SentinelOne Purple AI
AI-powered threat hunting and analysis for Singularity
What works
- Natural language threat hunting with PowerQuery translation
- Automated investigation summaries save significant analyst time
- Strong autonomous response capabilities
- Cross-platform support including Linux and macOS
What doesn't
- Platform lock-in to SentinelOne Singularity
- Autonomous actions can be aggressive without tuning
- Enterprise pricing only with no self-service tier
- Newer than Charlotte AI and Security Copilot
Overview
Purple AI is SentinelOne's answer to CrowdStrike's Charlotte AI and Microsoft's Security Copilot. It's a conversational AI threat hunting and investigation assistant built into the Singularity platform that lets analysts ask questions in plain English and get answers grounded in their endpoint, cloud, and identity telemetry. SentinelOne launched Purple AI in 2023 and has been iterating quickly, adding support for their Singularity Data Lake, third-party data ingestion, and automated investigation workflows.
What makes Purple AI interesting in the crowded AI-for-security space is SentinelOne's data architecture. The Singularity Data Lake is designed to ingest and normalize data from third-party sources — not just SentinelOne's own agents — which means Purple AI can theoretically query across your entire security data set, not just endpoint telemetry. Whether that theory holds up in practice is a more nuanced story, but the architectural decision gives Purple AI a wider potential field of view than some competitors.
The product is aimed squarely at SOC analysts and threat hunters, with a secondary audience of security engineers building detection rules and response playbooks. SentinelOne positions it as both a productivity tool (faster triage, faster hunting) and a skills equalizer (junior analysts can do intermediate-level work). In our testing, it delivered on the first claim more consistently than the second.
How It Works
Purple AI uses a large language model — SentinelOne hasn't publicly disclosed which base model, but the behavior suggests a fine-tuned version of a major foundation model — combined with RAG (retrieval-augmented generation) against the Singularity Data Lake. When you ask a question, the system translates it into PowerQuery (SentinelOne's query language), runs it against your data, and presents the results with natural language analysis. The translation pipeline is similar in concept to what Microsoft does with KQL, but PowerQuery is a simpler language, which actually works in Purple AI's favor — there's less room for subtle translation errors.
The data pipeline is where SentinelOne's architecture pays off. The Singularity Data Lake can ingest logs from a wide range of sources: endpoint telemetry from SentinelOne agents, cloud trail logs from AWS and Azure, authentication logs from Okta and Active Directory, network flow data, and more. Purple AI queries against all of this normalized data, which means you can ask cross-domain questions like "did any user who logged in from an unusual location also have a new process spawn on their endpoint within 30 minutes?" That kind of correlation across data sources is the holy grail of security analytics, and Purple AI handles it reasonably well when the data is properly ingested.
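The cross-domain question quoted above (unusual-location login followed by a new process spawn within 30 minutes) is essentially a baseline-plus-join over two data sources. The following Python is an added example, not SentinelOne code and not PowerQuery: it reproduces that correlation logic over a few constructed Okta-style authentication records and endpoint process records so the mechanics are visible. All field names, the sample events, and the baseline cut-off are assumptions; a real Data Lake schema will differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample records (not real telemetry). Field names are assumed.
AUTH_EVENTS = [
    # baseline window: what "usual" looks like for each user
    {"ts": "2024-04-28T08:55:00Z", "user": "alice", "country": "US", "result": "SUCCESS"},
    {"ts": "2024-04-29T09:02:00Z", "user": "alice", "country": "US", "result": "SUCCESS"},
    {"ts": "2024-04-28T07:40:00Z", "user": "bob", "country": "DE", "result": "SUCCESS"},
    # detection window
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "country": "US", "result": "SUCCESS"},
    {"ts": "2024-05-01T10:00:00Z", "user": "alice", "country": "RO", "result": "SUCCESS"},
    {"ts": "2024-05-01T10:10:00Z", "user": "bob", "country": "DE", "result": "SUCCESS"},
    {"ts": "2024-05-01T12:00:00Z", "user": "bob", "country": "BR", "result": "FAILURE"},
    {"ts": "2024-05-01T13:00:00Z", "user": "carol", "country": "US", "result": "SUCCESS"},
]

PROCESS_EVENTS = [
    # baseline window
    {"ts": "2024-04-29T09:10:00Z", "user": "alice", "host": "WS-ALICE", "process": "outlook.exe"},
    {"ts": "2024-04-29T09:12:00Z", "user": "alice", "host": "WS-ALICE", "process": "chrome.exe"},
    {"ts": "2024-04-28T07:45:00Z", "user": "bob", "host": "WS-BOB", "process": "code.exe"},
    # detection window
    {"ts": "2024-05-01T10:05:00Z", "user": "alice", "host": "WS-ALICE", "process": "chrome.exe"},
    {"ts": "2024-05-01T10:20:00Z", "user": "alice", "host": "WS-ALICE", "process": "powershell.exe"},
    {"ts": "2024-05-01T11:00:00Z", "user": "alice", "host": "WS-ALICE", "process": "certutil.exe"},
    {"ts": "2024-05-01T10:15:00Z", "user": "bob", "host": "WS-BOB", "process": "code.exe"},
    {"ts": "2024-05-01T13:10:00Z", "user": "carol", "host": "WS-CAROL", "process": "teams.exe"},
]

CUTOFF = "2024-05-01T00:00:00Z"  # records before this timestamp form the baseline


def build_baselines(auth_events, process_events, cutoff):
    """Per-user sets of usual login countries and usual process names from the baseline window."""
    cutoff_dt = parse_ts(cutoff)
    usual_countries = defaultdict(set)
    usual_processes = defaultdict(set)
    for e in auth_events:
        if e["result"] == "SUCCESS" and parse_ts(e["ts"]) < cutoff_dt:
            usual_countries[e["user"]].add(e["country"])
    for e in process_events:
        if parse_ts(e["ts"]) < cutoff_dt:
            usual_processes[e["user"]].add(e["process"].lower())
    return usual_countries, usual_processes


def unusual_logins(auth_events, usual_countries, cutoff):
    """Successful logins in the detection window from a country outside the user's baseline.
    A user with no baseline at all is treated as unusual (the conservative choice)."""
    cutoff_dt = parse_ts(cutoff)
    return [
        e for e in auth_events
        if e["result"] == "SUCCESS"
        and parse_ts(e["ts"]) >= cutoff_dt
        and e["country"] not in usual_countries.get(e["user"], set())
    ]


def correlate(logins, process_events, usual_processes, window_minutes=30):
    """Join each unusual login to new (not-in-baseline) process spawns by the same user
    within the window after the login."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for login in logins:
        t0 = parse_ts(login["ts"])
        for p in process_events:
            if p["user"] != login["user"]:
                continue
            t1 = parse_ts(p["ts"])
            if not (t0 <= t1 <= t0 + window):
                continue
            if p["process"].lower() in usual_processes.get(p["user"], set()):
                continue  # a process this user runs routinely is not a "new" spawn
            findings.append({
                "user": login["user"],
                "login_ts": login["ts"],
                "login_country": login["country"],
                "host": p["host"],
                "process": p["process"],
                "process_ts": p["ts"],
                "minutes_after_login": int((t1 - t0).total_seconds() // 60),
            })
    findings.sort(key=lambda f: (f["login_ts"], f["process_ts"]))
    return findings


def run_hunt(auth_events, process_events, cutoff, window_minutes=30):
    usual_countries, usual_processes = build_baselines(auth_events, process_events, cutoff)
    logins = unusual_logins(auth_events, usual_countries, cutoff)
    return correlate(logins, process_events, usual_processes, window_minutes)


if __name__ == "__main__":
    for f in run_hunt(AUTH_EVENTS, PROCESS_EVENTS, CUTOFF):
        print(f"{f['user']}: login from {f['login_country']} at {f['login_ts']}, "
              f"then {f['process']} on {f['host']} {f['minutes_after_login']} min later")
```

On the sample data this yields two findings: alice's Romanian login followed by a first-seen powershell.exe spawn 20 minutes later, and carol (who has no baseline at all) followed by teams.exe. The second is the kind of noise a tuned baseline period removes; the first is the correlation the review describes. Note the two places where the result depends on choices that a natural-language question leaves implicit: what counts as "usual" (here, anything seen before the cut-off) and how a user with no history is treated.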
SentinelOne has also built what they call "AI-suggested next steps" into the investigation flow. After Purple AI answers your initial question, it proposes follow-up queries based on the results — essentially guiding you through an investigation tree. This is particularly helpful for less experienced analysts who might not know what to ask next after an initial finding. The suggestions aren't always relevant, but they hit the mark often enough to be useful rather than distracting.
On the automation side, Purple AI can generate STAR (SentinelOne Threat Automated Response) rules from natural language descriptions. You describe the detection logic you want, and it produces a working rule. This is still somewhat brittle for complex multi-condition rules, but for straightforward detections, it saves time and reduces the barrier to creating custom content.
What We Liked
The cross-data-source querying is Purple AI's differentiator, and when it works, it's impressive. We set up the Singularity Data Lake with endpoint telemetry, AWS CloudTrail, and Okta logs, and asked Purple AI to identify users whose cloud activity was anomalous relative to their usual patterns. It correctly identified a test account we'd set up with unusual S3 access patterns and correlated it with the Okta authentication event that preceded the activity. That kind of cross-domain correlation usually requires a SIEM analyst writing custom rules — getting it from a natural language question is a meaningful step forward.
The investigation speed matched CrowdStrike's Charlotte AI in our testing. Triage workflows that took 10-15 minutes manually were completed in 2-4 minutes through Purple AI. The PowerQuery generation was accurate on roughly 85% of our test queries, which is slightly better than what we saw from Microsoft's KQL generation. The simpler query language probably helps — there are fewer ways for the translation to go subtly wrong.
Purple AI's handling of Linux and macOS endpoints was noticeably better than Charlotte AI's. SentinelOne has always had strong cross-platform support, and that extends to the AI layer. Questions about container workloads, Kubernetes node behavior, and macOS-specific persistence mechanisms all produced relevant, accurate answers. If your fleet is heterogeneous — which most modern environments are — this matters more than you might think.
One thing that caught us off guard in a good way: Purple AI's suggested investigation paths were genuinely useful about 60% of the time. After asking about a suspicious process, it suggested checking for persistence mechanisms, network connections, and similar processes across the environment — exactly the follow-up steps a senior analyst would take. For junior analysts, this kind of guided investigation is more valuable than the query translation itself.
What Fell Short
The Data Lake ingestion setup is a real hurdle. Getting third-party data sources properly ingested, parsed, and normalized in the Singularity Data Lake is not a quick project. We spent the better part of two days getting AWS CloudTrail and Okta logs flowing correctly, and the documentation was unhelpful in places — particularly around custom log parsing. If you don't invest the time to get the Data Lake populated with diverse data sources, Purple AI is just an endpoint query tool, and you lose its main advantage over the competition.
The autonomous response features default to settings that are too aggressive. During testing, Purple AI's automated response actions quarantined a legitimate system administration tool (PsExec, predictably) within minutes of us enabling autonomous mode. SentinelOne would argue that PsExec is commonly abused by attackers, and they're right, but the default should not be "quarantine first, ask questions later" for tools that are also used legitimately in many environments. You need to spend time configuring exclusions and tuning the response sensitivity before going live, and the product doesn't make this obvious enough during onboarding.
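The tuning problem above is a policy-design question: a blanket "dual-use tool seen, quarantine it" rule and a blanket exclusion for the same tool are both wrong, and the useful middle is an exclusion scoped by binary identity and execution context. The Python below is an added illustration, not SentinelOne's response engine or its exclusion format: it places the untuned decision beside a scoped one and runs both over constructed detections. The event fields, the approved-operator and jump-host lists, and the placeholder hash are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Detection:
    """Fields assumed for illustration; a real agent event schema differs."""
    process: str
    sha256: str
    signer: str
    user: str
    host: str
    parent: str


# Constructed list of dual-use admin tools the untuned policy quarantines on sight.
DUAL_USE_TOOLS = {"psexec.exe", "psexec64.exe"}

# Constructed placeholder for the digest of the approved build; a real exclusion
# would carry the actual SHA-256 of the binary your operators use.
APPROVED_PSEXEC_SHA256 = "0" * 64

# Parents that should never launch an admin tool in this (constructed) environment.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe"}

# Scoped exclusion: the tool is tolerated only when ALL conditions hold.
EXCLUSIONS = [
    {
        "process": "psexec.exe",
        "sha256": APPROVED_PSEXEC_SHA256,
        "signer": "Microsoft Corporation",
        "allowed_users": {"corp\\ops-admin1", "corp\\ops-admin2"},
        "allowed_hosts": {"JUMP-01", "JUMP-02"},
    },
]


def decide_untuned(det):
    """'Quarantine first' default: any dual-use tool is blocked regardless of context."""
    return "quarantine" if det.process.lower() in DUAL_USE_TOOLS else "allow"


def decide_tuned(det, exclusions=EXCLUSIONS):
    """Scoped policy: a dual-use tool is downgraded to alert-only (logged, reviewed,
    not blocked) when it is the approved build, correctly signed, run by an approved
    operator from an approved host. A script-host parent always quarantines, and any
    mismatch (other user, other host, other hash) keeps the quarantine action."""
    name = det.process.lower()
    if name not in DUAL_USE_TOOLS:
        return "allow"
    if det.parent.lower() in SUSPICIOUS_PARENTS:
        return "quarantine"
    for ex in exclusions:
        if (ex["process"] == name
                and ex["sha256"] == det.sha256.lower()
                and ex["signer"] == det.signer
                and det.user.lower() in ex["allowed_users"]
                and det.host.upper() in ex["allowed_hosts"]):
            return "alert"
    return "quarantine"


# Constructed scenarios covering the cases the scoping is meant to separate.
SCENARIOS = {
    "admin_on_jump_host": Detection("PsExec.exe", APPROVED_PSEXEC_SHA256,
                                    "Microsoft Corporation", "CORP\\ops-admin1", "jump-01", "cmd.exe"),
    "admin_from_workstation": Detection("PsExec.exe", APPROVED_PSEXEC_SHA256,
                                        "Microsoft Corporation", "CORP\\ops-admin1", "WS-0042", "cmd.exe"),
    "unapproved_user": Detection("PsExec.exe", APPROVED_PSEXEC_SHA256,
                                 "Microsoft Corporation", "CORP\\jdoe", "JUMP-01", "cmd.exe"),
    "tampered_binary": Detection("PsExec.exe", "f" * 64,
                                 "Microsoft Corporation", "CORP\\ops-admin1", "JUMP-01", "cmd.exe"),
    "script_host_parent": Detection("PsExec.exe", APPROVED_PSEXEC_SHA256,
                                    "Microsoft Corporation", "CORP\\ops-admin1", "JUMP-01", "wscript.exe"),
    "ordinary_process": Detection("notepad.exe", "1" * 64,
                                  "Microsoft Corporation", "CORP\\jdoe", "WS-0042", "explorer.exe"),
}


def evaluate_all(scenarios=SCENARIOS):
    """Return {scenario: (untuned_action, tuned_action)} for side-by-side comparison."""
    return {name: (decide_untuned(d), decide_tuned(d)) for name, d in scenarios.items()}


if __name__ == "__main__":
    for name, (untuned, tuned) in evaluate_all().items():
        print(f"{name:24s} untuned={untuned:10s} tuned={tuned}")
```

Only the approved operator on the approved host gets the downgrade to alert-only; the same signed binary from a workstation, an unapproved user, a binary with a different hash, or a launch from a script host all still quarantine. That is the shape of exclusion worth configuring before enabling autonomous mode: it removes the false positive the review hit without turning the tool into a blind spot.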
Response times for complex queries were inconsistent. Simple questions about a specific host or user came back in 3-5 seconds, but cross-data-source queries over longer time windows sometimes took 30-45 seconds, and we hit a few timeouts on queries spanning 30 days of data. SentinelOne is clearly aware of this — they've been optimizing the Data Lake query engine — but as of our testing, the performance wasn't where it needs to be for fast-paced incident response work. When you're in the middle of an active incident, a 45-second wait for each question breaks the investigative flow.
Pricing and Value
Purple AI is available as an add-on to SentinelOne Singularity Complete and Enterprise tiers. SentinelOne doesn't publish pricing publicly, but based on customer conversations, expect $2-5 per endpoint per month for the Purple AI add-on. The Singularity Data Lake, which you'll want for the cross-domain querying capability, is priced separately based on data ingestion volume. Total cost for a 5,000-endpoint deployment with Purple AI and a moderate Data Lake allocation typically lands in the $150,000-$350,000/year range. That's broadly competitive with CrowdStrike Charlotte AI and cheaper than Microsoft Security Copilot for most deployment sizes.
The value proposition is strongest when you use the Data Lake to consolidate multiple data sources, because then Purple AI replaces some of the correlation work you'd otherwise do in a SIEM. If you're only using it for endpoint queries, the premium over base SentinelOne licensing is harder to justify — you're paying for an AI interface to data you could already query with PowerQuery. The key question is whether your team will actually use the Data Lake's multi-source ingestion. If yes, the combined value is strong. If not, you're overpaying for a chatbot skin on your existing EDR console.
Who Should Use This
Purple AI is the best fit for organizations running SentinelOne as their primary endpoint platform who also want to consolidate security telemetry into the Singularity Data Lake. If you're looking to reduce your dependence on a traditional SIEM by routing more data through SentinelOne's platform, Purple AI becomes the query and analysis layer that makes that strategy work. Teams of 5-20 security analysts will see the most benefit, particularly if the team has a wide range of experience levels.
It's not the right choice if you're running a competing EDR, if you don't plan to use the Data Lake (in which case you're paying for a less capable product than Charlotte AI), or if your environment is primarily Windows — SentinelOne's cross-platform strength is wasted on homogeneous fleets. Organizations that have already invested heavily in a SIEM with extensive detection content should also think twice, since ripping that out to go all-in on the Data Lake is a multi-quarter project with real migration risk.
The Bottom Line
Purple AI is SentinelOne's strongest product move in years. The cross-data-source querying gives it a genuine architectural advantage over Charlotte AI, and the investigation experience is polished enough for daily SOC use. It's not the finished product yet — the Data Lake onboarding is rough, the performance on complex queries needs work, and the autonomous response defaults will absolutely bite you if you don't tune them. But the trajectory is right. If you're already a SentinelOne customer, adding Purple AI is a straightforward decision. If you're evaluating EDR platforms, the Purple AI + Data Lake combination is a compelling reason to put SentinelOne on your shortlist.
Pricing Details
Add-on to Singularity platform