EPP vs EDR
To understand SentinelOne's differentiated endpoint security strategy, it's useful to be aware of the evolution of the antivirus, or AV, industry. Since the early 1990s, various tweaks were made to signature-based AV in an attempt to make it more effective at stopping things like malware. By the 2010s, after the realisation that signature-based AV could no longer cut it in the mobile era, two camps emerged: EPP vendors and EDR vendors.
EPP was more of a natural evolution from signature-based AV, keeping the brains of AV in the agent deployed on the endpoints. EDR was more divergent, opting for a lightweight endpoint agent capable only of sending out telemetry, with the brains of the AV operation in the cloud.
There are pros and cons to both approaches. EPP is more distributed by nature, giving more power to the endpoint agent to fully remediate threats and thus minimise dwell time. The downsides are that the agent drains device resources and that EPP vendors lack the big-picture view that offers rich context on the threat landscape.
EDR is more centralised by nature, relying on a team of security professionals to correlate telemetry and remotely handle threats, benefiting from big-picture context. The downside is that the operation is labour intensive, and there is dwell time as a result of manual investigation and remediation.
SentinelOne's Hybrid Approach
SentinelOne's differentiation is their hybrid approach. They have built AI/ML autonomy into a lightweight agent, and they have also developed a sophisticated cloud operation. Their approach takes the best of both worlds from EPP and EDR, covering the gaps of using either solution on its own. SentinelOne claims their endpoint agent can detect, investigate, and eliminate 95% of all threats. The more sophisticated attacks that evade the agent are captured by the team of security professionals in the cloud.
SentinelOne has certainly gained a clear edge on rivals in the EPP aspect of AV, by leveraging a highly autonomous agent backed by AI/ML. More recently, they have also gained an edge in the EDR aspect.
Endpoint security vendors with EDR operations utilise a SIEM provided by the likes of Splunk, or, more recently, a data lake from the likes of Databricks or Snowflake. Neither is highly tuned to the requirements of cybersecurity. In short, SIEMs are slow, and data lakes have data integrity and governance issues. Understanding the importance of better data management in a future of surging data volumes and increasing cyber attack sophistication, SentinelOne made a bold move to build their own proprietary and highly performant data lake, specially tuned for their own operations.
So, we like SentinelOne because they are winning technologically at both ends of the AV spectrum - EPP and EDR. The autonomous EPP component alleviates the burden of pervasive cybersecurity talent shortages. The highly performant backend supports an EDR operation with faster querying, investigation, and remediation of sophisticated attacks.
From a business perspective, they are also winning - at the time of writing they have achieved several successive quarters of triple-digit growth. This is largely attributed to their out-of-the-box product, predicated on the autonomous nature of the software. Additionally, the hyper growth is coming from third parties such as MSSP and IR partners that enjoy the performant data lake for faster investigations.
The business is currently loss-making, though if they can continue steady QoQ margin improvements while maintaining high growth, this should be an outperforming cybersecurity stock for the next few years.
For institutional investors, on request, we can do tailored research or memos on any specific aspect of SentinelOne. For all types of investors, here are individual reports either solely focused on SentinelOne or including SentinelOne to some degree.
For institutional inquiries, or to pay for individual (à la carte) reports, please click Subscribe for more information. From there you can also sign up as a Premium subscriber if you wish to.
Why We Believe SentinelOne Is Better Than CrowdStrike (September 2021) - Free
The Ultimate Investor Guide To Zero Trust (January 2022) - Free
SentinelOne – Data Engineering Brings In Paradigm Shift To The Security Industry (April 2022) - $50
Tailored research/memo - price negotiable