SentinelOne Investor Session at OneCon24

OneCon24 is SentinelOne's annual cybersecurity conference for customers and partners

Oct 26, 2024

SentinelOne recently held their annual customer and partner conference in Las Vegas. In the midst of the conference, they held a two-hour presentation for analysts, with individual presentations from four executives and a Q&A session.

During the presentation the company highlighted a number of new developments, primarily around areas of artificial intelligence, automation and SentinelOne’s impressive growth in LOBs beyond the endpoint, like data and cloud.

I’ve listened through the presentation multiple times, summarizing each section and incorporating relevant quotes and screenshots from the slide deck.

SentinelOne is currently Sycamore’s largest holding, making up over 30% of the portfolio. I believe their superior technology, AI-native and open architecture framework will lead to continued market share growth, positioning them to outpace competitors like CrowdStrike and Microsoft.

Last thing, if you are newer to Sycamore and would like to see my thesis on SentinelOne, you can find that here:

SentinelOne Thesis | Sycamore Portfolio Update [July 2024]

Matthew | Sycamore Capital

August 9, 2024

Read full story

Now, here is the recap from OneCon24:

Tomer Weingarten, CEO & Co-Founder | Technology, Opportunity, and Strategy

“So I really believe there's going to be a new dawn for cybersecurity in the next 2 to 3 years. And we believe that we're incredibly well positioned to change the face of cybersecurity more than we have been in the past decade or so. It's definitely not a solved problem.”
- Tomer Weingarten

Tomer Weingarten emphasized SentinelOne's mission to build autonomous, AI-driven systems for real-time threat detection and response, eliminating the need for constant updates.
Weingarten contrasted SentinelOne’s real-time, autonomous systems with competitors that rely on delayed detection models and frequent updates, positioning SentinelOne as a leader in next-generation cybersecurity.

The importance of these two slides seems to be little understood. Here is the fine print:

“Delays: delays in detection; Configuration Changes: MITRE provides vendors with an opportunity to re-test any step after reconfiguring their product to increase their visibility of the threat. Usually, this means entirely new data sources or detection logic were brought in by the vendor, only after they know exactly what MITRE is doing.”

Delays and configuration changes are unrealistic in the real world. SentinelOne’s superior technology is real-time, AI-native, and not dependant on any interventions or mulligans. These are not subjective internal studies, but objective third party evaluations.

“So for us, taking that autonomous approach, a unified platform, simplicity, scalability, and moving security to be real time is the goal and is what we believe is going to lead the cybersecurity market in the next few years. So as I mentioned, the real-time security aspect is so incredibly important that we're also seeing customers starting to open up to the idea that something is wrong, that the way that things have been done to date are not contributing to better security. And first and foremost, it's that need to have a system that sees events in real time and not after the fact.”

SentinelOne's solutions offer comprehensive protection across endpoints, cloud environments, and workloads, serving small businesses and large enterprises, including half of the Fortune 10 (+1 from previous disclosure of four of the Fortune 10).

“This is not a product that is designed just for Fortune 500. This is not a platform that can work only for a small/medium business. This is the same product, the same code base, the same technology that serves half of the Fortune 10, and at the same time, a 50-seat small/medium business. That is obviously tremendous power.”

AI SIEM and Purple AI are introduced as ground breaking technologies, enabling AI to operate at scale across the entire enterprise by making data more accessible and actionable.
SentinelOne's open architecture allows integration with third-party products, offering flexibility to customers and eliminating the need for a "rip-and-replace" approach.

“The ability to also support every and any third-party provider has put us in a very unique place where we don't have to force customers to go all-in with a single platform, rip and replace all kinds of different things, pre-buying licenses, forcing to move away from different products. That is not the way. It is absolutely not the way. The open architecture approach that we've devised allows for flexibility. It allows for choice. And it allows for customers to weigh in their security decisions and choose the best product for them. It might not be SentinelOne all the time. We recognize that. We want to be applicable no matter what you have in your enterprise, be it one of our competitors, be it a cloud security company, it doesn't really matter. The ability for a backbone data lake to ingest data almost as a first-party citizen in the platform then allows for these 2 other layers that you see, which is the security operations layer with the AI SIEM, and then hyper automation, which we just talked about today. These 2 layers are generic. They work across every single product that you have in the enterprise, not just SentinelOne native surfaces. And obviously, the pinnacle of all of this is the ability to then apply AI processing on top of any piece of data that gets into that data lake, once again, whether it's SentinelOne or a third party, that is the game changer. The ability to stitch together the separate data points, siloed product into one cohesive AI-driven enterprise defense is unique, and it's what we believe is going to be the future of cybersecurity.”

The company has seen tremendous growth, approaching $1 billion in annual recurring revenue (ARR) with a 7x increase in ARR since its IPO just three years ago.

“So obviously, we got a pretty significant amount of growth vectors that we're executing across and are growing towards. Not only our go-to-market is wide reaching, but our ability to now go into new markets -- these are very pristine. The opportunity is not even 50% -- or close to 50%, much like the endpoint market. These are new opportunities. The data market is a new opportunity for us and for every other vendor out there. The cloud security opportunity is just in its first inception. The reason these markets at this stage are important for us, it's because there has been a definite sentiment and a change in consideration for what SentinelOne can do in light of some of the shortcomings of some other vendors. So as we look to the next few years and growing our customer base across these different TAMs, that consideration at this point in time is key. It puts SentinelOne as a front contender for all these new surfaces in the enterprise that represent the vast amount of that $100 billion target addressable market opportunity.”

SentinelOne's cloud security business has exceeded $100 million in ARR, demonstrating robust growth in this segment, while its data business has also reached a milestone, surpassing $70 million in ARR. Both segments are growing faster than company wide top-line revenue (+33%), with data growing the fastest.
The focus is on the growing importance of real-time security, cloud security, and data analytics as major opportunities in the cybersecurity market.

SentinelOne fosters a culture of transparency, trust, and innovation, contributing to its strong reputation and positioning the company to lead future advancements in cybersecurity. This is something I have pointed out in my thesis. Reviews of real employees (current and former) on Glassdoor are overwhelmingly positive regarding the CEO, the culture, and the technology and innovation.

“SentinelOne has actually been the highest-rated cybersecurity employer on Glassdoor for the past, I think, 4 or 5 years. This is not an easy feat. We can't game any of these things. This is people and what they believe and what they think and what they choose. So you're seeing one of the fastest-growing cybersecurity companies, we're the fastest-growing software companies with the highest rated culture, with best-of-breed products that lead the market with AI, I would say SentinelOne is a tremendous company.”

Ric Smith, President, Product, Technology, and Operations | Singularity Platform: Autonomous Security

SentinelOne takes pride in being the first line of defense for customers, processing over a trillion events per year and blocking over half a million ransomware attacks.
The company focuses on defending against both external and internal threats, including state-sponsored actors and employee cloud misconfigurations.
The industry is shifting from simply identifying threats to innovating in response, with SentinelOne focusing on triage, investigation, threat hunting, and automated remediation.
SentinelOne’s Purple AI drastically reduces response times from hours to minutes, cutting costs and reducing risk exposure.
The AI SIEM enhances efficiency by removing context-switching and automating tasks, allowing analysts to work faster without replacing them.

SentinelOne leverages AI to interpret events in real time, whereas competitors rely on delayed telemetry analysis.
Updates are handled through progressive rollouts that customers can control, reducing the risk of impacting business operations.

“Based off of a recent congressional hearing, we are fully aware that our nearest competitor [Crowdstrike] delivers 10 to 12 content updates per day. In comparison, we do the same volume of updates over the span of a quarter.”

SentinelOne addresses data overload by using AI to distill trillions of data points into meaningful insights and actionable alerts, improving security outcomes.
The company’s AI-driven approach extends across all products, including endpoint, cloud security, and identity management, ensuring faster, cost-effective, and scalable cybersecurity.
SentinelOne is dedicated to using AI to enhance human capabilities, driving "superhuman" successes in security operations.

Link to Purple AI Demo → here

Michael Cremen, President & CRO | Go-To-Market: Expanding Reach & Scale

Michael Cremen, CRO at SentinelOne, emphasized the growing demand for Purple AI, noting its short sales cycle and positive customer reception due to its ability to solve problems and create opportunities. Purple AI reached double digit attach rates in its first quarter of general availability.

“And I got to tell you, the whole room was buzzing when we had customers talking about the applicability of Purple AI, not just solving problems but creating opportunities. And I got to tell you, probably the highest in demand and shortest sales cycle in terms of our product I've seen, that's great for customers and wonderful for a CRO. So thank you very much.”

Cremen highlighted the expanding threat landscape, with AI-led attacks on the rise and dynamic environments requiring autonomous protection. Customers are increasingly focused on quality, risk mitigation, architecture, and cybersecurity strategy.
He reflected on his first year at SentinelOne, attracted by the company's hypergrowth, innovative AI technology, and commitment to partners. SentinelOne's large TAM further supports this growth.
Over the past three years, the company has focused on three key areas:
- Expanding the customer base, with the number of customers generating $100K+ ARR increasing 3x.
- Deepening penetration in the enterprise segment, particularly with $1M+ ARR customers increasing 5x.
- Transitioning to platform sales beyond endpoint security, resulting in a 2x increase in ARR per customer.

The partner ecosystem is a key growth lever, with a holistic, integrated strategy developed to align with various partner categories (MSSPs, cloud service providers, OEMs). This partner ecosystem is viewed as essential for long-term growth.

“Finally, it's overall, not selling products, but selling a platform and expanding and extending well beyond endpoint as Tomer and Ric both talked about.”

Cremen emphasized the importance of strengthening sales fundamentals, including pipeline management, revenue operations, and building a high-performance culture, all aimed at achieving consistent, predictable, and sustainable growth.
He concluded by expressing optimism about the future of SentinelOne, highlighting the company’s strong foundation and bullish outlook for continued success.

Barbara Larson, CFO | Financial Overview

Barbara Larson, CFO of SentinelOne, emphasized her excitement to join a company known for its leadership in innovation, strong culture, and substantial market opportunity.
SentinelOne continues its incredible growth, driven by new customer acquisition and deeper partnerships, with ARR growing 32% year over year in the most recent quarter, nearing the $1 billion ARR milestone.

The company’s margin expansion sets it apart:
- Delivered 80% gross margin in the last quarter, with 79% forecasted for the current fiscal year.
- Significant improvement in operating margins, driven by scaling and strong unit economics.
- Expanded free cash flow, enabling continued investment in innovation.

“Now as impressive as this revenue growth has been, our margin expansion really sets us apart and it highlights our focus not only on scaling up but operating more efficiently as well.”

Since its IPO, SentinelOne has hit the high end of its long-term gross margin target and achieved meaningful leverage across all cost lines, highlighting the company’s progress toward building a profitable business.

Looking ahead, the company focuses on agility, adapting to the dynamic market while balancing growth and profitability.

“I clearly see an opportunity to drive continued leverage and strong growth. So to that end, we're balancing growth and profitability. That continues to be at the core of our strategy. That won't change.”

Q&A

Lenovo OEM Partnership: SentinelOne’s partnership with Lenovo is a subscription-based model where SentinelOne is pre-installed as part of Lenovo’s ThinkShield offering. SentinelOne benefits from long-term revenue opportunities as the ThinkShield offering is activated, and Lenovo benefits from offering enhanced AI-based security. There are plans to extend this model to other OEMs.
Growth Investment Priorities: Now that SentinelOne has reached profitability, growth investments will focus on sales and marketing to capture market opportunities, while balancing operating margins and profitability. The company expects continued efficiency and leverage as it scales.
Endpoint Market Dynamics: SentinelOne sees significant growth potential in the endpoint market, driven by dynamic shifts in the cybersecurity landscape. The company remains agile to capitalize on daily changes, including emerging threats and espionage campaigns.

“Every single day there is something. Yesterday we saw probably the advent of the largest global espionage campaign the world has ever seen. That's new. So every day, there is a catalyst for us, and we're just trying to stay nimble.” - Tomer Weingarten

Flexibility in Pricing and Offerings: SentinelOne emphasizes flexibility in pricing models, supporting subscription, consumption-based pricing, and enterprise license agreements (ELA). While flexible in approach, the company avoids aggressive discounting or "giving away" products for free.
Cloud and Data ARR Growth: SentinelOne’s cloud and data ARR have grown faster than its overall business, driven by the increasing demand for AI-driven solutions. The company views the cloud security market as converging among four major players, with workload protection as a key growth area.

“If I look at the overall cloud security market, I mean, look, to me, this market has converged into maybe 4 formidable players, which we're one of. And that makes a pretty simple picture, where one of these players is a network player that has done fairly well, probably leading the cloud security market in terms of revenue. One of them is our endpoint peer, which is probably kind of second level in revenue in that market. Then you get 1 stand-alone upstart that has done a great job in selling a CSPM oriented offering. And that's the only stand-alone that I see in the market that I believe is relevant. And then there's SentinelOne.” - Tomer Weingarten

Impact of Competitor’s July 19 Incident: SentinelOne has seen a significant shift in customer consideration due to a major incident involving a competitor. This has led to new customer conversations and interest in SentinelOne’s solutions, with positive long-term effects expected.

“So is this a net positive for SentinelOne? Absolutely. Did the other vendor take a reputation hit? Absolutely. That would be the lens that I would encourage all you to think about this.” - Tomer Weingarten

“If there's one thing, I think, we can clearly share is that in terms of the partner ecosystem, which if you think about it, they've also, given what we here, have lost pretty significant amount of their inertia in terms of expansion movement with that competitor. And we share a lot of these partners, right? I mean these partners work with a lot of vendors. I think they're absolutely coming back to us and looking to us as to how we can help with those expansion footprints. So to me, again, it's a structural change that impacts SentinelOne probably the most. I think it impacts us in an incredibly positive way when you think about the adjacent surfaces.” - Tomer Weingarten

SIEM Market Position: SentinelOne's SIEM offering is designed to be agnostic, able to ingest data from any surface, whether native or third-party. The company focuses on offering the best functionality rather than relying solely on its endpoint incumbency, and SIEM remains one of the hardest surfaces to replace in cybersecurity architectures.

“I think the consideration point for SIEM is so different than endpoint that thinking that just because of endpoint incumbency, you have the right of passage to data, I don't even think that for our customer set. I think that you need to have the best capabilities possible. And that's what's going to determine the consideration. Look, we have done deals where we ingest data from Palo Alto firewalls and CrowdStrike endpoints. We've actually been the data bridge between Microsoft and CrowdStrike all being put into a SentinelOne data lake. I think that at the end of the day, you don't want to replace 1 SIEM for the other. You want to pick a foundational technology for the next 3 to 5 years. These things, there's not going to be a rip out motion every couple of years. This is going to stick. It's going to be significant.” - Tomer Weingarten

General Sentiment: SentinelOne is optimistic about its position in the market, with strong momentum in areas such as cloud security, workload protection, and customer retention. The company expects continued success in capturing market share.

Sycamore Capital is not investment advice nor a recommendation to buy, sell, or hold securities. Sycamore Capital is not an investment advisor and does not manage client assets. Assets are my own. Opinions are my own.

Sycamore Capital