SentinelOne: Profitability Concerns Are Overblown (NYSE:S)

SentinelOne’s stock (NYSE:S) has had a tough time since listing in 2021, despite the company performing quiet well. This has been due to a high initial valuation, rapidly rising discount rates and growing concern over the company’s losses. While SentinelOne’s operating expenses are high, the company is realizing rapid growth and margins are improving with scale. SentinelOne isn’t the most efficient organization, but their large R&D investments are making the income statement look worse than it actually is. A decline in inflation will likely lower pressure on unprofitable companies, and provided SentinelOne’s growth remains robust the stock could do well from current levels.

Market

Cybercrime is reportedly a $6 trillion business and attackers can be large networks of well-resourced individuals or even nation state actors. Attackers are leveraging increasingly sophisticated techniques, which means that organizations need increasingly sophisticated defenses.

The rise of the hybrid work environment, ongoing digital transformation initiatives and an evolving threat landscape are driving the endpoint security market. This is a large market, which continues to grow, and the penetration of next-gen solutions is only just beginning.

The attack surface of most organizations is increasing due to trends like remote work, bring your own device and the rise of IoT devices. There will be an estimated 41 billion IoT devices online in 2025, many of which will have little to no built-in security capabilities. Visibility across connected devices and continuous assessment of their risk profile has become a top priority for organizations.

Legacy antivirus solutions rely on signatures to identify malware, which is ineffective and reactive. Human-powered EDR is a next-gen approach where people drive detection and response. Human-powered EDR aims to detect an attack in one minute, investigate in 10 minutes and respond within an hour. This approach is potentially problematic though as an attack may only take milliseconds. Legacy antivirus and human-powered EDR both rely on linear human effort to defend against the exponential growth of cyber threats. SentinelOne characterizes CrowdStrike (CRWD) as a human-powered EDR platform and their own solution as an autonomous EDR platform, as it does not rely on human intervention.

It is estimated that an additional three million professionals are required to adequately defend organizations against cyberattacks worldwide. A scalable approach is therefore needed which does not rely on human intervention to prevent, detect, and remediate cyber threats.

Some next-gen tools also struggle to handle the volume, variety and velocity of data that must be ingested and analyzed. Many of these tools generate a large amount of noise and require human intervention to extract useful signals. Existing EDR tools may also be unable to store large historical data sets cost efficiently, a necessity when investigating past attacks.

At the time of their IPO, SentinelOne estimated that their addressable market would be approximately $29 billion in 2021. This estimate was updated to $50 billion in 2022, due to the expansion of SentinelOne’s Singularity XDR platform into areas like identity. SentinelOne also believes that there are opportunities in adjacent markets like Threat Intelligence and Data Loss Prevention.

The endpoint security market is growing due to the breadth of services provided by next-gen vendors. Next-gen vendors can likely charge more per endpoint for managed type services and are likely to be protecting a far greater number of endpoints/workloads (PCs, servers, cloud workloads, Kubernetes, mobile devices and IoT devices).

SentinelOne

SentinelOne is a cybersecurity company that was founded in 2013. Their platform delivers capabilities across endpoint, mobile, IoT and cloud security and data analytics.

SentinelOne’s focus is on utilizing AI to make cybersecurity truly autonomous and they believe that this differentiates them from legacy security solutions and next-gen solutions which rely on crowd-powered protection. This has the potential to reduce the burden on cybersecurity personnel, but has faced criticism for producing overly noisy results. An autonomous approach also allows greater speed and scale, and potentially higher accuracy than possible from a person or crowd.

SentinelOne’s platform ingests, correlates, and queries petabytes of structured and unstructured data from a range of external and internal sources in real-time, allowing SentinelOne to build rich context. SentinelOne’s algorithms are distributed, running both on every endpoint and cloud workload, as well as on their cloud platform. While inferencing workloads are generally less resource intensive, this approach could make SentinelOne’s agent quite resource intensive relative to CrowdStrike’s. Agents that are overly resource intensive are a potential pain point for customers if they effect the endpoint user’s experience. This approach allows SentinelOne to protect endpoints when they are not connected to the cloud though.

SentinelOne’s Static AI model predicts file-based attacks, including previously unknown threats. The fact that this process is autonomous and occurs on device also makes it fast. SentinelOne achieves industry-leading detection rates by carefully developing and curating training data sets at scale.

SentinelOne’s Behavioral AI model monitors and links all behaviors on the endpoint to create contextual narratives that SentinelOne calls Storylines. Behavioral AI utilizes rich contextual information that is encoded in each Storyline. As a result, it is attack vector agnostic because it is not limited to any particular pathway used by attackers to penetrate a system. When an activity is deemed a threat, the software autonomously kills the attack and because the Storyline contains a complete record of changes made during the attack, these changes can be remediated. SentinelOne believes this capability is unmatched on the market and significantly reduces the resource burden of remediation.

SentinelOne’s cloud platform aggregates Storylines and their Streaming AI can detect anomalies by correlating multiple data feeds with external and internal data. SentinelOne’s platform also provides a single pane for an organization so that analysts can quickly and easily investigate incidents and hunt for threats.

SentinelOne offers endpoint protection, endpoint detection and response, cloud security, IoT security, identity protection, data analytics and IT and security operations. By deploying SentinelOne’s Singularity Platform, customers can receive a return on investment of 353% over three years, and a payback period of less than three months.

Singularity Mobile allows customers to manage mobile device security alongside endpoint, cloud workloads and IoT devices. Singularity Mobile brings behavioral AI-driven machine speed protection, detection and responds directly to iOS, Android and Chrome OS devices.

SentinelOne also offers an increasing number of modules on top of what is bundled in their entry level package. Additional modules are offered as a subscription and charged on a per agent basis.

• Binary Vault – Enables customers to store and download copies of any file that has been executed in their environment for forensic review and reverse engineering.
• Data Retention – Offers data retention upgrades from one month to three years and beyond.
• Cloud Funnel – Allows organizations to export their XDR data in real-time to their private data lakes, whether locally-hosted or in the cloud.
• STAR Premium – Enables custom behavioral and IOC-based rules for real-time analysis, alerting, and automatic response workflows.
• Ranger (for IoT) – Provides organization-wide inventory and control of IoT devices.
• Cloud Workload Security – Extends EPP, EDR, and XDR features to offer runtime protection for servers and containerized workloads.
• WatchTower – Delivers threat hunting and insights to help customers understand the nature of threats, targeted attacks, threat actors, and risk reduction.
• Vigilance MDR – Enables customers to benefit from world-class SOC operations with customized threat annotation and response.

SentinelOne has a number of capabilities, in addition to their autonomous approach to endpoint security, which they believe further differentiates their platform. SentinelOne’s remote script orchestration allows the execution of scripts across an enterprise, rather than device by device. This allows incidence response partners and customers to rapidly respond to breaches.

SentinelOne also offers multi-tenancy to support the use of their software as a managed service platform. Multi-tenancy is a software architecture in which a single instance of software runs on a server and serves multiple tenants.

Sentinel One offers IoT Security under the Ranger brand. Ranger transforms SentinelOne’s agents into an AI powered intelligent scanning mesh. Ranger discovers connected devices and delivers network inventory and risk mapping. This includes modules to identify unprotected assets, provide information about discovered devices and create network segments that restrict access to the corporate network.

SentinelOne believes that other SIEM vendors lack automation and enforcement capabilities, and that by combining SIEM with their endpoint protection platform, they are able to close the loop. SentinelOne acquired Scalyr to improve their data analytics capabilities in support of their platform. Scalyr is now integrated into SentinelOne’s technology backend and is reportedly performing well.

Scalyr is a critical part of SentinelOne’s XDR road map as it enhances their ability to ingest and store data. Enhanced data storage capabilities allow customers to cost effectively retain large amounts of data for longer periods of time. New customers are already being onboarded to Scalyr and existing customers are being migrated.

On the back of the Scalyr acquisition, SentinelOne has also launched DataSet, an enterprise data platform for data queries, analytics, insights and data retention. DataSet is an enterprise data platform, not just the back end for SentinelOne’s XDR platform and addresses use cases like logging, search and real-time event data monitoring. DataSet eliminates data schema requirements from the ingestion process and index limitations from querying. The availability of an index-free approach enables customers to get faster results at a fraction of the cost compared to traditional approaches. Index free logging involves storing data in buckets which are tagged so that a query engine can find relevant data. Indexes are suitable for systems with low ingest rates and high query frequencies. This is problematic for logging as it involves high ingest rates and query frequency is often low. Index-free logging reduces ingest latency and disk space and hardware requirements.

SentinelOne has also entered the identity protection market, with a $617 million acquisition of Attivo. This acquisition allows SentinelOne to protect identity using a zero trust framework. Misused credentials are one of the primary techniques used in breaches. A compromised endpoint can lead to compromised user credentials, at which point an attacker can install backdoors, exfiltrate data and change security policies. Attivo helps organizations keep passwords safe, admin privileges restricted and user identity intact.

Attivo’s identity protection is an agent-based solution that secures credentials and detects malicious identity behaviors. It delivers real-time protection against credential theft, privilege escalation and lateral movement. Attivo also offers identity infrastructure assessment, identity-based vulnerability scanning and management for enterprise infrastructure. Attivo’s scanner provides instant visibility of active directory misconfigurations, suspicious password changes and unauthorized access. Attivo also has a deception solution that makes attackers reveal themselves, their methods and targets through misdirection.

Identity is an estimated $4 billion opportunity and Attivo is capturing share within that market, growing its ARR at over 50% annually. At the end of 2021 Attivo’s ARR was approximately $30 million, and revenue in 2022 was forecast to be $40 million. Attivo has over 300 customers, from Fortune 500 enterprises to government entities. The acquisition opens up new customer and cross-sell opportunities.

SentinelOne also offers a marketplace where customers can integrate applications across a number of categories (Threat Intelligence, SIEM, Sandboxing, Analytics, and Workflow Automation) into the Singularity Platform. Singularity XDR Marketplace also allows security teams to drive a unified, orchestrated response among security tools in different domains.

Partnerships are an increasingly important part of SentinelOne’s business, and could drive sales and marketing efficiency in the future. Managed security service providers provide outsourced monitoring and management of security devices and systems. SentinelOne’s partnerships with these organizations (Enable, AT&T, Pax8, Continuum, Kroll) give them mid-market and large enterprise coverage, and are an important source of growth. ARR from the MSSP channel increased by 300% YoY in the third quarter of FY22. SentinelOne’s strategic technology and services partners (including MSSPs, MDRs and IR partners) have grown to over 20% of their business.

SentinelOne also continues to build on their incidence response partnerships (Mandiant, KPMG, Kroll, RSA), and have been developing continuing education courses to complement their accreditation programs. These courses keep partners up-to-date on new capabilities and modules.

Competition

SentinelOne faces a number of competitors, including:

• CrowdStrike
• VMware (VMW)
• McAfee
• Symantec (Broadcom (AVGO))
• Microsoft (MSFT)
• Palo Alto Networks (PANW)

CrowdStrike, Microsoft and Palo Alto are probably the most important competitors due to the breadth of their solution portfolios and the strength of their offerings.

SentinelOne has mentioned win rates at or above 70%, including against their closest peers. SentinelOne has also pointed to high and improving win rates for deals worth over $1 million and over $100,000, which are generally against other next-gen competitors.

From a competition perspective, there are a number of current developments that could allow SentinelOne to pick up market share. Kaspersky is a Russian cybersecurity vendor that is potentially providing tailwinds to competitors due to the war in Ukraine. SentinelOne is currently seeing a sizeable movement away from Kaspersky, either by mandate or because customers want a better security platform.

Broadcom’s acquisition of VMware is another potential tailwind for competing solutions. According to market share reports, there was a large shift to next-gen vendors from Symantec after they were acquired by Broadcom. The same situation will potentially play out with Carbon Black, benefitting companies like CrowdStrike and SentinelOne.

Financial Analysis

SentinelOne continues to suggest that demand remains strong, although management appears to have become slightly less bullish in recent quarters. In the most recent quarter management suggested that sales cycles had become marginally longer and required more budgetary approvals. Cybersecurity is a top IT spending priority, and management believes that the macro environment has not impacted that. The consequences of not being protected by a leading cybersecurity solution are too great for customers to cut spending.

Cloud protection is SentinelOne’s fastest growing segment, with more than 10% of SentinelOne’s endpoints being servers or in the cloud. SentinelOne expects that cloud will continue to expand and at some point will be similar in size to the endpoint market. Customers are choosing Singularity cloud in conjunction with endpoints and on a stand-alone basis. SentinelOne is also seeing more and more cloud only deals. The scale of cloud footprint in early deal sizes indicate a much larger future potential.

SentinelOne expects organic growth to be mid-80% going forward, an impressive figure given the company’s size. This would continue to place SentinelOne’s growth broadly inline with CrowdStrike’s at the same size.

SentinelOne’s growth has been driven by strong adoption of their next-gen endpoint solution, along with the introduction of new solutions (MDR, EDR, cloud workload security, Scalyr) and FedRamp certification. Emerging products like Ranger IoT, cloud workload protection and data capabilities are all growing at triple-digit rates.

SentinelOne’s customer base continues to grow rapidly, although it is currently still fairly small. Revenue per customer is also increasing due to SentinelOne attracting larger new customers and expanding within existing customers. Revenue per customer is also relatively low and has significant room for expansion as SentinelOne continues to introduce functionality to their platform and protect more endpoints/workloads.

As of January 31, 2021, SentinelOne’s dollar-based gross retention rate was 97%, which is reasonably high and supportive of improving margins as the business scales. Gross retention is also likely to improve over time as SentinelOne introduces more modules and an increasing number of customers standardize on their platform. SentinelOne’s net retention rate is also robust and has been improving as customers adopt more modules.

SentinelOne’s gross margins are relatively low given the nature of their platform, but have been slowly improving. There have been suggestions that SentinelOne is willing to undercut competitors on price to gain market share, which may be contributing to lower gross margins. The migration of existing customers to SentinelOne’s DataSet back end has also resulted in temporarily higher costs. SentinelOne are targeting gross margins of 75-80% in the long-term. This should be achievable as SentinelOne earns high incremental margins when customers adopt multiple modules.

SentinelOne’s operating profit margins are far more concerning than their gross margins, due to the company’s high operating expenses. While margins are improving with scale, SentinelOne’s operating losses are large for a company its size.

This appears to be more the result of heavy investments in R&D than inefficient sales and marketing. SentinelOne is far from being a lean organization though, as exemplified by their high general and administrative expenses.

As of April 30, 2021, 35% of SentinelOne’s employees worked in their R&D organization. The burden of R&D expenses is declining, and provided that the company continues to introduce functionality that drives growth, R&D costs are not a major concern.

SentinelOne’s sales and marketing expenses are similar in magnitude to CrowdStrike’s at a similar size. SentinelOne may be able to improve the efficiency of their sales and marketing organization as their partnerships mature and grow in relative importance.

SentinelOne has increased its headcount rapidly since going public, and continues to hire aggressively in support of growth. There is little indication in SentinelOne’s hiring data so far that they are facing a demand slowdown that is concerning management. They are also in the process of globalizing their talent pool into new areas like the Czech Republic and India, which should help to control costs.

SentinelOne’s management has suggested that they are targeting operating margins of over 20% in the long-run, which seems reasonable based on their current trajectory. Their financial performance is currently a long way from best-in-class company’s like CrowdStrike, but gross margins will improve and the burden of R&D will decline. Importantly, SentinelOne will realize economies of scale and scope over time and churn should decline.

By capitalizing a portion of SentinelOne’s operating expenses to account for investments in intangible assets and adjusting margins for scale to account for operating leverage, a clearer picture of SentinelOne’s profitability can be ascertained. Depending on how large SentinelOne ultimately becomes, and whether they can maintain their low churn and high expansion, it would not be unreasonable to expect operating profit margins of around 20-25% at scale with normalized growth.

Valuation

Investor time horizons have compressed significantly over the past 18 months, with investors now less concerned about a company’s long-term ability to generate free cash flow and more concerned about next quarter’s profits. For companies like SentinelOne, this has caused a large decline in share price as they have gone from trading at a premium based on growth, to trading at a discount based on profitability. Looking forward 5-10 years, SentinelOne should offer investors strong returns if the company can maintain its competitive position. In the current market environment this matters little though, and without current profits there is no real floor for the stock price.

Conclusion

SentinelOne has been growing rapidly in a strong demand environment for cybersecurity software. The stock appears attractively priced if SentinelOne can continue progressing towards profitability, provided that growth does not deteriorate too much going forward.