It was an interesting juxtaposition of news items today for incident response powerhouse Mandiant.

On the one hand, Bloomberg reported that Mandiant is in discussions with Microsoft, potentially leading to a tie-up of the two companies. Microsoft acquiring Mandiant would plug a major gap in the tech giant’s portfolio of security offerings with the addition of incident response (IR) services. While Microsoft is a serious player in most major security segments at this point, the company is notably absent, for instance, from Gartner’s recent Market Guide for Digital Forensics and Incident Response Services. So, the reported Microsoft-Mandiant talks, coming just a few months after Mandiant regained its independence from FireEye, make sense.

Then there’s the second news item from today about Mandiant — this one based on an announcement by the company. Mandiant disclosed a new partnership with cyber firm SentinelOne, a key part of which involves Mandiant using SentinelOne’s Singularity XDR platform as part of its IR work.

SentinelOne is, among other things, a fast-growing challenger to Microsoft and its security business aspirations. While not as vocal as fellow Microsoft rival CrowdStrike, SentinelOne has still made efforts to tout advantages for its technology compared to Microsoft.

“While Microsoft Defender for Endpoint may provide ‘Advanced Threat Protection’ for Windows 10+ endpoints, they lag severely behind in features and coverage for macOS, Linux, and earlier Windows versions,” SentinelOne says on its website, on a page dedicated to comparing Microsoft vs SentinelOne. “SentinelOne is better equipped for the unique needs of every organization with support for modern and legacy operating systems and feature parity across Windows, macOS, and Linux.”

And while SentinelOne is still establishing itself and just went public last year, it has plenty of momentum: As of its most recently reported quarter, annual recurring revenue had surged 131%, year-over-year, to $237 million.

Thus, the juxtaposition: Mandiant is reportedly in talks with Microsoft about an acquisition, and Mandiant is simultaneously launching a relationship with a rising Microsoft competitor.

Mandiant expanding its horizons

CRN offers some insights into what Mandiant is up to on the SentinelOne side of things. Plain and simple, Mandiant needs to support more endpoint detection and response (EDR) platforms than just Trellix (formerly FireEye) and Microsoft, Mandiant chief technology officer Marshall Heilman told the site.

And SentinelOne is a natural choice for Mandiant to go with, for many reasons. SentinelOne not only offers advanced analytics for IR — derived in part from the company’s acquisition of Scalyr last year — but SentinelOne also doesn’t itself compete with IR services providers, said Nicholas Warner, chief operating officer at the company, in a recent interview.

“We made a strategic decision a few years ago to totally focus on being a solution and technology provider, not a services firm,” Warner said.

Both of these developments — Mandiant partnering with SentinelOne, and Mandiant potentially looking at an acquisition by Microsoft — make all sorts of sense, individually.

But do they make sense when put together? Does Mandiant leveraging SentinelOne’s technology for its IR work make the company even more appealing to Microsoft — since now Mandiant is more diversified and has access to some of the most cutting-edge analytics out there for IR?

Or, does Mandiant working with a Microsoft rival like SentinelOne actually suggest that maybe getting on Microsoft’s good side isn’t the top priority now?

The answer is not yet clear, but these are interesting and important questions.

Microsoft’s strategy

Tech companies are known to partner with each other on one front while competing on another.

So, it’s very possible that Mandiant would cozy up to SentinelOne and explore a tie-up with Microsoft at the same time. The outcome here could all depend, perhaps, on what type of IR services business Microsoft would prefer to own — one that keeps the focus on the Microsoft security ecosystem, or one that is willing to go broader.

To know the answer to that, you’d have to know what Microsoft’s strategy is here. And given that Microsoft isn’t saying anything right now about what it is reportedly up to with Mandiant, we’ll have to wait and see on that.

But, for Microsoft’s purposes, at least Mandiant so far isn’t using CrowdStrike.
