SentinelOne, Inc. (S) Earnings Call Transcript & Summary

Hi, my name is Alex Henderson. I'm the Needham security and networking analyst. It's a distinct pleasure to have SentinelOne at our conference this year. We have a couple of guys from the company to talk in the fireside chat. Before we jump into it, let me remind you that you have a question-and-answer dialogue box. If you have a question that you want to ask, please do not hesitate. The more interactive it is with the audience, the better. And I'll pass that along to management as I see them come in. So welcome, guys.

Thanks for having us, Alex.

So you guys had an announcement this morning, right?

Yes. Yes, we did.

And do you want to tell us what it was?

Yes. We're partnering more deeply with ServiceNow. To us, we've released quite a few modules in our platform that speak more and more to endpoint management and really allowing folks to use our platform as a complete fleet control mechanism, something that allows them more capabilities even beyond just classic security and protection. And ServiceNow, again, one of the biggest, I guess, IT management of firms out there today. Now everybody that's using them can natively integrate into the SentinelOne platform and use that for quick management, remediation, threat, trade alerts and resolution. So all in all, again, just a great extension to the platform.

One of the most interesting hacks that -- or vulnerabilities that's happened in a long time, there's another news item that's out there, which is the LogJ4 stuff. How have you guys have been able to respond to that vulnerability and potential risk to your customers. Have you been able to control it?

Yes. To the extent that a vendor like us can, I mean, Log4j exists in different stacks than the one that we are typically in charge of. We are more around machine protection and trying to detect threats. So what we've done in the course of the 24 hours after the news broke on Log4j, we've actually shown customer how they can detect any post-exploitation, payload or malicious activity that stems from that attack. So short of actually patching it, patching and detecting the actual exploitation itself. It's the next best thing. Again, we're not a patching vendor, we're not a vulnerability management vendor, where at the same time, if you had SentinelOne installed on any server that was vulnerable, you could have detected any post-exploitation attempt. And that is something that our customers were leveraging. As the news broke, immediate hunting queries that can reveal any type of activity in real time. Obviously, the mapping of the entire estate in finding all these vulnerable instances of software, that's something that, again, we can do natively. So that was kind of our part in this entire, I'd say, complete chaos of a vulnerability. But all in all, I think it's something that gave a lot of peace of mind for some of these customers as they were rushing to actually deploy patches.

It's amazingly ubiquitous problem. So SentinelOne has been one of the most intriguing IPOs over the last year. Huge success in the IPO. You've delivered exceptional results over the course of the year. Frankly, I thought your original forecast look to be aggressive. And then you blew it away. So shame on me for not having more faith in your ability to scorch the numbers. Can you give us a little bit of a background on where you are in terms of your revenue, your growth rate, your profitability and the likes? You set the stage for people who may not be as familiar with the fundamentals of the company.

Yes. We're definitely on track for the long-term targets that we've defined. And last quarter, we've ended at about 130% ARR growth. I mean, that has been just an amazing achievement by the team here. And to us, I mean, as we look to the future, I mean, very robust pipeline, new product lines coming online for us, contributing more and more revenue. The way we built our business over time is really by seeding all these product lines and knowing that they will help us accelerate over time. So if you look at our net retention rate, our ability to also go back to our estate in upselling and cross selling to all these new offerings that we bring into the market, that becomes a growth engine in itself. The entire data retention and data capabilities that we bring into the market, that's becoming a needed ingredient. Cloud work protection, a complete new adjacency to endpoint and one that we, again, have a product that's completely best-of-breed, run time protection that we deliver on [indiscernible] environments is second to none today in the market. So all in all, I mean, just a lot of room for growth, a lot of things going right for us. And I think what we've been trying to do is just continue to sustain growth for as long as we can. On the, call it, on the flip side of it, if you look at our kind of expense line, I think we're showing progress there as well, and we're cutting in a pretty nice clip, our expenses, and aligning them better to our revenue growth, and that's going to continue into next year as well. So all in all, I mean, we're trying to balance investing and reinvesting in the business, but at the same time, becoming a more profitable type of company, and that's definitely our long-term target.

One of the points, and I make this point also on CrowdStrike, is you guys are a platform. People like to talk to you as an endpoint company, but that's really not the right way to think about it, is it? I mean at the end of the day, endpoint is a source of information. It's a source of the data that allow you to understand the truth of how an attack unfolds over time. But at the end of the day, your platform takes that data, has the ability to extend it into a variety of adjacencies. To that extent, you're much broader than just an endpoint company. We've seen an industry now recently take EDR, endpoint detection and response, and redefine it as extended detection and response. [Audio Gap] platform term, I find it really disingenuous when a company that's in one of these adjacencies redefines themselves as a CM -- from being a CM company to being an XDR company with a little bit of marketing glitz on their website. Can you talk to this issue? Because I really think The Street needs to fully grasp how important it is to understand the distinction between a true single micro service-based multi-tenant, scalable cloud platform and one that is designed to target a particular niche that's then now trying to redefine themselves. Because the XDR term is really misused, almost as bad as Zero Trust.

Yes. Almost.

Or maybe worse. I'm not sure which one.

Either works. I think they're both overly used. But to your earlier point, I mean, when you look at a platform like us today, I mean, yes, people call us an endpoint company. That's kind of where we started. But if you look at our ability to cover surfaces, an endpoint is just 1 surface in the enterprise. SentinelOne today delivers capabilities across endpoint, mobile security, IoT security and cloud security, not to mention data analytics capabilities. So the ability to also cover all these different services in the enterprise in itself is already becoming a capability that almost no other vendor has out there today. And obviously, the ability to deploy onto these services also gives you the ability to collect the telemetry and collect the data natively into that data platform. And when we say XDR, that's not just a passive SIEM data storage element. It's actually an active platform that doesn't only collect the data, it also processes the data at the same time in real time at cloud scale. And lastly, where I think almost every SIEM out there is severely lacking is the automation and enforcement element. Because we control all of these services, we can then automate action back and close the loop across every surface in the enterprise. So when we think about XDR, we think about a true step function improvement and a complete paradigm shift from the passive SIEM vendors that have been used to kind of store and ingest data, to a platform that allows you to collect data, action data, but then also obviously, is open to ingesting data from any other source. And that's another big caveat with some of the other XDR claimers out there that they devise their own alliance of XDR, and they kind of say, "You know what, we'll work with only this vendor and that vendor, and that's our XDR." And that is in complete contrast to what customers actually want to do. Customers have a variety of different vendors. They want to ingest all of them. That was one thing that was actually pretty good with the SIEM. It could have ingested data from any source. So to be a formidable XDR platform you got to really ingest any source of data, automate any source of data, enforce it, and that is something that I think most companies that claim to have XDR today don't really have.

I want to go back to the architecture matters point, which is you really are truly, from the get-go, micro service-based, agile CI/CD pipelining of additional functionality, multi-tenant cloud native, all of those things that allow you to be extremely nimble on improving functionality. Comparatively, some of these other companies have come at it with an architecture that is single tenant oriented, originally on-premise oriented, not designed with the right architecture to be extensible and scalable that's necessary for this true platform architected more that we're going to be fighting going forward.

Agreed. And I think that it really hits them in 2 main areas. And I think that everything is doable, right? I mean, you can absolutely port all of these integrated services into the cloud, but it's not cloud native. What does it mean? It means 2 main things, again. One, it's all going to be as fast. There's just no way that you can enjoy the true cloud scale and cloud efficiency if you're just porting single-tenanted solutions into the cloud. And the second thing it's not going to be, it's not going to be cheap. It's going to be quite expensive to achieve the speed that we can natively achieve with a solution like Scalyr with a next-generation data analytics solution that's already borne in the cloud and enjoys cloud scale, enjoys multi-tenancy, enjoys shared architecture to deliver more speed at a better cost. So to me, these 2 alone are such big advantages, and that just compounds when you think about the ease of deployment, the accessibility of data, the ability to store data for longer. All of that has just become just the icing on the cake. We're going to go up against some of these incumbent vendors in data analytics. And I think we're heading towards a pretty massive transformation in the data analytics market. I mean, not just by the virtue of SentinelOne deploying more and more of our data solution into that. I think there's plenty of opportunity there for most next-gen vendors to come in with a true robust offering and disrupt what people have been doing for a long while. Just because there's a massive data proliferation in the enterprise right now, and it's very cost prohibitive to put the newly found data into these old platforms. So folks are just looking for more solutions, predate the overages to deploy side by side. So I think all of that is something that's going to take even more steam as we go into the next couple of years.

But the other element of this is that by ingesting the right data at the right scale across multiple critical services and understanding the contextual information, both at a time -- on a time variable, as well as on the manifestation of an attack variable indications of attack and indications of compromise that give you that pattern of an attack unfolding, you're then able to automate and use machine learning and all of those artificial intelligence elements to intercede at machine speed. So can you talk to that point? Because I think it's absolutely critical, particularly in a world where there's 2 million open recs for people to work in security, because you can't train people fast enough. And even if you could, they couldn't intercede fast enough.

No. I mean the correlation element in delivering protection in real time is, I think, one of the most important aspects of our platform. And I think one of the most amazing manifestations of that, that I've seen is actually our work with the incidence response ecosystems. These are the folks that come in whenever someone gets breached, they pick up the phone and they are the cavalry, right? I mean it's KPMG, it's Booz Allen Hamilton, Alvarez and Marsal, some of these very repeatable incidence response firms. When they're using our platform to conduct breach response, they have an unprecedented ability to basically go in with one click via the cloud, deploy into every asset in the enterprise at machine speed, completely automatically. We discover all devices. We then automatically deploy on top of them. And then we do automatic remediation to profile every single machine out there, and that's even before the service starts. So think about the compounded power that, that type of a solution or that type of technology can bring to the incidence responder. And now it's something that every security analyst in the enterprise can enjoy as well. And that's why sometimes when we look at our platform, we kind of call it the security analyst in the box, because it automates a lot of the grant work away, and it allows you to really look at the insights of every incident. And then with one click, react in the way that you want or program the system to actually react for you and do it in real time. And to us, I mean, that's the true revolution in security. It's not just about deploying EDR and gaining more visibility and more telemetry in augmenting the antivirus, it's about delivering true automation, an AI brain, a machine learning brain that can actually take these decisions in real time and deflect attacks. It can deflect all attacks. I mean, nothing is completely bulletproof. But at the same time, if you can have that thing that allows you to now work at scale, that's just a massive improvement, then you, the security analysts, and even the 100 security analysts next to you trying to now fend off a malicious attacker, now you have technology that amplifies everything that you do. And that's what we deliver.

It's an important point. I think people really need to understand the mechanics are nontrivial. This is not easy to do. It's a complex task and really does take advantage of the most advanced AI and machine learning capabilities. One of the elements that you just brought up is the partnering with the incident response companies. And I think this goes to one of the key questions that people have about your business model, which is, yes, you're growing in triple digits, but your operating margins are quite low in this rising interest rate environment. But that provides a natural leverage to your sales cycle, which inherently would drive an improvement in your operating profits over time. Can you talk to the mechanics associated with the expansion of the VAR channel, the expansion of the incident response channel and the MSSP channel and how that is going to leverage your business model?

Yes. I'll let Dave take some of the operating margin question, and then I'll gladly talk more about the ecosystem itself.

You're on mute, Dave.

When I think about our long-term operating profits, we provided guidance of the IPO that we expected to be at 20%-plus EBIT contribution over time. And I think what you're going to see besides just natural scale of the business, is what you're seeing is as customers are expanding into these multiple modules. You're also seeing very high incremental margins on that because we're already capturing the data and retaining it. And now we make that data actionable across all those other things without having to ingest additional costs. So we have high incremental margin on that. So I think that's one of the things that you're going to see that helps our margin progression over time. And then just what you mentioned, there's natural expansion of MSP, MSSP, the VAR, everything else, that obviously helps us as we scale towards the future.

Yes. I mean the one thing I'd add there is when we work with these partners, we become critical to their business. And they grow themselves, right? And to us, we lend them once, and it's an ever growing engine for us with some of these MSSPs. I mean, we see just really nice growth in their business. And obviously, we're enjoying that with more and more licenses that they deliver. And if you look at the IR ecosystem, that's one of the most, I would say, most amazing engines that we have. These are fast flux deals that come in from all around the world. It's a pipeline that comes on top of the usual pipeline that we generate as an enterprise company. It opens up this massive amount of, call it, hot and ready deals that come in into the pipe. They're conducted mostly by these IR partners. So we're getting immense leverage of all the sellers that are basically part of these organizations, right? I mean, we got our own selling force or direct selling force, no question about that. But then talk about an augmentation of close to 4,000 sellers across the globe, the amount of accreditations that we're doing now on a quarterly basis is just rising incredibly fast. So to us, this is just an augmentation of our sales force and obviously, better reach across every part of this TAM.

So there's a lot of subscriptions that CrowdStrike -- they've got a lot of feature sets. You guys are still fairly young company. Don't have quite as many. But on the other side of the coin, very high likelihood that we will be seeing additional features, additional subscriptions added to the platform over time based on the fact that you have an extensible and micro service based and all the stuff that we're just talking about. So as I think about the next couple of years, how should we be thinking about additional subscriptions that might come down the pike? Any thoughts or scaling of the importance of the things you're working on in the background at this point that might be coming down the pipe?

Yes. But I would say we got a decent amount of modules and attached modules. I mean, we've got about 15 different modules on top of what we bundle as our entry level packages. Things like remote script orchestration, STAR automated response, MDR services, application control. And I can go on and on and on. There's plenty there. And that's even before the complete distinct product lines that we've added with IoT security and cloud workload protection and now mobile security. So all in all, we got a lot on the menu. I kind of feel, and I have to say, when you look at someone like CrowdStrike, there's also a limit to how much a customer can actually absorb at one time. And I think that, to us, we really are focused on delivering value and listening to what customers actually need. I mean, we don't want to just show up with the menu of options and trying to cram it down their throat. We just want to make sure that we deliver the value at the right time. And lastly, what I'll say is that it's also always, in my mind, a question of timing and when you kind of put the foot on the pedal. To us, I mean, we got an amazing growth rate and we want to continue and sustain it for as long as we can. So accelerating some of these product lines, some of these modules attached, we kind of do it over time. We don't want to show up with a 200% net retention rate one day and just over-monetize our estate. So these things take time. I mean we are focused on gaining new market share and more and more market share on end point. That is the first and foremost priority. And then obviously, over time, you can attach more and more modules. So part of our strategy is really to stay focused on monetizing endpoint to the best of our ability. And then over time, attaching more and more of these modules. But we got plenty of them. And obviously, we're going to keep on innovating.

So I wanted to talk a little bit about cloud workload security, Kubernetes and the like. I can't think of a dynamic that's more important to how enterprises are going to be configured down in the next 15, 20 years. We are of the belief that we're at the cusp of moving away from an enterprise network perimeter defense legacy client server architecture, which has been trillions of dollars worth of infrastructure over the last 35 to 40 years, to one that is a cloud direct where users and applications are simply points in the cloud and connected across the cloud, where Kubernetes orchestrated applications are independent of the run time environment much like you have at AWS today. And that's driven by the adoption of microservices, Kubernetes, modern workloads, code as infrastructure. You guys have a very interesting product in this space, particularly focused on the run time side of it. How big a project could that be? How -- is that as large an opportunity as you have in the enterprise side? How do we think about the scaling of that workload opportunity? And where can you go with it?

Yes. I mean, again, this will be our view, and we can always be wrong. But we feel like it's a massive opportunity, probably one that's equal in size, if not bigger, through the one that we've been seeing in endpoint security. We've got a phenomenal solution there that actually integrates seamlessly into containerized environments and it allows folks, not only to deliver run time security and protection, but also collect telemetry to the same data lake. And again, we talked about the need to actually retain logs, to gain the telemetry, to save all that data. That's something that we provide customers the ability to do as well. And when you look at what's happening right now in cloud workload protection, obviously, as people transition to the cloud, they have to put a security component on top of it. And right now, we're one of the best-of-breed solutions out there. When you look at our business, we kind of said last quarter, about 10% of our new ARR came from our emerging product line. Cloud security was the #1 contributor to that. It's something that have grown year-over-year about 700%. So it's growing incredibly fast. I think next quarter, we're going to see even more contribution out of that. We're seeing more and more cloud-only deals. So that to us is even more interesting of an interesting dynamic. Kind of looking at all of these very large workload environments, some of the biggest users of workloads because consumers of workloads in the world today are going with SentinelOne to protect their environments. So that, to us, again, very interesting dynamic where we don't necessarily have to be the endpoint provider to actually gain steam in your cloud environment. And again, it just represents not only a greenfield opportunity, but at the same time, a great gateway to get -- to then go back in and sell data solutions, endpoint solutions, IoT solutions and everything else we have in the portfolio. So again, a very compelling opportunity. We're very excited about it. We got a dedicated sales force for cloud security right now. We're generating more and more cloud security specific pipeline. So again, we're taking it very seriously.

I want to come back to that. Just a reminder to people who are in the audience, some almost 100 clients that dialed into this. If you want to ask a question, please do. We do have a question that came in from the audience. So let me parse that over to you. So any potential for wealth effect and market focus on profitability, affecting your spending intentions for the next year versus what you might have thought a few months ago? Your SBC is also 49% of revenue in last quarter with negative 120% GAAP margins. Would there be any tipping point in market behavior that could force your hand to change your go-to-market investments?

Yes. I wouldn't say necessarily, but we are staying very tuned, right? I mean we want to make sure that we balance the business and balance growth with our path to profitability. One of the things that we want to make sure is that when you're in a market where there's obvious disruption, an obvious market share gains to be had, we want to make sure that we prioritize locking in more and more of the market share. And that is one of the north stars that we have. But with that, I mean, yes, absolutely. I mean when we look at the market, when we look at what we want to achieve, we want to always balance the amount of investment that we have into how much we're actually marching towards our cash flow positive point or breakeven point in our profitability. So to us, I think what you're going to see us do is really improve in all the matrix. It will, of course, at some point, come on the expense of growth. I think those 2 things come on kind of the same continuum. But at the same time, I think there's a lot of runway. I think we're balancing it the right way. I think we're trimming expenses as we continue and accelerate growth. That's what we've demonstrated. And we're going to continue doing that into the future to the best of our ability. So all in all, we really are staying very balanced in our view on how we spend versus the market opportunity. Dave, I don't know if there's anything you'd like to add there?

No, I think you've covered it. I think this is something that we think about every day. So like you said, it wasn't -- this isn't something that would be a big change for us. It's something that we're always thinking about, and we make that decision on every investment we make, whether it's a push for enhanced market share versus profitability. So we're constantly thinking about that.

Yes, I just wanted to chime in a little bit on my thoughts on that point. So you guys beat the last quarter by, I think, it was some 20-odd percent. It's hard for me to believe that a 1% or 2% change in interest rates is more valuable than that ability to crush the numbers. So I get it that people are very worried about discounted cash flows and all that sort of stuff in a rising interest rate environment. But there are a few companies that are spectacular growth companies that I think can power through this headwind. And to the extent that you were to give back half of your growth to multiple compression and half of it to stock appreciation. You'd have a very successful stock price. So I'm off for the growth because this has got to be a very large market. I wanted to go back to the Kubernetes discussion. Clearly, as we move more and more to cloud arena and get more and more involved with micro service-based shift left type technologies, the coders become more important. And can you talk to what you're doing to reach coders? I think I was -- had a conversation with the CEO of Cloudflare. He said, the guy that gets the most coders wins, and he's adding 50,000 coders per quarter. Now you guys aren't trying to do that. But the point is that coding community is critical. How do you reach them? How important is it to you? And how do you tie it into your product line?

Yes. And to us, it's a predominantly IT infrastructure business. So it's -- there is no question that when you look at our entire continuum, I mean, developers are still not the ones driving the overall production security decisions. They do have a say. And I think that when we think about designing our products, we also think about how to make some of the data also accessible to developers and to coders and we make sure that it's incredibly friendly and can be used by coders. I wouldn't by any stretch say that our go-to-market right now is one that's designed to gain coders in mass. I think that's something that comes further down the line. We're very focused on protecting production environments, and production environments are still kind of the hands of the IT and security people. They're the one liable. They are the ones that are in charge of protection. They're the one in charge of compliance. And I think over time, and definitely as we progress more and more into our cloud go-to-market, I think these pieces will fall. But it's almost a complete different capability that speaks in cloud security to developers than the one that we're doing today, which is cloud workload protection. Cloud workload protection is still very much an IT-bound sale. So to us, it's really kind of where the capabilities will go, we'll follow with the go-to-market. But right now, it's still laser-focused on the IT infrastructure environment, sometimes the CTO environment as well.

Shift gears a little bit. One of the questions I'm trying to ask every company I talk to is what are they seeing in terms of employee turnover. What are they seeing in terms of wage inflation? Because I think it's a critical gauge of what's going on in the economy. So not looking at, say, 2020 as much as comparing to 2019, which was pre-COVID, how is your turnover look?

I think we might be an anomaly. Our turnover is incredibly low, much lower than industry standards. And a lot of it is the culture that we built. I think it's quite intangible. But at the same time, I think they're just a very committed group of people in the company, and they just -- they are a great magnet for other people to join as well. So we're seeing recruiting on pace. We're not seeing people attrit. I mean, we've been very, very stable in our attrition rates, which have been very, very low. So I don't think there's any big changes there. I would say that, yes, you're definitely seeing, I think, elevation in compensation. I think that the market is obviously getting more competitive. But with that, I also feel like the folks that you eventually want joining are not the ones that will necessarily join just because of compensation. I think some of these folks are looking for a mission, they're looking for meaning, they're looking for wellness, they're looking for fulfillment. Compensation, they can get anywhere. So to us, I mean, it's really about making sure that they got all these other components. And I think that's why our culture is very special.

So to some extent, I have to say that you're not an anomaly in the sense that you are what I would describe as a destination company. And as a destination company, your ability to hire, your ability to retain, obviously, is going to be better than companies that are lower growth. I think this actually distinguishes between the real movers and shakers and the guys that are wannabes. I wanted to talk a little bit about the architecture of the company, though. You also are very distributed in the way you're staffed. So that gives you an advantage as well. Does it not?

Yes, absolutely. And it's -- I'd put it as agility. I mean, our ability to decide that we want to do something in specific territory or access talent where talent actually resides without any geographic boundaries has made us very, very strong, very, very nimble. We opened about 4 different R&D sites globally. When we started, when I started the company, there was 1 R&D site in Israel. Today, there are 4 different sites. We got a site here in San Mateo, in Silicon Valley, another one in Czech Republic. So we got amazing access to talent, and we don't try to kind of superimpose any one specific site or any one specific idea as to how we want to recruit and how we want to retain people. We're very open-minded. And I think that, again, gives us just a lot of strength in accessing the talent that we want without the typical boundaries that people have when they try to recruit.

So we've got 3 minutes left. What are the 3 key takeaways you want people who are on this call to take away when they're thinking about SentinelOne over the next quarter, year, longer term?

I think, first and foremost, we're incredibly responsible in the way that we use capital. So if there is any qualms around balancing growth, I think we're very much attuned to the market. So first and foremost, I want to say that. If you look at our business, the opportunity, or the 2 opportunities that we're the most excited about are the cloud opportunity and the data analytics opportunities. Data analytics is a $40 billion TAM, completely ripe for disruption, and we got an exceptional offering there in the form of Scalyr, and our XDR story. So there's a lot to be had there. And then when we look at cloud, I mean, we just talked about it. Just amazing traction that we're seeing right now. So to us, I mean, we want to make sure that people understand we're a platform company. We play in many different TAMs, at least 4 different TAMs. We're not just an endpoint company. And endpoint is a big TAM in itself, but the overall opportunity size for the company is so immense and that's what's really fueling our growth.

I would add to that, the partnering scalability of your partnering, the ability to do the incident response partner and the MSSPs really provides tremendous leverage to your business model.

Absolutely. If we had Nick Warner on this call today, then he would rave all about it.

Well, we'll have to work on that. So my apologies for not using any of the questions I sent over to you, but we're going to have to wrap it up here. I really appreciate SentinelOne coming on, and the some hundred clients that Zoomed in. Great job, guys, and congratulations on the superb year and execution. And with that, I want to thank the operators, Rob and Jen, for helping us. Thanks, all.

Thank you.

Thanks, everyone.