We just raised a $30M Series A: Read our story
SP
Network and Security Engineer at a energy/utilities company with 1,001-5,000 employees
Real User
Top 20
Easy to manage and install; gives time back to our team

Pros and Cons

  • "It is easy to manage and install. It has a very nice graphical interface that is very intuitive when end users are using it. You don't have to follow or read a book about 600 pages to have knowledge on how to use it. When SentinelOne is up and running, you can easily find your way."
  • "We are now using an external monitoring tool to monitor the services of SentinelOne, because apparently they don't have any solution for that. When the SentinelOne agent is down, you can go to the interface and see a mark on SentinelOne that something is not correct or the server needs to be rebooted, but you will not get an alert. You will not be warned that there is an issue with the SentinelOne agent. I have found that a little bit disturbing, because then we need to use a third-party monitoring tool to make sure that all services of SentinelOne are up and running."

What is our primary use case?

SentinelOne monitors our infrastructure 24/7.

How has it helped my organization?

We are a very small team. Recently, we had to add an extra person; we had two guys, but now there are three. We have about 2000 endpoints and servers, which is a lot if you have to do it on your own. The SOC monitoring that we now have from SentinelOne gives us more time to focus on other important stuff and go to bed without any worries, since SentinelOne is watching over us.

They also guarantee an insurance. For example, if your company has been infected by ransomware, then they provided one million dollars or something as an assurance. For us, if SentinelOne has the balls to say, "Okay, if endpoints are infected, we will give you $2,000 per endpoint that is infected." That's a way for them to convey that we can trust their company.

What is most valuable?

It is easy to manage and install. It has a very nice graphical interface that is very intuitive when end users are using it. You don't have to follow or read a book about 600 pages to have knowledge on how to use it. When SentinelOne is up and running, you can easily find your way. 

They do updates all the time. It's very nice to see how they constantly evolve. New features are being added each time that I take a look at the interface, which is really nice. It's not something you have to do for yourself all the time. You just go to the interface of the management portal, and you will see each time a new feature has been deployed. For example, when we started with SentinelOne, we had some applications that needed to be whitelisted, where we had to go through a whole bunch of licensing rules provided by the distributor. Now, we have the possibility to select from a catalog which rules we want to whitelist, since we are using that application. It is such an easy step for us, which is nice. It makes our life comfortable when managing all our endpoints and very complex infrastructure.

The Behavioral AI recognizes novel and fileless attacks and responds in real-time. The nice thing about SentinelOne is that it is behavior-based, so the AI is smart enough to detect when something is moving. For example, an external person was doing some administrative tasks for us, and he used a tool that is also used by attackers. He called me, and says, "I'm blocked. I think SentinelOne is seeing my tool as a virus or malware." Then, I looked at SentinelOne, and it says this guy is using hacker tools. That is what I found very nice. SentinelOne can immediately identify the tools used by hackers. In this case, it was immediately blocked, even though it was not a malicious application, Trojan, or something like that. Because the solution knows hacker tools and behaviors, it says, "Okay, this cannot work on this environment. This will be blocked." That's something that I really like.

It is a good use as an EDR solution because it immediately reacts on stuff. It also quarantines endpoints.

What needs improvement?

We are now using an external monitoring tool to monitor the services of SentinelOne, because apparently they don't have any solution for that. When the SentinelOne agent is down, you can go to the interface and see a mark on SentinelOne that something is not correct or the server needs to be rebooted, but you will not get an alert. You will not be warned that there is an issue with the SentinelOne agent. I have found that a little bit disturbing, because then we need to use a third-party monitoring tool to make sure that all services of SentinelOne are up and running. 

For how long have I used the solution?

We installed the agent a little more than a year ago.

How are customer service and technical support?

One of the nicest things about SentinelOne is their support. I never met a company which gives such fast, great support. It's extremely fast. When I create a case with some questions, they answer immediately. They provide us with information on how to do stuff, and if we have issues, then they give us an update immediately. Normally, when I open a case with other products it takes days, but with SentinelOne, I get a response in about half an hour. Most of the time, it's cleared in about two hours time.

If we have a remaining question that has nothing to do with the things that the case was created for, SentinelOne will still answer. Some companies need you to create a new case for this, but SentinelOne just says, "Okay, we will help you also with this and provide you with more info," which is magnificent.

The support is very handy because, when you have an issue, it's like working with an extra colleague. If you ask a question to recall it, SentinelOne support can solve it in about two hours, which is nice because then you can go to the next thing. You don't have to focus anymore on the problem. With other vendors, it takes some days to solve it, then it hangs.

Which solution did I use previously and why did I switch?

Our previous antivirus server was on-premise. When we did the updates, then all the clients needed to be connected to that on-premise server. However, with COVID-19 happening, we have been very happy that SentinelOne is in the cloud because even when an endpoint leaves the company, they are still protected by SentinelOne and receiving updates. SentinelOne gives more time back to a small team as well as always being accessible, even if you're not at the company.

How was the initial setup?

The initial setup was easy. We did it step-by-step, so we didn't deploy it to all our endpoints in one shot. We deployed 300 or 400 endpoints per week. This was in case there were any issues, then we could act immediately so we wouldn't have an impact on the whole business. However, we didn't experience any issues. We were up and running in about three or four days and had migrated 2000 clients to SentinelOne.

For our implementation strategy, we deployed one day, then another day we would watch. Then, we deployed another day and would watch the next. So, in about two weeks, we were up and running. We decided to do it that way because we have had issues with mass rollouts in the past. Now, we are very careful when rolling out stuff to the whole company. Perhaps, it might have not been a problem to roll it out in one day, but we did it very slowly to have a kind of a control outcome.

What was our ROI?

The solution gives us more time. We can divide our productivity and time to other products. We don't have to look at SentinelOne a lot.

What's my experience with pricing, setup cost, and licensing?

The pricing level for this service and application was very interesting for us. I don't know exactly what the price was, but apparently it was a big surprise that the SOC was also included in our pricing model.

The Deep Visibility feature practically double the price. Because we have a SOC, we rely on them to have insights about all the threats, so we are not monitoring our environment ourselves. It is mostly done by the SentinelOne SOC. That is the reason why we decided not to go for this feature.

Which other solutions did I evaluate?

We believe the traditional antivirus protection that is using signature-based validation is outdated. We had a look at different solutions, like CrowdStrike and SentinelOne. These solutions are more AI-based that go on behavior. When we spoke to SentinelOne, they also offered a SOC as service. This means that SentinelOne is monitoring all our endpoints with us, and we don't have to do anything, because they do all the hard work. They validate the detections. So, if SentinelOne detects something on the endpoint, the SOC of SentinelOne will validate and see if it is a false positive or true positive. In case of a true positive, it will then see if there are extra steps needed. If that is the case, then SentinelOne contacts us through email asking us to do some final steps or provide them with the info.

SentinelOne was lucky because we first looked at CrowdStrike. However, they were pushing us all the time to get the deal. My manager got furious, and said, "Okay, let's stop everything. We told you we cannot decide before the end of October. That's our company rule." The pressure was too high from CrowdStrike. Therefore, we decided to have another look at SentinelOne. The first time when we saw SentinelOne, it was never mentioned in any Magic Quadrant, so it was hard for us to have a view on what the public experience was with SentinelOne. We were a little bit scared in just believing the vendor and their marketing people that it was a great, innovative product which uses smart technology and behavioral-based analysis. 

SentinelOne will not scan my hard disk. SentinelOne does not care about the hard disk. It only reacts when you execute something. So, I know when I connect my hard disk to my desktop with my tools on it, I don't have to be scared. SentinelOne will not respond, as long as I don't use the tools. A lot of other antivirus vendors, they will immediately start scanning the USB drive or external drive, and they quarantine all the tools. I don't like that. I know it seems a bit strange that it doesn't scan the USB drive. However, I don't care, as long as it protects the USB drive as soon as someone is executing or installing something. This is more convenient for me than something that scans all the time.

What other advice do I have?

We have a partially view of the Storyline technology because we don't have the full license of SentinelOne. The Storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and techniques is very clear and nicely presented. They make it very clear on what phase it is in the attack. If it's a lateral movement, they make it very easy. I'm very happy with that.

I would rate this solution as a 10 out of 10.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
AM
Network & Cyber Security Manager at a energy/utilities company with 51-200 employees
Real User
Top 20
Cut our response times down to "nothing" and reduces our dependency on a SOC

Pros and Cons

  • "When there is an incident, the solution's Storyline feature gives you a timeline, the whole story, what it began with, what it opened, et cetera. You have the whole picture in one minute. You don't need someone to analyze the system, to go into the logs. You get the entire picture in the dashboard. The Storyline feature has made our response time very fast because we don't need to rely on outside help."
  • "All they need to do to improve it is for it to grow further. The hackers don't sleep. If the hackers don't sleep, the solution continually needs to be updated. They need to keep ahead of the hackers."

What is our primary use case?

We have the solution deployed on-premises and, for the last year, on the cloud as well. We have two systems.

Over the last year of Corona, we provided a lot of laptops to our workers to work at home. But because they're not connected, at first, to our network, they can't connect to the SentinelOne instance on-premises. We wanted something that would protect them when they're on the internet, and not only after they connected to our network. That is why we got the system that is in the cloud, to protect all the company laptops.

We don't have a lot of incidents because ours is a very closed network. We don't connect directly to the internet. So SentinelOne is only a barrier between us and the emails or between us and the files that go into our network. 

How has it helped my organization?

Three years ago, one of our employees got an email from someone and opened a file. It was ransomware. It started to infect the disks and I didn't know if it had started to encrypt the network routes. I stopped the computer, but I didn't know if another computer had also been infected. I waited for a company that was giving us support for those kinds of things. They got the disk and they started to check and analyze it. After four hours—and that was very quick, by their standards—I got the first analysis. If I had had SentinelOne the whole thing would have taken between 10 seconds and one minute. And then there was the cost of the SLA that we paid to the support company for that kind of support. A four-hour SLA costs a lot of money; the basic SLA is eight hours.

It has cut the response times to nothing. When we have an incident, we get an email in seconds and I can respond in a second to any threat. Even if it's a false alarm, I get the alarm immediately. For example, when we started to work from home, I accidentally installed a program that writes to the MBR partition in the laptop. It wanted to write to the MBR partition and SentinelOne stopped the file and it saved me from having to install the whole computer again. So it not only protects against threats but against mistakes. It's like having a big brother sitting behind you who protects you.

When you pay for a system like SentinelOne, along with the other systems that we have, we're less dependent on a SOC.

The solution gives me peace of mind when it comes to the reliability of the computers on our system. We can work through the internet, as has been happening recently with half of the company working from home, and I know that I have a system that has my back, that protects me. I know it does because I have tested it.

What is most valuable?

There isn't a single valuable feature, it's the whole engine and system. It's working online in  real-time and gives us alerts, on-click. We chose SentinelOne because in the millisecond that I clicked on the file, I got a block-alert.

SentinelOne's Static AI and Behavioral AI technologies are among the most effective for protecting against attacks because they analyze not only the file's surface, but the behavior of the file. When I described to my manager what I was going to buy, I described a system that analyzes file behavior. If you open a calculator, calc.exe, you know it's going to open calc.exe, and maybe open service X or Y, but it won't go to the internet, to an IP, and spread something. When you analyze the behavior or reaction of each file that works on your PC, it's something else. It's a different level of EDR.

When there is an incident, the solution's Storyline feature gives you a timeline, the whole story, what it began with, what it opened, et cetera. You have the whole picture in one minute. You don't need someone to analyze the system, to go into the logs. You get the entire picture in the dashboard. The Storyline feature has made our response time very fast because we don't need to rely on outside help. We see the whole picture in front of us, from the beginning to the end. We can see, with the click of a button, if that file ran on more computers, not only one or two, and how it spread to other computers. We can see the whole tree and we can immediately respond. We don't need to wait for analysis.

The UI is very clear. You don't need to look for something or to dig to understand where it is. It's all in front of your eyes.

What needs improvement?

All they need to do to improve it is for it to grow further. The hackers don't sleep. If the hackers don't sleep, the solution continually needs to be updated. They need to keep ahead of the hackers.

For how long have I used the solution?

I have been using SentinelOne for two years.

What do I think about the stability of the solution?

It has never gone down. In two years I haven't had any software or hardware problems.

What do I think about the scalability of the solution?

The scalability is driven by demand. If I need to buy 100 licenses, I can buy 100 licenses. We started with 50 and now we have 200 on-premises and 100 on the cloud.

In terms of expanding our usage, we have a SCADA network. It is our operational network. That network is 100 percent disconnected from the outside world. It's not connected to any network, not to IT and not to the internet. We use a regular antivirus there. We plan on deploying SentinelOne to support that and to remove the old antivirus.

Which solution did I use previously and why did I switch?

Prior to using Sentinel one we were using McAfee Endpoint Security. We switched because I understood that the systems that are only checking file signatures don't work anymore.

How was the initial setup?

We installed it, in the beginning, on-premises on our computer inside the network, and the installation was done with an integration company. Every three or four months we upgrade because our location is not connected to the internet directly.

The on-premises deployment took something like a week to get it deployed to everyone, but the installation itself was very quick, half a day. Then, to see what should be put in the blacklist or what to exclude took about two weeks. The deployment was done by me and the IT manager.

The cloud version was very simple, no problem. Things were done automatically.

What about the implementation team?

The integrator we used was DnA-IT. They only did the installation for the first implementation.

Now that we are going back to the workplace, I will start to work with them on an hourly basis, and we'll learn about all the features from them. They have good guys who know what I need and what we're going to do. I am one person who supports 400 people, so I need the time to sit with the system and to learn it. The system has a lot of features that we don't use or that we don't understand how to use because we haven't had a lot of time in the past year to research them and sit with the company to teach us. We work with the basic features, things like the blacklist and the USB restrictions. The integrator will show us how to use the more advanced features. I'm starting to think that if we can implement all the features from SentinelOne, I will be able to cut the antivirus that we are paying for.

We also use DnA-IT for support. If necessary, they open a ticket with SentinelOne.

What was our ROI?

It's cost-effective. The price of 100 licenses that I need in the cloud is cheaper than one Bitcoin I would need to pay in the case of ransomware. It's already paying for itself.

What's my experience with pricing, setup cost, and licensing?

The pricing is very fair for the solution they provide.

Aside from the standard licensing fee, the only other costs are for the hardware, because we use Hyper-V on-premises.

Which other solutions did I evaluate?

I don't remember the names of the other solutions we tested because it was more than two years ago. At that time, SentinelOne was a very young, small, Israeli company with a new product. We were using another startup on our OT network and I asked them if they knew of a good EDR company and they told me there's a little company like ours, our friends, check them out. We also checked two other companies.

We did a penetration test on some solutions. A company that we work with on pen testing planted malware in Excel files, in a macro. We tested how each of the solutions alerted us on the macro and about what it was doing. SentinelOne alerted us at the moment I clicked on the mouse. When I got the popup alert from SentinelOne, I said, "That's it."

In the other software that we checked, there was a little delay because the software got the file, transferred it to the cloud, waited for the cloud to handle the file, and then got the answer back. It took about half a minute or a minute. But in half a minute or a minute, an attack can destroy half of the network. In fact, one of the others didn't detect it at all.

What other advice do I have?

My advice is check out SentinelOne. See how the system works in a real-time attack. Only when you see how it works in real life, in real time, will you understand the ROI of the system. Simulate an attack, simulate a file, simulate that file changing something, and see how it works. I can say to my manager, "I have McAfee installed on my system, I'm safe," and they'll check the checkbox and move on, without understanding what they are doing. I need to sleep well at home and I can do so by knowing I have a system that has my back. That is what SentinelOne is.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
Learn what your peers think about SentinelOne. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
552,407 professionals have used our research since 2012.
AE
Sr. Information Security Manager at a computer software company with 1,001-5,000 employees
Real User
Top 20
Shortened our incident response process because all of the information we need is already there

Pros and Cons

  • "Previously, we had some processes related to incident response which required more steps. We needed to upload to VirusTotal, Sandbox, et cetera. Now, this process is shortened because all of the information we need is already in SentinelOne. We can briefly analyze and even respond from one management console. If someone has SOC, using the API, they can control everything. It's very cool. I think this is the future."
  • "In terms of improvement, they should work on agents' updates because that is not a strong part. It's not their strong point. It's not straightforward to upgrade agents. I send them questions about it. They already worked on this and they promised that in the next release that they will show me their solution for it. But this year I have had complaints about agents' updates, that they aren't clear."

What is our primary use case?

SentinelOne has completely replaced the antivirus solution that we used before. It's also an EDR solution. In the case of any suspicious malware, we can control the system with this agent.

How has it helped my organization?

Previously, we had some processes related to incident response which required more steps.  We needed to upload to VirusTotal, Sandbox, et cetera. Now, this process is shortened because all of the information we need is already in SentinelOne. We can briefly analyze and even respond from one management console. If someone has SOC, using the API, they can control everything. It's very cool. I think this is the future.

Behavioral AI does recognize novel and fileless attacks but we hope not to experience an attack like this. These days, there is no life without the internet. I don't think it is really a plausible scenario because we all use Microsoft services, 365, etc. If you don't have an internet connection, then you don't have anything. The guys from SentinelOne showed me an example where they can actually work without an internet connection and it worked just fine, like a common antivirus solution. But it wasn't important to us that it can do this because we know that in the real world, there are not many scenarios that wouldn't involve the internet.

We do use the storyline feature because it's SentinelOne's main feature that they are proud of. We don't see a lot of viruses in our environment and from what we have seen, it doesn't really help because a user will download a virus, the antivirus blocks it, and that's the end of the story. So there isn't much of a storyline behind it. But the SentinelOne guys showed us how it works and in the case of a difficult attack, it should work fine. 

We work with the storyline feature when we are suspicious of something and we need to check. But we didn't have an exact case where something highly critical was in our systems.

What is most valuable?

I find all of the features to be valuable. It's a cool and very informative tool. The management console analyzes, stops, and prevents the spread of malware. You only need to work with the console. There is nothing to do on the agent side. The user does not need to be involved in this process. 

The level of information it provides is enormous. You have all you need in case something happens. If we need to have an incident response with third-party external companies, we can give them the data that they can analyze further. The information about what's happened on the computer is absolutely amazing.

It's very comprehensive. It offers a lot of data but you can see only what you need or you can go further. If you need to investigate a little further, you can do that in any process. It's a SOC-analyst style.

If you are not an analyst, you can still do a lot with it. It's very convenient. We have workers who are not in the office, who are working from home. This is a good solution for them because it's Cloud-based. I can control everything from one console and even for users who are not in the office. We work with lots of vendors and not many of them have this solution. Traditional antivirus software doesn't have these features.

In terms of its impact on the endpoint, when you have a house computer working on antivirus, it doesn't make a huge impact on the system resources and even more, it can be installed parallel to antivirus. We have had scenarios where we have traditional antivirus and SentinelOne installed in parallel. It's two antiviruses on the computer and users won't know about it. They know about it when they start to download bad stuff and the antivirus starts yelling. 

According to what I see in the console, I do think that SentinelOne covers a wide variety of operating systems. It's even more than it needs to. In the traditional way, it's like antivirus but it does even more because it's also like an EDR solution. It covers all processes, what it does, where it goes, et cetera. There's a lot of stuff under the hood. I'm surprised it doesn't use a lot of resources because I thought it would be more aggressive for CPU memory.

What needs improvement?

In terms of improvement, they should work on agents' updates because that is not a strong part. It's not their strong point. It's not straightforward to upgrade agents. I send them questions about it. They already worked on this and they promised that in the next release that they will show me their solution for it. But this year I have had complaints about agents' updates, that they aren't clear.

They have a lot of updates on their management console. They have a lot of features. There is not enough time to read about it all. It's really a lot. The features that they apply are great and I would love to use them, but it's lots of things to know. And if you're not only working with antivirus on SentinelOne like me, there isn't much time to learn about it. 

For how long have I used the solution?

I have been using SentinelOne for almost a year. 

What do I think about the stability of the solution?

I'm very excited to work with SentinelOne but they have a problem with agent updates. We lose connectivity when we update agents. When users are working from home it's not good to lose connection because you don't have options to connect or have meetings. 

I think they started working very closely on this problem. This solution will be better but so far, that's been my experience. 

What do I think about the scalability of the solution?

We use the Cloud. It's completely scalable. They use a management console for lots of companies. It's tremendously scalable, it can be used with hundreds of thousands of computers.

Right now, we protect only 100 endpoints, it's for highly critical systems. Before the COVID crisis, we had plans to increase usage. We need to renew at the end of the year. We will for sure renew for 100 endpoints. I'm not sure about expanding though.

We don't need to do anything related to updating service backend sites. For agents, we only need to click "select all" and "run update," that's it. It only requires one person for maintenance, to see events and analyst information, technology, etc. It has access for three people who are security engineers and our CSO.

How are customer service and technical support?

They have excellent support. There are security vendors who take up to 48 hours to just answer back a "Hello," without an explanation to my problem. The SentinelOne guys answer within the hour with a solution to any concerns expressed in an email. Support is very awesome. They also connect me with engineers who can help me. I can share a screen with them to show them the exact problem. This is important because a lot of vendors don't do this.

How was the initial setup?

The initial setup is very easy and straightforward. We don't use the on-premise solution, we are Cloud-based. It's important because we have a lot of resources on our side who work fast. We can deploy in minutes. The initial deployment took one hour. 

What about the implementation team?

We did the deployment ourselves. It's really easy. We have a Wiki page where end-users can see what they can install themselves. They just need to click on it, type, tell us where they want us to put a computer, and that's it. The users can do it themselves.

We installed it for a pilot group of 10 users and then deployed for others.

What was our ROI?

Our analysts spend less time doing his job because he has everything he needs in one management console. He can programmatically do everything and only react to real incidents. It reduced the costs of analysts' work. Their work costs a lot of time and money and having SentinelOne enables us to save on these costs. 

What's my experience with pricing, setup cost, and licensing?

There are actually three versions of this product: the user version, professional, and professional plus. If analysts need to see something, like what the users are doing, what processes are running, we can go to the console and see. The traditional version only shows when incidents happen. I think the next time we renew, we'd go with the lesser version because it shows enough information. 

There aren't additional costs to the standard licensing.

Which other solutions did I evaluate?

We have the option to choose different vendors. We briefly looked at other vendors. We looked at Carbon Black, Kaspersky, and ESET EDR.

We evaluated them one year ago. These vendors are comparable to traditional antivirus while SentinelOne is and all in one solution. It has everything you need. SOC analysts is straightforward and they gave us a straightforward proposal. 

It takes the same amount of time for SentinelOne to catch malware as it does other solutions. There's not much of a difference. In our case, we don't see a lot of viruses because we have a lot of levels of security that prevent them. 

What other advice do I have?

We can see the difference between traditional antivirus and what we can do with SentinelOne. Even if the price is a little bit more, we can see what we can do with it. We can use EDR, stop network activity, do whatever we need on the endpoint, from the security engineer side. We can see that it's at a completely different level. We have a traditional antivirus but we're going to rid of them at the end of the licensing period.

My advice would be to go with the Cloud version, not on-prem. 

I would rate SentinelOne a ten out of ten. It's a ten out of ten in terms of the EDR. It's also a 10 of 10 for the product and company. The solution does a lot. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PS
Software Engineer at a healthcare company with 51-200 employees
Real User
Top 20
Lets us centrally manage our active endpoints

Pros and Cons

  • "It delivers the type of security which we were hoping for, since we have a lot of different endpoint users utilizing different types of software. We have people who only use Office software, like email, Word, and PDFs. Then, we have people who use some applications that other people wrote. We also write applications in-house using people who develop software. Therefore, we have some machines using very high-end developer software for mechanical development, electronic development, and software development. Those users are used to managing their PC on their own. The centralize platform allows us to differentiate between those three groups of people. We have overall control and can oversee the security levels at all the endpoints. They have not yet been blocked in any way when performing the functions"
  • "We have had one or two occasions when we had to roll back off our Windows machine. Then, we had an issue with SentinelOne where we couldn't let the client make contact with the cloud service anymore. Therefore, the integration with the Windows Service Recovery could be improved in the future."

What is our primary use case?

We are a company with several types of PC users. Our office ranges from marketing to sales, and we also have people who are remote on laptops all over the world, as well as an R&D department. Those people use PCs in different ways. 

We wanted a platform that has ways of dealing with various kinds of users, but we also wanted a central management so we could overview the state of all our endpoints with one view.

We use the central cloud interface to manage all our endpoints.

We only use it on Windows machines.

How has it helped my organization?

It delivers the type of security which we were hoping for, since we have a lot of different endpoint users utilizing different types of software. We have people who only use Office software, like email, Word, and PDFs. Then, we have people who use some applications that other people wrote. We also write applications in-house using people who develop software. Therefore, we have some machines using very high-end developer software for mechanical development, electronic development, and software development. Those users are used to managing their PC on their own. The centralize platform allows us to differentiate between those three groups of people. We have overall control and can oversee the security levels at all the endpoints. They have not yet been blocked in any way when performing the functions.

I have one instance where we had a trigger of an attack. Luckily, it appeared to be in an unregistered program created a lot of threats by renaming files. This was something that the employer developed by his own. This was an unknown program that generated a lot of threats to very quickly rename a thousand files. However, it was not an actual attack, but the behavior of that program was such that the AI protection of SentinelOne kicked in and alarmed us of a possible attack. One of our employees created a program just for his benefit. It had exactly the same behavior as a ransomware attack would have had, then it kicked in. This is why I'm confident that SentinelOne will also detect real ransomware actions. That is the only one instance where I encountered the Behavior AI software kicking in.

We haven't had any real attacks over the last year. We did have some intrusions mainly from suspicious files that people were getting via their browser and some attachments that I tried to open with double extensions. Luckily, in the last year, we haven't had any actual attacks.

The effectiveness of the solution’s distributed intelligence at the endpoint is 100 percent. We haven't had any incidents break through. We only see a very small reduction in PC performance.

What is most valuable?

The main reasons that we use SentinelOne are the antivirus and Behavioral AI protections. We have this solution centrally managed to see what endpoints are active, along with the latest software protection running. It also provides us external control, so we can block machines remotely, even if they are in another country, because we have account managers all over the world. All these features together protect us against strange behavioral programs.

SentinelOne's one-click, automatic remediation and rollback for restoring an endpoint is very handy. We had some issues with programs that were unknown by SentinelOne, then marked as suspicious and quarantined, because we also develop software ourselves and have software packages that were compiled in 1995 and don't conform to the normal rules. SentinelOne always marks those packages as suspicious because they do something different than they should when you compile them with current libraries of Windows, etc. Therefore, we had some interventions of SentinelOne where you can easily whitelist them and rollback the quarantine action so people who use those old-fashioned programs could easily continue with their work. 

This was only an issue during the first month when we rolled out the software, then it starts doing scans mainly on the R&D PCs, which was our great concern. Normal office use is fairly straightforward, but when you develop software (and we also develop software to communicate with our embedded systems), then the demands are a bit different. However, until now, we have been very happy with it.

What needs improvement?

We have had one or two occasions when we had to roll back off our Windows machine. Then, we had an issue with SentinelOne where we couldn't let the client make contact with the cloud service anymore. Therefore, the integration with the Windows Service Recovery could be improved in the future.

For how long have I used the solution?

We have been using it for about a year now. We rolled it out in December 2019.

What do I think about the stability of the solution?

All the endpoints are running without problems. It is very stable. We have deployed several versions of agents. I haven't encountered any issues, apart from when that rollback occurred, and the SentinelOne agents were locked out of the cloud platform, and the only way to retrieve that was by installing it again by hand. 

Up until now, SentinelOne's effectiveness has been 100 percent.

What do I think about the scalability of the solution?

We are a relatively small company with about 80 employees. Most things are offsite. We do not use automated things very much.

There are four users from the admin side.

Together with another colleague, we chose SentinelOne, then tested and deployed it. A few other colleagues have monitoring views in SentinelOne, e.g., if a site has to be whitelisted. 

How are customer service and technical support?

I had one issue that I brought up with customer support. They delivered a solution in about two hours. It was related to the issue with the agent. I just issued an email, and in about an hour, the problem was solved. I was delivered a good solution: an uninstalling procedure and how to go about it. That's the only thing that we needed it, and the only time we needed the technical support.

Which solution did I use previously and why did I switch?

Before this solution, we used McAfee, which was not enough for our use. Then, SentinelOne came into the picture. It not only had static virus checking (antivirus), but it also had the Behavioral AI features, like triggers, that we could investigate.

The McAfee solution that we had was more demanding, more expensive, and had less functionality. Three to four years ago, we had an incident with ransomware, and it wasn't detected at the time by the McAfee on all the points. There were two points that were affected. Since it wasn't noticed by the McAfee. we were considering other software solutions from that point on.

SentinelOne offered a good solution, which is the main reason that we went with them. It was easy to manage, although we didn't use McAfee the way we use SentinelOne right now. McAfee was incorporated in our company about 20 years ago, so we probably didn't use all the facilities that McAfee can offer now. 

SentinelOne made us a good offer, especially regarding the Behavioral AI aspect of the protection. Therefore, we just wanted to see what they could offer us. After a year, we are still very satisfied.

SentinelOne had a smaller footprint, both in resources and time-wise, as in load, than the McAfee solution that we had previously.

How was the initial setup?

The initial setup was fairly straightforward. It was very easy to start up. You didn't have to go into a lot of documentation to roll it out. We used the management from the central platform, not our own central platform on-premise, and did it on the cloud version. This way, it could be delivered and updated remotely.

The deployment took a week. We deployed it to about 90 endpoints.

What about the implementation team?

We just had a discussion with the SentinelOne service provider onsite. He gave a revision of how SentinelOne should be deployed along with some examples. Before we deployed it to the entire company, we had a testing time of about two months. 

What was our ROI?

SentinelOne has reduced incident response time. The two main pillars that SentinelOne helps us with: 

  1. Central management: I can ensure management that if there is a breach all the machines and endpoints are up-to-date and protected. 
  2. SentinelOne allows us to switch off an endpoint remotely, which we could do previously. Most people are on-premises, but there are 15 to 20 people all over the world with laptops connected everywhere. 

It saves a few hours a week for one person, because you can see the statuses of all the machines in one place. 

What's my experience with pricing, setup cost, and licensing?

It was cheaper than McAfee, which was a way to convince management to go with the solution.

What other advice do I have?

At the moment, we are very pleased with the solution.

We saw the Storyline technology briefly. However, the Storyline is only when you have actual attacks, and they are not caught in the beginning. Most of our attacks were caught just by static recognition of the files, so there was no story because the file was not allowed to activate. In the beginning, we did some fake file checks in an enclosed surrounding and in a CM setup, which is how I saw the Storyline facilities, but we don't use it.

I would rate this solution as a nine (out of 10).

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Roel Schreurs
System Engineer at Lyanthe
Real User
Top 20
The rollback worked flawlessly, saving me a couple of days of work

Pros and Cons

  • "The best part of the agent is that users can't remove or disable it, so endpoints will be safe. I can control it from the portal. I can see when it's updated and I can push updates from the portal. The greatness of SentinelOne is that our end-users don't see anything to do with the agents. Some of them don't even know it's on their laptops. And that's a good thing."
  • "It's good on Linux, and Windows is pretty good except that the Windows agents sometimes ask for a lot of resources on the endpoints. That could be in the fine-tuning for scanning. In Mac, they are complaining about the same problems, that it's using a lot of resources, but that could also be that we have to configure what it is scanning and what it should not scan. Currently it scans everything."

What is our primary use case?

It's for our regular laptop users, desktops, and our production servers. For the production servers we use it to make sure there is nothing coming from the outside. And for our regular users it works everywhere, so they can do everything with a laptop.

It's a cloud solution. We don't have a large business. We have a lot of services but we don't have many users. Everything is in the cloud and we have about 20 clients or 20 agents for normal users in the Netherlands and we have between 100 and 200 users in the Philippines. The rest is for server safety.

How has it helped my organization?

There is a lot of remote work at the moment and SentinelOne provides the safety I want. Everything goes outside now and the only control I have is Sentinel One, but it gives me enough control.

We have developers who do a lot on their laptops and sometimes they create problems. When that happens, SentinelOne is pretty fast with them. We have configured it to disconnect them from the network so we don't end up with more problems. Now, those developers know they have to contact our IT department if they want to fix it. The great thing there is that we know that when something happens on a laptop it is isolated.

We see what is mitigated and what is not. And when SentinelOne is in doubt, it asks the managers what to do with what it has found. When you have arranged that once, it will take care of it the next time. That's great.

Overall, it's effectiveness is 100 percent because we don't see many outbreaks anymore. Nobody's complaining about using their endpoints.

I've only done a rollback once and it worked flawlessly at that moment, but that was nine months or a year ago. It saved us a lot of time because the problem didn't spread over the network. It affected one machine because it was disconnected from the network. We then rolled it back and it was up and running again. If the rollback hadn't worked well, it would have meant a couple of days of additional work. If the outbreak had reached my network I would have had to clean everything. I was able to do everything from the portal. The connection with the manager was still there. We just had to click on two buttons and everything went.

Overall, it has helped to reduce our response time by about 20 percent. 

What is most valuable?

The most valuable feature is the information it finds and what it is doing with that information. I can check if the info it sends is true. It's very clear. 

And if you configure it in the right way, it does a lot automatically. And that's what you want. You don't have to use it every day. I only log in to the SentinelOne portal once a day, just to check if there are alarms or the like and that's it. The rest is flawless.

Now that we've been using it for six months, SentinelOne knows what we want to have, what it has to do and it works that way. So it's very simple to use and that's pretty nice for the team. 

The best part of the agent is that users can't remove or disable it, so endpoints will be safe. I can control it from the portal. I can see when it's updated and I can push updates from the portal. The greatness of SentinelOne is that our end-users don't see anything to do with the agents. Some of them don't even know it's on their laptops. And that's a good thing.

What needs improvement?

It's good on Linux, and Windows is pretty good except that the Windows agents sometimes ask for a lot of resources on the endpoints. That could be in the fine-tuning of the scanning. In Mac, they are complaining about the same problems, that it's using a lot of resources, but that could also be that we have to configure what it is scanning and what it should not scan. Currently it scans everything.

For how long have I used the solution?

I have been working in my current company since April 1, so I have been using it here for six months. But I used it in another company in Eindhoven for a couple of years. That company was also a provider of SentinelOne and that's why I know how it works and what it does.

What do I think about the stability of the solution?

It has great stability. We haven't experienced any downtime or any kinds of bugs. If the users use the endpoints normally, nothing happens. We have some users who think they have to bypass SentinelOne, and then we sometimes have problems with those endpoints. But that's because of user action. It has nothing to do with SentinelOne.

What do I think about the scalability of the solution?

We started with about 50 endpoints and now we have over 300. We haven't had a problem with it.

There will be more servers to watch over so our usage will be increasing. When the business grows, our IT will grow with it, and SentinelOne has to grow along with us.

How are customer service and technical support?

I have used their technical support and my experience with them has been very good. They are fast. They know what they're talking about. Those are two great things for support to have.

Which solution did I use previously and why did I switch?

Before SentinelOne the company was using F-Secure. It started as an antivirus and then F-Secure also made a cloud-based endpoint protection solution from it, with a managed base and automation and checking for updates. It works with a database, which is not the way SentinelOne works. F-Secure is much cheaper.

They switched to SentinelOne because it is more for malware. F-Secure doesn't do anything in malware, just virus scanning.

How was the initial setup?

The initial setup of SentinelOne is straightforward. It's fairly logical. Everything works in the way you think it has to work. It's pretty simple to work with. It's just a matter of installing the agent and go. It takes about two minutes. There is an agent client with token codes. You just install the token code in it and reboot your endpoint and it's working.

We have it installed on 305 endpoints. This is a work in progress. We didn't have all of those endpoints when SentinelOne came in. We've rolled out new endpoints. But, it doesn't take long for a machine to get an agent and to make a connection and to get updates. Once you are in the portal, you can update from there. And then, you only have to check if it's already there and if the agent is working.

If we push an update, within an hour everything is there. If they are all online it will go pretty fast.

What was our ROI?

It's working simply. You don't have to learn a lot to know what it does and how to work with it, and that saves time. And it gives you a solid solution for security.

What's my experience with pricing, setup cost, and licensing?

You have to look at the kinds of problems you can end up with and the fact that you want security against them, and then SentinelOne is not expensive. That's the way I would sell it. 

If you avoid having one outbreak a year, just one, then SentinelOne is worth the money. When you have that one outbreak and it spreads across your complete network, it means days of work are gone. For a complete environment like ours, with 300-plus users, it would be very expensive.

Which other solutions did I evaluate?

I've also used Sophos with customers. If you want to have a safe environment, then you have to work with tools like SentinelOne. F-Secure and Sophos work with databases for virus knowledge and that creates a delay.

Also, SentinelOne has the rollback which works flawlessly, whereas F-Secure and Sophos don't have that.

What other advice do I have?

My advice is start working with it. You're going to love it.

The biggest lesson I've learned from using SentinelOne is that security tools can be different. SentinelOne has taught me that you can do security in different ways. If it sounds expensive, I would not always say that it is expensive.

We are a very small business. We don't have somebody who specializes in security. Our IT is just three people who do everything. That makes it difficult to say we are going to focus on SentinelOne and try to use it completely. We put it into use for malware security and that's it. We only have a WatchGuard firewall on the front-end and that's it in terms of security on SentinelOne.

They are improving the management tools. They are getting better. The portal is functioning with more logic. Those are good improvements. It's user-friendly enough. People with low IT knowledge can work with it.

It's a very good program. It does what it says it does, and I'm very glad that I have it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
AG
Head of IT at a transportation company with 501-1,000 employees
Real User
Top 20
Straightforward to install, quick and detailed technical support, and application inventory is helpful

Pros and Cons

  • "In terms of the engines that SentinelOne uses, it has stopped various scripts from running and it's highlighted lateral movement that we weren't expecting."
  • "With respect to product patches, it should have the ability to patch directly from SentinelOne, rather than be presented with a list and have to do it separately."

What is our primary use case?

Our primary uses are endpoint protection and application inventory.

The management is done through the SentinelOne web interface.

We work strictly in a Windows environment, using it for both workstations and servers.

How has it helped my organization?

At the moment, using SentinelOne brings us peace of mind. It has only highlighted a few things and generally, we've been quite lucky.

In terms of the engines that SentinelOne uses, it has stopped various scripts from running and it's highlighted lateral movement that we weren't expecting. From that perspective, it's been good.

We don't have a lot of incidents but SentinelOne has reduced our response time by a couple of hours, per incident. It does a lot more than what the previous AV products did.

What is most valuable?

The most valuable features are application auditing and malware detection.

Application inventory and auditing highlight which applications are installed on the endpoints, and whether there are any known vulnerabilities. If the endpoint is not patched then it will be reported. This helps us in terms of validating our patch management methodology.

On the malware protection, it looks like it stops all malware and detects things such as suspicious activity.

The automatic monitoring of OS processes is a good thing to have. However, I'm not totally familiar with the product in-depth. It gives peace of mind in terms of our security and it doesn't seem to have any impact from an end-user perspective.

We use the threat detection feature.

The Deep Visibility feature is something that we have used once or twice. It gives us visibility of all of the activities that took place, to determine what exactly was caused. We don't use this feature very much, purely because we don't have many things to look at. We did find some things that were suspicious, and we were able to resolve them. It highlights certain things that we weren't aware of, and then we were able to go in and understand them further. At that point, we either marked an issue as a false positive, or we denied it permission to continue. In either case, SentinelOne stopped it from proceeding. 

At the moment, my confidence is quite high with respect to the effectiveness of the distributed intelligence at the endpoint. I haven't had reason to determine if it's not working and at the moment, it seems to be doing what it says it does.

What needs improvement?

With respect to product patches, it should have the ability to patch directly from SentinelOne, rather than be presented with a list and have to do it separately. As it is now, it shows you what products require patching, but you need a separate application to install the patch. If you could initiate an update to the application from SentinelOne, that would be a nice feature. 

For how long have I used the solution?

I have been using SentinelOne for approximately a year and a half.

What do I think about the stability of the solution?

Overall, the stability is very good. We have had one version where it had a high CPU usage, but the later versions were better.

What do I think about the scalability of the solution?

We have not run into problems with scalability. It can be very good.

There are three users in the company including the IT department, helpdesk, and operations manager. At the moment, we have implemented 100% of our endpoints. Probably, as we add endpoints over time, our usage will increase slightly.

How are customer service and technical support?

The technical support is excellent. We have only had to use them two or three times, and the response has been very fast, very detailed, and very explanatory.

Which solution did I use previously and why did I switch?

Prior to SentinelOne, we used Symantec Endpoint Protection. We switched because SentinelOne offered various features such as Deep Visibility, threat analysis, and application inventory. There were a lot of features that SentinelOne had that Symantec didn't, at the time.

How was the initial setup?

The initial setup is very straightforward. It was pretty much all done for us. Essentially, all we had to do was install the agent on each workstation that was upgraded.

It took about three weeks to deploy, covering all 212 of our endpoints.

We didn't have a specific implementation strategy. We somewhat phased it in, and all of the new devices would be installed with SentinelOne. As we go through the different workstations, we replace what is necessary and upgrade the agent. It was a case of going through our four different offices and because we're quite small, we did it one by one.

There is no maintenance required, post-deployment.

What about the implementation team?

SentinelOne support assisted us with deployment and it was done pretty much right away. They were very good.

Once the tenant was created, they gave us an overview of how to use it. The product is quite straightforward and easy to use and. There are probably elements we could go through further with SentinelOne, but I don't know if it's because I buy through a third party. Maybe, the third party is supposed to do more, but I'm not sure.

The reseller that we purchased SentinelOne from is O2 Mobile, and the experience was fine.

What was our ROI?

Although there isn't a tangible ROI, the product gives us a lot more detail and insight into the threats, which is valuable. There has been ROI, but it's more time value rather than a hard dollar value.

What's my experience with pricing, setup cost, and licensing?

The price is reasonable in terms of what the product offers. SentinelOne is more affordable than some competing products, and it's not overly expensive for what you're getting.

Which other solutions did I evaluate?

We looked at Trend Micro before choosing this product. SentinelOne looked easier to use and it was almost a complete product. We didn't go into too much depth, and I cannot compare the detection capabilities, but the cost was a factor.

What other advice do I have?

My advice for anybody who is implementing this product is to fully understand all of the elements that it provides and to be aware of all of the features. For myself, I think it's important to have a deeper and better understanding of all of the functionality that the product offers.

At the moment, we have a lot of trust in SentinelOne. If it continues to stop future threats then I will continue to rate it highly, or even perfect. At this time, I wouldn't say it's perfect because I can't say that I haven't been compromised because of it.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
MV
IT Manager at Telecorp Inc.
Real User
Top 5Leaderboard
Protects our network end users from malware and eliminates ransom ware with timely alerts and automatic resolution

Pros and Cons

  • "Prevents ransomware getting through."
  • "Communication and documentation could be improved."

What is our primary use case?

My primary use case for this solution to protect my clients and sites that I support from malware and ransom ware. It is installed on the end point clients and servers as a client and then it clean and protects after a reboot. As a managed service provider we found it instrumental at preventing viruses and especially preventing ransom ware. We went from 30% ransom ware infections to zero. The software stops the infection before it executes.

How has it helped my organization?

It has saved hundreds of hours fixing destroy and encrypted computers. In the old days even if you restored the files Windows was still damaged. This stops the software from executing.

What is most valuable?

The valuable feature of this solution is the ability for it to stop a virus or ransom ware. It uses a SOC for active monitoring and AI software that watches where you go and what gets executed. If it sees danger I get alerted and the machine is frozen. If the SOC believes it to be a virus the machines network card is frozen or the machine is automatically returned to the state before the file was executed and the file is erased. If it's safe the machine is auto unfrozen. I can go in look at the logs, verify if it's a false positive and unfreeze the machine. If I believe it is a virus I can return the machine to before the file got executed. Erasing any damage. If I believe it's a false positive I can mark it benign and re execute the file. So far it's stopped four ransomware cases from getting through, so it's doing a good job.

What needs improvement?

I think communication and documentation could be improved in the solution. When you get a virus alert, there's not a lot of upfront training to let you know how to resolve a situation when it occurs. The first couple of times you're flailing a little bit until you get it sorted. I would probably also suggest that the interface could use a little bit of help. It's a little hunt and peck. 

For additional features, I'd like to see the ability to control it on a cell phone. It would be great if I could have it in the palm of my hand so that if I get a false positive, I can just look at the dashboard on my phone.

For how long have I used the solution?

I've been using this solution for seven months. 

What do I think about the stability of the solution?

The solution seems super stable, although you do get some false positives, especially when it encounters a new piece of software. But the SOC is able to quickly whitelist and adopt to the new software fairly quickly.

What do I think about the scalability of the solution?

The solution is scalable. I'm able to put it both in a script and I can see it being able to be deployed in a large environment as well as a small one. I have 285 end points and the roles are anywhere from financial traders to insurance agents. All employees have access to the solution, it's actually turned into my main route for antivirus end protection and the product doesn't require any maintenance except for when it finds a virus.

How are customer service and technical support?

I've used technical support a few times and it's very good. They're very responsive and they alert you very quickly when there's an issue. They lean heavier on protection, which can sometimes be a problem. A lot of times, by the time I'm logged in to look at it, they've already figured out that it's a false positive and they mark it and whitelist it and put the machine back online. All that can take less than a couple of seconds.

Which solution did I use previously and why did I switch?

I've previously used several antivirus programs and then I got to the point where I wanted to use an artificial intelligence program. Originally I used CrowdStrike, which I also liked, but the main reason I switched to SentinelOne is because it's incorporated as part of my MSP solution suite.

How was the initial setup?

The initial setup is very straightforward. When you implement, it goes through and does the initial scan and it makes the configuration changes that it needs. I haven't had a problem with any deployment at all and it's a very quick process. 

What about the implementation team?

It's deployed in house

What's my experience with pricing, setup cost, and licensing?

The cost of the solution varies and depends on your relationship with the supplier. My cost is USD $6 per end point. I don't have additional costs on top of that.

Which other solutions did I evaluate?

I evaluated, Norton 360, Windows antivirus, Webroot, Crowdstrike, and ESET

What other advice do I have?

With solutions like these it's important to keep in mind that any automated system can give false positives, especially when they first encounter your software. Be patient, work with the SOC and the technical support team. If your work is implementation, then do whole sites at one time. It's best to do it in sections, let it sit for a couple of weeks and then do the rest.

I would rate this solution a ten out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CC
CIO at a manufacturing company with 1,001-5,000 employees
Real User
For the first time we have global knowledge of what's happening in all of our subsidiaries

Pros and Cons

  • "One of the features that convinced us to adopt SentinelOne was that the solution can recognize and respond to attacks with or without a network connection. That is very important."
  • "Generally, the stability is good, but I would like to see better stability from the solution. The stability issue is partially a con of a behavioral-based product, but being behavioral-based, it also has a lot of pros."

What is our primary use case?

We were looking for an EDR solution to get the best protection available, especially against ransomware. For us, any EDR solution needed to be supported by a 24/7 SOC.

We deploy it on-premise, in all of our factories and branch offices, worldwide.

How has it helped my organization?

Security operations have been improved as SentinelOne is easier to manage and update compared to most traditional anti-malware products. It enables us, for the first time, to have global knowledge of what's happening in all of our subsidiaries. Previously, each of them had a local antivirus solution.

What is most valuable?

  • Easy to install and update
  • Management Console in the cloud
  • Ability to partition it in "sites" (our subsidiaries) with local site admin
  • Overall good quality protection

Also, in terms of impact on the endpoint, we carefully manage endpoints for specific purposes (such as for connection to industrial machines) to avoid the false positives that are quite typical in a behavioral engine like SentinelOne. But generally, the impact is quite low, and the Management Console and SOC support allow us to check if everything is working properly or not.

In addition, one of the features that convinced us to adopt SentinelOne was that the solution can recognize and respond to attacks with or without a network connection. That is very important.

For how long have I used the solution?

We started to install SentinelOne on the first endpoints in August of 2019.

What do I think about the stability of the solution?

Generally, the stability is good, but I would like to see better stability from the solution. The stability issue is partially a con of a behavioral-based product, but being behavioral-based, it also has a lot of pros.

What do I think about the scalability of the solution?

The scalability is good. At present, I can't see scalability limits.

We have SentinelOne installed on almost 1,700 endpoints and have one main admin for deployment and maintenance and about 20 local site admins.

We have some factories and branch offices where the solution is not yet installed. We hope to complete most of them by the end of this year and, by then, have it installed on about 2,300 endpoints.

How are customer service and technical support?

Support is quite fast to solve problems. The SOC is very good and really operates 24/7. When necessary, they contact SentinelOne support directly and their replies, generally, are quite fast.

Which solution did I use previously and why did I switch?

We used traditional antivirus solutions. None of them could stop ransomware attacks and that's the main reason we choose SentinelOne.

In terms of the time it takes for SentinelOne to catch malware compared to our previous platform, the results are similar, with an advantage of SentinelOne being its discovering of Zero-day threats and ransomware.

A SOC provider showed us the product, and we worked out a global agreement for EDR and SOC with them.

How was the initial setup?

The initial complexity was mainly related to finding the right exclusions to avoid false positives, especially with endpoints running technical and industrial software.

The rollout in our main company, with about 600 endpoints, was completed in about three months, including the initial fine-tuning for the AI engine.

In terms of our deployment strategy, in the first company where we installed SentinelOne, we chose to maintain our traditional antivirus product, and run SentinelOne together with it. The decision came about because we were not initially confident with SentinelOne. When we deployed it later to all of our subsidiaries, SentinelOne replaced the local antivirus solution.

What about the implementation team?

Main support was provided by the SOC company, working together with our IT Staff.

What was our ROI?

We have seen a good ROI about the SOC service and the product.

What's my experience with pricing, setup cost, and licensing?

The solution's price/performance ratio is reasonable.

In addition to the standard licensing fees there is, of course, the SOC service fee.

Which other solutions did I evaluate?

We evaluated main SOC companies and the solutions they provide. Most of them required a SIEM platform but not specifically an EDR solution. In the end, we chose the best and most affordable combination of SOC and EDR.

What other advice do I have?

My advice is to start with a few endpoints and become comfortable with SentinelOne, and test the exclusion rules for endpoints running specific software.

At present, it looks like the most advanced EDR solution on the market, but I think we have to stay tuned to the market and to what's happening in cybercrime, as 100 percent security doesn't exist.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free SentinelOne Report and get advice and tips from experienced pros sharing their opinions.