Updates - S - Strong Performance
The 2Q23 ER was really positive amid a gloomy macro outlook: triple-digit growth, notable margin improvements, and upwardly revised FY23 guidance.
In this report we take a look at the GTM factors, the key tailwinds, and SentinelOne’s key technological differentiators, that are contributing to the hyper growth.
Recent new product releases are geared toward enabling security analysts to extract the most value out of SentinelOne’s leading technology stack.
The mega losses are too great for most investors to accept right now; however, management are keen to maintain an elite Rule of 40.
By our model calculations, sustaining a Rule of 40 leads to an attractive valuation. We've included the link to the valuation model.
2Q23 ER Review
On 31st August, SentinelOne released their 2Q23 ER and on the whole, it was really positive: triple-digit growth, margin improvements, and upwardly revised FY23 guidance. The losses – GAAP and non-GAAP – are staggering, but perhaps somewhat validated with S achieving a Rule of 40 of c. 60%.
Source: Convequity. The Google Sheet for this table and DCF model can be accessed here https://docs.google.com/spreadsheets/d/1PJkPvvLmE1O-shLQt46KkPh2PgLxB52R/edit?usp=sharing&ouid=106779751770256425853&rtpof=true&sd=true
The above table shows many impressive and staggering metrics; we’ll just comment on a few. Firstly, as we pointed out in September 2021, a key catalyst to the sustained triple-digit growth appears to be the out-the-box nature of Singularity XDR – S’ endpoint security platform. The zero config changes for the series of MITRE tests is a significant testament that S works right out-the-box. Such an easy deployment is clearly supporting this level of hyper growth.
Secondly, the number of customers is very supportive for future growth and Net Dollar-Based Retention, or NDR, which has impressively increased from 130% to 137% this quarter. The high majority of these 8,600 customers will have completed their POC (Proof of Concept) and subsequently deployed S on perhaps 50 to 200 endpoints, subject to the size of the org. Then, over time, if the product performs well and is cost-effective, gradually more endpoints will be added. The expansion needs to be careful and gradual because of dealing with agents (not agentless deployment), which have the potential to significantly impact production. So, the majority of these customers present substantial future land-and-expand sale opportunities that presumably won’t impact S&M % too much.
Thirdly, the 117% growth in customers with ARR over $100k offers further insights. We strongly infer that the elevation of this metric is largely attributable to S’ appeal to the MSSPs and IRs. Because of the pervasive cybersecurity talent shortages, enterprises need to outsource much of their SecOps to third-parties. The talent shortages are probably hardest felt in the larger enterprises, as it is these types of orgs that have the bigger cyber risks. To summarise, large enterprises are requiring more services from MSSPs and IRs, and to serve this demand, MSSPs/IRs need a platform that is architecturally optimised for automation and security analytics – the Singularity XDR.
Fourthly, the gross margins, both GAAP and non-GAAP, are trending in an upward direction. Clearly, gross margin is benefitting from the platform’s greater number of solutions. It is also benefitting from the successful integration of Scalyr into DataSet (for a deep dive into S and Scalyr see our April 2022 article), which is optimising backend costs associated with SOCs ingesting, retrieving, and storing data. There is further scope for gross margins to improve, however. Management’s non-GAAP gross margin guidance for FY23 is 71%, which will lift the TTM figure a few hundred basis points higher. Though, if/when S eventually migrates away from public clouds over to colocation data centres, expect gross margin to go even higher – CrowdStrike’s TTM non-GAAP gross margin of 78% is a good longer-term guide because they are already operating out of colo DCs. Or perhaps using CrowdStrike as a gross margin guide is a little too conservative because S is way less reliant on manual security operations and has a more efficient backend.
A fifth observation - mentioned already in the second but we'll add some colour - is the impressive NDR of 137%. This is a high number against SaaS peers generally at 120% or lower. This is because S has historically been selling at competitive discounts. Now, with revenue scaling up, channel partnerships blossoming, new modules being released, enterprise customers moving from POC to multi-functional and multi-regional deployments, we expect this NDR to remain strong. This is similar to Snowflake's momentum where its high NDR stands out as one-of-a-kind because customers typically get started with small spending, and then realise the attractive ROI later on and go on to spend 10x or higher.
Lastly, GAAP and non-GAAP EBIT margins have improved thanks to S&M, R&D, and SBC trending lower as a percentage of revenue. To many, a S&M percentage of 77% is still far from justifiable. Though, with CrowdStrike as the formidable market leader that is aggressively defending its brand, we’re not sure S would be succeeding like it is without such S&M aggression. And readers should note that S' S&M efficiency has radically improved in the past two quarters. The gross profit adjusted magic number was 0.77 in 1Q23 and 1.07 for 2Q23, which, as shown in the following table, is a big jump in efficiency.
Furthermore, endpoint security and market adjacencies represent a colossal amount of TAM. And S is also competing with CrowdStrike in cloud and identity. With that in mind, perhaps it is worth losing a few hundred million dollars today to become a dominating leader across these markets in the future. Well, of course, that’s the way S’ management is looking at it. And we do too, especially after having noticed the vast improvement in S&M efficiency. However, we also want to see steady QoQ margin improvements and for S to reach profitability, on all measures, before too long.
For those who prefer charts, here are a few from the Shareholder’s Letter.
GTM Remains Strong
A few factors are contributing to S’ solid GTM success:
Very aggressive marketing, especially the type that pits S directly against a rival in an analytical comparison.
Aggressive pricing – even though the pricing structure is different, they are clearly undercutting CrowdStrike.
As aforementioned, the light weight of the agent and its off-the-shelf characteristics make customer deployments less intensive and risky.
Compared to CrowdStrike, S is more suitable for hybrid environments because it can be deployed both in the cloud and on-prem.
Compared to CrowdStrike, there is much less head-to-head competition with channel partners (MSSPs and IRs), if any. If there is rising demand for MSSPs/IRs, it makes less sense for them to choose CrowdStrike to do their work if there is a large degree of overlap.
The front-end agent autonomy alleviates a lot of operational burden from in-house SOCs, MSSPs, and IRs. The highly performant and cost-effective back-end (DataSet) allows these parties to investigate faster and retain logs for longer. These technological advantages at both ends of the endpoint security spectrum are very attractive to enterprise SOCs and channel partners.
The outcome of the MITRE test series, whereby S came out on top, is a significant tailwind for the GTM efforts. S has also performed best-in-class in other independent tests, such as from AV Tests, Virus Bulletin, and PassMark Software.
S received the highest overall score in Gartner’s Peer Insights, Voice of the Customer. In the May 2021 Magic Quadrant, they were also recognised as a leader.
Key Tailwinds & Differentiators
Despite the macro deterioration, it looks as though the GTM momentum will continue in the near-term. Here we list some of the primary tailwinds and the respective technology that gives S a competitive advantage:
Talent shortages >>> S’ AI/ML supported agent autonomy and rich contextual information from Storyline.
These technologies remove much of the laborious, repetitive tasks from SecOps workloads.
More complex threats >>> S’ STAR (Storyline Active Response) and RSO (Remote Script Orchestration).
These allow security professionals to execute custom detection rules and customise responses, with the ability to control entire or subsets of fleets.
Slow SIEMs (Security Incident & Event Management) >>> S’ proprietary data lake.
The Scalyr acquisition now transformed into DataSet is a superior alternative for ingesting and trawling through logs when investigating threats.
Data governance and integrity issues with data lakes >>> S’ proprietary data lake.
Snowflake and Databricks are adapting more to cybersecurity use cases, offering a better alternative than traditional SIEMs; however, there is more improvement needed. Additionally, endpoint vendors operating on Snowflake or Databricks are going to be more expensive to use versus S. This is probably why S is undercutting the competition on price.
Credential theft and privilege escalation >>> S’ acquisition of Attivo.
Security defenses like NGFWs and endpoint agents are actually good at stopping the bad guys. Hence, the bad guys have now refocused more efforts toward stealing credentials and escalating privileges to pose as a legitimate user in order to move through the network. In essence, this is one reason why identity has increased in importance within cybersecurity. Attivo is designed to prevent such behaviour with Zero Trust principles, as well as provide Active Directory visibility, alert of suspicious password and account behaviour, and provide deception tools to fool attackers.
Data volume surges >>> S’ proprietary data lake.
DataSet can retain logs for 365 days whereas most competitors like CrowdStrike store for a maximum of 90 days. This will become more of a distinct advantage as data volumes grow.
The increasing importance of real-time security >>> S's proprietary data lake.
DataSet can do analytics and ML processing over petabyte scale of data in real-time. This is rare as most data engineering is centred around vendors like Snowflake which can only deliver near real-time performance. Owning DataSet that has a vastly different architecture could be the main ingredient that deepens S' moat against XDR competitors, as well as data engineering focused players.
More IoT requires more network scanning >>> S’ Ranger.
Ranger uses a combination of agents and active and passive network scanning techniques to locate all known and unknown IoT devices. (Active means probing ports to elicit responses; passive means wait by for traffic to pass in order glean info regarding where it’s come from).
Evidently, S has a technological advantage within many tailwinds driving the cybersecurity industry.
Recently, S has released a few new products to market that compliment and bring the most out of DataSet.
XDR Ingest >>> is the compute layer of the Singularity XDR technology stack. XDR Ingest is designed for optimised ingestion, querying, and retrieval of log data from DataSet, and then presents analysts with analytical insights. It is a modern alternative to using a SIEM.
Skylight >>> is the new and improved UI that empowers SOC analysts to swiftly shift from workflow to workflow. It also presents data from S and all third-party vendors, integrating with Storylines.
XDR Process Graph >>> accompanies XDR Ingest and Skylight by presenting data visualisations so analysts can be quicker in understanding patterns and the series of events leading up to an attack.
Additionally, all of S’ customers have now been fully migrated to DataSet.
In summary, the recent product innovations have been introduced so that SOC analysts and third parties can get the most out of S’ existing technologies – STAR, RSO, and DataSet. Generally, we see that S firstly innovated at the front-end, and then the back-end, and then introduced STAR and RSO so that analysts can fully leverage the front-end/back-end power of Singularity XDR. The latest releases are more about improving the user interaction with the technologies. Now, S is leading in various areas >>> autonomy, SaaS, PaaS, security analytics engine, back-end data infrastructure, and managed services.
SentinelOne's Venture into Cloud Security
S' cloud security offerings continue to evolve and it is very clear that S is both strong at adopting new technologies and expanding its reach. Its container security is based on eBPF technology, which is one generation ahead of PANW's sidecar, which itself is one or two generations ahead of other heavy agent based approaches. This shows that S has a strong emphasis on fundamental technology leadership even compared to the youngest startups.
Furthermore, according to management, many cloud-native software firms use S. Also many enterprises that have existing EDR deployments choose to deploy S for cloud workload, giving opportunities for cross-selling to replace incumbent EDR for endpoints. S is also maturing its API agentless connection and cloud-related contextual enrichment technology, that will compete more with Wiz and Orca potentially. Overall, we are surprised to see that S is not only able to lead the core XDR space but also grow its competitive edge on cloud security.