SentinelOne’s executive team celebrates the company’s IPO last June. SentinelOne bought Attivo Networks today for $616.5 million. (Credit: SentinelOne)

SentinelOne on Tuesday added the identity management capability it was looking for to complete its XDR portfolio by acquiring Attivo Networks for $616.5 million.

Nicholas Warner, chief operating officer at SentinelOne, said the shift to hybrid work and increased cloud adoption have established identity as the new perimeter, highlighting the importance of visibility into user activity, which was the impetus for the acquisition.

“Identity threat detection and response is the missing link in holistic XDR and zero-trust strategies,” said Warner. “Our Attivo acquisition is a natural platform progression for protecting organizations from threats at every stage of the attack lifecycle.”

Frank Dickson, program vice president for security and trust at IDC, saw the acquisition as an impressive step forward for SentinelOne as it looks to strengthen its XDR approach. Dickson said Attivo Networks has been a deception vendor that offers an Active Directory protection platform. He said the strength of the platform is that it helps to mitigate risk, harden the AD system, and detect live attacks. In terms of protection, Dickson said Attivo obfuscates, establishes authentic decoys, and creates paths of misdirection for assets in AD registries. Attivo Networks ADSecure is used to deny unauthorized queries and prevent access to high-value objects.

“The challenge with deception historically is that it’s yet another tool to implement and manage and usually requires another agent,” Dickson explained. “No IT administrator ever said, ‘I wish that I had another agent on my endpoints.’ The acquisition by SentinelOne offers the potential of delivering the benefits of deception while ameliorating the complexity issues. Clearly, execution is key and will determine the success of this acquisition.”

Jack Poller, senior analyst at the Enterprise Strategy Group, said that identity-related security threats are often overlooked, which is a “travesty” given that identities are one of the most common attack vectors, allowing attackers to easily move laterally within an organization. Poller added that privileged identities are, literally, the keys to the kingdom, and a most prized target.  

“Attivo’s identity detection and response solution includes sensors and analysis to detect and respond to attacks targeting identities and the identity-management systems, including Microsoft’s Active Directory,” Poller said. “By acquiring Attivo, SentinelOne is expanding its XDR platform to cover identity-related threats across the IT landscape, including on-premises AD, cloud, and endpoints.”

David Holmes, a senior analyst at Forrester, said Attivo was a darling of deception technology, but SentinelOne was really after their Active Directory protection portfolio, including ADAssessor and ADSecure.

“Deception tech, while super cool, was never able to achieve escape velocity on its own, and many of its shining stars are disappearing into portfolios of larger vendors,” Holmes said.

Besides today’s SentinelOne acquisition of Attivo, Holmes pointed out two other significant acquisitions of deception technology in just the past two years:

  • CrowdStrike acquired Preempt for a reported $96 million in 2020, a move that presaged the SentinelOne acquisition.
  • Zscaler acquired Smokescreen in 2021 and has sold it as Zscaler Deception since, but will ultimately integrate it into its popular ZPA and ZIA services.

“What acquisitions like this one ultimately mean for security and risk decision makers is that they can pivot from deploying a standalone deception tech product and start evaluating how deception gets paired with one or two key tactical domains like identity,” Holmes said.