SentinelOne, Inc. (S) Earnings Call Transcript & Summary

[Audio Gap] session at the Goldman Sachs Communacopia and Technology Conference. I'm Gabriela Borges. I cover the emerging software vertical here at Goldman. Delighted to have on stage with me Tomer Weingarten, CEO and Founder of SentinelOne; and Dave Bernhardt, CFO. Thank you, gentlemen, for your time.

Thank you for having us.

Tomer, I wanted to start out with a little bit of a strategic conversation on the importance of the real estate that you own at the end point. I think there are a couple of big secular themes happening between AI and data integration, data security across different vectors in security, maybe that's about a describers consolidation. Where does the endpoint fit longer term in terms of the strategic value you can deliver within the security budget?

Yes. It's a pretty interesting question, and my answer might be a bit compounded because I think when -- one part, it's by far the most strategic aspect of enterprise defense. There is no more important point for defenders, in terms of telemetry, in terms of posture, in terms of the ability to actually deliver on what cybersecurity is supposed to do, which is fend off attackers. So the endpoint is incredibly important. I think it also is one of these massive data generators. So if you kind of think about cybersecurity as a data problem, as a visibility problem, endpoint and EDR product specifically, generate the most telemetry out of any security product out there. So it's important, clearly. I do think that if you zoom out, the way to solve cybersecurity is really not about any one of these components. So it's not just about endpoint, no matter the gravity that comes with endpoint. And it's not just about the firewall. It's not just about the network, and it's not just about e-mail or identity. I think, to truly achieve a different outcome in cybersecurity and also what we're seeing in the threat landscape, which is multisurface attacks right now. If in the past 10 years, attacks were very surface specific. You had malware endpoint. You had something that punch through the firewall. That was network attacks. Now you see different attacks that kind of cross the chasm between all these different components and are harder and harder to see if you focus on just one of these surfaces, which brings me to where I believe endpoint will play a role as a data feeder to a more wider, call it, enterprise-wide cybersecurity platform. And it's not -- it's without a qualifier. It's not an endpoint cybersecurity platform. It's not a network cybersecurity platform. It's a cybersecurity platform that will be able to really see everything you have in the enterprise and bring together what up until today is very siloed, and then cross correlate these data points, help you connect the dots of how the attack actually manifests, no matter the surface. And when you think about AI, then you think about the power of what that can do in a complete enterprise-wide setting. The level of automation that you can run now, the level of orchestration that is by far greater and the outcome is much more automated than just focusing on AI for the endpoint, which is kind of what we've done in the past 10 years. I mean we've had a very autonomous structured AI, focused on making sure that you detect something and you can remediate it autonomously with no human intervention. Now think about that as the entire enterprise level. Think about that with healing the firewall and telling the firewall that something is bad. And think about that in cleaning up the e-mail and running the report and mitigating the endpoint, but also in validating the user, that's how you deal with a breach today, because the distance between what an endpoint product can do and what think about an Incident Responder should do when they handle a breach, is just immense. And endpoint protection product can deflect the threat. And Incident Responder needs to fix the entire environment, clean up the enterprise environment and give you back the keys to something that is supposed to be cleansed of an attacker. There's no product that's automated enough to do that. And I think that's where Endpoint is an important component, but it's not the sum total of all of it. I do think that by dealing with all the volume of data that comes from the Endpoint, Endpoint vendors might have the leg up. They might kind of already know how to deal with high fidelity logs. For us, dealing with AI, obviously, gives us some leg up on how you apply that to the enterprise level. So I think there's some advantages in that, but the future of cybersecurity is at the enterprise level. It's with an enterprise-wide platform and not with single surface protection. And by the way, just to end on that note, it doesn't mean that you need to have all these different services protected by the same vendor. That might be something that some of the vendors here are saying, but to me, the approach is open. I don't suspect that anybody today in the enterprise will consolidate into a single vendor. No single vendor will sell you e-mail security, identity security, endpoint security, firewall security, SASE, all of these different -- they're not going to come from a single vendor and most companies out there they buy best -- they buy the best EDR product out there, and they buy the best firewall out there. How do you marry the best firewall out there with the best EDR out there? Who knows? Remains to be seen.

So I want to focus on two different parts of what you said. The first is the data that you have and collect, and then the second is how you apply it. So you mentioned the endpoint and the fidelity of the data being higher than perhaps outside of the endpoint. Help us crystallize why the way SentinelOne collects and processes data is better or different to how your peers on the endpoint do it?

That's not necessarily different. I think for most endpoint providers, the level of data collection is the same. Like what we see -- there's no magic in here. I mean what we see are low-level system operations. It is the top 3 vendors. I think if you kind of look at the top 3 vendors, we are as good in monitoring every single bit that moves on the machine. I think that's not the secret sauce for anybody, the monitoring piece. But then it's what you do with that data. And I think that's where there's a major separation between the different models. Do you just look at all that signal as just events in time, separated events? This is what most competitor in the space do. What we do is we actually stitch it to what we licensed and patented a storyline. So we actually contextualized and build the actual progression. How do these data points actually correlate to one another? How do they relate to one another? And that is the main difference in what we do. We basically take all these disparate data points that typically are just massive log data of every operation on the endpoint, and we create a contextual meaningful story of what's happening. And that's the way that you can start connecting the dots between things that might look completely disconnected. A new program downloaded, but something got deleted, or suddenly a process is beaming out information while a new user connected to the endpoint. In essence, these are two separate events. If you have a way that can contextualize those and say, you know what, the UUID of the process that did that is actually the same one that called the kernel at the same time that the other one did it. Okay, now you have a connection. Now you can build a story. And that part is a part of what we call behavioral detection, something that we patented and something that's unique to us. And if you take that, you understand that the level of accuracy goes much, much higher than other vendors. And that, in turn, allows you to run AI models autonomously, because AI is not accurate. If any of you ever used ChatGPT, as an example, that stuff is elucidating. It's often wrong, and it's very broad and unstructured. But if you take machine learning and you structure it on something, you train it to be very, very structured, then you can reach an accuracy level where you say, you know what? I can deploy this model and [indiscernible] is more than 11,000 customers. This is now deployed on tens of millions of endpoints across the world. I mean it's an autonomous AI algorithm that runs on each and every one of these machines and takes decisions in real time with 0 human intervention to decide where something is better, something is good. If it's bad, shut it down. If it's good, let it go. Don't interrupt the user. So you need to reach a level of accuracy. I think that's where it's not just applying AI. It's applying AI with the level of accuracy that makes it actionable, because you don't want more alerts. You don't want more noise. You want something that actually is doing the work for you. And I think that's also -- I talked recently about new applications in generative AI. Everybody is clustering some check bot conversational capabilities that's taken over source LLM, splash it on our data, and lo and behold, we're generative AI enabled now. And thus, we're the best company on the planet. And to me, it's kind of first order of magnitude applications that you can build, very, very easy to build. Like literally, any kid can build such an application with leveraging APIs. The next set would be building predictive algorithms that are accurate enough to run the show for you, not to get comments from you and give you output back and decide what you want to do with the output, but get to the point that stuff is done for you in auto magic way. But basically, that is the next of function in generative AI capabilities. And I think we're not that far away from it, honestly. We've been lucky to invest in Cohere, which is one of these foundational LLM companies. If you kind of get a glimpse of what the next models are looking like. We work a lot with Entropic and you get a glimpse of what these models look like. And I think what we're seeing today and what people are rushing to instill in their applications is just kind of the first iteration of what we're going to see. And there's going to be many more, but this one specifically seems to me like everybody wants to say that they're doing it, but it's kind of nice to have capability for. It's almost like I wish we could leap that stage and go into the real estate.

Why do you think Purple is your tool for security operations center analyst. Why do you think Purple is in realizing that vision of having the work done for you?

We're definitely pushing there. We're investing, I think, the majority of our team's time to build something accurate and autonomous and predictive. So my assertion is that conversational capabilities will be table stakes. They should be table stakes. I think that's easy to do. And in part, that's also a very important part of the equation, because you want to use conversational capabilities and that great, call it, speech to query or speech to data retrieval capability that LLMs can allow. Basically, democratize the access for data. If up until now, cybersecurity analysts had to be incredibly proficient in crafting queries to retrieve data, now you can just ask the question. And I think that is an amazing thing for cybersecurity. And I think everybody is going to have to have it in wide one shape way of four. I think it's also going to change the way where people today are kind of stuck on the platform. And I don't want to take names, but I think about one of these SIM vendors, right? I mean massive market opportunity, $40 billion data analytics opportunity, customers kind of love that platform, and they've been trained to use that platform for maybe 10, 15 years. They know the query language. They know how to work it. Overnight, that's not going to be the case anymore. You're not going to have to know the query language. So it removes the barrier to moving away from these platforms, the [ topical ] now, everybody was kind of standardizing on and nobody wants to move away, because they don't want to learn a new language, don't want to learn something new. Guess what? You don't need to. You now can use just plain English or any other language to that extent. And you can do things that are much more complex. And basically, you kind of remove the barrier to entry, which was a deep competitive moat for some of these folks that, in my view, is just going to go away. And then you can start focusing on some of the disadvantages that some of these systems have like they were designed on-prem, they were designed for terabyte scale. We operate at the petabyte age right now, if not the hexabyte. So it's different scale, different speed, different cost. All of these elements now will take the front seat when you remove that usability barrier. And that usability barrier will be removed with LLM. And then you can start thinking about, okay, now I can think about predictability. I can think about predictive algorithms. I can think about true automation when I have this very robust platform that can seal the data and retrieve it almost in real time. Because the other element is that in security, it's incredibly important to have an outcome that is manifested in close to real time. Otherwise, you can be as accurate if you want. If you tell me that something happened 2 days after, it's game over. If you try something happened 1 hour after, most likely, it's game over. Eight minutes after, most likely, game over. So the ability to do it in real time, I think, is also something that we only need to pay attention to, because it's not going to be just about housing more data. It's also how do you action it in lighting fast speeds.

You made an interesting comment there, which was investing the majority of the team's time. Is it fair to say that this AI challenge is the next big technical challenge that you're looking to solve? And it sounds like that then unlocks the $40 billion opportunity for you. Is that a fair way to frame it?

I think to unlock that opportunity, I think you need to go through the first step. You need to go through the LLM and [ M&A. ] I think that part coupled with what we do today. I mean we have a security data lake -- a broad-based data lake technology. We're already doing a lot of lift and shift from these incumbents and vendors. I can't say we can rip and replace every use case out there. Still I think putting an LLM, democratizing the query language, that's one big barrier that gets removed and then you can start I think doing more and more kind of earnest attempts to lift and shift on the market share. I think the prediction is where you become just incredibly more meaningful for some customers. And you start showing outcomes that I think others are just not working on right now. I mean they're very focused on just, "Oh, yes, let's plaster something called generative AI and move on."

There is one other piece of the strategy discussion that I wanted to touch on, which is, your comments on the earnings call on the importance of remaining a public company. I believe you've also commented on the Board being aligned in maximizing shareholder value. Help us reconcile those two comments. How do you think about the industrial logic of potentially getting acquired by another company, potentially partnering with another company? Walk us through some of your thinking.

Yes. I mean, I don't know to me, it's fairly simple. I mean you got a $100 billion market opportunity. You get the fastest-growing company in the public market. I don't know that I need to say more than that. I think that we have unbelievable technology. I haven't seen anybody else on the market do something even remotely close to us. I think we got competitors that got technology that's quickly becoming obsolete, if not legacy. And I think there might be a bit panicky about it. There's nothing that stopped us from growing throughout this entire route as a public company, also as a private company. Some of our peers have enjoyed years of growth in a 0 interest environment. We're doing that -- and with no competitors, by the way. We're still demonstrating incredible growth rate, incredible margin improvement and what you all will describe a highly competitive environment. I will call it my day to day for the past 10 years in a very rough economic environment. So I think with all the old stack against us, I would posit we're still doing incredibly well. So all in all, I mean, I sincerely believe in our ability to continue and execute. I think the human talent in the company is second to none. I think the technology is fully proven. Customer state growing significantly every single quarter. We're still very focused on net new market share. Then you got the opportunity to go back to your estate and even expend there, which is not the point of focus for us. So to me, it's opportunity. I mean, yes, it's hard work. I'll give you that. I mean, some people want to sell. But for us, it's what we do. Like I don't know any other way. So you read all these rumors and speculations, and we get it, it's exciting. But for us, it's another day. And there's, I think, a lot of conviction, not only for our customers, not only for our employees, but yes, also for our Board. And I think I won't speak on the behalf of our investors. But this is the one that I know and I sometimes interact with I think they fully believe in our ability to continue and grow. So again, I mean, unless you had a better reason, I'd love to hear it. Maybe I'm missing something.

I have two follow-up questions on your comments. So the first is your comment on competition. And I think, Dave, I would appreciate, your colleague here as well, which is, do you think -- or how would you describe the ways in which competition is different today versus 3, 5 years ago? And what we tend to see in security and technology more broadly is the older generation functionality gets more commoditized. That's why you see the pricing pressure. The newer generation functionality, something like Purple, something like Data Lake, is where you see the ability to extract more value because it's more innovative. And so two-part question. How do you think competition is changing? Maybe a comment specifically on Microsoft as well. And then the second part of the question is, Dave, how do you think about pricing holistically and being able to extract value while the lower end of the market may be getting commoditized?

Go for it.

Just thinking about the lower end of the market and our ability to increase margins, increase the top line, I mean there's a lot of opportunity for us, whether it's pushing out identity, which is continuing to go data, cloud. I mean those are all massive opportunities. So there's a lot of upward trajectory of the company in terms of the pricing, especially. Something like cloud or data can be 2 to 5 to 7x the multiple that we would get when we're selling endpoints. So there's a large opportunity there. Even thinking through just our suite of products and what we're enabling to the channel and the MSSPs now, they're now getting the broad platform versus before where they were more traditional endpoints. So there's an opportunity there as well. And then I think what's most important is just our strategy. We collect this data. Once we've collected the data, every additional module we add is very high incremental margin. So there's a lot of profitability that we're unlocking. If you remember back at the IPO, I think we were 53% gross margin going into the IPO. We're 77% now. So we're talking 2 years later, that's massive growth. We gave a range of 75% to 80% at the IPO, and I think people kind of rolled their eyes. And here we are 2 years later, we're right smack dab in the middle of it, and now we're looking to approach 80% plus.

And I think on Microsoft, look, it's -- the word, platform, is freely used here. And in essence, in my view, like in my world, when you say platform, you think Salesforce, right? I mean you literally log into one platform, and you got multiple capabilities into that platform. If you think about Microsoft, that's like seven different distinct products. If you think about even parallel to networks, these are four different product lines that they have. It's even a real true platform. Even our nearest competitor got two distinct different solutions, one for EDR, the other for logging stuff. We're literally one of the only singular platform out there where you -- whether it's endpoint or cloud or identity or data, whatever it is that you use, you go to the singularity platform, and it's there. And when you add another component to it, they're both there together, and the data is both there together. And the actions that you take, you can apply on all of what you have in that platform. So to me, it's also this realization for some customers that they can buy into a dream with Microsoft that is not going to be the outcome that they're looking for. I think we're seeing that more and more, and it's all for free. And we're seeing that more and more, because markets actually hikes up their prices more and more. So it becomes more and more apparent that for workload pricing, as an example, it's not that cheap. And experts pricing or MDR, it's not that cheap. And the uplift for me [ 335 ] is not that cheap. So we need to do a better job at articulating to our customers that our value proposition is as good, in many cases, even better than what they would get with Microsoft. But to mention the security outcome, to mention the OpEx savings, to mention the level of automation and productivity, those are indisputable, like it's really hard to work in a Microsoft environment. I don't know if you've all ever seen like a Microsoft console, it's like a cockpit for an F-16. I mean you get like so many nobs in. It's really hard to operate. And it's not autonomous, it's not automatic. And I think that is a big difference to some of these customers, and it's not best of security. Now I go back to that $100 billion TAM point, because I think it's important. The world is more than just Microsoft. I mean in AWS dominant environment, Microsoft is not that -- not a go-to vendor for everything. When you want to secure workloads on AWS cloud, the immediate thought is not going to be I'm going to put Microsoft cloud protection there. You have the opportunity to work with other vendors that are natively integrated into AWS, just as an example. Same goes with something like [indiscernible] networks, which totally respect that company, they've got about 70,000 customers. Their software is mainly applicable to their own estate, which they're doing a great job harvesting more and more. But if you think about the other part of that world, the other part of that TAM, companies like Check Point, companies like Fortinet. Palo is not that applicable to that part of the market. So that remains a complete untapped opportunity. And I think part of the work for us is just identifying the easiest to win opportunity, because it's a very, very big TAM. I don't need to fight for every single one of these opportunities. I'm much rather focused. We gave this example with -- in one of our previous -- like water, just go in the path of least resistance, right? I mean, we can work with some of the others. We can lock these opportunities first. It doesn't mean by any degree that we're not going after the Palo estate. We're going to do that, too. But obviously, you're going to see much like in the incumbent days. Going after a Symantec or a mega-fee replacement was the easiest thing to do. You're going to go after a carbon black replacement as an example. That's going to be harder. We're doing those two. But obviously, there are some that are easier, some that are not. And the TAM is so big. It sustained about 12 or 13 endpoint vendors in the past 20 years. Lots of them with multibillion dollars of revenue. So it's a huge TAM. It's also quite understated. The dollar today that we sell on endpoint is not just for antivirus. It's for MDR. It's for more added capabilities. It's for data retention. There are many other elements that go into it. So again, we just need to continue and execute and make sure strategically, we're using our time in the most efficient manner. And Dave mentioned MSSP, that's an amazing segment for us, right? I mean we're practically the monopoly in North American MSSP, and there's more room to grow there. And all these partners have built their entire practices on top of our platform. So to us, just doing what to sell, where to sell it and where to invest the time.

How would you characterize the commonalities between easy displacements today versus hard displacements?

I think we evolved with the displacement cycles. I think that obviously, 5 years ago, it was all about just proving your worth against like McAfee and Symantec and winning a POC. I think today, we're seeing more consolidation of products, which means that you're seeing like carbon black coming off of a, call it, $0.5 billion revenue kind of post the Dell acquisition, and you see them a lot in tandem with the antivirus. So certainly, it's not just a Symantec replacement, it's a Symantec plus Carbon Black replacement which is by the way, it's a great opportunity because now we can save more money for the customers. So it's actually pretty efficient. And it's still head-to-head with the usual suspects, right? I mean nothing changed in that dynamic. And it's just more of the same. I think the only thing that changes in this market for at least the past 3 years, no new breakthrough technology by our competitors. I would posit, I don't know if anybody else has seen something. The level of noise, that's the only thing that fluctuates in this market. And hopefully, we're not the ones inducing that, but that's the only thing that changes. I mean the technologies are the same technology, the breadth of the platform, I think, is always expanding for us, for others as well. So it's kind of keeping it all with the motion of the market, I would say.

That makes sense. Dave, I want to ask a question on the demand environment. Based on the data sets that you look at, what are you seeing in terms of trends or observations in terms of customer willingness to spend? And I asked this through a lens of helping investors gauge the downside risk of us rolling off a really healthy endpoint cycle [ this ] month?

Yes. I mean we talk to customers every day. So when we have customers come to us, we know roughly what their budgets are, and they are more constrained than they were 1 year or 2 years ago. So we want to work with our partners and our customers to make sure that we can provide them with the best service as long as the pricing also makes sense for us. So with us, it's how do we maintain the margins or improve on the margins we currently have. How do we make sure that they have the completeness of the security that they need to protect themselves. So that's something we work with and partner with our customers. This is something where, at times, will we look at deals that maybe don't quite fit that dynamic? Yes. Is the majority of it above that dynamic? Yes. So you're seeing us -- in this environment, we're raising our ASP. We're seeing the average deal size continue to increase. We're still protecting customers. We're growing new customer count. So the demand is there. I think when we gave guidance at the end of last quarter, we anticipated that the demand environment would get worse. And I think it has plateaued a bit. It may be not be -- it wasn't as bad as we thought within Q2. Q3 is also looking like it may be kind of in that plateau. Beyond that, your guess is as good as mine, but we feel good about where we're at short term, and that's why we raised our guidance for Q3 and for the year.

And you made a comment there on new logos. How should we think about the trend of new logos, especially given that not all logos are created equal?

Sure. So if you look back 1 year ago, I think we were adding about 750 new logos a quarter. This last quarter, we added 700. It's a misleading statistic, because especially right now, when budgets are constrained, there is a push towards MSSP. MSSPs are counted as one customer. So what I would focus on is the net new ARR growth. I would focus on revenue, focus on total ARR. I think that gives you a better dynamic, because there just is more of a push to MSSPs, because talent is hard to get right now. It could be easily managed by an MSSP. They're more flexible with payment terms than maybe we are where a customer could be paying monthly or quarterly. Whereas traditionally, we've been annually or even 2-, 3-year contracts. So you offer some flexibility. And to us, it makes no difference, because now they can do the support for it offers us better margins.

Absolutely. Let me pause, and go to the audience for questions. Let's stay on the MSSP topic. So Tomer, you made a really interesting comment on the potential for penetration. Out of the MSSP customers -- MSSP partners that you already have, how do you think about what you've -- how do you think about benchmarking the level of penetration that you have today? And is there any reason it conquered 200%?

Yes. I mean there are a couple of things, two different vectors or maybe three different vectors. I mean, one, net new MSSP partners, which on one end, I mean, we were kind of -- we thought that we were tapped out with kind of the MSSP ecosystem. And then we get a new partner that -- it's a multimillion dollar partner from kind of the segment that we didn't really realize. And they're coming to us, and we're seeing more of that in our pipeline. So net new expansion for net new MSSPs still happening. We push a lot of these sub-million-dollar MSSPs to other MSSPs. So we don't take them direct. We kind of have this unspoken alliance with our MSSPs, where we try to engage only with what we call top-tier MSSPs and everybody else goes through our distribution partners. So there's some growth in that vector. Within the current MSSPs that we have, what's interesting is that -- and we've known that for a few good years. When we onboarded some of those, we didn't come into a vacuum. There was a vendor there. Sometimes it's a bit Defender or Webroot or Sophos or some of these -- not the Symantec and McAfee typically. And if you take a look at someone like ConnectWise, as an example, which is a great partner of ours, they got close to, if I'm not mistaken, I mean, close to between 8 million and 10 million endpoints under management, under RMM business. We're deploying maybe, I don't know, 2 million of those. So by proxy, you can start to understand what's the penetration level for us on some of these MSSP partners. I think generally, we're satisfied with just moving organically and growing in their state. But we're also now becoming more strategic on how we continue to expand with them. So to me, that is very repeatable story with some of the other MSSPs. So there's -- I think there's a lot more growth there. I think it's a very, very natural solution for them to continue and grow with us versus onboarding another vendor. No other vendor out there has a complete multi-tenancy capabilities, which is a huge deal for MSSPs. I mean imagine that you can have one platform that can manage 100,000 customers with the same one click that you do versus a different platform where you need to spin a different node for each and every one of the customers. Obviously, you're talking about two completely different economies of scale. And that's why I think that we've seen a lot of resilience in our MSSP ecosystem, and I think we're going to continue to see that. The third and last vector is just modules. And while it's clear that selling a data lake proposition to a micro SMB is probably not going to fly, vulnerability management as an example, is a perfect fit for that market. And MDR is a perfect fit for that market. So for us also honing in on these specific capabilities that are relevant for each part of the market is incredibly important, which is also why we're doing more million-dollar deals, which is also why ARR per customer is going up, which in tandem -- obviously, the number of customers that we acquire every quarter will shrink a tiny bit, because we are pushing upstream. So there's all these dynamics at play that to me are just incredibly positive. And again, there's just a lot of room to grow in this market.

Absolutely. Thank you both for your time. We appreciate it.

Thank you all.