Blog · Platform Separation

SentinelOne protects every endpoint, so its exit re-arms the whole fleet.

SentinelOne TSA separation is the work of standing up a dedicated Newco Singularity console, rebuilding the site and group structure and the protection policies, re deploying or re tokenizing the agents across the fleet, handing over threat data, and exiting the seller console before Newco endpoints keep reporting to the seller security operations. The work sits inside the broader carve-out advisory program because endpoint detection and response is the security control that protects every device. Treated casually, it leaves Newco endpoints monitored by the seller and Newco without visibility into its own threats.

5
Workstreams
2 to 4 Mo.
Typical Timeline
7 min
Read Time
2026
Last Updated
Section 01

Console inventory and target tenant strategy.

SentinelOne separation starts with an inventory of the seller console. The buyer needs the agent estate across endpoints and servers, the site and group structure, the protection and detection policies, the exclusions and allowlists, the integrations into the security operations stack, the threat and incident history, and the administrators. Endpoint detection and response is the control that watches every device, so the inventory maps how the whole fleet is protected.

The seller runs Newco agents inside a shared console, organized as sites and groups alongside the rest of the seller estate. The clean end state is a dedicated Newco console or management tenant, contracted and administered by Newco, with its own sites, policies, and security operations. A shared seller console is acceptable only as a bridge during the TSA, because the seller controls the console, sees Newco threat data, and can change Newco protection.

Target tenant strategy turns on whether Newco runs its own console or a dedicated tenant under a managed arrangement. A standalone business with its own security team takes a full console, while a smaller Newco may run a managed detection and response service over a dedicated tenant. The decision is settled early because it drives the agent re deployment and the security operations handoff.

A clean inventory drives the sequence: the console build, the site and policy rebuild, the agent move, the integration reconnection, and the cutover. Because the agents protect every endpoint, the inventory is also the basis for re arming the fleet without leaving a gap in coverage.

Section 02

Contracting and the SentinelOne commercial.

SentinelOne is licensed per endpoint across its Singularity tiers, often inside a broader seller agreement. That agreement does not transfer in a carve-out. Newco signs a direct subscription sized to its real endpoint count and the tier it needs, whether core endpoint protection, the fuller detection and response capability, or the extended platform. The risk is that Newco inherits a tier and module set scaled for the seller estate.

SentinelOne reads a carve-out as a buyer that must protect a defined fleet. Negotiating leverage comes from the endpoint commitment and from a credible alternative endpoint detection platform. The buyer scopes the Newco subscription from the agent inventory before negotiating, and writes onboarding support into the contract so the console and policies are validated before the agents move.

Where the seller continues to protect Newco endpoints through a TSA period, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA defines who runs Newco detections, how threat data and incident history are returned, and what visibility the seller retains. Security coverage cannot lapse, so the TSA keeps the seller console protecting Newco endpoints until the Newco console is proven.

Implementation, where a partner is engaged, is fixed fee for defined deliverables under disciplined change control. A console stand up and an agent re deployment have a finite scope, contracted against named sites, policies, and an endpoint count rather than open ended consulting time. The engagement model is Fixed Fee plus Portfolio Retainer.

Section 03

Sites, policies, and the agent move.

The Newco console is built with the site and group structure Newco needs, and the protection policies are rebuilt. The detection and response policies, the exclusions that keep legitimate software from being flagged, and the remediation settings are recreated so Newco enforces its own protection. The buyer reviews the seller policies, keeps what fits, and tightens or relaxes settings for the standalone estate rather than copying the seller configuration.

Moving the agents is the core technical step. A SentinelOne agent reports to the console identified by a site token, so re homing an endpoint to the Newco console means re tokenizing or re deploying the agent against the Newco tenant. Where the platform supports moving an agent between consoles with a new token, that is the lighter path, and where it does not, the agent is uninstalled and redeployed. The buyer confirms the mechanism before planning the fleet move.

The agents are moved in waves so coverage never drops. The buyer ensures an endpoint is protected by the Newco console before it leaves the seller console, avoiding a window where a device runs unmonitored. Servers and high value endpoints are handled with extra care because a misstep on a production server is costly.

Because the agent often sits quietly on the endpoint, the move can be driven centrally where the deployment tooling allows, which makes the agent re deployment less user dependent than a device re enrollment but no less important to track to completion.

Section 04

Integrations, threat data, and the security operations handoff.

The integration estate is rebuilt around the Newco console. SentinelOne feeds detections into the security information and event management platform, the ticketing system, and the security orchestration tooling, and pulls threat intelligence in. Each integration is reconnected to the Newco console so detections reach the Newco security operations rather than the seller. An integration left pointing at the seller console sends Newco alerts to the wrong team.

Threat and incident history is handed over deliberately. The seller console holds the detection history, the incident records, and the forensic data for Newco endpoints, and the buyer decides what Newco needs for continuity and compliance versus what stays under the seller retention. The history that informs ongoing investigations and satisfies regulatory obligations is exported so Newco does not lose its security record at the boundary.

The security operations handoff is the human side. The seller security team or its managed service watched Newco endpoints, and that watch must transfer cleanly to the Newco team or a Newco managed service with no blind spot in between. The buyer aligns the handoff with the broader CrowdStrike security separation discipline where the same continuity of monitoring applies.

Identity for the console is reconnected to the Newco identity provider so Newco analysts authenticate to the Newco console through Newco single sign on, and seller analysts lose access to Newco threat data at the right moment.

Section 05

Cutover, validation, and continuous coverage.

Cutover moves endpoint protection from the seller console to the Newco console, agent by agent, with coverage maintained throughout. Because security cannot lapse, the cutover is sequenced so every endpoint is protected by one console or the other at all times, and the runbook covers the policy activation, the agent re deployment waves, the integration reconnection, the security operations handoff, and the threat data export.

Validation confirms protection works on real endpoints. A re homed agent reports to the Newco console, enforces its policy, and raises detections that reach the Newco security operations, and a test detection flows end to end into the Newco ticketing and response process. The buyer validates the detection pipeline before scaling the agent move, because a console that does not surface a real detection is not yet protecting the fleet.

Stabilization runs while the fleet completes the move. Agents that failed to re home, policy misconfigurations, and broken integrations are triaged within agreed service-level commitments and treated with priority because a gap in endpoint detection is a security exposure. The buyer tracks the share of the fleet reporting to the Newco console before certifying endpoint protection for TSA exit.

Decommissioning the seller protection is explicit. Once Newco endpoints report to the Newco console and the TSA tail closes, the seller removes the Newco agents from its console, confirms the seller security team no longer sees Newco threat data, and the agreed threat history has been returned to Newco.

Section 06

Cost discipline and where carve-outs go wrong.

SentinelOne separation cost is driven by the per endpoint subscription and by the effort of re deploying agents and rebuilding the security operations integrations. The discipline is to size the tier to Newco real needs, decide between a self run console and a managed service deliberately, and plan the agent move so coverage never drops rather than treating it as a simple software push.

The common failure mode is creating a coverage gap during the move. An endpoint that leaves the seller console before the Newco console protects it runs unmonitored, which is exactly when an incident is most costly. Buyers that sequence the move so every endpoint is always protected by one console avoid the gap.

The common operational mistake is neglecting the security operations handoff and the threat history. A console that raises detections no one is watching is not protection, and a separation that drops the incident history loses the security record. The fix is to transfer the watch cleanly and export the history. A PMO maintains the dependency map across the console, identity, and the security operations stack, escalating blocks inside forty eight hours.

A clean SentinelOne separation produces a Newco that protects its own endpoints from its own console, with its own security operations and its threat history intact, and a seller that no longer sees Newco threats. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.

FAQ

Questions buyers ask about SentinelOne separation.

Does Newco need its own SentinelOne console?

Yes. The clean end state is a dedicated Newco console or management tenant, contracted and administered by Newco, with its own sites, policies, and security operations. A shared seller console is acceptable only as a bridge during the TSA, because the seller otherwise controls protection, sees Newco threat data, and can change Newco policy.

How do SentinelOne agents move to a new console?

An agent reports to the console identified by a site token, so re homing an endpoint means re tokenizing or re deploying the agent against the Newco tenant. Where the platform supports moving an agent with a new token that is the lighter path, and where it does not the agent is uninstalled and redeployed. The buyer confirms the mechanism before planning the fleet move.

How is a security coverage gap avoided during separation?

By sequencing the move so every endpoint is protected by one console at all times. The buyer ensures an endpoint is reporting to the Newco console before it leaves the seller console, so no device runs unmonitored. A coverage gap is most costly precisely when an incident occurs, so the move is planned to prevent one.

What happens to the threat and incident history at exit?

The seller console holds the detection and incident history for Newco endpoints. The buyer decides what Newco needs for continuity and compliance, exports that history before exit, and confirms the seller retains only what its own obligations require, so Newco keeps its security record across the boundary.

Related Reading

More on platform separation.

Free Download

Get the buyer-side TSA Exit Playbook.

The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.

No spam. Unsubscribe in one click. · Read the overview first →

SentinelOne protects every endpoint, so its exit re-arms the whole fleet.
TSA Exit Acceleration

Off the seller’s security console. Watching its own fleet from Day One.

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.

White paper

The TSA Exit Playbook

Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.

Read the playbook →
White paper

The Cybersecurity Day-One Playbook

Exit the seller's security stack first. Every week of shared security is a week of shared blast radius on a business they no longer own.

Read the playbook →
The Day One Letter

Get buyer-side TSA intelligence every two weeks

One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.

Subscribe to The Day One Letter →