SentinelOne (S) – Earnings Review -March 16, 2024
SentinelOne directly competes with CrowdStrike, Microsoft Defender and Palo Alto in endpoint security. It specializes in small-and-medium-sized business clients and is now expanding up-market. While CrowdStrike’s overarching platform is called Falcon, SentinelOne’s comparable suite is called the “Singularity Platform.” It offers Endpoint Detection and Response (EDR) and much more. Just like CrowdStrike, it is actively expanding into cloud security, data analytics and some identity use cases too. The two have very similar product roadmaps, with CrowdStrike a bit ahead in bringing its roadmap to market.
I consider this to be the 2nd best company in endpoint security. It’s also much cheaper than CrowdStrike on a gross profit multiple basis, but is still burning a little cash, still not at EBIT breakeven, and still very far from GAAP EBIT breakeven. Following this earnings report, I added SentinelOne to my portfolio for the first time. This earnings review is a bit more detailed than typical. I wanted to spell out SentinelOne’s product suite, competitive positioning, prospects, risks and my reason for starting the position.
Demand
SentinelOne’s revenue result was 2.8% better than expected and 3.1% better than its guide. $61 million in net new annual recurring revenue (NNARR) was lighter than some institutions on the buy-side had pegged. My sell-side estimate data includes just 2 analysts, so it is too anecdotal to cite.
Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases
Profitability
- Beat -$23 million EBIT estimate by $7.2 million & beat guidance by $7.9 million.
- 10th straight quarter of 2500 basis points (bps; 1 bps = 0.01%) of EBIT margin leverage.
- Operating expenses rose 11% Y/Y (+10% Y/Y non-GAAP) due to more headcount. It’s enjoying strong leverage across all 3 major OpEx buckets.
- Beat 77.5% gross profit margin (GPM) estimates by 50 basis points (bps; 1 bps = 0.01%).
- Beat -$0.04 EPS estimates by $0.02.
Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases
Balance Sheet
- $1.2 billion in cash, investments & equivalents.
- No debt.
- Share count rose by 6.3% Y/Y.
Dilution is my least favorite part of the company. Still, this is being amplified by M&A. Furthermore, stock comp dollars grew at half the pace of revenue Y/Y this quarter as it continued to better control this expense. I will be laser-focused on seeing share count growth diminish going forward. That’s what I expect; that’s what we’ve been told to expect. Make it happen.
Guidance & Valuation
The outlook “assumes macro uncertainties persist all year.” For the full year, its revenue guide missed by 0.4% and represents 31.2% Y/Y growth. Its EBIT guide missed -$20 million estimates by a material $12.6 million. It also guided to a 78% gross margin for the year, which was roughly in line. Selfishly, the reasons for these misses, paired with the negative price action are exactly what I needed to start a position.
First, I’m confident that revenue guidance for the year will be raised throughout 2024 as the firm always sandbags. Dialogue about the formation of this guide was very similar to previous reports. For EBIT, the large miss is due to plans to invest in two acquisitions (both discussed later) to bring the products to market as best-in-class offerings. These investments reduced its EBIT guidance by 250 basis points. Without this item, EBIT guidance of -$12 million would’ve been $8 million (or 60%) better than expected. I’m all for continued investments to support long-term growth, especially as it reiterated its path to positive free cash flow (FCF) and EBIT by the end of this year. And still, it will improve EBIT margin by 1500 bps Y/Y. As one of these acquisitions was recent (Stride Security), it’s likely that it was not modeled by analysts in forward profit estimates.
“There’s no question that we could grow even more. But we are prioritizing profitability.” – Co-Founder/CEO Tomer Weingarten
SentinelOne trades for about 11x gross profit. Gross profit should grow by about 35% Y/Y. Mature S&P 500 companies trade at about 5x gross profit. This is an expensive company like it should be considering the growth and margin trends. Still, that sets the bar very high for continued execution.
Assumptions:
Revenue growth estimates are based on sell-side estimates, my buy-side contacts, management’s own targets, all other relevant context and my own personal opinion. The small range of 2024 revenue scenarios is based on SentinelOne’s strong annual demand visibility, given the subscription nature of its model. Consumption-based revenue continues to shrink as a % of total to strengthen this visibility.
Margin estimates assume SentinelOne reaches FCF positive by Q4 of this year at the worst. It uses sell-side consensus margin estimates of 0% for calendar 2024 and 10% for calendar 2025. The margin estimate then assumes the 1000 bps of Y/Y margin improvement slows to anywhere from 250-500 bps from 2025 to 2027. FCF multiples are based on relative valuation of comparable firms that are a few years ahead of SentinelOne in terms of profitability. Mainly CrowdStrike, Zscaler, Okta, Cloudflare, Palo Alto and Datadog. I baked in a bit of conservatism here for my own comfort. What I view as the highest probability scenario is highlighted in yellow.
Product Suite, Letter & Call Highlights
The Singularity Platform:
The core use cases from SentinelOne’s Singularity Platform are in endpoint. Like CrowdStrike, it offers highly autonomous services and a slick, lightweight, single agent to drive interoperability. This, in turn, means overarching coverage and superior breach protection vs. legacy incumbents.
Also similar to CrowdStrike, SentinelOne boasts a delightfully complementary data analytics platform (which it calls the Singularity Data Lake). This lake can ingest structured data logs from identity, case management, threat intelligence and so much more. With this capability, SentinelOne can collect data once and utilize it throughout all client use cases with that single agent. Less data siloing means its platform’s models and algorithms can be more effectively seasoned to drive better efficacy. The use cases beyond solely endpoint security (covered next) mean it can recycle this data repeatedly with little incremental cost. That process yields ample cross-selling opportunities and a sky-high margin ceiling. Each incremental module sold is essentially pure margin. If you think this sounds eerily similar to CrowdStrike, you’re right.
Approach to Rounding Out its Non-Endpoint Offerings:
As mentioned, SentinelOne’s product roadmap closely mirrors CrowdStrike. It built this suite with some M&A, but not in the same rushed and stapled-together path that Palo Alto is now suffering from. It goes intentionally slowly with integrating M&A. It won’t even offer newly acquired products until that work is entirely finished. This is all in its successful effort to add value, rather than complexity, cost & false-positive inundation. That pursuit offers more sustainable and meaningful revenue growth. SentinelOne beautifully and intricately ties purchased products into the Singularity Platform to maximize customer value. There are multiple examples.
The Rest of the Platform – Data:
SentinelOne is hard at work on adding broad identity, data analytics, cloud and GenAI use cases to its overarching platform. As with CrowdStrike and Zscaler in network security, it’s this process that will make SentinelOne stand out vs. point solutions and legacy competition. It’s how SentinelOne will foster the most meaningful vendor consolidation to facilitate favorable total cost of ownership (TCO) AND superior protection. While it doesn’t quite have the module breadth that CrowdStrike does, it’s not far behind.
As briefly alluded to, SentinelOne’s Singularity Data Lake is a large growth opportunity for the firm. It can ingest data from a near-endless supply of sources to power an end-to-end view of data analytics. This ingestion is done via “Log Scale,” which means logarithmically organizing and storing data. This broader data ingestion means better breach protection as SentinelOne’s products are more properly trained on larger sets of relevant insight. Teams can intuitively organize and query data to turbocharge breach remediation and to guide strategic decisions. The service of aggregating data (or “logs”) to help organizations uncover and remediate threats is called Security Information and Event Management (SIEM).
Marrying SentinelOne’s EDR and other endpoint products with significant data log scale positions it well in the Extended Detection and Response (XDR) security wave. While XDR is technically part of endpoint, it’s an extension and upgrade to it. XDR is similar to EDR, but infuses non-endpoint data sources into the protection process to push XDR vulnerability protection and remediation beyond the endpoint. With more context, the endpoint can serve as merely a starting point for protection, rather than the only place in a client’s tech stack properly equipped to protect. XDR requires two things: Great EDR as a foundation and massive data ingestion scale. SentinelOne provides both.
Data Loss Prevention (DLP) offerings are also unlocked with this more complete view of a client’s and ecosystem’s data. It chooses to tie these DLP capabilities into its XDR platform, rather than offering them as a separate tool like CrowdStrike does. These DLP capabilities focus on the endpoint and include all sensitive data protection, regulatory compliance help and highly configurable permission controls. Its Scalyr acquisition was instrumental in bringing high-quality XDR and next-gen SIEM to market.
The Singularity Data Lake is currently SentinelOne’s fastest growing product. This past quarter, it represented a full 10% of its new bookings. Like CrowdStrike this quarter, SentinelOne also talked up its expeditious displacement of legacy SIEM vendors like Splunk. It clawed a Fortune 500 energy company away from them after the client grew tired of “rising cost and antiquated technology.” Combining all data analytics and endpoint security capabilities significantly lowered TCO and provided more evidence of SentinelOne’s increasingly complete platform.
The Rest of the Platform – Cloud & Identity
SentinelOne’s first foray into cloud security was within Cloud Workload Security (CWS). This is called Cloud Workload Protection (CWP) by CrowdStrike and other vendors. It’s an agent-based, preventative cloud protection tool to observe any bad behavior by cloud environment entrants. The tool also comes with forensic analysis, just like CrowdStrike offers (shocking, I know). It sounds the alarm bell for SentinelOne’s automated breach protection and, if needed, the Managed Detection and Response (MDR) threat hunting team (called Vigilance). It does not have a dedicated Cloud Infrastructure Entitlement Management (CIEM) tool to identify cloud entrants and establish permissions, but it’s broadly thought that this and also Application Security Posture Management (ASPM) will both be introduced soon.
Cloud Native Application Protection Platform (CNAPP) is the buzz phrase used to describe a company’s full set of cloud security tools. While SentinelOne had mainly been in CWS, it just announced an acquisition of PingSafe to fortify its cloud security presence. This will greatly accelerate its path to product parity with CrowdStrike. PingSafe offers an agent-less suite of cloud tools including Cloud Security & Posture Management (CSPM).
CSPM reports vulnerabilities and conducts configuration analysis in any cloud environment. It can flag improper permissions or hygiene. It doesn’t stop breaches in isolation, but does offer needed alerts, which frees other cloud tools like CWS to do so. This acquisition solidifies SentinelOne’s cloud security platform to cohesively join its robust endpoint security platform. CSPM will also bolster vendor consolidation and deliver a combination of cost savings and superior efficacy.
Beyond these additional high-value tools, SentinelOne sought something else that was unique to this acquired firm. PingSafe built a homegrown “Offensive Attack Engine” to simulate high-priority and complex breaches in a controlled, low-stakes environment. This not only trains security analysts and SentinelOne’s models, but also diminishes false positives. That’s because this engine delivers incremental context to better prioritize attacks.
“At SentinelOne, we have always believed that to stop an attacker, you must think like one. PingSafe embodies that framework.” – Co-Founder/CEO Tomer Weingarten
While SentinelOne’s CWS takes an agent-based approach, as we briefly mentioned, PingSafe is agentless. Agent-based requires a direct software installation, while agentless does not. One isn’t objectively better than the other. Agentless is considered cheaper, easier to deploy and easier to scale. It’s perfect for lower-stakes use cases like configuration analysis and is a perfect complement to CWS. Companies just starting out with finite budgets, massive potential scaling needs and a lack of hyper-sensitive data can adopt an agentless approach. Agent-based is considered more comprehensive and has more complete visibility. Industries with tighter regulation, more sensitive assets, a need for real-time EDR and more complex compliance are well served by agent-based. By offering both, SentinelOne can address both markets, thus eliminating the need for disparate point solutions.
Like it always does, SentinelOne will take a slow, methodical approach to integration here and assure it’s done perfectly. PingSafe’s products won’t be offered to SentinelOne’s clients until Q3 of this year. This could further diminish cross-sell friction, but that is NOT assumed in guidance. If that plays out, the stock will likely outperform.
SentinelOne also offers identity security tools through its acquisition of Attivo Networks two years ago. Importantly, this does not compete with Okta or Ping Identity. Attivo is not trying to be an identity broker. It is simply using its ideal endpoint foundation to secure identities as another form of endpoint. Other SentinelOne ID tools include “cyber deception” or “luring attackers into revealing themselves” with decoy accounts. It also provides minimum permission tools, flags suspicious behavior and protects companies against phishing attacks and, again, does so using the endpoint as the center.
This leads us to an important point. The vast majority of relevant security data and context (about 80%) comes from the endpoint. Not the network, not the identity brokers… the endpoint. This puts SentinelOne and CrowdStrike in arguably the best position to expand to new uses. Why? Because these new use cases can all pull from this context-and-data-rich center. This trains new products more quickly and more effectively than any non-endpoint company trying to do so. It’s not random that 12% of my portfolio is in cybersecurity and all of that is in endpoint security. Not random at all. EDR is poised for 20%+ industry compounding through 2030 per Grand View Research, Mordor Intelligence, Transparency Market Research and others. This market is just highly, highly attractive. Being the 2nd best (at a lower cost) in it is too.
Data, cloud and identity are now delivering 30% of the firm’s incremental bookings. They’re also contributing to double digit ARR per customer growth Y/Y. Both of these trends are expected to accelerate over time.
SentinelOne also just purchased Stride Security. Stride offers Security Orchestration, Automation and Response (SOAR) to guide and instruct more efficient workflows. This works across endpoints to automate threat protection; it works across cloud tools to expedite incident response; it also helps query the needed data lake context to augment remediation. SOAR unifies these product suites and drives more intuitive cross-selling. It will make this automated Singularity Platform… well… even more automated with even less reliance on human intervention.
SentinelOne vs. CrowdStrike & Competition:
SentinelOne is ranked very highly with all 3rd party research firms. Gartner calls it a leader in endpoint while IDC does too. It’s quickly approaching that label with Forrester. It continues to win “a significant majority” of competitive evaluations vs. legacy and next-gen competition, with a record number of $1 million+ deals won this quarter as it builds enterprise-level traction. It also continues to add a larger portion of business from new customers vs. existing client expansion. That’s important as it explains the downward net revenue retention (NRR) trend to 115% vs. over 125% just a few quarters ago. Per the team, it’s focused on grabbing land today and will worry about more cross-selling (more profitable to expand with existing clients) tomorrow. Rapid revenue and ARR growth now likely have legs as the firm won’t prioritize full platform selling for the time being. That will be future upside.
While CrowdStrike is its closest competition, it’s unfair to compare the two. CrowdStrike is world-class in its ability to combine rapid growth, scale, margin expansion, GAAP profits, cash printing and market share gains. No other company comes all that close. So while CrowdStrike is growing more quickly on a larger base and with far better margins, that doesn’t deter me from wanting to own SentinelOne as well. I think owning the second-best firm in endpoint is more attractive than owning best-in-breed in most adjacent niches for the reasons already covered.
When comparing SentinelOne to any other hyper-grower in software, it looks fantastic. It will significantly outgrow GitLab, Snowflake, Okta and Datadog while growing in line with Zscaler. Its pace of margin expansion is also much better than all others mentioned (though much less profitable than the last four) as it approaches EBIT and FCF breakeven. Comparing SentinelOne to CrowdStrike is like comparing an NBA all-star to Michael Jordan. It compares very favorably to every other all-star.
Demand Environment:
SentinelOne’s demand environment commentary, to me, is clear evidence that the company truly is the second best name in the space (sorry Palo Alto and Microsoft)… at a more compelling stock valuation than #1. It sees stable macro headwinds and no “budget fatigue.” It feels no pressure to “give away products for free” or aggressively discount like Palo Alto is now doing. It is simply executing, delivering incremental value and enjoying the coinciding pricing power. SentinelOne’s gross margin trends show that pricing power remains very strong.
“This is not about giving something for free. This is about creating synergies for customers and more cost efficiencies over time.” – Co-Founder/CEO Tomer Weingarten
There’s continued focus on efficiency and budget scrutiny, but again, it isn’t getting worse. Cyber security “remains mission critical” and clients continue to spend accordingly. Importantly, the firms’ guide assumes macro remains stable all year. Any improvement would mean upside.
“There are clear risks associated with aging infrastructure and legacy systems as they are simply not equipped to withstand these modern attacks. This reinforces the need for robust, modern security postures. Providers are playing whack-a-mole with capabilities to plug holes. This drains resources and gives a false sense of protection.” – Newest Shareholder Letter
AI:
SentinelOne has been an AI company since inception. Its entire infrastructure was built with machine learning algorithms directly infused throughout it. This wave isn’t new to the company.
In the coming weeks, SentinelOne will debut its security assistant called “Purple AI.” This directly competes with CrowdStrike’s “Charlotte AI” tool. Interest is “strong” with beta testing clients all loving the product. This pulls from the Singularity platform and data lake to automate manual and tedious pieces of a security analyst’s day-to-day. It saves them many hours and greatly enhances an analyst’s personal capabilities. This is yet another reason why the data lake is so important. Purple AI ranks vulnerabilities, offers the best course for remediation and “unleashes clients to operate at unprecedented performance and speed.” It unlocks greater data ingestion scale to better season these new models and applications. A demo last quarter led to one of its largest new client wins ever.
Risks:
The main risk tied to SentinelOne is extrapolating recent margin trends and assuming they continue while the growth engine hums. While it’s now much cheaper than CrowdStrike, this is still an expensive name. It still needs to execute flawlessly at the current multiple. The path to profit must be followed by continued rapid margin expansion and 30%+ revenue compounding. Those would be nearly impossible goals to realize for pretty much any other company. They’re not for SentinelOne.
Strengthen Go-to-Market:
Go-to-market is where SentinelOne has the most catching up to CrowdStrike to do. It’s excellent when it comes to working with managed security service providers (MSSPs), which is a large part of its smaller-client popularity. With the big boys, I’d love to see it work more closely with AWS, Google Cloud and even more System Integrators (like CrowdStrike has) to aid in winning more Global 2000 brands. It hired Michael Cremen as its new chief revenue officer a year ago to revamp the go-to-market and align sales incentives to support platform adoption.
It has also recently reorganized its product suites into Enterprise and Commercial bundles to motivate platform-wide adoption more quickly. These bundles combine large portions of SentinelOne’s product suite including its managed detection and response (MDR) threat team. The releases have already “accelerated conversion timelines and led to larger initial deal sizes.”
Accounting Drama:
In fiscal year Q1 2024, SentinelOne reported a damaging accounting blunder. It misclassified some usage-and-consumption-based revenue as ARR. This is a big fat no-no as those sources of revenue are inherently more volatile, lumpy and lack visibility. It has since strengthened internal accounting controls, added another big 4 auditor and has had no repeat mistakes since then. Accounting errors, to me, keep this company on a shorter leash than it typically would have. I likely will not tolerate a repeat mistake and will not stick around if it surfaces.
