a. SentinelOne 101
Endpoint & Data Cores:
SentinelOne's endpoint and Security Information and Event Management (SIEM) suites are the core pillars of its operations. It’s also quickly expanding into cloud security, which adds pretty much every large next-gen platform as competition.
- SIEM: Aggregating data (or “logs”) to help organizations uncover and remediate threats.
It specializes in small- and medium-sized business (SMB) clients and is expanding up-market. While CrowdStrike’s overarching platform is called Falcon, SentinelOne’s comparable suite is called the “Singularity Platform.” Core products include Endpoint Detection and Response (EDR). EDR offers constant monitoring and protection of endpoints (like a company iPhone). It surfaces, prioritizes and responds to observed threats. Like CrowdStrike, it offers highly autonomous services and a slick, lightweight agent to drive efficient work and interoperability. This, in turn, means overarching coverage and superior breach protection vs. legacy incumbents.
Also similarly to CrowdStrike, SentinelOne boasts a complementary data analytics platform (which it calls Singularity Data). This ingests data from a multitude of diverse security products. It’s the perfect sidekick for everything SentinelOne offers, as it can seamlessly collect data once, and recycle that data across as many relevant use cases as it needs to. This capability is especially important for the firm’s Extended Detection and Response (XDR). XDR is simply EDR with more diverse data usage to extend protection beyond solely the endpoint.
Singularity Data ingests data via “log scale,” which means logarithmically organizing and storing information. The company also says customers get lower cost and faster querying speeds with it.
Like Palo Alto and CrowdStrike, SentinelOne is looking to use its SIEM and endpoint talents to become a customer’s security operations center (SOC). This means becoming the vendor of record that provides holistic, end-to-end protection for its clients. And just like those two larger competitors, SentinelOne is trying to expand into cloud, identity and exposure management to enhance cross-selling and retention. It’s behind larger competitors in this regard, but is making progress.
All in all, there are three compelling effects of its product architecture:
- Open, inter-platform data sharing leads to more effective algorithm seasoning to drive better coverage and false positive minimization.
- Cross-selling is especially margin accretive for this business model. SentinelOne incurs most of its customer costs as it deploys its first module; cross-sells are almost pure margin.
- Seamless expansion into other relevant security niches…
Just like CrowdStrike (noticing a theme?), it’s also actively expanding into cloud security. Important cloud security acronyms:
- CNAPP = Cloud Native Application Protection Platform. This is a buzz phrase used to describe a firm’s full set of cloud tools.
- CWP = Cloud Workload Protection. It’s an agent-based, runtime cloud protection tool to observe any bad behavior by cloud environment entrants. It sounds the alarm bell for SentinelOne’s automated breach prevention and, if needed, the Managed Detection and Response (MDR) threat hunting team (called Vigilance).
- CSPM = Cloud Security Posture Management. CSPM reports vulnerabilities and conducts configuration analysis in any cloud environment. It can flag improper permissions or hygiene. It doesn’t stop breaches in isolation, but does offer needed alerts, which frees other cloud tools like CWP to do so.
- It acquired PingSafe to expedite delivery of this key cloud capability and bring its product suite closer to parity with CrowdStrike.
- Launched AI Security Posture Management (AI-SPM) to extend its CSPM offering to AI apps and models. CSPM tools are repurposed here to offer the same misconfiguration and hygiene issue-flagging services in the world of GenAI.
- Cloud Infrastructure Entitlement Management (CIEM). CIEM offers seamless oversight of access controls/entitlements for cloud assets. It can “detect over-privileged humans and machines, pinpoint toxic permission combinations and curtail risk with greater speed and efficiency.” This was one of the largest product gaps remaining between SentinelOne’s suite and those of Palo Alto and CrowdStrike.
- It more recently added runtime security to stop breaches in cloud environments.
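To make the CSPM/CIEM bullets above concrete, here is an added example (not SentinelOne code) of the kind of entitlement check such tools run: it walks constructed, AWS-IAM-style policy statements per principal and flags full-admin grants and well-documented “toxic” permission combinations. The principal names, policies and the combination list are all illustrative.

```python
"""Minimal CIEM-style entitlement analysis over constructed IAM-like policies.

Added example, not vendor code. Flags over-privileged principals (Action '*'
on Resource '*') and toxic permission combinations that are individually
benign but together let a principal gain more access than it was granted.
"""
import fnmatch

# Constructed sample: principal -> IAM-style statements (illustrative only).
PRINCIPALS = {
    "ci-deploy-role": [
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "iam:PassRole"], "Resource": "*"},
    ],
    "analyst-user": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::reports/*"},
    ],
    "legacy-admin": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Illustrative toxic combinations a CIEM engine would carry in its rule set.
TOXIC_COMBINATIONS = {
    "pass-role-to-compute": {"iam:PassRole", "lambda:CreateFunction"},
    "pass-role-to-ec2": {"iam:PassRole", "ec2:RunInstances"},
    "self-policy-edit": {"iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"},
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def allowed_actions(statements):
    """Collect granted action patterns (explicit Deny handling omitted for brevity)."""
    return {a for s in statements if s.get("Effect") == "Allow" for a in _as_list(s["Action"])}

def is_full_admin(statements):
    """True if one Allow statement grants every action on every resource."""
    return any(s.get("Effect") == "Allow" and "*" in _as_list(s["Action"])
               and "*" in _as_list(s.get("Resource", [])) for s in statements)

def grants(patterns, action):
    """True if any granted pattern (possibly wildcarded, e.g. 'iam:*') matches the action."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def analyze(principals):
    """Return {principal: [finding, ...]}; full-admin short-circuits the combo checks."""
    findings = {}
    for name, statements in principals.items():
        if is_full_admin(statements):
            findings[name] = ["full-admin: Action '*' on Resource '*'"]
            continue
        patterns = allowed_actions(statements)
        issues = [f"toxic-combination: {label} ({', '.join(sorted(combo))})"
                  for label, combo in TOXIC_COMBINATIONS.items()
                  if all(grants(patterns, a) for a in combo)]
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for principal, issues in analyze(PRINCIPALS).items():
        print(principal, "->", issues)
```

Running it reports `legacy-admin` as full-admin and `ci-deploy-role` for the PassRole-plus-CreateFunction combination, while `analyst-user` (read-only on one bucket) is clean.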
GenAI:
PurpleAI is SentinelOne’s overarching GenAI platform layer to up-level its product offering. It’s quite similar to CrowdStrike’s Charlotte AI, in that it can actively detect anomalies, summarize cases, help orchestrate remediations and fix issues with a human analyst’s permission. All of this pushes beginner-level security analysts to much higher levels of capability. This matters a lot in our budget- and talent-constrained world.
The company does have exposure management (vulnerability management) and identity tools, but the aforementioned offerings drive the vast majority of its current business.