1 Introduction

The sheer number of threat vectors, both external and internal, that organizations are facing are a direct consequence of the continuously increasing size and complexity of modern IT infrastructures. It has long become commonplace that traditional perimeter-focused security tools no longer can provide adequate protection in the era of distributed networks, hybrid cloud architectures, and employees working from home. This realization has led to a major paradigm shift in cybersecurity: modern tools focus primarily on quickly detecting, analyzing, and remediating threats before they manage to cause significant damage.

Almost a decade ago, this gave birth to a new class of Endpoint Detection and Response (EDR) products that focused on detecting and investigating suspicious activities on endpoints (and various artifacts and traces left by malware after an attack). In their basic form, EDR solutions collect various telemetry from endpoints using software agents, store that data for a period of time, and enable security analysts to examine affected endpoints remotely to identify and mitigate the root cause of a security incident.

Retaining a sufficient time span of historical data is more critical than ever since adversaries now commonly craft slow and stealthy attacks that might remain dormant for weeks or months before triggering. For example, the Sunburst attack was designed to trigger after 15 days and is but one example of why organizations increasingly seek several months of historical look back.

Originally emerging as an alternative to traditional Endpoint Protection (EPP) tools, these products have evolved into comprehensive, combined protection, detection, and response platforms for desktops, laptops, and servers. In addition, modern EDR/EPDR solutions use machine learning to identify anomalies in security telemetry, map them to known attack tactics and techniques (such as MITRE ATT&CK), and help security analysts make decisions faster and avoid alert fatigue.

Unfortunately, although such tools offer a substantial improvement both in quality and usability over legacy security technologies, monitoring endpoints alone does not provide sufficient coverage for modern, highly distributed, and heterogeneous IT environments. A classic example of convergent evolution, other classes of detection and response tools have emerged in parallel, focusing on the networking layer or cloud infrastructures (NDR) or specifically on cloud-native workloads like virtual machines and containers (CWPP).

The latest development in the security analytics and incident response market is XDR (eXtended Detection & Response). XDR solutions are designed to consolidate and replace multiple security tools for endpoints, networks, and clouds and provide a modernized take on traditional Security Information and Event Management. As opposed to SIEMs, telemetry is pushed into XDR platforms in real-time, not pulled from logs, allowing for much more rapid correlation and analysis. Just like EDR, XDR solutions rely heavily on AI and ML methods to reduce false positives, improve detection and categorization of anomalous activities, and provide a high degree of automation of threat hunting, forensic analysis, and remediation workflows.

SentinelOne is a security vendor headquartered in Mountain View, CA. Founded in 2013, the company's strategic vision is an integrated endpoint security platform to replace multiple disjointed security tools with a single solution to prevent, detect, analyze, and respond to cyberthreats across all enterprise IT assets, on-premises and in the cloud. Powered by an autonomous AI engine built directly into its endpoint agent, the solution aims to respond to a wide range of threats in real-time without the latency of the cloud.

In early 2020, KuppingerCole had already reviewed the company's flagship product, the SentinelOne Singularity Platform[^1]. However, since that time, the company has introduced several major changes in its solution's architecture that enables an expansion of its detection and response capabilities across multiple security layers and beyond just endpoints. These developments warrant an updated look at the SentinelOne Singularity Platform's capabilities.