SentinelOne Review

Easy to manage and install; gives time back to our team

What is our primary use case?

SentinelOne monitors our infrastructure 24/7.

How has it helped my organization?

We are a very small team. Recently, we had to add an extra person; we had two guys, but now there are three. We have about 2000 endpoints and servers, which is a lot if you have to do it on your own. The SOC monitoring that we now have from SentinelOne gives us more time to focus on other important stuff and go to bed without any worries, since SentinelOne is watching over us.

They also guarantee an insurance. For example, if your company has been infected by ransomware, then they provided one million dollars or something as an assurance. For us, if SentinelOne has the balls to say, "Okay, if endpoints are infected, we will give you $2,000 per endpoint that is infected." That's a way for them to convey that we can trust their company.

What is most valuable?

It is easy to manage and install. It has a very nice graphical interface that is very intuitive when end users are using it. You don't have to follow or read a book about 600 pages to have knowledge on how to use it. When SentinelOne is up and running, you can easily find your way. 

They do updates all the time. It's very nice to see how they constantly evolve. New features are being added each time that I take a look at the interface, which is really nice. It's not something you have to do for yourself all the time. You just go to the interface of the management portal, and you will see each time a new feature has been deployed. For example, when we started with SentinelOne, we had some applications that needed to be whitelisted, where we had to go through a whole bunch of licensing rules provided by the distributor. Now, we have the possibility to select from a catalog which rules we want to whitelist, since we are using that application. It is such an easy step for us, which is nice. It makes our life comfortable when managing all our endpoints and very complex infrastructure.

The Behavioral AI recognizes novel and fileless attacks and responds in real-time. The nice thing about SentinelOne is that it is behavior-based, so the AI is smart enough to detect when something is moving. For example, an external person was doing some administrative tasks for us, and he used a tool that is also used by attackers. He called me, and says, "I'm blocked. I think SentinelOne is seeing my tool as a virus or malware." Then, I looked at SentinelOne, and it says this guy is using hacker tools. That is what I found very nice. SentinelOne can immediately identify the tools used by hackers. In this case, it was immediately blocked, even though it was not a malicious application, Trojan, or something like that. Because the solution knows hacker tools and behaviors, it says, "Okay, this cannot work on this environment. This will be blocked." That's something that I really like.

It is a good use as an EDR solution because it immediately reacts on stuff. It also quarantines endpoints.

What needs improvement?

We are now using an external monitoring tool to monitor the services of SentinelOne, because apparently they don't have any solution for that. When the SentinelOne agent is down, you can go to the interface and see a mark on SentinelOne that something is not correct or the server needs to be rebooted, but you will not get an alert. You will not be warned that there is an issue with the SentinelOne agent. I have found that a little bit disturbing, because then we need to use a third-party monitoring tool to make sure that all services of SentinelOne are up and running. 

For how long have I used the solution?

We installed the agent a little more than a year ago.

How are customer service and technical support?

One of the nicest things about SentinelOne is their support. I never met a company which gives such fast, great support. It's extremely fast. When I create a case with some questions, they answer immediately. They provide us with information on how to do stuff, and if we have issues, then they give us an update immediately. Normally, when I open a case with other products it takes days, but with SentinelOne, I get a response in about half an hour. Most of the time, it's cleared in about two hours time.

If we have a remaining question that has nothing to do with the things that the case was created for, SentinelOne will still answer. Some companies need you to create a new case for this, but SentinelOne just says, "Okay, we will help you also with this and provide you with more info," which is magnificent.

The support is very handy because, when you have an issue, it's like working with an extra colleague. If you ask a question to recall it, SentinelOne support can solve it in about two hours, which is nice because then you can go to the next thing. You don't have to focus anymore on the problem. With other vendors, it takes some days to solve it, then it hangs.

Which solution did I use previously and why did I switch?

Our previous antivirus server was on-premise. When we did the updates, then all the clients needed to be connected to that on-premise server. However, with COVID-19 happening, we have been very happy that SentinelOne is in the cloud because even when an endpoint leaves the company, they are still protected by SentinelOne and receiving updates. SentinelOne gives more time back to a small team as well as always being accessible, even if you're not at the company.

How was the initial setup?

The initial setup was easy. We did it step-by-step, so we didn't deploy it to all our endpoints in one shot. We deployed 300 or 400 endpoints per week. This was in case there were any issues, then we could act immediately so we wouldn't have an impact on the whole business. However, we didn't experience any issues. We were up and running in about three or four days and had migrated 2000 clients to SentinelOne.

For our implementation strategy, we deployed one day, then another day we would watch. Then, we deployed another day and would watch the next. So, in about two weeks, we were up and running. We decided to do it that way because we have had issues with mass rollouts in the past. Now, we are very careful when rolling out stuff to the whole company. Perhaps, it might have not been a problem to roll it out in one day, but we did it very slowly to have a kind of a control outcome.

What was our ROI?

The solution gives us more time. We can divide our productivity and time to other products. We don't have to look at SentinelOne a lot.

What's my experience with pricing, setup cost, and licensing?

The pricing level for this service and application was very interesting for us. I don't know exactly what the price was, but apparently it was a big surprise that the SOC was also included in our pricing model.

The Deep Visibility feature practically double the price. Because we have a SOC, we rely on them to have insights about all the threats, so we are not monitoring our environment ourselves. It is mostly done by the SentinelOne SOC. That is the reason why we decided not to go for this feature.

Which other solutions did I evaluate?

We believe the traditional antivirus protection that is using signature-based validation is outdated. We had a look at different solutions, like CrowdStrike and SentinelOne. These solutions are more AI-based that go on behavior. When we spoke to SentinelOne, they also offered a SOC as service. This means that SentinelOne is monitoring all our endpoints with us, and we don't have to do anything, because they do all the hard work. They validate the detections. So, if SentinelOne detects something on the endpoint, the SOC of SentinelOne will validate and see if it is a false positive or true positive. In case of a true positive, it will then see if there are extra steps needed. If that is the case, then SentinelOne contacts us through email asking us to do some final steps or provide them with the info.

SentinelOne was lucky because we first looked at CrowdStrike. However, they were pushing us all the time to get the deal. My manager got furious, and said, "Okay, let's stop everything. We told you we cannot decide before the end of October. That's our company rule." The pressure was too high from CrowdStrike. Therefore, we decided to have another look at SentinelOne. The first time when we saw SentinelOne, it was never mentioned in any Magic Quadrant, so it was hard for us to have a view on what the public experience was with SentinelOne. We were a little bit scared in just believing the vendor and their marketing people that it was a great, innovative product which uses smart technology and behavioral-based analysis. 

SentinelOne will not scan my hard disk. SentinelOne does not care about the hard disk. It only reacts when you execute something. So, I know when I connect my hard disk to my desktop with my tools on it, I don't have to be scared. SentinelOne will not respond, as long as I don't use the tools. A lot of other antivirus vendors, they will immediately start scanning the USB drive or external drive, and they quarantine all the tools. I don't like that. I know it seems a bit strange that it doesn't scan the USB drive. However, I don't care, as long as it protects the USB drive as soon as someone is executing or installing something. This is more convenient for me than something that scans all the time.

What other advice do I have?

We have a partially view of the Storyline technology because we don't have the full license of SentinelOne. The Storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and techniques is very clear and nicely presented. They make it very clear on what phase it is in the attack. If it's a lateral movement, they make it very easy. I'm very happy with that.

I would rate this solution as a 10 out of 10.

Which deployment model are you using for this solution?

Public Cloud

Which version of this solution are you currently using?

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More SentinelOne reviews from users
...who work at a Healthcare Company
...who compared it with CrowdStrike Falcon
Learn what your peers think about SentinelOne. Get advice and tips from experienced pros sharing their opinions. Updated: January 2021.
456,966 professionals have used our research since 2012.
Add a Comment
1 Comment

author avatarRick Bosworth (SentinelOne)

Thank you, Stephen, for the thoughtful and thorough review.  We are always glad to hear how customers are using SentinelOne.