
SentinelOne Singularity Architecture — One Agent, One Console & ActiveEDR

SentinelOne Singularity is built around one core idea: a single autonomous agent on every endpoint that prevents, detects and responds without calling home to the cloud — then syncs everything to one Singularity management console. This lesson maps the architecture (agent, console, site/group hierarchy, ActiveEDR) and shows you exactly how to deploy it across Windows, Linux and macOS without over-alerting.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear 2026 guide to SentinelOne Singularity architecture: the single autonomous agent, Singularity console, site/group structure, ActiveEDR, OS coverage and deployment best practices for endpoint security.

Pick where you want to start

1. What it is: one agent, one console, one data lake.
2. The Sentinel Agent: engines, ActiveEDR, offline autonomy.
3. Console & hierarchy: Account, Site, Group, policy flow.
4. Deploy it safely: OS coverage, modes, phased rollout.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does the SentinelOne agent need a cloud connection to block a threat?

Answered in The Sentinel Agent.

2. What is the management hierarchy in Singularity?

Answered in Console & hierarchy.

3. What should you enable first when deploying to production endpoints?

Answered in Deploy it safely.

Most engineers think…

Most people picture next-gen AV as 'cloud lookup plus a thin client'. That mental model fails you in an interview and in a real air-gapped or high-latency environment.

SentinelOne Singularity is built on the opposite idea: a single autonomous agent that runs its full detection stack — reputation, StaticAI, BehavioralAI, and ActiveEDR — entirely on the endpoint, with or without a cloud connection. The Singularity Console is the management brain (cloud SaaS or on-premises), but it is not in the detection critical path. The Storyline model is what makes the difference: every process, file, registry and network event on the endpoint is tagged with a Storyline ID that ties the whole attack chain together automatically — no analyst correlation required.

① What SentinelOne Singularity actually is — one agent, one data lake

The single most important idea: SentinelOne Singularity is one autonomous agent per endpoint feeding one centralised data lake, not a cloud-lookup service. The Sentinel Agent runs the full protection stack on-device; the Singularity Console aggregates all telemetry, manages policy and exposes investigation tools — but the agent does not wait for the console to respond before taking action.

The platform fuses EPP (endpoint protection / prevention), EDR (detection and response), CWPP (cloud workload protection) and IoT visibility into one codebase, one agent binary and one management interface. That single-agent model is the interview answer that separates SentinelOne from multi-agent legacy stacks.

Figure 1 — Singularity end-to-end flow
Endpoint (agent installed) ▸ Detect locally (StaticAI + BehavioralAI) ▸ Storyline ID (full chain correlated) ▸ Respond (kill / quarantine / rollback) ▸ Sync console (telemetry + alerts).
Every endpoint runs the full detection stack locally; the console aggregates and manages — but is not in the detection critical path.
Quick check · Q1 of 10 · Understand

SentinelOne Singularity is best described as…

Correct: b. Singularity centres on a single agent that runs detection locally and autonomously, then syncs to the Singularity Console. The console manages policy and exposes telemetry but is not in the detection critical path.
👉 So far: SentinelOne Singularity = one autonomous agent per endpoint + one Singularity Console. The agent detects and responds locally; the console manages and aggregates — it is not in the detection path.

② The Sentinel Agent — engines, ActiveEDR and offline autonomy

The agent runs multiple layered detection engines in sequence. Reputation checks known-bad hashes. StaticAI inspects file attributes before execution. BehavioralAI monitors process behaviour at runtime. ActiveEDR — powered by SentinelOne's TrueContext engine — tags every OS event with a Storyline ID that links every file write, network connection and child process back to the root-cause process, automatically. When a threat is confirmed, the agent can kill, quarantine and roll back all malicious artefacts with one click — or autonomously, without analyst input.

Why offline autonomy matters

Because detection and response run locally, the agent protects endpoints even when the console is unreachable — on an aircraft, in a data centre with no outbound internet, or during a network outage. Decisions are made on-device; telemetry syncs when connectivity resumes. This is a hard differentiator against cloud-lookup-only architectures.

Figure 2 — Sentinel Agent detection layers
Reputation (known-bad hash lookup, fast) ▸ StaticAI (pre-execution file inspection) ▸ BehavioralAI (runtime process monitoring) ▸ ActiveEDR (Storyline correlation + auto-response).
Cascading engines mean earlier layers catch easy threats cheaply; ActiveEDR handles complex behavioural chains.
Sentinel Agent
A single binary on every endpoint running reputation, StaticAI, BehavioralAI and ActiveEDR locally — acts autonomously even when the console is offline.

ActiveEDR / Storyline
Every OS event is tagged with a shared Storyline ID by the TrueContext engine, automatically stitching the full attack chain. Analysts see root cause instantly — no manual correlation.

Account ▸ Site ▸ Group
The Singularity management hierarchy. Policies inherit downward: Account defaults flow to Sites, then to Groups. Override at any level; endpoints in a Group share one policy.

Rollback
The agent can reverse all filesystem changes made by a malicious process — including ransomware encryption — using the Windows Volume Shadow Copy Service (VSS) or a proprietary mechanism on Linux/macOS.

Name the engine stack in interviews

Examiners want you to say: Reputation ▸ StaticAI ▸ BehavioralAI ▸ ActiveEDR (TrueContext). Each layer catches a different threat class. ActiveEDR is what makes SentinelOne self-healing — it does not just detect; it correlates the full Storyline and rolls back automatically.

Quick check · Q2 of 10 · Remember

What does a Storyline ID represent in SentinelOne ActiveEDR?

Correct: c. The TrueContext engine tags every process, file, registry and network event with the same Storyline ID, automatically correlating the entire attack chain without analyst effort.
👉 So far: Detection layers: Reputation ▸ StaticAI ▸ BehavioralAI ▸ ActiveEDR (TrueContext Storylines). The agent acts offline; Storyline IDs auto-correlate entire attack chains without analyst effort.

③ The Singularity Console and management hierarchy

The Singularity Console is delivered as a cloud SaaS (multi-tenant, globally available) or as an on-premises appliance for regulated environments. It is the single pane of glass for policy, alerts, investigations and reporting. The management tree has three levels: Account (the top-level tenant), Sites (logical divisions — e.g. by geography or business unit), and Groups (endpoint sets within a Site that share a policy). Policies inherit downward: Account defaults flow to Sites, then to Groups, with overrides allowed at each level.

Key console features include the Threat Centre (all detections across all endpoints), the Activity timeline, Deep Visibility (the threat-hunting query interface into the Storyline data lake), and the Ranger network discovery module that finds unmanaged devices without deploying an agent to every node. The console URL for cloud tenants follows a regional pattern (e.g. usea1.sentinelone.net for the US East region).

Figure 3 — Singularity Console — one pane
Windows agents, Linux agents, macOS agents, Kubernetes nodes, IoT / Ranger and cloud workloads all report to the one Singularity Console.
The Singularity Console is the single management hub; all endpoint agents report to it across every OS and environment.
'Just one big Group' anti-pattern

Putting all endpoints in a single flat Group means you cannot apply different policies to servers vs. workstations vs. developer machines. Always model the Account ▸ Site ▸ Group tree to reflect business units or risk tiers before deploying agents — retrofitting the hierarchy later is painful.

▶ Watch a ransomware execution get detected, killed and rolled back

How the Sentinel Agent handles a ransomware payload end-to-end — on-device, without cloud dependency.

① Execution. A user opens a phishing attachment. The process launches and begins encrypting files in the Documents folder.
② ActiveEDR. The TrueContext engine assigns a Storyline ID to the root process and all child file-write events, flagging the rapid-encryption pattern as ransomware.
③ Kill + quarantine. In Protect mode, the agent autonomously kills the malicious process tree and quarantines the binary — no cloud call required.
④ Rollback + alert. The agent reverses all filesystem changes (encrypted files restored), raises an incident in the Singularity Console with the full Storyline, and marks the threat resolved.
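As an added illustration (not SentinelOne's code or engine), a toy model of what the Storyline concept from section ② and the four demo steps above buy an analyst: grouping constructed telemetry on a shared Storyline ID rebuilds the chain from root process to every child write, and a simple rapid-encryption rule turns that chain into a kill list and a rollback list. The event fields, the write threshold and the sample events are all assumptions for the example.

```python
# Added illustration, not SentinelOne code: a toy model of Storyline correlation.
# Every event carries a storyline_id set by the agent; grouping on that ID alone
# rebuilds the chain from root process to every child write, and the chain doubles
# as the kill list (processes) and the rollback list (files touched).
from collections import defaultdict

# Constructed telemetry (assumed shape): (storyline_id, event_type, pid, parent_pid, target).
# target is the file written, the child process name, or the remote endpoint (TEST-NET address).
SAMPLE_EVENTS = [
    ("S-1", "process", 400, 100, "WINWORD.EXE"),
    ("S-1", "process", 401, 400, "invoice_macro.exe"),
    ("S-1", "file_write", 401, None, "C:\\Users\\ravi\\Documents\\report1.xlsx"),
    ("S-1", "file_write", 401, None, "C:\\Users\\ravi\\Documents\\report2.xlsx"),
    ("S-1", "file_write", 401, None, "C:\\Users\\ravi\\Documents\\report3.xlsx"),
    ("S-1", "net_connect", 401, None, "203.0.113.5:443"),
    ("S-2", "process", 500, 100, "teams.exe"),
    ("S-2", "file_write", 500, None, "C:\\Users\\ravi\\AppData\\cache.db"),
]

def build_storylines(events):
    """Group events by Storyline ID: {id: {"processes": {pid: (parent, name)}, "events": [...]}}."""
    stories = defaultdict(lambda: {"processes": {}, "events": []})
    for sid, etype, pid, parent, target in events:
        story = stories[sid]
        story["events"].append((etype, pid, target))
        if etype == "process":
            story["processes"][pid] = (parent, target)
    return stories

def root_process(story):
    """Root cause = the process whose parent is not itself part of the storyline."""
    procs = story["processes"]
    for pid, (parent, name) in procs.items():
        if parent not in procs:
            return pid, name
    return None

def rapid_encryption(story, threshold=3, folder="\\Documents\\"):
    """Toy behavioural rule (assumed): >= threshold writes under Documents by one storyline."""
    writes = [t for et, _, t in story["events"] if et == "file_write" and folder in t]
    return len(writes) >= threshold, writes

def triage(events):
    """Per flagged storyline: root cause, kill list (all pids in chain), rollback list (files)."""
    verdicts = {}
    for sid, story in build_storylines(events).items():
        hit, files = rapid_encryption(story)
        if hit:
            verdicts[sid] = {
                "root": root_process(story),
                "kill": sorted(story["processes"]),
                "rollback": files,
            }
    return verdicts
```

Note that the benign storyline S-2 is never touched: the rule and the response are scoped to one Storyline ID, which is the point of tagging at event time rather than correlating afterwards.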
Quick check · Q3 of 10 · Apply

A security team wants different policies for Finance endpoints versus Developer laptops within the same organisation. How does Singularity support this?

Correct: c. The Account ▸ Site ▸ Group hierarchy allows policy overrides at each level. Finance and Developer endpoints can be in separate Groups or Sites with distinct policy settings, all managed from one console.
👉 So far: Management hierarchy: Account ▸ Site ▸ Group. Policies inherit downward with per-level overrides. One console, cloud SaaS or on-premises, covers Windows / Linux / macOS / Kubernetes.

④ Deploying Singularity safely — OS coverage, modes and phased rollout

The Sentinel Agent supports a wide range of operating systems: Windows (including legacy versions such as Windows XP and Server 2003 on specific agent builds), macOS (with a kextless model on modern Apple Silicon), and Linux (major distributions including RHEL, CentOS, Ubuntu, Debian, SLES, Amazon Linux and ARM variants on AWS Graviton). Kubernetes container workloads are also covered. Deploy via the Singularity Console (download link + site token), your RMM, SCCM / Intune, or a Golden Image that includes the agent pre-installed.

Phased rollout: Detect first, then Protect

The safest rollout starts all new endpoints in Detect mode (alerts raised, no automatic mitigation), baselines for one to two weeks, reviews false positives, adds exclusions for legitimate tools, then promotes Groups to Protect mode (automated kill + quarantine + rollback). Enable rollback before going to Protect — this is the safety net that reverses ransomware file changes. Never deploy straight to Protect across a large estate without a pilot group first.

Figure 4 — Detect mode vs Protect mode
Detect mode: alerts raised, no auto-action; baseline legitimate tools; add exclusions safely; zero disruption to users. Protect mode: auto kill + quarantine; Rollback reverses changes; Storyline auto-resolved; enable only after baseline.
Always pilot in Detect mode before promoting to Protect — the phased approach prevents false-positive disruption.

Ravi at a Pune financial-services firm faces this

After deploying SentinelOne in Protect mode across all 800 Windows laptops overnight, the treasury team's macro-heavy Excel files are being quarantined and users cannot open critical reports on Monday morning.

Likely cause

The deployment skipped Detect mode and went straight to Protect, with no exclusions added for the finance team's legitimate VBA macros.

Diagnosis

Open the Singularity Console ▸ Threat Centre — the incidents show VBA macro launches being flagged as BehavioralAI threats. The quarantined files are restorable but the policy was too aggressive from day one.

Console paths: Singularity Console ▸ Threat Centre ▸ Incidents, and Sentinels ▸ Groups ▸ Policy.
Fix

Restore quarantined files, downgrade the Finance Group to Detect mode, add SHA256 / path exclusions for the trusted macro files, baseline for one week, then re-promote to Protect only after confirming true-positive rate.

Verify

Re-test: finance macros open without quarantine; the Threat Centre shows only genuine threats; the Finance Group policy now has documented exclusions.

Confirm rollback is enabled before Protect mode

In the Singularity Console ▸ Sentinels ▸ Group policy, verify the Rollback toggle is ON before you switch a Group to Protect. Rollback is the safety net: if a legitimate file is incorrectly quarantined or ransomware hits, it reverses all filesystem changes. Without it, Protect mode has no undo.
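As an added example (not SentinelOne's code or API), a small model of the Account ▸ Site ▸ Group inheritance from section ③ together with the promotion guard this section describes: a Group is switched to Protect only if its effective policy has Rollback on and the Detect baseline has run long enough. The policy keys, the tree, the 7-day minimum and the placeholder hash are assumptions for the example.

```python
# Added example, not SentinelOne code: effective policy through Account -> Site -> Group
# with per-level overrides, plus the "Rollback on, baseline done" guard before Protect.
from datetime import date, timedelta

# Constructed tree (assumed keys): each node sets only the keys it overrides.
ACCOUNT = {"mode": "detect", "rollback": False, "exclusions": []}
SITES = {"Pune": {"rollback": True}}
GROUPS = {
    # Finance got a hash exclusion during baselining (placeholder value, not a real hash).
    "Finance": {"site": "Pune", "exclusions": ["sha256:<placeholder-macro-hash>"]},
    # Developers explicitly turned Rollback back off at Group level.
    "Developers": {"site": "Pune", "rollback": False},
}

def effective_policy(group_name):
    """Walk Account -> Site -> Group; each lower level overrides the keys it sets."""
    group = GROUPS[group_name]
    site = SITES[group["site"]]
    merged = {}
    for level in (ACCOUNT, site, group):
        merged.update({k: v for k, v in level.items() if k != "site"})
    return merged

def can_promote_to_protect(group_name, detect_since, today, min_baseline_days=7):
    """Return (ok, reasons). Dates are ISO strings; min_baseline_days is an assumed policy."""
    policy = effective_policy(group_name)
    reasons = []
    if not policy["rollback"]:
        reasons.append("Rollback is OFF: Protect mode would have no undo")
    baseline = date.fromisoformat(today) - date.fromisoformat(detect_since)
    if baseline < timedelta(days=min_baseline_days):
        reasons.append("Detect baseline shorter than %d days" % min_baseline_days)
    return not reasons, reasons

def promote(group_name, detect_since, today):
    """Apply the Group-level override to Protect only when the guard passes."""
    ok, reasons = can_promote_to_protect(group_name, detect_since, today)
    if ok:
        GROUPS[group_name]["mode"] = "protect"
    return ok, reasons
```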

Quick check · Q4 of 10 · Analyze

What is the primary risk of deploying SentinelOne straight to Protect mode on all production endpoints on day one?

Correct: d. Without a Detect-mode baseline period, legitimate security tools, scripts or applications that trigger behavioural rules will be automatically killed and quarantined, potentially disrupting operations. Always baseline in Detect mode first.
👉 So far: Deploy in Detect mode first, baseline, add exclusions, then promote to Protect with Rollback enabled. Never go straight to Protect on a large estate — you will quarantine legitimate tools.


📝 Wrap-up assessment — six more


Q5 · Remember

Which SentinelOne engine tags every OS event with a shared identifier to auto-correlate an attack chain?

Correct: a. ActiveEDR, powered by TrueContext, assigns a Storyline ID to every process, file, registry and network event in an attack chain, automatically linking root cause to all child events — no analyst correlation needed.
Q6 · Understand

An endpoint loses internet connectivity mid-shift. How does SentinelOne handle a new malware execution during the outage?

Correct: b. All detection engines (reputation cache, StaticAI, BehavioralAI, ActiveEDR) run locally on the agent. The agent acts autonomously without cloud connectivity; telemetry and incidents sync to the console once the connection is restored.
Q7 · Apply

You need Finance servers to allow a specific signed backup script while blocking all other unsigned PowerShell. Which Singularity feature enables this?

Correct: b. Group-level policy overrides let you add a targeted exclusion (by hash or path) for the trusted backup script in the Finance Group only, without relaxing policy for any other endpoints in the Site.
Q8 · Analyze

Why does SentinelOne's single-agent model reduce deployment complexity compared to legacy multi-agent stacks?

Correct: b. Legacy stacks require separate agents for AV, EDR and CWPP that can conflict and require separate management. Singularity consolidates all capabilities into one codebase, one binary and one management interface.
Q9 · Evaluate

An interviewer asks how you would prove SentinelOne blocked a ransomware attack three days ago. Best answer?

Correct: c. The Storyline in the Threat Centre provides the complete forensic record: root process, all child events with timestamps, the kill action and the rollback result. This is the authoritative source for incident verification.
Q10 · Evaluate

What is the strongest reason to enable Rollback before switching a Group to Protect mode?

Correct: c. Rollback is the safety net for Protect mode. If a legitimate file is incorrectly flagged, the agent can reverse all changes it made — preventing data loss and avoiding costly backup restores. Without it, a false positive in Protect mode can cause lasting disruption.

🧠 In your own words

In one line: why does SentinelOne call its model 'autonomous' rather than 'cloud-assisted'?

Expert version: Because the Sentinel Agent runs the full detection and response stack — reputation, StaticAI, BehavioralAI, ActiveEDR — entirely on the endpoint, without a real-time cloud call. The TrueContext engine correlates entire attack chains locally using Storyline IDs, and the agent can kill, quarantine and roll back without waiting for analyst approval or cloud confirmation. The Singularity Console is the management and visibility layer, not the detection brain. That autonomy is what lets SentinelOne protect air-gapped environments and act in seconds rather than minutes.


📖 Glossary

Sentinel Agent
The single autonomous binary installed on every endpoint. Runs reputation, StaticAI, BehavioralAI and ActiveEDR locally; acts with or without console connectivity.
Singularity Console
The cloud SaaS or on-premises management interface for policy, telemetry, threat hunting (Deep Visibility) and Ranger network discovery. Manages but does not detect.
ActiveEDR
SentinelOne's autonomous detection-and-response engine. Uses TrueContext to assign Storyline IDs, auto-correlate attack chains, and trigger kill + rollback without analyst input.
TrueContext
The patented engine inside ActiveEDR that tags every OS event with a shared Storyline ID, linking every file write, network call and child process back to the root-cause process.
Storyline ID
A shared tag assigned to every event in an attack chain. Lets analysts and the agent see the complete root-cause-to-impact picture in one click.
Account / Site / Group
The three-level Singularity management hierarchy. Policies inherit downward; Groups contain endpoints that share one policy.
Detect mode
Agent mode where threats are alerted but no automatic action is taken. Used for baselining and exclusion tuning before promoting to Protect.
Protect mode
Agent mode where threats are automatically killed, quarantined and (if enabled) rolled back. Requires Rollback to be enabled as a safety net.
Rollback
Agent capability that reverses all filesystem changes made by a malicious process — including ransomware encryption — restoring the endpoint to its pre-attack state.
Ranger
SentinelOne's agentless network discovery module that finds unmanaged endpoints, IoT and OT devices on the network without deploying an agent to every node.


What's next?

Got the architecture? Next, go deep on SentinelOne detection engines — StaticAI, BehavioralAI and ActiveEDR Storylines — and how they layer to catch threats that bypass signatures.