SentinelOne, Inc. (S) Earnings Call Transcript & Summary

I think we're live. Well, thank you, everyone, for coming here, and good afternoon. Looking forward to this conversation with SentinelOne. And from SentinelOne, we have the CEO, Tomer Weingarten, with us today. Tomer, thanks so much for coming down here.

Sure thing.

All right. Well, before I begin the presentation, just a brief disclaimer. So for important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/disclosures. And if you have any questions, please reach out to your Morgan Stanley sales representative. All right. So Tomer, you just came off your IPO, which I believe was also largest cybersecurity IPO, so congratulations.

Thank you.

Maybe for investors who may not be as familiar with the story, could you kind of give a high-level background of what the company does, like when did it start, what sort of problem were you trying to solve that you felt like some of the other vendors were neglecting?

Yes. No, sure thing. We started SentinelOne about 8 years ago. And it was really mostly about trying to find a more effective way to deal with what we knew the attack landscape is going to become. We were very sure that the cloud is going to have a pretty distinct impact on how machines interact and kind of the concept of the entire network. So knowing that the weight of protection and also the center of most attacks will be on the endpoint on these devices that we all use, we kind of said, "You got only the antivirus there. It's a very antiquated approach." Obviously, as someone who has been on the offensive side, it's one of the easiest systems to circumvent. So that represents to us kind of a great place to embark on an innovation quest to build something better. And then that's something better is something that we thought could be sold with machine learning basically and kind of say, we can devise a real-time system that with machine learning, we'll be able to infer in real time, again, what's happening on the device, find these anomalies, find the bad stuff, but not only detect it and alert on it, which was kind of what others were trying to do around the same time, but really get to the point that the algorithm is so accurate that it can actually take an autonomous decision in real time and deflect the attack with no human intervention whatsoever. And if we can do that in a complete vector agnostic way, so it doesn't really matter if it's malware, hands on keyboard attacker, lateral movement, zero-day exploits, if you can just observe the behavior, understand that it's outside the norm and then basically tailor a response to it, again, just by letting the machine do its thing, then you're going to have something that's pretty special and something that could probably inherit the antivirus. We labeled it immediately as an antivirus replacement. I think most competitors in our space, even the bigger ones, they've started as EDR as this augmentation to the antivirus. So that was, right from the get-go, a very different approach. There was one other company back then, Cylance, that was also trying to be a next-gen AV, but took a very, very narrow approach to it. So all in all, that's kind of our inception. I mean, obviously, as I've heard many questions throughout the past few days around our cloud capabilities, which was kind of funny to me is probably the first person that wrote code for our console. I mean we were born in the cloud. Any company that starts in 2013 starts in the cloud. And what seems unfathomable is that we actually, after starting in the cloud, took parts of it and miniaturize it, so we can deploy it on-prem. And today, on-prem is not a huge business for us. It's about 3% of our revenue. So it's something fairly insignificant. So I'd say we're a complete cloud-native company. Everything we do is based on the cloud, and that's kind of where we are today.

Yes. That's a good clarification there. So I think that's a good segue into my other question just around the endpoint market, I would say, historically has been one that's highly competitive. You mentioned Cylance, there's also Carbon Black and CrowdStrike, and sort of the 3 Cs, if you will, that we see here a lot about 5 years ago. And it seemed like SentinelOne was certainly always out there, but it was kind of perceived as sort of the underdog in this space. And as the market has started to come around to you in the last, I think, a couple of years in particular, what would you attribute that to? What's kind of giving you the staying power in a market that's seen a lot of different next-gen endpoint EDR vendors kind of fizzle out?

I'll try and give my perspective because I think this market, more than many other markets, is very fueled with rumors and kind of outside conversation and who's doing what and they're doing well, they're not doing well. Sometimes I hear about myself that I'm not doing well. But at the end of the day, I -- and you can look at our growth rate throughout the years. I look at our graph and I see consistent quarter-after-quarter growth exactly to the forecast and expectations that we have. So to me, I don't care what everybody else is saying or seeing. I know what I'm seeing. I know what I'm seeing with my sales engine. And to date, our ability to grow has never been hindered. I think we've been hitting more than 12 quarters in a row now, obviously, just one as a public company still, but all of them as a private company. So to me, a lot of it was just believing in the technology that we built, seeing just the traction that we're having, little by little but very consistently. You had someone like Cylance grow phenomenally in kind of the first couple of years to $100 million of revenue and then just splashing splatter on the floor. And that's kind of a product of overmarketing and overhype. And I think that was never our tack. I mean we kind of said, "Look, I mean, this is our product. This is our scale. This is how fast we can go." And we're going pretty fast. So to us, it was really just looking at our own performance. I think our technology approach was, again, something that was a bit more forward-looking than the others. We -- the first Magic Quadrant for Gartner that -- by Gartner that we showed up in, we were actually the most visionary company in endpoint security. We were positioned in the, I think, at the rightmost axis on being visionary because we said EDR and EPP will converge. Now this is 2014, 2015. So it's blasphemy at that point to even say something like that. Even to be for a new start-up to enter the Magic Quadrant for endpoint protection at that point in time was something that no one believed that could have been done. CrowdStrike and the EDR vendors, Carbon Black, they came in after us to the major quadrant for endpoint protection. You can check me. I mean this is all true, all factual. It was us and Cylance, the first newcomers in the Magic Quadrant for endpoint protection, and EDR vendors then started adding more and more EPP capabilities so they can be included as well.

Maybe just shift a little bit to a bit of a macro question. So right now, the secured demand environment is really hot. And like any other security upcycle, investors are asking, "Okay, this is way too good to last, and so when is it going to start to slow down?" So from your perspective, how much of this really strong demand environment do you think is structural -- sort of structural TAM expansion versus maybe cyclical uptick? And why do you think it's more structural this time versus cyclical?

Yes. So I do absolutely think it's structural. And I think so many different things happened in the last couple of years that were just an amplification of trends that we are seeing regardless. We were seeing anyways the attack landscape evolving. So that's something that naturally will drive more spend towards security. Attackers have understood that they can easily compromise integrated infrastructure. So that is structural. It's happening. It's not changing and it didn't change. It didn't change over time. I mean, again, our consistency in growing in this space really means that we have known what to forecast to. So we didn't have any anomalies or hockey stick. We had like really, really nice growth curve over time. So the threat landscape, obviously, is one main driver. The cloud coming in, that's a 2-decade, 3-decade journey for everybody to transition to the cloud. And we knew that when we started the company. I mean, for us, part of the thesis, as I just mentioned, was that you're going to have to put more emphasis on endpoint protection because the endpoint is going to be directly accessing the cloud, and the concept of the network will be changing. Lo and behold, Zero Trust. So all of these are very, very structural themes. And then you get something, an outlier like COVID, which kind of changed the work mode to put even more emphasis on remote work and on the endpoint that everybody is using outside the corporate perimeter, accessing directly the service that needs to be accessible via the cloud. So it's like more emphasis on the structural things that we've seen. The mode of work that we all are in right now is not going to go away. I mean no one is going to not return to 100% office [ inhabitance ]. No one is going to return to putting all their applications on-prem. So these things are kind of unlocked and now are going to be the way the future works, I'm assuming. So again, cybersecurity is super important. Infrastructure changing at an insane pace right now. So all of that is just good news for us in some perspective, but our work is very hard. I mean the attack landscape is just -- it's insane right now. And at the same time, what you all need to understand about cybersecurity, it's the only segment in the software where you don't only fight your competitor, you're also fighting the attackers. So -- and mostly, you're fighting the attackers, at least in our case. I think our competitor sometimes confuses us with maybe someone more malicious. But for us, it's a very demanding environment in terms of what you need to do, what you need to deliver, the outcome of the platform. But all in all, I think it's going to remain. It's hard to see something changing in the climate that we see today.

So we're seeing this evolution in the market from EDR, endpoint detection and response, to XDR, the extension detection response, which I think to me is more sort of a data-intensive approach to threat detection and response just generally. Can you talk a little bit about SentinelOne's threat [ privacy ] capabilities, particularly with Storylines, how does that position you uniquely within the marketplace versus some of the other vendors out there, not any specific one, but just generally?

Yes. And I think, honestly, in the market today, you see maybe 3 or 4 or 5 different approaches to XDR. So everybody is really using the same acronym, but at the same time, everybody is taking -- and everybody has the right to take their own path in what they feel is XDR. You see some vendors kind of going the alliance route and basically saying, "We're going to work only with these vendors." You're going to see even more closed platform vendors that say, "Yes, XDR is just for our stuff, right? I mean we got the firewall, we got the endpoint, we got the cloud. If you're buying XDR, our XDR is really just the sum total over of our capabilities." And I think our stance is, first and foremost, XDR has to be open, like period. There's no question about it. You have to be able to work with all security vendors out there. You have to be able to ingest every piece of data from every product in the enterprise. And the reason I'm saying that is relatively simple. XDR will eventually -- and it's going to take a good amount of years until it's going to probably inherit some of the same spending or some of the same use case. The same vendors were always neutral. There's no alliances in SIEM land. They can pick and choose who they work with. They need to support -- they're the UN. They're the United Nations. They need to work with everybody. And that's exactly what we're doing. I mean to us, yes, I mean, of course, you can buy our endpoint stuff. You can buy our cloud stuff. But if you bought cloud workload security from someone else, you'll still be able to ingest it into our data lake and still will produce value for you. We'll produce automation for you. We'll fuse the data for you. That's the beauty in ingesting unstructured data from every source in the enterprise. And that is, to me, what our vision for XDR is. And if you kind of just kind of layer Storyline on top of it, Storyline is important because it actually deals with all data, not just threat data. Some people are focused on building threat graphs, Storyline is about all benign data, all telemetry data. Every piece of machine telemetry that we can actually collect is sent to the platform, and you can search it and you can retain it. And I think that's something that's incredibly important that we see today. Our customers are buying low retention and data retention for years, for years, and we're able to offer that because we have already started transitioning our platform to be built on top of a native data analytics platform. So when you see something like the cybersecurity mandate by the Biden administration that tells everybody go save your logs, you're going to have to save your logs. We're one of the only companies out there that can give you data retention for endpoint data for full benign EDR data, everything that's been collected for years and at a pretty decent cost versus what it would take you to maybe put it in the SIEM. A lot of folks out there don't put endpoint data in their SIEM. It's cost prohibitive. Endpoint data, if you put it inside of a SIEM, will be about 70% of the total data that you'll find in the SIEM. So most people just opt not to do it. So think about the power that it brings to vendors like us who already stored the endpoint data. I would argue, give me the other 30% we'll probably be more cost-effective. I think that's kind of what we're building towards.

Yes. No, it's kind of a good segue into next question, is, yes, I would agree. I think the knock on SIEM has been, one, the inefficiency as far as alert fatigue, but also some of the high throughput costs that might entail. How are you guys building with the XDR technology you have, the ability to do what SIEM couldn't do or sort of a much better alternative to SIEM while being able to scale with the data -- with the more data-intensive approach that you have?

Yes, it's a great question. And I think we're not going to replicate everything that is the SIEM. That's not the tact here. Otherwise, we'll just call it a SIEM and call it a day. To us, it's really about 2 main things that we know are big deficiencies with the same today. One, it's not cloud native, which means that you cannot really enjoy the cost efficiency that you can drive in a multi-tenanted architecture in the cloud. That's what next-generation data analytics solutions bring into the fold. So cost, which is obviously a huge component. Next-generation data analytics platforms like Scalyr were built for petabytes, Splunk was built for terabytes. Splunk was built for a single-node environment on-prem. Their transition to the cloud is something that is very -- take what you had on-prem to get in the cloud and call it a cloud offering, not the way it goes. That's not cloud-native solutions. That cannot help you enjoy those economies of scale. So being cloud-native is more than just a buzzword. It's something that's material to how you distribute cost across tenants instead of preallocating nodes and storage for one single customer. So it's a big deal. And the certain element, which I think you kind of touched upon as well is how passive the SIEM is and was. The SIEM is a storage system. In the best case, it's a great dashboarding system, but it's also to many extent, just by dashboard. There is no action to be taken. There's no enforcement, there's no orchestration of action. The SIEM providers will sell you a SOAR solution and will tell you, "Oh, no, forget about what's in the SIEM, layer the SOAR solution, the SOAR solution will be your automation. But SOAR is not automation. That's another complete fiction. SOAR is workflow. It's a collaboration tool, and it's designed for a fraction of the market. Not everybody can use SOAR to automate. On the flip side of it, when we look at XDR and we look at something like our STAR capability, which is a complete automation engine, easy to use, easily scripted, basically wizard-like automation then you kind of say, "Why would I devise a workflow when I can do complete product-to-product automation on top of the data that I already collected than paying for ones that are retained for years and it's completely cloud native and managed by someone else, and I don't need to worry about what I have on-prem?" I feel it's a very compelling proposition. And again, it's something that's going to happen overnight. But obviously, we're making strides towards that. We're putting more and more emphasis on integrating more and more data sources. And we're starting with what we feel is very important. And to us, I mean, it's just kind of a road map to get there and over time. And even now, we're seeing that some of the data retention spend is going towards XDR platform. Whether the entire SIEM pie will go, I think it's going to take some time.

And have you guys monetized any of that data retention at all?

Absolutely. I mean it's -- we sell it as a different SKU. It's actually a consumption model type of module. So it's not just the same per node subscription base we have for the endpoint. Yes, absolutely. I mean it's actually becoming something that's really nice in terms of revenue contribution and absolutely a great way for us to extract more from the same -- extract more revenue from the same endpoint footprint that we're deployed on.

So I think in the past, it seems like there's been a different endpoint security vendor that's come up almost every week. Obviously, a lot of them have fizzled out, like we mentioned earlier. As this sort of space evolves towards XDR, that's more AI-driven, more data-driven approach, how do you think that sort of changes for the moat around your business and that it's harder now for net new vendors to come up because they don't have that data lake, and they don't have sort of the same adaptive capabilities that the traditional endpoint vendors didn't?

Yes. I think it's a much more significant moat than it was, obviously, 5 years ago and 6 years ago, I think that also, if you look at the true platforms in endpoint security today and I'd say there's 2. I mean, honestly, I think everybody else is giving you some [ polished ] product, some niche abilities. But in terms of fully fledged products that use the endpoint as a platform to deliver more capabilities, more modules and unlock more applications in the enterprise, you really see basically 2 vendors out there. Think about our Ranger product line, now we have complete device discovery. So our tap into your network is becoming deeper and deeper by the day. We've built complete auto deployment capabilities. So now you can use SentinelOne not only to secure your endpoints, but also to manage your endpoint fleet, to deploy security software and other pieces of software to your endpoint state, remote script orchestration. So we're giving people many more abilities on top of that one small footprint that we take over the endpoint. You got one agent, and that agent now allows you to almost have complete remote access to that end point and to orchestrate every action that you want. And there aren't many up and comers that can do that. I think it's something that just takes time to develop. And first and foremost, I mean, detection and protection, I think that's still -- a lot of these vendors that might be out there, I haven't seen them rise up and really deliver great prevention capabilities, complete coverage from attacks and the MDR proficiency, the ability to monitor environments from the cloud. I mean all of that is something that, again, you kind of see 2 companies out there that can deliver that and a lot of companies that can talk about that.

So one of the new sort of modules that you've come out in recent years is Ranger on the IoT side. It seems like IoT security is a huge problem that hasn't really been solved. So I'm wondering how do you guys approach the space, and what do you think the opportunity is there? Because there's obviously billions of IoT devices out there, much more than sort of your traditional end users and servers that endpoint protection solutions often serve. So...

Yes. I think we -- again, all these things are very, very gradual. So it's not like overnight you can secure these devices. So the tack that we're taking is finding an immediate pain for the enterprise, and then that to us is kind of a catalyst to deploy a product like Ranger. And what we found is a very great complement to what Ranger is doing is the ability to do a complete device discovery and inventory and again, do it in a complete cloud-delivered way with no deployment. It's highly, highly unique. You don't need -- if you're a customer of ours, if you've deployed, call it, 100 agents or 1,000 agents or 100,000 agents, each and every one of them now becomes a sensor that can really find everything else around it in the network and inventory it for you and tell you exactly what it is. And if it's something that is applicable for a security agent that can then automatically deploy the security agent on top of it and, thus, you just not only see for the first time -- for a lot of folks for the first time they see their entire network, they see the entire attack surface. Most of these devices are things that they have not known about and then you just help them reduce the massive amount of risk. So when we look at the IoT security problem in the prism of the enterprise, to them, it's less about securing the IoT devices themselves. It's about segmenting out all of these rogue devices to an extent so they don't become that weakest link where you can hack one of those, attack one of those, exploit one of those and then move laterally into the rest of your estate. And that's kind of our prism, what we see with Ranger. And obviously, seeing what you have in your network today is such a desired capability that every time we talk about it, every time we quote it, every time a customer even remotely want to hear what Ranger is, it kind of ends up with something that we sell. Obviously, it's a great upsell vector for us on the existing estate front. So again, I mean, we feel it's something that over time will continue to grow. We're actually very focused at not -- it might sound counterintuitive to a lot of folks here, but we're really trying to not oversell many products and many modules in the initial land. For us, we're very focused on the net new motion, and we just want more accounts. So to us, we can land with endpoint and monetize later with Ranger. That's okay with us. I mean we just want more and more endpoint business. Obviously, there's a land grab going on right now and has been going on for quite a while. It doesn't seem like it's near its end. And to us, it's really about adding net new business. And I think if you kind of look at our growth rate, where it becomes, I think, most prominent is really in the net new business that we're getting versus some other competitors where you look at their growth, and it's great, but it's coming a lot from the existing estate, from big deals but for a single customer. In my mind, getting more customers with maybe smaller deals, given that we all got a finite amount of quota for our sellers is a more effective way to go to the market.

So cloud workload protection is one -- an area that's getting a lot of interest. Can you remind us what percent of the business today comes from securing cloud workloads? And how do you see this opportunity? Do you think this could be bigger than the endpoint protection market is today?

Yes. We do less than 10% in revenue that comes from cloud workloads. With that, it's growing very fast. It's growing faster than the overall business, so we're very encouraged by it. I think the one thing to understand about when we say workload protection or when we say cloud security, there's probably 3 main pillar offerings that are different in this space between cloud workflow protection platforms, cloud security poster management and cloud native application something. So it's CNAPP, CSPM and CWPP and the CIEM, right? There's another one. And that is just a very wide gamut of different capabilities and different use cases that different customers want to solve. Our focus right now is with CWPP. It's the most immediate, I think, hop from endpoint protection and from threat detection to do practically the same thing, but natively on cloud workloads. We actually do it when it comes down to the Kubernetes containerized platform. We do it with no agents. So we kind of chose a different tack than immediately applying the agent methodology everywhere. I mean it's not a good fit everywhere. And in the cloud, especially if you can immediately deploy it across all containers with no need for an agent, I mean, why wouldn't you want to do that? You get the same fidelity with the same enforcement. So that's really our focus. And I think we're seeing just a massive amount of opportunity not only CWPP, but also maybe at some point, extending to some of these other pillars. I don't know if to all of them obviously, but we're definitely seeing customers trying to understand where they need to invest. I think right now, the most obvious part is CWPP. I think CSPM is an interesting approach on how you gain visibility to your entire cloud footprint. And I think it's an intriguing approach. On the other hand, we see offerings that are very immature still. I mean even who would -- the vendor I'd consider probably the most mature in that space is going to be Palo Alto Networks, by fusing 4 different offerings into 1 basically. But you guys are analysts, you talk to customers, they don't like the offering. I mean they constantly are looking for something better. And I think that that's kind of where we kind of meet these customers and we hear what they want. And we were always very good listeners. We want to truly solve the solution -- the problems for these customers with the right solutions. And I think it's going to be a very, very dynamic space in the years to come. To your point, probably a bigger TAM than endpoint in kind of the next 5 to 10 years, completely greenfield. And obviously, it's not bound by the amount of people you have in a given enterprise, which is kind of typically endpoints are very linear to the amount of folks that you have in a given enterprise, the amount of employees. Cloud workloads, the more data, the more services, the more stuff you have, the more workloads, the more cloud footprint you have, the more cloud spend you have, and all of that obviously needs security.

The pricing is sort of more of a consumption basis. How does it work today? How are you...

Yes. We actually -- I mean on the cloud piece, we tried avoiding the consumption model just because it's not exactly like how we see it in terms of just threat protection. I mean when you go to CSPM land, it's very, very different. But with CWPP, we kind of look at these nodes and we devise pricing per cluster, pricing per node. So we give you some degree of freedom on how you want to price it, but in essence, it's -- I'd say it's an efficient pricing scheme for us.

I want to take a break here. If there's any questions from the audience, if you can make your way the mic.

Congrats on all the success thus far. I wanted to talk about 2 points that you brought up in your conversation. One on your emphasis about this stuff has to be open, right, and sort of the data exchange. And when I think -- I cover the observability market on the software team. What are the forces that helped drive that convergence that we had things like open telemetry and open tracing that allow that exchange of data commoditized proprietary agents. And so I was wondering, is there any sort of movement out there in security land like an open telemetry that's sort of -- is there any groundswell for a movement like that?

No. I wish. And I'll tell you, I mean, true story. I went to a couple of the incumbent antivirus CEOs, probably, call it, 4 or 5 years ago, and -- into Microsoft as well. And I told them, "Look, why do we need to work so hard to gain telemetry from your operating system to build our security product, and why wouldn't you device an open API?" Doesn't give us the ability to monitor these environment without tapping into the [ core ] on and building drivers and really in many senses, sometimes hacking into the system to try and get the data out. And no one wants to do that. No one agreed to do that. No one was open to it. And I think it's something that today is just so proprietary that I just don't see it happening anytime soon. All that said, to me, and I've said it many times to the folks within SentinelOne, our IP is not in monitoring, like there's -- monitoring is monitoring. The IP is what you do after with the data: the threat detection, the AI, the ability to protect the other applications that you build. The monitoring layer itself, I mean, to me, if tomorrow, there's an open API that we can get the data in a more efficient way from, let's do it. The last thing I'll say there is that some of it, when we say open XDR, is also to try and say, "Hey, there should be a uniform way to send data between all these products, and it should be bound to an alliance or to a platform or to a vendor. There should be a simple unified way to share all that data." And once again, and I'll say it on the stage, I'm absolutely willing to share, and we are sharing endpoint telemetry data with other vendors as well. I mean if you want to ingest our data, we open a [indiscernible] stream and send it all away. You're going to have to pay for it, but we do it. I mean we're actually open to do that, and I don't see any reason why other vendors would want to oppose that outside of maybe being very concerned about what it would do to their business. I think, all in all, the market is so big that I just don't see it as a detrimental factor for growth.

Understood and super insightful answer. The other question that I had was kind of our job as analyst is to figure out when do technology shifts matter and when they don't. And in the context of your Scalyr acquisition, the concept of index research, is there a way you can put into context how much of a shift that means in terms of your ability to execute on your product strategy, whether it's on the cloud workload side, the EPP side, the XDR side? Do you sort of see that as the kind of foundational technology that you need to enable all this? I just want to kind of understand this concept of index research and how important it is.

Yes. I mean, look, barring becoming a true cloud provider, I think that's kind of as far down as we can go in the stack. And I think that, generally, you're now seeing so many different approaches to data processing in the enterprise from a data warehouse from Snowflake versus a more SDK-bound platform from data bricks. And you're seeing very, very different approaches for very different challenges. I feel -- and I'll be limited in what I can say here, but I feel like the approach we're taking and the product that we're building is really designed to solve what I believe is one of the biggest pains right now in data processing, data exploration and insights. And I think that we haven't seen anybody at scale doing something relatively similar. It's a problem that we've had internally, which is also why Scalyr is such a great fit to what we do today. But the challenge that we had, a lot of other folks have as well. And today, there are ways of solving that, is mainly to go with a platform like Elastic as an example. And Elastic, again, huge, huge respect to what they've built over time. But the one truth today is that if you don't continuously innovate all the time, just incrementally adding abilities to your 10 years old platform, it's not going to cut it. I mean I sincerely believe it. And it just opens up opportunities for vendors like us, maybe like some of the others, but there aren't many new next-gen data analytics companies out there. I think it's -- now I know firsthand and very closely how hard that problem is, both for customers and to solve it in a cost-efficient manner. And that's another thing that a lot of people miss. Everything sometimes seems very trivial. What's the problem? I can search petabytes of data for sure. I can probably write code that can search petabytes of data. So if those are going to be effective, it's going to cost a lot of money because it's going to spin up a ton of compute power. So it's not just about solving the problem. It's about solving it not only in an elegant, seamless and consumable way, but obviously in a very cost-effective way. Otherwise, I mean, it's just not a viable solution.

All right. I guess we'll wrap it up there. Thank you so much, Tomer.

Thank you. Appreciate the time. Appreciate your attention. Thank you.