Security policy has to be applied to groups of devices — you can't write a separate rule for every endpoint. Traditionally those groups are static: an administrator defines them, assigns devices, and maintains the lists by hand. The problem is that environments change constantly. Devices come and go, change roles, move between networks, and the hand-maintained groups drift out of sync with reality. Stale groups mean policy applied to the wrong devices, which means gaps.
The grant US12206698B2, "Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking" (issued January 21, 2025, assigned to Sentinel Labs Israel Ltd.), automates the grouping. Its CPC classifications span the intrusion-detection and access classes H04L 63/1425, H04L 63/1416, H04L 63/1441, H04L 63/102, and H04L 63/104, along with the network-management classes H04L 41/0893 and H04L 41/16. The idea throughout is grouping driven by the system, not by manual lists.
“Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network.” — U.S. Patent No. 12,206,698
The mechanism worth understanding is modeling endpoints by what they actually are and do. Rather than relying on an administrator's static assignment, the system observes each endpoint's characteristics and behavior and groups it dynamically, so the groups reflect the current reality of the environment. As a device changes role or behavior, its grouping — and the policy that follows from it — updates automatically.
For defenders, the practical takeaway is that static configuration is a liability at scale. Manual group maintenance can't keep pace with a large, changing fleet, and the gap between the configuration and reality is exactly where misapplied policy lets attacks through. Dynamic grouping keeps policy aligned with the environment as it actually is, not as it was last documented.
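An added illustration of the idea above, not code from the patent or from SentinelOne: a small Python sketch that derives each endpoint's group from observed behavior and reports where a hand-maintained list has drifted from it. The role profiles, hostnames, telemetry fields and the similarity threshold are assumptions constructed for the example.

```python
# Hypothetical role profiles: features expected of each group (assumption).
PROFILES = {
    "web": {"port:80", "port:443", "proc:nginx"},
    "database": {"port:5432", "proc:postgres"},
    "workstation": {"proc:chrome", "proc:outlook"},
}
# Constructed telemetry: what each endpoint was actually observed doing.
OBSERVED = {
    "host-a": {"listening_ports": [80, 443], "processes": ["nginx"]},
    "host-b": {"listening_ports": [5432], "processes": ["postgres"]},
    "host-c": {"listening_ports": [], "processes": ["chrome", "outlook"]},
    "host-d": {"listening_ports": [443], "processes": ["nginx"]},
    "host-f": {"listening_ports": [22], "processes": ["sshd"]},
}
# Constructed static inventory, as an administrator last documented it.
STATIC_GROUPS = {"host-a": "web", "host-b": "workstation",
                 "host-c": "workstation", "host-e": "web", "host-f": "database"}

def features(telemetry):
    """Flatten one endpoint's telemetry into a comparable feature set."""
    ports = {f"port:{p}" for p in telemetry.get("listening_ports", ())}
    procs = {f"proc:{n}" for n in telemetry.get("processes", ())}
    return ports | procs

def jaccard(a, b):
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def classify(telemetry, threshold=0.5):
    """Return the best-matching group, or 'unclassified' below threshold."""
    feats = features(telemetry)
    score, group = max((jaccard(feats, sig), name) for name, sig in PROFILES.items())
    return group if score >= threshold else "unclassified"

def drift_report(static_groups, observed):
    """Compare the documented groups with groups derived from telemetry."""
    report = {"moved": {}, "unmanaged": [],
              "stale": sorted(set(static_groups) - set(observed))}
    for host, telemetry in sorted(observed.items()):
        derived = classify(telemetry)
        if host not in static_groups:
            report["unmanaged"].append(host)   # seen on the network, never listed
        elif static_groups[host] != derived:
            report["moved"][host] = (static_groups[host], derived)
    return report

if __name__ == "__main__":
    print(drift_report(STATIC_GROUPS, OBSERVED))
```

Each entry under "moved" is a device still receiving the policy of its documented group while behaving like a different one; "stale" and "unmanaged" are the two directions in which the list and the network disagree about which devices exist.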
That SentinelOne — a major endpoint-security vendor — holds a family of patents in this area signals how central it considers the problem. As environments grow more dynamic, especially at the edge where devices are numerous and fluid, the ability to model and group endpoints automatically becomes foundational to applying security policy correctly, which is the unglamorous prerequisite for every other defense working as intended.