23 February 2023 | ITHQ Tech Team
SentinelOne or Carbon Black? Both platforms take a single-agent approach that covers multiple use cases, including EPP, EDR, threat hunting and remediation. Both also held innovator/visionary status (as of 2021) in independent comparisons.
SentinelOne is now a Leader on Gartner's Magic Quadrant, whereas Carbon Black retains its Visionary status. This could be because Carbon Black is more of a next-generation antivirus (NGAV) platform, whereas SentinelOne delivers a full endpoint protection platform (EPP).
This was highlighted in the recent MITRE ATT&CK APT 29 report, where Carbon Black missed 28 detections with SentinelOne only missing 7 (the lowest number of misses across all platforms tested).
If you're looking for a next-generation endpoint protection solution and these two are on your long list, here's a direct comparison to help.
Autonomous prevention, detection, and recovery from threats in real time.
Yes - Leverages cloud-delivered threat intelligence and custom watchlists to automate repetitive hunts.
Partial / Manual
Yes - Can be automated or 1-click
OS freedom (Windows / Mac / Linux feature parity)
No feature parity
Fewer alerts with more context
Tanzu Observability dependent - context includes both the metrics and traces.
AI-powered prevention, detection, response, and threat hunting.
Yes - Pull metrics from the Kubernetes APIs.
Yes - Scale to thousands of containers.
Yes - Support for containers and serverless workloads, especially Kubernetes dynamic workloads.
Higher accuracy across the entire attack surface.
Yes - Visualise the entire attack chain with corresponding easy-to-follow details to uncover root causes.
Yes - Consistent identification of tactics and techniques in the MITRE Phase 2 evaluations.
Yes - Single agent and console.
Yes - Full Storyline.
Automation & Control
Yes - VMware uses Infrastructure as Code (IaC), so modifications are completely repeatable and can be processed automatically.
Yes - Automated mitigation options via the Storyline Active Response capability.
Yes - Store detailed forensic data for post-incident investigation.
No - SentinelOne does not have its own network security sources to add.
Collection and reporting of inventory; configuration and policy management of endpoint devices.
Yes - Automate ongoing reporting on patch levels, user privileges, disk encryption status, and more to track and maintain a desired posture.
Mobile Threat Defence
Ease of deployment
Yes - Simplify deployment with out-of-the-box policies.
Yes - Excellent timeliness and quality of customer support.
AI across user endpoints, containers, cloud workloads, and IoT devices.
Yes - New IoT discovery and protection capabilities in its Ranger product.
Static & Behavioural AI
Yes - Consolidate threat intelligence for your environment to automatically detect suspicious behaviour.
Partial - Cloud dependent.
Yes + context
Yes - Isolate infected systems and remove malicious files to prevent lateral movement.
Yes + context
Integrated threat feeds
Yes - But limited command set.
Yes - Gain visibility into precise details about the current state of all devices - on and off the network.
Yes - Device discovery via Ranger.
Yes - Secure end-of-life systems with allowlisting policies.
Yes - Full Storyline
Yes - Distributed tracing via Tanzu Observability.
Yes - But false positives.
Yes - Built-in risk scoring.
Yes - Priority list of vulnerable applications.
Yes - Gain alert coverage and threat triage across your entire deployment.
Yes - Investigate in seconds with automated correlations and Storyline.
No - Missing add-on for fully featured DLP.
VMware Carbon Black EDR
SentinelOne Endpoint Protection Platform by SentinelOne
Scored good results in Telemetry
Scored record results:
Top ROI score 2019
Top ROI score and Recommended rating 2019
99.8% block rate across Windows testing
Only 1 false positive detection on Windows
100% protection against zero-day malware attacks on Windows
In top 10 vendors
Recognized for the commitment to pushing the boundaries of autonomous technology — delivering innovation at scale and speed, and shaping the endpoint market.
Performs better than several legacy AV products for the following:
All prices are calculated per endpoint per month, for comparison purposes.
Pricing is 'starting from' and based on list pricing. It is subject to change, volume discounts, etc.
Correct at February 2021
Minimum purchase - 5 endpoints - only through ITHQ
Payment can be billed monthly - only through ITHQ
To achieve these prices below, minimum purchase 100 endpoints, billed annually.
Quote always required for accurate pricing
Includes full advanced EDR
All Core features plus device, firewall and Bluetooth control
All Control features plus threat hunting and deep visibility
Minimum purchase - 100 endpoints
Payment always billed annually
Includes NGAV and behavioural EDR only
All Standard features plus audit & remediation
All Advanced features plus threat hunting & incident response