SentinelOne is no stranger to being a target, and this week the company pulled back the curtain on the range of threats it faces, from nation-state actors to cybercriminals looking for a tactical edge over its security products.
Among the more alarming developments is the sheer volume of fake job applications submitted by North Korean IT operatives. SentinelOne uncovered over 1,000 fraudulent applications tied to 360 fake personas, many of which were aimed at sensitive roles, including intelligence engineering. While none were hired, the company engaged early in the hiring process to gather intelligence on tactics and behaviors, which could help other recruiters spot and block these infiltration attempts.
At the same time, the company has been targeted by ransomware groups and financially motivated attackers—not for the sake of compromising SentinelOne’s internal network, but to access its products. Adversaries are using tactics such as:
- Renting access to stolen security software
- Using stolen credentials from malware infections
- Bribing insiders, with offers reported to go as high as $20,000
- Impersonating real companies to obtain legit product licenses
The goal? Bypass or weaken endpoint security—a way for threat actors to test malware, suppress forensic visibility, or manipulate agent behavior in compromised environments. As SentinelOne puts it, privileged console access can let attackers disable protections or silence alerts entirely, giving them the upper hand in later-stage attacks.
Then there’s the state-sponsored side of the threat landscape. SentinelOne was recently targeted by Chinese APTs in a campaign it tracks as PurpleHaze. The incident stemmed from a hardware logistics partner—a reminder of how supply chain and third-party relationships can become soft targets. Although no evidence of deeper compromise was found, the attackers had clearly conducted reconnaissance on SentinelOne infrastructure and on client organizations the company protects.
The bigger message here is that security vendors aren’t exempt from the threats they’re built to defend against. SentinelOne’s visibility into these attacks is helping it better understand how modern threat actors operate, whether they’re slipping into job applications, buying access behind the scenes, or lurking in third-party ecosystems.
What stands out is the layered nature of the attacks. It’s not just phishing or brute force anymore. It’s recruitment manipulation, supply chain targeting, credential abuse, and insider threats—all tailored to find cracks in even the most hardened environments. And for anyone leading a cybersecurity team, it’s a real-world reminder of how adversaries adapt—not just to exploit vulnerabilities, but to weaponize access and trust.