We just raised a $30M Series A: Read our story

Compare CrowdStrike Falcon vs. SentinelOne

Cancel
You must select at least 2 products to compare!
Cisco Secure Endpoint Logo
21,139 views|13,974 comparisons
CrowdStrike Falcon Logo
71,243 views|53,450 comparisons
SentinelOne Logo
43,372 views|29,508 comparisons
Comparison Summary
Question: What do you recommend to choose when replacing Symantec EDR: SentinelOne or CrowdStirke Falcon?
Answer: Hi Ron - SentinelOne without a doubt - it has not been breached.
Featured Review
Find out what your peers are saying about CrowdStrike Falcon vs. SentinelOne and other solutions. Updated: November 2021.
552,305 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros
"Integration is a key selling factor for Cisco security products. We have a Cisco Enterprise Agreement with access to Cisco Email Security, Cisco Firepower, Cisco Stealthwatch, Cisco Talos, Cisco Threat Grid, Cisco Umbrella, and also third-party solutions. This is key to our security and maximizing operations. Because we do have the Email Security appliance and it is integrated with Threat Response, we have everything tied together. Additionally, we are using the Cisco SecureX platform, as we were a beta test for that new solution. With SecureX, we are able to pull all those applications into one pane for visibility and maintenance. This greatly maximizes our security operations.""The ability to detonate a particular problem in a sandbox environment and understand what the effects are, is helpful. We're trying, for example, to determine, when people send information in, if an attachment is legitimate or not. You just have to open it. If you can do that in a secure sandbox environment, that's an invaluable feature. What you would do otherwise would be very risky and tedious.""The threat Grid with the ability to observe the sandboxing, analyze, and perform investigations of different malicious files has been great.""One of the best features of AMP is its cloud feature. It doesn't matter where the device is in regards to whether it's inside or outside of your network environment, especially right now when everybody's remote and taken their laptops home. You don't have to be VPNed into the environment for AMP to work. AMP will work anywhere in the world, as long as it has an Internet connection. You get protection and reporting with it. No matter where the device is, AMP has still got coverage on it and is protecting it. You still have the ability to manage and remediate things. The cloud feature is the magic bullet. This is what makes the solution a valuable tool as far as I'm concerned.""Among the most valuable features are the exclusions. And on the scalability side, we can integrate well with the SIEM orchestration engine and a number of applications that are proprietary or open source.""Any alert that we get is an actionable alert. Immediately, there is information that we can just click through, see the point in time, what happened, what caused it, and what automatic actions were taken. We can then choose to take any manual actions, if we want, or start our investigation. We're no longer looking at digging into information or wading through hundreds of incidents. There's a list which says where the status is assigned, e.g., under investigation or investigation finished. That is all in the console. It has taken away a lot of the administration, which we would normally be doing, and integrated it into the console for us.""It is extensive in terms of providing visibility and insights into threats. It allows for research into a threat, and you can chart your progress on how you're resolving it.""The most valuable feature is signature-based malware detection."

More Cisco Secure Endpoint Pros »

"There's almost no maintenance required. It's very low if there's any at all.""The solution can scale easily.""CrowdStrike Falcon is a very light solution. It does not use too much processor or RAM.""Their endpoint is pretty flawless. There is no lag on the machines at all. Even though I have a good overview of all the machines, that's pretty much the most valuable feature of CrowdStrike Falcon.""It seems to do a pretty good job of protecting the host. It offers good insights that it gives you when it has a detection. It's pretty incredible.""CrowdStrike Falcon has done an excellent job at detecting breaches. It has allowed us to stay in business and keep our systems up.""The Protect functionality on the laptops provides great visibility into what's occurring, and the cloud management of the platform is what we needed.""Probably the most valuable thing to me is the real-time response piece. The fact that I can connect to an endpoint as long as it is on the Internet, no matter where it is globally. I can remove files from the endpoint, drop files on the endpoint, stop processes, reboot it, run custom scripts, and deploy software. Pretty much no other tool can do all that."

More CrowdStrike Falcon Pros »

"Our clients have been able to survive a ransomware attack without even knowing that they had had files encrypted and automatically rolled back - even their Point of Sale (POS) system did not miss a beat and the business continued as normal without interruption.""Previously, we had some processes related to incident response which required more steps. We needed to upload to VirusTotal, Sandbox, et cetera. Now, this process is shortened because all of the information we need is already in SentinelOne. We can briefly analyze and even respond from one management console. If someone has SOC, using the API, they can control everything. It's very cool. I think this is the future.""It is easy to manage and install. It has a very nice graphical interface that is very intuitive when end users are using it. You don't have to follow or read a book about 600 pages to have knowledge on how to use it. When SentinelOne is up and running, you can easily find your way.""SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's... There are cost savings not only on licensing but because I don't have to have different people managing different consoles.""The strength of SentinelOne is that it has an automated, active EDR. It does that first level of what a SOC analyst would do, automatically, using artificial intelligence, so we can focus on other things. Active EDR not only notifies you, but it actually fixes that first level. That is unheard of. Very few, if any, companies do that.""The most valuable feature is that it just unintrusively works in the background to carry out the protection.""When there is an incident, the solution's Storyline feature gives you a timeline, the whole story, what it began with, what it opened, et cetera. You have the whole picture in one minute. You don't need someone to analyze the system, to go into the logs. You get the entire picture in the dashboard. The Storyline feature has made our response time very fast because we don't need to rely on outside help.""In terms of the engines that SentinelOne uses, it has stopped various scripts from running and it's highlighted lateral movement that we weren't expecting."

More SentinelOne Pros »

Cons
"We had a lot of noise at the beginning, and we had to turn it down based on exclusions, application whitelisting, and excluding unknown benign applications. Cisco should understand the need for continuous updates on the custom Cisco exclusions and the custom applications that come out-of-the-box with the AMP for Endpoints.""The room for improvement would be on event notifications. I have mine tuned fairly well. I do feel that if you subscribe to all the event notification types out-of-the-box, or don't really go through and take the time to filter out events, the notifications can become overwhelming with information. Sometimes, when you're overwhelmed with information, you just say, "I'm not going to look at anything because I'm receiving so much." I recommend the vendor come up with a white paper on the best practices for event notifications.""Maybe there is room for improvement in some of the automated remediation. We have other tools in place that AMP feeds into that allow for that to happen, so I look at it as one seamless solution. But if you're buying AMP all by itself, I don't know if it can remove malicious software after the fact or if it requires the other tools that we use to do some of that.""The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on.""I would recommend that the solution offer more availability in terms of the product portfolio and integration with third-party products.""The connector updates are very easily done now, and that's improving. Previously, the connector had an issue, where almost every time it needed to be updated, it required a machine reboot. This was always a bit of an inconvenience and a bug. Because with a lot of software now, you don't need to do that and shouldn't need to be rebooting all the time.""I would like to see integration with Cisco Analytics.""The thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself."

More Cisco Secure Endpoint Cons »

"I would like them to improve the correlation of data in the search algorithms. When we run an investigation, malware, phishing, etc., I want to look at multiple endpoints at once to correlate that data to see the likenesses, e.g., how are they not alike or what systems and processes are running across those systems? I don't want to have to run the same search in their Spotlight module five, 10, 15, or 100 times to get 100 different results, copy that data out, and then correlate it on my own. In a very simple way, I want to be able to load up a comma-delimited list giving me the spotlight data on these X amount of hosts, letting me search for it quickly. We have had to go back to CrowdStrike, and say, "Our search are taking far too long for even one host." They did bump up the cores and that did improve performance, but it is still kind of slow to get that Spotlight data. That is probably our biggest pain point. I think that needs some help. I understand this kind of information access is probably not the easiest thing to do. It is probably a big ask depending on how their back-end is setup.""Support, particularly related to after-sales and after deployment, could be improved a bit. If you need to connect to support, it takes at least a day to reach the support team and get a proper reply.""A year and a half ago or more, if you put in a support request by email, then it wasn't timely addressed. It could be a day to three days before you received a response, which was a bit frustrating. There was a lot of customer feedback around this issue, which has been greatly refined.""It does take more time to scan than other solutions.""In the six months that I have been using CrowdStrike, it has not been able to detect anything.""Basically, they don't cover legacy OS or applications. That's the only issue we're concerned about""It would be nice if the dashboard had some more information upfront, and looked a little better.""The solution needs to have integration with on-premises security devices and security facilities. That means all the security products, including the perimeter firewall, the DMZ."

More CrowdStrike Falcon Cons »

"The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do.""We have had one or two occasions when we had to roll back off our Windows machine. Then, we had an issue with SentinelOne where we couldn't let the client make contact with the cloud service anymore. Therefore, the integration with the Windows Service Recovery could be improved in the future.""It would be nice if the console stored data daily, so that you could look at a timeline of events on a machine over a period of time, and currently this is not possible.""There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap.""If it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit.""Communication and documentation could be improved.""With respect to product patches, it should have the ability to patch directly from SentinelOne, rather than be presented with a list and have to do it separately.""One of the areas which would benefit from being improved is the policies. There are still software programs where we need to manually program in the policies to tell the system, "This program is legitimate." Some level of AI-based automation in creating those policies would go a long way in improving the amount of time it takes to deploy the system."

More SentinelOne Cons »

Pricing and Cost Advice
"Our company was very happy with the price of Cisco AMP. It was about a third of what we were paying for System Center Endpoint Protection.""There are a couple of different consumption models: Pay up front, or if you have an enterprise agreement, you can do a monthly thing. Check your licensing possibilities and see what's best for your organization.""Licensing fees are on a yearly basis and I am happy with the pricing.""There is also the Cisco annual subscription plus my management time in terms of what I do with the Cisco product. I spend a minimal amount of time on it though, just rolling out updates as they need them and monitoring the console a couple of times a day to ensure nothing is out of control. Cost-wise, we are quite happy with it.""We have a license for 3,000 users and if we get up to 3,100 users, it doesn't stop working, but on the next renewal date you're supposed to go in there and add that extra 100 licenses. It's really good that they let you grow and expand and then pay for it. Sometimes, with other products, you overuse a license and they just don't work.""The pricing and licensing are reasonable. The cost of AMP for Endpoints is inline with all the other software that has a monthly endpoint cost. It might be a little bit higher than other antivirus type products, but we're only talking about a dollar a month per user. I don't see that cost as being an issue if it's going to give us the confidence and security that we're looking for. We have had a lot of success and happiness with what we're using, so there's no point in changing.""The visibility that we have into the endpoint and the forensics that we're able to collect give us value for the price. This is not an overly expensive solution, considering all the things that are provided. You get great performance and value for the cost.""The Enterprise Agreement is like an all-you-can-eat buffet of Cisco products. In that vein, it was very affordable."

More Cisco Secure Endpoint Pricing and Cost Advice »

"Years ago, when we bought CrowdStrike, you got everything it had. I was a little concerned when they broke this out into a la carte modules where you can buy EDR, Spotlight, etc., picking and choosing off the menu. I was a little worried that the solution would get watered down. However, I realized in my previous organization when we had the full suite that there were a bunch of features in it that we didn't have time to operationalize. So, I warmed up to it. I get the whole, "Look, you can pick and choose. Okay, everybody buys a steak, but do you want mashed potatoes, or do you want lobster mac and cheese?" So, you can pick the sides that you want, so you can buy the solution that you want and operationalize versus paying a lot of money and getting a bunch of things, but not using 60 percent of the tools in the box.""The pricing is good and there are no costs in addition to the standard licensing fees.""The price of CrowdStrike Falcon could be better. It is very expensive, we pay approximately $900 per month for the licenses. There are not any additional fees.""The pricing on CrowdStrike is per license. It was about $42 per seat yearly.""With respect to pricing, my suggestion to others is to evaluate the environment and purchase what you need.""Our company pays approximately US$ 65,000 annually for 900 machines.""All I can say about the licensing cost is that it's negotiable.""Pricing and licensing seem to be in line with what they offer. We are a smaller organization, so pricing is important. Obviously, we would make a business case if it is something we really needed or felt that we needed. So, the pricing is in line with what we are getting from a product standpoint."

More CrowdStrike Falcon Pricing and Cost Advice »

"The larger count you have, the deeper discount you will receive in your contract.""We are on a subscription model by choice. Therefore, we are paying a premium for the flexibility. We would have huge cost savings if we committed to a three-year buy-in. So, it's more expensive than the other solutions that we were looking at, but we have the flexibility of a subscription model. I think the pricing is fair. For example, if we had a three-year tie-in SentinelOne versus Cylance or one of the others, there is not that much difference in pricing. There might be a few euro or dollars here and there, but it's negligible.""USD$6 per end point which decreases as end points increase.""It was cheaper than McAfee, which was a way to convince management to go with the solution.""Our licensing fees are about $5 USD per endpoint, per month.""You have to look at the kinds of problems you can end up with and the fact that you want security against them, and then SentinelOne is not expensive.""The solution's price/performance ratio is reasonable.""SentinelOne is more affordable than some competing products, and it's not overly expensive for what you're getting."

More SentinelOne Pricing and Cost Advice »

report
Use our free recommendation engine to learn which Endpoint Protection for Business (EPP) solutions are best for your needs.
552,305 professionals have used our research since 2012.
Answers from the Community
Ron Dutta
author avatarITSecuri7cfd (IT Security Coordinator at a healthcare company with 10,001+ employees)
Real User

We RFI/POC'd them all. 


Sentinel One came out on top for every aspect of the requirements that we needed to fulfill from our architect.


That said, CrowdStrike is a good tool as well but I think ends up being more expensive. The best bang for the buck was S1.

author avatarSteffen Hornung
Real User

We are currently in the process of looking for "new tools" in regards to endpoint security. We use McAfee at the moment and we lean more towards S1.


But I am interested how your POCs go. Please come back with some insight!

author avatarreviewer1653270 (User at tiberium)
User

It really depends what you want as outcomes, reporting integration with other security technologies. Be happy to discuss.

author avatarAJITH H G
Consultant

BetterI would suggest moving it to Microsoft Defender for Endpoint, which will help more in feature.

author avatarEric Rise
Real User

S1 for sure. 


Disconnect Falcon from the internet and it looses its ability to do anything. Falcon is still a fine product, for EDR I'd go S1.

Questions from the Community
Top Answer: The most valuable feature is signature-based malware detection.
Top Answer: Licensing fees are on a yearly basis and I am happy with the pricing.
Top Answer: The GUI needs improvement, it's not good. There are false positives in emails. At times, the emails are blocked and… more »
Top Answer: Cortex XDR by Palo Alto vs. CrowdStrike Falcon Both Cortex XDR and Crowd Strike Falcon offer cloud-based solutions… more »
Top Answer: Both of these products perform similarly and have many outstanding attributes. CrowdStrike Falcon offers an amazing… more »
Top Answer: The CrowdStrike solution delivers a lot of information about incidents. It has a very light sensor that will never push… more »
Top Answer: Cortex XDR by Palo Alto vs. SentinelOne SentinelOne offers very detailed specifics with regard to risks or attacks.… more »
Top Answer: Which solution is better depends on which is more suitable specifically for your company. Darktrace, for example, is… more »
Top Answer: IMO, it depends on whether you have abilities to validate and/or correlate telemetries - these guys brings out quite a… more »
Comparisons
Also Known As
Cisco AMP for Endpoints
CrowdStrike
Sentinel Labs
Learn More
Overview

Advanced Malware Protection (AMP) is subscription-based, managed through a web-based management console, and deployed on a variety of platforms that protects endpoints, network, email and web Traffic. AMP key features include the following: Global threat intelligence to proactively defend against known and emerging threats, Advanced sandboxing that performs automated static and dynamic analysis of files against more than 700 behavioral indicators, Point-in-time malware detection and blocking in real time and Continuous analysis and retrospective security regardless of the file's disposition and Continuous analysis and retrospective security.

CrowdStrike is the leader in cloud-delivered next-generation endpoint protection. CrowdStrike has revolutionized endpoint protection by being the first and only company to unify next-generation antivirus (AV), endpoint detection and response (EDR), and a 24/7 managed hunting service — all delivered via a single lightweight agent. 

Many of the world’s largest organizations already put their trust in CrowdStrike, including three of the 10 largest global companies by revenue, five of the 10 largest financial institutions, three of the top 10 health care providers, and three of the top 10 energy companies.

Request a free trial here: https://go.crowdstrike.com/try-falcon-prevent

SentinelOne delivers autonomous endpoint protection through a single agent that successfully prevents, detects, responds, and hunts attacks across all major vectors. Designed for extreme ease of use, the S1 platform saves customers time by applying AI to automatically eliminate threats in real-time for both on-premise and cloud environments and is the only solution to provide full visibility across networks directly from the endpoint. To learn more visit www.sentinelone.com or follow us at @SentinelOne, on LinkedIn or Facebook.

Offer
Learn more about Cisco Secure Endpoint
Get Fast and Easy Protection Against All Threats

Protect your organization from all threats - not just malware - even when computers and servers aren’t connected to the internet. Start your free trial and deploy CrowdStrike Falcon within minutes to start receiving full threat protection.

Learn more about SentinelOne
Sample Customers
Heritage Bank, Mobile County Schools, NHL University, Thunder Bay Regional, Yokogawa Electric, Sam Houston State University, First Financial Bank
Information Not Available
Havas, Flex, Estee Lauder, McKesson, Norfolk Southern, JetBlue, Norwegian airlines, TGI Friday, AVX, Fim Bank
Top Industries
REVIEWERS
Healthcare Company19%
Government13%
Manufacturing Company13%
Financial Services Firm6%
VISITORS READING REVIEWS
Comms Service Provider24%
Computer Software Company23%
Government7%
Financial Services Firm5%
REVIEWERS
Financial Services Firm17%
Manufacturing Company10%
Insurance Company10%
Hospitality Company10%
VISITORS READING REVIEWS
Computer Software Company25%
Comms Service Provider19%
Government6%
Financial Services Firm5%
REVIEWERS
Retailer19%
Manufacturing Company13%
Healthcare Company13%
Energy/Utilities Company13%
VISITORS READING REVIEWS
Computer Software Company24%
Comms Service Provider23%
Government5%
Retailer4%
Company Size
REVIEWERS
Small Business36%
Midsize Enterprise18%
Large Enterprise46%
VISITORS READING REVIEWS
Small Business27%
Midsize Enterprise21%
Large Enterprise51%
REVIEWERS
Small Business24%
Midsize Enterprise24%
Large Enterprise51%
VISITORS READING REVIEWS
Small Business23%
Midsize Enterprise31%
Large Enterprise47%
REVIEWERS
Small Business29%
Midsize Enterprise18%
Large Enterprise54%
VISITORS READING REVIEWS
Small Business24%
Midsize Enterprise52%
Large Enterprise25%
Find out what your peers are saying about CrowdStrike Falcon vs. SentinelOne and other solutions. Updated: November 2021.
552,305 professionals have used our research since 2012.

CrowdStrike Falcon is ranked 1st in Endpoint Protection for Business (EPP) with 27 reviews while SentinelOne is ranked 2nd in Endpoint Protection for Business (EPP) with 19 reviews. CrowdStrike Falcon is rated 8.8, while SentinelOne is rated 9.8. The top reviewer of CrowdStrike Falcon writes "Speeds up the data collection for our phishing playbooks dramatically". On the other hand, the top reviewer of SentinelOne writes "Made a tremendous difference in our ability to protect our endpoints and servers". CrowdStrike Falcon is most compared with Microsoft Defender for Endpoint, Cortex XDR by Palo Alto Networks, Darktrace, FireEye Endpoint Security and Symantec End-User Endpoint Security, whereas SentinelOne is most compared with Microsoft Defender for Endpoint, Carbon Black CB Defense, Darktrace, Cortex XDR by Palo Alto Networks and Kaspersky Endpoint Security for Business. See our CrowdStrike Falcon vs. SentinelOne report.

See our list of best Endpoint Protection for Business (EPP) vendors and best Endpoint Detection and Response (EDR) vendors.

We monitor all Endpoint Protection for Business (EPP) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.