If you could only choose one; ThreatLocker or Sentinel One?
Posted by incompletesystem@reddit | sysadmin | 24 comments
I'm working for a small company and budget is tight. We can probably only afford ThreatLocker or Sentinel One but not both.
If we used ThreatLocker we'd rely on Defender for AV, but if our rules are tight then the AV won't be needed much. Plus solving the Administrator elevation problem is a huge bonus.
But I love Sentinel One and its effectiveness. And having EDR to dig into an incident is great.
NB: I used both at previous gigs. Would you rely on good Application Whitelisting or is EDR not negotiable?
smc0881@reddit
What version of SentinelOne and add-ons are you looking at? Second, do you have a team of people that know their shit, respond to alerts, and monitor it? S1 is not a set-it-and-forget-it type of EDR, which most IT/MSPs end up doing, or set it up wrong and still get ransomed. I work in DFIR and my company is a S1 reseller. If you are not going to monitor yourself (I don't mean Joe the sysadmin either) then either find a reputable MSSP or hire a security team. One other option that we resell too is Huntress and I have had nothing but great experience with them. You get a 24/7 SOC that is pretty good, they offer basic SIEM, and they're pretty good at monitoring M365 too.
incompletesystem@reddit (OP)
Probably Control. I've got a lot of experience with S1, Cylance and Defender; I'm hands-on (how I like it) so it will probably be me managing/monitoring this. Not a big company so I'm not concerned.
smc0881@reddit
I'd upgrade to Complete if you could, so you can get deep visibility and maybe add their vulnerability management. It will scan for outdated apps, patches, and show CVEs. We normally deploy S1/Huntress in tandem for new DFIR engagements and then sell one or both to clients if they are interested. Huntress is real good about finding persistence mechanisms too. If you have M365, I also highly recommend Huntress ITDR they are awesome when it comes to monitoring tenant accounts.
incompletesystem@reddit (OP)
Not sure it's in the budget at 2.25x the price. I feel Control is a good start. Gives us the Auto remediation, Remote shell, and EEP controls.
Myriade-de-Couilles@reddit
Sentinel one does offer a 24/7 SOC as well with MDR, no need for another product.
smc0881@reddit
That's if you buy their Vigilance add-on.
Slicester1@reddit
We went a different route. Blackpoint with Bus Prem MDE and AutoElevate for PAM.
incompletesystem@reddit (OP)
From my memory AutoElevate was only available through an MSP and was nearly as much as S1 or TL. NB: I used to be an SDM.
RaNdomMSPPro@reddit
This is a business decision, not an it department decision. What business risks are you trying to mitigate or potentially eliminate? What is the impact to the various business units if those identified (by the c level or owner) risks become reality? Somewhere in there is the real budget. Lots more details I and a number of others in the r/msp community have answered numerous times. Bonus info: almost all edr/mdr will have people saying they suck - most of the time it’s because their tenant was misconfigured or they didn’t understand what they were trying to prevent. Edr with host isolation turned on to automatically engage will prevent most attacks from spreading. Surprising number of it folks (not cybersecurity folks) want to have control over the isolation process, giving attackers their window to own everything. Good luck.
laserpewpewAK@reddit
Depends on what you mean by defender. Defender for endpoint is a good EDR, built-in windows defender is useless. EDR is non-negotiable IMO, app control is a nice to have. I have a very poor opinion of ThreatLocker though so maybe I'm biased. I have run multiple incidents where Threatlocker was either useless, or in 2 cases, an attacker used social engineering to take control of a tenant which is just inexcusable.
Junior-Section323@reddit
Can you elaborate more on how an attacker was able to accomplish that?
laserpewpewAK@reddit
Unfortunately I can't, I'm not the TA and I don't work for ThreatLocker. I was on the IR team; in each instance we found that ThreatLocker had been totally disabled a few minutes before the attack was launched, and the client subsequently found an admin account in the tenant that they did not create. In one case a ThreatLocker tech confirmed someone had contacted support to have the account added before their manager stepped in and ended the call on us. I assume they had some kind of problem with their verification process that allowed a savvy TA to get an account created in the tenant.
ThreatLocker-Oliver@reddit
Would you be able to contact me with more information about your experience with ThreatLocker? We have a verification process for customers so I would really like to understand your experience around social engineering.
oliver.plante@threatlocker.com
Kind regards
Oliver
Oliver Plante
Vice President of Support
ThreatLocker
incompletesystem@reddit (OP)
Any solution is susceptible to social engineering. I don't see TL as any different from S1 in that regard.
Small business so currently only M365 Business Standard.
Only been here 2 weeks FYI.
Price difference for Business Standard to Business Premium would pay for S1 or TL.
incompletesystem@reddit (OP)
Just a comment; I appreciate the responses.
The majority seem to go for EDR over App Whitelisting.
So for EDR; Sentinel One or something else? Small business 50-100 seats
Mr-ananas1@reddit
Sentinel One personally, only because I have never tried ThreatLocker.
gwrabbit@reddit
I would lean towards EDR and then suffer through AppLocker or WDAG.
incompletesystem@reddit (OP)
Having managed AppLocker and WDAG I found them both impossible to be responsive with and to handle config issues in a timely manner.
ThreatLocker was good for its real-time alerts and quick policy response.
incompletesystem@reddit (OP)
Shudder. Although it doesn't solve the Admin Elevation issue.
smoke2000@reddit
ThreatLocker is relatively new to the EDR market; their AppLocker functionality however works. Yes it is a pain to manage sometimes, but it has stopped stupid shit from happening.
Think: user asks ChatGPT for code to help rename files. ChatGPT returns code to rename the entire PC recursively. User launches the code, ThreatLocker stops it.
I've never used Sentinel One, but they're named often together with CrowdStrike, which I do have, and I'd never replace CrowdStrike with ThreatLocker alone.
RelativeVanilla9629@reddit
EDR is not negotiable, but also ThreatLocker sucks to manage.
One_Poem_2897@reddit
One thing I haven't seen mentioned yet: think about who’s going to be handling incidents when they do happen.
If you go with SentinelOne, do you have someone on your team who can actually interpret EDR telemetry, pivot through timelines, and act quickly on what they find? EDR is powerful, but only if you can use it effectively. Otherwise, it’s a lot of noise and dashboards.
On the flip side, ThreatLocker can prevent more upfront, but requires discipline—tight policies, constant tuning, exception management. If your environment changes frequently or you're strapped for time, that can become a burden too.
Do you have time to tune proactively? Or would you rather investigate reactively?
Because the tool you pick will lean hard on one of those muscles.
techvet83@reddit
Be aware of the recent outage SentinelOne recently had. I think they will come out the better for it.
Official Root Cause Analysis (RCA) for SentinelOne Global Service Interruption - May 29, 2025
Open-Relative-5169@reddit
Leaning towards SentinelOne. Having proper EDR in place just gives way more peace of mind, mostly if something slips through. App whitelisting's good but it feels like more maintenance long term unless your environment's super locked down.