CrowdStrike vs SentinelOne: Side-by-Side Comparison

Threat Intelligence

CrowdStrike Falcon
Built-in Threat Intelligence. Enriched with the CrowdStrike Threat Graph, which correlates trillions of telemetry events against known adversaries, malware families, and attack techniques.
Adversary Attribution. Shows whether an attack is linked to known threat actors (e.g., nation-states, cybercriminal groups).
Falcon OverWatch (optional). Proactive, human-led threat hunting that can identify stealthy attackers missed by automation.

SentinelOne Singularity
Mandiant. SentinelOne integrates Mandiant's frontline expertise in incident response and threat intelligence. Mandiant is a recognized leader in dynamic cyber defense, threat intelligence, and incident response services.
SentinelLABS. SentinelOne's elite research team conducts in-depth security research, uncovering vulnerabilities, new attack vectors, and advanced threat actor behaviors to enhance defense capabilities.

Security

CrowdStrike Falcon
Endpoint Security. AI-powered threat hunting with real-time protection.
Identity Protection. Monitors identity-based threats and lateral movement.
Antivirus. NGAV uses machine learning and indicators of attack (IOAs) to detect and prevent malware, ransomware, and zero-day threats without relying solely on signatures.

SentinelOne Singularity
Endpoint Security. Uses AI-driven behavioral detection to stop threats in real time.
Identity Protection. Monitors and blocks credential misuse and lateral movement attacks.
Antivirus. Provides autonomous, signatureless protection against known and unknown malware.

Response & Remediation

CrowdStrike Falcon
Real-Time Response. Instantly terminates malicious processes and isolates compromised endpoints.
Remote Remediation. Allows analysts to investigate, delete files, and execute scripts remotely via Falcon Real Time Response (RTR).
Forensics. Offers forensic-level insights for root cause analysis and fast response.
Integrated Playbooks. Automates responses based on detections for consistent and rapid remediation.

SentinelOne Singularity
Automated Response. Instantly kills malicious processes, quarantines files, and disconnects endpoints from the network.
Rollback Capability. Reverses malicious changes using Windows Volume Shadow Copies (on supported systems).
Remote Remediation. Allows analysts to run scripts, delete files, or clean up endpoints remotely.
Threat Containment. Isolates infected devices to prevent lateral movement during investigation.

Architecture & Infrastructure

CrowdStrike Falcon
Cloud-Native Platform. Falcon operates through a Software-as-a-Service (SaaS) model hosted on CrowdStrike's cloud infrastructure.
Local Agent. Less than 20 MB; no reboots required.

SentinelOne Singularity
Deployment. Available as a cloud-based service or as an on-premise virtual appliance, offering flexibility between the two models.
Local Agent. Size varies between 35 MB and 200 MB depending on the operating system and configuration.

Is it better suited for enterprises or SMBs?

CrowdStrike Falcon
CrowdStrike Falcon is best suited for enterprise environments, offering advanced threat detection and excellent scalability. It can efficiently manage and protect a large number of endpoints across diverse and complex infrastructures.
Pricing structures are geared towards larger businesses, which can make Falcon a significant investment for smaller organizations.

SentinelOne Singularity
SentinelOne Singularity is better suited for enterprises, though it can also serve SMBs with strong IT teams.
For SMBs, the platform may be more complex or feature-rich than necessary unless they have specific security needs or managed service support.

Distinctive Features

CrowdStrike Falcon
Falcon Sensor. Its real-time threat detection and response features are industry-leading, giving instant visibility into threats. It is highly regarded for its stability, low resource usage, and ease of deployment and maintenance.
Cloud-Native Architecture. The platform's cloud-native design offers scalability, efficiency, and seamless integration for cloud-based applications and environments.

SentinelOne Singularity
Hybrid Approach. Combines AI/ML, behavioral heuristics, and definitions, resulting in superior pre- and post-detection rates across various areas, including XDR functionality.
Unified Management Console. The platform's single management console with a unified agent simplifies deployment and management.

Common Criticisms

CrowdStrike Falcon
Premium Cost. SMBs will find the cost of CrowdStrike solutions to be on the higher end compared to competitors.
Advanced Feature Complexity. While the interface is generally user-friendly, some advanced features require additional training or expertise to fully utilize.

SentinelOne Singularity
Silent Blocking. Occasionally blocks applications without providing alerts or logs, making issues hard to identify and troubleshoot.
Resource Usage. The SentinelOne agent has been associated with significant CPU and disk usage, particularly during software deployments or on servers, affecting overall system performance.

CrowdStrike Falcon Dashboard & UI

CrowdStrike Partners

CrowdStrike partners provide businesses with expert consultation, seamless deployment, and technical support. Below is a list of some of the leading CrowdStrike partners in the market:

SentinelOne Singularity Dashboard & UI

SentinelOne Partners

SentinelOne partners provide businesses with expert consultation, seamless deployment, and technical support. Below is a list of some of the leading SentinelOne partners in the market: