Replacing legacy AV with SentinelOne Singularity across 100+ endpoints in a multi-site manufacturing environment — policy design, staged rollout, IR playbook creation, and real breach containment.
| Field | Detail |
|---|---|
| Organization | Manufacturing company (anonymized) |
| Environment | ~100 endpoints, Windows-based, mixed hardware age |
| Objective | Replace legacy AV with modern EDR/MDR, reduce MTTR |
| Previous State | Legacy Webroot AV, no centralized monitoring, zero IR playbooks |
| Outcome | SentinelOne deployed 100+ endpoints · MTTR 48hr → 6hr · 5 incidents contained |
| Tools Used | SentinelOne Singularity, Datto RMM, Windows Event Viewer, PowerShell |
The organization was running legacy signature-based antivirus with no behavioral detection, no centralized visibility, and no formal incident response process. Five security events had occurred in the prior 12 months — none were detected by tooling. Incidents were discovered by end users reporting performance issues or strange behavior, meaning average detection time was measured in days, not minutes.
The objective was to deploy SentinelOne Singularity with full behavioral AI detection, configure policies appropriate for a manufacturing environment (including OT-adjacent workstations where process disruption would halt production), and build a repeatable incident response workflow. MTTR was reduced from 48 hours to 6 hours within 60 days of deployment.
Before any deployment, a complete endpoint inventory was pulled via Datto RMM to understand the environment:
Endpoints were classified into three groups to guide policy design: production-floor machines (highest disruption risk — strict exclusions needed), office/admin workstations (standard policy), and servers (most aggressive detection, Vigilance mode).
Policy design was the most critical step. A single policy applied to production-floor machines and servers alike would either cause false positive lockouts on industrial software or leave servers under-protected. Three distinct policies were designed:
Rollout strategy: staged over 3 weeks via Datto RMM MSI deployment — IT/admin machines first, then office workstations, then production floor last. Webroot was uninstalled 48 hours after SentinelOne confirmed healthy enrollment to avoid AV conflicts.
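The classification, policy assignment and staged rollout above can be driven from the RMM inventory export rather than by hand. The script below is an added example, not the organization's script and not Datto RMM or SentinelOne code: the inventory rows, column names, policy names (`S1-Production`, `S1-Office`, `S1-Servers`) and the decision to place servers in the second wave are all constructed assumptions. Its one security-relevant rule is the last function: legacy AV removal is scheduled 48 hours after the SentinelOne agent is confirmed healthy, and a host that has not reported healthy is held back so it is never left without a working agent.

```python
"""Classify an endpoint inventory into SentinelOne policy groups, assign rollout
waves, and gate legacy-AV removal on a healthy enrollment check.

Added example for illustration only; not the organization's script and not
Datto RMM or SentinelOne code. Inventory rows, field names, policy names and
the wave order for servers are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample inventory, shaped like an RMM export (assumed columns).
INVENTORY = [
    {"hostname": "IT-ADMIN01", "os": "Windows 11 Pro",      "role": "it_admin"},
    {"hostname": "FIN-WS07",   "os": "Windows 10 Pro",      "role": "office"},
    {"hostname": "CNC-LINE2",  "os": "Windows 7",           "role": "production"},
    {"hostname": "HMI-PRESS1", "os": "Windows 10 IoT",      "role": "production"},
    {"hostname": "FS01",       "os": "Windows Server 2019", "role": "server"},
    {"hostname": "ENG-WS03",   "os": "Windows 10 Pro",      "role": "office"},
]

# One policy per group, following the three-policy design: strict exclusions on
# the floor, standard settings in the office, Vigilance MDR on servers.
# Policy names and the "exclusions" labels are assumptions.
POLICIES = {
    "production_floor": {"policy": "S1-Production", "exclusions": "industrial-software", "vigilance": False},
    "office":           {"policy": "S1-Office",     "exclusions": "minimal",             "vigilance": False},
    "servers":          {"policy": "S1-Servers",    "exclusions": "minimal",             "vigilance": True},
}

# Staged rollout order: IT/admin first, office next, production floor last.
# Servers in wave 2 is an assumption (the page does not state their wave).
WAVES = {"it_admin": 1, "office": 2, "server": 2, "production": 3}
LEGACY_AV_REMOVAL_DELAY = timedelta(hours=48)
PRODUCTION_PREFIXES = ("CNC-", "HMI-", "PLC-")  # assumed floor naming convention


def classify(endpoint):
    """Map one inventory row to a policy group."""
    if endpoint["role"] == "server" or "server" in endpoint["os"].lower():
        return "servers"
    if endpoint["role"] == "production" or endpoint["hostname"].upper().startswith(PRODUCTION_PREFIXES):
        return "production_floor"
    return "office"


def plan_rollout(inventory):
    """Return one row per endpoint (group, policy, wave), ordered by wave."""
    plan = []
    for ep in inventory:
        group = classify(ep)
        plan.append({
            "hostname": ep["hostname"],
            "group": group,
            "policy": POLICIES[group]["policy"],
            "vigilance": POLICIES[group]["vigilance"],
            "wave": WAVES.get(ep["role"], 2),
        })
    return sorted(plan, key=lambda r: (r["wave"], r["hostname"]))


def legacy_av_removal_schedule(plan, enrollment_health):
    """Decide when the legacy AV may be uninstalled on each host.

    enrollment_health maps hostname -> datetime at which the new agent was first
    confirmed healthy, or None if it has not reported healthy. Removal is
    scheduled 48 hours after that; hosts without a healthy agent are held (None)
    so no machine is ever left without working protection.
    """
    schedule = {}
    for row in plan:
        healthy_at = enrollment_health.get(row["hostname"])
        schedule[row["hostname"]] = None if healthy_at is None else healthy_at + LEGACY_AV_REMOVAL_DELAY
    return schedule


if __name__ == "__main__":
    plan = plan_rollout(INVENTORY)
    for row in plan:
        print(f"wave {row['wave']}  {row['hostname']:<12} {row['group']:<17} {row['policy']}")
    # Constructed health observations: one floor machine has not reported healthy yet.
    health = {r["hostname"]: datetime(2024, 1, 8, 9, 0) for r in plan}
    health["CNC-LINE2"] = None
    for host, when in legacy_av_removal_schedule(plan, health).items():
        print(f"{host:<12} legacy AV removal: {when or 'HOLD (agent not healthy)'}")
```

The hostname-prefix rule exists because production machines are the ones most likely to be mislabelled in an inventory that predates any security tooling; a floor machine that slips into the office policy is exactly the false-positive lockout the three-policy design is meant to avoid.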
Deployment proceeded across all 100+ endpoints over approximately 3 weeks. Key execution details:
The organization had never had a written incident response process. Post-deployment, a tiered playbook was built:
SentinelOne Vigilance MDR was configured for the server policy, with automated network isolation on Critical threats. Alert routing was configured: P1 triggers SMS + email immediately; P2 triggers email to the security contact within 30 minutes.
Within 90 days of deployment, 5 security incidents were detected and contained that would have gone unnoticed under the legacy AV environment. One representative case:
SentinelOne flagged suspicious `powershell.exe` execution on an office workstation — process spawned from `winword.exe` (a macro-enabled document opened via a phishing email). Behavioral AI classified it as a credential harvesting attempt. Automatic network isolation triggered within 8 seconds of detection. Hash analysis confirmed Meterpreter-style payload. Endpoint cleaned, credentials for the affected user rotated, phishing email domain blocked. Total time from detection to clean: 4.5 hours.
Without SentinelOne, this incident would have been discovered days later when the user reported performance issues or when credentials were used to access corporate systems.
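The incident above (a script host spawned by an Office process, T1059 in the mapping below) and the alert routing defined for the playbook are the two pieces a defender wants to see working together: the process-lineage check that raises the alert, and the tiering that decides who is paged and whether the host is isolated. The script below is an added example, not SentinelOne's detection logic and not the organization's playbook code. The events are constructed to resemble the fields of Windows Security process-creation events (ID 4688) as seen in Event Viewer; the field names, the host-to-group table and the `PLAYBOOK` actions are assumptions that follow the routing rules stated above (P1: SMS + email immediately; P2: email within 30 minutes; Critical on a server: automated isolation).

```python
"""Flag script interpreters spawned by Office processes in process-creation
events and route the alert according to a tiered playbook.

Added example; not SentinelOne detection logic and not the organization's
playbook code. Event records, field names, host groups and the playbook table
are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Hidden-window / encoded-command switches (T1027 in the mapping); they raise
# severity but are never the sole trigger, so plain admin use is not flagged.
ENCODED_FLAGS = re.compile(r"-(?:e|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden", re.I)

# Assumed host -> policy group table (would come from the rollout plan / console).
HOST_GROUPS = {"FIN-WS07": "office", "IT-ADMIN01": "office", "FS01": "servers"}

# Routing rules from the playbook: P1 pages immediately, P2 emails within 30
# minutes, Critical on a server adds automated network isolation.
PLAYBOOK = {
    "Critical": {"actions": ["isolate_endpoint", "sms", "email"], "sla": timedelta(0)},
    "P1":       {"actions": ["sms", "email"],                     "sla": timedelta(0)},
    "P2":       {"actions": ["email"],                            "sla": timedelta(minutes=30)},
}

# Constructed events shaped like 4688 fields. The encoded payload is a placeholder.
EVENTS = [
    {"time": "2024-01-15T09:12:03", "host": "FIN-WS07", "user": r"ACME\jdoe",
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -w hidden -enc UExBQ0VIT0xERVI="},
    {"time": "2024-01-15T09:14:40", "host": "IT-ADMIN01", "user": r"ACME\it.admin",
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile"},
    {"time": "2024-01-15T09:20:11", "host": "FS01", "user": r"ACME\svc-reports",
     "new_process": r"C:\Windows\System32\wscript.exe",
     "parent_process": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"wscript.exe C:\Users\Public\report.vbs"},
    {"time": "2024-01-15T09:21:05", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "parent_process": r"C:\Windows\System32\services.exe",
     "command_line": "cmd.exe /c backup.cmd"},
]


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event, host_groups):
    """Return an alert dict for Office -> script-host lineage, else None."""
    parent, child = basename(event["parent_process"]), basename(event["new_process"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    reasons = [f"{child} spawned by {parent} (T1059)"]
    severity = "P2"
    if ENCODED_FLAGS.search(event["command_line"]):
        severity = "P1"
        reasons.append("hidden/encoded command line (T1027)")
    if host_groups.get(event["host"]) == "servers":
        severity = "Critical"
        reasons.append("server policy: automated isolation")
    play = PLAYBOOK[severity]
    return {
        "host": event["host"], "user": event["user"], "severity": severity,
        "reasons": reasons, "actions": list(play["actions"]),
        "respond_by": datetime.fromisoformat(event["time"]) + play["sla"],
    }


def triage(events, host_groups):
    """Run evaluate() over a batch of events and keep only the alerts."""
    return [a for a in (evaluate(e, host_groups) for e in events) if a]


if __name__ == "__main__":
    for alert in triage(EVENTS, HOST_GROUPS):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']}: "
              f"{'; '.join(alert['reasons'])} -> {alert['actions']} by {alert['respond_by']}")
```

Two things in the rule are deliberate. The lineage check (`OFFICE_PARENTS` to `SCRIPT_HOSTS`) is the trigger, because that parent-child relationship is rare in legitimate use and is exactly what the legacy signature-based AV could not see; the command-line switches only escalate an alert that already fired, so an administrator's interactive PowerShell session is never paged on. The same structure applies to any other rare parent-child pair the team decides to watch.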
| Metric | Before | After |
|---|---|---|
| Detection Time | Days (user-reported) | <15 minutes (SentinelOne alert) |
| MTTR | ~48 hours | ~6 hours |
| Security Incidents Detected | 0 formally (discovered incidentally) | 5 detected & contained |
| Endpoint Visibility | 0% | 100% |
| False Positive Rate | N/A | <2% after 2-week tuning |
| Finding | Severity | Recommendation |
|---|---|---|
| No behavioral detection capability | Critical | Deploy EDR with AI behavioral analysis (SentinelOne Singularity) |
| Zero incident response playbooks | High | Establish tiered IR playbook with defined SLAs and escalation paths |
| No centralized endpoint visibility | High | Deploy RMM + EDR management console with alert routing |
| Legacy AV — inconsistent deployment | Medium | Standardize endpoint security via RMM policy deployment |
| Production floor on same flat network | Medium | VLAN segmentation to isolate OT-adjacent machines (see FortiGate Refresh) |
This EDR deployment addresses the following techniques by providing behavioral detection and automated containment:
| Technique | ID | How SentinelOne Addresses It |
|---|---|---|
| Command and Scripting Interpreter | T1059 | Behavioral AI detects anomalous PowerShell/script execution lineage |
| Data Encrypted for Impact (Ransomware) | T1486 | Rollback capability + auto-isolation on ransomware behavioral signatures |
| Impair Defenses | T1562 | Tamper protection prevents EDR agent modification |
| Obfuscated Files or Information | T1027 | Static AI + behavioral engines detect obfuscated payloads pre-execution |
| Valid Accounts | T1078 | Identity-based behavioral anomalies flagged via Vigilance MDR |