Taking the simplest-to-digest information first, we will talk about the partnership of Mandiant and SentinelOne. This is almost a no-brainer. After Mandiant became an independent company, they needed to expand their horizons as far as the tools they use to support their primary business, incident response. By adding in another major player in the XDR market space, they can cater to a wider audience and expand their footprint. Having worked with IR teams in the past, I can tell you that a dependence on a single tool (regardless of how good it is) can be a turn-off when making a deal. The reliance on a single product to gather information and to respond to an incident in progress is just not a good business solution.
Their options are relatively limited here. Most other XDR companies already have their own internal IR team. Only SentinelOne does not play in the services pond. That makes them an excellent technology partner, and the reputation of their product (Singularity), with its Deep Visibility scanning, can make data forensics and responding to a threat actor simpler in practice. The pairing is good for both parties. If Mandiant is working with someone that already has SentinelOne in place, they can work directly with it; if not, the completeness of the tool could lead to follow-on business for SentinelOne. Easy, right?
Now for the more complex part. Talks by Microsoft to acquire Mandiant might seem simple on the surface. Microsoft has no public IT service offering, although they do have response teams. You might not see Microsoft out in front in an incident, but trust me, they are going to be present for just about any major breach. Scooping up Mandiant would fill that void nicely. On the other hand, things might not be as simple as wanting an IR offering. Microsoft has been working very hard to improve security around their own products. They have rolled out a very nice information and risk tracking dashboard that allows security teams to see and respond to threats through this portal. They have it broken out into different functions like Defender for Endpoint, Azure ATP, Defender for MS365 and so on. Grabbing up a company like Mandiant could allow them to add excellent data collection and context tools to the existing set.
Either way is a win for Microsoft, and it is likely that they are looking to do both here. Picking up Mandiant gives Microsoft access to a lot of tools and talent that would make for a nice IR service and boost their existing product stack. It would make it very attractive for security-conscious organization admins and security teams. It would also allow for streamlining the tool sets that an organization would need to maintain to ensure at least that part of their infrastructure was secure. If Microsoft allows for ingestion of other logs and data streams from AWS, GCP and more, then it could become a very nice cloud security platform. I can envision this as a goal for Microsoft given their recent security push.
As for Mandiant’s partnership with SentinelOne? Well, that is probably not going to be an issue for any of the three companies. Mandiant is still smart for building the relationship, as is SentinelOne. If there is no buy of Mandiant, they still must keep the lights on, and a partnership like this one will help do that. If Microsoft does buy them, the “rivalry” between Microsoft as a security provider and SentinelOne still won’t matter. If anything, it will strengthen the two remaining companies’ positions. It might also lead to additional technology partnerships between the two. Plus, maybe Microsoft will look to buy SentinelOne in the future. We know they are not above spending money if the technology and the market show that it makes sense. This one will be an interesting trio to watch.