Morpheus automates Tier 1 and Tier 2 SOC work across Microsoft Sentinel, Defender, and Entra ID. Scale your MSSP, maintain SLA compliance and service quality.
This morning, SentinelOne entered an agreement to acquire Observo AI—a deal that we believe will prove to be a major accelerator for our strategy and a key step forward in realizing our vision.
Data pipelines are key to any enterprise IT transformation. Data pipelines, On-premise, and cloud-native are the modern-day router for how all information technology runs. This is especially pronounced today with the need to make accessible highly sanitized, critically contextualized data into LLM-based systems, to truly unlock an agentic AI future. At the same time, enterprises need to critically move data from legacy systems, and into scaleable, ideally real-time-enabling technologies. A robust data pipeline that can move data from any source to any destination is a critical need to successfully modernize any IT environment, and on all clouds, including Microsoft Azure, AWS, and GCP, and even move data between them. All in a completely secure way. Modern data pipelines don’t stop at just routing data, they filter it, transform it and enrich it, inline, and in real time—an imperative for data efficiency and cost optimization.
Simply put, moving data freely between systems is a huge technological advantage for any enterprise, especially right now.
This is why we acquired Observo.AI, the market leader in real-time data pipelines. It’s a deal that we believe will have huge benefits for customers and partners alike.
We want to make it clear that we pledge to continue offering Observo’s data pipeline to all enterprises, whether they’re SentinelOne Singularity customers or not. We support complete freedom and control to help all customers to be able to own, secure, and route their data anywhere they want.
For security data specifically, data pipelines are the heart that pumps the blood. Unifying enterprise security data from all possible sources, end products and controls, security event aggregators, data lakes, and any custom source on premise or cloud based. As I mentioned above, the data pipeline juncture is a critical one for the migration of data.
The best security comes from the most visibility.Observo.AI will give SentinelOne the ability to bring data instantly into our real time data lake—allowing for unprecedented outcomes for customers, and marking a huge leap forward towards, unified, real time, AI-driven security, and one step closer to supervised autonomous security operations.
Data pipelines and the state of security operations
Today’s security operations teams don’t suffer from a lack of data. They suffer from a lack of usable data, latency, and relevant content.
The major culprit? Legacy data pipelines that weren’t built for modern, AI-enabled SOCs and today’s ever expanding attack surface. The result is increased cost, complexity, and delay—forcing compromises that reduce visibility, limit protection and slow response.
Enter Observo AI—a modern, AI-native data pipeline platform that gives enterprises full control over their data flows in real time.
With the acquisition of Observo AI, SentinelOne will address customers’ most critical security data challenges head-on.
Observo AI delivers a real-time data pipeline that ingests, enriches, summarizes, and routes data across the enterprise—before it ever reaches a SIEM or data lake. This empowers customers to dramatically reduce costs, improve detection, and act faster across any environment. As a result, we can create significant new customer and partner value by allowing for fast and seamless data routing into our AI SIEM, or any other destination.
It’s an acquisition and decision many months in the making—the result of an exhaustive technical evaluation, deep customer engagement, and a clear conviction grounded in the same disciplined approach we apply to all of our M&A activities. When you are thorough and do the hard work to identify the best possible technology, you can shorten the time to market and improve customer outcomes. And, in this case, the conclusion was clear: Observo AI is the best real time data pipeline platform on the market, by far.
Growing data, growing complexity and growing attack surface
As data volumes grow across endpoints, identity, cloud, GenAI apps, intelligent agents, and infrastructure, the core challenge is no longer about collection. It’s about control. Security teams need to act faster—across an ever expanding attack surface—with greater context and lower overhead. But today’s data pipelines are bottlenecks—built for batch processing, limited in visibility, static, and too rigid for modern environments.
To move security toward real autonomy, we need more than detection and response. We need a streaming data layer that can ingest, optimize, enrich, correlate and route data intelligently and at scale.
By joining forces with Observo AI, SentinelOne can deliver a modern, AI-native data platform that gives enterprises full control over their data flows in real time—allowing for fast and seamless data routing into our SIEM, or any other destination.
It also strengthens the value we’re already delivering with Singularity and introduces a new model for reducing data costs and improving threat detection, across any SIEM or data lake—helping customers lower data overhead, improve signal quality, and extract more value from the data they already have, no matter where it lives.
Legacy data pipelines give way to the next generation
Yesterday’s security data pipelines weren’t designed for autonomous systems and operations. They were built for manual triage, static rules, and post-ingestion filtering. As organizations move toward AI-enabled SOCs, that model breaks down.
Data today is:
Duplicated and noisy
Delayed in enrichment and normalization
Inconsistent across environments
Expensive to ingest and store
Dynamic in nature while solutions are rigid
The result is that too many security operations teams are forced to compromise— compromise for cost, for speed, for complexity, for innovation, and worse of all—compromise on the right visibility at the right time.
Observo AI is defining the next generation of data pipelines that change that by acting as an AI-driven streaming control plane for data. It operates upstream of SIEMs, data lakes, and AI engines—applying real-time enrichment, filtering, routing, summarizing, and masking before the data reaches storage or analysis. All this is achieved utilizing powerful AI models that continuously learn from the data.
It doesn’t just process more data. It delivers better data, faster, and with lower operational overhead.
The result is that teams can now harness the full benefit of all data in the SOC without compromise.
Observo AI’s real-time data pipeline advantage
Observo AI ingests data from any source—on-prem, edge, or cloud—and routes data to any destination, including SIEMs, object stores, analytics engines, and AI systems like Purple AI.
Key capabilities include:
Open integration – Supports industry standards and formats like OCSF, OpenTelemetry, JSON, and Parquet—ensuring compatibility across diverse ecosystems.
ML-based summarization and reduction – Uses machine learning to reduce data volume by up to 80%, without losing critical signal.
Streaming anomaly detection – Detects outliers and abnormal data in flight, not after the fact.
Contextual enrichment – Adds GeoIP, threat intelligence, asset metadata, and scoring in real time.
Field-level optimization – Dynamically identifies and drops redundant or unused fields based on usage patterns.
Automated PII redaction – Detects and masks sensitive data across structured and semi-structured formats while streaming.
Policy-based routing – Supports conditional logic to forward specific subsets of data—such as failures, high-risk activity, or enriched logs—to targeted destinations.
Agentic pipeline interface – Enables teams to generate and modify pipelines through natural language, not just static configuration files.
What We Learned from Evaluation and Customers
Prior to today’s announcement, we conducted a hands-on technical evaluation of the broader data pipeline landscape. We started with nine vendors and down-selected to four based on architecture, maturity, and extensibility.
To evaluate potential technology OEM partners, we conducted a structured scoring process across 11 technical dimensions, each representing a critical capability for scalable, secure, and high-performance data ingestion and transformation.
The evaluation criteria included:
Scalable data ingestion
On-prem and cloud collection support
Monitoring and UX
Speed of integrationBreadth of pre-built security integrations
OCSF mapping and normalization
Data transformations and enrichment capabilities
Filtering and streaming support
Sensitive data detection (PII)
Anomaly detection
Vendor lock-in mitigation (e.g., open formats, agnostic routing)
Meets Expectations – functionally sufficient, may require optimization or future roadmap improvements
Does Not Meet Expectations – unsupported or significantly limited
Final vendor scores were calculated by normalizing across all 11 categories, enabling a comparative ranking based on technical depth, deployment readiness, and extensibility. Based on this methodology, Observo emerged as the clear front-runner, outperforming all other solutions in performance, UX, protocol support, and time-to-value.
Observo AI emerged as the clear leader—scoring highest across nearly every category. It wasn’t close.
We also conducted dozens of SentinelOne customer interviews across industries—ranging from high-scale technology firms to Fortune 500 enterprises. These organizations often operate at ingest volumes in the tens of terabytes per day, with clear plans to scale past 100+ TB/day.
Across those conversations, one theme was consistent: Observo AI was the best—the only next-generation, highly scalable data pipeline solution that was in serious consideration.
Other solutions were seen as either too rigid, too complex to manage, or lacking in automation and scale. Some were viewed as solid first-generation attempts—good for basic log shipping, but not built for real-time, AI-enabled operations.
Observo AI stood out for its ease of deployment, intuitive interface, rapid time to ROI, and overall maturity across cost optimization, AI support, and customer experience. As Lucas Moody, CISO of Alteryx, put it: “Observo AI solves our data sprawl issue so we can focus our time, attention, energy, and love on things that are going to matter downstream.”
In summary
Legacy data pipelines built for another era are forcing compromises that reduce visibility, limit protection and slow response for security operations teams managing today’s SOC
Observo AI is the defining AI-native, real-time data pipeline that ingests, enriches, summarizes, and routes data across the enterprise—before it ever reaches a SIEM or data lake
With Observo AI we will help customers dramatically reduce costs, improve detection, and act faster across any environment
This will be an accelerant to our AI SIEM strategy and our data solutions—creating significant new customer and partner value and bringing the autonomous SOC one step closer to reality
We’re excited to welcome the Observo AI team to SentinelOne, and even more excited about what this unlocks for our customers—a data pipeline built for the age of AI and autonomous security operations.
For any customer looking to route, ingest or optimize any type of enterprise data, with its vast integration ecosystem, and ML driven pipelines, Observo.AI is the best technology in the market, and the fastest to deploy, to start seeing real outcomes—now.
The era of evaluating AI on its potential is over. For CISOs, the only conversation about AI worth having in cybersecurity is about proven performance. The executive mandate is clear – every leader is being asked how they are using AI to get better, faster, and more profitable. For CISOs, this pressure transforms the conversation from if they should adopt AI to how to do it right. The right AI investment is one that strengthens the business by delivering faster threat containment, creating more efficient security teams, and providing a quantifiable reduction in overall risk.
In a landscape where every vendor claims AI supremacy, the measure of a platform’s worth is not its model size or an arbitrary LLM benchmark, but its ability to deliver on those business imperatives. It’s time to move beyond the hype and focus on the results of implementing AI for security operations.
Security teams face unprecedented pressure from a growing volume, complexity, and speed of cyberattacks – it’s more noise, more work, more risk. Tried-and-true security methods and manual workflows are struggling to keep pace, resulting in overwhelmed analysts, overlooked alerts, and greater organizational risk. In response, security teams not only need new tools, but also a fundamental shift in how they approach security.
To guide this transformation, SentinelOne created the Autonomous SOC Maturity Model, a framework showing how advanced generative and agentic AI are essential to augment human expertise, analyze data, and automate workflows to counter threats at machine speed.
Discerning Genuine AI Value from Market Noise
For CISOs, the challenge lies in cutting through the deafening market noise to identify actual AI-driven value. True AI value manifests when organizations can accelerate their threat detection and response times while reducing critical metrics such as MTTD and MTTR. By automating routine and repetitive tasks, AI enables experienced analysts to focus their expertise on proactive threat hunting and deeper investigation.
Organizations implementing AI in their security programs aim for substantial gains in efficiency, demonstrably lower risk, and a reduction in the probability and severity of security incidents. Tools driven by AI become essential to security teams when they improve the analyst workflow and provide security professionals of all levels with amplified capabilities. Most people are now familiar with generative AI: tools that help assist you with work.
In security, that means generating readable content from raw data (incident summaries, queries, investigative insights) to help an analyst understand what’s happening faster. It’s about speeding up comprehension. Agentic AI goes further. This isn’t about just providing assistance, it’s about systems that can do the work. Advanced AI systems, particularly those that leverage agentic capabilities, can now handle data recall and correlation, and even initiate decision-making steps with precision, enabling teams to respond faster and more accurately.
The most effective AI complements and amplifies human expertise and vice versa, driving towards a more resilient security posture. Ultimately, the goal of a well-designed AI system is where the human role is elevated to strategic oversight and supervision of AI actions, applying their expertise and deep institutional knowledge of tools and processes in a more effective way. The role of the analyst shifts from manually triaging and investigating a queue of alerts to applying their expertise for the supervision of an autonomous system. AI agents can reason through multi-step tasks, decide on next actions, prioritize what matters most, and move workflows forward autonomously, while maintaining transparency and keeping a human in the loop.
Navigating the AI Maze: What CISOs Should Look For In AI Tools
Navigating the AI vendor landscape is challenging. Use this checklist to prioritize solutions that deliver smarter, faster, and more integrated security, ensuring you invest in true value, not just hype.
1. Does It Deliver Unified, Actionable Visibility?
Can the AI break down data silos by ingesting and correlating intelligence from my entire security landscape, including endpoints, cloud workloads, identities, firewall, SASE, and threat intelligence feeds?
Does it provide a single, unified view to turn disparate data points into actionable insights?
2. Does It Support Open Standards for Better Detection?
Does the platform adopt open standards for data normalization, like the Open Cybersecurity Schema Framework (OCSF)?
Will this result in more accurate, context-rich threat detection by ensuring all my security tools speak the same language?
3. Does It Drive Action and Containment?
Does the AI move beyond simply identifying issues to actively helping my team contain them?
Can it transform raw telemetry into clear intelligence that drives automated response actions or provides prioritized, guided pathways to remediation?
4. Does It Empower Analysts and Foster Autonomy?
Is the AI designed to simplify complexity and empower analysts of all skill levels, reducing alert fatigue and freeing up human talent for the most critical threats?
Does it help my team move towards a more autonomous operational model?
5. Does It Act as a True Force Multiplier?
Does the platform leverage both generative AI (for insights and understanding) and agentic AI (for autonomous actions and decision-making)?
Is there clear evidence that the AI continuously learns, adapts, and enhances the capabilities and efficiency of my security team?
From Anecdote to Evidence: Outcomes of AI Deployments
Confronted with these challenges and choices, how can security leaders separate credible AI solutions from the hype? The answer lies in data-driven evaluations and an honest look at real-world implementations. Security leaders should evaluate solutions that demonstrate how advanced AI capabilities translate into measurable security and business outcomes.
A recent IDC white paper, “The Business Value of SentinelOne Purple AI” [1] offers precisely this kind of quantitative evaluation. IDC conducted in-depth interviews with organizations using SentinelOne’s Purple AI, a solution that leverages cutting-edge generative AI and agentic AI to accelerate workflows like investigation, hunting, triage, and response.
The findings from these real-world deployments provide compelling insights into the tangible benefits AI can deliver when aligned with the needs of security leaders for speed, efficiency, and risk reduction. With the Singularity Platform and Purple AI, customers experienced significant improvements:
63% faster to identify and 55% faster to resolve security threats, meaning incidents are contained in minutes, not hours.
Security teams became 38% more efficient, allowing them to support 61% more endpoints per team member.
A 338% three-year ROI with a payback period of just four months.
These customer outcomes are attributed to Purple AI’s capabilities, including natural language querying, automated event summarization, suggested next investigation steps, and the automation provided by its agentic AI features like Auto-Triage. Organizations found that Purple AI enabled them to enhance their security operations, become more operationally efficient, and improve overall security outcomes, reducing operational risk and increasing business confidence.
Don’t just take our word for it – hear from existing Purple AI customers featured in the report about how they:
Enhanced Security Operations: “Being able to ask a native question with SentinelOne Purple AI without needing to know specific keywords or learn new syntax is a massive force multiplier, saving us a lot of time.”
Improved Operational Efficiency: “With Purple AI, we don’t have to scale our security expert team. At this point, we are avoiding hiring and we’ll be able to leverage our existing application teams.”
Realized Risk Reduction: “Having Purple AI has been instrumental in improving our operational maturity. It allows us to conduct investigations with specificity, making informed decisions around security posture and ensuring nothing sneaks into our environment.”
Increased Business Confidence: “In terms of innovation, I think it will potentially help us take more risks in the future because we’ll have more confidence.”
Beyond the Buzz: Judge for Yourself
When AI – incorporating both generative and agentic strengths – is thoughtfully implemented to address the demands of security teams, it moves the needle for security operations in a very real and measurable way. The key is to look past the marketing slogans and focus on validated outcomes. Generative and agentic AI will undoubtedly shape the future of the security operations center, and CISOs must move from cautious curiosity to strategic adoption.
Is AI a distraction or your next competitive advantage? Get the definitive answer in our on-demand webinar, Beyond the Buzz: Separating AI Hype from Security Outcomes. We present IDC’s quantitative evaluation of real AI implementations and feature insights from current Purple AI customers, IDC Research Vice President Chris Kissel, and SentinelOne’s Senior Director of Product Management Adriana Corona.
To learn more about how to transform security operations with Purple AI’s revolutionary approach to the Autonomous SOC, visit our web page or request a demo from a product expert.
[1] IDC Business Value White Paper, sponsored by SentinelOne, The Business Value of SentinelOne’s Purple AI, #US53337725, July 2025
Purple AI
Your AI security analyst. Detect earlier, respond faster, and stay ahead of attacks.
Login
Exceeds Expectations – mature, production-grade capability
Meets Expectations – functionally sufficient, may require optimization or future roadmap improvements
Does Not Meet Expectations – unsupported or significantly limited
1. 
