Updates: SentinelOne 1Q24 Execution Issues & Fundamentals Review

Updates: SentinelOne 1Q24 Execution Issues & Fundamentals Review

Summary

  • S posted an unexpected poor 1Q24 result, with growth decelerated further from 4Q23. Accounting errors and guidance slippage have generated mass panic and deep analyst scrutiny into the business.
  • After a bottom-up review, we standby our previous fundamental views on S, albeit with cautions about greater competition, the demand landscape, and executive turnover.
  • Overall, we remain cautiously optimistic about the long term future of S, and we believe the market overreaction has created a good margin of safety and risk-reward for fundamental investors.
  • In this update report, we reflect back on ZS' GTM headwinds prior to COVID-19, to help understand the possibility of growth reacceleration for S in the future.

Price Action Recap

One of the biggest risks for high growth names with high valuations is always the execution risk. One slippage in the quarterly results can result in sharp multiple contractions coupled with NTM expectation slash.

The most visible trend for us in the enterprise tech space is the continued broad slowdown in the sector. Unlike previous recessions, this round of macro headwind hit companies with varying degress of lag. For companies like Zoom or Okta, they were hit in mid-2021, way ahead of the crowd. For Snowflake and Cloudflare, the demand is so strong and the innovation is so great that they barely experienced the impact of macro headwinds until recently.

Market expectations also swing rapidly. Throughout 2022, investors were aggressively pricing in slowdowns, trying to front-run the macro uncertainties. While some of them were successful, there are periods when they timed the market too early, and the subsequent better-than-expected numbers, albeit weak YoY, are good enough to generate positive surprises. As a result, from the start of 2023, the market swings back to the other extreme; virtually every name experienced multiple expansions without an actual improvement in the numbers.

This is the case for S too. The multiples gradually melted up coming into the latest ER and then the hyped sentiment is met with the least exciting numbers since S IPOed.

With poor results, tech tourists start to make explanations based on the numbers. When the numbers are good, they call the stock a great technology company, and when the numbers are bad, they call it a bad technology company, as evidenced by S' latest results. But we are surprised to see that no one seems to be interested in the fundamentals of the product itself and how it is positioned in the industry. Without this long-term visibility, most analysts are trapped in chasing the momentum of ups and downs in quarterly results.

1Q24 Numbers

Before we dive in to our fundamentals review, let's have a quick look into the latest ER.

  • Revenue of $133.4m (+70.4% Y/Y) misses by $3.21m.
  • Annualized recurring revenue (ARR) increased 75% to $563.6m.
  • Total customer count grew approximately 43% to over 10,680 customers. Customers with ARR over $100,000 grew 61% to 917.
  • Sees 2Q24 revenue of $141m. The prior 2Q24 revenue estimate is $152.07m.
  • Now guiding FY24 revenue of $590m to $600m. Previously, S had guided FY24 revenue of $631m to $640m. The consensus estimate is $637.6m.

According to the CEO:

Despite many underlying business strengths, our Q1 topline growth did not meet our expectations. Macroeconomic pressures continue to impact deal sizes, sales cycles, and pipeline conversion rates. While not entirely new, the impact from these factors was more pronounced in Q1

Annualised QoQ growth slowed to ~25% with gross margin Adjusted CAC payback ballooned to 37 months, which is the one of the highest in the growth of 30%+ cohort. This means that the company needs to readjust their budgeting and optimise opex more quickly to achieve the FY25 breakeven target.

S has made good improvement on the bottom line. But as we've analyzed before, it isn't about the operating margin per se for this kind of early stage GTM company. The main metric is the ROI on the opex rather than the opex in relation to to revenue. Previously, S had a decent CAC Adjusted Payback among high growth cohorts. However, this quarter, the CAC Adjusted Payback period ballooned to a very high number.

The management noted that:

  • Macro continues to put pressure on deal sizes, sales cycles, and pipeline conversion rates
  • Deal deferral, compression, and elongation. Less buffer vs bigger players (i.e., CRWD)
  • Downtick in consumption >>> sharp decrease in log data ingestion, right-sizing what they put to the platform.

However, in terms of win rates and the competitive landscape, it remains unchanged. This is the place where we see a big cognitive dissonance in the analyst community. Lots of analysts are venturing into attributing the slippage to the competition from Crowdstrike, Microsoft, and many more competitors. We believe the management's reasoning is still credible here, and we don't see a sharp change in win rate or competitive dynamics as we've noticed in the CRWD report before, and the following product fundamentals.

Management also noted:

Cybersecurity spending is durable, but customers are not in a rush to spend

This is the place where many analysts missed the point. The consensus is still that cybersecurity is a non-discretionary spend. And many investors used the CIO survey and channel survey data to support that the spending in various cybersecurity sectors is still hot. However, from the bottom-up perspective, it depends on the customer type. What we are seeing is that some companies are still able to add ARR and deliver YoY growth similar to previous periods, but beneath the headline numbers, they are finding it harder to generate more demand and convert the pipeline because most customers now are cash strapped. This is a greater issue with network security and endpoint security because the sector is highly mature with tons of large installed bases, so key customers are postponing the deprecation of their existing legacy solutions to make their division's profit margin number look better.

Customer budgets are very different today compared to one year and two years ago

This could be cross-validated by SNOW's CEO's comment on CFOs taking charge rather than CIOs or CTOs, which is a rare development that hasn't arisen since ~2008. Ironically, OKTA's CFO also stressed that he is closely examining every cost item of the company and cutting down costs as much as they can. This is probably the biggest reason why S' consumption has dropped, because in the prior periods customers are more than willing to spend on DataSet (S' data backend equivalent to SNOW), but now customers are actively managing their bills. Instead of storing all log data, including S endpoint data and third-party data to S' data store, now customers are selectively choosing what to store and shortening the log retention time. These are changes not expected by S' management, and us too.

SNOW also experienced similar dynamics but with lesser impact due to its diversification across use cases that have direct ROI and revenue impact. For example, many sales and marketing teams use SNOW, and even in such a period when the budget is tight, the CFO can't easily trim down all of these costs because that is going to directly hammer the top line growth. However, for security use cases only, CFOs will be more than willing to cut usage in order to juice up the margins, especially as a potential security impact may or may not occur in subsequent quarters.

Larger companies can rely on cross-selling to their existing customer base, while S is mostly reliant on new customers

This seems to be a fair argument too. As we have observed with cases like MNDY and ASAN, point BoB solutions are having a hard time at present. No matter how great your product is right now, if it is not part of a greater platform then sales are going to struggle. Your competitors may be offering an inferior product, but they are doing so for free or at huge discounts by leveraging their platform. Then, of course, the CFO will choose breadth over BoB. Such as PANW and FTNT, we do see platform cybersecurity companies having more resilient revenue growth, even if individual products are not BoB. Another weakness of S in this regard is that it has three major bundles that include every product together. This gives huge value to customers with clarity, but it also means that it has less to cross-sell in the future but upsell.

Accounting Error

The management also noted underutilized enterprise licenses created a 5% accounting headwind. They double-counted consumption due to CRM system issues.

Many analysts noted this as huge news signaling a greater issue within the company policy, accounting, and CFO practices. Based on our reading of S' fundamentals, we believe this should be a one-time event due to the company's age and maturity. Every great tech company will hit a rock at some point in their journey. To the extent that the miscalculation doesn't impact the GAAP numbers, and the consumption pattern of S' data backend is undergoing change amid an economy teetering on recession, we believe the fear is overblown.

Layoffs

The company also announced a 5% layoff, which is not a surprise given everyone is laying off unproductive staff. The percentage is very low relative to other names including GTLB. We believe this layoff will mainly be in the S&M function, especially in Account Executives who didn't hit the quota. In cybersecurity, the turnover in this function is normally high and we believe S' great product momentum also led to unproductive AEs to easily hit the quotas, in a similar vein to the AEs at NET.

Unlike other tech companies who announced a 10%+ layoff impacting the core engineering functions, so far we still see tons of promising and innovative talents going to S instead of the other way around. As long as they keep on investing in engineering and product talent, and iteratively improve the GTM execution, the long-term potential of S is still great.

From the pure ACV metric alone, CRWD is 2.2x greater than S due to its more established brand, early enterprise adoption, and higher market share. As S continues to mature in the enterprise segment, we wouldn't be surprised to see the ACV increase to the size of CRWD and beyond.

Upsell and cross-sell potential

S added another Fortune 10 customer this quarter, now totaling 5 out of the Fortune 10. It is common for a big enterprise to use multiple EDR/XDR solutions concurrently. Based on our analysis, right now the mix is ~50% CRWD, 30% Carbon Black (VMW) and <20% S. The adoption and shift to the newer XDR vendor is entirely on a customer's discretion, meaning they can deploy S on 100 endpoints initially and gradually ramp up the licenses. However, given the current macro environment, a quick way to save the cost is to postpone the adoption and continue to use the existing licenses and vendors. S has gained a foothold to major enterprises now, and it will take more time to gradually replace legacy solutions and be fully deployed within one big enterprise.

From the DBNR perspective, S has slowed down from 132% to 126% this quarter due to weaker than expected customer data and license consumption.

Gross profit was $91m, or 68% of revenue, compared to 65% of revenue a year ago. Non-GAAP gross

profit was $100m, or 75% of revenue, compared to 68% of revenue a year ago. This significant YoY increase was driven primarily by increasing scale, data efficiencies, and customers’ growing platform adoption. The difference between GAAP and Non-GAAP is mainly driven by the amortization charges associated with the Attivo and Scalyr acquisitions. So in real numbers, S is now selling at a similar premium to CRWD from the COGS perspective. We believe this is a great sign because the company isn't selling cheap for fast market adoption. On the other hand, maybe they have pushed this up-pricing too far and thus hammered the topline growth a bit.

It is to be noted that although S and CRWD now have a similar gross margin, their price to end customers is very different. If you factor in deployment, integration, training, and operation costs into the Total Cost of Ownership calculation, then S is still 1/4 of peers primarily due to its automation features and last mover advantage. In special bundles for SMB and using Humio data backend with lower performance but better cost, CRWD could lower down the TCO gap by 1/2 but it is still a pricey product from the end customer pricing side.

On the customer count add this quarter, S has a very weak enterprise customer add, growing only from 905 to 917, or only 1.3% QoQ or ~5.4% annualized, which is weaker than total customer growth growing at ~30% annualized. According to management, this is due to an elongated sales cycle, which we believe should be partially correct.

Product Fundamentals

LLM-powered automated shift-right

S was amongst the very first to release an LLM-powered security copilot for its shift-right security operation backend. We believe this is becoming a commodity in the sense that everyone can plug in LLM, like OpenAI or Anthropic, and offer a conversational interface for the security operation backend to lower down the learning cost, response speed, and investigation time. This is becoming a negation test - introducing LLM-related features won't give you a sustainable edge, but you if don't, it means you are becoming a legacy incumbent org.

However, we view S positively here because it is amongst the very first to adopt LLM copilot in the field, at a similar pace to Orca and other startups. At the same time, we are yet to see bigger players like ZS, CRWD, and CSCO introduce similar products. This is a great early indicator that S is still keeping its early stage startup mindset, despite ARR being close to $600m. We are seeing many other attributes pointing to the fact that S is still highly innovative and it is an adopter of the newest technologies and engineers have discretion to explore and innovate on their own projects.

Competition

Although many analysts discredited S' CEO's claims, we find his comment on MSFT more genuine than CRWD's

Microsoft is a formidable competitor. I mean this is not a legacy signature-based solution. Obviously, they have a fairly expanded security portfolio. With that said, I think that for customers that are looking for the security capabilities and the coverage that pure-play vendors can provide, Microsoft just doesn't cut it.

So I think in certain parts of the market, you can see them a bit more palatable for security teams. But as a whole, I think that doesn't really translate into more discerning customers. Moreover, I think that when you look at what capabilities, customers are opting right now for cloud security would be one that I mentioned, triple-digit growth for us year-over-year on cloud security.

That is something where obviously Microsoft is not as I would say, prominent in their capability set. So all in all, they're still there. We see time and time again that when people eventually do go with Microsoft, that's a CFO-type led decision. I think that more and more people are kind of shying away from that approach.

The last thing I'll say there is we're targeting now between all the different offerings we have in our portfolio about $100 billion addressable market. Even if you look at Microsoft as one of the leading cybersecurity providers with $20 billion of revenue overall, I mean, I think you're looking at about 1/5 of that market. So a lot of it is still up and up for grabs.

And we feel still pretty good about our ability to compete with Microsoft, especially with security savvy professional, especially with MSSPs that are looking for more automated, more OpEx-driven solutions. So we feel well positioned, but obviously, Microsoft, they're a formidable vendor out there.

He highlighted that MSFT finds greater appeal in CFO-led decision making, and it won't work in the longer term. This cross-validates our view that in the present and the shorter term, some companies will sacrifice their overall security a bit for a solution that is cheaper on paper, but more costly from a TCO perspective over the longer term. It is purely the pressure to cut costs with immediate effect that is fostering a shortsightedness within enterprise customers right now. Again, we see a big divergence in the views between financial analysts and security practitioners. The former believes that MSFT with a platform and freemium license play will crush pure-play vendors like S, while the latter believes good enough solutions are not good enough, and BoB is the standard.

We believe the truth is somewhere in between. In the short run, marginal customers will find it more attractive to explore ways to utilise free endpoint security licenses from MSFT's E5 and spend more on internal engineering or third-party integrations to deploy these "free" solutions. Over the longer term, they will recognise that it is not free to use MSFT and the TCO plus security deficiencies will make MSFT less attractive as a long-term solution.

In regards to CRWD, as we've analyzed before, CRWD has made tons of improvements to make it more attractive and refreshing rather than an aging next-gen early mover. Marginally, it will make CRWD solutions more competitive than previous quarters, and thus lower down S' traction a bit. However, this is not a total revamp and we believe that CRWD won't retake the product strength leadership from S. This is also evidenced by S' comments that the win rate and churn hasn't changed.

The big picture view from the industrial evolution side is that the consolidation is happening and S is still in the duopoly play for the future XDR.

In the previous age of endpoint security, there were 10-15 major endpoint security vendors all with comparable core products but differentiated specialities, which made the sector super fragmented. However, because of EDR/XDR, which emphasises on the scale of the cloud data backend, smaller vendors will find it harder to compete with the bigger ones. We believe in the next decade, there will only be CRWD, S, and PANW as the key players in the endpoint security industry, while MSFT will be on the sideline for some special customers.

Some newer startups like Expel, Deep Instinct, and Artic Wolf could potentially disrupt the game, but they will mature in the next 3-5 years, not for now.

Cloud, Identity, and More

S also noted that new products represent 1/3 of new bookings. And its exclusive partnership with Wiz Security has gained triple-digit growth for several months.

At the start of 2023, Wiz Security announced an exclusive partnership with S whereby S' data backend will be able to directly ingest Wiz Security's context rich information. The two will share the cloud (CSPM) and endpoint (EDR) data together to deliver a better overall solution. S' objective is to create a cloud-native SOC that can:

  • Detect and respond to cloud security threats at machine speed
  • Collate context enrichment from Wiz's cloud data
  • Visualize cloud security posture in real time
  • Identify attack paths to critical cloud resources
  • Prioritize risks and quickly triage actions to reduce risk
  • Protect cloud workloads from build time to runtime,
  • Shorten the mean time to detection and the remediation of cloud incidents.

The exclusive partnership with Wiz is a great cross-validation for S being the best XDR vendor. Wiz, along with PANW, are now the de facto leaders of cloud security, and Wiz is still growing at a very high rate, while pretty much every other cybersecurity startup and public company have slowed down substantially. For more information about Wiz Security, be sure to check out our previous analysis.

The deal will compliment Wiz's agentless technology, and it is widely speculated that Wiz needed to make the deal because they do not have the in-house knowhow to build an agent-based tech themselves. We believe that over the longer term, the best cloud security vendor has to own both agentless and agent-based technologies to deliver a comprehensive cloud security platform. Interestingly, on 5th June 2023, Wiz announced the release of its own Wiz Runtime Sensor that is able to collect log data from Kubernetes via eBPF. This means that Wiz has plans beyond its partnership with S, and is entering the world of CWPP and runtime security now. Though, initially they are starting with visibility rather than prevention, detection, and response.

We are not so sure if Wiz achieved this by using a white-labeled tech from S, or whether they built this themselves from scratch. It seems like this is still an early complimentary solution to its Kubernetes visibility platform rather than a direct competition to S. Overall, we see this deal as a positive one for both vendors, and it gives us better confidence that S is the BoB and the latest technology leader.

Executive Turnover

In January 2023, S announced several executive appointments followed by the departure of its CMO and CPO, who left for CRWD. In April 2023, S appointed a new CMO, but the CPO role remains vacant.

Here is what Founder & CEO Tomer Weingarten said about the new executives:

Mrs. Mahdavian is a seasoned business leader with a proven track record of driving strategic growth. Mahdavian joins SentinelOne after over a decade at McKinsey & Co., where she was a partner and a leader in McKinsey’s Technology, Marketing and Sales practices, with clients including $50B+ software and hardware providers, global technology infrastructure organizations and multiple growth stage SaaS companies. As SVP of Business Transformation, Mahdavian will drive strategic initiatives, business intelligence and monetization strategies.

Mr. Gale has over 20 years of experience driving product innovation across the cybersecurity industry in both marketing and product leadership roles. Prior to SentinelOne, Gale was the Global VP of Product Marketing at CrowdStrike, where he hired and built a marketing organization spanning product, technical and competitive marketing as well as analyst relations. Before CrowdStrike, Gale was Chief Product Officer at Automox and Chief Product Officer at CyberGRX. As VP of Product Marketing, Gale will lead the go-to-market strategy for the Singularity Platform.

Mr. Taori is a proven business leader with a 20-year track record of building businesses, establishing market leadership positions and creating successful products. Taori joins SentinelOne from Amazon Web Services, where he was Product Leader responsible for OpenSearch analytics, search, observability and security offerings. As GM of DataSet, Taori will be responsible for defining the strategic vision, operations and go-to-market execution for SentinelOne DataSet.

Mr. Tinker has more than 25 years of experience leading renewals and driving customer success across technology organizations. Prior to SentinelOne, Tinker was SVP of Global Renewal Sales and Operations, Acceleration Sales GTM at Riverbed Technology, where he led a global team responsible for over 55% of Riverbed’s total revenue. As VP of Global Renewals, Tinker will scale the global renewals organization leveraging a standard enablement approach to increase bookings, net revenue retention and maximize gross revenue retention.

Mrs. Tsumas brings over 20 years of experience leading sales and strategic growth across high-tech companies. Tsumas joins SentinelOne from Cohesity, where she was VP of Sales, US Strategic & Enterprise. Prior to Cohesity, Tsumas held positions at VMware, NetApp and Cisco. As VP of Global Accounts & Programs, Tsumas will be responsible for leading and developing strategies that enhance customer experience across SentinelOne’s largest customers and prospects.

Sally Jenkins as Chief Marketing Officer. In this role, Jenkins will be responsible for the planning, development and global execution of the company’s marketing strategy to elevate the SentinelOne brand and support industry-leading growth at scale. Jenkins will report directly to SentinelOne CEO Tomer Weingarten.

A tenured and experienced leader, Jenkins has a proven track record of building brand and demand at leading B2B and B2C companies, including Elastic, Informatica, VMware and Symantec. Jenkins joins SentinelOne from Elastic, a data security and observability solutions provider built on Elasticsearch, where she successfully transformed the company’s positioning, marketing strategy and vision to meet the hypergrowth company’s evolving needs, contributing to a 300% revenue increase during her tenure. Prior to Elastic, she was CMO at Informatica, an AI-powered data management company, where she was instrumental in repositioning the company as a leader in the enterprise cloud data management category.

It's interesting that CRWD and S switched their marketing talent. CRWD takes S' CMO who masterminded a channel strategy that greatly targets the weak spot of CRWD and led to a differentiated success for S. Meanwhile, S hires CRWD's marketing talent to build up a greater presence with enterprise customers to generate more mind share and brand awareness.

The new SVP of Digital Transformation should help S drive more replacement deals in a similar vein to what ZS had done in the past few years.

The new GM for DataSet comes from an AWS background, managing its OpenSearch and related observability and security products. This should help DataSet mature and become more comparable to pure plays like ESTC and DDOG. It is to be noted that OpenSearch is an open-source form of ElasticSearch. This is pretty rare because in the likes of MDB and other OSS, AWS wasn't able to create a public alternative with strong control and community endorsement. Thus, we should have more positive expectations for DataSet in the future because of the new leadership.

The new VP of Global Renewals and VP of Global Accounts & Programs indicate that S is scaling up its operations and building up its enterprise S&M capabilities. This should help it better manage the DBNR and upsell/cross-sell in the future.

The new CMO comes from a different background from the previous CMO who was more experienced in the endpoint security industry. The new CMO comes from an ESTC background, which may signal that S is focusing more on the SOC backend and observability-related opportunities rather than core endpoint security only. This seems to be a long-term strategic initiative for the greater platform expansion. In the shorter term, however, we may not see S continue to have a dominant position in the channel and XDR marketing mindshare, which may explain why its 1Q24 results are poorer.

To summarise, the executive turnover:

  • matures the company's GTM capabilities, especially within enterprises;
  • highlights the strategic importance of DataSet as an independent business unit that can compete with the likes of ESTC, SPLK, and DDOG;
  • strengthens the company's ability to expand the platform and maintain XDR vision leadership.

However, the question remains as to whether S is able to maintain its existing channel leadership and product leadership given this shift in managerial talent.

Thesis Revisited

Parallel with ZS T-4?

We view S as a typical red ocean disruptor in the sense that:

  • A category-defining vendor disrupting a big and old sector.
  • One or two direct public competitors that are older, and lots of startups trying to copycat.
  • Most of the revenue comes from replacing legacy install bases.
  • Currently, customers favour incumbency with replacement projects being postponed.
  • The sector is ripe for consolidation and S is destined to be among the top three players of endpoint security in the future.
  • In general, analysts don't hold the fundamental insights on the industry level.
  • They rely on channel surveys and past financial performance to explain the product strength. When numbers are bad, analysts develop reasons as to why it is not a great innovator, and when numbers are great, analysts praise the company and develop reasons as to why it is great and far ahead.
  • As a result, the stock trades with high volatility, with investors jumping in and out of the name quickly.
  • The bottom line, however, is that the company should be able to deliver 15%+ CAGR for 5+ years, and it should be able to reach $3-$5bn terminal ARR given the industry TAM and consolidation trend.

History doesn't repeat but it does rhyme

!DOCTYPE html> Contact Footer Example