelOne Vigilance?

Vigilance is SentinelOne’s MDR (Managed Detection and Response) service, providing threat monitoring, hunting, and response to its existing customers for a premium fee.

It provides a 24×7 Security Operations Centre (SOC) with expert analysts and researchers to give customers near real time threat monitoring, in-console threat annotations, and response to threats and suspicious events (on the premium tier).

You can learn more about SentinelOne Vigilance here.

What is SentinelOne Ranger?

SentinelOne Ranger is a rogue device discovery and containment technology.

It allows the discovery of unmanaged or “rogue” devices both passively and actively. Once discovered, Ranger can alert the security team to the presence of such devices and can protect managed devices like workstations and servers from the risk those unmanaged devices pose.

You can learn more about SentinelOne Ranger here.

How does SentinelOne Ranger help secure my organization from rogue devices?

SentinelOne Ranger is a rogue device discovery and containment technology.

It allows the discovery of unmanaged or “rogue” devices both passively and actively. Once discovered, Ranger can alert the security team to the presence of such devices and can protect managed devices like workstations and servers from the risk those unmanaged devices pose.

You can learn more about SentinelOne Ranger here.

Do I need to install additional hardware or software in order to identify IoT devices on my network?

SentinelOne Singularity Platform is a unique, next-gen cybersecurity platform. Singularity is an industry-first data lake that seamlessly fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform. With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real time autonomous security layer across all enterprise assets.

Unlike other next-gen products, SentinelOne is the first security offering to expand from cloud-native yet autonomous protection to a full cybersecurity platform — with the same single codebase and deployment model — and the first to incorporate IoT and CWPP into an extended detection and response (XDR) platform.

Singularity provides an easy to manage platform that prevents, detects, responds, and hunts in the context of all enterprise assets, allowing organizations to see what has never been seen before and control the unknown. It is the only platform powered by AI that provides advanced threat hunting and complete visibility across every device, virtual or physical, on prem or in the cloud.

What is SentinelOne Deep Visibility?

SentinelOne’s Deep Visibility is a built-in component of the SentinelOne agent that collects and streams information from agents into the SentinelOne Management console. This data enables security teams and admins to search for Indicators of Compromise (IoCs) and hunt for threats.

Can I use SentinelOne for Incident Response?

Yes, you can use SentinelOne for incident response.

SentinelOne’s Remediation and Rollback Response capabilities are industry-unique, patented by the U.S. Patent and Trademark Office. SentinelOne ActiveEDR tracks and monitors all processes that load directly into memory as a set of related “stories.”

The agent maintains a local history of these contextual process relationships and any related system modifications that are performed. By maintaining story context through the life of software execution, the agent can determine when processes turn malicious, then execute the response specified in the Management policy.

If the policy calls for automatic remediation, or if the administrator manually triggers remediation, the agent has the stored historical context related to the attack and uses that data to handle the threat and clean the system of unwanted malicious code artifacts. Essentially, the agent understands what has happened related to the attack and plays the attack in reverse to remove the unauthorized changes.
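The following is an added illustration of the story-and-reverse-replay idea described above; it is not SentinelOne's code and does not model its real event format. It assumes a constructed event vocabulary ("spawn", "write", "delete") and an in-memory dictionary standing in for the disk. Each recorded change keeps its "before" state, events are grouped into a story by their root ancestor process, and remediation walks that story newest-first so that a sibling story on the same machine is left untouched.

```python
"""Toy model of story-based process tracking and reverse remediation.

Added illustration, not SentinelOne's code. The event kinds and the in-memory
"disk" are constructed stand-ins for the agent's local history of process
relationships and system modifications.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    kind: str                       # "spawn", "write" or "delete" (constructed vocabulary)
    pid: int
    parent: Optional[int] = None    # for "spawn": the creating process
    path: Optional[str] = None      # for "write"/"delete": the affected file
    after: Optional[bytes] = None   # for "write": the new content
    before: Optional[bytes] = None  # filled in by the tracker: prior content, if any


class StoryTracker:
    def __init__(self, initial_files: Dict[str, bytes]):
        self.parent: Dict[int, Optional[int]] = {}
        self.history: List[Event] = []
        self.fs: Dict[str, bytes] = dict(initial_files)  # constructed stand-in for the disk

    def record(self, ev: Event) -> None:
        """Apply an event to the model and remember what it changed."""
        if ev.kind == "spawn":
            self.parent[ev.pid] = ev.parent
        elif ev.kind == "write":
            ev.before = self.fs.get(ev.path)
            self.fs[ev.path] = ev.after
        elif ev.kind == "delete":
            ev.before = self.fs.pop(ev.path, None)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        self.history.append(ev)

    def root(self, pid: int) -> int:
        """Walk up the parent chain to the process that started the story."""
        while self.parent.get(pid) is not None:
            pid = self.parent[pid]
        return pid

    def story(self, pid: int) -> List[Event]:
        """All recorded events belonging to the same process tree as pid."""
        r = self.root(pid)
        return [e for e in self.history if self.root(e.pid) == r]

    def remediate(self, pid: int) -> int:
        """Undo the file changes of pid's story, newest first; return how many."""
        undone = 0
        for e in reversed(self.story(pid)):
            if e.kind == "write":
                if e.before is None:
                    self.fs.pop(e.path, None)      # created by the story: remove it
                else:
                    self.fs[e.path] = e.before     # modified by the story: restore it
                undone += 1
            elif e.kind == "delete" and e.before is not None:
                self.fs[e.path] = e.before         # deleted by the story: put it back
                undone += 1
        return undone


def demo():
    """Constructed scenario: a root process spawns a child that overwrites a
    document, drops a note and deletes a file, while an unrelated process
    writes a cache file that must survive remediation."""
    t = StoryTracker({"docs/report.docx": b"quarterly numbers",
                      "docs/notes.txt": b"meeting notes"})
    t.record(Event("spawn", pid=100))                       # root of the story
    t.record(Event("spawn", pid=200, parent=100))           # child of 100
    t.record(Event("write", pid=200, path="docs/report.docx", after=b"\x9f\x12\x7c"))
    t.record(Event("write", pid=200, path="docs/README.txt", after=b"your files were changed"))
    t.record(Event("delete", pid=200, path="docs/notes.txt"))
    t.record(Event("spawn", pid=300))                       # unrelated story
    t.record(Event("write", pid=300, path="tmp/cache.bin", after=b"cache"))
    undone = t.remediate(200)                               # story judged malicious: play it backwards
    return t.fs, undone


if __name__ == "__main__":
    print(demo())
```

Note that remediation is keyed on the story, not on the single process that tripped the detection: asking to remediate pid 200 also reverses anything its root (pid 100) did, while pid 300's write is left alone.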

SentinelOne & MITRE ATT&CK

Does SentinelOne support MITRE ATT&CK framework?

SentinelOne supports MITRE ATT&CK framework by leveraging our Dynamic Behavioral engine to show the behavior of processes on protected endpoints.

To make it easier and faster for you to use this knowledge, we map our behavioral indicators to the MITRE ATT&CK framework.

How can I use MITRE ATT&CK framework for threat hunting?

You can create queries out-of-the-box and search for MITRE ATT&CK characteristics across your scope of endpoints. With SentinelOne, all you need is the MITRE ID or another string in the description, the category, the name, or the metadata.
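As an added example of the two kinds of hunt the answer above describes, the block below searches a small set of constructed behavioral indicators either by MITRE ATT&CK technique ID or by a string found in the name, category, description or metadata. It is not SentinelOne's query language or data model; the `Indicator` record and the sample indicators are assumptions for illustration. Beyond the plain lookup, it treats a parent technique ID (such as T1059) as matching all of its sub-techniques (T1059.001, T1059.004, ...), which is the behaviour an analyst usually wants when hunting at the technique level.

```python
"""Hunting behavioral indicators by ATT&CK technique ID or free text.

Added example, not SentinelOne code. The Indicator record and the sample
indicators below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List

# ATT&CK technique IDs look like T1059 or, for sub-techniques, T1059.001
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$", re.IGNORECASE)


@dataclass
class Indicator:
    name: str
    category: str
    description: str
    technique: str                               # ATT&CK ID, e.g. "T1059.001"
    metadata: Dict[str, Any] = field(default_factory=dict)


# Constructed sample indicators (not real SentinelOne detections).
INDICATORS: List[Indicator] = [
    Indicator("Encoded script launch", "Execution",
              "Script host started with an encoded command line",
              "T1059.001", {"process": "powershell.exe", "tactic": "execution"}),
    Indicator("Shell script via cron", "Execution",
              "Scheduled interpreter launch on a Linux host",
              "T1059.004", {"process": "bash", "os": "linux"}),
    Indicator("Shadow copy deletion", "Impact",
              "Volume Shadow Copy Service snapshots removed before mass file writes",
              "T1490", {"tactic": "impact", "os": "windows"}),
    Indicator("Office macro spawning script host", "Execution",
              "Document viewer launched a scripting interpreter",
              "T1204.002", {"process": "winword.exe", "os": "windows"}),
]


def _flatten(value: Any) -> str:
    """Render nested metadata as searchable text ("key=value ...")."""
    if isinstance(value, dict):
        return " ".join(f"{k}={_flatten(v)}" for k, v in value.items())
    if isinstance(value, (list, tuple)):
        return " ".join(_flatten(v) for v in value)
    return str(value)


def hunt(indicators: List[Indicator], term: str) -> List[Indicator]:
    """Return indicators matching an ATT&CK ID or a substring of any text field."""
    term = term.strip()
    if TECHNIQUE_ID.match(term):
        wanted = term.upper()
        # a parent technique ID also surfaces every one of its sub-techniques
        return [i for i in indicators
                if i.technique.upper() == wanted
                or i.technique.upper().startswith(wanted + ".")]
    needle = term.lower()
    return [i for i in indicators
            if needle in " ".join((i.name, i.category, i.description,
                                   _flatten(i.metadata))).lower()]


def hunt_names(term: str) -> List[str]:
    """Convenience wrapper over the sample set, returning matching indicator names."""
    return [i.name for i in hunt(INDICATORS, term)]


if __name__ == "__main__":
    for q in ("T1059", "t1059.004", "linux", "impact"):
        print(q, "->", hunt_names(q))
```

The ID branch is case-insensitive and anchored by the regular expression, so a free-text term such as "T1059 variant" falls through to the substring search rather than being mistaken for a technique ID.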

Is SentinelOne MITRE certified/tested?

SentinelOne was evaluated by MITRE’s ATT&CK Round 2, April 21, 2020. SentinelOne had the lowest number of missed detections, and achieved the highest number of combined high-quality detections and the highest number of correlated detections.

How Does SentinelOne Respond to Ransomware?

How does SentinelOne respond to ransomware?

SentinelOne offers multiple responses to defeat ransomware, including:

  • The ability to kill offending processes
  • File and script quarantine
  • Remediation (reversal) of unwanted changes
  • Rollback of Windows systems to their prior state
  • Auto or manual device network containment while preserving the administrator’s ability to maintain interaction with the endpoint via the console or our RESTful API.

Is ransomware still a threat?

Ransomware is a very prominent threat. According to the 2020 Verizon DBIR report, more than a quarter of data breaches involving malware utilized ransomware.

Will SentinelOne protect me against ransomware?

SentinelOne is designed to protect enterprises from ransomware and other malware threats. SentinelOne recognizes the behaviors of ransomware and prevents it from encrypting files.

Additionally, SentinelOne is able to roll back Windows devices in the event that files are encrypted.

If SentinelOne is not able to recover encrypted files, we will pay $1,000 per encrypted machine, up to $1M.

Will I be able to restore files encrypted by ransomware?

SentinelOne offers a rollback feature, enabling files that have been maliciously encrypted or deleted to be restored to their prior state.

How does SentinelOne rollback work?

The SentinelOne rollback feature can be initiated from the SentinelOne Management console to return a Windows endpoint to its former state prior to the execution of a malicious process, such as ransomware, with a single click.

This feature also defeats ransomware that targets the Windows Volume Shadow Copy Service (VSS) in an effort to prevent restoration from backup.
