
SentinelOne Singularity Cloud — CWPP, CNAPP & Kubernetes Protection

SentinelOne Singularity Cloud Security wraps a single AI-powered platform around every cloud workload — VMs, containers, Kubernetes pods and serverless — running across AWS, Azure and GCP. This lesson maps the agent-based CWPP runtime layer, the agentless CNAPP/CSPM posture engine, container and Kubernetes protection, the Cloud Funnel data-export pipeline, and how they combine into one console that detects, responds and prevents in real time.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master SentinelOne Singularity Cloud Security in 2026: agent-based CWPP runtime protection, CNAPP/CSPM posture management, container and Kubernetes defence, Cloud Funnel data streaming, and cloud workload security across AWS, Azure, and GCP.


Pick where you want to start

1. What it is: one CNAPP platform, two protection modes.
2. CWPP runtime: agent AI, threats, autonomous response.
3. Kubernetes & containers: node agents, admission, runtime policy.
4. Cloud Funnel & CSPM: posture, data streaming, full coverage.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is CWPP agent-based, agentless, or both in Singularity Cloud?

Answered in What it is.

2. What does the Singularity CWPP agent do at runtime?

Answered in CWPP runtime.

3. What is Cloud Funnel used for?

Answered in Cloud Funnel & CSPM.

Most engineers think…

Most people assume cloud workload security is just 'an antivirus installed on the VM'. That mental model will fail you in an interview and leaves real workloads unprotected.

SentinelOne Singularity Cloud Security is a full CNAPP platform: an agent-based CWPP layer that uses behavioural AI to detect and autonomously stop threats at runtime — zero-days, ransomware, cryptomining, lateral movement — plus an agentless CSPM/CNAPP layer that continuously audits posture, misconfigurations and cloud entitlements without touching the workload. Container and Kubernetes support extends that same agent to node-level with admission-controller hooks, and Cloud Funnel streams every telemetry event to your own SIEM or data lake so you own the data. Understanding each layer is what separates 'I deploy an agent' from 'I design cloud workload security'.

① What Singularity Cloud Security actually is — one platform, two protection modes

The core idea: SentinelOne Singularity Cloud Security is one AI-powered platform that protects cloud workloads through two complementary modes. The CWPP layer puts a lightweight Singularity agent directly on each workload — VM, container or serverless — giving real-time, behavioural AI detection and autonomous response. The CNAPP/CSPM layer scans cloud accounts agentlessly, auditing misconfigurations, over-privileged IAM roles, exposed storage and compliance drift continuously.

Both modes share a single Singularity console. Alerts, incidents and posture findings all land in one place, correlated with the broader XDR story across endpoint, identity and network. The platform covers AWS, Azure, Google Cloud, private clouds and hybrid data-centre workloads from the same policy and incident pane.

Figure 1 — Singularity Cloud Security layers (infographic). Panels: CSPM / CNAPP (agentless posture, CIEM, compliance audit); CWPP Agent (runtime AI detection, autonomous response); Cloud Funnel (telemetry stream to SIEM or data lake).
Three layers — agentless posture, agent runtime, and data pipeline — combine in one console.

Quick check · Q1 of 10 · Understand

How does Singularity Cloud Security combine CWPP and CNAPP?

Correct: b. Singularity Cloud Security uses an agent-based CWPP for real-time runtime protection and an agentless CNAPP/CSPM for posture auditing — both feeding a single shared console for unified visibility.
👉 So far: Singularity Cloud Security = agent-based CWPP for runtime + agentless CNAPP/CSPM for posture, both sharing one console across AWS, Azure and GCP.

② CWPP at runtime — the agent, behavioural AI and autonomous response

The Singularity CWPP agent runs as a lightweight process on each protected workload: a Linux or Windows VM, a container sidecar, or an AWS Lambda-compatible instrumented layer. It does not rely on signature updates. Instead, it uses behavioural AI — modelling every process, file, network and memory event — to identify malicious patterns like ransomware encryption loops, privilege-escalation chains, cryptomining side-channels and fileless lateral movement in real time.

Autonomous response options

When a threat is confirmed, the agent can kill the process, quarantine the file, isolate the workload from the network or roll back malicious changes — all without waiting for a human analyst. Every action is logged to the Singularity console with a full attack storyline, so the SOC understands exactly what happened rather than receiving a raw alert. This is the key differentiator versus a traditional AV or log-only CSPM tool.

Figure 2 — CWPP threat-to-response loop (infographic). Stages: Observe (all process/file/net events) → Detect (behavioural AI verdict) → Contain (kill/quarantine/isolate) → Rollback (undo malicious changes) → Storyline (full attack chain in console).
The Singularity agent moves from observe to contain without waiting for a human.

Singularity CWPP Agent
Lightweight agent on each workload (VM, container, K8s node) that uses behavioural AI to detect and autonomously respond to threats — zero signatures needed.

CNAPP / CSPM layer
Agentless cloud-API scanning for misconfigurations, compliance drift and excessive IAM entitlements — no software installed on workloads.

Cloud Funnel
Continuous pipeline streaming all EDR & XDR telemetry to customer-owned Amazon S3, GCS or SIEM — you own the data, no throttle.

Kubernetes DaemonSet
Singularity agent deploys as a DaemonSet across every node, giving the same runtime AI coverage to every pod on the cluster.

Storyline is the interview differentiator

When asked how SentinelOne handles cloud threats, mention the attack storyline — the platform stitches every process, file, network and memory event into a single causality graph. That is what lets an analyst understand the full attack chain, not just a raw alert, and it is what separates SentinelOne from log-only CSPM tools.

Quick check · Q2 of 10 · Remember

What detection method does the Singularity CWPP agent rely on at runtime?

Correct: d. The Singularity agent uses behavioural AI — not signatures — enabling detection of zero-days, fileless malware and novel ransomware patterns in real time.
👉 So far: The CWPP agent uses behavioural AI — no signatures — to detect zero-days, ransomware and fileless malware, then autonomously kills, quarantines, isolates or rolls back without waiting for a human.

③ Container and Kubernetes protection — nodes, admission and runtime policy

Container and Kubernetes environments need protection at three levels. Node-level: the Singularity agent deploys as a DaemonSet on each Kubernetes node, giving the same behavioural-AI runtime coverage to every pod running on that node. Admission control: the platform integrates with Kubernetes admission controllers to block deployment of images with known critical vulnerabilities or forbidden configurations before they run — the shift-left gate. Runtime policy: once running, process allow-lists and network micro-segmentation rules enforce the expected behaviour of each container, flagging any drift.

Agentless image scanning complements the runtime layer — scanning container-image registries (ECR, ACR, GCR, Docker Hub) for CVEs and secrets before images are ever deployed. The combination of pre-deploy scan, admission gate and runtime agent means a malicious or misconfigured container is caught at whichever layer it first appears — not just one of them.
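The admission gate described above, as an added example that is not SentinelOne's own webhook code: a minimal validating-webhook decision function that reads a Kubernetes v1 AdmissionReview for a pod, looks up every container image in a registry-scan result map, and denies the request when any image carries a CRITICAL finding or has no scan result at all, so images from an unscanned registry fail closed. The scan map, the ECR account and image names, and the fail-closed policy are constructed assumptions.

```python
"""Shift-left admission gate (added example, not SentinelOne code).

Decides a Kubernetes v1 AdmissionReview for a pod: deny if any container
image has a CRITICAL finding in the constructed registry-scan results, or
has no scan result at all (unscanned registry). Both policies are assumptions.
"""

# Constructed stand-in for a registry scan result store: image ref -> highest severity.
SCAN_RESULTS = {
    "123456789012.dkr.ecr.eu-west-1.amazonaws.com/payments:1.4.2": "CRITICAL",
    "123456789012.dkr.ecr.eu-west-1.amazonaws.com/payments:1.4.3": "MEDIUM",
}
BLOCK_SEVERITIES = {"CRITICAL"}


def images_in_pod(pod: dict) -> list:
    """Every image referenced by init, regular and ephemeral containers."""
    spec = pod.get("spec", {})
    images = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        images.extend(c["image"] for c in spec.get(field, []))
    return images


def review(admission_review: dict) -> dict:
    """Return the AdmissionReview response object the API server expects."""
    req = admission_review["request"]
    reasons = []
    for image in images_in_pod(req["object"]):
        severity = SCAN_RESULTS.get(image)
        if severity is None:
            reasons.append(f"{image}: no registry scan result")
        elif severity in BLOCK_SEVERITIES:
            reasons.append(f"{image}: {severity} vulnerability")
    response = {"uid": req["uid"], "allowed": not reasons}
    if reasons:
        # status.message is what kubectl shows the user when the deploy is rejected
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_review(uid: str, images: list) -> dict:
    """Build a constructed AdmissionReview for a pod CREATE using the given images."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "object": {"kind": "Pod", "spec": {"containers": containers}}}}


if __name__ == "__main__":
    ecr = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/payments"
    print(review(sample_review("1", [f"{ecr}:1.4.2"]))["response"])            # denied: CRITICAL
    print(review(sample_review("2", [f"{ecr}:1.4.3"]))["response"])            # allowed
    print(review(sample_review("3", ["docker.io/library/nginx:latest"]))["response"])  # denied: unscanned
```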

Figure 3 — Kubernetes protection coverage (infographic). Singularity K8s protection spokes: Node DaemonSet; Admission control; Runtime policy; Image registry scan; CVE prioritise; Secrets detection.
One Singularity platform covers every layer of a Kubernetes deployment.

DaemonSet coverage gap

A common misconfiguration is deploying the Singularity DaemonSet on worker nodes but forgetting control-plane or system nodes. Those unprotected nodes become the entry point for cluster-level privilege escalation. Always verify coverage across all node pools in the Singularity console before declaring a cluster protected.
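The coverage check that warning calls for, as an added example that is not SentinelOne tooling: it consumes the JSON that `kubectl get nodes -o json` and `kubectl get pods -n <agent-namespace> -o json` produce, lists every node with no Running agent pod, and reports the NoSchedule/NoExecute taints on each such node, since a DaemonSet without a toleration for the control-plane taint is the usual reason those nodes are skipped. The sample cluster is constructed; the agent namespace and the pod label `app=s1-agent` are assumptions to be replaced with the values in your own DaemonSet manifest.

```python
"""DaemonSet coverage audit (added example, not SentinelOne tooling).

Input shapes match `kubectl get nodes -o json` and
`kubectl get pods -n <agent-namespace> -o json`. The agent pod label and
the sample cluster below are constructed assumptions.
"""
import json
import sys

AGENT_LABEL = ("app", "s1-agent")   # assumption: take it from your DaemonSet pod template
BLOCKING_EFFECTS = {"NoSchedule", "NoExecute"}


def covered_nodes(pods: dict) -> set:
    """Names of nodes that host a Running agent pod."""
    covered = set()
    for pod in pods["items"]:
        labels = pod["metadata"].get("labels", {})
        if labels.get(AGENT_LABEL[0]) != AGENT_LABEL[1]:
            continue
        node = pod["spec"].get("nodeName")          # unset while the pod is still Pending
        if node and pod["status"].get("phase") == "Running":
            covered.add(node)
    return covered


def uncovered_nodes(nodes: dict, pods: dict) -> dict:
    """Map each node without a Running agent pod to its scheduling-blocking taints.

    A control-plane taint listed here usually means the DaemonSet lacks a
    matching toleration; an empty list means look elsewhere (node selector,
    resource requests, image pull failure).
    """
    covered = covered_nodes(pods)
    gaps = {}
    for node in nodes["items"]:
        name = node["metadata"]["name"]
        if name in covered:
            continue
        taints = node["spec"].get("taints", [])
        gaps[name] = [f'{t["key"]}:{t["effect"]}' for t in taints
                      if t["effect"] in BLOCKING_EFFECTS]
    return gaps


# Constructed sample: two covered workers and a tainted control-plane node with no agent pod.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "worker-a"}, "spec": {}},
    {"metadata": {"name": "worker-b"}, "spec": {}},
    {"metadata": {"name": "control-plane-1"},
     "spec": {"taints": [{"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}]}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"labels": {"app": "s1-agent"}}, "spec": {"nodeName": "worker-a"}, "status": {"phase": "Running"}},
    {"metadata": {"labels": {"app": "s1-agent"}}, "spec": {"nodeName": "worker-b"}, "status": {"phase": "Running"}},
    {"metadata": {"labels": {"app": "payments"}}, "spec": {"nodeName": "worker-b"}, "status": {"phase": "Running"}},
]}

if __name__ == "__main__":
    # Real use: python3 audit.py nodes.json pods.json; with no arguments the constructed sample runs
    if len(sys.argv) == 3:
        nodes, pods = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        nodes, pods = SAMPLE_NODES, SAMPLE_PODS
    for name, taints in uncovered_nodes(nodes, pods).items():
        print(f"NO AGENT: {name}  blocking taints: {taints or 'none'}")
```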

▶ Watch a cryptominer get caught and killed inside a Kubernetes pod

How a runtime threat in a container is detected and autonomously contained (the healthy path, with the node covered by the agent DaemonSet).

① Pod launch: A new pod starts on a Kubernetes node covered by the Singularity DaemonSet agent. The agent immediately begins behavioural monitoring of every process in every container on that node.
② Anomaly detected: A container spawns an unexpected child process and opens a TCP connection to an external mining pool. The behavioural AI flags this as a cryptomining pattern — zero-day, no signature needed.
③ Autonomous contain: The agent kills the malicious process and isolates the pod's network egress within seconds. No human approval required; the action is logged with full context.
④ Storyline & alert: The Singularity console shows a complete attack storyline — image pulled, process chain, network call, kill action — so the SOC can triage, understand and remediate the root-cause image in minutes.

Quick check · Q3 of 10 · Apply

A DevOps team wants to block deployment of container images with critical CVEs before they reach production. Which Singularity feature handles this?

Correct: b. Admission-controller integration is the shift-left gate — it intercepts Kubernetes deploy requests and blocks images with critical CVEs or forbidden configs before the container ever starts running.
👉 So far: Kubernetes protection = node DaemonSet (runtime AI) + admission-controller gate (shift-left CVE block) + runtime policy (process allow-list) + registry image scanning — all in one platform.

④ Cloud Funnel, CSPM and closing the full coverage loop

Cloud Funnel is the data-streaming pipeline that replicates all EDR and XDR telemetry — every process, file, network and threat event from every protected workload — to a customer-owned destination: Amazon S3, Google Cloud Storage, or a SIEM such as Splunk or Microsoft Sentinel. This means you own your data, can build custom detection rules in your own SIEM, and are never locked to SentinelOne's storage alone. Cloud Funnel exports continuously and automatically with no per-event throttle.

CSPM closes the agentless gap

The CSPM layer connects to cloud provider APIs — no agent needed — and audits every resource for misconfigurations (open S3 buckets, unencrypted RDS, over-privileged roles), compliance drift (CIS Benchmarks, PCI-DSS, NIST), and CIEM excessive entitlements. Findings are risk-scored and surfaced alongside runtime alerts in the same console, so a single analyst can pivot from 'exposed bucket' to 'active threat on that VM' without switching tools.

Figure 4 — Agent-based CWPP vs agentless CSPM (infographic). CWPP (agent): installed on VM / container / node; real-time behavioural AI; autonomous kill, quarantine; best for runtime threat prevention. CSPM / CNAPP (agentless): reads cloud provider APIs; misconfiguration & compliance; CIEM entitlement risk scoring; best for posture and drift.
Use CWPP for runtime threats; CSPM for posture and compliance. Both share one console.

Priya at a Pune-based fintech startup faces this

A Kubernetes pod on the production cluster starts spawning unexpected child processes and making outbound connections to an unknown IP — a cryptomining implant injected through a vulnerable base image.

Likely cause

The container image was pulled from a public registry without CVE scanning; no admission controller was configured; the CWPP agent was not deployed as a DaemonSet on production nodes.

Diagnosis

Singularity console shows no coverage on the affected node; the CSPM audit flags the base image from an unscanned registry and the absence of a runtime policy for that namespace.

Singularity Console ▸ Cloud Workloads ▸ Kubernetes ▸ Coverage & CSPM Findings

Fix

Deploy the Singularity DaemonSet to all production nodes; enable image-registry scanning on ECR; add an admission-controller webhook to block images with critical CVEs; create a runtime policy allowing only expected processes for that pod spec.

Verify

Re-test: the next deployment of a CVE-bearing image is rejected at admission; the Singularity agent on the node detects the cryptominer process, kills it and raises a storyline incident in the console within seconds.

Confirm Cloud Funnel is flowing before an incident

Cloud Funnel must be configured and tested before you need it — not during a live incident. In the Singularity console, check that the export destination (S3 bucket or SIEM endpoint) shows active event flow and recent timestamps. An untested funnel that fails during a breach is as dangerous as no funnel at all.

Quick check · Q4 of 10 · Analyze

A security team needs to run their own correlation rules against SentinelOne telemetry in Splunk. Which feature enables this?

Correct: d. Cloud Funnel exports all EDR and XDR telemetry continuously to customer-owned S3, GCS or directly to SIEM endpoints — giving the team full access to raw events for custom correlation without any throttle.
👉 So far: Cloud Funnel streams all EDR/XDR telemetry to customer-owned S3, GCS or SIEM with no throttle; CSPM audits cloud APIs agentlessly for misconfigurations, compliance drift and CIEM entitlement risk.


📝 Wrap-up assessment — six more


Q5 · Remember

Which deployment model does the Singularity CWPP agent use on Kubernetes?

Correct: c. The Singularity agent deploys as a Kubernetes DaemonSet, which schedules one agent pod on every node automatically — giving runtime behavioural-AI coverage to all pods on each node without manually sidecar-injecting each one.

Q6 · Understand

What distinguishes CWPP from CSPM in the Singularity Cloud Security platform?

Correct: b. CWPP (agent-based) provides real-time behavioural-AI detection and response on running workloads; CSPM (agentless) reads cloud provider APIs to audit misconfigurations, compliance drift and entitlement risk. Different layers, shared console.

Q7 · Apply

A container image in ECR contains a critical CVE. Which Singularity capability catches this before the image reaches production?

Correct: b. Agentless registry scanning finds the CVE in the image before deployment; the admission-controller integration then blocks any attempt to deploy that image to the cluster — a shift-left gate before the runtime agent is even needed.

Q8 · Analyze

Why does behavioural AI in the CWPP agent matter more than signatures for cloud workloads?

Correct: c. Cloud-targeted attacks frequently use zero-days, fileless techniques and novel cryptomining or ransomware variants with no existing signature. Behavioural AI models normal activity and flags anomalies, catching threats that signature-based tools miss entirely.

Q9 · Evaluate

A CISO asks why Cloud Funnel should be configured even if the team primarily uses the Singularity console. Best answer?

Correct: c. Cloud Funnel gives data sovereignty — the team owns raw events in their own S3/GCS/SIEM, can write custom rules, and retains data beyond SentinelOne's own retention limits. During forensics or audit, independence from a single vendor's query interface is invaluable.

Q10 · Evaluate

What is the risk of deploying the DaemonSet only on worker nodes and not on system/control-plane node pools?

Correct: d. System and control-plane nodes have elevated Kubernetes privileges. Leaving them unprotected creates a blind spot where an attacker can escalate to cluster-admin without triggering any Singularity detection. Full DaemonSet coverage across all node pools is mandatory for real protection.

🧠 In your own words

Type one line: why does SentinelOne call Singularity Cloud a CNAPP rather than just a CWPP? Then compare with the expert version.

Expert version: Because CNAPP (Cloud Native Application Protection Platform) is a broader category that combines CWPP (agent-based runtime workload protection), CSPM (agentless cloud posture management), CIEM (entitlement risk), and vulnerability management into one platform and one console. Calling it only CWPP would undersell the agentless posture-auditing layer that scans cloud APIs for misconfigurations, compliance drift and over-privileged IAM without touching any workload. The Singularity console unifies runtime alerts and posture findings so analysts don't switch tools — that integration is the CNAPP promise.


📖 Glossary

CWPP
Cloud Workload Protection Platform — agent software on VMs, containers or Kubernetes nodes providing real-time behavioural AI threat detection and autonomous response.
CNAPP
Cloud Native Application Protection Platform — a unified category combining CWPP, CSPM, CIEM, vulnerability management and shift-left security in one platform.
CSPM
Cloud Security Posture Management — agentless scanning of cloud provider APIs for misconfigurations, compliance violations and entitlement risks.
Cloud Funnel
SentinelOne's continuous telemetry-export pipeline that streams all EDR and XDR events to customer-owned Amazon S3, Google Cloud Storage or a SIEM with no throttle.
Singularity Storyline
An automatically generated causality graph linking all related process, file, network and memory events into a single attack chain — the key forensic artefact in Singularity.
DaemonSet
A Kubernetes workload object that schedules exactly one pod on every node in a cluster — the standard way SentinelOne deploys the CWPP agent across a Kubernetes cluster.
Admission controller
A Kubernetes extension that intercepts API requests before resources are created, allowing SentinelOne to block images with critical CVEs or forbidden configurations pre-deployment.
CIEM
Cloud Infrastructure Entitlement Management — identifying and remediating excessive or unused IAM permissions across cloud accounts to enforce least-privilege.

