Updates - SentinelOne 3Q23

Summary

  • Even amid deteriorating macro conditions, S’ business is proving highly scalable from a front-end deployment perspective and a back-end data processing perspective.
  • This enables S to rapidly amass customers and also enables enterprise customers to quickly ramp up their usage of SentinelOne.
  • Management have factored in cautiousness to their guidance but the outlook is still largely positive.
  • Margins continue to improve and management have offered provisional guidance for FCF and non-GAAP EBIT breakeven milestones.
  • Though, in this environment where profitability trumps growth, S' stock will most probably be range bound for some time before it recovers to its fair value.
  • Contrary to general sentiment, we see tons of future efficiencies & operating leverage that will eventually turn S into a FCF/profit machine while generating market share winning growth.
SentinelOne headquarters in Silicon Valley

Sundry Photography

Audio Preview

audio-thumbnail
S 3Q23
0:00
/16:09

Overall Impression

SentinelOne has a very strong value proposition across endpoint, cloud, and identity, that is improving every quarter. In its core endpoint area, it is completely displacing legacy vendors and also CrowdStrike in many cases. Its lightweight agent, that is able to work with high-efficacy right out-of-the-box, makes SentinelOne a relatively easier deployment. This is a key factor in SentinelOne being able to land itself in hundreds of new enterprises each quarter with initially small deployments, or PoCs (Proof of Concept), with the opportunity to expand the customer’s wallet thereafter.

The following chart is a couple years old, but we think it offers a glimpse into why SentinelOne is displacing incumbents right now. Two years ago, you can see that the intention to keep Symantec and McAfee as the primary endpoint protector was waning (very significantly in the former's case). This has also been the case for SecOps teams using CrowdStrike, albeit at a lesser magnitude. These dynamics are certainly helping SentinelOne get its foot in the door in the industry and give it a chance to grow into the primary endpoint protector.

Source: Momentum is on CrowdStrike's Side: Will it Last? | Beth.technology

Another key factor in SentinelOne’s rapid growth is its appeal and compatibility with MSSPs (Managed Security Service Providers). SentinelOne’s autonomous EPP (the agent side of endpoint security) is a perfect fit with the labour-intensive EDR (the cloud-based SecOps side of endpoint security) run by the MSSPs. The EPP can detect, protect, and full remediate 90%+ of threats, empowering MSSPs to use SentinelOne’s Storyline technology to investigate and hunt the more elusive threats. This is in sharp contrast to CrowdStrike, whereby its entire endpoint security operation is predicated on the EDR side where it has hundreds of threat hunting and incident response experts, thereby very much overlapping with the work of MSSPs. The current climate is rather conducive to this part of SentinelOne's strategy. SMBs are feeling the macro decline, and they don't have a SOC (Security Operation Centre, aka SecOps) but need to ramp up their security defenses with a limited budget. Therefore, they're deciding to outsource their cybersecurity needs, or more of those needs, to MSSPs - it allows SMBs to bolster their cybersecurity in an affordable way.

SentinelOne’s cloud security offerings are also blossoming. Its CSPM (agentless) + CWPP (agent-based) is not BoB but still super attractive from the CWPP, real-time protection, XDR integration, and cost-effectiveness aspects.

Sidenote: SentinelOne doesn't actually market a CSPM solution but can do tons of agentless work hence why we're framing it this way - for simplicity and to align with prior reports on cloud security.

SentinelOne has good API-based capabilities thus making its CSPM highly effective and its lightweight, out-the-box, agent makes CWPP deployment and operation less intensive compared to many alternative vendors. Thus, customers have a lot of flexibility in using SentinelOne – they can tradeoff degrees of CSPM and CWPP when balancing their needs for ease of use, comprehensiveness, and real-time protection. It appears that many customers are using the CWPP for critical workloads and CSPM for other assets in their cloud environments. Having a good CSPM also feeds SentinelOne’s XDR engine and DataSet backend with broader and richer information in which to derive valuable insights.

Lastly, SentinelOne appears to have done a good job at integrating Attivo and expanding upon its capabilities. Attivo’s technology is BoB, able to spot vulnerabilities and malicious movements involving identities, and enable SecOps teams to leverage decoys to fool bad actors. SentinelOne has adapted their Ranger technology to work with Attivo to enhance the identity-related scanning and visibility capabilities, helping enterprises be more preventative in their security defenses. Identity offers a prosperous roadmap because legacy solutions for IAM, IGA, and PAM need patching to be interoperable in a hybrid world, and SentinelOne’s Identity platform fills in many of these gaps.

SentinelOne generated $115m of revenue in 3Q23, beating guidance by $4m, and growing YoY by 106%. However, the annualised QoQ growth of 50% indicates the slowdown SentinelOne is currently experiencing. The macro headwinds were acknowledged by management – mentioning that customers are becoming more cost-conscious which is leading to reduced budget availability and elongated sales cycles. The 4Q23 and FY23 guidance was also conservative, expressing management’s cautiousness in the intermediate term. Although, the overall tone and rhetoric from Founder & CEO Tomer Weingarten and CFO Dave Bernhardt was largely optimistic.

Supported by the growth in the number of $100k+ customers, they expressed that enterprises appear likely to continue their level of spend on cybersecurity. And even at the lower SMB end of the market, management articulated that thus far they are not experiencing signs of major slowdown – though much of this visibility is masked by MSSPs onboarding SMB customers. After the latest earnings calls from CrowdStrike and Microsoft, it seems as though the market is concerned with the former's traction with enterprises and the latter's traction with SMBs. However, SentinelOne has two advantages because 1) its enterprise adoption is still in the very early stages and should provide growth even if macro conditions worsen and begin to affect enterprises; and 2) it has more SMB experience versus Microsoft and also has growing MSSP industry advocacy.

As can be seen in the table below, it’s clear to surmise that SentinelOne’s continued exceptional growth is driven by large enterprises. As mentioned earlier, SentinelOne has amassed a huge number of customers – 9250 as of 3Q23 – by being really easy to deploy for initial PoC requirements. Then, SentinelOne’s platform breadth, BoB solution set, and backend cost-effectiveness, makes for very fruitful land-and-expand opportunities. The elite 130%+ NDR is testament to the company’s organic land-and-expand capabilities; the 99% YoY growth in the number of $100k+ customers is further evidence.

For a closer look at the financial trends table visit this Google Sheets that also shows the DCF valuation (which we discuss in the last section of the update).

We think investors should be particularly interested in the fact that SentinelOne has over 9000 customers but negligible market share at present. With the 130%+ NDR and the growth in the number of $100k+ customers, it will be very intriguing to see what the below chart looks like in 2-3 years from now. A PoC deployment may consist of 50-100 endpoints within an enterprise that has tens of thousands, and each one of those will be counted as one of the 9000+ customers. And by contemplating the ARR, the revenue level, and market share, compared to the number of customers, we surmise that a significant portion of these customers are at the PoC stage. This presents very durable land-and-expand growth for SentinelOne that will consist of additional devices and platform cross-sells for other solutions.