We performed a comparison between Darktrace and SentinelOne based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Based on our users’ reviews, we would conclude that SentinelOne is a stronger, more secure solution than Darktrace. Reviewers say that SentinelOne offers a deeper and more thorough level of security. Additionally, SentinelOne provides equal protection across Windows, Linux, and macOS. It can also support legacy infrastructure as well as newer environments. The single-pane feature helps protect numerous endpoints with a very lean team, saving time and money.
"It also gives the vulnerability status according to the versions you have selected. Let's say you have Google Chrome. It mentions the versions it has, and it updates. Within two hours of an update, it is reflected in the dashboard. That's really nice to have."
"The risk level notifications are most valuable. We get to know what kind of intrusion or attack is there, and we can fix a problem on time."
"Defender for 365 is a comprehensive cloud-based solution. The value of the cloud is that you aren't alone. Threat intelligence and analytics are shared in the cloud. We don't have to find the solution alone. If you face an unknown threat with traditional solutions like Trend Micro and Symantec, you need to open a case and send your information to them to analyze forensically and identify the source of the attack."
"At the moment we are satisfied with this product. It's a stable, scalable, and resilient solution for us."
"Some of the valuable features on the email side are anti-phishing, anti-malware, and Safe Links."
"Threat Explorer is one of the features that I very much like because it is a real-time report that allows you to identify, analyze, and trace security attacks."
"Microsoft Defender for Office 365 is a stable solution."
"The most valuable feature is the integration. It's a single console, so we don't have to switch around between multiple products. Another valuable feature is the ease of operations and maintenance."
"The most valuable feature is that it gives us visibility of rogue traffic that is on the network."
"The most valuable feature is the alerts. The alerts are meaningful. The event rolls up into meaningful and actionable alerts rather than just being noise."
"The ability to detect activity on the network is very useful to us. Even if it's not necessarily an illegal activity, if it is abnormal activity, it is able to detect it and notify us."
"The most valuable feature of Darktrace is the AI that detects abnormal network activity."
"The Antigena feature is most valuable. Once it learns your environment, Antigena can step in and block a denial of service attack, a ransomware attack, or just about anything that doesn't belong in the environment. It can detect any type of attack that hits the environment because it understands what normal looks like for the network. It is very useful for an autonomous response."
"One member of staff is enough for deployment and maintenance because Darkforce is AI-driven. It does a lot of things by itself."
"In terms of features, the data or information they collect and unsupervised machine learning are very valuable. Its unsupervised machine learning has reduced our team's effort. Both Darktrace and Vectra work on unsupervised machine learning that learns the behavior or develops a profile on its own, which allows our security team to do some other tasks rather than spending time on Darktrace or Vectra. Because of unsupervised machine learning, its detection capability is quite good. Along with that, if we utilize the integration feature properly, the automated incident response capability of Darktrace is quite useful."
"It has helped the organization to detect any malware affecting the machines...The network monitoring and the email monitoring features are very valuable for us."
"For me, the most valuable feature is the Deep Visibility. It gives you the ability to search all actions that were taken on a specific machine, like writing register keys, executing software, opening, reading, and writing files. All that stuff is available from the SentinelOne console. I'm able to see which software is permanent on a machine, and how that happened, whether by registry keys or writing it to a special folder on the machine."
"The threat detection and prevention capabilities are valuable, providing development programming support that enables us to perform fair investigations."
"It has good visibility features and it's straightforward."
"In terms of the engines that SentinelOne uses, it has stopped various scripts from running and it's highlighted lateral movement that we weren't expecting."
"It is easy to manage and install. It has a very nice graphical interface that is very intuitive when end users are using it. You don't have to follow or read a book about 600 pages to have knowledge on how to use it. When SentinelOne is up and running, you can easily find your way."
"I was extremely happy with their technical staff. The solution's tech support is top-notch. They have some really good engineers on their team."
"The tool's most valuable feature is Vigilance Respond Pro monitoring. You don't have to have a dedicated SOC and worry about staffing."
"The Deep Visibility feature is the most useful part of the EDR platform. It gives us good insights into what is actually happening on the endpoints, e.g., when we have malicious or suspicious activity. We came from a legacy type AV previously, so we didn't have that level of visibility or understanding. For simplifying threat-hunting, it is extremely useful, where traditional techniques in threat hunting are quite laborious. We can put in indicators of compromise and it will sweep the environment for them, then they would give us a breakdown of what assets have been seen and where they have been seen, which is more of a forensics overview."
"We are always looking for others tools to increase automation on tasks. There can be better integration with other solutions, such as PowerPoint and email."
"The XDR dashboard has room for improvement."
"We need to be able to whitelist data at the backend."
"The certification training for Defender for 365 needs to be deeper and incorporate Sentinel. I took all the security courses except one, and Sentinel isn't included."
"The phishing and spam filters could use some improvement."
"They have moved features from one console to another. Things have been moved around in the interface and it takes me time to find where certain features are."
"They can improve their security in a way where a customer can know if all their attachments are safe or not to open through a report. The solution does its job perfectly, but it never reports to the customer whether those attachments have been stopped before or not."
"Microsoft sometimes has downtime, and we'll get several incidents coming in back to back. We have a huge backlog of notifications, many of which may be false positives. However, there might be serious alerts, so we can't risk dismissing all of them at once."
"Darktrace is a closed technology, meaning we know very little about how it works, including the architecture, which is significant. As a result, when we implement the system and find we're getting many false positives, we have minimal insight into why it's happening and what we can do to fix it. We don't know how the solution is configured, the criteria for threats to be determined, or the product's inner workings. We understand that they have to ensure privacy and their copyright, but we want to see some documentation or public research into the security Darktrace provides."
"The user interface and the configuration are a bit complex and should be improved or simplified."
"A reporting portal could be a great addition to help customize reports."
"The program is quite expensive."
"Needs to improve its collaboration with local partners."
"The main portal needs improvement as it is difficult to use."
"It's a very complex platform."
"It's quite expensive to have."
"The agent update is not the most intuitive process, but I understand why they do it. We have a pretty vertical 64-bit environment for Windows. That is pretty much all we have, but we get alerts for things like the new Linux endpoint or things that do not apply to us. That is probably the only thing that I do not like. There may be some way to turn that off so that I do not get endpoint update alerts from platforms that are not applicable to our system, enterprise, or network."
"Some reports could be better."
"My biggest complaint is that when you're logged into the console there is the Help section where you can review all the documentation. But when you log in to the support portal, there is documentation there as well. They need to sync those two into one place so that I don't have to search in two different locations for an answer."
"It would be nice if the console stored data daily, so that you could look at a timeline of events on a machine over a period of time, and currently this is not possible."
"They can improve the administrative interface. They can make it more user-friendly."
"It's fine. It's correcting all the EFC files with a virus. All the achievements, maximum EFC files. Many EFC files will be flagged as a virus. Some virus databases need to be updated. The model is good at finding many EFC files. The trouble is it needs to be updated."
"There is not much flexibility in terms of policy fine-tuning. We can turn it off or turn it on, but, there's nothing much else to do. Everything is predefined. It's good in a way, but you don't get much flexibility if you want to do something particular."
"The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do."
More Microsoft Defender for Office 365 Pricing and Cost Advice →
More SentinelOne Singularity Complete Pricing and Cost Advice →
Darktrace is ranked 11th in Email Security with 65 reviews while SentinelOne Singularity Complete is ranked 2nd in Endpoint Detection and Response (EDR) with 177 reviews. Darktrace is rated 8.2, while SentinelOne Singularity Complete is rated 8.8. The top reviewer of Darktrace writes "Great autonomous support, offers an easy setup, and has responsive support". On the other hand, the top reviewer of SentinelOne Singularity Complete writes "Provides peace of mind and is good at ingesting data and correlating". Darktrace is most compared with CrowdStrike Falcon, Vectra AI, Cortex XDR by Palo Alto Networks, Cisco Secure Network Analytics and ExtraHop Reveal(x), whereas SentinelOne Singularity Complete is most compared with Microsoft Defender for Endpoint, CrowdStrike Falcon, ThreatLocker Protect, Datto Endpoint Detection and Response (EDR) and Bitdefender GravityZone EDR.
We monitor all Email Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
You should not compare SentinelOne to Darktrace - they solve completely different problems. These types of questions show the ongoing challenges in cybersecurity. As written below, SentinelOne is an Endpoint Detection and Response tool. It is to protect a laptop or workstation from an attack. EDR is a core requirement for cyber defense.
Darktrace is a network detection and response tool. NDR tools detect attacks occurring against the network. NDR is also a core requirement for cyber defense.
Regardless of the quality of either tool, you need to cover both your endpoint and your network. So if you decide one is better and choose it, you remain vulnerable to attack.
Cover your endpoint only, and I am going to hit you with an attack on your network. Cover your network only, and I will get you via an endpoint.
EDR tools - SentinelOne, Cybereason, CrowdStrike, Carbon Black to name a few.
NDR tools - Darktrace, Vectra, ExtraHop, Cyglass to name a few.
Comparisons of these tools by category would be more valuable.
An easy answer for me - pretty much exactly what @Janet Staver described.
DT was a good east-west network traffic tool that could tell you all about communications between systems (think NDR) but limited capacity, expensive boxes, that we outgrew.
S1 is an endpoint tool with deep inspection, a central console, and is cost-effective.
I have done a POC with Darktrace three different times at different orgs.
They are actually a borderline scam company. On each POC, I set up tests that even a free install of Suricata could detect. DT failed to detect anything in each case.
The other thing is that they call their alerts breaches. This is a BAD idea and they would not listen to reason on this. They will send out young, good-looking salespeople, but by the time you are done with your POC, they will be gone and replaced by someone else.
Their sales engineers are too young to have any experience with a security issue you may be dealing with. And I suspect after a few POCs they see that this does not work, at all, and leave! Stay away from Darktrace!
You can't compare these two solutions - they are different.
SentinelOne is an EDR similar to known EDRs (Sophos, Sandblast, CrowdStrike, Palo Alto XDR, etc.).
You need an agent to install to the endpoint to manage. You can integrate via API if you want to integrate to existing networks like Clearpass and micro-segmentation software like Guardicore.
Darktrace is an AI-based tool to analyze traffic for known cyber threats from the network level without any agent. Either mirror the port or redirect traffic from VLAN to the Darktrace sensor. The sensor notifies you if any devices are newly discovered to the network, or new users access the particular device. You can block that traffic or device to mobile devices or web UI. In addition, Darktrace also has a module to integrate to SaS like the Office365 email.
Both @Janet Staver and @ITSecuri7cfd are spot on.
As a security vendor, like ITSecuri7cfd points out, one tool is for the endpoint and one tool is for the network side.
If you looking for an EDR tool, you should look to compare solutions from Carbon Black, Crowdstrike, etc.
As for Darktrace, they are classified as an NDR tool. Within the NDR market, there are essentially 2 types of solutions; tools for smaller organizations that have limited resources and tools that are designed for organizations that have SOC teams that need better visibility and data.
If you want to learn more about NDR solutions in general we have written an ebook called "What to look for in an NDR platform": https://bricata.com/wp-content...
Which solution is better depends on which is more suitable specifically for your company. Darktrace, for example, is meant for smaller to medium-sized businesses. It is also a good option for organizations who have limited security resources but still need deep insights into threats and network intrusions. Darktrace also has an invaluable feature that produces weekly reports.
A unique feature Darktrace has to its name is its use of artificial intelligence for cybersecurity and machine learning capabilities. Darktrace is able to successfully detect threats over networks before it's even possible for them to spread. In addition, it notifies you with all the threat details. Although Darktrace is geared toward smaller-sized organizations, it does come with a hefty cost. The cost increases as the number of products that need to be monitored increases.
SentinelOne is a great product and effective for mitigating threats. It allows you to have granular control over your environments and your endpoints. SentinelOne has a central management console. It also provides insight into lateral movement threats, by gathering data from anything that happens to be related to the security of an endpoint. Another SentinelOne feature that’s fantastic is their one-click automation remediation, along with rollback for restoring an endpoint, which can often be very helpful.
SentinelOne is also known for its ability to decrease incident response time and has deep visibility that comes in handy quite often. However, the dashboard design isn’t wonderful. In contrast to Darktrace though, SentinelOne is efficient because minimal administrative support is required, and it offers a lot for a solution that is cost-effective.
Conclusion
While both SentinelOne and Darktrace boast many beneficial features, one outweighs the other when it comes to price. If Darktrace is within your budget, I would recommend it. But if not, SentinelOne is a great solution that makes a lot of sense.