mEDR: SentinelOne Agent Upgrade Process

Overview

CyFlare’s mEDR service includes the continuous management and upgrading of SentinelOne agents across customer environments. This ensures endpoints remain protected with the latest detection capabilities, performance improvements, and security enhancements at all times.

CyFlare has transitioned to a continuous upgrade model, eliminating scheduled upgrade windows in favor of automated, policy-driven updates to the latest validated agent versions.


Scope

This process applies only to:

  1. CyFlare Managed SentinelOne Instances
    1. https://usea1-cyflare.sentinelone.net/

Continuous Upgrade Model (New Standard as of May 2026)

CyFlare maintains all SentinelOne agents using an Auto-Upgrade Policy set to the latest General Availability (GA) version (or the most stable version).

Under this model:
  1. Scheduled upgrade windows are no longer used
  2. Agents are upgraded continuously and automatically
  3. New or reinstalled agents running older versions will be automatically upgraded
  4. All endpoints are expected to remain on the latest validated version

Why This Change?

This approach ensures:
  1. Improved operational hygiene (eliminates version drift)
  2. Stronger security posture with the latest protections
  3. Enhanced telemetry and feature availability
  4. Faster adoption of engine updates and bug fixes
  5. Reduced administrative overhead and coordination delays

Upgrade Strategy & Versioning

CyFlare deploys General Availability (GA) versions of SentinelOne agents after:

  • Vendor release validation
  • Internal testing to confirm stability and compatibility

GA releases may include:

  • Detection enhancements
  • Engine updates
  • Bug fixes
  • Performance and operability improvements

Early Access (EA) Versions

  1. CyFlare may access EA versions for testing purposes
  2. Customers may opt in to participate via:

Upgrade Deployment Process

Upgrades are managed through centrally enforced SentinelOne policies.

CyFlare:
  1. Maintains Auto-Upgrade Policies targeting the latest GA version
  2. Uploads required agent packages per operating system
  3. Monitors upgrade activity and health via the SentinelOne console

Key Behaviors

  1. Endpoints must be online to receive upgrades
  2. If offline:
    1. The upgrade is queued
    2. It is expected to execute upon reconnection
  3. Agents may:
    1. Upgrade directly to the latest version, skipping intermediate versions
  4. Newly deployed or reinstalled agents:
    1. Will automatically upgrade if not on the latest version

Supported Operating Systems & Requirements

For optimal performance and upgrade success:
  1. Systems must run supported operating systems
  2. Systems should be fully patched and up to date
  3. Hardware must meet SentinelOne minimum requirements

Note: Systems outside of these requirements may experience increased risk of disruption.

What to Expect During Upgrades

  1. No reboot required
  2. Minimal to no user disruption in supported environments
  3. Temporary increase in:
    • CPU utilization
    • Memory usage
  4. Resource usage returns to normal after upgrade completion
  5. No loss of protection or visibility

In rare cases:
  1. New agent versions may detect previously unidentified threats
  2. These are handled through standard SOC escalation procedures


Performance & Risk Considerations

While upgrades are designed to be seamless, risk may increase in:
  1. Outdated or unsupported operating systems
  2. Resource-constrained endpoints
  3. Unique or highly sensitive environments

If you believe your environment may be impacted:
  1. Contact CyFlare (or your assigned CSM) prior to the upgrade window

Opt-Out & Upgrade Control

Partners have flexibility in how upgrades are applied:
  1. Opt-out is available at:
    1. Account level
    2. Site level

However:
  1. Customers who opt out are responsible for coordinating upgrades with CyFlare Operations Engineering
  2. Customers assume risk associated with running outdated agent versions, including:
    • Reduced protection efficacy
    • Missed detection improvements
    • Compatibility limitations

CyFlare strongly recommends remaining on the automated upgrade policy.

Failure Handling & Remediation

  1. Upgrade failures are:
    1. Monitored within the SentinelOne console
    2. Remediated by CyFlare when identified
  2. If necessary:
    1. Agent rollback may be used as a resolution

In rare cases where failures are not visible in the console, customers should notify CyFlare to investigate.

Customer Responsibilities

To ensure successful upgrades, customers should:
  1. Maintain supported and fully patched systems
  2. Ensure endpoints are periodically online
  3. Notify CyFlare of:
    1. Sensitive systems
    2. Known performance constraints
    3. Any concerns prior to scheduled upgrades

Communication Model

  1. Routine agent upgrades are not pre-announced
  2. CyFlare will communicate proactively in cases of:
    • Significant changes
    • Elevated risk scenarios
    • Potential customer impact

Frequently Asked Questions (FAQs)

1. Do SentinelOne agent upgrades require a reboot?
            Answer: No, reboots are not required.

2. What happens if an endpoint is offline during the upgrade?
            Answer: The upgrade command is queued and will execute when the endpoint reconnects.

3. Will there be any performance impact?
            Answer: A temporary increase in CPU or memory usage may occur during installation. This returns to normal after completion.

4. Can agents skip versions during upgrades?
            Answer: Yes, agents can upgrade directly to the latest version without installing intermediate versions.

5. What happens if an upgrade fails?
            Answer: CyFlare monitors and remediates failures when identified. Rollback is available if needed. If not visible in the console, customers should notify CyFlare.

6. Will upgrades impact detection or visibility?
            Answer: No. There is no expected loss of protection or visibility.

7. Can we participate in testing new versions?
            Answer: Yes. Customers may opt into Early Access (EA) versions to assist in testing.

8. Where can I review SentinelOne release notes?
            Answer: You must be an active user within our SentinelOne instances. Then navigate to the following link: https://usea1-cyflare.sentinelone.net/docs/en/agent-release-notes.html (OneBox Instance)

If you have any questions or would like to coordinate upgrade preferences, please contact:

📧 TechOps@cyflare.com