“We’re Building the AI-Native SOC”:
SentinelOne’s Jackie Lehmann on the Observo AI Acquisition

When SentinelOne announced its acquisition of Observo AI, it wasn’t just another addition to the company’s technology stack. It was a statement of intent. The California-based cybersecurity firm, best known for its AI-driven endpoint protection, is setting its sights on transforming the Security Information and Event Management (SIEM) market—and ultimately, on building what it calls the AI-native Security Operations Centre (SOC).
To understand what’s at stake, MoveTheNeedle.news spoke with Jackie Lehmann, Director of Security Data and Analytics at SentinelOne, about why SIEM is ripe for disruption, how Observo AI fits into the company’s vision, and what the future of SOC economics might look like.
Why traditional SIEM is no longer enough
SIEM has long been the foundation of enterprise security. It pulls together logs and telemetry from across the IT estate—servers, endpoints, applications, cloud environments, firewalls—so that analysts can detect suspicious activity.
But as Lehmann points out, the model has struggled to keep up with today’s data volumes.
“In today’s cybersecurity landscape, the sheer volume and complexity of data has unfortunately created challenges for enterprises to securely move their data,” she says. “Not only that, but traditional SIEMs are not designed for these massive data volumes.”
The result is inefficiency, spiralling costs, and noisy alerts.
“A robust data pipeline that can move data from any source to any destination is a critical need to successfully modernise any IT environment, and on all clouds – this is why we acquired Observo AI,” Lehmann explains. “Enterprises will now be able to filter and optimise their data at the source before reaching Singularity AI SIEM. This dramatically reduces irrelevant data, cutting down the noise to help improve detection and surface high-fidelity threats.”
The cost–visibility trade-off
For many security leaders, the biggest pain point with SIEM has been cost. Compliance rules force organisations to keep logs for months or even years, but storing and processing that volume of data with legacy systems is expensive.
“Organisations are forced to choose between the high cost of data ingestion and the need for comprehensive long-range data retention for compliance and forensics,” Lehmann says. “This leads to compromises on what data to keep, which creates dangerous security blind spots.”
That is the dilemma SentinelOne hopes to resolve. With Observo AI’s pipeline integrated into its platform, the company claims organisations can manage massive data volumes at 99% lower storage costs, eliminate 100% of redundant data storage across platforms, and lower ingest and retention costs by up to 50%. These are SentinelOne’s own figures; the interview does not say how they were measured or against which baseline.
“Our AI SIEM, with the new Observo AI pipeline, allows you to manage massive data volumes … so you never have to make that trade-off again,” Lehmann says.
Cleaner data for smarter AI
If economics are one side of the story, data quality is the other. SIEMs are only as effective as the information fed into them, and legacy systems ingest vast amounts of raw telemetry with little filtering. That, Lehmann argues, is a recipe for inefficiency.
“Observo AI's pipeline processes, enriches, and filters data in real-time, before it ever reaches our AI SIEM,” she says. “This eliminates the noisy, raw telemetry that bogs down traditional systems, resulting in much cleaner data for analysis. By providing our platform with higher-quality, pre-enriched data, with Observo AI, our machine learning models and AI-driven detections are even more accurate and efficient. Instead of training on a sea of irrelevant information, our models are working with the most relevant and contextual data.”
The company believes this will accelerate progress towards an autonomous SOC—a security operations centre where AI systems make decisions and take actions at machine speed, with human-like reasoning.
“A key part of our vision is to build a truly autonomous SOC,” Lehmann says. “Observo AI's ability to deliver high-fidelity, contextual data in real-time is the foundation for our agentic AI workflows, where autonomous systems can make decisions and act at machine speed with human-like reasoning.”
Quantifying the gains
So what does this mean in practice for SentinelOne’s customers? Lehmann points to specific performance improvements.
“Customers can expect ML-based summarisation to reduce data volume up to 80%, without losing critical information,” she says.
And the capabilities don’t stop there. “They can also expect open integration, real-time streaming anomaly detection, contextual enrichment (GeoIP, threat intelligence, asset metadata, scoring), field-level optimisation, automated PII redaction, policy-based routing, and a natural language agentic pipeline interface.”
For security teams accustomed to juggling fragmented tools, these features promise to streamline operations and cut down manual work.
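What such a pre-ingest pipeline looks like in practice, as an added illustration that is not Observo AI’s or SentinelOne’s code: the stages the interview names are applied in order to a handful of constructed events, filtering noise at the source, redacting PII with a keyed token so the field stays correlatable, enriching with asset metadata and threat intelligence, collapsing repeated events into one summarised record (the volume-reduction idea behind the 80% claim above), and routing by policy so only high-fidelity events reach the SIEM while the rest go to cheap archive storage. The enrichment tables, scoring rules, threshold, field names, sample events and redaction key are all assumptions made for this example.

```python
"""Pre-ingest security data pipeline: filter, redact, enrich, summarise, route.

Added example only; not Observo AI or SentinelOne code. Every table, rule,
field name and sample event below is constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import re
from collections import OrderedDict

# Constructed sample telemetry (not real logs): two heartbeats, a repeated
# successful login, a burst of failures from an address the fake TI table knows.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T10:00:00Z", "src": "10.0.2.7", "dst": "10.0.1.5", "action": "login_ok", "user": "alice@example.com"},
    {"ts": "2025-01-01T10:00:01Z", "src": "10.0.2.7", "dst": "10.0.1.5", "action": "login_ok", "user": "alice@example.com"},
    {"ts": "2025-01-01T10:00:02Z", "src": "10.0.2.8", "dst": "10.0.9.9", "action": "heartbeat"},
    {"ts": "2025-01-01T10:00:03Z", "src": "10.0.2.8", "dst": "10.0.9.9", "action": "heartbeat"},
    {"ts": "2025-01-01T10:00:04Z", "src": "203.0.113.9", "dst": "10.0.1.5", "action": "login_fail", "user": "bob@example.com"},
    {"ts": "2025-01-01T10:00:05Z", "src": "203.0.113.9", "dst": "10.0.1.5", "action": "login_fail", "user": "bob@example.com"},
    {"ts": "2025-01-01T10:00:06Z", "src": "203.0.113.9", "dst": "10.0.1.5", "action": "login_fail", "user": "bob@example.com"},
    {"ts": "2025-01-01T10:00:07Z", "src": "10.0.2.9", "dst": "10.0.3.3", "action": "file_read", "user": "carol@example.com"},
]

# Hypothetical enrichment sources; a real pipeline would pull these from a
# CMDB and threat-intelligence feeds rather than inline dicts.
ASSET_METADATA = {"10.0.1.5": {"host": "db-01", "tier": "critical"},
                  "10.0.3.3": {"host": "fs-02", "tier": "standard"}}
THREAT_INTEL = {"203.0.113.9": "known-c2"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NOISE_ACTIONS = {"heartbeat", "debug"}
ACTION_BASE_SCORE = {"login_fail": 40, "login_ok": 10, "file_read": 10}
SIEM_THRESHOLD = 50  # assumed policy: score at or above this goes to the SIEM

# Constructed key. Keyed tokenisation (HMAC) removes the raw identifier but
# keeps the same user correlatable across events; the key must be secret.
REDACTION_KEY = b"example-only-rotate-me"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_noise(event):
    """Filter at source: drop events that carry no detection value."""
    return event.get("action") in NOISE_ACTIONS


def tokenise(value):
    digest = hmac.new(REDACTION_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:12]


def redact_pii(event):
    """Replace e-mail addresses in any string field with a keyed token."""
    return {k: EMAIL_RE.sub(lambda m: tokenise(m.group(0)), v) if isinstance(v, str) else v
            for k, v in event.items()}


def enrich(event):
    """Attach asset metadata, threat tag, internal/external flag and a 0-100 score."""
    src, dst = event["src"], event["dst"]
    out = dict(event)
    asset = ASSET_METADATA.get(dst, {"host": "unknown", "tier": "unknown"})
    out["dst_host"], out["dst_tier"] = asset["host"], asset["tier"]
    out["src_threat"] = THREAT_INTEL.get(src)
    out["src_internal"] = any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS)
    score = ACTION_BASE_SCORE.get(event["action"], 0)
    score += 50 if out["src_threat"] else 0          # assumed weights
    score += 20 if out["dst_tier"] == "critical" else 0
    score += 0 if out["src_internal"] else 10
    out["score"] = min(score, 100)
    return out


def summarise(events):
    """Collapse repeats of the same (src, dst, action, user) into one record with a count."""
    groups = OrderedDict()
    for ev in events:
        key = (ev["src"], ev["dst"], ev["action"], ev.get("user"))
        if key in groups:
            groups[key]["count"] += 1
            groups[key]["last_ts"] = ev["ts"]
        else:
            g = dict(ev)
            g["first_ts"] = g.pop("ts")
            g["last_ts"] = g["first_ts"]
            g["count"] = 1
            groups[key] = g
    return list(groups.values())


def route(event):
    """Policy-based routing: high-fidelity or critical-asset events to the SIEM, rest to archive."""
    if event["score"] >= SIEM_THRESHOLD or event["dst_tier"] == "critical":
        return "siem"
    return "archive"


def run_pipeline(events):
    """Run all stages; returns routed events and volume statistics per stage."""
    kept = [redact_pii(e) for e in events if not is_noise(e)]
    summarised = summarise([enrich(e) for e in kept])
    routed = {"siem": [], "archive": []}
    for ev in summarised:
        routed[route(ev)].append(ev)
    stats = {"input": len(events), "after_filter": len(kept),
             "after_summarise": len(summarised),
             "siem": len(routed["siem"]), "archive": len(routed["archive"])}
    return routed, stats


if __name__ == "__main__":
    routed, stats = run_pipeline(SAMPLE_EVENTS)
    print(stats)
    for ev in routed["siem"]:
        print(ev)
```

On this constructed input the eight raw events become three summarised records, two of which go to the SIEM; the failed-login burst arrives already tagged with the threat-intel hit, the critical asset tier and a capped score, so the detection side never has to reconstruct that context. The order of stages matters: redaction runs before enrichment and summarisation so that no stage downstream, including any ML model trained on the output, ever sees the raw identifier.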
From endpoint protection to platform
The Observo AI acquisition also marks an evolution in SentinelOne’s own identity. The company made its name in endpoint security, using AI to detect and respond to threats without manual intervention. Since its IPO in 2021, it has broadened into cloud workload protection, identity security, and threat intelligence.
Now, with SIEM in its sights, SentinelOne is positioning itself as more than a point solution vendor.
“Our strategy is to go beyond just another SIEM,” Lehmann says. “With the Observo AI acquisition, we are building a full-stack, end-to-end platform that solves the entire security data lifecycle from ingestion and enrichment at the source to a unified AI SIEM, and finally, to an autonomous response. This makes us a truly distinct player, not just another option in a crowded market. We will evolve from a leading endpoint security provider to the definitive platform for the AI-native SOC.”
The bigger market picture
The SIEM market is in flux. Cisco has acquired Splunk. IBM, Microsoft, and Google are investing heavily in cloud-native solutions. Longer-established specialists such as Exabeam and Sumo Logic are carving niches with AI-driven approaches.
Against this backdrop, SentinelOne’s ambition to create an AI-native SOC stands out. Rather than layering machine learning on top of existing architectures, it is rethinking the security data pipeline itself—starting with ingestion and enrichment at the source.
If it works, the company could solve not only the cost and performance issues that plague SIEM users today, but also accelerate the transition to autonomous SOC operations—something that many in the industry view as inevitable, but not yet achievable.
Looking ahead
For Lehmann, the Observo AI acquisition is not just a tactical move. It is part of a long-term strategy to put SentinelOne at the centre of enterprise security operations.
“We will evolve from a leading endpoint security provider to the definitive platform for the AI-native SOC,” she emphasises.
It’s a bold claim—but one that reflects both the urgency of the cybersecurity challenge and the speed at which the market is changing. For organisations overwhelmed by data, noise, and cost, SentinelOne’s new direction could offer much-needed relief. And for the industry at large, it raises the bar for what SIEM—and SOCs—should look like in the age of AI.