Try our new research platform with insights from 80,000+ expert users
Aaron Riley - PeerSpot reviewer
Systems Administrator at a government with 201-500 employees
Real User
Is a lightweight solution, has a valuable dashboard, and saves us time
Pros and Cons
  • "The management dashboard is the most valuable feature."
  • "The most difficult part of using Singularity Complete is logging in, as they often update the management console."

What is our primary use case?

We use SentinelOne Singularity Complete as the antivirus for our computers.

We wanted a solution that could maintain the protection of our computers so we implemented SentinelOne Singularity Complete.

How has it helped my organization?

SentinelOne Singularity Complete is a lightweight application with a quick threat response.

Singularity Complete has helped reduce our alerts with prompt responses.

Singularity Complete has freed up several hours of our staff's time each week, allowing them to focus on other projects. They no longer need to manually monitor hundreds of computers, as they now have a single dashboard to manage them.

It has reduced our MTTD through prompt action taken against the vulnerability or threat.

It has also reduced our MTTR through quick notifications that allow us to respond within minutes.

Singularity Complete has helped us reduce our organizational risk.

What is most valuable?

The management dashboard is the most valuable feature.

What needs improvement?

The most difficult part of using Singularity Complete is logging in, as they often update the management console. I don't know if our accounts become disassociated or what the deal is, but if we don't log in within a certain amount of time, we have to go through a password reset or account reset process.

Buyer's Guide
SentinelOne Singularity Complete
October 2024
Learn what your peers think about SentinelOne Singularity Complete. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.

For how long have I used the solution?

I have been using SentinelOne Singularity Complete for around five years.

What do I think about the stability of the solution?

SentinelOne Singularity Complete is stable with no downtime.

What do I think about the scalability of the solution?

SentinelOne Singularity Complete is scalable.

How are customer service and support?

The technical support team is prompt.

How would you rate customer service and support?

Positive

What's my experience with pricing, setup cost, and licensing?

The price is fair for what we are getting.

What other advice do I have?

I would rate SentinelOne Singularity Complete nine out of ten.

SentinelOne is very mature. It's a lightweight application that does not waste a lot of resources, and the quality is definitely good.

Singularity Complete is a self-sustained standalone application that updates to the cloud. Every computer checks in and updates as needed.

I manage our future application deployments and ensure that Singularity Complete is automatically pushed out and kept up to date.

SentinelOne is a good overall security partner.

It's always worth testing out different solutions and finding the one that works for each organization. But as far as SentinelOne Singularity Complete goes, it's been an easy process for our organization and I recommend it to others.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Assistant Manager at airtel
Real User
Easy to deploy with good reporting and good rollback features
Pros and Cons
  • "The reporting part is awesome."
  • "Email security should also integrate with it to get more visibility on it."

What is our primary use case?

It is used in my customer's companies. It handles incident management, firewall implementation, and device control.

What is most valuable?

The most valuable feature is the rollback. 

Remediation is great. 

The ranger feature for work devices is most useful.

The reporting part is awesome.

It is easy to deploy the product. 

What needs improvement?

It should not limit itself to EDR. I need some other solutions to integrate into it. It should give us more visibility by integrating other solutions with it.

I want some other solutions like email security. Email security should also integrate with it to get more visibility on it.

Agent upgrades might cause some issues. Most of the time, an agent gets removed after it is not communicating with the server. After every three months, it will get automatically removed. That might cause an issue.

The solution is expensive. It is costlier than Trend Micro and Palo Alto XDR.

For how long have I used the solution?

I've used the solution for around six months.

What do I think about the stability of the solution?

The solution is stable. We've found the performance to be good. It's light. There are no bugs or glitches. 

What do I think about the scalability of the solution?

We have 1500 users on the solution right now. It is pretty scalable. 

How are customer service and support?

With technical support, I've got an immediate response, and when I log a ticket, I get good assistance. 

Which solution did I use previously and why did I switch?

I had worked on Palo Alto XDR as well. However, the remediation is not so good. There is no option with the rollback as well. That might cause data loss during a ransomware attack.

I'm also aware of the Trend Micro solution. 

How was the initial setup?

It's easy to set up and has a very lightweight agent. It's very easy to deploy.

The time it takes to deploy all depends upon the number of uses, the number of clients, which machines are there, et cetera. In the Ranger, you have options. If you have advanced features for deployment, Ranger deployment, it is easy.

What's my experience with pricing, setup cost, and licensing?

The solution is a bit pricey and they should look at the costs involved. You have to pay extra for certain features, such as the Ranger feature. Everything should be included in the subscription. 

What other advice do I have?

We are partners. 

It's a good solution as compared to others. In terms of MML features, it is fine.

I'd rate it eight out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
SentinelOne Singularity Complete
October 2024
Learn what your peers think about SentinelOne Singularity Complete. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
SimonThornton - PeerSpot reviewer
Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
Real User
Has good process visualization and automated response capabilities, and comes with excellent support and flexible licensing
Pros and Cons
  • "The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable."
  • "The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work."

What is our primary use case?

We're a partner of SentinelOne, but we're also a partner of many other companies. We're not a vendor per se. We sell SOC as a service, and as a part of that service, we provide protection solutions. My area is around antivirus. So, we are not a reseller in that sense.

I am using its latest version. It can be deployed on-prem as well as on the cloud. I have customers with a requirement for both. SentinelOne provides their own cloud because that's where they do their artificial intelligence (AI).

How has it helped my organization?

SentinelOne is what they call extended detection and response (XDR). So, it is the next generation of endpoint detection. The main difference between Endpoint Detection and Response (EDR) and XDR is that in XDR you have visibility on how something is executing. An EDR solution detects a suspicious or malicious package based on its signature or its behavior and sends an alert, but the problem is that you only see the file that it alerts on. For example, if it is an attachment to an email, you'll see the trigger on the attachment when you try to open it, but what you don't always know is from where that came. With an XDR solution like SentinelOne, you can see the whole process execution. You can say that it was executed from inside Word, Outlook, or something else. For example, when you opened an attachment in Outlook, it triggered Word and got opened in Word. This whole process execution is visible with XDR. It also offers the possibility to suspend or respond intelligently. So, you can use it not only to detect that the package is suspicious, but you could also suspend it so that when the person comes to investigate, the suspended process is still there.

What is most valuable?

The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable.

What needs improvement?

The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work.

For how long have I used the solution?

I have been using it for about a year and a half.

What do I think about the stability of the solution?

It gives good stability. It can have an impact on the performance of the workstation, but that is usually a question of tuning. From a stability point of view, I've never had a machine with a blue screen.

What do I think about the scalability of the solution?

It scales very well.

How are customer service and support?

They're excellent. I would rate them a five out of five.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are technology agnostic in the sense that if a customer doesn't have a solution, we'll make a recommendation. If they don't have a solution, then our recommendation goes along the lines of SentinelOne, Palo Alto Cortex, Microsoft Defender ATP, or ESET. These are the ones that I typically would recommend, but Microsoft Defender ATP is problematic because you have to have the Azure and Office licenses to get it. For the other ones, you can buy the licenses separately. We also take over other solutions. I have some customers on Kaspersky and other solutions.

How was the initial setup?

It is straightforward. If we deploy it from a URL where it downloads, it can be done in 10 minutes. If it is coming from an internal deployment server, it can be a few minutes. It is essentially headless. There are no prompts.

What about the implementation team?

I have six people, but they normally work with the customers. As an MSSP, we normally work with the customer IT teams to deploy the agents in large companies. In small companies, it could be our people who do it. 

The number of people required depends on the number of endpoints, but generally, the number is low because it is a very simple installation. In fact, we even have end users running this.

What was our ROI?

It has the best ROI that I've seen. If I compare it to Microsoft Defender ATP or Defender for Endpoint, which a lot of people compare it against because it's included with the E3 or E5 Office licenses, Defender is three to five years behind SentinelOne. You're also tied to Microsoft's licensing scheme, whereas SentinelOne is independent of all of them. The ROI is very good. For me, its closest direct competitor is either Cybereason or Palo Alto's Cortex.

What's my experience with pricing, setup cost, and licensing?

Its price is per endpoint per year. One of the features of its licensing is that it is a multi-tenanted solution. From an MSSP point of view, if I want to have several different virtual clouds of customers, it is supported natively, which is not the case with, for example, Microsoft Defender.

Another nice thing about it is that you can buy one license if you want to. Some vendors insist that you buy 50 or 100, whereas here, you can just buy one.

The Singularity product has three versions: Singularity Core, Singularity Control, and Singularity Complete. The Singularity Complete one is really what I consider an enterprise rate solution. The middle one, Control, is more than adequate. In terms of price, it works out very similar to what you would pay for Kaspersky or for any other solution. The licensing per endpoint, per year, and per version is progressively more expensive for the Core, Control, and Complete versions. 

The interesting thing is that it is possible to upgrade across the versions without a major change. If a customer buys the most basic installation and would like some of the features out of the middle, it is possible.

What other advice do I have?

You have a choice between an on-premise console and the cloud. My advice would be to use the cloud, but it is a consideration of whether your endpoints can connect to the cloud or not. One of my customers is in the military defense area, and they have no connection to the internet. So, we had to deploy on-prem. What you don't get with the on-prem is all the AI. So, if you're deploying on-prem, you get the core features of SentinelOne, but you don't get all of the bells and whistles that you get from the cloud environment. The same is true for Cisco AMP and other solutions that are deployed on-prem. So, you need to consider how you're going to consume it if you have a disconnected network. If you're in the financial world, a lot of the production networks are not connected to the internet. So, solutions like Microsoft Defender are not an option because they're cloud-based, whereas SentinelOne is an option in those environments.

I would rate it an eight out of ten. It is a very good solution, but you have to compare it to understand it better.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Network Support at a university with 1,001-5,000 employees
Real User
Made a tremendous difference in our ability to protect our endpoints and servers
Pros and Cons
  • "The best thing SentinelOne has done for us is that it gives us insight into the endpoints. We never had insight into lateral movement threats before. Once a threat known as Qbot gets on the network, it actually spreads throughout sub-networks quickly. SentinelOne has detected that and saved our bacon. We were able to get in there and stop the threat, lock it down, and prevent it from actually spreading through. It would have been 50 or 60 computers. It had spread through in a few minutes. We have a lot of HIPAA data and FERPA data that we need to keep protected."
  • "They have tiers of support like most companies do. For the first three years, we had the top tier of their support and we would get a response from a technician quickly. We didn't have many things we had to ask of them. They would be very quick. We are now one tier down from that. The SLA for us is no longer within an hour or two. It's within half a day or something like that. As far as if I do ask a question of them, it is a little slower than what it used to be. I understand that we're at a lesser tier, but sometimes it feels like that could be a little better. I have to preface that by specifying that we're no longer paying for their top tier support."

What is our primary use case?

SentinelOne performs primary functions for our endpoint antivirus and anti-malware solutions. It's a centralized managed version of an antivirus product that gives real-time information on any kind of threat we might receive. It's very broad. It not only protects through signature defense, which is like what most common antivirus products do, but it also does behavioral which has been absolutely lifesaving here a couple of times.

It has saved our bacon more than once by detecting threats. It even detects zero-day threats because it detects them through their behavior. It doesn't need a signature. It actually keeps me busy with this and the insight into the agents that are installed. Our level of protection around here has never been this high.

By comparison, we're also running Windows Defender, which comes with Windows 10 operating systems. We collect that data through our SCCM and SentinelOne finds threats that are at a rate of 25:1 to 30:1. It's not even close. SentinelOne has made a tremendous difference in our ability to protect our endpoints and servers.

How has it helped my organization?

SentinelOne gives us a lot more insight into the endpoint for the agents that are installed there. I can actually see applications. We can see precisely anything that needs to be patched, something that is dangerously out of date, or a security vulnerability. I can get insight into all of that.

It gathers the data for anything that is related to the security of an endpoint. It has very configurable policies. We can make the agent as locked down as possible. It can be very intolerant or you can actually make it to where it's relatively loose, in which it warns you about everything but doesn't lock everything down on everything, which is the way we run our environment.

At our university, there is a lot of end-user freedom that you cannot curtail like you could in a corporate environment because people doing research tend to go to a variety of websites that they really shouldn't go to. It keeps me very busy but SentinelOne has proven so far to allow us to stay ahead of the game as opposed to playing catch up.

The agent communicates through to the console incessantly. It has some intelligence on the agent, but most of the time it's literally getting its instructions from the console. That has been extremely effective and very useful. The effect on the end-user experience is practically non-existent which makes it head and shoulders above other antivirus and anti-malware platforms.

SentinelOne does not impede our ability to do our work. It doesn't start to show latency. It doesn't take up a lot of extra memory or a lot of extra cycles. How it's able to do what it does on the endpoint, as powerfully as it does, without affecting the end-user experience is beyond me. It's a stroke of brilliance in their programming. Very seldom in security products do you get the best of both worlds. Usually, you have to give up convenience for security. But in this case, they go hand-in-hand. It's very impressive.

We have used the one-click automatic remediation and rollback for restoring an endpoint quite a few times. Its ability to mitigate a threat, whether you're deciding just to kill it, quarantine it, rollback, or just remediate, which changes files back, is absolutely very easy, very intuitive, and very fast to get the job done. It's top-notch.

SentinelOne has dramatically reduced our mean time to repair. In many cases, if I have to remediate a threat, I can see the threat, confirm it is a true positive, and then I can send it to remediation. It takes roughly two minutes. Whereas, in prior times, we'd have to dispatch a technician to go out there. A lot of times, they could not remediate the threat because we didn't have the capabilities that this thing has. They'd have to fully re-image the machine, which is a two-hour deal to re-image the machine, copy the data back, and configure for the end-user. We took that job and took it from a two-hour job down to about two to three minutes. It's been a dramatic effect. 

The automation SentinelOne offers has increased analyst's productivity. We have fewer people due to budget cuts which means we are wearing more hats. The efficiency of this particular product has enabled me to do that relatively seamlessly. It is a phenomenally efficient and useful product.

What is most valuable?

There is a feature that allows for deep visibility, which is interesting. You can actually research files. It also does threat hunting. It goes out and finds vulnerabilities before you actually have to deal with the vulnerability. But that is at an additional cost. It's something you get if you buy additional structure.

The best thing SentinelOne has done for us is that it gives us insight into the endpoints. We never had insight into lateral movement threats before. Once a threat known as Qbot gets on the network, it actually spreads throughout sub-networks quickly. SentinelOne has detected that and saved our bacon. We were able to get in there and stop the threat, lock it down, and prevent it from actually spreading through. It would have been 50 or 60 computers. It had spread through in a few minutes. We have a lot of HIPAA data and FERPA data that we need to keep protected.

In a situation where we had a Qbot that was caught by SentinelOne, it literally saved the university millions of dollars worth of privacy protection we would have to pay for. SentinelOne has made a big difference. 

We use the storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and techniques. When we get a warning, it comes up as a very nice dashboard-type screen we can go to. It gives a lot of information on the threat right away, including going to the storyline. You can actually trace it back to the actual file. You can see where the compromise happened, the exact steps that happened, and what happened from thereon.

It's almost like a giant flow chart. It shows you where everything's going, what affected what, what was changed, what was modified, and it also gives you the opportunity at that time to actually do a rollback which allows you to roll back all of those things that were affected and changed at that particular point in time by the threat. 

The storyline automatically assembles a PID tree. I use it more for my own purposes just to see where things came from and the damage they'd done. But we don't actually make a lot of use of a lot of higher functions like that. When there's a problem, we're able to rectify the issue and get the end-user up and running again. We don't have the personnel we had before, which gives us the additional cycles to actually research a lot of these things and go through them and focus on that. We don't make a lot of use of this particular functionality.

The way SentinelOne displays the threat has been the greatest effect on our incident response. It tells you exactly what the threat is, where the threat originated, allows you to look it up quickly in places like VirusTotal and Recorded Future which are malware information sites. You can link the hash of the file directly to the sync without having to do a lot of copy and pasting. It actually knocks some time off of the research of a problem when you do that. It allows me to quickly determine whether the threat is true, or if it's a false positive. It's a pretty strict engine.

If something is relatively programmed sloppy, a lot of times it assumes that that is a threat and it will flag it as suspicious. It can be a little overzealous when it comes to that. In this industry, you'd rather have that than something being too lax. You can configure it so that even if it does see something that it doesn't like, it doesn't stop it automatically. It just alerts you. It doesn't hamper the end-user if you don't want it to do that. But it puts the onus on the administrator, in this case, me, to verify the threat and deal with the threat quickly, or mark it as a false positive. Then, when you do mark something as a false positive or as a threat, it has a backend database. 

The machine learning is very impressive. Once I actually start to configure the machine learning, my day-to-day administration of it, roughly four hours, shrinks down to three hours, then two hours and an hour and a half, because the amount of machine learning involved saves us all that time. That's been its biggest improvement for me. It allows me to be very efficient with my time. It learns our environment, actually stops threats before they get there, and ignores the false positives without having to come up and bother you every time, then ask for input for it.

SentinelOne has dramatically decreased my incident response time.

We've used the deep visibility feature a few times. We don't make a lot of use out of it. We were using the deep visibility feature to search through our entire environment. There was a particular piece of software that was being flagged as not being used in its appropriate manner. It was being used as an enterprise service and it really wasn't. We were able to use the agents on SentinelOne and use its deep visibility to find the particular program and obtain its hash from there. Then, we were able to use the SentinelOne agent to extract this particular program on there, so we were no longer operating something out of license. That's what we've used deep visibility for. 

Deep visibility is very useful. If I had to simplify it, I would say if you know the threat you're looking for, it's fantastic.

Using the deep visibility, we did not find threats that were lingering on our endpoints, because the SentinelOne agent had dealt with them. We used it for a purpose that it probably was not intended for, which was actually finding specific software that was not supposed to be installed in our environment.

SentinelOne provides equal protection across Windows, Linux, and Mac OS. This particular product has worked so well that we mandated it across all workstations and all servers in our environment. It is our primary endpoint defense across all three of those operating system platforms. It has proven to be equally effective amongst all three. It did such a good job that it is our frontline.

I find their version naming conventions interesting in the fact that it's not just a number so it does help to recall some things when it comes to what version you are on. Anytime I open a support ticket, they always ask me what version of the console I'm on. I always have to look that up. I never remember that because this particular Liberty version has changed four or five times over the last month and a half.

What needs improvement?

They have tiers of support like most companies do. For the first three years, we had the top tier of their support and we would get a response from a technician quickly. We didn't have many things we had to ask of them. They would be very quick. We are now one tier down from that. The SLA for us is no longer within an hour or two. It's within half a day or something like that. As far as if I do ask a question of them, it is a little slower than what it used to be. I understand that we're at a lesser tier, but sometimes it feels like that could be a little better. I have to preface that by specifying that we're no longer paying for their top tier support.

They changed the UI a little bit which is to be expected but there are times where I actually preferred the older UI. The newer UI, once I got used to it, was fine. But before, when we would launch into the UI, it went straight to the bread and butter. In this case, it goes to a dashboard, which gives some statistics on the attack surface, endpoint connection status, and stuff, which looks nice. It's a lot of nice bar graphs. It's a lot of nice pie charts. But that's not what I really need. I had to configure it to get it somewhat back to what it was. I wanted to know immediately if there any threats that are incoming. I actually had to add that. I think the new dashboard has a lot of bells and whistles but I don't need it. We used to have to dig in to get this kind of stuff and that's exactly what I prefer it to be. The dashboard, in my particular case, has to tell me where the threat is, how severe the threat is, and let me remediate it as quickly as possible. I don't want to fish through pie charts to find that.

I think they put this new dashboard in two versions ago. In their defense, it's a fully customizable dashboard. I was able to put back what I wanted. It seemed like that should be a default, not something I have to add later. 

For how long have I used the solution?

I have been working with SentinelOne since 2017.

My primary function is endpoint security and administration of SentinelOne and the other applications that go with that particular function.

What do I think about the stability of the solution?

The baseline, the agents, the console, and its primary functions are always steady. Those have never been compromised by any of their patching or updating. That has been really good. In our case, we still have some Windows 7 devices in our environment because they're older. They run a very specific piece of software that's not been upgraded, and by watching money, they don't want to upgrade certain pieces of software, specific labs, or things like that. They don't support their older clients past a certain date, which makes perfect sense. However, the agent doesn't just stop working. It still does its job. It loses some of its functionality, but it still does the primary job of protecting the endpoint. That's one thing I do like. Even if you do go out of date on something on an agent version because you're limited by the operating system, it doesn't just die. It still does its job.

What do I think about the scalability of the solution?

We have a 100% adoption rate. We've used all of our licenses. But we are trying to get more licenses so that we can cover our labs and other places like that. We did not have the budget at the time to cover everything we wanted to cover.

We do have plans to increase usage. It's done a fantastic job. And so every time we can, we do add more licenses to it with the end goal of actually covering not only our faculty, staff, and workstations, but also all of our labs.

There are 1,823 users online right now out of 2,750. In addition to myself, there are three other individuals who have administrative privileges and there are other members of the security department in the event I'm not here or I'm on vacation, they can fill in that role. Our IT assistant manager has read access to it so he can see in there, access the API, and can actually incorporate SentinelOne data into ServiceNow. SentinelOne has a very robust API, so if you're into programming or integrating it into other systems, you can do that.

It has phenomenal scalability. It can be used as just a small business or it can operate on hundreds of thousands of devices in a single enterprise.

We don't lose any functionality by its scaling at all.

How are customer service and technical support?

Support has been knowledgeable and well thought out. I don't feel like I'm getting a copy and paste. The technician interacts with me. The more data I can give them, the more they get back. I feel like someone's really putting time in to fix it, and they want to get the job done right the first time. I've never had to go back to them for the same problem.

Their sales rep and sales engineer usually assign two people to your case. One's your actual salesman and the other salesman is your technical salesman, the guy who answers the tech questions. They have been very involved. When it comes to deploying this, they help get the packages created and figure things out. They point you in the right direction. I can reach out to them directly. They have gotten back to me quickly and are very thorough. Their customer support from a salesperson to help desk individuals or whoever you're reaching out to remotely has been top-notch. They've always been professional. They have always been quick and they've always done the best job they possibly could for you. I can't say enough about them, they have been very impressive.

The previous tier is slower than what they are at now. With the service level agreement that we have, they need to get us an answer within around six hours but before they would answer within one hour. They've always been ahead of that curve, but it is a little noticeably slower than it was. That's because we're not paying them for that level of service. We can't really expect them to do anything more than that.

Which solution did I use previously and why did I switch?

The previous solution we used was the Windows System Center Endpoint Protection, which is a part of the Microsoft Active Directory. It's a solution that's packaged with all the Windows products. It has a centralized means of communicating back when it detects an error. However, it was woefully inadequate. We had no idea how bad that was until we tried SentinelOne. We had no idea how teetering our environment was on the threats of viruses until we actually had the insight that we did through SentinelOne.

We switched because we knew the product. We knew what we were using. We were getting to the point where we knew that our current solution was inadequate. We started looking around. We looked at Red Hat, Cylance, and a couple of other ones. We looked at these vendors of these products to gain greater insight. We knew we had to spend the money to get what we needed to get. SentinelOne was brand new at the time and we decided to give them a shot. The Chief Information Security Officer had gone to a conference and was interested. SentinelOne came in, made their pitch, we went through some examples and some tests, and they let us do a proof of concept.

I was around a day and a half into the proof of concept and I was sold. It was an unbelievably effective product so we decided to go with it. Within a month of that, we had another level of agents out there. We were covering the bulk of the machines we needed to cover and we have not looked back since. It's been one of the few things that we have done here that we have never second-guessed.

When we looked at the solutions, Cylance had similar capabilities as far as having a behavioral engine and a static engine, but the difference was the usability of the interface. SentinelOne's interface is phenomenally well laid out, easy to do, and very efficient. The other products we looked at were nowhere near as efficient on the user interface side.

We didn't test them thoroughly enough to find out if there was something that got through on SentinelOne that didn't get through on the other solutions. I don't know how it does it this quickly, but in addition to its own engine and its own ability to check through behavior, it actually references VirusTotal. VirusTotal is a website of centralized virus information. Even if their engine were somehow not detected, it checks the threat against VirusTotal and if any other engine out there has detected that threat, it flags it. It actually uses the intelligence of the other anti-malware products. It does it quickly. I have no idea how it does it that quickly, but it's impressive.

How was the initial setup?

We went with cloud-based instead of on-prem. Going cloud-based was pretty easy. The most difficult thing we had to do was deploy the agent. They don't have any means of deploying the agent. You have to use either your Shoe Leather Express, you have to go walk around and deploy it. And in our case, we use our active directory network, we used SCCM to push it out to departments in that manner. 

One thing that would be nice is if they had a means of deploying their agent. For example, a long time ago, on a different network of a different company, they wanted some help, and I helped them install a Sophos antivirus solution. Sophos had a means of emailing. You can email people and they could click on a link, which would download and install the agent for them, which was nice. Now, we depend on the end-user to do their part of the job which is risky. But one thing about SentinelOne is that I can upgrade agents all day long, but I can't deploy an agent to a machine that doesn't have one on there. There's no means of doing that. I wouldn't expect them to have that in there necessarily, but I think it would be a fantastic ability if they could do that.

I actually like their agent. As a matter of fact, it's required. I don't see how they'd be able to pull it off otherwise to do what it does. My point is, if a computer did not have SentinelOne on it and they were to run into a problem, for example, if we had a device that's not on our active directory network and we wanted them to deploy SentinelOne on it, the only way for me to do that is literally to run the user down, find them, or find their device and install it manually. It would be really nice if there would be a means to deploy it to an endpoint.

We have 2,750 licenses, and I was able to deploy it to 2,750 devices quickly. If you have a deployment mechanism like using your domain or your network, you can actually just say, "Please put it on these devices." You can create an installer package and it talks back to the console and that's it. It's super easy.

Our deployment took close to six months, not because of SentinelOne but because of internal politics.

Because SentinelOne was a new product and anytime you install anything new here, it has to go through committees to install things, we targeted our most high valuable departments first, the ones with the protected data and also administrative offices, like the president of offices and HR. We tested it in our department first and once the rest of the university saw that our computers didn't go up in flames, they began to relax about it. Then, we went to our high priority departments, our Chief Information Security Officer got behind it 100% and pushed the issue, which allowed us to go full force on it after we got through the initial departments. We got it in there, we tested it in our environment, created the packages for it, and tested it in our department for a month. Over the next four months, I rolled it out to individual departments in groups.

What about the implementation team?

We did the deployment ourselves. We only needed one guy to do all those things centrally, which was nice. I was the primary person responsible for the deployment. I would occasionally enlist some help with my coworkers, specifically when we were initially deploying it to go over and test it on some machines. Once we got past the initial deployment, it was just me.

In terms of maintenance, it is no more than a mouse click away. I can upgrade agents in batches, which I normally do, and they are very aggressive about creating new agent versions. The agent versions actually contained more capability. Right now the agents are extremely powerful. I can update every agent here at once, all I have to do is select them and deploy the agent to them. It's very easy.

What was our ROI?

SentinelOne has paid for itself more than once because of the threats it stops. It allows central management, the end-user does not have to interact with the antivirus at all. They will get a warning that says, "Hey, you went somewhere risky," but it's all centrally managed. We don't have to dispatch a technician to go out and try to clean something. I can literally clean it right here from the console. It actually has full rollback capability. If you have ransomware that goes and encrypts an entire hard drive, the way the SentinelOne works on a Windows machine is so that I can hit a rollback command and I can roll the thing back before the thing got there and actually defeat ransomware for that.

It's been night and day for what my job was previous to having this solution.

What's my experience with pricing, setup cost, and licensing?

They were very good about finding a price that could work for us. I'm not the bean counter, so I don't know exactly what the end cost was, but I do know that we got them at a time of the most financial stress we had been under and they found a way to make it work for us. It was a three-year contract and everyone fully expected the price to take a significant jump because the capabilities of the solution had been significantly increased with no additional costs. We expected it to maybe even be priced out and they did not. It went up a slight bit, which you can expect, but they worked with us. We were one of the first companies to go with them here, in Ohio. They have a lot of respect for their loyal customers. They worked with us and allowed us to keep this high-level product and actually add more licenses to it without breaking our bank.

In terms of additional costs, they've added something called Ranger and another layer of deep visibility. The base console doesn't come with that. Ranger is threat hunting and we were able to use the Ranger and the visibility, which is the threat hunting and of course the deep visibility and more in-depth storyline. We were able to use that, but we hardly ever needed that for our environment and the way we use the product. Because of that, we did not opt to have those in our current console.

We do more threat response than hunting. We put the latest and greatest agent out there and it's backed by this particular product but we just simply don't have the personnel to do it like we used to. That's the one thing we're missing. If you were to add the deep visibility and the threat hunting capability onto it, it would be a little bit more. I don't think it's that much of a significant cost, but I don't know the end results of the prices. Because we didn't make use of those two functionalities, they just cut it out.

What other advice do I have?

I could not recommend SentinelOne highly enough. The one thing about this product is something I very seldom say when it comes to almost anything in life, sadly, is that I trust it. I trust this program to be well taken care of on the backend. I trust this program to do its job on the frontend. I trust the endpoint and network security of our university to this product. I have no doubt that we're in good hands. It has proven itself with ransomware, proven itself with Qbot infections, proven itself with a multitude of end-users. 

We had a pen tester on campus that was actively trying to hack things, doing penetration testing, and SentinelOne stops him every time. Every time he got to the machine with SentinelOne on, it stopped him dead in his tracks. The pen tester said, "Your endpoint solution here is fantastic". This is a trained white-hat hacker trying to break through and he couldn't do it. We gave him a foothold, an account, and all kinds of stuff. We opened the door for him to see how far he could get. He was able to get in on machines that did not have this level of protection. He was able to get to devices, create administrative users, elevate privileges. You name it, he can do it. Once he got to a machine with SentinelOne on it, it stopped him.

They didn't tell me we were pen-testing. Suddenly I was seeing lateral movement and all kinds of things on the network and I ran this guy down just to find out we hired him to go do this. I thought we had a hacker on-premises.

I would recommend that anybody who uses this product also interacts with other people who have it. Another university was the first university that had it near us and then we got it. They were a big help to us, as far as answering questions about the deployment. They told us about a couple of little headaches to watch out for. It had nothing to do with SentinelOne, but how Microsoft servers operate. So we were able to save ourselves a lot of time by interfacing with the network of users of this particular program.

What I've learned with a product of this caliber is how efficient one person can be. I don't think you're going to find many places where you have primarily one person safeguarding the endpoint solution of an entire university. The good news is that because everything is the way it's set up, the way it's configured, and the machine intelligence that I've added over the last three years, if I'm not here and someone else steps in front of it, it can run itself in many ways. I've learned that if you find the right product, you can become incredibly efficient.

I'd give SentinelOne a ten out of ten. I'd give it higher than that if I could. I've actually done calls where they've called me and had me speak to the salesman, we had a really good working relationship. He had me call and speak to people who he's actually trying to sell the product to. I think I've sold half a dozen of these things for him, but I can't recommend it enough. I believe in SentinelOne wholeheartedly.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
System Engineer at Lyanthe
Real User
The rollback worked flawlessly, saving me a couple of days of work
Pros and Cons
  • "The best part of the agent is that users can't remove or disable it, so endpoints will be safe. I can control it from the portal. I can see when it's updated and I can push updates from the portal. The greatness of SentinelOne is that our end-users don't see anything to do with the agents. Some of them don't even know it's on their laptops. And that's a good thing."
  • "It's good on Linux, and Windows is pretty good except that the Windows agents sometimes ask for a lot of resources on the endpoints. That could be in the fine-tuning for scanning. In Mac, they are complaining about the same problems, that it's using a lot of resources, but that could also be that we have to configure what it is scanning and what it should not scan. Currently it scans everything."

What is our primary use case?

It's for our regular laptop users, desktops, and our production servers. For the production servers we use it to make sure there is nothing coming from the outside. And for our regular users it works everywhere, so they can do everything with a laptop.

It's a cloud solution. We don't have a large business. We have a lot of services but we don't have many users. Everything is in the cloud and we have about 20 clients or 20 agents for normal users in the Netherlands and we have between 100 and 200 users in the Philippines. The rest is for server safety.

How has it helped my organization?

There is a lot of remote work at the moment and SentinelOne provides the safety I want. Everything goes outside now and the only control I have is Sentinel One, but it gives me enough control.

We have developers who do a lot on their laptops and sometimes they create problems. When that happens, SentinelOne is pretty fast with them. We have configured it to disconnect them from the network so we don't end up with more problems. Now, those developers know they have to contact our IT department if they want to fix it. The great thing there is that we know that when something happens on a laptop it is isolated.

We see what is mitigated and what is not. And when SentinelOne is in doubt, it asks the managers what to do with what it has found. When you have arranged that once, it will take care of it the next time. That's great.

Overall, it's effectiveness is 100 percent because we don't see many outbreaks anymore. Nobody's complaining about using their endpoints.

I've only done a rollback once and it worked flawlessly at that moment, but that was nine months or a year ago. It saved us a lot of time because the problem didn't spread over the network. It affected one machine because it was disconnected from the network. We then rolled it back and it was up and running again. If the rollback hadn't worked well, it would have meant a couple of days of additional work. If the outbreak had reached my network I would have had to clean everything. I was able to do everything from the portal. The connection with the manager was still there. We just had to click on two buttons and everything went.

Overall, it has helped to reduce our response time by about 20 percent. 

What is most valuable?

The most valuable feature is the information it finds and what it is doing with that information. I can check if the info it sends is true. It's very clear. 

And if you configure it in the right way, it does a lot automatically. And that's what you want. You don't have to use it every day. I only log in to the SentinelOne portal once a day, just to check if there are alarms or the like and that's it. The rest is flawless.

Now that we've been using it for six months, SentinelOne knows what we want to have, what it has to do and it works that way. So it's very simple to use and that's pretty nice for the team. 

The best part of the agent is that users can't remove or disable it, so endpoints will be safe. I can control it from the portal. I can see when it's updated and I can push updates from the portal. The greatness of SentinelOne is that our end-users don't see anything to do with the agents. Some of them don't even know it's on their laptops. And that's a good thing.

What needs improvement?

It's good on Linux, and Windows is pretty good except that the Windows agents sometimes ask for a lot of resources on the endpoints. That could be in the fine-tuning of the scanning. In Mac, they are complaining about the same problems, that it's using a lot of resources, but that could also be that we have to configure what it is scanning and what it should not scan. Currently it scans everything.

For how long have I used the solution?

I have been working in my current company since April 1, so I have been using it here for six months. But I used it in another company in Eindhoven for a couple of years. That company was also a provider of SentinelOne and that's why I know how it works and what it does.

What do I think about the stability of the solution?

It has great stability. We haven't experienced any downtime or any kinds of bugs. If the users use the endpoints normally, nothing happens. We have some users who think they have to bypass SentinelOne, and then we sometimes have problems with those endpoints. But that's because of user action. It has nothing to do with SentinelOne.

What do I think about the scalability of the solution?

We started with about 50 endpoints and now we have over 300. We haven't had a problem with it.

There will be more servers to watch over so our usage will be increasing. When the business grows, our IT will grow with it, and SentinelOne has to grow along with us.

How are customer service and technical support?

I have used their technical support and my experience with them has been very good. They are fast. They know what they're talking about. Those are two great things for support to have.

Which solution did I use previously and why did I switch?

Before SentinelOne the company was using F-Secure. It started as an antivirus and then F-Secure also made a cloud-based endpoint protection solution from it, with a managed base and automation and checking for updates. It works with a database, which is not the way SentinelOne works. F-Secure is much cheaper.

They switched to SentinelOne because it is more for malware. F-Secure doesn't do anything in malware, just virus scanning.

How was the initial setup?

The initial setup of SentinelOne is straightforward. It's fairly logical. Everything works in the way you think it has to work. It's pretty simple to work with. It's just a matter of installing the agent and go. It takes about two minutes. There is an agent client with token codes. You just install the token code in it and reboot your endpoint and it's working.

We have it installed on 305 endpoints. This is a work in progress. We didn't have all of those endpoints when SentinelOne came in. We've rolled out new endpoints. But, it doesn't take long for a machine to get an agent and to make a connection and to get updates. Once you are in the portal, you can update from there. And then, you only have to check if it's already there and if the agent is working.

If we push an update, within an hour everything is there. If they are all online it will go pretty fast.

What was our ROI?

It's working simply. You don't have to learn a lot to know what it does and how to work with it, and that saves time. And it gives you a solid solution for security.

What's my experience with pricing, setup cost, and licensing?

You have to look at the kinds of problems you can end up with and the fact that you want security against them, and then SentinelOne is not expensive. That's the way I would sell it. 

If you avoid having one outbreak a year, just one, then SentinelOne is worth the money. When you have that one outbreak and it spreads across your complete network, it means days of work are gone. For a complete environment like ours, with 300-plus users, it would be very expensive.

Which other solutions did I evaluate?

I've also used Sophos with customers. If you want to have a safe environment, then you have to work with tools like SentinelOne. F-Secure and Sophos work with databases for virus knowledge and that creates a delay.

Also, SentinelOne has the rollback which works flawlessly, whereas F-Secure and Sophos don't have that.

What other advice do I have?

My advice is start working with it. You're going to love it.

The biggest lesson I've learned from using SentinelOne is that security tools can be different. SentinelOne has taught me that you can do security in different ways. If it sounds expensive, I would not always say that it is expensive.

We are a very small business. We don't have somebody who specializes in security. Our IT is just three people who do everything. That makes it difficult to say we are going to focus on SentinelOne and try to use it completely. We put it into use for malware security and that's it. We only have a WatchGuard firewall on the front-end and that's it in terms of security on SentinelOne.

They are improving the management tools. They are getting better. The portal is functioning with more logic. Those are good improvements. It's user-friendly enough. People with low IT knowledge can work with it.

It's a very good program. It does what it says it does, and I'm very glad that I have it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Mohammad Ali Khan - PeerSpot reviewer
Director at Pacific Infotech UK ltd
Real User
Automatic remediation and rollback help us minimize the number of technicians needed to support customers
Pros and Cons
  • "It has a one-click button that we can use to reverse all those dodgy changes made by the virus program and bring the system quickly back to what it was. That's one of the most important features."
  • "Another valuable feature is that if a machine is infected, one that may infect other computers within the network, we have the capability of segregating that machine in the network so that it remains connected to the internet but is cut off from the other machines in the network. That helps prevent spreading of the infection. That's a very unique feature, one I have not seen in the last 10 to 15 years from any other antivirus program. That's amazing."
  • "One of the areas which would benefit from being improved is the policies. There are still software programs where we need to manually program in the policies to tell the system, "This program is legitimate." Some level of AI-based automation in creating those policies would go a long way in improving the amount of time it takes to deploy the system."

What is our primary use case?

We are a managed services provider. We are not just using it for ourselves, but we are also supporting it and deploying it for a number of our customers.

The primary use case is that it's endpoint protection software and we use it to protect our end customers' endpoints, whether they are Apple or computers, laptops or servers.

SentinelOne is software as a service, but it has an agent that has to be installed on a computer or a server onsite.

How has it helped my organization?

Its Behavioral AI recognizes novel and fileless attacks and responds in real-time. What that means is that we have better confidence. For example, a number of users use USB drives which they bring from home. While we have a lot of customers where we have actually restricted the use of external USB drives, there are certain customers where we cannot restrict that use because of the way they run their businesses. The result, for them, is that there is a constant fear that at any given point in time, an infected USB from someone's home computer can actually infect the whole lot of computers within the corporate environment. But having SentinelOne means we have a certain level of peace of mind, so that even if something completely new tries to enter the network or the system via a USB drive, for example, it doesn't matter. The system will detect it and kill it. There is a level of protection which we never felt before using SentinelOne.

As a managed service provider, the most important thing is that the more secure a customer's network is, the less time our team will spend trying to fix issues. One of our customers is a prestigious hotel in London, and they were struggling, literally battling, with a virus that had infected their network of about 90 computers. Whatever we could have done, and all their previous IT company could have done, could not have eliminated that virus. Even if you completely formatted a computer, it kept coming back. The only way we were able to clean that whole network up and stabilize the environment was when we brought in SentinelOne. Before that it was Symantec, and Symantec couldn't do anything to control that infection. But SentinelOne brought in such stability, that since we introduced it into that network about one-and-a-half years back, not a single report has come in of any infection there.

Also, when we have to report on attacks to a customer, the customer always asks us for the root cause analysis. It is very important for us to understand the behavior and to find out where that infection came from and what it initially did so that we can look at that behavior and try to prevent it from happening again elsewhere. SentinelOne helps us in doing the root cause analysis and reporting back to our customers. It gives us insight into where a problem started and how it propagated into the system. Tracking the history of the virus' actions gives that insight, which is very important. Otherwise, there is no way to create a root cause analysis report for a security breach.

The automatic remediation and rollback in Protect mode, without human intervention, is already enabled on almost all of our computers. That helps us minimize the number of technicians we need to work on things. Automatic remediation is a policy which we enable when we deploy the system, which means that a lot of things happen automatically. And from our side, we only keep an eye on the dashboard. That means that we need fewer technicians to support the system. It provides support itself through that functionality.

Overall, SentinelOne has reduced our incident response time, absolutely. In our case, it's particularly true because we have remote teams working from remote offices. With SentinelOne, we don't need to send someone onsite because we can see a lot of things from a single pane of glass on the dashboard. And if there is a problem, we can do all the troubleshooting, and working on that incident, remotely. So it has definitely improved the way we have provided cybersecurity to our customers.

And it has reduced our mean time to repair by more than 60 percent. Previously, when we were using other solutions, we had to do a lot more work.

The solution's automation has also increased analyst productivity. The effect is significant in the sense that the amount of time our analysts used to spend on security has been reduced. These days, they only have a look at the dashboard which is open on one of the screens in our office. They just keep an eye on that and as long as it shows everything is green, they don't even bother drilling down and looking at other stuff. It's only when they see an alarm coming up that they jump in and look at it. That was never the case before. Before, they were remotely accessing computers and working on them and trying to fix issues. That has become a thing of the past since we started using SentinelOne.

What is most valuable?

It's artificial intelligence-based software. The best part is the fact that it doesn't necessarily rely on definitions, like other software. For example, Symantec, AVG, Avast, and Kaspersky, traditional antivirus software, rely on virus definitions. So every now and then, if there is a virus infection, they will compile a new set of virus definitions and push it to the local agent so it will know that this virus exists and that it should keep an eye out for it. 

These traditional software solutions have small levels of functionality that may help them to identify if there are any dodgy activities within the computer. They would then try to mitigate those, but only to a very limited extent. With SentinelOne, that's not the case because it basically has its own intelligence to identify any dodgy behavior within the system. As soon as SentinelOne detects anything which is not right, it will start tracing the changes being made. And because it's centrally controlled, it will give the controller team an early indication that there is something wrong and that we need to fix it. Not only that, but it will block it and keep track of it for mitigation.

We also use the solution’s ActiveEDR technology. Because it's an agent-based system, it is monitoring internally. It's not that the central system is doing it. It's keeping an eye on the functioning of the endpoint itself. If the endpoint is functioning properly, it will sit behind the scenes and not do anything at all. As soon as it sees any malicious activity within the system, that's where it's triggered. The artificial intelligence part of the agent is able to differentiate what activity can be considered malicious and what activity can be considered normal. And that's big. It's something that cannot happen without that kind of intelligence in place.

It has a one-click button that we can use to reverse all those dodgy changes made by a virus program and bring the system quickly back to what it was. That's one of the most important features.

Another valuable feature is that if a machine is infected, one that may infect other computers within the network, we have the capability of segregating that machine so that it remains connected to the internet but is cut off from the other machines in the network. That helps prevent spreading of the infection. That's a very unique feature, one I have not seen in the last 10 to 15 years from any other antivirus program. That's amazing.

We have used it on Mac and we have used it on Windows. We have seen a good level of protection, because since installing it for those of our customers who have taken it, not a single report of a breach has come out. I feel very strongly that the system is quite capable.

What needs improvement?

One of the areas which would benefit from being improved is the policies. There are still software programs where we need to manually program in the policies to tell the system, "This program is legitimate." Some level of AI-based automation in creating those policies would go a long way in improving the amount of time it takes to deploy the system. 

There is also a bit of room for improvement in the way SentinelOne is deployed. Right now we push it, but a lot of the time the pushing doesn't work. So we have to log in to each computer and do a manual install. That area would help in making the product stronger.

For how long have I used the solution?

We have been using SentinelOne for about two-and-a-half years.

What do I think about the stability of the solution?

It's very stable. I have not seen it crash, nor have I seen any other problems.

How are customer service and technical support?

I have not used their technical support. My engineers have used it, and their feedback about the support has been good so far. I don't think they have had complaints.

How was the initial setup?

The initial setup is straightforward. But when deploying it to 100 or 200 or 300 machines, pushing it is easier than logging on to each machine and doing it manually. But sometimes, pushing doesn't work and doing it manually takes a little bit more time. But that's a one-off exercise.

We don't have much of an implementation strategy for the solution. As an MSP, there are a lot more things going on, day-to-day, than just dealing with SentinelOne. But for deployment, I get my boys to log on to a customer's systems, do the push, and then whatever does not work through push deployment, they install manually.

For maintenance of SentinelOne, we only have two engineers who look at it on a day-to-day basis. We don't need any more than that. In terms of deployment, it depends on the size of the deployment. If it's a 100-user deployment, we would have a team of three or four who would do it over a few days' time.

What was our ROI?

The return for us is that it has reduced the manpower we require.

What's my experience with pricing, setup cost, and licensing?

Pricing is a bit of a pain point. That's where we have not been able to convince all of our customers to use SentinelOne. The pricing is still on the higher side. It's almost double the price, if not more, of a normal antivirus, such as NOD32, Kaspersky, or Symantec.

I understand that these are not similar products, but for a customer who has a certain amount of money to pay for an antivirus, they can only spend so much. That's where it becomes hard to convince them to pay double the price for endpoint security.

That is the only feature of this product which causes us to step back and not be able to deploy it for absolutely every customer we have. We would love to, but obviously if the customer doesn't have the budget to pay for it, there is not much we can do.

If they can somehow bring the prices down, that would massively help in bringing this to a lot more customers.

Which other solutions did I evaluate?

We looked into other solutions, but not as deeply as we went into SentinelOne. Because we liked SentinelOne so much, we just stopped there. And we already had experience with the likes of Malwarebytes, Symantec, and AVG. This was a far superior product.

I haven't had a chance to take a deeper dive into Carbon Black, but that is something I have been told is comparable to SentinelOne.

One of the things which attracted me to SentinelOne was the fact that it is the only product which is tied to the SonicWall platform, and we use the SonicWall platform a lot. A lot of our customers have SonicWall firewalls. Having a combination of SonicWall and SentinelOne provides an end-to-end security arrangement with products that are integrated with each other.

What other advice do I have?

Go for it. It's an absolutely brilliant product. But understand what it is before starting to deploy. Unless you understand the product, you will not know how to use it to the best of its best capabilities.

The solution's Behavioral AI works with and without a network connection, providing the internal protection. But having that network connection is important because it will then be able to report it to the central dashboard. While it will do what it has to do locally, it's helpful when the agent reports back to the central dashboard so that the IT Admin can take action. It is important that the systems remain connected to the internet.

But overall, the Behavioral AI is amazing. It's something very new in the market. The way SentinelOne works and the way it is set up, I haven't been more impressed by any other product. It is a step forward in security.

We have 400 to 500 endpoints using SentinelOne at the moment, and all those customers are happy. We are happy that they're using it, because it helps us secure their network better than what they had before. We have it on laptops which have been given to home users, on computers in offices, on servers in computer rooms. They all have SentinelOne and we are happy with the level of protection that it offers.

Moving forward, with every customer whose antivirus is coming up for renewal in our portfolio, we are recommending getting rid of Symantec and other products and taking on SentinelOne.

It's very effective and it's improving by the day. In the last two-and-a half years I have seen that the way it detects and the way it mitigates threats are constantly improving. It's a very effective solution.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Director of Cybersecurity at a manufacturing company with 1,001-5,000 employees
Real User
Top 20
A top-tier product with excellent features that provide visibility into an organization's environment
Pros and Cons
  • "Deep Visibility is a valuable feature."
  • "The learning curve was a little steep."

What is our primary use case?

We used SentinelOne because we needed a tool that would add extra visibility into the environment. We also wanted something that was easier to use than our existing product so we switched to SentinelOne.

What is most valuable?

Deep Visibility is a valuable feature. It lets us search across the environment and correlate things much more easily than we could have previously.

What needs improvement?

The learning curve was a little steep. The solution gives training we can go through, but we have to pay for that. We ended up paying for it so we could get everybody ramped up. The product must enable easier onboarding for less familiar or less formally trained people. It would've helped us adopt it quickly.

For how long have I used the solution?

I have been using the solution for three months.

What do I think about the stability of the solution?

We had no stability issues.

What do I think about the scalability of the solution?

The product is on a cloud-hosted instance. It can be integrated into everything that we use. It seems highly scalable.

How are customer service and support?

Support is good. The support team is quick to respond and quick to resolve. We can't ask for anything more.

How would you rate customer service and support?

Positive

How was the initial setup?

The product is cloud-based. The initial deployment was straightforward. We were able to rip and replace and do it all faster than our onboarding team had expected. It was done within a month.

What about the implementation team?

We had the standard onboarding services, but we did all the lifting ourselves. It required four people from our side. Apart from agent upgrades, the tool doesn't need any major maintenance.

What was our ROI?

We currently see returns in getting our technicians' and engineers' time back.

What's my experience with pricing, setup cost, and licensing?

The pricing makes sense to us. The pricing model is simple. It was easy to move forward from our previous products to the new bundle.

What other advice do I have?

We've been using the tool mostly with third-party applications through Singularity Marketplace. Integrating it with our Microsoft environment has been helpful and convenient. The product is robust in ingesting and correlating across our security solutions. It is doing its job without us having to check it.

Previously, we had a few different endpoint solutions on a single asset. The product helped us rip and replace multiple solutions with one. We did a POC on Ranger but didn't go with it. The solution hasn't reduced any alerts, but it has at least given us more actionable data. We need to do tuning because we're so early in the adoption.

The tool has certainly saved the staff's time. It's able to correlate data a lot better and bring it all onto a single pane of glass, which helps save time. It's hard to quantify right now because we're so early in the adoption. We're definitely able to see more bandwidth for other projects. SentinelOne has helped reduce our mean time to detect.

We have seen the most improvements in our organization’s mean time to respond. We would have had to balance between different solutions or portals to correlate data. Now, the tool is just bringing everything into one place. Taking action within the solution has helped us respond and resolve. Our mean time to respond has been reduced by more than half.

We were using multiple products. We replaced them with SentinelOne. Getting a better solution for the same price was a no-brainer for us. Singularity Complete has helped reduce our organizational risk. The solution's quality is top-tier. The maturity was as good as our current solutions. It was easy to make the choice to move over.

SentinelOne is closely aligned with what the actual responders need to do. It seems like the vendor is building tools and solutions for people in the thick of it, which is a big reason why we went with their product. They are making tools for those who need to use them.

If someone were to evaluate or do a proof of concept, the bigger their initial POC, the better. We found some oddities after expanding the initial POC, which would have been nice to work through before the deployment. The vendors set up a capture-the-flag type of event that really helped us learn the environment, where to go for what, and how to use the tools. I highly recommend having everybody go through the capture-the-flag trial they set up.

Overall, I rate the tool a ten out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Laurie Reynolds - PeerSpot reviewer
Threat and Vulnerability Manager at GBG Plc
Consultant
Automation has been fantastic for us, and with real-time detection, we have better security
Pros and Cons
  • "I work in vulnerability management, and for me, at the moment, its automation is most valuable. For the SOC team, incident visibility would be most valuable, but for me, it is automation."
  • "In automation, if we could schedule when we run the task and on which systems we want to run the task, it would improve automation."

What is our primary use case?

First and foremost, we use SentinelOne Singularity Complete for endpoint detection and response in our company. We do not have any antivirus anymore. We have SentinelOne for the endpoint detection, response, and defense mechanism. This is our primary use case. 

We also have other use cases. I work predominantly in vulnerability management. I sometimes work in the SOC. For vulnerability management, we use it in a number of different ways. We sometimes use it to see which applications and versions are running on systems. We use it for an inventory of applications. We do not use it for vulnerability detection. We have another tool for that, which I believe is more dedicated to technical vulnerabilities. I know there has been some investment in this area, but at the moment, we are not using it for that. 

We also use it for running scripts and automating tasks on systems. In fact, I have been doing a lot of that recently. They have developed their automation and remote ops part, which has been fantastic for us. I have been updating a lot of applications using the scripts that I have deployed with SentinelOne. I love that part of the tool. It makes life a lot easier. 

I sometimes also use it to determine where we may not have other pieces of software on systems. For example, we use a vulnerability tool that runs on an agent. I can use SentinelOne to see whether all of the systems on which we have SentinelOne also have our vulnerability tool agent. If a system does not have it, we can deploy a script from SentinelOne to add the agent. 

We also use Ranger, so we can identify other systems on our network that do not necessarily have SentinelOne agents. That can be quite useful sometimes. Because of Ranger, we have seen a lot of systems that we did not already know about. 

As a part of the endpoint detection response, we ingest logs through our central SIEM. We have a hybrid Security Operations Center. The first line is done by a third party. They have access to the SIEM, and all of the SentinelOne data is ingested into that. When there is an incident or when SentinelOne detects an incident, it gets flagged to the Security Operations Center, and then we start to investigate that incident. Most of the time, if it is a SentinelOne-related incident, we will log in to SentinelOne and use it to investigate the incident. We look at the logs on the endpoint and try to establish whether it is a genuine incident or a false positive, what happened on the system, and why we are getting these alerts.

How has it helped my organization?

We use the Ranger functionality. It provides network and asset visibility. It is quite important for us. If we did not have another tool that is doing similar, it would have been extremely important, but we do have a vulnerability management tool that is very similar. It is quite good that it does that automatically out of the box, whereas we have to configure our vulnerability scanning solution to do something like this. The ability to have visibility of the network where we do not necessarily have SentinelOne deployed is very important.

Ranger requires no new agents, hardware, or network changes. This is important for us. It has an advantage over our vulnerability management tool because we have to deploy scanners with our vulnerability management tool, whereas we do not have to deploy anything for SentinelOne Ranger, so in that way, it is a better solution in helping us.

Ranger is very effective in helping to prevent vulnerable devices from becoming compromised. For example, we used Ranger and identified some systems in our data center that we could just log on to. It was not very difficult to get on to those devices. Therefore, it would not have been difficult for anyone else to get on those devices. We did not necessarily have the permission to do so, but we found a way to do that. We managed to get those devices secured, and therefore, increase the security of our systems. That kicked off from Ranger, and that is a good use case.

Singularity Complete has helped free up our staff for other projects and tasks. For example, with automation, I have been able to patch some of our systems, which has freed up time for our help desk team. They do not have to patch some of the systems. It has also been helpful for deploying some of our agents for our other tools. If we deploy through SentinelOne using the script, that frees up our team's time.

Singularity Complete has helped reduce our organizational risk. The previous solution we had was signature-based, so for endpoint detection, it has to know a certain kind of attack before it can detect it or even block it. Because Singularity Complete is more looking at the behavior of running processes and how these processes interact with other processes on the system, it has helped to reduce the risk. We are not relying on static detection signatures. We have got real-time detection. Singularity Complete can detect things that may be the first-ever attack in the world, and we get notified about it. It does reduce the risk.

What is most valuable?

I work in vulnerability management, and for me, at the moment, its automation is most valuable. For the SOC team, incident visibility would be most valuable, but for me, it is automation.

What needs improvement?

In automation, if we could schedule when we run the task and on which systems we want to run the task, it would improve automation.

For how long have I used the solution?

I have been using this solution for two and a half years. I have been using it since I joined this company. 

What do I think about the stability of the solution?

We have not had any issues with it. It has always worked for me.

What do I think about the scalability of the solution?

It is quite scalable. I do not see anything holding it back in that regard.

How are customer service and support?

My impression of SentinelOne as a strategic security partner is very positive.

In terms of support, for a lot of support requirements, I go through the engineering team. They are very knowledgeable about Singularity Complete, but I did contact SentinelOne's support team recently in July. There was a particular vulnerability that Microsoft had already caught. Microsoft Defender had a setting that would automatically block the vulnerability. I raised the question to SentinelOne support asking whether SentinelOne has the same ability to block the vulnerability. It took me a few times to get them to understand what I was asking, and they could not confirm 100% that it was blocked. They just said that their solution does block vulnerability attempts, but they did not specifically do this particular one. Unfortunately, that interaction was not entirely positive. Overall, I would rate them a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

My company had an endpoint solution previously, but I was not with this company before they had Singularity Complete. They already had Singularity Complete when I got here. It was replacing the previous endpoint solution, so I cannot say whether Singularity Complete reduced our alerts or mean time to detect than the previous solution.

How was the initial setup?

I was not involved in its initial deployment. I am with the engineering team. I have deployed SentinelOne on some systems, so I know the process, but I was not involved in deploying it or rolling it out company-wide.

It is in the cloud, but we have SentinelOne agents deployed on our systems. These agents report the data back to the cloud, which gives us the ability to see all of that data.

In terms of maintenance, the team that maintains it performs agent updates. They can be pushed automatically, but our engineering team has decided to not push the updates automatically because they could potentially break something or may not be fully compatible with a current version of, for example, macOS. There is some maintenance in that regard. There is also maintenance in terms of relieving some aged SentinelOne nodes. We might remove those. I would not necessarily call it maintenance, but when we set up particular alerts, we may maintain those alerts based on our requirements at the time. It may be the vulnerability being escalated in the wild, or we might want to set up some sort of detection that can basically detect or indicate any compromise. We maintain all of those rules.

What's my experience with pricing, setup cost, and licensing?

I do not know much about the pricing. What I do know is that the person who negotiates most of the pricing is quite a hard bargainer. In that regard, he often says that he managed to get a very good deal. When we first looked at replacing our old system with Singularity Complete, its price was definitely a big factor. Back then, Singularity Complete was fairly new to the marketplace. We got quite a good deal as an early adopter. They have honored that and respected that we were an early adopter, and I feel we are still getting a very good price.

What other advice do I have?

It is definitely worth considering. It is definitely up there with the best of them now. A few years ago, it probably was not. It was in the early stages, but now, it gives us everything that we need today. They invest heavily in the platform. That is important as well. If you buy it today, in a year or two, you will get a lot more features for your money.

It is quite mature now. Over the two and a half years that I have been using it, there have been numerous feature enhancements. As a basic endpoint detection response, it is very mature, and it now has other features, such as the Ranger functionality and automation, on top of it. It is a very mature offering now.

When it comes to integrations, I do not know about any tools that I have used with Singularity Complete. We just bought Wiz.io for our company, and I understand that SentinelOne links to Wiz.io. I have not personally used it, but I will be using it soon. From what I understand, it is going to be quite useful because if we detect an incident or an alert on a cloud system that Wiz.io manages and has visibility of, we can then get more information about that cloud system. For example, it could say, "We detected that this vulnerability attempt has been made, or one of the exploit attempts has been made on your system." We then get all of this information from Wiz.io which says, "Actually, the system is not vulnerable to that vulnerability." At that point, we would think that we do not need to worry as much, but we are going to see the investigations. 

In terms of its ability to ingest and correlate across our security solution, we do not necessarily ingest into Singularity Complete, but we ingest Singularity Complete into our central SIEM. It is very difficult to ingest data into that SIEM.

Overall, I would rate SentinelOne Singularity Complete an eight out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free SentinelOne Singularity Complete Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2024
Buyer's Guide
Download our free SentinelOne Singularity Complete Report and get advice and tips from experienced pros sharing their opinions.