Cyber Resilience

SentinelOne vs Carbon Black

23 February 2023 | ITHQ Tech Team


SentinelOne or Carbon Black? Both platforms take a single-agent approach that meet multiple use cases to include EPP, EDR, threat hunting and remediation. Both also have innovator/visionary statuses (as of 2021) from independent comparisons.

SentinelOne is now a Leader on Gartner's Magic Quadrant whereas Carbon Black retains its Visionary status. This could be because Carbon Black is more of a NGAV platform, whereas SentinelOne delivers a full EPP.

This was highlighted in the recent MITRE ATT&CK APT 29 report, where Carbon Black missed 28 detections with SentinelOne only missing 7 (the lowest number of misses across all platforms tested).

If you're looking for a next generation endpoint protection solution and these two are on your long list, here's a direct comparison page to help.


Got questions about SentinelOne? Talk to an expert


Endpoint Protection: Key considerations

  • Is it easy to deploy and manage?
  • Is it dependent on cloud command and control for detection and response?
  • How effective has it been against zero-day attacks?
  • Do you have feature parity across Windows, Mac and Linux?
  • How does it perform in real world test scenarios?
  • What do other customers say about it?


Comparison of Business Benefits and Features

  carbon black logo SentinelOne logo
Business Benefits
Autonomous prevention, detection, and recovery from threats in real-time. Yes - Leverages cloud-delivered threat intelligence and custom watchlists to automate repetitive hunts. Yes
Fast Recovery
Partial / Manual Yes - Can be automated or 1-click
OS freedom (Windows / Mac / Linux feature parity)
No feature parity Yes
Fewer alerts with more context
Tanzu Observability dependent - context includes both the metrics and traces. Yes
AI-powered prevention, detection, response, and threat hunting. Yes Yes
API integration
Yes - pull metrics from the Kubernetes APIs.
Scalability Yes - scale to thousands of containers. Yes - Support for containers and serverless workloads, especially Kubernetes dynamic workloads.
Higher accuracy across entire attack surface.  Yes - Visualise entire attack chain with corresponding easy-to-follow details to uncover root causes. Yes - Consistent identification of tactics and techniques in the MITRE Phase 2 evaluations.
Centralised Visibility  Yes - single agent and console. Yes - full storyline.
Automation & Control Yes - VMWare uses Infrastructure as Code (IaC) so modifications are completely repeatable and can be processed automatically.  Yes - Automated mitigation options via the Storyline Active Response Capability.
Data analytics  Yes - Store detailed forensic data for post-incident investigation. No - SentinelOne does not have its own network security sources to add.

Collection and reporting of; inventory, config and policy management of endpoint devices.

Yes - automate ongoing reporting on patch levels, user privileges, disk encryption status, and more to track and maintain a desired posture. Yes

Mobile Threat Defence

No  Yes

Ease of deployment

Yes - Simplify deployment with out-of-the-box policies. 

Yes - Excellent timeliness and quality of customer support.


AI across user endpoints, containers, cloud workloads, and IoT devices.

Yes - New IoT discovery and protection capabilities in its Ranger product.
Static & Behavioural AI
Yes - Consolidate threat intelligence for your environment to automatically detect suspicious behaviour.
Exploit protection Partial - cloud dependent. Yes + context
Lateral movement Yes- Isolate infected systems and remove malicious files to prevent lateral movement. Yes + context
Remediation Yes Automated



Integrated threat feeds Yes
Remote shell Yes - but limited command set. Yes
Device control Yes - Gain visibility into precise details about current state of all devices - on and off the network.
Yes - Device discovery via Ranger.
Firewall control Yes - Secure end-of-life systems with allowlisting policies. Yes
Bluetooth control No
Threat hunting
Yes - full storyline
Deep visibility Yes - distributed tracing via Tanzu Observability. Yes
Event Correlation  Yes Yes
Execution Restriction

 Yes - but false positives.

Vulnerability scanning  Yes - built-in risk scoring. Yes - Priority list of vulnerable applications.
Security patching  Yes Yes
Triage  Yes - Gain alert coverage and threat triage across your entire deployment. Yes - Investigate in seconds with automated correlations and Storyline.
Disk Encryption  Yes No - Missing add-on for fully featured DLP.


Book my SentinelOne Demo I want to see complete XDR in action


Industry and Peer Reviews

Gartner Peer Insights

carbon black logo

VMware Carbon Black  EDR

SentinelOne logo

SentinelOne Endpoint Protection Platform by SentinelOne



Gartner Magic Quadrant for Endpoint Protection Platforms May 2021



Independent Testing

carbon black logo


Scored good results in Telemetry

Mitre no background

APT29 2020

Scored record results:

  • Least missed detections
  • Most high-quality detections
  • Most correlated detections
Top ROI score 2019
NSS labs Top ROI score and Recommended rating 2019
N/A VB100virus 99.8% block rate across Windows testing
Only 1 false positive detection on Windows 1

100% protection against zero-day malware attacks on Windows

BestNDRWinner2021 SentinelOne_SE_Labs_Best_Innovator_WINNER_2021

In top 10 vendors

Recognized for the commitment to pushing the boundaries of autonomous technology — delivering innovation at scale and speed, and shaping the endpoint market.

 N/A PassMarkLogo

Performs better than several legacy AV products for the following:

  • Quickest boot time
  • Quickest install time
  • Smallest install size
  • Lowest CPU usage during scan



All prices calculated at per endpoint per month, for comparison purposes.

Pricing is 'starting from' and based on list pricing. It can be subject to change, volume discounts etc.

Correct at February 2021

Pricing questions? Get in touch


SentinelOne logo

 Minimum purchase - 5 endpoints - only through ITHQ

Payment can be billed monthly - only through ITHQ

To achieve these prices below, minimum purchase 100 endpoints, billed annually.

Quote always required for accurate pricing

Core Control Complete
$4.16 $4.90 $9.00
Includes full advanced EDR
All Core features plus device, firewall and bluetooth control
All Control features plus threat hunting and deep visibility


carbon black logo

Minimum purchase - 100 endpoints

Payment always billed annually

Standard Advanced Enterprise
Includes NGAV and behavioural EDR only All Standard features plus audit & remediation
All Advanced features plus threat hunting & incident response


Get my copy Forrester: SentinelOne TEI report shows 353% ROI