SentinelOne, Inc. (S) Earnings Call Transcript & Summary

All right. I think we can go ahead and kick it off. Thanks, everyone, for joining us at the SentinelOne Session at the Goldman Sachs Conference. I'm Gabriela Borges. I cover security here at Goldman. Very excited to have Co-Founder and CEO of SentinelOne, Tomer Weingarten, on the stage with me. Thank you for your time this morning.

Absolutely. Thank you for having me.

Tomer, we started to have a little more of an architectural discussion on the earnings call, and you highlighted a couple of things, including the embedded AI models that you embed into the agent that allow them to work a little bit more independently than some of your competition. So tell us a little bit more about where are your technical advantages with the embedded AI model, and is there a trade-off with the lightweightness of the agent? How do you think about the trade-off between putting more content in the agent versus having a lighter weight agent?

Yes. So there's a few things there. First of all, putting more embedded AI capabilities and detection capabilities just mean less updates. And I think we've seen the results of what excessive updates can create. So having a generic approach to detecting threats that doesn't require these frequent updates, I think that's a huge architectural change or difference between what we've been doing for years and some of the competition. I think then, it's not necessarily the lightweight nature of the agent, it's actually how lightweight you are and what you do at the most sensitive part of the machine, which is the kernel. So if you kind of think about that product that failed, if you think about the amount of code that was put into the kernel, into that sensitive area, which is still the case, by the way, for everybody running that piece of software, think about this chunk at the kernel. All of that is code that can fail, that can potentially crash. It's a lot of risk surface. If you think about SentinelOne in the kernel, it's probably something like that. And it doesn't mean that it's less functionality overall on the endpoint. It means less functionality at that level. And then you have user space outside the kernel where things are much less risky. And this is where we run most of our logic. And I think that has been kind of forever our mantra, just minimize what you do at these sensitive parts of any machine. Again, to the point where Linux, we don't touch the kernel. Mac, we don't touch the kernel at all. Cloud, obviously, we don't want to touch the kernel. [indiscernible] you don't have access to the kernel. So it's just -- I think, it's just a better, I think, safer approach, but that's just me.

Could you explain a little bit more on why you don't need kernel access and Linux to work effectively? And where do you think Microsoft goes [indiscernible]? What are some of the ways that they can balance the need for security products to be able to operate effectively with kernel access?

Yes. I'm sorry. I'll take a sip of water. That was the center of discussion, I think, yesterday at the Windows Summit. In Linux, what you have is a framework that's called eBPF. And eBPF basically gives you all the telemetry that you need from the kernel without needing to be at the kernel. So it's a very smart interface that allows you to subscribe to it, and then if you're at the kernel level and you're getting the same type of visibility and access. Microsoft doesn't really have something like that. And I think part of the discussion yesterday was, hey, can we minimize some these interfaces? Can we potentially lock down the kernel more than it is today? I would say, the overarching message yesterday was that, that's not going to happen. They're probably going to supply more interfaces to receive some of these threat-related notifications. But to move all the way to a Linux-like architecture or eBPF-like architecture, most likely not going to happen or not in the foreseeable future. The other big point of emphasis there was on the actual testing, validation and deployment best practices. And I think it was very central to what one vendor had done or ignored. And I think what Microsoft is just trying to do is to say, we don't want to see that happening ever again. Thus, we are going to beef our criteria to make sure that no vendor decides to ignore it. Now for us, it's no change. We've followed these best practices for years. So I think now they're just putting more of a spotlight on it, and I think they're just making sure that vendors are not able to just do what they want basically because it's a very, very open -- think, open field when you think about the kernel, there's no limitation. You can choose how much you want to put there. You can choose what you want to put there. So I think Microsoft just are trying to do the right thing and make sure that -- this time it was CrowdStrike, maybe in a few years, some other vendors are going to decide to do something, some newer vendors, we don't know, but now they don't want to take that chance. So they're putting more rigid, I think, deployment criteria, software quality control criteria that were just not there, so anybody could have done what they want. By the way, this is not just for security vendors. It's for everybody that installs any type of driver at the kernel level. Security providers have additional services they can tap in terms of boot time, load time. So you can actually load into the system before anything else load because you want to be there before the bad guys basically. So there's a lot of other considerations that are, I think, even more open to security vendors, and they want to make sure they put controls around that.

And there's a simplistic way of thinking about the power between the cloud environment when it comes to accessing the kernel space and more specifically not accessing it and what you do in Linux environment. Maybe expand on that a little bit, how does what you offer in the cloud compare technically to what you would typically offer on a classic on-premise implementation of endpoint with Linux, for example?

Yes. It's very, very similar. I mean, we got almost complete feature parity between the different products. The main difference is that the way that we implement anti-tempering and anti-tempering is basically you don't want to get removed from these devices ever. I mean, once you're plugged in, you want to make sure you're seeing everything that's happening on these devices or workloads. Attackers are constantly trying or one of the means to bypass security solutions is to basically uninstall them, remove them, blind them, all kinds of different methods. And anti-tempering is something that is only effective if it's done at the lowest level of the machine because then, again, you're there before the attackers, you can always see when somebody is trying to temper you. If you not loaded first, you can't see that. So in Linux, we kind of don't have that mechanism just because we're not touching the kernel. But at the same time, we've divided other controls that can let us know when there's a deviation from the norm. When something just anomalous happens on the device and then we can trigger an alert for the admin to go and check, hey, there's been a change in configuration, go and check what happened. So we can't prevent being tempered with completely, but we can alert on it. And I think in the cloud environment where -- if you think about what's in the cloud, you sometimes have virtual machines. You don't have really a lot of access to like the hypervisors or you can't be as low as you want to be anyways. You've got serverless functions. We don't have any kernel, any CPU, anything. You're securing a service. So the architecture in the cloud, I think, is -- should be kernel-free by definition, and that's why it's not such a big consideration. On the Mac operating system, as an example, Apple has basically put significant anti-tempering control, and they locked everybody else from the kernel as well. So that kind of evens the playing field in terms of can somebody else load into the kernel and remove you, no, nobody can get into it. So now you're kind of, again, in a pretty decent spot in terms of anti-tempering capabilities.

So we spend a few minutes here on the technology strength. We know in security that it's not enough just to have a good technology, you also need to have a strong supporting go-to-market. So talk to us a little bit about how you fortify your go-to-market, especially in the context of some of your competitors spending significantly more on [indiscernible] market assets than SentinelOne has?

Yes. I think our way has always been a bit more nimble and thoughtful about how we go to markets just because we had to. By definition, we were a newcomer to the space in comparison to some of the others that have been there. We don't have the reach of Microsoft, obviously. So that obviously constrains how much we can just push stuff to customers that are already there. So for us, the channel ecosystem has been really a force multiplier, and that is something that we continue and do today. Our ability to augment our own sales force with our very significant channel ecosystem, has been a way for us to kind of scale efficiently. That said, I think you've seen us also change quite a bit our go-to-market teams, our go-to-market DNA. The fact that we're leading with a platform today, just endpoint security, which was kind of what we were doing maybe 3 years ago, all of these are kind of putting us in a very different position. We now have a customer base that's pretty significant, which is also an upsell and cross-sell opportunity for us, which is yet to be fully unlocked. So it's another untapped source of growth for us. All of those, we just try to kind of balance within the desire to also become profitable on our time line. You can always market more. You can always put more advertising. You can always be more aggressive. I think for us, we want to see it done under a certain efficiency cohort. I would love for the product or the platform in a couple of years to be able to sell itself in certain degrees. Like I think, there's a distinct way to start enabling customers to consume things from your platform just by taking a box and turning it on. So to me, that's another path that we will be pursuing in the years to come, which is why I'm not overly worried about the expansion opportunity. Right now, we're very focused on just net new logo acquisition. So I feel good about marketing. I think that, in general, this market is so confused and confusing, that it's -- I mean, we just spent, I don't know, like 10 minutes talking about the kernel, I'm not sure how many people really kind of understand what that means. And I'm honestly trying to simplify it as much as I can. And I think that even customers, honestly, like CIOs, CISOs don't always fully understand what's the difference? Or why should I care even about what you're saying? And that's the reality you have to contend with. I mean, one of the biggest, to me, mysteries in this market was for 4 years, there's been one company that consistently led MITRE evaluations with outstanding results, which you can't argue with. It's 100% protection, 100% detection. There was no asterisks, no delayed detection, no changes, no nothing, clean 100% for 4 years in a row. Still didn't seem like the market fully grasped that this is a better solution than some of the others just given the level of marketing that you have in the space and the level of confusion. So it's a challenge. There's no question. I do believe sincerely that folks are getting more sophisticated, they're getting smarter. Their eyes, I think, are a bit more open to what these products can actually do beyond that glamorous marketing and all the great kind of self-proclaimed accolades and the multiple award that everybody is winning. So I want to believe that marketing can be done in a more responsible way, and it's something that we've talked about ever since we IPOed the company. We're actually pledged -- we had a pledge with the IPO where we said we are not going to be an overseller's marketer. We're not going to do what the others are doing, and we're staying true to that. And right now, it's to me, mostly about education and making sure people understand technically what are these for? It's not magic. I mean, it's not EDR is going to protect you with 3 letter acronyms. It's not that. There's actual technology underneath it. And I think that will eventually prevail. And with that, I think our ability to market is also growing. And we are, I think, a very good marketing company. Then they were one of the fast-growing software companies on the public market. So we know how to market. We know how to punch above our weight, I think, even with our relatively constrained budgets. And whatever year that passes, I mean, we just get more and more capacity to market. And I've never felt like too bad about our ability to market in comparison to the mountains of cash that you see the others deploying. The last thing I want to say there is that the place where it does constrain us is definitely the top-of-funnel consideration because this is where -- look, at the end of the day, the TAM is so big across everything we do today, it's a $100 billion TAM. We're not reaching all these customers. I mean, we're not reaching all the investors, not everybody knows about SentinelOne. Not all customers know about SentinelOne. Not all parts of the market know what we do. I think there's this illusion that, oh, every market, every company out there knows about SentinelOne and CrowdStrike for sure. That's actually not the case. It's actually not the case. And in many markets, especially if you think about the cloud security opportunity, people don't think about SentinelOne immediately as a leading cloud security provider, even though we got one of the highest-rated suites out there. So that's the role of marketing. The marketing for us, I think it just opened up that top-of-funnel presence, and we're doing more and more of that every day.

Well, let me pick up on the comment you made about customers being a little more eyes wide open or a little bit more aware. How have your conversations trended just in the past 5 weeks? Any specific color you can give us? And what advice are you giving your sales team as part of those engagements?

I've had countless conversations, honestly. I mean, I have been nonstop on the phone. And the interesting thing about it is that I swear I've not called a single customer. Every customer that I've talked to was an inbound call, and I didn't need to even call anybody. The conversations are pretty clear. I mean, to me, people want to make sure that they can offload some of that risk that we just talked about. And there's a wide spectrum of ways to do that. Some folks, they just want to move out from this, whether they've been just, I don't know, burned over, I don't know what the sentiment there, upset for sure. Some people want out. Some people we already helped out, and we're talking about Fortune 50 companies. Three days and you're out. So technically, it's possible. I do think that for most companies, it's more of a convoluted process that's going to take more time. But some have moved. Some have just said, we want to pull the cord, we want out. That's an easy conversation, by the way. Most of the others, they want to understand how we do this. Like how do we gradually come in, start with the same -- with 1 or 2 footprints and then go after the rest of it and what's the time line to do that and how they do that in the most risk-averse way, both to their endpoint environment and to their operations. And that is something that we're just working with them, working at their own pace, we're not pressuring them. I think that's the #1 thing you asked me and what I'm saying to my salespeople, just work by what the customer wants, even if eventually the customer says, no, maybe let's revisit in a year or whatnot, everything is fine. I think that generally, the consideration has changed significantly. I also don't think that pricing is a big consideration for these customers. So you're giving them all kinds of perks right now. Yes, for sure, these customers are going to take whatever they can. But I don't think that changes the sentiment so much for them. So again, it's a wide gamut. I think that -- you're seeing that also in 2 different aspects. One is customers that want to move, so call that rip and replace, but also customers that have stopped expanding, and that's a very prevalent conversation. I mean, not a lot of them kind of are thinking to themselves post this, oh, I want to double down with this. I mean, that doesn't make a ton of sense. So they're coming to us and they're talking to us about these adjacent footprints. They're going to the channel ecosystem. We're going to the channel ecosystem, which is also somewhat impacted by this because if you think about that other vendor, most of their growth was coming from expansion. And if that motion is now significantly impaired for their entire channel ecosystem, that's a hole in revenue that they need to fill somehow, and we're gladly there to help them go after these footprints and give an alternative. So all of these conversations are obviously net positive to SentinelOne. I don't want to go into like what's the impact for them. I think there's some impact for them, there's some impact for us. They might not even be linear, but I'm very, very encouraged by what I'm seeing. I think the biggest -- 2 biggest things that I can definitely say, and I'm not going to quantify anything. So...

That was my next question.

But I will beat you to it. But we are seeing very significant pipeline building. We are seeing an uptick in win rates. And that, I think, is something that, over time, we will be able to quantify and translate into kind of what the future impact of this is looking like. Give us a quarter to kind of work through all of this, and I think that with next earnings, we might be able to be a bit more intelligent about how this looks like for the future for us.

I want to ask you about the upsell dynamic and end point separately from the cross-sell dynamic that you touched on with the emerging products. On the upsell, in Linux security, it's right common to see dual sourcing between multiple kernel vendors. Level set us what is normal in endpoint? And do you think the industry structurally moves to more of a dual sourcing or multisourcing paradigm because of the side [indiscernible]?

Yes. I think it does move there. It wasn't the case up until now, very different than the network. By the way, the network part also started with one vendor, and then it moved into dual sourcing. So I guess we didn't learn. We always have to learn the hard way. But I think we're definitely going to be moving into more of a dual source, whether it's side-by-side, different footprints, different surfaces, there's multiple ways where you can achieve that, but I think that's definitely a conversation you want to have. And I think that's going to change materially the opportunity in the endpoint space. Generally, I think the endpoint space is also still underpenetrated. I think that might be a controversial statement, but look, the refresh cycles, the PC manufacturers, like you're talking about 30 million, 40 million pieces of new devices coming into the market every couple of years, every 3 years maybe. That's a huge opportunity, especially if you can partner with some of these people. So I think there is ample opportunity in terms of net new market share grab in the endpoint market. I think there's also...

[indiscernible]

Okay. That's Apple Intelligence, I mean -- So there's a lot of opportunity to get rid of the junk you have in your environment. But there's just a lot more to be had. McAfee is like a $1 billion business and Symantec is still close to $1 billion, and Sophos is $2 billion, and Trend Micro is a big company. There is a lot to be had in all these different markets. The MSSP ecosystem is still running Bitdefender and Webroot. So there's billions of dollars of market share to be had, and we've been able to unlock a lot of it. I mean, if you think about it, 2 years ago, we had 1% market share. A year ago, we had 3% market share. Now we're about 5% market share. So we're moving pretty fast in the way that we're unlocking that. I mean, faster than anybody else, that's clear. And our scale is starting to be pretty significant. And obviously, to us, every endpoint customer that we onboard is an expansion opportunity for the lifetime. And we keep these customers safe and happy. And I think that will translate into just a massive growth opportunity in terms of the actual upsell opportunity, which we've not been doing in any more than an opportunistic way up until now.

Let me pick up on the emerging products piece of the story. So global already landing cloud footprints next to competitor endpoint footprint before July 19. How is the opportunity evolving in cloud, particularly as there's a little bit of a question mark if I standardize on AWS, we'll perhaps I can buy more of my security from the AWS security offerings. So how do you think about what a good cloud opportunity or what the cloud opportunity looks like for SentinelOne...

Yes. A couple of things. It is interesting because AWS is actually one of the only vendors that did not have an appearance in the market guide for CNAPP solutions. So not entirely sure why, but I guess they don't really have all the components.

Perhaps we'll use Azure as the benchmark.

Yes. Azure is definitely a different story, but it's Azure for Azure. And I think it's -- for any other footprint, it kind of tapers down pretty quickly. To me, the cloud security market right now, the one word I would do is just fragmented. It's like totally fragmented. And when I say fragmented, I mean, just different use cases. So most people don't realize that there are practically no cloud-only companies out there. Everybody is a hybrid company. Everyone has something on-premise. And typically, these on-premise footprints are pretty big. And a lot of these solutions, those CNAPP solutions are very public cloud oriented. So when we look at opportunities, we try to find the ones that we believe are better suited to our technology stack. And our technology stack has innate advantages with securing any type of workload, on-prem, private cloud, public cloud, doesn't really matter. And our solution is distinctly better at runtime protection. So if you're asking me how is the Sphere market, I think that's kind of a commodity market where everybody can kind of do the same thing, very public cloud oriented. But then if you go into runtime security, kind of the cloud workload protection side of the house, it's different, and it's a huge opportunity. That's a multibillion-dollar opportunity. I want to go after this, I care a little less about CSPM. We've got a great CSPM, CNAPP solution. I do think it's far-fetched to think that we're going to maybe even give some of those away when you buy workload protection. Because to me, workload protection is by far the most important piece in that. Then you go into DSPM, which is a slightly different consideration and the types of data that you want to protect. So very fragmented in terms of the use cases. I think the other realization is that you kind of hear Palo Alto saying, oh, it's so good. Our cloud business is amazing. And CrowdStrike, amazing cloud business. Like everybody is a tremendous cloud solution. There are no perfect platforms, doesn't exist. Not mine, by the way, not in endpoint, not in cloud, not anywhere. Everybody has strengths and weaknesses and customers have different desires, needs and challenges. And some of these platforms are good for certain things, not so good for other things. When you talk about a $100 billion market opportunity, you're going to see a full spectrum of these things, and you're going to have your success even if somebody else is successful. And I think that's maybe kind of a missing part in the narrative because people call it the one-winner-takes-all type of a motion, it doesn't exist. It's not there. It's impossible. Nobody can cater to all the needs of everybody in the market. So we just focus on what we do the best, and we find these opportunities and we sell into them. And again, when you see these customers that are eventually going with our solution, you typically see the most discerning ones, and that's what I like to see. And they rather go with us even if they have already a vendor that they can platformize on. I think they still choose to go with the best-of-breed solution. Going back to what we just discussed about the multi-vendor approach, I think that also puts a dent in that beautiful platformization narrative because that would kind of go against that.

Fantastic. Any question in the audience? Just go for it.

Yes. So Tomer, I mean, I've known about your kernel for a long time. I mean, Rick Bosworth writes great about it, like [indiscernible] great stuff about. So if anybody needs to read up on that like [indiscernible] about that for you guys. I do have 2 questions for you. The first question is, I've always believed you guys have a better product, I've been a shareholder for a long time, but somewhat disappointed with both stock price and the go-to-market.

Yes, me too.

But what you have now is you finally be able -- it's not even like in the lab anymore, it's real world that why your platform is superior. So that's now litigated in the real world. And now you have a new CRO, new CMO, new CFO. And you mentioned last quarter, you said, well, you're willing to invest more once you reach profitability. Put all those pieces together, should we expect this team in your comments about given win rates and better pipeline, should we interpret that as this is your new team, your new opportunity, the new catalyst to say, hey, look, we're going to step with new products, accelerate growth. And by the way, your win rate is 7%, you've already disclosed that 2 years ago in the CrowdStrike. So I hope that your number goes up or the pipeline gets better. So help me understand the -- are you willing to now step on the gas to growth given all the leadership changes, product changes and market opportunity?

Yes. Look, it's a fair question. And I think that -- there's no question that we're a better company today than what we were a year ago. I think that -- I never believe that our constraint is just like the marketing aspect or putting the pedal to the metal. I have a fiduciary duty to grow responsibly. And to me, I want to see certain efficiencies happen before we pour more money into the business. Again, we're the fastest-growing company on the public market in our industry in software. Arguably, it's hard to do things even in a more accelerated fashion without things starting to break. We have a better team. We have a better company. I think our product has never been better. I think the sentiment around SentinelOne has never been better. It's true that we have kind of inflected into profitability. We're still not profitable on a full year basis. That's our goal. That's what we want to see. And that's going to also align with our efficiency cohorts and at least that we internally track. And I think then you're going to see us just go more aggressive. But beyond all of that, there are multiple initiatives that we've been working on in the past year that are going to fuel growth into the future. It's just some things take time. But I'm, again, more excited about the opportunity, both in the endpoint space, and outside the endpoint space more than I've ever been. So it will get there. I'm not worried at all. And I think that stock price, all of that, I think, over time, that gets unlocked as well. Obviously, we've had some execution errors. Obviously, there's been some quarters where we didn't really get to what we believe that we could have gotten to. And I think now things with this team are looking just very, very different than any other point in time for the company. So I'm encouraged by that. I'm encouraged by the predictability, the stability and again, better team, better company, seeing the landscape is maturing.

OneCon. Should we expect some announcements at OneCon?

You should expect a lot at OneCon. But obviously, I can't really disclose exactly what will be announced and kind of in which areas and again, there's a wide gamut of things that we're working on. Some will be announced, some will not be announced, but we're not sitting idle, as you can imagine.

Tomer, maybe just a little context around the CFO announcement from this morning.

Yes. No, I mean that one, very excited for Barbara joining us. It's been kind of carefully planned for a good period of time, very deliberate. Obviously, we're kind of switching gears in terms of how we grow our scale, we're coming pretty close to that $1 billion in ARR. We need to start thinking about our long-term targets, again, how we do that, how we bridge that with scale. And obviously, we can and we want to use the experience of a seasoned SaaS leader that have seen those stages of growth between $1 billion to $6 billion to $7 billion of revenue. That's exactly what we need, tremendous leader. And obviously, Dave has done a remarkable job as well. I mean, he took the company public, very grateful for him. But we're off to a new chapter, and I think we're all very excited about what Barbara brings to the picture.

What were the 1 or 2 leadership qualities that stood out to you about her as you got to know her over the last several weeks and months?

Yes. I think it's the -- I think it's 2 things. I think the interaction with the executive team, the leadership and the partnership that can be created. I think that excites me. Honestly, it excites me because that means that I need to be less involved in that. But generally, I think that's how you foster a really healthy motion in the company. And the second thing is just the -- I think the financial foresight. I mean, when you see other companies grow in a certain way and go to these different stages, now when you look at us, it's on the same track and say, okay, probably, we need some adjustment here or some adjustment there to replicate some of these journeys or to do even better than some of these journeys. Obviously, SentinelOne is pretty unique in its growth profile. So those 2 things just really excite me, something that was never there before. Again, Dave has done remarkably well for us, but he's never seen that type of growth. And we're kind of nearing that point that we just want to make sure that we grow in the most efficient way possible. The profitability story for us is not just a story, like we want to expand our EBIT and operating margin significantly and as fast as possible. So -- and how do we bridge that with what people want from us, which is to be more aggressive and go to market, I mean, all these things, I mean, think about these considerations is what you expect your CFO to do.

Excellent. Please join me in thanking Tomer for his time. Tomer, thank you very much.

Thank you so much.