SentinelOne Outage: So What?
6–2–2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, June 2, 2025, and like you, I’m also surprised to learn that it’s June, but here we are.
This week, we’re looking at an outage at leading Endpoint Detection & Response (EDR) platform SentinelOne and talking about the takeaways from such an event.
SentinelOne Outage: So What?
To be honest with you, I haven’t seen as much coverage in the larger media space of this story as I might have thought, given the history from last summer with CrowdStrike.
As a reminder, an error in CrowdStrike's SDLC caused millions of computers to fall over, somewhat famously causing Delta to cancel thousands of flights - and Delta's lawsuit over it was actually just given the green light by a judge last week to proceed.
So what happened to SentinelOne this week? Well - we know what happened, because they’ve published a full post-mortem on their site that includes a root-cause analysis and full timeline.
In short, an error in their "infrastructure-as-code" architecture pushed a blank routing table into their AWS environment, which made the management portal unreachable. The result was a window of roughly 5 hours in which customers - whether they monitor their own console or pay a third-party SOC to do it for them - had no visibility or insight into what was happening.
During this time, SentinelOne notes that endpoints were still protected, because the agents on those devices were still functional, and that "A core design principle of the SentinelOne architecture is to ensure protection and prevention capabilities continue uninterrupted without constant cloud connectivity or human dependency for detection and response – even in the case of service interruptions, of any kind, including events like this one."
That said - I can understand the skepticism, given the feeling of flying blind and the echoes of the CrowdStrike event from last year.
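The failure mode above - an infrastructure-as-code change that applies a route table with no routes - is the sort of thing a pre-apply guardrail can catch before it reaches production. What follows is an added example written for this page, not SentinelOne's code and not drawn from their post-mortem: it assumes the deployment tool is Terraform and reads the standard `terraform show -json` plan output (`resource_changes`, with `change.actions`, `change.before` and `change.after`). The sample plan embedded in it is constructed for illustration; the resource names and IDs in it are made up.

```python
"""Pre-apply guardrail (added example, not SentinelOne's code): refuse a Terraform
plan that would leave an AWS route table with no routes or delete one outright.

Usage:
    terraform show -json plan.tfplan > plan.json
    python route_table_guardrail.py plan.json     # exits 1 if anything is flagged
Run with no argument to check the constructed SAMPLE_PLAN below.
"""
import json
import sys
from collections import defaultdict


def route_destinations(attrs):
    """Destinations in an aws_route_table's inline routes ({} if the resource is absent)."""
    dests = set()
    for route in (attrs or {}).get("route") or []:
        dest = (route.get("cidr_block")
                or route.get("ipv6_cidr_block")
                or route.get("destination_prefix_list_id"))
        if dest:
            dests.add(dest)
    return dests


def find_blanked_route_tables(plan):
    """Return (address, reason) findings for changes that would blank a route table."""
    findings = []
    # Standalone aws_route resources are tracked per route table: a table whose
    # routes are all being deleted, with none created/updated/kept, is suspicious.
    per_table = defaultdict(lambda: {"deleted": [], "kept": 0})

    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        before, after = change.get("before"), change.get("after")
        address = rc.get("address", "<unknown>")

        if rc.get("type") == "aws_route_table":
            if actions == ["delete"]:  # a replace shows as ["delete","create"], not flagged here
                findings.append((address, "route table deleted"))
            else:
                was, now = route_destinations(before), route_destinations(after)
                if was and not now:
                    findings.append((address, f"all {len(was)} inline routes removed: {sorted(was)}"))
        elif rc.get("type") == "aws_route":
            table = (before or after or {}).get("route_table_id")
            if actions == ["delete"]:
                per_table[table]["deleted"].append(address)
            else:  # create, update, replace or no-op all leave a route in place
                per_table[table]["kept"] += 1

    for table, info in per_table.items():
        if info["deleted"] and info["kept"] == 0:
            findings.append((table, f"every aws_route in this plan for the table is deleted: {info['deleted']}"))
    return findings


# Constructed sample plan (hypothetical names/IDs): one table blanked, one unchanged,
# and a standalone route deleted with nothing else in the plan for its table.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_route_table.console_private", "type": "aws_route_table",
         "change": {"actions": ["update"],
                    "before": {"route": [{"cidr_block": "0.0.0.0/0", "nat_gateway_id": "nat-0abc"},
                                         {"cidr_block": "10.20.0.0/16", "transit_gateway_id": "tgw-0def"}]},
                    "after": {"route": []}}},
        {"address": "aws_route_table.console_public", "type": "aws_route_table",
         "change": {"actions": ["no-op"],
                    "before": {"route": [{"cidr_block": "0.0.0.0/0", "gateway_id": "igw-0123"}]},
                    "after": {"route": [{"cidr_block": "0.0.0.0/0", "gateway_id": "igw-0123"}]}}},
        {"address": "aws_route.resolver_subnet", "type": "aws_route",
         "change": {"actions": ["delete"],
                    "before": {"route_table_id": "rtb-0aaa", "destination_cidr_block": "10.30.0.0/24"},
                    "after": None}},
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_blanked_route_tables(plan)
    for address, reason in findings:
        print(f"BLOCK {address}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately narrow: it only looks at what the plan says will change, so a table whose inline route set goes from populated to empty, or whose standalone routes are all deletions, fails the gate, while a replace or a legitimately route-less table (Terraform never lists the implicit local route) passes. In a pipeline it sits between `terraform plan` and `terraform apply`, alongside the usual peer review of the plan output.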
Still, I want to emphasize a few things that are worth adding as context to this overall effort.
While SentinelOne may have had an own goal here, customers weren’t left unprotected. They also got back up relatively quickly, and have been up front about it all throughout.
In fact, their timeline indicates that engineering began investigating within 13 minutes of the update that introduced the breaking change, and had identified the cause within 90 minutes.
It's tempting to write these tools off as something that adds complexity, creates a false sense of security, or ends up being the cause of the incident itself. And, while it's true that they can be the cause of an incident - demonstrated now by both SentinelOne and CrowdStrike - these tools, especially for small and medium businesses, are far more likely to detect and prevent anomalous or malicious activity than they are to be the cause of it.
We need to think about whether we're able to staff an engineering team that can respond with this type of velocity and thoroughness, because the answer for nearly every company - including technology firms - is probably not.
I'll grant that this isn't a great look for SentinelOne, but they handled it as well as anyone could be expected to, including being transparent about the situation and building on design principles that mean outages like this don't undercut the fundamental value of the tool.
They’ve made (and shared) plans to get better, and are playing with their cards on the table. I think a lot of us could take some lessons from how they handled this adversity, to be honest.
Fundraising
From a fundraising perspective this week, we are back in the double-digit billions, with more than $12.7B in newly committed capital.
Most of that, however, comes from L Catterton, which raised around $11B in new fund commitments, including $6.75B for its tenth flagship buyout vehicle.
That brings Q2 commitments to about $133B, which seems to be enough to delay a good number of IPOs as those top-end private companies look for an additional transaction before going public. There is plenty of dry powder to support that strategy, and the roll-up plays being deployed underneath it as the strong point-solution players are gobbled up by platform players.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.sentinelone.com/blog/update-on-may-29-outage/
https://www.bankinfosecurity.com/judge-lets-deltas-cyber-failure-suit-vs-crowdstrike-proceed-a-28443