All right, I think we can go ahead and kick it off. Thanks everyone for joining us at the SentinelOne Session at the Goldman Sachs Conference. I'm Gabriela Borges, I cover Security here at Goldman. Very excited to have Co-founder and CEO of SentinelOne, Tomer Weingarten, on stage with me.
Thank you.
Thank you for your time this morning.
Absolutely. Thank you for having me.
Tomer, we started to have a little more of an architectural discussion on the earnings call, and you highlighted a couple of things, including the embedded AI models that you embed into the agent that allow them to work a little bit more independently than some of your competition.
Right.
So tell us a little bit more about where are your technical advantages with the embedded AI model, and is there a trade-off with the lightweightness of the agent? How do you think about the trade-off between putting more content in the agent versus having a lighter weight agent?
Yeah. So there's a few things there. You know, first of all, putting more embedded AI capabilities and detection capabilities just mean less updates, and I think we've seen the results of what excessive updates can create. So having a generic approach to detecting threats that doesn't require these frequent updates, I think that's a huge architectural change or difference between, you know, what we've been doing for years and some of the competition. I think then, it's not necessarily the lightweight nature of the agent, it's actually how lightweight you are and what you do at the most sensitive part of the machine, which is the kernel.
So if you kind of think about, you know, that product that failed, if you think about the amount of code that was put into the kernel, into that sensitive area, which is still the case, by the way, for everybody running that piece of software, think about it as this chunk at the kernel. All of that is code that can fail, that can potentially crash. It's a lot of risk surface. If you think about SentinelOne at the kernel, it's probably something like that, and it doesn't mean that it's less functionality overall on the endpoint. It means it's less functionality at that level. And then you have user space outside the kernel, where, you know, things are much, much less risky, and this is where we run most of our logic. And I think that has been kind of forever our mantra.
You know, just minimize what you do at, you know, these sensitive parts of any machine. Again, to the point where on Linux, we don't touch the kernel at all. Mac, we don't touch the kernel at all. Cloud, obviously, we don't want to touch it, the kernel. So far you don't have access to the kernel, so it's just, I think, a better, I think, safer approach, but, you know, that's just me.
Could you explain a little bit more on why you don't need kernel access in Linux to work effectively, and where do you think Microsoft goes from it, from what are some of the ways that they can balance the need for security products to be able to operate effectively with kernel access?
Yeah, I'm sorry. I'll take a sip of water. But that was the center of discussion, I think, yesterday at the-
Yeah
... the Windows Summit. And in Linux, you know, what you have is a framework that's called eBPF, and eBPF basically gives you all the telemetry that you need from the kernel without needing to be at the kernel. So it's a very smart interface that allows you to subscribe to it, and then it's as if you're at the kernel level, and you're getting the same type of visibility and access. Microsoft doesn't really have something like that, and I think part of the discussion yesterday was, "Hey, can we minimize some of these interfaces? Can we potentially lock down the kernel more than it is today?" I would say the overarching message yesterday was that that's not going to happen.
They're probably gonna supply more interfaces to receive some of these threat-related notifications, but to move all the way to a Linux-like architecture or eBPF-like architecture, most likely not going to happen, or not in the foreseeable future. The other big point of emphasis there was on the actual testing, validation, and deployment best practices, and I think it was very central to what one vendor had done or ignored. I think what Microsoft is just trying to do is to say: We don't want to see that happening ever again, thus, we are going to beef our criteria to make sure that no vendor decides to ignore it. Now, for us, it's no change. You know, we've followed these best practices for years.
So I think now they're just putting more of a spotlight on it, and I think they're just making sure that, you know, vendors are not able to just do what they want, basically. 'Cause it, it's a very, very open, I think, open field when you think about the kernel. There's no limitation. You can choose how much you want to put there, you can choose what you want to put there. So I think Microsoft, you know, just are trying to do the right thing and make sure that, you know, this time it was CrowdStrike, maybe, you know, in a few years, some other vendor is going to decide to do something, some newer vendors, we don't know, but now they won't - they don't want to take that chance.
They're putting more rigid, I think, deployment criteria, software quality control criteria that were just not there, so anybody could have done what they want. By the way, this is not just for security vendors, it's for everybody that installs any type of driver at the kernel level. Security providers have additional services they can tap in terms of boot time, load time, so you can actually load into the system before anything else load because you want to be there before the bad guys, basically. So there's a lot of other considerations that are, I think even more open to security vendors, and they want to make sure they put controls around that.
There's a simplistic way of thinking about the power between the cloud environment when it comes to accessing the kernel space, and more specifically, not accessing it, and what you do in Linux environments. Maybe expand on that a little bit. How does what you offer in the cloud compare technically to what you would typically offer on a classic on-premises implementation of endpoint with Linux, for example?
Yeah, it's very, very similar. I mean, we got almost complete feature parity between the different products. The main difference is that the way that we implement anti-tampering, and anti-tampering is basically you don't want to get removed from these devices ever. I mean, once you're plugged in, you want to make sure you're seeing everything that's happening on these devices or workloads. Attackers are constantly trying, or one of the means to bypass security solutions is to basically uninstall them, remove them, blind them, all kinds of different methods. And anti-tampering is something that is only effective if it's done at the lowest level of the machine, 'cause then again, you're there before the attackers. You can always see when somebody's trying to tamper you. If you're not loaded first, you can't see that.
So in Linux, we kind of don't have that mechanism just because we're not touching the kernel, but at the same time, we've devised other controls that can let us know when there's a deviation from the norm, when something just anomalous happens on the device. And then we can trigger an alert for the admin to go and check, "Hey, there's been a change in configuration. Go and check what happened." So we can't prevent being tampered with completely, but we can alert on it. And I think in the cloud environment where... You know, if you think about what's in the cloud, you sometimes have virtual machines. You don't have really a lot of access to, like, the hypervisors, or you can't be as low as you want to be anyways.
You got serverless functions, where you don't have any kernel, any CPU, anything. You're securing a service. So the architecture in the cloud, I think is, should be kernel-free by definition, and that's why it's not such a big consideration. On the Mac operating system, as an example, you know, Apple has basically put significant anti-tampering control, and they locked everybody else from the kernel as well. So that kind of evens the playing field in terms of, can somebody else load into the kernel and remove you? No, nobody can get into it, so now you're kind of, again, in a pretty decent spot in terms of anti-tampering capabilities.
So we spent a few minutes here on the technology strengths. We know in security that it's not enough just to have good technology. You also need to have a strong supporting go-to-market. So talk to us a little bit about how you fortify your go-to-market, especially in the context of some of your competitors spending significantly more on their go-to-market efforts than SentinelOne has.
Yeah. I think our way has always been a bit more nimble and thoughtful about how we go to market, just because we had to. You know, by definition, we were a newcomer to the space in comparison to some of the others that had been there. We don't have the reach of Microsoft, obviously, so that obviously constrains how much we can just push stuff to customers that are already there. So for us, the channel ecosystem has been really a force multiplier, and that is something that we continue and do today. Our ability to augment our own sales force with our very significant channel ecosystem has been a way for us to kind of scale efficiently.
That said, you know, I think you've seen us also change quite a bit, our go-to-market teams, our go-to-market DNA, the fact that we're leading with a platform today, and not just endpoint security, which was kind of what we were doing maybe three years ago. All of these are kind of putting us in a very different position. We now have a customer base that's pretty significant, which is also an upsell and cross-sell opportunity for us, which is yet to be fully unlocked, so it's another untapped source of growth for us. All of those, we just try to kind of balance within the desire to also become profitable on, you know, on our timeline. You can always market more. You know, you can always put more advertising. You can always be more aggressive.
I think for us, we want to see it done under a certain efficiency cohort. I would love for the product or the platform, in a couple of years, to be able to sell itself in certain degrees. Like, I think there's a distinct way to start enabling customers to consume things from your platform just by ticking a box and turning it on. So to me, that's another path that we will be pursuing in the years to come, which is why I'm not overly worried about the expansion opportunity. You know, right now, we're very focused on just net new logo acquisition. So I feel good about marketing. I think that, in general, this market is so confused and confusing that it's. I mean, we just spent, I don't know, like, 10 minutes talking about the kernel.
I'm not sure how many people really kind of understand what that means, and I'm honestly trying to simplify it as much as I can, and I think that even customers, honestly, like CIOs, CISOs, don't always fully understand what's the difference, or why should I care even about what you're saying, and that's a reality you have to contend with. I mean, one of the biggest, you know, to me, mysteries in this market was, for four years, there's been one company that consistently led MITRE evaluations with outstanding results, which you can't argue with. It's 100% protection, 100% detection. There was no asterisks, no delayed detection, no changes, no nothing. Clean 100% for four years in a row.
Still didn't seem like the market fully grasped that this is a better solution than some of the others, just given the level of marketing that you have in this space, and the level of confusion. So it's a challenge, there's no question. I do believe sincerely that folks are getting more sophisticated and getting smarter. Their eyes, I think, are a bit more open to, you know, what these products can actually do beyond that, you know, glamorous marketing and, you know, all the great kind of self-proclaimed accolades and the multiple awards that everybody's winning. And so I want to believe that marketing can be done in a more responsible way, and it's something that we've talked about ever since we IPO-ed the company.
We actually pledged. We had a pledge with the IPO, where we said we are not gonna be an oversellers marketer. We're not gonna do what the others are doing, and we're staying true to that. Right now it's, to me, mostly about education and making sure people understand technically what are these products. It's not magic. I mean, it's not EDR is gonna protect you with three-letter acronyms. It's not that. There's actual technology underneath it, and I think that will eventually prevail. With that, I think our ability to market is also growing. You know, we are, I think, a very good marketing company, and they were one of the fastest growing software companies, you know, on the public market.
So we know how to market, we know how to punch above our weight, I think, even with our relatively constrained budgets. And with every year that passes, I mean, we just get more and more capacity to market, and I, I've never felt, like, too bad about our ability to market in comparison to the mountains, you know, of cash that you see the others deploying. The last thing I want to say there is that the place where it does constrain us is definitely the top-of-funnel consideration, 'cause this is where. Look, at the end of the day, the TAM is so big across everything we do today. It's a $100 billion TAM. We're not reaching all these customers. I mean, we're not reaching all the investors. Not everybody knows about SentinelOne. Not all customers know about SentinelOne.
Not all parts of the market know what we do. I think there's this illusion that, oh, every market, every, every company out there knows about SentinelOne and CrowdStrike for sure. That's actually not the case. It's actually not the case, and in many markets, especially if you think about the cloud security opportunity, people don't think about SentinelOne immediately as a leading cloud security provider, even though we got one of the highest-rated suites out there. So that's the role of marketing. The marketing, for us, I think, is just open up that top-of-funnel presence, and we're doing more and more of that every day.
Let me pick up on the comment you made about customers being a little more eyes wide open or a little bit more aware. How have your conversations trended just in the past five weeks? Any specific color you can give us, and what advice are you giving your sales team as part of those engagements?
I've had countless conversations, honestly. I mean, I've been nonstop on the phone, and the interesting thing about it is that I swear I've not called a single customer. Every customer that I've talked to was an inbound call, and I didn't need to even call anybody. The conversations are pretty clear, I mean, to me. People wanna make sure that they can offload some of that risk that we just talked about, and there's a wide spectrum of ways to do that. Some folks just wanna move out from this, whether they've been just burnt, you know, over. I don't know, what the sentiment there, upset, for sure. Some people want out. Some people we already helped out, and we're talking about, you know, Fortune 50 companies.
Three days and you're out, so technically it's possible. I do think that for most companies, it's more of a convoluted process that's gonna take more time. But some have moved. Some have just said, "You know, we wanna pull the cord. We want out." That's an easy conversation, by the way. Most of the others, you know, they wanna understand how we do this. Like, how do we gradually come in, start with, with, you know, one or two footprints and then go after the rest of it, and what's the timeline to do that? And how they do that in the most risk-averse way, both to their endpoint environment and to their operations. And that is something that we're just working with them, working at their own pace.
We're not pressuring them. I think that that's the number one thing you ask me, what I'm saying to my salespeople, "Just work by what the customer want." Even if eventually the customer says, "No, maybe let's revisit in a year or whatnot," everything is fine. I think that, generally, the consideration has changed significantly. I also don't think that, you know, pricing is a big consideration for these customers. Like, so, you know, you're giving them all kinds of perks right now, yeah, for sure, these customers are gonna take whatever they can, but I don't think that changes the sentiment so much for them. So again, it's a, it's a wide gamut. I think that you're seeing that also in two different aspects.
One is customers that want to move, so call that, you know, rip and replace, but also customers that have stopped expanding, and that's a very prevalent conversation. I mean, not a lot of them kind of are thinking to themselves, post this: "Oh, I wanna double down with this." I mean, that doesn't make a ton of sense, so they're coming to us, and they're talking to us about these adjacent footprints. They're going to the channel ecosystem, we're going to the channel ecosystem, which is also somewhat impacted by this. Because if you think about that other vendor, most of their growth was coming from expansion, and if that motion is now significantly impaired for their entire channel ecosystem, that's a hole in revenue that they need to fill somehow.
You know, we're gladly there to help them, you know, go after these footprints and give an alternative. So all of these conversations are obviously net positive to SentinelOne. I don't wanna go into, like, what's the impact for them? I think there's some impact for them, there's some impact for us. They might not even be linear, but I'm very, very encouraged by what I'm seeing. You know, I think the two biggest things that I can definitely say, and I'm not gonna quantify anything, so-
I was gonna ask-
Yeah, I beat you to it, but, you know, we are seeing very significant pipeline building. We are seeing an uptick in win rates, and that, I think, is something that over time we will be able to quantify and translate into, you know, kind of what the future impact of this is looking like. Give us a quarter to kind of work through all of this, and I think that with next earnings, we might be able to be a bit more intelligent about, you know, how this looks like for the future for us.
I want to ask you about the upsell dynamic and endpoint separately from the cross-sell dynamic that you touched on with the emerging products. On the upsell, in network security, it's very common to see dual sourcing-
Mm-hmm.
between multiple cloud vendors.
Right.
Level set us, what is normal in endpoint, and do you think the industry structurally moves to more of a dual sourcing or multi-sourcing paradigm because of this idea of resilience?
Yeah. I, I think it does move there. It wasn't the case up until now, and, you know, very different than the network. By the way, the network part also started with one vendor, and then it moved into dual sourcing. So, you know, I guess we didn't learn. We always have to learn the hard way. But, but I think we're definitely gonna be moving into more of a dual source, whether it's side by side, different footprints, different, you know, different surfaces. There's multiple ways where you can achieve that, but I think that's definitely a conversation you wanna have. Yeah, and I think that that's gonna change materially the opportunity in the endpoint space. Generally, I think the endpoint space is also still under-penetrated.
I think that might be a controversial statement, but, look, the, the refresh cycles, the PC manufacturers, like, you're talking about 30, 40 million pieces of new devices coming into the market every couple of years, every three years, maybe. That's a huge opportunity, especially if you can partner with some of those people. So, I think there's ample opportunity in terms of net new market share grab in the endpoint market. I think there's also-
You have much junk on your iPhone.
Okay. That's Apple Intelligence? I mean, not bad.
Welcome.
So there's a lot of opportunity to get rid of the junk you have in your environment, but there's just a lot more to be had. You know, McAfee is, like, a $1 billion-dollar business, and Symantec is still close to $1 billion, and, you know, Sophos is, you know, $2 billion, and Trend Micro is a big company. There is a lot to be had in all these different markets. The MSSP ecosystem is still running Bitdefender and Webroot, so there's billions of dollars of market share to be had, and we've been able to unlock a lot of it. I mean, if you think about it, two years ago, we had 1% market share. You know, a year ago, we had 3% market share.
Now we're about 5% market share, so we're moving pretty fast in the way that we're unlocking that, I mean, faster than anybody else, that's clear. And our scale is starting to be pretty significant, and obviously, to us, every endpoint customer that we onboard is an expansion opportunity for the lifetime. And we keep these customers safe and happy, and I think that will translate into just a massive growth opportunity in terms of the actual upsell opportunity, which we've not been doing in any more than an opportunistic way up until now.
Let me pick up on the emerging products piece of the story. So, Google already landing cloud footprints-
Mm-hmm.
Next to competitor endpoint footprints before July 19th. How is the opportunity evolving in cloud, particularly as there's a little bit of a question mark if I standardize on AWS? Well, perhaps I can buy more of my security from the AWS security offerings. So how do you think about what a good cloud opportunity or what the cloud opportunity looks like for SentinelOne to venture this?
Yeah. Couple of things. It's interesting because AWS was actually one of the only vendors that did not have an appearance in the market guide for CNAPP solutions. So not entirely sure why, but I guess, you know, they don't really have all the components.
Perhaps we'll use Azure as the benchmark.
Yeah. Azure is definitely a different story, but it's Azure for Azure, and I think it's, for any other footprint, it kind of, you know, tapers down pretty quickly. To me, the cloud security market right now, the one word I would use, just fragmented. It's, like, totally fragmented. And when I say fragmented, I mean just different use cases. So most people don't realize that there are practically no cloud-only companies out there. Everybody's a hybrid company. Everyone has something on-premise, and typically, these on-premise footprints are pretty big. And a lot of these solutions, those CNAPP solutions, are very public cloud oriented. So when we look at opportunities, we try to find the ones that we believe are the better suited to our technology stack. And our technology stack has innate advantages with securing any type of workload.
On-prem, private cloud, public cloud, doesn't really matter, and our solution is distinctly better at runtime protection, so if you're asking me, you know, how is the CSPM market, I think that's kind of a commodity market, everybody can kind of do the same thing, very public cloud-oriented. But then if you go into runtime security, kind of the cloud workload protection side of the house, it's different, and it's a huge opportunity. That's a multi-billion dollar opportunity. I wanna go after this. I care little less about CSPM. We've got a great CSPM CNAPP solution. I don't think it's far-fetched to think that we're gonna maybe even give some of those away, when you buy workload protection, because to me, workload protection is by far, the most important piece in that.
Then you go into DSPM, which is a slightly different consideration, and the types of data that you want to protect, so very fragmented in terms of the use cases. I think the other realization is that, you know, you kind of hear Palo Alto saying, "Oh, we're so growing, you know, our cloud business is amazing," and, you know, CrowdStrike, you know, amazing cloud business, and, you know, and Wiz, and like, all of the... Everybody's a tremendous cloud solution. There are no perfect platforms. Doesn't exist. Not mine, by the way, not in endpoint, not in cloud, not anywhere. Everybody has strengths and weaknesses, and customers have different desires, needs, and challenges, and some of these platforms are good for certain things, not so good for other things.
When you talk about a $100 billion market opportunity, you're gonna see a full spectrum of these things, and you're gonna have your success even if somebody else is successful, and I think that's maybe kind of a missing part in the narrative because, you know, people call it the one winner takes all type of emotion. Doesn't exist. It's not there. It's impossible. Nobody can cater to all the needs of everybody in the market, so we just focus on what we do the best, and we find these opportunities, and we sell into them. You know, and again, when you see these customers that are eventually going with our solution, you typically see the most discerning one, the most discerning ones, and that's what I like to see.
And they rather go with us, even if they have already a vendor that they can platformize on. I think they still choose to go with a best-of-breed solution. Going back to what we just discussed about the multi-vendor approach, I think that also puts a dent in that beautiful platformization narrative, 'cause that would kind of go, you know, against that.
Fantastic. Question in the audience? Just go for it.
Oh, yeah. So Tomer, I mean, I've known about that, your kernel for a long time. I mean, Rick Bosworth writes great about it. Ely Kahn says great stuff about it. So if anybody needs to read up on that, Ely Kahn and Rick Bosworth write really good stuff about that for you guys. I do have two questions for you. The first question is, I've always believed you guys have the better product. Been a shareholder for a long time, but been somewhat disappointed with both the stock price and the go-to-market.
Yeah, me too.
But what you have now is you finally be able. It's not even, like, in the lab anymore. It's real world that why your platform is superior. So you've, that's now litigated in the real world, and now you have a new CRO, new CMO, new CFO. And you mentioned, last quarter, you said, well, you're willing to invest more once you reach profitability. You reach profitability. Put all those pieces together, should we expect this team and your comments about, you know, giving win rates and better pipeline, should we interpret that as this is your new team, your new opportunity, your new catalyst to say, "Hey, look, we're gonna step with new products, accelerate growth?" And by the way, your win rate's 70%. You've already disclosed that two years ago-
Okay.
in CrowdStrike. So I'm hoping that either the number goes up or the pipeline gets better. So, help me understand, are you willing to now step on the gas to growth, given all the leadership changes, product changes, and market opportunity?
Yeah. Look, it's a fair question. I think that there's no question that we're a better company today than what we were a year ago. I think that I never believed that our constraint is just, like, the marketing aspect or putting the pedal to the metal. I have a fiduciary duty to grow responsibly, and to me, I wanna see certain efficiencies happen before we pour more money into the business. Again, we're the fastest growing company on the public market in our industry, in software. Arguably, it's hard to do things even in a more accelerated fashion without things starting to break. We have a better team. We have a better company. I think our product has never been better, and I think the sentiment around SentinelOne has never been better.
It's true that we have kind of inflected into profitability. We're still not profitable on a full-year basis. That's our, you know, that's our goal, that's what we wanna see, and that's gonna also align with our efficiency cohorts, and at least that we internally track. I think then you're gonna see us just go more aggressive, but beyond all of that, there are multiple initiatives that we've been working on, you know, in the past year, that are going to fuel growth into the future. It's just, you know, some things take time, but I'm again more excited about the opportunity, both in the endpoint space and outside the endpoint space, more than I've ever been, so it, it'll get there. I'm not worried at all.
And I think that, you know, stock price, all of that, I think over time, that gets unlocked as well. Obviously, we've had some execution errors. Obviously, you know, there's been some quarters where we didn't really get to what we believed that we could have gotten to, and I think, you know, now things with this team are looking just very, very different than any other point in time for the company, so I'm encouraged by that. I'm encouraged by the predictability, the stability, and again, better team, better company. I think the landscape is mature here.
At OneCon, should we expect some announcements at OneCon?
You should expect a lot at OneCon. But obviously I can't really disclose exactly what will be announced, and in kind of which areas. Again, there's a wide gamut of things that we're working on. Some will be announced, some will not be announced, but you know, we're not sitting idle, as you can imagine.
Tomer, maybe just a little context around the CFO announcement from this morning.
Yeah. No, I mean, that one, very excited for, you know, for Barbara joining us. It's been kind of carefully planned for a good period of time, very deliberate. Obviously, we're kind of switching gears in terms of how we grow our scale. You know, we're coming pretty close to that $1 billion in ARR. We need to start thinking about our long-term targets again, how we do that, how we bridge that with scale, and, you know, obviously we can, we can and we want to use the experience of a seasoned SaaS leader, that have seen those stages of growth. You know, between $1 billion- $6 billion- $7 billion dollars of revenue, that's exactly what we need. Tremendous leader, and you know, obviously Dave has done a remarkable job as well.
I mean, he took the company public. Very grateful for him. But, you know, we're off to a new chapter, and I think we're all very excited about what Barbara brings to the picture.
What are the one or two leadership qualities that stood out to you about her as you got to know her over the last several weeks and months?
Yeah, I think it's two things. I think the interaction with the executive team, the leadership, and the partnership that can be created. I think that excites me. Honestly, it excites me because that means that I need to be less involved in that. But generally, I think that's how you foster a really healthy motion in the company. And the second thing is just the financial foresight. I mean, when you see other companies grow in a certain way and go through these different stages, now when you look at us on the same track and say, "Okay, probably need some adjustment here or some adjustment there" to replicate some of these journeys or to do even better than some of these journeys. Obviously, SentinelOne is pretty unique in its growth profile.
So those two things, you know, just really excite me, something that was never there before. You know, again, Dave has done remarkably well for us, but he's never seen that type of growth, and we're kind of nearing that point that we just wanna make sure that we're growing the most efficient way possible. You know, the profitability story for us is not just a story. Like, we wanna expand our EBITDA and operating margins significantly, and as fast as possible, and how do we bridge that with what people want from us, which is to be more aggressive, and go to market? I mean, all of these things, I mean, think about these considerations, is what you expect your CFO to do.
Excellent. Please join me in thanking Tomer for his time. Tomer, thank you very much.
Thank you. Thank you so much.
I wanna spend another half an hour on-- we didn't even talk about the stock.
Yeah.