Agentic Cyber Defense Defined | The Purple AI Athena Release

At SentinelOne, we believe AI should do more than just assist security teams – it should act as an extension of every analyst, reasoning and acting like an experienced human defender to help stop attacks in real time.

Today, SentinelOne is rolling out a new agentic AI strategy with the Purple AI Athena release built on three key pillars: deep security reasoning at machine speed, full-loop workflows with automation and response, and data source agnostic integration to detect, investigate and respond to threats across the SOC. Together, these pillars represent a unified, intelligent approach to cybersecurity – one where agentic AI acts as a true partner to help overstretched teams protect their environments and stay ahead of threats.

This blog will explore our approach to AI innovation for security teams and show how the Purple AI Athena Release will execute the most comprehensive set of agentic AI workflows in the industry: AI-powered Data Integrations, Auto-Threat Hunting and Detections, Auto-Triage and Auto-Investigations, Novel Detection Rule Creation, Auto-Response and Reporting, and AI-powered Support.

Deep Security Reasoning at Machine Speed

At the heart of Purple AI’s Athena release is its ability to reason and act like a seasoned SOC analyst. While traditional automation follows static rules, agentic AI focuses on driving outcomes. Purple AI’s agentic framework leverages specialized security models that replicate the analytical thought process of experienced security analysts. This agentic deep security reasoning is fine-tuned by the combination of advanced neural networks working across trillions of security-relevant data points, along with a human feedback loop made up of a global network of elite security professionals. By mirroring how expert analysts triage and respond, Purple AI’s Athena release reduces alert fatigue, dramatically accelerates SecOps, and helps scale the capacity of overstretched security teams. This is AI security that isn’t just faster — it’s smarter.

The first phase of our Purple AI Athena Release is Auto-Triage. Automatically applying deep security reasoning to assess alerts through the analysis of trillions of data points, Purple AI determines if an alert poses a common or novel threat before providing a verdict on the likelihood that this alert is a true positive. Auto-Triage is generally available today, bringing the critical capability of deep reasoning to power agentic AI security use cases.

Full-Loop Workflows with Automation & Response

Together, AI and automation pose an incredible opportunity for security teams to radically reduce mean time to respond. Purple AI’s Athena release combines agentic AI capabilities with Singularity Hyperautomation’s powerful, no-code automation to easily create novel detection rules and to evolve insights from Auto-Investigations into autonomous full-loop response workflows.

During the Auto-Triage and Auto-Investigations process, AI agents will execute the necessary steps to investigate and respond, and propose a workflow to automate future responses to similar incidents. The next time a similar alert occurs, Purple AI will automatically trigger this pre-defined workflow. The agentic system investigates and resolves alerts while learning over time – improving its ability to autonomously investigate and remediate on behalf of analysts. As a result, security teams can go beyond rudimentary rules-based automation to fully orchestrated detection, investigation, and response that keeps them ahead of attacks.

Seamless, Data Source Agnostic Integration

To unlock the full potential of end-to-end agentic workflows, organizations need complete visibility across their data. With Purple AI’s Athena release, SecOps teams can further leverage their investments in third-party SIEMs, data lakes, and other security tools – bringing Purple’s power to these environments without complex or costly data migrations. Purple connects directly to where your data already lives, applying its intelligence, agentic framework, and automation capabilities to analyze, correlate, and act on alerts in real time.

Alerts are ingested into the Singularity Platform, enabling Purple to triage, investigate, and respond within a consistent, unified AI workbench. As Purple is also the only AI cybersecurity analyst built on data normalized at ingest via the Open Cybersecurity Schema Framework (OCSF), human analysts have access to instant querying across both native and third-party sources – no need to learn new schemas or query languages. No matter how many data sources are in play, the result is the same: faster investigations, immediate outcomes, and a streamlined analyst experience.
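To make the normalize-at-ingest point concrete, here is an added example (not SentinelOne or Purple AI code) that maps two constructed raw login records, one in a flat SIEM export style and one in a nested native-agent style, into a single record shape loosely modeled on the OCSF Authentication event class (class_uid 3002). Only a few fields are used and their names are illustrative rather than a complete OCSF schema. Once both records share one shape, a single query by user name works regardless of which source produced the event, which is the analyst-side benefit the paragraph describes.

```python
"""Normalize heterogeneous login telemetry into one OCSF-style record shape.

Added example, not vendor code. The target shape is loosely modeled on the
OCSF Authentication event class (class_uid 3002); only a handful of fields
are used and their names are illustrative, not a full OCSF schema. Both raw
records below are constructed sample data.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any

# Constructed: a successful Windows logon (event 4624) as a flat SIEM export.
RAW_SIEM_EVENT = {
    "source": "siem",
    "_time": "2025-04-28T13:05:12Z",
    "EventCode": "4624",
    "TargetUserName": "jdoe",
    "IpAddress": "203.0.113.7",
    "Computer": "WS-0142",
}

# Constructed: a failed logon in a native endpoint agent's nested JSON style.
RAW_NATIVE_EVENT = {
    "source": "native",
    "ts": 1745845500,  # epoch seconds
    "event": {"type": "logon", "outcome": "failure"},
    "actor": {"user": "jdoe"},
    "src": {"ip": "198.51.100.9"},
    "host": {"name": "WS-0142"},
}


def _iso_to_epoch(ts: str) -> int:
    """Convert an ISO-8601 UTC timestamp string to epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def normalize(raw: dict[str, Any]) -> dict[str, Any]:
    """Map a raw record from either source into the common record shape."""
    if raw["source"] == "siem":
        # 4624 is "An account was successfully logged on"; any other code is
        # left as Unknown here to keep the mapping short.
        success = raw["EventCode"] == "4624"
        return {
            "class_uid": 3002,
            "time": _iso_to_epoch(raw["_time"]),
            "user": {"name": raw["TargetUserName"]},
            "src_endpoint": {"ip": raw["IpAddress"]},
            "device": {"hostname": raw["Computer"]},
            "status": "Success" if success else "Unknown",
            "metadata": {"product": "third-party SIEM"},
        }
    if raw["source"] == "native":
        return {
            "class_uid": 3002,
            "time": raw["ts"],
            "user": {"name": raw["actor"]["user"]},
            "src_endpoint": {"ip": raw["src"]["ip"]},
            "device": {"hostname": raw["host"]["name"]},
            "status": "Success" if raw["event"]["outcome"] == "success" else "Failure",
            "metadata": {"product": "native agent"},
        }
    raise ValueError(f"unknown source: {raw['source']}")


def logins_for_user(events: list[dict[str, Any]], user: str) -> list[dict[str, Any]]:
    """One query over one field path, regardless of where each record came from."""
    return sorted((e for e in events if e["user"]["name"] == user), key=lambda e: e["time"])


if __name__ == "__main__":
    normalized = [normalize(RAW_SIEM_EVENT), normalize(RAW_NATIVE_EVENT)]
    for e in logins_for_user(normalized, "jdoe"):
        print(e["time"], e["status"], e["src_endpoint"]["ip"], e["metadata"]["product"])
```

The failed native-agent logon and the successful SIEM logon land twelve seconds apart in the same timeline, so an analyst sees the sequence without having to know that one source calls the field `TargetUserName` and the other `actor.user`.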

Embedding AI in Everything We Do

AI and automation must be embedded across every stage of the security lifecycle to properly defend against accelerating cyber threats. At SentinelOne, we believe that AI is a force multiplier, enabling security teams to move faster and scale their defenses without operational complexity or overwhelming costs. Purple AI’s core capabilities are now included as part of our endpoint and cloud security offerings in Singularity Complete, giving more security teams direct access to the latest in AI-powered defense across every surface they protect.

Now, SentinelOne’s endpoint and cloud customers will have access to Purple AI’s natural querying, accelerated investigations, AI-powered hunting, intelligent summaries, auto-reporting, and AI for support, with multi-lingual support. No steep learning curves, no barriers to entry – just actionable intelligence, available when and where it’s needed most.

A First Look at Purple AI’s Athena Release

Today, at the RSAC Conference 2025, we released the preview of Purple AI’s Athena Release. As part of our broader agentic AI strategy, this release represents the next evolution of Purple AI with advanced agentic AI workflows across triage, investigation, and response. Let’s take a look at what this release looks like in action.

Integrate with Third-Party Data Sources

Connecting data sources to Purple AI is designed to be simple and fast. With Purple AI’s Athena release, configuration can begin with a single click to connect Splunk as a telemetry source. From there, Purple will recommend which data sources to onboard, ensuring broad visibility across your security stack. Alerts will begin flowing in almost immediately, allowing teams to move from setup to insight in minutes. This streamlined onboarding experience lowers operational overhead and accelerates time to value so analysts can immediately benefit from Auto-Triage and Auto-Investigations.

Auto-Triage

As soon as alerts begin streaming in, Purple AI steps in to Auto-Triage. Rather than overwhelming analysts with every event, Purple evaluates incoming signals in context.

Purple AI’s Auto-Triage, now generally available, uses AI Similarity Analysis and global community intelligence to determine whether an alert represents a common issue or is something novel. Analysts get immediate visibility into how others in the SentinelOne community, along with SentinelOne’s own threat experts, have handled similar alerts. This combination of automation and shared insight helps teams reduce alert fatigue, focus on the highest-priority issues, and make decisions with confidence.

Auto-Investigations

We see a critical alert that would normally require an analyst to spend considerable time investigating manually. Although the anomaly was first recorded in Splunk, Purple identifies it and flags it for further investigation. Users have the option to trigger an Auto-Investigation, and Purple AI will immediately begin to investigate, mirroring the thorough, multi-step process a human analyst would follow.

Auto-Investigations can be triggered on demand or run autonomously behind the scenes, executing on prioritized, Auto-Triaged alerts. In the demo, Purple starts with a login from an unusual location and systematically checks associated devices, user activity, and network traffic. It flags anomalies like the presence of the TeamViewer remote access tool, assesses its prevalence in the environment, and connects observations to build a clearer picture of what’s happening.

What sets Purple AI apart is how its agentic reasoning mirrors expert investigation workflows. It doesn’t stop at identifying symptoms — it builds a full narrative, confirms whether an intrusion has occurred, and takes the next step by recommending precise actions. Once a threat is validated, Purple recommends tailored responses, such as generating a custom rule or drafting a Hyperautomation workflow. This level of autonomous investigation streamlines a process that often takes hours and multiple team members, reducing time to resolution and helping organizations respond to threats more effectively and consistently.
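Two of the investigation steps in the demo narrative, the unusual-location check and the prevalence assessment of a remote access tool, reduce to detection logic that any SOC can reason about. The block below is an added example, not Purple AI’s code, and it works over constructed, already normalized records: a per-user set of countries seen during a baseline window, the login that raised the alert, and a process inventory for a small fleet. The rarity threshold and the severity ladder are illustrative choices; the point is that a tool present on one host but absent from the rest of the fleet carries different weight than a tool deployed everywhere.

```python
"""Unusual-location login plus rare remote-access-tool prevalence, as plain logic.

Added example, not vendor code. All inputs are constructed sample data and the
rarity threshold is an illustrative choice, not a recommended setting.
"""
from __future__ import annotations

from typing import Any

# Constructed: countries each user logged in from during the baseline window.
LOGIN_BASELINE: dict[str, set[str]] = {
    "jdoe": {"US", "CA"},
    "asmith": {"US"},
}

# Constructed: the login that raised the alert.
ALERT_LOGIN = {"user": "jdoe", "country": "RO", "hostname": "WS-0142"}

# Constructed: process names observed per host across an eight-host fleet.
PROCESS_INVENTORY: dict[str, set[str]] = {
    f"WS-{n:04d}": {"explorer.exe", "outlook.exe"} for n in range(142, 150)
}
PROCESS_INVENTORY["WS-0142"].add("TeamViewer.exe")  # present on one host only

# Remote access tools are legitimate in some fleets and suspicious in others;
# prevalence in the environment is what tells those two cases apart.
REMOTE_ACCESS_TOOLS = {"TeamViewer.exe", "AnyDesk.exe"}


def is_unusual_location(login: dict[str, Any], baseline: dict[str, set[str]]) -> bool:
    """True when the login country is not in the user's historical set."""
    return login["country"] not in baseline.get(login["user"], set())


def tool_prevalence(inventory: dict[str, set[str]], tool: str) -> float:
    """Fraction of inventoried hosts on which the tool was observed."""
    hosts_with_tool = sum(1 for procs in inventory.values() if tool in procs)
    return hosts_with_tool / len(inventory)


def investigate(
    login: dict[str, Any],
    baseline: dict[str, set[str]],
    inventory: dict[str, set[str]],
    rare_threshold: float = 0.20,
) -> dict[str, Any]:
    """Chain the two checks into findings, a severity, and a rule recommendation."""
    findings: list[str] = []

    if is_unusual_location(login, baseline):
        findings.append(
            f"login for {login['user']} from {login['country']} is outside the user's baseline"
        )

    # Only remote access tools that are actually on the alerted host matter here.
    host_procs = inventory.get(login["hostname"], set())
    for tool in sorted(REMOTE_ACCESS_TOOLS & host_procs):
        prevalence = tool_prevalence(inventory, tool)
        if prevalence <= rare_threshold:
            findings.append(
                f"{tool} present on {login['hostname']} but rare in the fleet "
                f"({prevalence:.1%} of hosts)"
            )

    severity = {0: "low", 1: "medium"}.get(len(findings), "high")
    return {
        "severity": severity,
        "findings": findings,
        # Two corroborating findings are the case where drafting a detection
        # rule for the combination is worth proposing to the analyst.
        "recommend_detection_rule": severity == "high",
    }


if __name__ == "__main__":
    result = investigate(ALERT_LOGIN, LOGIN_BASELINE, PROCESS_INVENTORY)
    print(result["severity"])
    for line in result["findings"]:
        print(" -", line)
```

A login from a baseline country on a host with only the fleet-standard processes produces no findings and stays at low severity, so the same function also shows how the benign case falls through without analyst attention.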

Novel Detection Rules and Full-Loop Remediation

In this case, Purple AI triaged multiple data sources and uncovered a previously unseen attack technique. After confirming malicious activity, it recommended a precise course of action: creating a detection rule to prevent similar threats in the future. By proactively suggesting response actions and enabling rule creation within the same investigation flow, Purple AI not only identifies the threat, but drives full-loop remediation.

Together, Purple AI and Singularity Hyperautomation can harness the insights and reasoning from Auto-Triage and Auto-Investigation to create fully autonomous full-loop workflows for faster incident response and boosted operational efficiency.

Once the incident has been resolved and a new detection rule is added, Purple AI and Singularity Hyperautomation create an automated workflow to address future similar incidents triggered by the newly created detection rule. In this scenario, Purple AI created and recommended an automation workflow to block similar files, identify the user credentials used to log into the alerted machine, and revoke all sessions from the relevant users.

Conclusion

Today’s organizations are challenged with how to properly harness AI while contending with the potential risks introduced by its usage. At SentinelOne, our mission is to be a force for good and to help our customers stay protected against threats. The Purple AI Athena release is a reflection of this commitment – to introduce purpose-built AI security to provide full data visibility, to seamlessly integrate into the work of security teams, and to thoughtfully develop agentic AI capabilities that work in service to human security teams.

Ready to experience agentic AI innovation that transforms SecOps? Learn more about Purple AI and schedule your personalized demo today.
