SentinelOne installs a small program called an agent deep inside the operating system, at the kernel level, on Windows, Linux, and macOS machines. There it watches every process and file change in real time and can quarantine or reverse an attack entirely on the device, without contacting the internet. That speed matters because ransomware can encrypt files in seconds, and an agent that has to phone home for instructions will always be too slow. The catch is that running code at the kernel level requires a driver signed by Microsoft on Windows, a notarized system extension from Apple on macOS, and separate module permissions on each Linux distribution. Whenever any of those vendors changes its rules, SentinelOne has to rebuild the relevant part of the agent from scratch to keep the same capabilities. If Microsoft, following its review of kernel access after the CrowdStrike outage, decided to block third-party drivers from that level of the operating system, the agent would lose the visibility that makes autonomous remediation possible and would become just another sensor that depends on a cloud connection, which is exactly what the product charges a premium for not being.
How does this company make money?
SentinelOne charges a yearly fee per endpoint, meaning for each computer, server, or cloud workload it protects. Customers pay more depending on which modules they add — core endpoint protection, cloud workload security, and identity threat detection each sit at different price tiers. The company also earns fees for professional services, including helping customers deploy the platform and providing managed detection and response where SentinelOne's own analysts monitor threats on the customer's behalf.
What makes this company hard to replace?
Removing a kernel-level agent requires security team approval and a privileged uninstallation process; it is not a simple uninstall. The AI behavioral models in SentinelOne learn patterns specific to each organization's environment, and that learned context is lost when switching vendors. Customers also build custom connections between SentinelOne and their existing SIEM platforms and security orchestration workflows, and rebuilding those integrations against a new vendor's API takes significant time and effort.
What limits this company?
Every time Microsoft, Apple, or a major Linux distribution changes how its kernel handles third-party software, SentinelOne's engineers must rebuild the interception layer for that specific OS version and hardware combination. That work requires specialized kernel engineers and cannot be parallelized across every affected version at once, so each OS update is a bottleneck that a larger sales team or a bigger marketing budget cannot fix.
What does this company depend on?
SentinelOne cannot operate without Microsoft Windows kernel APIs and driver signing certificates, Apple's macOS System Extensions framework and its notarization process, Linux kernel module loading mechanisms across major distributions, AWS cloud infrastructure for its Security Data Lake, and NVIDIA GPU compute resources for running its AI models.
Who depends on this company?
Enterprise IT security teams rely on SentinelOne for automated threat remediation; without it they would have to handle every incident by hand. Managed security service providers use it for real-time visibility into customer endpoints and would need to hire more staff to compensate for losing it. Cloud workload protection customers depend on it to catch attackers moving laterally through containerized environments; without it, that movement could go undetected.
How does this company scale?
As more customers use the platform, the AI behavioral models see more threat patterns and become more accurate, so the product improves without a proportional increase in cost. What does not scale automatically is keeping the kernel-level agent working correctly across the constantly growing list of OS versions, hardware configurations, and enterprise software stacks, which requires specialized kernel engineers every time something changes.
What external forces can significantly affect this company?
The EU's NIS2 Directive requires critical infrastructure operators to meet specific cybersecurity standards, which can drive purchasing decisions toward or away from particular products. U.S. export controls on AI technology limit where SentinelOne can sell and what it can deploy internationally. Cyber insurance companies are increasingly requiring specific endpoint detection capabilities, which shapes what corporate buyers feel they must purchase.
Where is this company structurally vulnerable?
If Microsoft, following its post-CrowdStrike kernel-access review, seriously restricts what third-party drivers are allowed to do inside the Windows kernel, SentinelOne's agent would lose the system-call visibility it needs to act autonomously. It would be reduced to a sensor that reports to the cloud rather than a remediator that acts on-device, erasing the air-gapped and low-latency use cases that make the platform worth its price.