SentinelOne brings Purple AI agentic investigation into the SOC

As security teams look for ways to handle rising alert volumes without adding more manual work to the SOC, SentinelOne has opened Purple AI Agentic Investigation to customers, extending its autonomous investigation capability across the Singularity Platform.

The capability starts investigating when a threat reaches a set risk level. Purple AI gathers evidence, connects the data, builds a timeline, and gives analysts a verdict inside the tools they already use. Analysts can still review the work and decide how much control they want Purple AI to have.

What changes for analysts on day one

The main change is where the analyst starts. Instead of opening an alert, gathering evidence, and building the timeline from scratch, the analyst can begin with a verdict and the supporting evidence already assembled.

Chris Corde, chief product officer at SentinelOne, told MSSP Alert, “Before Agentic Investigations, customers needed to handle alerts through static playbook automation in traditional SOAR or by having humans perform triage and investigations manually. In most cases, human analysts initiated the investigation, pulled evidence, built a timeline, and made the triage call, 20 to 30 minutes per critical alert, assuming someone got to it at all. Nights, weekends, surge events: those were gaps where critical alerts simply waited.”

That backlog is the problem SentinelOne is targeting. Security teams already have alerts coming from endpoint, identity, cloud, and other tools. The harder part is deciding which alerts matter, proving what happened, and moving quickly enough to contain real threats.

“On day one with Agentic Investigations active, customers can autonomously drive both efficiency and efficacy benefits in the SOC,” Corde said. “Efficiency comes from reducing the volume of alerts humans need to investigate on their own, saving significant time. Efficacy comes from expert-level investigation happening across every critical alert in a comprehensive manner, and having that done immediately when the alert fires, reducing mean time to detection and response.”

Corde said Purple AI collects evidence, correlates telemetry across the Singularity data estate, builds the attack timeline, and delivers a verdict with a full evidence chain before the analyst opens the console. The analyst still owns the response decision, but gets to that point faster.

A focus on the investigation bottleneck

For many SOC teams, detection is no longer the only pressure point. More tools usually mean more signals. More signals create more work for analysts who have to separate noise from real risk.

Purple AI Agentic Investigation is built to move more of that early investigation work into the platform. It runs on telemetry already inside Singularity, including endpoint, identity, cloud, and third-party security data. SentinelOne said the capability requires no separate deployment, integration, or tuning.

“Security teams using Purple AI report 63% faster threat identification and 55% faster resolution,” Corde said. “The queue doesn’t build unchecked overnight.”

Why this matters for MSPs and MDR providers

Managed service providers and MDR providers need to improve response times while protecting margins, and they often support many customer environments with lean teams.

Corde said the efficiency and efficacy benefits apply directly to partners.

“Every investigation that resolves autonomously is 20 to 30 minutes of analyst time back, allowing partners to drive greater efficiency in their operations and increase the amount of customers they can cover for every human analyst in their service,” he said. “For a provider running lean teams across dozens of client environments, that means fewer escalations per technician, more endpoints per headcount.”

That could make Agentic Investigation part of a managed security service, not just a platform feature. Corde said partners could package autonomous investigation as a distinct service tier, with base triage and verdict delivery, premium analyst response, and advisory services around credit consumption planning and SOC optimization.

He also pointed to the timeline for managed service use cases. “Full multi-tenant support with credit allocation and spend controls lands in Phase 2, targeting mid-August 2026,” Corde said. “The 60-day free trial is the window to get clients experiencing the capability, build the ROI case with real usage data, and own the conversion conversation when credits go live.”

Singularity Credits bring AI consumption into pricing

The company has also introduced Singularity Credits, a unified currency for AI-powered work across the Singularity Platform. Customers can use credits for Purple AI Agentic Investigation during a complimentary trial, and SentinelOne said they can buy credits later through partners, direct billing, and e-commerce.

“Singularity Credits are how SentinelOne meters AI-driven work on the platform,” Corde said. “Every AI-driven action takes up compute and processing power, and Singularity Credits are the currency units used to consume AI-driven activity.”

Corde said SentinelOne has put usage controls in place. “Daily auto-trigger caps bound the number of investigations that fire each day automatically, tiered by threat volume and endpoint count,” he said. “When the cap is hit, auto-triggered investigations pause until the next calendar day, unless customers ask to expand their daily usage capacity.”

Customers can also configure where and how agentic investigations run, so they can align usage with their own priorities. If credits run out, Corde said customers can top off their balance or continue using the capability and get invoiced for usage in arrears. Past investigation results remain accessible regardless of credit balance.

Security vendors are moving AI deeper into the SOC workflow. The focus is expanding from search, query assistance, and alert summaries to the work that happens after detection: pulling evidence, building timelines, triaging alerts, and supporting response decisions. For SOC teams, automated investigations need to show how a verdict was reached. Analysts still need to see the evidence, review the reasoning, and decide when a human should approve the next step. SentinelOne is trying to address those concerns with evidence-backed verdicts, adjustable autonomy, role-based activation, and usage guardrails. For partners, if autonomous investigation reduces manual triage time and gives customers faster answers, it becomes part of the managed security economics conversation, not just another AI feature in the console.

Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.