SentinelOne, Inc. (S) Earnings Call Transcript & Summary

All right. Well, hey, good afternoon, everyone. Welcome to day one of the Barclays tech conference. My name is Saket Kalia. I cover software here at Barclays. I'm honored to have the team here from SentinelOne. We've got Tomer Weingarten, Co-Founder and Chief Executive Officer. We've got Dave Bernhardt, Chief Financial Officer. We've also got members of the IR team here. We've got Doug Clark. Saad Nazir as well here in the audience. Just to frame the discussion, we've got about 30 minutes together. Let's spend the first 20 or 25 minutes just doing some fireside chat with the team, which I know is going to be fun coming off last night's quarter. But then we'd love to make this interactive. So any questions in the audience, I think we've got a mic runner in the back. We'd love to kind of keep it interactive. Can we start with fireside chat and then...

I thought you said if you had a question.

Well, at the end, if that's okay. We're going to -- we'll get through some fun questions here...

First time that someone wants to ask like immediately...

Yes, I know. I know. I like it...

Thank you so much. [ We appreciate it ].

We'll take advantage of it, for sure.

Tomer, maybe just to kind of kick us off, a lot of us were on the Q3 earnings call last night. But maybe just to make sure we're all on the same page, can you just recap some of the highlights this quarter that you were most proud of? And Dave, maybe you can just add some financial color there on what you were most proud of from the financial perspective. Does that make sense?

Yes. No, sounds good. Look, to us, the traction with data lake, I think, was to me a bright spot. Like over one quarter, suddenly, out of nowhere, meaningful contribution in the quarter, something that we worked on for a couple of good years just honing in on the product. So that part was just incredibly encouraging for me. MSSP traction, there's been a lot of talk about the mid-market. I think the resilience of our partner base, their desire to double down with us, the line of sight for further growth in the endpoint market, I think that stuff is incredibly compelling because the way that we look at the business today is really in this 3 facets type of a view. And obviously, one is endpoint. One is data. One is cloud. And in each one of them, there's a slightly different journey and different trajectory. And in each one of them, you want to devise a different go-to-market avenue. And clearly, the endpoint market, it's probably God know which inning we are in the cycle. But to parse through it, to understand that the majority of the TAM actually sits in the mid-market, it doesn't sit with a Fortune 500. And then how do you unlock that? How do you get more growth in the endpoint market? I think the deals that we've done with our mid-market partners and the deals to come, I think, would be very exciting for endpoint growth and again, unlocking the data opportunity, starting to prove out displacements for incumbent SIEMs, really, really exciting for us. Cloud security, I think with the impending kind of CNAPP offering that's coming, also very lucrative for our customers. And for net new customers, suddenly, a new automated cloud security platform that ticks all the boxes. I think it's going to be also compelling cost-wise. And if you fuse that with Purple AI and you fuse that with the analytical coverage that we can offer, suddenly, it's a cloud security platform that is driven by AI and can give you full threat hunting, remediation, automation. It's a step function better than everything that's out there. So generally, we're pretty excited. I'm just excited to see, I think, the execution of the team more than anything.

Absolutely. Dave, how about you? [indiscernible] talk about from a model perspective, too, huh?

Yes, I'm excited any time we can beat and raise on all metrics. So I'll start there. But I think the 2 things that I'm probably most proud of is we achieved 79% gross margin. So if you recall at the IPO, I think we went out -- we were 53% gross margin, and we sold a vision of how we'd be at that 75% to 80% plus. We're 9 quarters post IPO. We're now at 79%, and we're starting to rethink the model of what the long-term goal should be. I think the other thing that's really important is we achieved an 11% loss at the EBIT line -- or adjusted EBIT. And I think at the IPO, we were negative 126%. So it was our ninth straight quarter of 25-plus percent improvement. I think it shows the great strides that we're trying to make to get cost efficient to get towards breakeven or better profitability and to get to free cash flow, which we've guided that we want to be cash flow positive in the second half of next year. So...

Yes, what a great journey...

A lot of strides that we're putting a lot of effort in. And to be able to see it come to fruition [indiscernible].

For sure. It's been a great journey to see that narrowing, and it sounds like there's still more of a journey to go. So looking forward to that.

We're not done.

Yes. Absolutely. Tomer, maybe back to you. I want to touch on the core market of corporate endpoint here a little bit. It feels like -- as you look back into some of the security companies that have reported in the last couple of quarters, it feels like corporate endpoint is holding in just a little bit better than other subsegments of security. Of course, there are still macro challenges, right, that we're all facing. But it felt like you saw relatively solid results for both you and some competitors in the space as well. Maybe the question is how would you characterize the health of the corporate endpoint market right now?

I think it's -- relative to other pockets of security, it's definitely more healthy. And there's a very simple reason, by the way. Endpoint protection -- and generally, both us, some of our competitors, have kind of created, obviously, more capabilities beyond endpoint protection. These are the capabilities that matter today. These are the capabilities that actually help you to prevent the next breach. I'm sorry, but it's not the firewall that's going to protect you from the next breach, and I think that customers are seeing that. I mean they see that not all security products and all security segments are born equal. If you have a dollar to spend right now, where are you going to put it? You're going to put it in the places that matter most. And these places are in endpoint security; portions in workload protection, so specifically, protecting your servers, your crown jewels; and then in identity protection and in visibility; in incidence response, in the ability to react when an attack happens, when an incursion happen, when a breach happens and how do you remediate that. These are the exact services that us, some of our peers, that's what we do. I think that's where you're seeing slight resilience in our market in comparison to some of the others just because it's the one thing that can actually help you. I'm not saying it's a panacea for anything, and I'm definitely not saying that any of what we do or our competitors is close to being bulletproof. But it's definitely the most risk reduction that you can have, the most risk mitigation you can have is with a modern endpoint protection platform or a security operation platform or cloud security platform that comes from a defense company. And that's another big difference. When you look at SentinelOne, when you look at even our peer, we are hard-core security company. We weren't born in putting appliances out there, and we're not Microsoft doing a stint in the security market to generate more revenue. This is what we do. These are the people that we have. These are the teams that constantly parse through the landscape, the cybersecurity stratosphere to understand how we defend our customers. In many ways, I think for some people, we're almost like an army for hire. We're there with the customers in the trenches fighting, fighting their fight. And I think that's radically different from anybody else in the space right now, and it's a place that's reserved for us, maybe for one more peer.

Absolutely. Absolutely. Dave, maybe for you. I think SentinelOne has always gone to market very brilliantly, right, with various bundles. With endpoint, it's really the anchor offering. Can we just talk a little bit about those bundled offerings and maybe some new additions to that bundling that's maybe -- that I think customers are receiving very well right now? Talk to that a little bit, if you could.

Sure. So last quarter, we launched an enterprise license. So we're seeing pretty decent adoption of that. Still early stage, but there's a lot of potential upside from there. We're -- there are a lot of companies with a massive suite of products across their platform, and we've continued to advance our own platform. And I think what we have been doing is we try to be the best of breed in everything that we do. And then the ability to have a platform that has a lot of these best-of-breed technologies that is open, that allows you to ingest data from other security products, like that is very important to what we've been doing. And I think that's what separates us from -- we're not a company that takes a platform and shoves it down your throat. But we have a lot of customers that use a lot of our products and then come to us because they want to use more of our products. And this is a way for them to do it pretty cost effectively, and it's good for us from a margin perspective.

Yes. I think that -- I mean, on that margin front, when you look at something like the enterprise bundle and you kind of see us coming off a quarter where another interesting highlight was relatively significantly higher ACV per customer, and that comes from that bundling approach. For years, we've had 3 bundles: core, control, complete. I think everybody that knows us knows core, control and complete. Now we have the enterprise bundle as well. And the enterprise bundle, it's such a value bundle for the customer. It has EDR, it has identity protection, it has vulnerability management, it has portions of MDR and it has data retention all in one bundle. So obviously, the price point for that bundle is higher than the complete bundle. But for us, speaking about margins, the actual cost to deliver all of these services is very, very similar to deliver just what we deliver on complete. So when you see us with 79% gross margin and our price is holding up and ACV going up, it's all about value for the customer. It's all about taking these capabilities and making sure that we don't try to push prices down. We try to push value up, and that is something that doesn't only differentiates us from some of the others who have all kinds of way to slice and dice what they do. I think it literally does what we said to do, which is to serve the customer in the best way that we can. And that's always a great, I think, North Star.

It definitely speaks to sort of the consolidation, right, that I think customers are looking for right now as well, right?

Absolutely.

Tomer, it's funny. I had one of your competitors here on the stage earlier, and I want to ask you the same question that I asked them. I think we're all trying to figure out how much more legacy share -- just to put a bow on endpoint, right, how much legacy share is there left to shift to next-gen endpoint in this market? Now I want to be clear, that's not the only business here, right? There are a lot of other businesses here outside of endpoint that are driving a lot of the growth. But just because you spend so much time in this market, where do you feel like we are in that journey, out of curiosity?

What did they say? I think let's try and kind of parse through numbers, okay? I think that if we look at, obviously, Broadcom/Symantec, I think that stuff is like almost dried up. McAfee/Trellix, whatever you want to call them, I think -- everything that could have been taken, I think, was kind of taken. Everything else is kind of on-prem. By the way, they still have about $1 billion in revenue, close to it. So they still hold a good chunk of the endpoint market. Then I think you enter a long tail of providers. By the way, each one of these providers, it's $1 billion plus of revenue that each one of them hold. And they were not the initial targets. They're very much downstream. And I'm talking about Sophos, Trend Micro, Bitdefender, Avira, Kaspersky, Panda, ESET. I'm probably missing a few more. But between all of those folks, I mean, you're talking about a few good billions of endpoint market share. Some of it is actually still in the U.S. So it's not like in -- maybe not Kaspersky. But I think a lot of it still exists in the U.S. A lot of it is in that MSSP/RMM segment. So I think there's still a lot more growth to be had in endpoint. It's just -- it's in places in the overall TAM that I think not many vendors have a reach to. And luckily, I think that some of it sits within my partner base. And I think that over time, you'll see us capture more and more of that. I think even some of the renewed commitments and double down agreements that we've had with some of our partners, revolving around capturing more of their endpoint share. So I think there's more to be had. I think it's not where you think it is, and I think it's not relevant to all vendors out there. I think to address that type of a market, you need a highly automated, highly autonomous solution and guess who has that. I'm very excited about the endpoint market. I think that -- obviously, what we do is expand the horizons for the company with data, with AI. And we feel like there is a gigantic opportunity there. But I'm equally excited about the endpoint market growth. And I think that there's also so many more capabilities that our MSSP ecosystem can enjoy within our platform on top of the endpoint footprint that they have, that, that is also another growth driver for the company. Call it endpoint, call it endpoint adjacent, too, whatever you want, but I think it's still a meaningful opportunity.

Great dovetail into the question I wanted to ask you, Dave, right, which is I think one of the highlights from last night was sort of this idea of increasing diversification in the business, right? Like still in early stages, but it's increasing nonetheless. Maybe the question for you, Dave, is what metrics do you look at to sort of showcase that diversification? And maybe what products are driving that change?

Yes. I mean when we think about new products that I would guess -- or I would say are younger and more -- earlier in their stage, we talk about data and we talk about cloud a lot. And you look at the growth rates we've had in that, and we've been maintaining triple-digit growth quarter-to-quarter on that. So that's absolutely something we're looking at. When we think about comp plans, we want to continue to drive that behavior. So that's part of the area I look at quite a bit. When I also look at it, I look at net new logos. But I don't just look at the net new logo count at the global level. I also look at what we're also getting from MSSPs. In MSSP, we can pick up 1,000-plus customers a quarter that no one ever sees. So we always count the MSSP partner as one customer no matter how many customers are underneath it. So you're seeing continued growth there. I look at the average selling price. That continues to go up. I look at the average deal size. That continues to climb. If we're able to maintain our NRR rates and we can capture new market share, this just gives me an opportunity in the future to expand that NRR and continue the growth opportunity by us bringing new products to existing customers. So those are all the things that we look at in terms of kind of building our pipeline out for the future.

Yes. Yes, for sure. Tomer, I want to dig into the data lake business a little bit because just the focus on it last night and just the commentary, it felt palpable, right, that there's something happening here. And so I think that we all simplistically look at this as a SIEM replacement tool, which may not be completely accurate, right? But maybe the question for you is how do you think about your products here, right? And is it right to think about this as solely a SIEM replacement tool? Are there other use cases that are driving value?

Yes. I think it's easy to think about it as a SIEM replacement tool. So I'll encourage that. I think there's enough confusion in the security market. That said, I think the use cases that you kind of saw with a flexible petabyte scale, blazing fast data store are much beyond the SIEM. The SIEM was really designed to be an alert aggregator. So every time you got an indication of any type of a problem, you would get that indication into the SIEM, aggregate it and then you can maybe deal with it. Put some workflows out there. You had to buy a source system to actually action anything that you see in the SIEM. And that was kind of the story of the SIEM that's deployed in every single enterprise today, mandatory pretty much. When you look at data lake, it comes to actually address 2 different things that are bundled into one. One is that exact same use case. That's an easy use case to really achieve. The other one is actually log ingestion. And instead of focusing just on alerts data, you want to get the full fidelity, visibility and telemetry that comes from every part of the enterprise. You don't want to just look at the alerts because then you're bound to miss what you didn't alert for. So how do you detect something that is undetectable right now but in a look back way, or potentially with AI, you can parse through it and say, okay, by looking at all these logs, I can see that there's something anomalous happening here? You can't do that if you don't ingest all the data. To ingest all the data and put it in a SIEM, I mean, you probably need to redouble your security program, quadruple it, add another couple of zeros and then maybe you will be able to do that. It's just totally cost prohibitive. The SIEM was never built to be a full log aggregation system. Now add to that the compliance mandates that have been put in place in the last couple of years to actually retain these logs for a year, sometimes 1.5 years, sometimes 3 years depending on the industry, and you're getting to massive amounts of data that you have nowhere to put. If you ever want to search that data, in any existing system that you have today, and all of these were designed 10, 15 years ago, if you try to run these searches on a year worth of data, you're looking about, I would say, between 15 to 30 minutes per query until it comes back, which is probably longer than the dwell time for the adversary in that same environment. So there's a complete dichotomy right now between what you actually need to be effective in the security world and the tools that you have in place. So when you look at data lake, I think, first and foremost, it's about just put the data in. I mean let's stop thinking about it. Let's not buy a product just to filter out the data because we can't put all the data in, and we can't action the data. First, put the data. We'll figure it out later. It's still going to be cheaper than Splunk, I mean, literally. So once you put the data in, I think then you can start doing many things with it. I think you can run and start thinking about AI. Now AI really actions all these logs. And you can start thinking about automation, which is another -- I think one of the most critical ingredients now across the board in the enterprise is how do you take all these different signals from all these different places, build the right context, because an attack doesn't start and end at the endpoint, or it doesn't start and end with the [ email ] provider or your identity provider. It goes through all of them. So how do you stitch it together? Where do you see such -- how do you get a representation of such a thing? It doesn't exist. If you have a business, any enterprise, and you want to ask the most trivial question out there, am I secure, what's happening in my environment, you can't do that. There is no single product that you can go to and get that view of your business. There is no security platform in the world today. There's an endpoint security platform. There's a cloud security platform. There's maybe a network security platform. There is no security platform with no qualifiers. That's what data lake comes to do. It comes to really change how we think about security and put that overarching envelope that gives you the context regardless of the products in there. You don't need to buy all my products for this to work. You can ingest data from any product that you have in your ecosystem and build that context, run AI on top of it and get to a level of automation that, I think, is unparalleled right now and will be unparalleled in the next couple of years. And I think it's going to just get to a very different security outcome for folks that are able to converge to these new models. And I think -- by the way, this might sound like a crazy dream, which I think it was maybe a couple of years ago, now it's a reality for quite a few customers, there's also unbelievable validation because AWS has put out a security lake. And Snowflake has put a security lake, and Google are adopting the same concept. And even Microsoft that for years had Defender and SIEM and 100 different things, a few months ago, came up with a new concept that they call the unified security lake. So I think what we've innovated here, what was born with SentinelOne is a very unique concept. I think we have, obviously, the technology components to make it work. I think now we're also a scaled company that can take it to market with velocity. So I'm really excited about the concept. I'm really excited about what it can do. And again, over one quarter, just to see the traction that we've seen, it's probably 10,000% year-over-year growth. I'm kidding. Obviously, it's a very [ slow -- low ] base, but it is very encouraging.

Absolutely. It shows. Maybe just to put a bow on that point and then I'm going to open it up for questions. Dave, for you. Data lake, I think, has very different pricing, right, than sort of the core endpoint pricing. Can we just talk about -- sort of anecdotally, can we talk about how deal sizes differ perhaps between these 2 parts of the portfolio and maybe what you're seeing in your pipeline around data lake?

Sure. So we charge via ingestion. So when you think the data lake and how much data can we ingest, and we charge accordingly on that, the beauty is for having Scalyr at the back end makes that a very efficient engine. So we can do it at a lower cost than a lot of our competitors. And then when you think AI on top of that, that's more the compute power over the data engine. So those 2 pieces are a bit different in terms of how we traditionally have it where it's more licenses as far as endpoint or workloads from the cloud. So it's a bit different than that. But right now, we're still being able to enjoy a fairly favorable margin profile on those deals because we're pricing it for value for customers. And that's really the way we're doing it is to make sure that we're able to maintain our margin structure even while having some of these things that may be a bit more challenging for us in terms of ingestion, I can charge a customer based on what they use, no problem; compute, I'm also going to charge them for what they use. So I'm able to maintain that margin.

Absolutely. Absolutely. I want to open it up for questions here. Maybe we can bring a mic here to the front, and then we'll pivot to some financial questions just to wrap it up.

Yes. I think I mentioned earlier that we -- my previous company was your customer for 3 years. So a lot of things that you're saying is -- I'm not sure the rest of the Street gets it, but let me just kind of ask it in a way that maybe makes more sense to the audience. So you have a lot -- you mentioned on the call that 60% to 70%, I believe, of the data is ingested by the SIEMs endpoint. So what you have now is you have context from that agent that only CrowdStrike has. But then you have Scalyr and your data lake in the back end, and you have the ability to query it and to retain it. So now you have memory, retention and you have context. And then now you're going to take that advantage and bring it to cloud workload protection, CSPM and CNAPP. Nobody has that. Everybody's viewing you guys as an endpoint product or a cloud product or a CNAPP product or a SIEM product. But what we did in our old company was we were able to say, "Hey, look, we got attacked." Our ability to retain that data for a year at no cost allows us to go back and say, "Shoot. Did we get attack in the past? Can you do a simulation to see what kind of be in the future?" Well, without the data retention, we can't do that. So my question to you is as you look at this thing as a platform and as you roll out CNAPP and cloud workload and CSPM, and obviously, there's all these single point vendors out there, where do you see -- like what do you think you need to do to convince the rest of the Street and to convince the customers that this is -- like security is a data problem. It's a context problem. It's an understanding problem. And all these guys with these point solutions can't do it because they either have a context problem, a data retention problem or just the AI that they have to build from scratch. And most of these guys are [ piecemeal-ing ] all this together. So what do you need to do to convince the Street, to convince the customers and show in your numbers that you can do this and increase your margins? That looks like what you guys are on the path to do that.

Yes. No, I mean, it's quite accurate, to be honest. Look, I mean, convincing the Street was never something that we have tried to do. I think that's not -- it's not something that, philosophically, I set out to do. I run a company. I build products. I want to deliver customer values. I think our numbers will eventually convince the Street. So I'm with you. It's a bit frustrating at times to understand technically what we're doing, but to see that others kind of miss the picture and maybe are more focused on just operating matrix, as they should, right? That's the way the Wall Street works. I think what you're saying is incredibly important when we say something like we're going into CNAPP, and we got some questions even on the call, what -- are you going to be differentiated [ with all the ] capabilities? It's not about the capabilities in CNAPP itself. I would argue, CNAPP by now is totally commoditized. Like none of these capabilities are any form of deep IP. [ They are no form ] of patented stuff. Everybody is doing the same. It's all cobbled together from open source libraries and glitzy front end. There's no AI in it. There's no scale in it. There's no data lake in it. There's no analytics capabilities in it for any vendor out there. So when we say, okay, now we're doing CNAPP as well, the innovation doesn't come from that layer. It's just going to be everything that everybody else is doing, now you can get out of us. But to your point, not only you're getting that, you're getting now Purple AI fused into that, which no cloud security vendor has. And you're getting an analytical capability that allows you to hunt and remediate and automate on top of your cloud security platform natively that no cloud security provider has. And that is the power of what we call, I think it's one word that people glance over, unified, unified, unified. It's a unified security platform. Nobody else can claim that. Our nearest competitor, it's not unified. It's not even united. I think they're trying to find all kinds of words to position that, but it's 2 separate things for them. For us, everything is unified. It doesn't mean that you need to buy endpoint to run cloud. Not at all. But it means that when you're buying cloud security from us, you're getting all the power of the platform with it. And you're not paying for that power. It comes with it. So that's the differentiation. That's why we feel for CNAPP, for cloud security, it's so compelling. And maybe one last thing on it. I feel like cloud security is severely overpriced right now, for no good reason, by the way. And when we kind of put our platform out there, I feel like not only we can provide for a superior experience, I think we will probably also do it while maintaining 80% plus gross margin in the long term, an incredibly competitive price point that might even change the entire cloud security market and how it's priced today from certain vendors.

Yes. Absolutely. I know we're out of time here, but I want to ask one last question here to really -- maybe it's a question that both of you can tag team. It's -- we're, of course, not guiding for next year, right? It's early to talk about that, particularly, right, since we still have Q4 ahead of us, which is our biggest quarter. But the question I want to ask, maybe it's a little bit of a philosophical one, is what are some of the things that you learned here in fiscal '24 that the team may want to incorporate in a bigger way next year, if any, right? And that's not just an implicit macro question, right? But you've got other moving parts, right, like new sales leadership, right, as well as more of a diversifying business like we talked about earlier. It's a philosophical question. How do you think about -- what are some of the things that you learned this year or some of the things that have happened this year that we're going to need to make sure we consider when thinking about next year?

Yes. I mean I can give my observation, which is, I think, might be surprising. But to me, enablement and training, both to our sales force internally plus our entire channel ecosystem, probably one of the keys to grow faster. And I think that that's where -- when we think about all the new things that we expect from new leadership, which are kind of the intangibles, right, I mean, you want better accountability, better predictability, better ownership, better discipline, all of that, always and always [ will be up and up ]. But enablement and training, I think, are kind of these things that nobody really thinks about, but they matter a ton if you do them right. I also think there's complete new ways to enable and train today. It's not -- when we started this, I remember my enablement team, I mean, they were running me through content. It's like [ 70 ] different slides and 3 hours of content to get certified on. It's like, who has the time for that today? And then why do I need to go through that? I put a challenge to my team, and I told them I want 10-minute training, 10-minute training with 1-minute video blocks basically so people can immediately understand the crystallized value in the platform, in the product. So enablement, training, I think, is something that's top of mind for us. But beyond everything else, better positioning, better marketing, I think all of that is -- are things that are naturally going to happen, but that's kind of where my head's at.

Dave?

I'd add wider product portfolio. There's a lot of things that we've added this year that we didn't have at the start of last year. There's new things that are coming. We've talked about Purple AI going GA in Q1. We've talked about having a more expansive cloud offering. Those are going to be very big pickups for us for the foreseeable future. Like these are things that we've been investing in for some time. We'll finally be able to launch them, and they help give us some confidence and help gain a larger market share of the TAM.

Awesome. Well, guys, I couldn't think of a better way to end. Let me just say, very well executed in the last quarter, very well done.

Thank you.

So thanks so much for the time. Appreciate it. Thanks, everyone.

Thank you.