SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
SentinelOne opens Purple AI investigation to all customers

Thu, 18th Jun 2026
Sean Mitchell, Publisher

SentinelOne has opened Purple AI Agentic Investigation to all customers and introduced Singularity Credits for AI-related work across its Singularity Platform.

Available through an opt-in trial, the new feature is designed to let security teams run autonomous investigations within existing workflows on the platform.

The system starts investigations automatically when a threat passes a defined threshold. It then detects, investigates, verifies, and responds to threats without waiting for a human analyst, while leaving visibility and control with the customer's security team.

The launch targets a longstanding strain in security operations centres, where alert volumes often rise faster than teams can investigate them. For many teams, the constraint is no longer detection but the capacity to review and reach verdicts on a growing queue of alerts, particularly outside normal working hours and during spikes in activity.

Purple AI Agentic Investigation is built into the Singularity Platform and uses telemetry already held in the system across endpoint, identity, cloud, and third-party security data. Customers do not need to deploy new tools, build integrations, or tune the feature before use, and activation requires a single click.

The tool collects evidence, correlates telemetry, and builds an attack timeline before presenting a verdict to analysts. The aim is to shift analysts from working through raw alerts to reviewing investigation outcomes and deciding on further action where needed.

Customers can set how much autonomy the system has through a human-in-the-loop model. Verdicts can either trigger policy-driven automated responses or prompt analysts with recommended actions, while access remains admin-controlled, role-based, and reversible.

Each verdict also includes what SentinelOne described as a full evidence chain, allowing analysts to review how the AI reached its conclusion. This is intended to address concerns about opaque decision-making in AI-driven security tools.

Credit model

Alongside the wider rollout, SentinelOne introduced Singularity Credits as a common unit for consuming AI functions across the platform. Purple AI Agentic Investigation will use those credits during the trial period, though customers will not be charged and no payment method is required to take part.

After the trial, customers will be able to buy credits through partners, direct billing, and eCommerce channels. SentinelOne did not disclose pricing or the size of the complimentary credit allocation.

Purple AI acts as both the reasoning layer and the interface for the broader Singularity Platform. It uses a multi-model approach that combines models from Anthropic and OpenAI with SentinelOne's own Ultraviolet models.

That design reflects a wider shift in cybersecurity towards using generative AI and automated reasoning to handle labour-intensive tasks such as triage, investigation, and response. Vendors across the sector have been trying to show that AI can do more than summarise data or answer natural-language queries, and can instead take on operational work within the security workflow itself.

Security teams have also been weighing how far to trust those systems with live decisions. SentinelOne's emphasis on adjustable autonomy, auditability, and evidence trails suggests adoption may depend as much on governance as on speed.

Chris Corde, Chief Product Officer at SentinelOne, said the company sees investigation workloads as the central problem in modern security operations. "Today's security teams face more critical alerts than any staffing plan could investigate, and AI-powered threats are only going to make that worse," Corde said.

He added: "Investigation capacity has become the binding constraint of the modern SOC: detections climb, alerts queue, and verdicts wait on analyst availability. Purple AI's Agentic Investigation capability is designed to remove that constraint by making investigations automatic, continuous, and immediate."