SentinelOne launched Purple AI in August 2023. It reached 40% attach rate on new licenses by late 2025. That's a fast ramp — and a signal worth examining honestly, because a 40% attach rate means a lot of practitioners are using it in production, and what they report does not always match the launch press release.

This is the fourth advisory in the 5pyderWatch AI Agents in Security series. Charlotte AI scored 8.5/10. Microsoft Security Copilot scored 7.5/10. Purple AI scores 7.0/10. Here is why.

Vendor Scorecard: SentinelOne Purple AI (AI Security / SOC Analyst)

Overall: 7.0/10
Pricing: Complete tier+; $179.99/endpoint/yr list; mid-market $80K–$250K+/yr
Deployment: Low (Singularity customers) / High (new adopters)
Verdict: Right fit for Singularity customers with heterogeneous stacks.

  • Autonomous Capability 7/10: Auto-triage and one-click investigations are GA, but field-reported hallucinations mean it does not meet Charlotte AI's 98% accuracy bar.
  • Integration Depth / OCSF Breadth 9/10: OCSF-native from ingestion; Zscaler, Okta, Palo Alto, Microsoft, Fortinet, Proofpoint out of the box — broadest third-party story of the three.
  • Accuracy / Hallucination Risk 6/10: Practitioners report base-64 misclassification and false positives; no published accuracy rate equivalent to Charlotte's 98%.
  • Governance / Auditability 7/10: Guardrails exist, but bounded-autonomy controls are less mature than CrowdStrike's ISO 42001-certified model.
  • Pricing Transparency 4/10: No public pricing; bundled from Complete tier up; mid-market total $80K–$250K+/yr — sales-gated.
  • Deployment Effort 8/10: Low friction for existing Singularity customers; data-lake onboarding requires initial schema normalization work.

What Purple AI Is

Purple AI is SentinelOne's generative AI security analyst, embedded directly in the Singularity platform console. The core product is straightforward: analysts type natural-language questions — "show me lateral movement attempts using privileged accounts in the past 7 days" — and Purple AI translates that into structured queries against the Singularity Data Lake, executes them, and returns a timeline, artifact list, and suggested next questions.

That query-translation capability is genuinely useful. Anyone who has spent time writing Power Queries or STAR custom rules in the Singularity Data Lake knows the learning curve is real. Purple AI shortens it significantly for routine hunts.

Beyond the query box, Purple AI now includes:

  • Auto-Triage (GA from the Athena release): Deep reasoning applied to incoming alerts. Purple AI evaluates each alert against trillions of data points, assigns a true-positive/false-positive verdict, and surfaces it with reasoning.
  • Automated Investigations: One-click investigation workflows triggered from the alert panel. Now GA as of RSAC 2026.
  • Shared Investigation Notebooks: Collaborative workspace where analysts annotate findings and Purple AI continues to suggest next steps.
  • MCP Server Integration: An open-source Purple AI MCP Server released at OneCon 2025 allows analysts to extend Purple AI into their own AI-driven tooling.

The Architecture That Matters: OCSF at the Foundation

The single most meaningful architectural decision in Purple AI is OCSF — the Open Cybersecurity Schema Framework. SentinelOne was an early commercial adopter of OCSF, which was co-founded by AWS with cooperation from security vendors. Every data source ingested into the Singularity Data Lake is normalized to the OCSF schema on ingestion.

This means when Purple AI executes a query, it runs against a single, normalized schema regardless of whether the underlying log came from SentinelOne's own endpoint agent, Zscaler, Okta, Palo Alto, Fortinet, or Proofpoint. This is a real advantage over Microsoft Security Copilot, where schema consistency is plugin-dependent. Purple AI does not have a "grounding failure" problem driven by inconsistent schemas — the schema problem is solved at ingestion.
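To make the "normalize at ingestion, query once" argument concrete, here is an added example (constructed by the editor, not SentinelOne's code): two vendor-native authentication events are mapped to the OCSF Authentication class as they enter a toy lake, and a single query then runs across both with no source-specific logic. The raw event shapes, field mapping and timestamps are simplified assumptions.

```python
"""Constructed illustration (not SentinelOne's code) of what "normalize to
OCSF on ingestion" buys a query layer: two vendor-native events are mapped
to the OCSF Authentication class (class_uid 3002) as they enter the lake,
so one query runs across both with no per-source logic."""
from datetime import datetime, timezone

# Constructed raw events in simplified vendor shapes: one Okta System Log
# entry and one Windows-style endpoint logon record (Event ID 4625 = failure).
RAW_OKTA = {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
            "actor": {"alternateId": "alice@example.com"},
            "client": {"ipAddress": "203.0.113.10"},
            "published": "2026-01-14T09:15:00.000Z"}
RAW_ENDPOINT = {"EventID": 4625, "TargetUserName": "ALICE",
                "IpAddress": "203.0.113.10", "TimeCreated": 1768382160000}

def _ocsf_auth(user, ip, time_ms, failed, vendor):
    # Field names follow OCSF 1.1 Authentication as the author reads the
    # schema (an assumption); activity_id 1 = Logon, status_id 1/2 = Success/Failure.
    return {"class_uid": 3002, "category_uid": 3, "activity_id": 1,
            "status_id": 2 if failed else 1, "time": time_ms,
            "actor": {"user": {"name": user}},
            "src_endpoint": {"ip": ip},
            "metadata": {"product": {"vendor_name": vendor}}}

def okta_to_ocsf(e):
    ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return _ocsf_auth(e["actor"]["alternateId"].split("@")[0].lower(),
                      e["client"]["ipAddress"], int(ts.timestamp() * 1000),
                      e["outcome"]["result"] == "FAILURE", "Okta")

def endpoint_to_ocsf(e):
    return _ocsf_auth(e["TargetUserName"].lower(), e["IpAddress"],
                      e["TimeCreated"], e["EventID"] == 4625, "Endpoint")

NORMALIZERS = {"okta": okta_to_ocsf, "endpoint": endpoint_to_ocsf}

def ingest(source, raw):
    """Normalize on the way in; the lake stores only OCSF-shaped records."""
    return NORMALIZERS[source](raw)

def failed_logons_by_user(lake, since_ms):
    """One query over the normalized lake: {user: {vendors reporting failures}}."""
    out = {}
    for ev in lake:
        if ev["class_uid"] == 3002 and ev["status_id"] == 2 and ev["time"] >= since_ms:
            out.setdefault(ev["actor"]["user"]["name"], set()).add(
                ev["metadata"]["product"]["vendor_name"])
    return out
```

The query never inspects `eventType` or `EventID`; those vendor details were consumed by the normalizers, which is the property the section attributes to the Singularity Data Lake.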

The third-party integration catalog is the broadest in this advisory series: Zscaler Zero Trust Exchange, Palo Alto Networks Firewall, Okta, Proofpoint TAP, Fortinet FortiGate, Microsoft Office 365, plus native Amazon Security Lake via OCSF 1.1.0. For teams operating globally across heterogeneous stacks, this is the strongest story of the three vendors reviewed.

Query performance is also notable: SentinelOne reports ~96% of queries return within one second on the massively parallel query engine. All data is stored "hot" — no cold-tier retrieval delays within your retention window.

What Works in Production

Junior analyst uplift is real. The most consistent finding from practitioners using Purple AI is that it meaningfully helps less-experienced analysts get to a working hypothesis faster. An L1 analyst who would spend 30 minutes writing a STAR query can instead describe what they're looking for in plain English and get a structured result in seconds.

Time-to-hunt reduction. SentinelOne's published metric is "response time slashed from hours to minutes" for threat hunting workflows. This is directionally accurate and consistent with the query-translation mechanism.

MITRE ATT&CK 2024 Round 6. SentinelOne achieved 100% detection and 100% protection across all tested attack techniques. Zero delays, zero configuration changes required. This validates the underlying platform — not Purple AI specifically — but the AI layer runs on top of independently validated detection infrastructure.

IDC MarketScape Leader for XDR 2025. The report specifically cited Purple AI: "The addition of Purple AI as an agentic SOC analyst is particularly noteworthy, enabling security teams to accelerate threat hunting, triage, and reporting with natural language and AI-driven workflows."

Where It Falls Short

Hallucination rate in the field. This is the finding that separates 7.0 from 8.5. Practitioners on r/SentinelOneXDR report a consistent pattern: Purple AI misclassifies benign scripts as base-64 encoded when they are not. It generates false-positive investigation paths. It produces confident-sounding summaries that do not match the underlying query results. One practitioner summarized: "You're much better off writing actual queries."
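The base-64 misclassification above is the kind of verdict an analyst can check deterministically before following an AI-suggested investigation path. The following is an added example by the editor (not Purple AI's or SentinelOne's logic): a loose alphabet regex of the sort that flags ordinary script identifiers, beside a strict classifier that decodes the token and requires ASCII-dominant text (UTF-8, or the UTF-16LE that PowerShell's encoded-command form uses) before calling it encoded script. The sample script line and tokens are constructed.

```python
"""Deterministic check for a token an AI verdict calls "base64-encoded"
(constructed example; not SentinelOne's or Purple AI's code). A loose
alphabet regex matches ordinary script identifiers; the strict classifier
decodes and requires ASCII-dominant text, in UTF-8 or the UTF-16LE used by
PowerShell -EncodedCommand, before calling the token encoded script."""
import base64
import binascii
import re

# Loose heuristic of the kind that yields false positives: any run of
# 12 or more base64-alphabet characters, optionally padded.
LOOSE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
STRICT = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def _ascii_text(s):
    """True when at least 95% of characters are printable ASCII or whitespace."""
    ok = sum(1 for c in s if 32 <= ord(c) < 127 or c in "\r\n\t")
    return bool(s) and ok / len(s) >= 0.95

def classify_base64(token):
    """Return 'not_base64', 'encoded_text' or 'encoded_binary'."""
    t = token.strip()
    if len(t) % 4 or not STRICT.fullmatch(t):
        return "not_base64"
    try:
        raw = base64.b64decode(t, validate=True)
    except binascii.Error:
        return "not_base64"
    if base64.b64encode(raw).decode() != t:   # rejects non-canonical trailing bits
        return "not_base64"
    for enc in ("utf-8", "utf-16-le"):
        try:
            if _ascii_text(raw.decode(enc)):
                return "encoded_text"
        except UnicodeDecodeError:   # also raised for odd-length UTF-16LE input
            pass
    return "encoded_binary"

def review_line(line):
    """Pair every loose match in a script line with the strict verdict."""
    return [(m.group(0), classify_base64(m.group(0))) for m in LOOSE.finditer(line)]
```

On a benign line such as `Register-ScheduledTask -TaskName BackupNightly`, the loose regex flags both identifiers while the strict classifier returns `not_base64` for each, which is the disagreement worth recording when an AI summary claims encoding.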

CrowdStrike publishes a specific accuracy benchmark for Charlotte AI: 98%+ agreement with elite MDR analyst decisions. SentinelOne has published no equivalent number for Purple AI. That gap is telling. A vendor with 98% accuracy cites the number. A vendor without it does not.

Training corpus disadvantage. CrowdStrike's MDR team annotated millions of real-world intrusion decisions, and those decisions directly train Charlotte AI. SentinelOne has substantial telemetry — 15 billion security events analyzed weekly across 11,000+ customers — but the nature of that training data, annotation quality, and MDR-expert-in-the-loop mechanism are not publicly documented in equivalent detail. Corpus quality beats corpus size; annotated expert decisions on real intrusions are the valuable signal.

Data-lake lock-in. Purple AI's query layer operates against the Singularity Data Lake. Organizations with existing Splunk, Elastic, or other SIEM investments cannot route Purple AI against those stores without the Athena release — still in early deployment as of 2026.

Pricing opacity. No public list price. Bundled from Singularity Complete tier upward. Mid-market total cost runs $80,000–$250,000+/year depending on data-lake size and endpoint count. Budget modeling requires a sales conversation.

FedRAMP uncertainty. In April 2025, an executive order revoked security clearances for individuals affiliated with SentinelOne, citing its connection to Chris Krebs. This introduced real FedRAMP uncertainty for public-sector buyers that requires active monitoring.

Head-to-Head: Purple AI vs. Charlotte AI vs. Security Copilot

Dimension | Purple AI (SentinelOne) | Charlotte AI (CrowdStrike) | Security Copilot (Microsoft)
Published triage accuracy | Not disclosed | 98%+ vs. MDR analysts | 6.5x phishing alert lift
Schema normalization | OCSF-native at ingestion | Proprietary Falcon schema | Plugin-dependent, variable
Third-party data breadth | Broadest (Zscaler, Okta, Palo Alto, Fortinet, Proofpoint, M365, AWS) | Falcon ecosystem primarily | Microsoft-native strong; third-party thinner
Training data moat | Broad telemetry; methodology undisclosed | Expert-annotated MDR decisions; documented | 65T Microsoft signals; SOC curation less clear
Autonomous triage GA | Yes (Athena release) | Yes (Feb 2025) | Phishing Triage Agent (RSA 2026)
Pricing transparency | None published | None published | SCU model documented
FedRAMP status | Uncertain post-April 2025 EO | FedRAMP High (November 2025) | Available via Microsoft GCC
Practitioner hallucination reports | Documented (r/SentinelOneXDR) | Lower, per MDR validation | Grounding failure mode documented

Winner per dimension: Accuracy → Charlotte AI. Integration breadth → Purple AI. Schema architecture → Purple AI (OCSF). Training data quality → Charlotte AI. Government deployments → Charlotte AI (FedRAMP High confirmed).

Pricing and Deployment

Item | Details
Purple AI inclusion | Singularity Complete tier and above ($179.99/endpoint/year list; field pricing varies)
Mid-market total cost | $80,000–$250,000+/year inclusive of platform and data lake
Wayfinder MDR | $17–$35/endpoint/year standard; $35–$50/endpoint/year Pro with forensics
Query caps | Not documented publicly
Deployment effort | Low for existing Singularity customers; 2–4 weeks to baseline, 60–90 days to meaningful tuning
Procurement | Channel-driven; get competing quotes via Pax8, Sherweb, or direct sales

Buy it if

You are already running SentinelOne Singularity Complete or Enterprise, need broad third-party data lake integrations across a heterogeneous stack, and want an AI analyst that works without ripping out your existing SIEM. Purple AI's OCSF-native query layer is the most stack-agnostic of the three advisories reviewed.

Think twice if

Your primary concern is triage accuracy at scale. CrowdStrike's 98%-validated, MDR-trained Charlotte AI is the better choice for high-volume SOC operations. If you are evaluating SentinelOne adoption specifically for Purple AI, understand you are committing to a full platform — not a point product.

Open risks

Hallucination rate is not publicly benchmarked; field reports from r/SentinelOneXDR document misclassification and false-positive investigations. The Athena cross-SIEM capability is still in early stages. FedRAMP status remains uncertain for public-sector buyers after the April 2025 executive order. Pricing opacity means TCO modeling requires multiple sales conversations before you have a number you can defend.

Sources

  1. SentinelOne Purple AI GA announcement, August 2023, and Athena release blog — SentinelOne.com/blog
  2. SentinelOne press release: "Purple AI brings power to Zscaler, Okta, Palo Alto Networks, Proofpoint, Fortinet and Microsoft data" — BusinessWire, January 2025
  3. IDC MarketScape: Worldwide XDR Software 2025 Vendor Assessment — SentinelOne named Leader; Purple AI cited as differentiator
  4. SentinelOne Q3 FY2026 earnings: $258.9M revenue, $1.055B ARR — EDGAR filings, November 2025
  5. FinancialContent: "SentinelOne: The Billion-Dollar Pivot to Autonomous AI Security" — Purple AI 40% attach rate on new licenses, late 2025
  6. r/SentinelOneXDR: "Anyone know any good threat hunting prompts for Purple AI?" — practitioner hallucination reports, base-64 misclassification
  7. SentinelOne blog: "Simplifying the Security Analyst Experience with OCSF" — ~96% query return within 1 second, OCSF architecture detail
  8. SentinelOne: "Agentic Cyber Defense Redefined — The Purple AI Athena Release" — cross-SIEM support, Auto-Triage GA
  9. MITRE ATT&CK Enterprise Evaluation Round 6, 2024 — SentinelOne 100% detection, 100% protection
  10. UnderDefense: "CrowdStrike vs. SentinelOne 2025" — mid-market pricing range $80K–$250K+/year
  11. White House executive order, April 2025 — clearance revocations for SentinelOne-affiliated individuals
  12. SentinelOne RSAC 2026: Auto Investigation general availability announcement