How the mighty have fallen
This certainly hasn’t been the year in which to own hi-growth/hi value IT shares. For the most part, operational performance hasn’t mattered much; investors have trashed just about all IT vendors with what they believe to have been elevated valuations. They have even trashed the shares of IT vendors whose valuation has been less elevated. I initially looked at SentinelOne (NYSE:S) at the time of its IPO and wrote an article on SA reviewing the company and its prospects back in July 2021. It was just too richly valued for my own predilections at that time and while the shares ultimately rose above the price at which the article was published, they have subsequently rerated along with just about everything else, almost in spite of the operating results of the company.
There is a French expression: Plus ca change, plus c’est la meme chose. It means, basically that the more things change, the more they remain the same. (I hope my definition finds approval amongst my French speaking subscribers.) In some ways, that best describes what has been happening at SentinelOne. The company has made lots of progress in terms of growth, and its loss margins have begun to ebb. It is still acquiring loads of new customers and gaining share in the market for end point detection and response software (EDR). But it is still incurring significant losses and has yet to show that it will soon generate non-GAAP profitability or free cash flow.
As the shares have rerated, and as the company has progressed, several Ticker Target subscribers have asked me to see if an investment in the shares currently makes sense. One reason for the interest is pretty self-evident. When I initially wrote about SentinelOne, the shares had an EV/S of 46. They now have an EV/S ratio, prior to the release of earnings next month of 7.5X. In other words, the rerating has brought one valuation metric down by about 85%, one of the more remarkable falls, even in this toxic environment for IT shares.
This is not an article bemoaning bubble valuations, or Fed pivots, or the future course of the economy but will focus on SentinelOne as a company and as a competitor in the cybersecurity space. Investors are most often best served by being forward looking. SentinelOne’s business model is far from perfect, and is still a work in progress. And while I am not nearly as fixated on SBC expense as some SA commentators and others, this company’s SBC ratio of 40% of revenues is very elevated, and the growth in SBC has yet to slow meaningfully.
But the company is achieving progress in terms of reaching a business model that is less an element of derision than a reasonable business evolution for a company with this level of growth. In that regard, the first sign of a less toxic business model is that of gross margin improvement which has become noticeable for this company in recent quarters.
That said, SentinelOne besides being very far from any kind of profitability, has yet to turn the corner with regards to free cash flow. Since the ugliness of the market has become so pervasive and all encompassing, and as the economy is sliding toward a recession, I have focused, for the most part, on recommending companies with substantial free cash flow. At least for me that should avoid some of the controversy about stock based compensation-although there are those who don’t accept a free cash flow based valuation, regardless. At least, as of last quarter, the company had yet to make meaningful progress toward free cash flow generation. Part of that failure relates to the vagaries of balance sheet items and timing which will normalize over the course of the year; but part of the failure for free cash flow to show signs of improvement relates to some user behaviors during this period of economic stress, i.e. the growth of deferred revenues in percentage terms is less than the growth of actual revenues as some users are more wary of making prepayments for software.
SentinelOne is going to report its Q3 numbers on December 6th. At the time the company last provided estimates at the end of August, it had talked about a prudent guide based on macro signals-basically the headwinds of longer sales cycles and more elaborate decisioning practices on the part of its customers. On the other hand, it also talked about the strength in the demand environment for its offerings, and focused on the strength it had been seeing with MSP’s. The company didn’t call out any expectations with regards to cash flow on the call, but it indicated that its expectations for gross margins and operating margin loss for the balance of the year were consistent with the results of Q2-in other words, no further improvement beyond the beat seen in that quarter.
Not surprisingly, no published reports have forecast any expectation for greater than consensus results. Overall, and just guessing at this point, I would expect to see a fairly significant upside for both revenues and operating margins when the company reports next month. While Palo Alto is really not a direct competitor, the results it announced on 11/17 suggest that demand in the cyber security space has held up quite well, with better visibility than has been seen by most other IT vendors. Just how a strong quarter in terms of growth might have translated into cash flow is not something I can readily handicap. I expect guidance, almost regardless of anything else, to remain conservative and simply incorporate the beat of the prior quarter + modest sequential growth. I can’t imagine any management in this environment guiding more aggressively than that, and if they do, investors are likely to be skeptical.
SentinelOne shares are basically hold rated by most analysts. It is the prudent call to make, and that is despite market action on 11/10 and 11/11. This is an investment where one size does not fit all. For those with a longer time horizon, and the ability to withstand volatility and drawdowns, the shares, at around $17-$18, represent reasonable, if not to say, excellent value. The company is going to grow at elevated rates, and it will do so despite macro headwinds, I believe. And it is making progress, even rapid progress, in terms of improving what has been a baleful operating model. But patience is going to be required; this is not an investment for this phase of the market, but for the long term
In this environment, where profitability trumps all, and where free cash flow is a key component of valuation, the shares are not going to outperform on a relative basis, I believe, at least until the duration of the current economic cycle becomes clearer. I personally don’t own the shares, or have put them into managed portfolios. That is a reflection of my level of risk tolerance more than a view with regards to the future of Sentinel’s business. I am considering adding a small weight in the shares to some managed portfolios.
But for readers looking for dramatic upside potential when a Fed pivot is real, rather than just in prospect, this is an entry point that should be considered. It is a huge opportunity, albeit one with risks and uncertainties mainly related to the market rather to any questions about the likely trajectory of the company’s operational performance. SentinelOne’s growth is probably greater than that of any other company I currently evaluate and that is not likely to change in the foreseeable future because of the causes for the company’s success. Growth is not much in fashion these days with investors, and profitless growth is even more disdained. At some point, growth will become more important for investors than is currently the case, and SentinelOne is making strides of some magnitude on its path to profitability.
The Existential Question: CrowdStrike vs. SentinelOne
CrowdStrike (CRWD) and SentinelOne are essentially the two, and the only two independent horses in the race for dominance in providing modern and effective end-point cyber-security solutions. There are many, many other offerings in the endpoint security space-of course including Microsoft (MSFT), which I touched on in my recent article is a significant competitor, so too is Symantec/Broadcom (AVGO. The last thing I want to do is try to call a winner in the competition between CrowdStrike and SentinelOne. I own, and have owned CrowdStrike shares for a very long time now. It’s been a pioneer in the EDR space, and its CEO, George Kurtz, is an industry visionary and has led a highly efficient company which has executed superbly.
The endpoint security market itself, while large is not the highest growth market in cybersecurity. The latest study published consistent with many other studies, suggests a CAGR of about 8%+ with a terminal value of $28 billion for endpoint security. But both SentinelOne and CrowdStrike have product sets that extend beyond the borders of endpoint security. That said, the real reason both companies are growing so rapidly is that of industry disruption. The use of AI as a technology has dramatically changed how software companies provide endpoint security compared to legacy offerings from Symantec/Broadcom (AVGO) and many others. Over time, the use of AI powered solutions will essentially replace all of the legacy solutions out there. The new technology is far more effective at securing devices than what it is replacing which is why uptake has been so rapid and that is likely to remain the case for the foreseeable future.
SentinelOne is the upstart (no pun intended) in the race which has emerged to rapidly become a major competitor in the race to replace legacy endpoint security solutions. The company’s co-founder and CEO, Tomer Weingarten, is also an industry visionary, with strong opinions (he criticized Microsoft’s cyber-security offering quite directly last summer). I have linked here to an analysis of the differences between both sets of offerings.
One industry testing entity, MITRE Engenuity ATT&CK Evaluations has rated SentinelOne very highly indeed, and its report says it outperforms CrowdStrike. But CrowdStrike gets a high score as well with 100% prevention on the test. The MITRE conclusions have been consistent for several years now. Obviously they have been well publicized. They probably are a factor in the success SentinelOne has enjoyed but have seemingly not impacted the success of CrowdStrike either.
In the last year or so, identity management has been one of the features that users want built into their endpoint security solutions. CrowdStrike was first to market with that capability and it is an extremely rapidly growing component of their business. SentinelOne bought Attivo in May which is provides the same functionality. Attivo didn’t figure into Sentinel’s performance in the quarter in which it was acquired: it is more likely to be part of an upside that is to be reported.
According to the several third party analysis I have read, both companies offer users advanced capabilities that really represent a next generation in endpoint security. It may be that SentinelOne’s machine learning algorithms are more “modern” and marginally more accurate than those offered by CrowdStrike. On the other hand, both companies have been competing in the market for years. No doubt, in the macho environment that abounds within IT software companies, the rivalry has taken on a life of its own, with vignettes about competitive battles lost and won common currency in the industry. As an investor/analyst, I don’t think all of these conversations mean much. I have linked here to an analysis that compares the two offerings.
Larger users tend to go with CrowdStrike. Those interested in a platform extending beyond end point detection and remediation will also find CrowdStrike attractive. SentinelOne probably has noticeable advantages when it comes to ease of deployment and doesn’t require a professional expert to deploy, configure and maintain the solution. It relies less on human interventions and monitoring. It is hard to dismiss the MITRE study as not representative of the capabilities of both solutions.
But none of these comments, except the last one is absolute.
SentinelOne has plenty of major references these days, but the references provided are not of the same size as those that CrowdStrike can cite. SentinelOne’s new customer acquisition count of about 750 last quarter excluding Attivo is less than half of that of CrowdStrike but given the difference in scale between the two companies, obviously SentinelOne’s percentage growth in new customers is much higher. Like most IT companies of this size, S is focused on pivoting its sales effort to larger customers who can add meaningfully to ARR growth. Last quarter, while the sequential growth in total users was about 10%, the sequential growth in larger customers was actually greater than 40%. Selling these larger users is a crucial element in the company’s growth outlook. And the company’s net expansion rate reached 137%, up from 129% the prior quarter.
When evaluating CrowdStrike vs. SentinelOne, there are a few elements to consider. Will SentinelOne achieve faster percentage growth than CrowdStrike? That is almost certainly the case. It is a much smaller company, and its pivot to larger enterprise is in early innings. Its platform strategy is really nascent at this point.
Does SentinelOne have better technology or something specific and unique that makes its solutions better than those offered by CrowdStrike. It probably does-but that begs the question as to how users select their EDR vendor. This is not a guide as to which end point security solution to buy. There are many analysis that contrast and compare the two offerings, and my comments are built around those analysis and anecdotal sources. End point security is really just one part, albeit a critical part, of a cyber-security posture for an enterprise.
There is a bit of a game of leapfrog in considering endpoint protection with one vendor initiating a new service or capability and then seeing it mimicked by others in the market. There are certainly cases in which SentinelOne has a superior solution. Currently, SentinelOne has a native Linux solution; CrowdStrike does not. That was a factor in the third party analysis which suggested that CrowdStrike was most appropriate for Windows environments. And CrowdStrike is cloud only which can be an issue for some users. SentinelOne’s solutions are more noticeably automated than those of CrowdStrike, perhaps of importance in some buying decisions.
Over time, the factors that currently disadvantage CrowdStrike are likely to be addressed, although perhaps some of the explosive growth of S has been enabled by its perceived and actual product advantages. I have linked here to SentinelOne’s comparison of itself to CrowdStrike. Of course it is a commercial and CrowdStrike has a similar comparison. But I present both of them in the interest of completeness.
I think that expecting SentinelOne to dramatically impact the growth trajectory of CrowdStrike at this point is a bit of hyperbole but it will probably win a bit more than its share of competitive evaluations between the two companies. As mentioned, the companies have been competing for years at this point, and while SentinelOne has far greater percentage growth in revenues and in ARR, CrowdStrike’s strong operational performance and hyper growth has continued unabated. Both companies are and will remain leaders in the space; there will be potential customers with different threat surfaces who might choose one vendor or the other, while some enterprises looking toward vendor consolidation are likely to find CrowdStrike particularly attractive. Over time, SentinelOne will evolve into a platform business, and will be able to capture some large, high profile enterprises. There is plenty of available market for both vendors to thrive.
Which one will be the better investment? In investing, as in much else, one size does not fit all. I decided to rate SentinelOne shares as a buy for the purposes of this article. That does not mean that all readers/investors ought to go out and buy the shares expecting immediate positive alpha. And that would be the case even if I knew that the company’s earnings report coming next month would be an upside; I am just not sure if investors are willing, yet, to pay for the hyper growth this company is likely to deliver until it starts to show even more progress toward profitability and free cash flow generation than has been the case thus far.
I think owning an entrant in this space, i.e. endpoint cyber security is a no brainer for growth investors. And, as mentioned earlier, there are really only two viable horses in this race. And if one has a long enough time horizon, my guess is that on a percentage basis, SentinelOne’s appreciation will be greater than that of CrowdStrike, although I expect the shares of both to perform well.
Currently, and for the foreseeable future, investors are valuing free cash flow generation significantly. In fact, they are valuing free cash flow generation more than growth for one of the few times I can recollect. And SentinelOne obviously is very far from achieving free cashflow generation, and CrowdStrike’s free cash margins have consistently been at elevated levels. My guess, is that over time, as SentinelOne pares its losses, its free cash flow generation will improve, perhaps in some dramatic fashion. In the meantime, the compression of its EV/S ratio to significantly below average may serve as a floor for the shares. For readers looking for a potential investment homerun from this point, I believe that SentinelOne has that potential.
The SentinelOne offering – The building of an eco-system and a platform
While of course it isn’t necessary to become an expert in all things SentinelOne to invest in the shares, and I certainly don’t suggest I am such an expert, I think an understanding of the offering can build conviction on the part of investors. And conviction is going to be necessary, I believe in order to weather through the volatility of these shares as well as the almost daily sentiment reversals on the part of the market.
The core SentinelOne offering is called Singularity. It is probably the most automated solution on the market with the ability to create context in real time for most popular OS and workloads. Most remediation is automated and no scripting is necessary. Singularity is available at a variety of functionality levels: Core, Control and Complete. Most user wind up with Complete, and those who start at the two lower tiers, usually migrate to the highest level fairly rapidly, one factor in the company’s strong upsell ratio.
These days, the company, through acquisition, offers an identity management service. Identity is one the hot buttons these days for many enterprises. Credentials get misused and deception abounds. SentinelOne acquired its identity technology which is just now becoming integrated with its suite and co-sold. It should wind up being a major revenue generator. It should be noted that the form of identity management offered by this company and by CrowdStrike is not exactly a direct competitor with the identity management solutions offered by Okta (OKTA) and by other cybersecurity identity vendors. On the other hand securing the identity of an endpoint certainly can be an alternative strategy to Okta’s offering.
The company offers an ingestion platform that enables what is called XDR (extended detection and response) XDR is a relatively new approach to threat detection and response. Most users consider the XDR concept as their preferred endpoint security posture. To reach this posture, they need to be able to ingest and visualize data from all sources and to streamline security workflows. The way these solutions work is to look at context at scale from a unified platform and to do so using an automated solution so remediation can take place in real time.
Finally, the company offers what it calls Ranger AD which is designed to uncover vulnerabilities in Amazon’s (AMZN) Active Directory and in Microsoft’s Azure AD. Most organizations have experienced breaches, and the hackers often get access to these directories. This is the kind of attack that makes headlines where the criminal empties a directory and then uses the data to steal identities and the like. Most of the hacks have come because of weak policies, harvesting and other vulnerabilities.
The company didn’t discuss its product roadmap explicitly on its last call. One of its latest product introductions was DataSet, an analytics solutions based on the company’s prior acquisition of Scalyr. DataSet is the first SentinelOne offering that can be used outside the cybersecurity space and probably is indicative of a future strategy to expand into adjacencies. Basically, this is a log monitoring tool that offers parsing, alerting and performance monitoring. It competes against Splunk (SPLK) with advanced features. It will be sold to the installed base; one of the primary growth strategies of all software vendors such as this is to expand into adjacencies and drive business through a platform offering.
The notorious SentinelOne business model
I say notorious because the first time I looked at SentinelOne its loss margin was as elevated as any I had ever seen, as was its cash burn. There have been a few companies over the years that rivalled S as vying for champion in that dubious category; most conspicuously the unlamented Hadoop vendors of whom only Cloudera remains as a private company, but the S loss trajectory, especially given the outperformance of its revenue growth was quite unique in my experience. I was particularly skeptical about the level of gross margin wondering if the company’s pricing vis-à-vis that of its rivals was too aggressive and was a factor in its rapid growth. It is true that S pricing is more aggressive, at least on a list basis, than that of CRWD-but the reality is it is far less so when a large enterprise deal is being decided. Both companies, at least according to my anecdotal checks are equally aggressive-SentinelOne with its focus on managed service providers can be cheaper for a smaller business.
SentinelOne still makes significant losses and burns cash-but it is getting better. The guidance it provided back at the end of August was not particularly investor friendly-certainly not in this environment. I imagine or guess that it will provide investors with an opex plan that will show diminishing growth in opex and a lower level of percentage opex loss. It may even speak about a profitability goal.
Back in August the company had indicated that as it looked at the darkening macro environment, it had postponed some expenses from Q2. The CFO went on to say back then that as the company saw a continuation of a favorable demand environment, those postponed expenses would fall in the 2nd half of the current fiscal year and that is why the guidance didn’t call for further margin improvement beyond the levels attained in Q2.
Again, I am guessing, but at this point, most IT companies have chosen to moderate their opex growth; more than a few have announced layoffs, and most companies are focused on raising their margins. So, almost in spite of how well SentinelOne may have done in terms of revenue growth and even in its view of its demand environment, I imagine it will announce a hiring downshift and some expectation of improving margins more rapidly than had been the case when it last reported.
I want to say before reviewing the financials at some level of detail, that the company uses SBC-lots of SBC. For readers concerned about SBC-this is not an investment for you, although regardless of the SBC level, it probably will not tick too many boxes for people looking for pristine financials with reasonable cost ratios in any event. If that is what is of importance, and a reader wants to invest in the cybersecurity space with a company with an endpoint solution, consider Palo Alto, although even that company has an SBC ratio of about 20%, albeit with a free cashflow margin of 35% or possibly higher.
If, as I expect, SentinelOne starts to slow the pace of its hiring, eventually SBC ratios will come down. But given the way SBC is calculated, and the rapid hiring of the past quarters, I really do not expect SBC dollars to decline in the next several quarters although the ratio will perhaps back off a little off from the 40% level. In calculating valuation metrics, in order to account for SBC, I use share dilution; That is running at about a 3% annual rate in the last couple of quarters, after adjusting for the shares issued as part of the Attivo transaction.
Last quarter, non-GAAP gross margins were about 72% compared to 62% in the year earlier quarter and to 68% the prior sequential quarter. The company didn’t forecast any further increase in non-GAAP gross margins for the balance of the fiscal year. If sequential revenue continues to grow at elevated rates, it would be hard to imagine a scenario in which non-GAAP gross margins didn’t rise.
Research and development expenses rose by almost 85% year on year and were 40% of revenues. They rose by 16% sequentially, and apparently reflected some level of cost shifting from Q2 to the balance of the year. There are very few software companies that have consistently spend anything like 40% of their revenues on research and development. The fact that this company is competing with CrowdStrike and to a lesser extent with Microsoft and Palo Alto, and does so based on technology, is going to call for elevated research and development expenses for the foreseeable future. Some of the increase in R&D spend last quarter was not organic and reflected the closing of the Attivo transaction.
As is fairly typical for a company such as this, the largest expense category for SentinelOne is Sales and Marketing. On a non-GAAP basis, sales and marketing expense was 65% of revenue last quarter, down from 80.5% in the year earlier quarter. Of course that is a massive improvement, and on a sequential basis, the sales and marketing expense ratio fell as well, albeit more modestly, but clearly, the path to profitability runs straight through the elevated level of sales and marketing spend. It may be that there was some cost shifting last quarter as the CFO suggested, but the sequential 24.5% growth in sales and marketing doesn’t suggest much in the way of cost shifting within sales and marketing expense, at least to this writer.
At some level, it is hard to believe that non-GAAP general and administrative expense is 25% of revenue. That is at least 50% greater than average cost ratios for this expense category for a company of this size. About the best that can be said about that expense category is that it has shown noticeable improvement from the 31% ratio in the year earlier quarter, and that sequentially, general and administrative expense rose only 10%.
Overall, non-GAAP opex rose 19% sequentially while revenues rose by 31%. That’s noticeable progress. But it still has left the company with non-GAAP operating loss margin of 58%. Many readers, if they have gotten this far, are just not going any further, and essentially, that is why the average analyst rating on the shares is no better than hold.
Last quarter, the cash burn margin was 61%. For the first 6 months of the fiscal year, cash burn was also 61% of revenues. Although the company spent $281 million on buying Attivo, it still has a cash balance of over $1.2 billion so liquidity is not an issue. Basically, free cash flow is going to be a function of profitability improvements, and to a lesser extent, signing large deals with prepayments that yield large increases in deferred revenues. I think positive free cash flow is probably about 5-6 quarters ion the future.
SentinelOne – Has the valuation compressed adequately for long-term investors?
SentinelOne has twin distinctions when it comes to valuation. It is now the fastest growing company of any scale that I follow in the IT space. But it also has the highest negative operating margins as well. I find myself torn in terms of a recommendation. S is gaining market share with advanced technology and is building a platform in a key space in cyber security, but the investment necessary to fund that goal has been huge. When I first reviewed S shares they had a premium valuation in terms of EV/S. That is no longer the case; after the company reports its Q3 results next month, its forward EV/S ratio may reach less than 7X, a massive discount from the best fit line that passes through its estimated CAGR.
Of course, when considered on a combination of growth and free cash flow margins, the discount almost disappears although it is still about 10%. I have done a DCF analysis as well, but like many such exercises, the devil is in the assumptions. I project that the company will start generating free cash in 2024 and will continue to grow at elevated rates for the next decade or so. On that basis, the DCF valuation is more than double current prices, but no doubt some will disagree that the company can achieve cash flow generation even by the end of 2024. The weighted average cost of capital formula yields a discount rate of 8.33%; again there will be those who argue that is too low but it is what is shown by Finbox.
SentinelOne is not an investment for all readers, and in this market it has its share of detractors. In addition to its reported losses, its 40% SBC ratio can be criticized. I prefer to look at dilution rather than SBC ratios. Just how long investors will shun high growth shares is really not precisely knowable-I might have thought that that the valuation implosion of the IT sector would have reached its apogee months ago.
I do focus on free cash flow in evaluating companies. I think it is a metric that is least likely to be subject to misinterpretation, although I have seen some analysis in which not all free cash flow is created equally. But regardless, SentinelOne doesn’t have free cash flow, and it won’t have it for at least the next year and possibly longer. Its improvement in free cash flow is going to have to come through eliminating operating losses, and in turn, that is going to require, I think, shifting to a lower growth cadence so that hiring can be constrained-at least by a little. I have a 3 year CAGR estimate of 61%, partially based on the growing scale of the company, but also based on my expectation that the company will choose a bit of a trade-off between hyper growth and profitability.
I expect SentinelOne to continue to make market share gains and to capture some high visibility customers over the next two years. And I expect it will develop a more holistic platform approach to its offering.
Ultimately the issue of whether or not SentinelOne is the right investment for a reader comes down to predilections regarding growth and free cash flow generation. Some of that is a factor of risk preference, although given the technology position of Sentinel, and the background of its management, I don’t expect that they will lose their top ranking for end point security efficacy in the foreseeable future. And the company’s sales execution, with a sales magic number of 1.3X last quarter is strong, and suggests that the execution issues that so often plague smaller vendors should not be a factor in assessing risks.
Over time, I expect that SentinelOne will wind up turning the corner in terms of profitability and cash flow generation, and when that happens, I expect a massive positive rerating of the shares. But realistically, the timing of the attainment of profitability will be a function of the company’s strategy and that makes it unknowable, at least for me at this point. Patient investors will, I think, reap a bonanza in these shares. This is a space ripe for continued disruption and market share gains on the part of Sentinel. But the key word is patience. I recommend that investors take a small position now, with a thought to increasing a weighting as the path to profitability becomes clearer and as investors potentially redirect their attention to growth.