Technology · May 8, 2026

SentinelOne Takes a Different Approach to AI: It's Not About Identifying Vulnerabilities but Understanding Which Can Truly Be Exploited

Cybersecurity is entering a phase where the issue is no longer counting vulnerabilities but understanding which are actually exploitable in a given environment. This distinction changes the perspective of both attackers and defenders and redefines how security providers build their platforms. On this front, SentinelOne presented its Wayfinder Frontier AI Services during a press briefing: a new offering that integrates cutting-edge AI models with the work of offensive and defensive security experts, aiming to identify exploitable vulnerabilities in advance and suggest the fastest countermeasures.

The starting point, noted at the outset by Paolo Cecchi, Area VP, Sales Director of the Mediterranean Region at SentinelOne, is a double asymmetry. On one hand, AI allows attackers to identify targets and weaknesses in seconds, broadening the range of attackable organizations. On the other hand, the proliferation of vulnerabilities does not linearly correspond to their actual exploitability, as many are already covered by runtime controls, and others have no viable paths in real environments. In practice, the value lies not in the number of discoveries but in the ability to prioritize them relative to the customer's real context. This is precisely the problem that the new service addresses.

Wayfinder Frontier AI Services and the value of proprietary telemetry

The service fits into the Wayfinder portfolio, alongside threat hunting and managed detection and response offerings, and introduces a proactive vulnerability management layer that goes beyond detection. The reference technological framework is the Singularity Platform, SentinelOne's proprietary platform that integrates endpoint, cloud, and identity protection and serves as the operational basis for the company's entire offering.

While detection is accelerated by cutting-edge AI models accompanied by SentinelOne experts, prioritization is based on actual exploitability in the customer's context. Mitigation aims to disrupt the attack chain at the point where it costs the adversary the most, combining architectural changes, identity controls, and the activation of countermeasures from the Singularity platform, SentinelOne's proprietary security suite.

Wayfinder Frontier AI Services initially relies on Claude Opus 4.7 from Anthropic under the Claude Security variant, but the most significant choice is methodological: SentinelOne adopts a multi-model approach, where no model is the definitive answer, and the orchestration of information remains validated by human judgment. The strength of the service lies not only in the model but also in the proprietary telemetry that SentinelOne gathers from tens of millions of endpoints and cloud workloads, enriched by information from SentinelLABS and Google Threat Intelligence.

This interplay is the basis for the recent recognition received from Google Cloud, which declared SentinelOne the Partner of the Year 2026 in the Security category: Google Threat Intelligence. Cecchi attributed the award to three lines of work: the opening of the platform on new Google cloud regions outside the historical US-Europe axis, the native integration of Google Threat Intelligence into Wayfinder services (the former Vigilance line rebranded and expanded), and the growth of joint projects on the Google Cloud marketplace.

SOC at machine speed and agentic investigation

The strategic framework outlined by Cecchi centers on another asymmetry: SOCs continue to operate at human speed while attacks run at machine speed. It is in this context that the agentic evolution of Purple AI, illustrated by Marco Rottigni, Global Solutions Architect at SentinelOne, comes into play. In a lab environment populated by alarms simulating an Apollo ransomware infection, Rottigni demonstrated the difference between traditional conversational searches, which stall on known indicators of compromise, and the initiation of Auto Investigation with a single click. From that moment, an orchestrating agent, Asimov, distributes the work to a team of specialized sub-agents: one connects related events in telemetry, another analyzes the involved user and their privileges in Active Directory, and a third reviews the asset inventory for vulnerabilities and lateral movement. Within four to five minutes, the system produces a structured report comparable to the work of a level one analyst.

The point, Rottigni emphasized, is not to replace the analyst but to provide them with a semi-finished product that would otherwise take two to three hours, leaving people to make decisions that require judgment. The logic is the same that drives the integration with Google Mandiant's threat intelligence, adding validated context, not inferences, to link an event to an actor or campaign.

Regarding the pricing of Purple AI's functions, SentinelOne sought to avoid a recurring critical issue in agentic services, that of token consumption rendering costs unpredictable. The generative AI functions are delivered with an “action” model, a monthly volume included in the subscription, proportional to the protected endpoints, with additional packages available for separate purchase.

"We wanted the cost of using specialized generative AI to be predictable; otherwise, as appealing as it might be, it would remain just marketing," Rottigni summarized. The functionality is generally available to customers who have activated the Purple AI SOC Analyst add-on, while the extension of agentic logic to Hyperautomation, the response automation engine of the Singularity platform, is in preview and will be released to general availability in the coming weeks.

The framework that SentinelOne proposes to security leaders is coherent: an open platform that integrates third-party sources (mail protection systems such as Mimecast and Proofpoint, SASE platforms such as Zscaler and Netskope, and cloud environments such as AWS), selected cutting-edge AI models for each task, human experts validating outputs, and a contractual perimeter that keeps data, telemetry, and interactions within the customer's subscription. This is the company's answer to the paradox of autonomous agents' identity and to the operational need to bring SOCs up to the same speed as attacks.