SentinelOne: Scalable Cybersecurity
A deep dive into the cybersecurity company SentinelOne.
Most of SentinelOne’s products are built on their Singularity platform, an autonomous Endpoint Protection Platform (EPP) that deploys endpoint detection and response (EDR) to protect businesses from cyber threats. Offering various packages of security products in exchange for a monthly fee per agent, SentinelOne has scaled rapidly, growing their customers 75% this past year with annual subscriptions ranging from a few hundred to a few million dollars.
We'll cover SentinelOne's core business, their growth story, their valuation, and the cybersecurity market as a whole.
What's Endpoint Security?
First and foremost, endpoints are hardware devices that connect to a company’s network. There are countless devices from servers and computers to small sensors and smart meters connected to your network. Since these devices are continuously sending and receiving potentially valuable data, it’s become essential to maintain eyes on how and why these devices are communicating, which is exactly what endpoint security does.
SentinelOne's approach to endpoint protection is multi-layered and autonomous. The first phase of execution aims to detect and prevent threats using real-time file analysis. With the help of Artificial Intelligence (AI) and Machine Learning (ML) static file models, SentinelOne blocks 90% of threats during their pre-execution phase. Essentially, they’re able to anticipate a potential threat and respond instantly, before the threat is even deployed. SentinelOne’s second phase of detection uses dynamic AI behavioral models (ActiveEDR code analysis) for more sophisticated threats like zero-day attacks. Zero-day attacks are complex to detect because they don’t match any malware signatures, rendering previously effective signature-matching solutions useless. In fact, without behavioral AI, a critical facet of SentinelOne's security, many attacks would go unnoticed. In sum, these two autonomous threat prevention engines work simultaneously to yield the highest efficacy, lowest false positives, and lowest system impact. As a fail-safe, SentinelOne also incorporates an array of remediation services like One-click Rollback. One-click Rollback allows a user or administrator to revert a malicious file (activity) right back to normal with just one click.
On top of Singularity’s automated detection, protection, and response capabilities, SentinelOne also incorporates Deep Visibility Response to ensure their customers have full visibility into the endpoints’ network, files, and processes for easy self-monitoring. It explains why Singularity identified the process as a threat, the threat’s attack sequence, the action taken to neutralize the threat, and even links articles/resources where you can learn more about the type of threat encountered.
Beyond Endpoint Protection
SentinelOne’s execution from launching next generation antivirus (NGAV) in 2016, managed detection & response (MDR) through Vigilance in 2017, ActiveEDR in 2019, Singularity in 2020 and integrating extended detection and response (XDR) in 2021 has been nothing short of exceptional.
Since today’s threats are quickly growing in complexity, cybersecurity companies must innovate at a rapid pace to keep their customers secure. While this isn’t a “winner takes all” industry, the businesses that refuse to innovate at a comparable pace to their peers will lose market share. An example of SentinelOne’s more recent and exciting innovation on the Singularity platform is their extended detection and response (XDR). Today, highly sophisticated threats can avoid EDR detection, which presents the need for deep visibility across entire enterprises, not just endpoints. Fortunately, XDR solves this by collecting and correlating activity across the customer’s network, email, endpoints, and cloud workloads (Google Cloud, Azure, AWS, etc.). To assist with data logging and analytics, SentinelOne recently acquired Scalyr (Q1 2021) for $155 million. Scalyr gave SentinelOne the opportunity to offer fully integrated XDR right onto the Singularity platform. Coincidentally, SentinelOne's biggest competitor, Crowdstrike, acquired a similar log management company called Humio just a few weeks after.
SentinelOne's team is led by co-founder and CEO Tomer Weingarten, who states SentinelOne’s mission as follows: “Our mission is to keep the world running by protecting and securing the core pillars of modern infrastructure: data and the systems that store, process, and share information. This is an endless mission as attackers evolve rapidly in their quest to disrupt operations, breach data, turn profit, and inflict damage.”
Founded in 2013, SentinelOne has been an exemplary growth story since its inception. I created a graphic below to highlight the speed at which SentinelOne received large amounts of funding from some of the most successful Venture Capital firms (Sequoia Capital, Tiger Global Management, etc.).
Following SentinelOne’s IPO on June 30th, 2021, the company's market cap stands at over $12 billion. Thanks to the IPO, SentinelOne raised an additional $1.22 billion in funding to add more fuel to their remarkable growth.
SentinelOne's revenue for fiscal 2020 and fiscal 2021 was $46.5 million and $93.1 million, representing year-over-year growth of 100%. In their most recent quarter, ending April 30th 2021, SentinelOne further accelerated growth to 108% year-over-year, from $18.0 million to $37.4 million.
Since most of SentinelOne's revenue is derived from Singularity subscriptions, annual recurring revenue (ARR) is the metric used to calculate the value of recurring subscription revenue normalized over a full year. As of April 30th 2021, SentinelOne has earned annual recurring revenue (ARR) of $161 million, representing 116% growth year-over-year. The following chart represents SentinelOne's historic ARR figures to highlight just how sticky their platform is.
Specifically, the number of customers that generated ARR of more than $100,000 was 219 in January 2021, compared to 104 in January 2020 (110% growth year-over-year). As of April 2021, SentinelOne had 17 customers with ARR of $1 million or more, up from 6 the year prior.
Digging deeper, SentinelOne boasts some exceptional SaaS metrics in their S-1.
Over this past year, SentinelOne's customers grew from 2,700 to 4,700. On top of expanding their customer base, SentinelOne demonstrates clear and obvious upselling capabilities reflected in their net retention rate (NRR) of 124%. This means their cohort of existing customers increased their spend by 24% since last year.
With over 2/3 of their revenue derived from enterprise customers, SentinelOne is demonstrating the diverse use cases for their Singularity platform from small businesses with one IT agent to large enterprises with thousands of agents. In fact, SentinelOne has already acquired customers from 3 of the top 10 Fortune companies, an indicator of how premium their platform has become.
SentinelOne has become the growth machine it is today due to the proven scalability of Singularity, providing investors with some of the most attractive SaaS metrics public markets have to offer.
Venture Capital and Private Equity have been all over U.S. security companies. The graphic below, provided by Crunchbase, gives us an overview of how much private funding has poured into this sector over the past five years.
Interest in cybersecurity investments isn't unique to Venture Capital and Private Equity, as most public cybersecurity stocks have appreciated drastically this past year. The following chart exhibits total returns for cybersecurity companies from January 2020 through July 2021.
The aggressive growth in cybersecurity stock prices gives investors an indication of how integral these businesses will become in holding up our modern world.
Further, the growing demand for cybersecurity is encompassed in Google search interest for “Cyber security” below.
While the need for cybersecurity has long been a conversation within IT departments, the discussion has now reached the board of directors' purview due to increasing ransomware attacks like the Colonial Pipeline incident. We could see these discussions translate to higher cybersecurity and IT spend in the next twelve months.
According to IDC, the total addressable market (TAM) for SentinelOne’s products and services is expected to reach $40 billion in 2024, growing at a whopping compound annual growth rate (CAGR) of 11.9%. Their addressable market is broken down in their S-1 as follows:
- Corporate Endpoint Security: A $9.7 billion market in 2021, anticipated to grow to $12.0 billion in 2024.
- Cybersecurity Analytics, Intelligence, and Response: A $13.1 billion market in 2021, anticipated to grow to $17.1 billion in 2024.
- IT Operations Management: A $5.9 billion market in 2021, anticipated to grow to $11.1 billion in 2024.
Surprise, surprise, SentinelOne isn’t cheap by any valuation metric. That said, great companies are never cheap and retail investors always have to pay a premium for disruptive, high growth companies.
Today, at a $12 billion market cap and $112.5 million TTM revenue, SentinelOne trades around 100x price-to-sales. That's an absurdly high valuation. For reference, their main competitor, Crowdstrike, trades around 55x price-to-sales. However, SentinelOne's Singularity platform is an exceptional flywheel for capturing and upselling customers, reflected by the fact that their growth is outpacing Crowdstrike's. When considering its large addressable market, premium product, and broadening necessity for cybersecurity solutions, SentinelOne will inevitably grow into its valuation within the next 5 years.
I’ll reevaluate SentinelOne’s valuation every quarter on my Twitter, as they lengthen their track record as a public company and release more key SaaS metrics such as customer and revenue churn rates, burn rate, MRR, etc.
Beyond the inherent risk of holding high-valuation equities, there are several risks investors should be wary of. First and foremost, SentinelOne's operating losses are currently exceeding earned revenues. As a young company trying to grow as quickly as possible, this doesn't concern me too much for now. What's more surprising, >90% of SentinelOne’s sales are driven by their channel partners. That means almost all of their revenue relies on sales from third-party sales partners. Hopefully SentinelOne is able to increase their direct sales to reduce reliance on partners. Additionally, investors must not lose sight of the fact that recent IPOs are incredibly volatile (high risk) and typically produce suboptimal returns. Furthermore, SentinelOne operates in a highly competitive industry with notable competition from Crowdstrike. Lastly, investors should make note of the upcoming lock-up expiry date (12/27/2021), which marks the first day SentinelOne insiders will have access to their shares, which usually entails large selling volume.
SentinelOne's Singularity platform is the flywheel that captures huge demand and stands in the top quartile of net retention rates at 124%. This company is poised to continue increasing revenue and market share at shocking rates. While near term growth is priced into the stock’s valuation, it’s important to consider how consistently SentinelOne expands their addressable market (TAM). During this deep-dive I highlighted how SentinelOne went from offering ancillary cybersecurity products in 2015 to now going after a huge piece of the pie through their XDR platform, Singularity. This team does not slow down. Such rapid execution is hard to come across in any sector, and cybersecurity is one of the most sought after investment themes of this decade. I'm gonna keep up with SentinelOne's roadmap as they increase functionality and tap into new verticals on their Singularity platform. I am long $S with a 2% portfolio allocation from IPO day.