- CRWD's endpoint security moat will continue to be solid, but S1's competitive advantages will close the gap in the years to come.
- We compare CRWD and S1 within the endpoint space across a number of categories, providing a detailed summary of their differences.
- CRWD is a formidable foe in endpoint but will unlikely sustain itself as a strong rival to S1 in cloud security.
- We explain why the differences in technology give S1 a significant upper hand when it comes to cloud security.
Year founded: 2013
Headquarters: Mountain View, California
Company status: Public >>> $15/share (ticker: S >>> note we will refer to it in the report as S1)
Founders: Tomer Weingarten CEO, Ehud Shamir, Almog Cohen
Market: Started in endpoint security and has since expanded into identity and cloud security
TTM revenue & ARR: $362m & $584m
Key competitors: CrowdStrike, Palo Alto Networks, Microsoft, NGAV names like Cybereason and Tanium, and legacy AV incumbents like Symantec
Estimated number of employees: 980
DCF Valuation: in the Updates - SentinelOne 3Q23 report published in December, we arrived at a value of c. $50/share.
Spending more time on PMF (Product Market Fit) in the company’s early days, has led to S1 having superior product fundamentals and architectural design. Indeed, this did sacrifice the GTM momentum, allowing CRWD to rapidly grow and dominate the endpoint EDR market. However, S1’s gear shift into aggressive GTM coupled with a cleaner slate and sophisticated architectural design, ought to keep pushing the company forward to grab increasingly more market share and close the gap with the market leader CrowdStrike.
S1's move into ITDR (identity Threat Detection & Response) is a smart move. ITDR is considered an important future defense to thwart credential-based attacks, and fills in an important gap between EDR, IAM, IGA, and PAM.
Though, it is cloud security where we think S1 will convincingly outcompete CRWD thanks to technological factors. Really, S1's cloud security competition will be the likes of PANW and Lacework more than it will be CRWD.
The endpoint security market has undergone a number of evolutions since the early 1990s. Initially, endpoint security was entirely focused on signature-based AV (antivirus) software, that would check inbound file hashes against a database of known malicious file hashes, aka signatures. The efficacy of this method was dependent on the updates to the signature database. At the dawn of the mobile era when the iPhone was released in 2007, there was an explosion of data, which was also accompanied by surges in new (and hence unknown) types of malwares. Thus, updating the signature-based databases in a timely manner was simply not possible.
Some vendors attempted to improve protection on the endpoints with different methods and approaches, such as using sandboxes, heuristics, anomalous behaviour detections, and device vulnerability management. All these device-focused approaches fell under the EPP (Endpoint Protection Platform) umbrella, and to be fair, they provided adequate patches for the ineffective signature-based AVs. However, when AWS emerged, it was realised that the scale of the cloud could provide the compute and storage to conduct threat analysis on a huge scale, while also using a bunch of SecOps folks to remotely protect and control endpoints from the cloud. This concept gave birth to the era of EDR (Endpoint Detection & Response), pioneered by CRWD and Carbon Black.
The brain of EDR is in the cloud, which means the agent on the endpoint can be very lightweight, as it only needs to send telemetry to the cloud. The main benefit is that it consumes very little device resources. The drawback, however, is that the agent can’t confirm a threat or stop and remediate a threat autonomously and immediately, and hence EDR is very dependent on manpower in the cloud.
S1, perhaps with the benefit of a last-mover advantage (having being founded roughly 14 months after CRWD and growing much slower), decided to take a different product and architectural approach. They opted to focus the brain of their product equally on EPP and EDR – making the agent intelligent to confirm and eliminate threats autonomously, while also reaping the benefits of cloud scale threat hunting and analysis.
CRWD vs S1
The majority of corporations still have legacy AV deployments. As previously mentioned, these are signature-based, and therefore provide significantly less than 100% protection at any given time. So, it’s no surprise that both next-gen EPP and EDR vendors are destined to replace these incumbents. CRWD and S1 are two of the elite vendors (we believe these two and Palo Alto Networks are the top three), which are also the fiercest of rivals, therefore much of this report will be comparing the two. CRWD is the undisputed market leader with a strong moat. Therefore, to evaluate whether S1 can close the gap on this EDR giant, requires consideration of the product and architectural advantages of both rivals.
CRWD’s advantage is its moat, that has been built by developing a sterling reputation for EDR. Its founder and CEO, George Kurtz, came from an IR (Incident Response) and forensics background. His pioneering concept was to therefore design a super lightweight agent that just sent telemetry to the cloud, ready for teams of CRWD’s analysts to use to hunt for threats, respond to incidents, and conduct investigations. Such a business model is more conducive to serving enterprises, as these types of companies are the targets of most attacks (and most sophisticated attacks), even more so when CRWD was starting out. So, CRWD’s novel approach and highly successful GTM led to them quickly accumulating thousands of large customers and basically catapulting itself to EDR category dominance.
As it stands, compared to S1, CRWD has multifold more enterprises, which are generating multifold more data, which in turn has led to a more polished AI/ML. And a more polished AI/ML leads to fewer false positives. SecOps teams love lower false positives because it means they aren’t wasting as much time chasing red herrings. And this is one reason why CRWD has developed a great reputation among SecOps and SysAdmin communities.