SentinelOne: A Strong Defender and Q4 Review
The marketing language between Crowdstrike and SentinelOne is thick, and I don’t expect this to change anytime soon. We’ve called SentinelOne a “stellar product” in our first analysis and an “exceptional product” in our second analysis. This is based not only on detection, where Crowdstrikes rank high, but also on accuracy of triggering a response.
The product differentiation is best summed up by the fact other vendors require data to be sent to the cloud for analysis and often have many humans monitoring the alerts to take action. Meanwhile, SentinelOne uses automation to find the threat which reduces the number of false positives. Instead of getting every piece of telemetry that requires the security team to investigate, SentinelOne’s endpoint detection and response solution eliminates the noise so that the security team is only responding to those that have the potential to be critical.
SentinelOne often emphasizes the fact that legacy antivirus powered by human-generated signatures still remains a widely used security technology. This is in spite of the fact that they are ineffective and reactive. Human-powered endpoint detection and response, or EDR, emerged as the alternative in which people became the detection and response crew.
Speed is everything in security and SentinelOne asserts Crowdstrike’s 1-10-60 rule is outdated. The 1-10-60 response rule claims the best achievable cybersecurity outcome is capped at one minute to detect an attack, 10 minutes to investigate, and 60 minutes to respond. Meanwhile, recent ransomware attacks have proved that it only takes milliseconds to breach an organization and cause damage.
Data + AI = Storylines
SentinelOne believes that cybersecurity is fundamentally a data problem. The company’s Singularity Platform ingests, correlates, and queries petabytes of structured and unstructured data from ever-expanding disparate external and internal sources in real-time. It builds rich context and delivers greater visibility by constructing a dynamic representation of data across an organization. As a result, the company’s AI models are often highly accurate in triggering a response.
The company’s distributed AI models run both locally on every endpoint and every cloud workload, as well as on the company’s cloud platform and the AI models predict threats in milliseconds. The behavioral AI model maps and links all behaviors on the endpoint to create Storylines. When an activity is deemed to be a threat, the system automatically takes action to kill the attack.
In the cloud, the company’s platform aggregates these Storylines. The streaming AI detects anomalies that surface when multiple data feeds are correlated with additional external and internal data. By providing full visibility into the Storyline of every secured device across the organization through one console, the platform makes it fast for analysts to search and hunt for threats.
Storylines maintain a complete record of unauthorized changes that are made during an attack and can roll back or remediate any damage done during an attack very quickly. The ability to turn back time on a device is unique to SentinelOne. According to the company, this is the “ultimate safety net” and eliminates costly incident cleanup.
S versus CRWD = No Clear Answers
The challenge for analysts and investors is that Crowdstrike also has a strong product and is certainly the heavyweight in the space with SentinelOne being the defender. We’ve written a more thorough overview on product comparing SentinelOne and Crowdstrike here.
In our previous analysis, we’ve discussed SentinelOne’s strength in ranking at the top in Peer Reviews despite ranking lower across industry analyst reviews. The most recent MITRE ATT&CK evaluations showed a very strong report for Crowdstrike on 100% detection yet showed very strong results for SentinelOne on 100% visibility and no misdetection.
If public investors are looking for clarity directly from the source, there will be none offered as these two companies are committed to battling it out on earnings calls, marketing materials and anywhere else they can find an opening.
It probably says something about S, however, that CRWD would even bother to defend itself given its annual revenue will be over $2 billion when S is at roughly $400 million. In other words, why bother with a competitor 1/5th your size in a crowded endpoint security vendor market? I imagine it’s because S makes bold, ongoing statements like this in their earnings calls and elsewhere: “We've maintained incredibly strong win rates in all competitive situations against both legacy and next-gen vendors. This is because of the breadth of our platform, covering endpoints and surfaces of all types, cloud workloads, Kubernetes, mobile devices and IoT devices and soon, identity.”
Cloud Security Segment Could Rival Endpoint Security
Cloud is a growth lever for SentinelOne as the company leverages a microservices architecture for rapid and frequent updates. The company offers support for Kubernetes workloads with additional runtime protection and simplified deployment.
In our previous write-up, we had stated this was the most important statement on the Q3 call:
“Cloud still remains our fastest-growing module. About 10% of endpoints are covered by cloud and servers. It has been our fastest-growing module for some time. Cloud is a piece of the business, I think that we think will expand greatly in the future. We anticipate that at some point, it will be the similar size to the endpoint market.”
The company stated that across the company, it’s the “cloud workload protection and data retention modules that outperformed the most with year-over-year ACV growth of over 10X.” We are talking outsized growth on small numbers but this is key to watch moving forward with the more revelatory statement long-term coming from Q3 about the market matching the endpoint market.
In August, the company released SentinelOne Storyline Active Response (STAR) which is the cloud-based automation engine that allows security teams to create custom detection and response rules.
The company stated DataSet was up 20% year-over-year. The product DataSet is what became of last year’s Scalyr acquisition, a leading cloud-native data analytics platform that serves as a big data engine for the XDR platform. This speeds up the process and drives down costs by ingesting and correlating terabytes of data at machine speed and also makes SentinelOne more competitive against SIEM tactics for data correlation and response.
Here is the advantage of DataSet when comparing to the competition, as stated in the call: “And I think that a lot of the large enterprises out there are looking at that because otherwise, if they're going with a different EDR vendor, they suddenly need to figure how are they going to retain data on the back of maybe a different platform. And that's sometimes going to be just incredibly costly. With us, it comes on the back of a single platform.”
Attivo Acquisition
SentinelOne extends the definition of XDR beyond “endpoint’ to include other data points on a network, such as containers, cloud-native applications, and even email or messaging. With the Attivo acquisition, the company will have more in-network and identity detection in the event a hacker is mimicking an employee or authorized user. This is especially important given the recent SolarWinds hack.
Attivo Networks specializes in Active Directory, which helps IT departments connect users to Windows-based IT systems. This means it could help SentinelOne’s cross-sell into more traditional enterprises, which was alluded to on the call. There were many questions on the Attivo acquisition, but ultimately management stated it would be accretive on gross margin and accretive on operating margin (whew – you could feel the collective sigh of relief on the call – we do not want those margins going in the wrong direction right now).
“So obviously, we have stated that [Attivo] accretive to our gross margin. From an operating margin standpoint, I think this current year, while we take into account our expected integration costs, the margin profile will be very similar to ours. If you take out those costs on a go-forward basis, it would be accretive to ours on an operating margin basis. And we'll have that guidance, obviously, when we specifically guide next quarter.”
Attivo’s specialization with Active Directory lends the acquisition to a post-SolarWinds world. Active Directory is the widely-used authentication system that was leveraged by hackers in the SolarWinds hack.
SolarWinds is known to be the “largest and most sophisticated operation that [Microsoft] has seen” with over 1,000 skilled engineers likely working on the operation. Although Crowdstrike was not infiltrated due to not using Microsoft’s email client, the cybersecurity company also did not detect the abnormal API calls until after FireEye disclosed their breach. The blog published by Crowdstrike said that they later discovered “abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago.” In response, Crowdstrike released a reporting tool to manage permissions for Azure AD environments.
Crowdstrike has cited issues with the authentication architecture with Active Directory on Windows and Azure Active Directory, which was exploited to move laterally in the SolarWinds hack. The CEO of Crowdstrike called Microsoft’s Active Directory “antiquated.”
It may be a boon for SentinelOne that Crowdstrike is throwing shade on Microsoft as a large percentage of the Fortune 500 are committed to Microsoft. Notably, SentinelOne specifically stated in the past it covers email and will now cover Active Directory with best-of-breed identity threat detection and lateral movement prevention, which was used in SolarWinds.
The acquisition price is $617 million in cash and stock contributing $40 million in revenue for the full year. Attivo has ARR growth of 50% with primarily large enterprises making up the customer base with an analyst pointing out that ARR per customer for Attivo is double Sentinel.
Q4 Earnings Overview
SentinelOne leads their earnings calls with ARR growth as the top key metric for the company. In Q4, ARR growth was 123% and revenue growth was 120% year-over-year for total revenue of $65.6 million.
Total ARR is nearing $300 million while annual revenue for the upcoming fiscal year 2023 is guided at $368 million, with ARR suggesting this guide could be easily met over the next four quarters. Most importantly, customers over the $100K range are growing at a rate that is double overall customer growth at 137% and 70%, respectively.
The overall customer growth represents a slowdown from 79% YoY to 70% YoY while larger account growth was fairly flat at 141% in Q3 to 137% in Q4.
The company guided for Q1 revenue of $74.5 million, compared to revenue in Q4 of $65.6 million. This is important because management has stated in the past, Q1 revenue was down sequentially by 20% to 25%. “Our revenue guidance for Q1 implies that we should be at or better than typical Q1 net new ARR seasonality, which has been down between 25% to 35% sequentially in the past 2 years.”
Notably, the I/O Fund is unable to track where the ARR was down “for the past 2 years” but the sequential growth is headed in the right direction. The numbers we have show Q1 FY2021, net new ARR declined 37% QoQ to $8 million yet in Q1 FY2022 it grew +8% QoQ to $30 million. This year, the sequential growth will be +13.5%.
Higher ARR sequentially for the upcoming Q1 is likely driven by the record number of 100,000-plus deal and a record number of million-dollar plus deals. International is another area of strength as the company saw revenue grow 140%. This represents 31% of revenue – so something to watch closely as a near-term driver.
Net retention is higher at SentinelOne at 129% down from 130% compared to Crowdstrike in the 121-123% range.
In the current macro climate, across all growth stocks, the top line is battling the bottom line. On one hand, the market is trying to price in a slowing growth environment, and on the other hand, the market wants a perfect bottom line. Rarely do these two things coexist – strong growth in a slowing growth environment with a great bottom line. We are tech growth investors so we want to be careful of demanding that tech growth stops acting like tech growth.
What we are looking for at I/O Fund is what companies can maintain growth with an improving bottom line.an improving bottom line. We think to dump resilient growth in a slowing growth environment isn’t necessarily the correct answer. Obviously, we are well diversified with top holdings that have strong bottom lines (AMD, NVDA) but we are also not dismissive of growth-oriented business models.
With that said, SentinelOne has adjusted operating losses of ($63) million. The company has GAAP-operating losses of 109% or ($71) million. The margins noted include a 12% improvement to gross margin and a 38% improvement to operating margin.
It would be easy to discount the company based on the losses and to look at Crowdstrike with positive free cash flow and believe it’s the better stock. In this fierce debate, we are siding with SentinelOne primarily for its ability to run automated security from the data lake, as well as next-gen EDR/endpoints.
SentinelOne’s forward guidance is for 80% growth in FY2023 for $368 million in revenue and 99% growth for the first fiscal quarter ending in April for $74.5 million in revenue. The company is guiding for “high 60% gross margins by year-end” on a Non-GAAP adjusted basis and operating margins of negative (57.5%) operating margin by year-end for an improvement of 25%. The company’s long-term target is EBIT margin of 20%-plus.
Sales and marketing costs are improving over time with S&M trending closer to 100% of revenue in the past to 65% of revenue. Usually if an incumbent has strong margins like Crowdstrike, it serves as a model to help alleviate concerns of profitability long-term. Crowdstrike became profitable around the $200 million quarterly mark in July of 2020 so that could put us around H2 CY2023 for SentinelOne. Bradley goes into more depth below.
Notably, Crowdstrike had a rocky road with the stock being down 50% during the Q3 2019 selloff and then a total of 68% from peak to trough during March 2020. However, even if an investor had terrible timing and bought at IPO, the stock is now up 251% following yet another major selloff of Q1 2022. At its most recent peak, the returns were 390% if you had bought at IPO.
I’m sure you can see the parallel I’m drawing with SentinelOne and some of our more recent buys – which are at/near the low. In the fierce debate between Crowdstrike and SentinelOne, the only thing that matters to us is whether SentinelOne’s product can potentially carry the newly public company on a similar path in terms of price action. We believe it can.
Comments on SentinelOne’s margin relative to CrowdStrike’s
By Bradley Cipriano
SentinelOne and CrowdStrike are peers, so it makes sense to compare the two. However, CrowdStrike’s financials are much stronger than SentinelOne’s largely because CrowdStrike has significant scale (CrowdStrike is at nearly 6x the revenue run rate as SentinelOne). To account for the differences in scale, I compared SentinelOne’s latest results to CrowdStrike’s results when it was at a similar revenue run rate. As I’ll discuss below, SentinelOne’s results appear in-line with CrowdStrike’s but there are important differences in accounting treatment that impact the comparison.
SentinelOne’s Q4 FY2022 sales of $65 million are about equal to CrowdStrike’s Q3 FY2019 sales of $66 million. I use Q3 FY2019 for my base period for CrowdStrike, but also make comparisons to Q4 FY2019 to better account for seasonality.
At this stage, SentinelOne is similar to CrowdStrike based on both sales growth and gross margins. For instance, SentinelOne grew sales 17% QoQ in Q4 FY2022 vs CrowdStrike’s 19% QoQ growth in Q3 FY2019. SentinelOne’s gross margin was 63%, which was slightly below CrowdStrike’s gross margin of 66% in Q3 FY20219.
An area where SentinelOne is showing leverage is sales efficiency. SentinelOne’s Q4 FY2022 Sales and marketing expense was 64% of sales, which compares favorably to CrowdStrike’s 70% S&M margin (as of Q3 FY2019). However, Q4 tends to be a seasonally strong quarter for Enterprise, and relative to CrowdStrike’s Q4 FY2019 S&M margin of 61%, SentinelOne was slightly above that metric.
Further down the income statement, the differences grow between the two peers. SentinelOne’s R&D and G&A margins were much higher than CrowdStrike’s at this stage. For instance, SentinelOne’s R&D margin was 65% vs 39% for CrowdStrike, and its G&A margin was 42%, or double CrowdStrike’s 21% margin at a similar revenue run rate. As a result, SentinelOne’s operating margin of -108% as of Q4 FY2022 compares unfavorably to CrowdStrike’s -63% and -39% operating margin as of Q3 and Q4 FY20219, respectively.
However, there are important differences in accounting that impact this comparison. For instance, SentinelOne has accrued much more expenses than CrowdStrike at this stage, which essentially pulls forward expenses. For instance, SentinelOne’s accrued expenses increased 252% YoY to $84 million, which represented 61% of quarterly operating expenses. A rise in accrued expenses leads to a concurrent rise in operating expenses on the income statement, and is a sign of conservative accounting.
It appears that SentinelOne has more conservative accounting than CrowdStrike did at a similar run rate. For instance, in Q4 FY2019, CrowdStrike’s accrued expenses were 46% of total operating expenses. Had SentinelOne’s accrued expense profile been similar to CrowdStrike’s, it would have reported ~$20 million less in quarterly expenses. Stated differently, SentinelOne’s operating margin would have been closer to -78% in Q4 had it not ramped the accrual of expenses, which compares more favorably to CrowdStrike’s operating margin at a similar run rate.
Another important concept to consider is the capital intensity of both business models. If a company capitalizes more expenses to the balance sheet, its earnings will look relatively stronger. It is noteworthy that SentinelOne has just $25 million in net PP&E while at a $65 million quarterly revenue run rate, while CrowdStrike had $74 million in PP&E, or nearly 3x as much, at a similar run rate. During the latest quarter, SentinelOne capitalized just $1 million of expenses to the balance sheet, versus $15 million for CrowdStrike in Q4 FY2019. This $14 million delta impacts comparisons between the two.
Taken altogether, SentinelOne recognized ~$20 million more in accrued expenses, and CrowdStrike capitalized ~$14 million more in expenses while at similar revenue run rates. If we adjust SentinelOne’s earnings for this $35 million delta, its Q4 operating margin would be closer to -55%, which compares more favorably to CrowdStrike’s -39% operating margin as of Q4 FY2019 and -63% operating margin in Q3 FY2019.
To summarize, SentinelOne is at a similar run rate as CrowdStrike in Q3 FY2019. Sequential revenue growth is about even and gross margins are comparable. SentinelOne has moderately stronger sales leverage but has much higher R&D and G&A expense. However, SentinelOne has more conservative accounting, as it has expensed more costs to the income statement rather than to the balance sheet relative to CrowdStrike. For instance, had SentinelOne accrued expenses at a similar rate as CrowdStrike, its quarterly operating expenses would be ~$20 million lower. Furthermore, CrowdStrike has capitalized more expenses than SentinelOne has at a similar run rate, which added a further ~$14 million delta between the two. By accounting for these timing differences, SentinelOne’s operating margin appears more in-line with CrowdStrike’s at a similar run rate.
Finally, SentinelOne guided for 80% topline growth for FY2023, which is slightly above CrowdStrike’s guide for 74% topline growth for FY2020. SentinelOne is expected to grow slightly faster than CrowdStrike did at a similar run rate. The faster growth rate will front load more expenses, and also contributes to a lower margin profile. In all, SentinelOne’s margins appear relatively in-line with CrowdStrike’s after considering accounting differences and projected growth rates.





























