How SentinelOne AI Detects Threats Before They Execute

17 November 2025 · 0x1m3 · 7 min read

Most endpoint protection reacts to threats after they run. SentinelOne AI threat detection works differently — it identifies and neutralises malicious activity before it causes damage, and it does so without relying on cloud lookups or signature databases.

This post breaks down the technical architecture behind SentinelOne's Singularity platform. If you manage IT security for your organisation, this is how the engine works under the hood.

The Dual AI Engine: Static + Behavioural

SentinelOne's detection methodology operates in two distinct phases, each powered by a separate AI model.

Phase 1: Static AI (Pre-Execution)

Before a file executes, SentinelOne's static AI engine analyses it. This is not signature matching — the model examines structural characteristics of the file: code patterns, entropy levels, imported libraries, packing techniques, and embedded strings.

The static AI model is trained on millions of malware samples and benign files. It identifies malicious characteristics in files that have never been catalogued in any signature database. This catches threats at the gate — before a single line of malicious code runs.

Key advantage: static analysis occurs on the endpoint itself. No cloud connectivity required. No latency waiting for a cloud verdict. The AI model runs locally, which means endpoints in air-gapped environments or during connectivity outages are still fully protected.

Phase 2: Behavioural AI (Runtime)

Files that pass static analysis are monitored during execution by the behavioural AI engine. This is where SentinelOne distinguishes itself from every signature-based solution on the market.

The behavioural engine tracks:

- Process creation and injection — monitoring parent-child process relationships and detecting code injection into legitimate processes
- File system activity — rapid file encryption, mass file modification, or suspicious write patterns
- Registry modifications — changes to persistence mechanisms, security policy keys, or startup entries
- Network connections — communication with known command-and-control (C2) infrastructure or unusual data exfiltration patterns
- Memory operations — in-memory payload execution, reflective DLL loading, and process hollowing

When the behavioural model detects a pattern consistent with malicious intent, it triggers autonomous response — without waiting for human confirmation.
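
As an added illustration of the runtime side (not SentinelOne's engine), the following code replays constructed process and file events through two behavioural rules from the list above: an Office application spawning a script host, and one process rewriting many files within a short window. The process names, thresholds and telemetry are assumptions for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Event:
    ts: float            # seconds on a constructed clock
    kind: str            # "process" or "file"
    pid: int
    image: str = ""      # process events: executable name
    parent: str = ""     # process events: parent executable name
    path: str = ""       # file events: target path

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}

def suspicious_spawn(ev: Event) -> bool:
    """Parent-child rule: an Office application launching a script host is rarely legitimate."""
    return ev.kind == "process" and ev.parent.lower() in OFFICE and ev.image.lower() in SCRIPT_HOSTS

class MassWriteDetector:
    """Flags a process touching >= threshold distinct files within `window` seconds (ransomware write pattern)."""
    def __init__(self, threshold: int = 5, window: float = 2.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # pid -> deque of (ts, path), pruned to the window
        self.flagged = set()               # alert once per pid

    def feed(self, ev: Event):
        if ev.kind != "file" or ev.pid in self.flagged:
            return None
        q = self.recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window:   # drop writes older than the window
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            self.flagged.add(ev.pid)
            return ev.pid
        return None

def run_detection(events):
    """Replay events in time order and return (rule, pid) alerts in the order they fire."""
    alerts, mass = [], MassWriteDetector()
    for ev in sorted(events, key=lambda e: e.ts):
        if suspicious_spawn(ev):
            alerts.append(("office_spawns_script_host", ev.pid))
        pid = mass.feed(ev)
        if pid is not None:
            alerts.append(("mass_file_modification", pid))
    return alerts

# Constructed telemetry: Word spawns PowerShell, which then rewrites six documents in 0.3 s.
SAMPLE_EVENTS = [
    Event(100.0, "process", 4242, image="powershell.exe", parent="WINWORD.EXE"),
    Event(100.1, "process", 4300, image="conhost.exe", parent="powershell.exe"),
    Event(101.0, "file", 900, path=r"C:\Windows\Temp\update.log"),   # single benign write
] + [Event(100.2 + i * 0.05, "file", 4242, path=rf"C:\Users\a\Docs\report{i}.docx.locked") for i in range(6)]
```

The spawn rule fires on the first event and the mass-write rule on the fifth distinct file, so both alerts carry the same pid and can be tied to one process tree for the kill step.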

Autonomous Response: Contain, Kill, Remediate, Rollback

Detection is only valuable if the response is immediate. SentinelOne's autonomous response engine executes four actions without human intervention:

1. Contain — The affected endpoint is network-isolated to prevent lateral movement. The device can still communicate with the SentinelOne management console, but all other network traffic is blocked.

2. Kill — Malicious processes are terminated immediately. The engine traces the full process tree to ensure child processes and spawned threads are also stopped.

3. Remediate — All changes made by the malicious process are reversed. Created files are deleted. Modified registry entries are restored. Persistence mechanisms are removed.

4. Rollback — SentinelOne's patented ransomware rollback uses Volume Shadow Copy integration to restore encrypted files to their pre-attack state. It operates at the file system level, restoring the pre-encryption copies rather than decrypting the files, so no decryption key is needed.

The entire sequence — from detection to rollback — completes in seconds. For comparison, the industry average MTTR (Mean Time to Respond) with manual processes exceeds 200 minutes.

Storyline: Automated Attack Reconstruction

Security analysts spend a disproportionate amount of time correlating events manually — connecting a suspicious process to a file download to a network connection to a registry change. SentinelOne's Storyline technology eliminates this entirely.

Every event on every monitored endpoint is automatically linked into a directed acyclic graph (DAG). Storyline connects:

- The initial infection vector (email attachment, drive-by download, exploited vulnerability)
- Process execution chain and privilege escalation
- Lateral movement attempts
- Data access and exfiltration
- Persistence mechanism installation

The result is a complete, visual attack narrative that an analyst can review in minutes rather than hours. Each Storyline includes TTP (Tactics, Techniques, and Procedures) mapping to the MITRE ATT&CK framework, providing standardised context for incident response and reporting.

For POPIA compliance, Storyline provides the forensic evidence required for breach notification to the Information Regulator — what data was accessed, how the attacker gained entry, and what containment actions were taken.
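
The added example below (not Storyline itself) shows the graph mechanics the section describes: constructed events are linked by parent id into a DAG, an alerting event is walked back to its root, and the connected story is emitted in order with ATT&CK technique ids. The event stream and the technique assignments are assumptions made for this illustration.

```python
from collections import defaultdict, deque

# Constructed telemetry, not real Storyline output: (event_id, parent_id, kind, detail, attack_technique).
# parent_id links are the DAG edges; the technique ids are assumed labels for each event.
EVENTS = [
    ("e1", None, "email",    "Outlook saves invoice.docm attachment",          "T1566.001"),
    ("e2", "e1", "process",  "WINWORD.EXE opens invoice.docm (pid 3100)",      "T1204.002"),
    ("e3", "e2", "process",  "powershell.exe -enc <base64> (pid 4242)",        "T1059.001"),
    ("e4", "e3", "network",  "HTTPS to 203.0.113.7:443 (TEST-NET-3 address)",  "T1071.001"),
    ("e5", "e3", "registry", "HKCU Run key 'Updater' created",                 "T1547.001"),
    ("e6", "e3", "file",     "report0.docx renamed report0.docx.locked",       "T1486"),
    ("e7", "e3", "file",     "report1.docx renamed report1.docx.locked",       "T1486"),
    ("e8", None, "process",  "chrome.exe (pid 2000)",                          None),  # unrelated activity
]

def build_graph(events):
    """Index events by id and collect child lists so the DAG can be walked in both directions."""
    by_id = {e[0]: e for e in events}
    children = defaultdict(list)
    for eid, parent, *_ in events:
        if parent is not None:
            children[parent].append(eid)
    return by_id, children

def find_root(eid, by_id):
    """Follow parent links from an alerting event up to the initial infection vector."""
    while by_id[eid][1] is not None:
        eid = by_id[eid][1]
    return eid

def storyline(alert_eid, events):
    """Return every event in the story containing alert_eid, root first, breadth-first."""
    by_id, children = build_graph(events)
    root = find_root(alert_eid, by_id)
    order, queue, seen = [], deque([root]), {root}
    while queue:
        cur = queue.popleft()
        order.append(cur)
        for child in children[cur]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return order

def techniques(story, events):
    """Distinct ATT&CK technique ids observed in a story, for reporting."""
    by_id = {e[0]: e for e in events}
    return sorted({by_id[eid][4] for eid in story if by_id[eid][4]})

def narrative(alert_eid, events):
    """Human-readable attack narrative, one line per linked event."""
    by_id = {e[0]: e for e in events}
    return [f"{eid}: {by_id[eid][3]} [{by_id[eid][4]}]" for eid in storyline(alert_eid, events)]
```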

Purple AI: Natural Language Threat Hunting

SentinelOne's Purple AI transforms how security teams investigate threats. Rather than writing complex query syntax to search security telemetry, analysts interact with Purple AI using natural language.

Examples of Purple AI queries:

- "Show me all processes that modified registry run keys in the last 24 hours"
- "Which endpoints communicated with external IPs on non-standard ports this week?"
- "Find all PowerShell executions with encoded commands across the environment"

Purple AI translates these queries into the underlying data model, executes the search, and returns results with contextual analysis. It recommends follow-up investigations and highlights anomalies that warrant attention.

For organisations without a dedicated threat hunting team — which describes most South African mid-market businesses — Purple AI acts as a force multiplier. It gives a two-person IT team the investigative capability of a staffed SOC.

Purple AI is available with the Singularity Complete tier and above.

Multi-Platform Coverage

SentinelOne's agent supports:

- Windows — Full EDR capabilities including ransomware rollback
- macOS — Native agent with behavioural AI and autonomous response
- Linux — Server and workstation coverage, including distributions common in enterprise environments (RHEL, Ubuntu, CentOS, SUSE)
- Kubernetes — Container and pod-level protection for cloud-native workloads
- Cloud workloads — AWS, Azure, and GCP virtual machine protection

The same AI models, the same autonomous response, and the same Storyline technology apply across all platforms. A single console manages the entire fleet — no separate tools for different operating systems.

How OAS Delivers SentinelOne

OAS deploys SentinelOne through our N-able MSSP integration as the Protect pillar of the Three Pillar Managed Security framework.

What this means in practice:

- Deployment and configuration — OAS handles agent rollout, policy configuration, and exclusion tuning for your environment
- Continuous monitoring — Alerts are monitored through the same N-able console used for device management and backup health
- Incident response — When SentinelOne contains a threat autonomously, OAS reviews the Storyline, validates the response, and provides a root cause analysis
- Ongoing optimisation — Detection policies are tuned based on your environment to minimise false positives and maximise coverage

SentinelOne's Singularity Complete tier is the recommended deployment for OAS clients. It delivers full EDR, Storyline, autonomous response, and Purple AI — the complete SentinelOne AI threat detection stack.

With over 40 years of experience in enterprise IT and a proven track record in managed security, OAS ensures that SentinelOne's capabilities are not just deployed but operationalised. The technology is powerful. The expertise to run it effectively is what OAS brings to the table.

---

Want to see SentinelOne's AI in action? OAS can run a proof-of-concept deployment on a subset of your endpoints — no commitment required. See how behavioural AI detects what your current solution misses.

Request a SentinelOne Demo →