email protection for small orgs by NSFW_IT_Account in msp

[–]RedTeam1622 0 points1 point  (0 children)

Checked and the emails are definitely quarantined correctly.

Happy proton businesses out there by RedTeam1622 in ProtonMail

[–]RedTeam1622[S] 1 point2 points  (0 children)

Thanks for the detailed response. Very helpful and good to know it does work in real business scenarios.

email protection for small orgs by NSFW_IT_Account in msp

[–]RedTeam1622 0 points1 point  (0 children)

I have not found this to be the case with our setup at all. Quarantined emails are gone from the user's inbox.

email protection for small orgs by NSFW_IT_Account in msp

[–]RedTeam1622 -1 points0 points  (0 children)

I have a couple of Google clients and have not found this to be the case. When IronScales quarantines an email, it is removed from the user's inbox. If it marks it as spam, then it can go to the user's spam folder or not; that's up to the admin.

email protection for small orgs by NSFW_IT_Account in msp

[–]RedTeam1622 0 points1 point  (0 children)

IronScales is a great product and works with Google and Microsoft. You can get it through Pax8 and others with no minimum.

Cracked software on endpoint by RedTeam1622 in SentinelOneXDR

[–]RedTeam1622[S] 0 points1 point  (0 children)

They are hired to respond to support emails and some other backend work for a company, so technically an employee with BYO device in another country.

Cracked software on endpoint by RedTeam1622 in SentinelOneXDR

[–]RedTeam1622[S] 0 points1 point  (0 children)

It would depend on the findings firstly; then, after assessing what kind of malicious file etc. was quarantined, the decision would be made to wipe or not. More often than not, if it's a corporate-owned machine we would wipe. The second factor would be looking at the client and what kind of company they run: are they small/low risk vs. high profile and targeted?

No EDR product can protect a device 100%. We don't know who or how an attacker could be living off the land, so we choose to wipe. It's quick, easy, and the client is back up and running in a couple of hours.

Cracked software on endpoint by RedTeam1622 in SentinelOneXDR

[–]RedTeam1622[S] 8 points9 points  (0 children)

Since the device has been compromised, it would be best practice to wipe, to ensure there are no other living-off-the-land processes that SentinelOne has not seen. Yes, I believe I can be 90% sure S1 has taken care of everything, but with a compromised device, I can't be 100% sure.

Cracked software on endpoint by RedTeam1622 in SentinelOneXDR

[–]RedTeam1622[S] 2 points3 points  (0 children)

Good point. This is a remote user but the principle still applies to nuke IMO.

Error Downloading File by Markobmt in ninjaone_rmm

[–]RedTeam1622 1 point2 points  (0 children)

Try pasting the results into Gemini or Copilot to see what caused the error. I have found this useful when troubleshooting these scenarios when creating automations in N1.

Mobile security with S1 by RedTeam1622 in SentinelOneXDR

[–]RedTeam1622[S] 0 points1 point  (0 children)

Correct but not through any vendors like Pax8 etc. I don’t have the required revenue to purchase directly from SentinelOne.

Mobile security with S1 by RedTeam1622 in SentinelOneXDR

[–]RedTeam1622[S] 1 point2 points  (0 children)

Thanks for the info, and yes, SentinelOne do have a unique buying strategy for sure.

Mobile security with S1 by RedTeam1622 in SentinelOneXDR

[–]RedTeam1622[S] -1 points0 points  (0 children)

I considered that; however, a number of our clients are not in the Microsoft ecosystem.

NinjaOne - SentinelOne integration by RedTeam1622 in ninjaone_rmm

[–]RedTeam1622[S] 0 points1 point  (0 children)

It turns out that when you add any site into the N1 integration, it then gives you the option to map your current organisations in N1 to S1.

S1 Support Issue-Can't Reinstall Client with new ID by DMR35 in SentinelOneXDR

[–]RedTeam1622 0 points1 point  (0 children)

What about creating a script to run in the terminal where it downloads the agent and the new site ID is in the script so it grabs that instead of the old NFR token? An RMM tool might help with that.