Description

Summary:

We recommend buying shares of SentinelOne (S) with price upside to $23. Sentinelone is an unprofitable, next gen endpoint security provider. Originally a pure play on endpoint, they’ve expanded their cybersecurity platform to cover cloud security and identity security. They trade at one of the lowest forward revenue multiples in cybersecurity (4.5x FY25 EV/Sales) with the highest growth profile (+51% NTM revenue growth) in an attractive industry. Great technology stack, but too subscale for margins in next gen endpoint security. We think risk/reward looks good here on a revenue basis. This is a growth name by most anyone’s definition and not for everyone (-50% LTM operating margins and expected growth of 50+%). You’re ~2 years from positive margin inflection, but companies in the cybersecurity space have a track record of generating impressive FCF margins at scale. There’s also some downside protection at this price as an attractive and current acquisition target. We think this works if you can get comfortable with management execution and margin inflection in FY25. Using consensus numbers, at year end FY25 S at current price would be trading at sub 4x forward revenue on 30% forward growth with positive forward margins.

Thesis:

1)      A closer line of sight on margin inflection over the next 24 months should drive appreciation of SentinelOne’s valuation. Margins are ultimately an issue of scale rather than business model

2)      Attractive industry dynamics in endpoint and cloud security (growth, stickiness, increasingly clear ROI, strategic importance of endpoint in building a cybersecurity platform)

3)      Multiple levers to outgrow underlying end markets

4)      Takeout potential provides downside protection given quality tech stack and industry dynamics

Why does this opportunity exist?

This is a 2021 IPO vintage with high growth and very negative margins. Once a post-covid tech darling, it traded as high as high as 50x EV/NTM sales and 15-20 turns higher than cybersecurity peers as the fastest growing cybersecurity company at the time. As markets have returned to a rational focus on FCF generation, S now trades at 4.5x FY25 EV/Sales versus peers 6-8x despite having the highest forward growth profile.  On the EV/sales/growth metric popular with tech investors, it trades at .11 versus mean tech at .3-.4.

It still has a good amount of short interest. We tend to think a lot of that falls in the “short the most negative margin growth darlings of ’21 bucket” which has been a good trade in the last year, but ignores the growth/margin inflection story shortly down the horizon. There’s a bit of hair on the story as well with recent management departures and turnover in the sales team. We think those concerns are a little overblown. Some have liked to play this from the short side recently given mixed channel checks.

Company overview:

SentinelOne launched in 2013 as an endpoint security provider, adding capabilities for MDR (managed detection and response) in 2018, Cloud Workload Security in 2020, and Identity through their acquisition of Scalyr in 2021. They completed their IPO in June of 2021 at a $35 IPO price in the midst of the fed induced post-covid tech rally.

Their core Singularity platform offers EDR (endpoint detection and response) and IT/SecOps to automate detection and response. Additional modules include Cloud Security, Attack Surface Management, and Mobile Endpoint Security. Revenue is generated from subscriptions to their Singularity platform through three packages (Core, Control, and Complete) along with optionality to buy their 8+ modules a la carte. Pricing is based on a per seat basis.

Industry:

Endpoint security has been around for a while, but there have been two major industry pivots in the last five years. COVID brought about an explosion in the number of endpoints given remote work, which led to rapid growth in endpoint security spend from 2020-present. While it would be logical to assume a post-covid slowdown, endpoint spend has remained strong and next gen vendors continue to grow their pipelines. Industry analysts expect high teens industry CAGR through 2025 versus 25-30% CAGR since COVID. Near term growth is likely a function of some remaining greenfield in the SMB/mid-market, the perseverance of remote-work, and continued growth in certain non-laptop endpoints. Longer term, the industry should probably grow as a function of headcount, endpoints per employee, pricing, and upsell on related features.

The other important industry dynamic has been share shift away from old gen vendors (the largest being McAfee/Trellix, Trend Micro, Sophos, and Symantec/Broadcom) towards next gen vendors (CrowdStrike, Microsoft, and SentinelOne) over the last 4-5 years. These old gen vendors still have 40+% of market share and share shift can drive growth at next gen players for the next several years regardless of the underlying market growth.

Cybersecurity is considered one of the most defense part of the IT stacks and a top budget priority for companies. The ROI on cybersecurity spend has become increasingly clear to customers with the explosion in ransomware attacks that frequently force companies to pay up to millions of dollars. We hear tangentially that CISOs and CIOs plan to increase the % of their IT spend that goes towards cybersecurity.

Endpoint security in particular is viewed as one of the stickiest parts of the cybersecurity stack and an advantageous product position for platform expansion. Most breaches start at the endpoint, and having access to that telemetry data natively is a big advantage in offering other related cybersecurity products. Customers are increasingly looking to consolidate cybersecurity solutions under their endpoint providers. Below gives a sense of the players in the market and recent growth.

Competitive Landscape/Differentiation:

CrowdStrike is the most dominant player in this market. They have more breadth to their platform than SentinelOne, but a similar technology/performance proposition across endpoint and cloud workload security based on Gartner and channel checks. SentinelOne has a slight sticker price advantage over CrowdStrike. CRWD has seen some pricing pressure lately vs. SentinelOne which has not, which indicates that the price gap is closing somewhat. There’s also an additional price advantage to SentinelOne given it requires less servicing/management than CrowdStrike and other endpoint offerings.

SentinelOne has a distinct advantage with managed service providers which make up around 25% of their revenue base. Unlike CrowdStrike, they don’t compete with MSSPs and MSPs on services, which incentives them to push S to their customer bases. MSSPs continue to grow faster than their underlying markets given the shortage of cybersecurity professionals and outsized growth in endpoint spend in the SMB and mid-market where MSSPs reign. MSSPs also continue to move upmarket, which provides natural uplift to SentinelOne.

Microsoft Defender is the other big competitive threat here, especially in the SMB and mid-market where SentinelOne plays well. They’ve rapidly gained share in the endpoint space, and there’s a logical cross-sale opportunity from the expansive Microsoft ecosystem. From a pricing perspective, they undercut both SentinelOne and CrowdStrike, but the total cost of ownership when considering services and maintenance makes them comparable and can hurt MSFT on renewals. From a product perspective, we’re told that Microsoft Defender performs well on Windows systems but is somewhat lacking on non-Windows environments and more susceptible to breaches than CRWD or S. Competition with Microsoft is one of the most common questions that these management teams get asked. CRWD recently highlighted that 75% of the time when they investigate a MSFT customer breach, they had Defender in place. They also highlighted structural issues with their signature-based AV causing issues with breaches, analogous to issues in the past with McAfee. Both CRWD and S mentioned consistent win rates against Microsoft in their last quarter.

Another point of differentiation for SentinelOne is a strong backend system for data ingest with its XDR Data Stack and XDR Data Lake. This is an advantage as cybersecurity vendors continue to push the envelope on automation/AI and is hard to replicate given technical debt at its older competitors.

Growth Profile:

The company is guiding to ~47% ARR growth in FY24 which seems conservative. Guidance implies flat to down net new ARR in 2024. Management has commented that their guidance implies a worsening macro environment throughout ’24. While that held true for the first two months of the year, we’ve seen a better buying environment for cybersecurity through March and April. They also entered the year with a record sales pipeline. Channel checks indicate overall positive Q1 momentum for SentinelOne.

According to IDC the endpoint security market grew ~27% last year versus 106% growth at SentinelOne. For 2023, industry analysts expect ~19% endpoint security growth, cloud security growth of 27%, and identity security growth of 15%. Endpoint and identity growth should slow a bit in outer years given market maturity while cloud security growth is likely sustainable longer term.  With their underlying end markets expected to grow at a ~20% CAGR over the next few years, there are several levers that should drive continued outsized growth at SentinelOne:

1) Continued share shift towards next gen vendors (CrowdStrike, SentinelOne, and MSFT) and away from legacy endpoint vendors like McAfee, Symantec, and TrendMicro who still control 40+% of endpoint market share

2) Module expansion opportunity is still mostly ahead for SentinelOne with strong tangential offerings to endpoint. They have only recently opened up their non-endpoint offerings like cloud security to their channel partners and MSSPs. Unlike most everyone else in the cybersecurity space, they expect FY24 net new ARR to be driven primarily by new logos rather than cross-sell/upsell. CrowdStrike has an ARR/customer 2-3x higher than SentinelOne despite a stronger MSSP segment at S (MSSPs count as 1 customer) which speaks to the longer term opportunity as they go upmarket.

3) They have an outsized exposure to cloud security, which is the top priority for cybersecurity spend in 2023 and beyond and is a market that could prove larger than endpoint. Cloud security has lagged cloud spend with 1%-1.5% of public cloud spend spent on security today. This number could grow to 4%-5% of spend versus 5%-7% of overall IT spend on security. The infrastructure component of cloud security is provided by the cloud providers which accounts for a lower % of spend potential.

4) They have an outsized exposure and structural advantage with MSSPs which, as a segment, is growing faster than the overall endpoint space. SentinelOne has also indicated that 80% of MSSPs are still using old gen signature-based AV technology, which leaves a large runway for growth here as these MSSPs upgrade their underlying offerings. They’re also well positioned for the XDR/MDR industry transition.

5) Undersized amount of share in the endpoint security market compared to their premium technology positioning and a $50B market opportunity.

6) About half of their sales reps were new and un-ramped headed into 2023 per their Q3’22 earnings call. There should be a significant tailwind to sales and sales productivity as these sales reps ramp up the maturity curve in ’23.

Margins:

Margins ultimately seem more of an issue of scale rather than the business model. CrowdStrike had similar margins to SentinelOne at their current size and rapidly increased margins from -50% to positive from 2019-2021. For parallels on longer term margins, Fortinet, CrowdStrike, and Palo Alto all have 30+% FCF margins and Zscaler is over 20%.

They’re guiding to an operating margin of -25% for ’24 which seems reasonable. We model in ~3% of gross margin improvement in ’24 from increased scale and continued outsourcing of engineering/support labor to lower cost regions. If you assume their projected 50% revenue growth in ’24 is correct, that implies operating expense growth of 25%. Operating leverage does most of the work. They’ve indicated minimal investment in G&A next year, and you’re lapping the one-time G&A investments from the IPO. This allows S&M and R&D to still grow 30+%. S&M growth of 30% versus projections for flat net new ARR and a ramped salesforce seems conservative. They also recently indicated that they overinvested in Q3 and Q4 of ’23 to build out their record pipeline, which implies some additional tailwind on margin as those costs are not repeated.

Valuation:

We see fair value for SentinelOne at $23 or 6x FY25 revenue of $950M versus cybersecurity peers at 6-8x FY25 revenue. This seems reasonable given breakeven margins at S versus 25-40% FCF margin at peers, but with a much stronger growth profile and longer-term margin potential in the same range.

We think there’s downside support here as a viable takeout target, especially given recent rumors. $4B enterprise value is right in the sweet spot for PE and strategics, and S has a strong technology stack with sticky customers and platform effects for endpoint + related cybersecurity. They trade well below recent takeout multiples in cybersecurity. While these acquisitions happened during market periods with higher multiples, all were either in-line to above peer valuations with lower forward growth profiles and oftentimes without margins. ForgeRock (8x8 forward revenue on 26% exp. growth), Ping (7.1 forward revenue on 18% exp. growth), Mandiant (7.7x forward revenue on 24% exp. growth), SailPoint (11x forward revenue on 20% exp. growth), and Sophos (4.7x forward revenue on 9% exp. growth).

Risks:

1)      A slowdown in endpoint security spend and/or a slowdown in old gen to next gen share shift. While CrowdStrike was able to rapidly grow margins between ’18-’21, the next gen endpoint market is more saturated today after the post covid boom with less room to take share from incumbents like TrendMicro, McAfee/Trelix, and Symantec/Broadcom. This is a bit of a double whammy with margin inflection predicated on operating leverage from rapid growth.

2)      Competition based – Microsoft with Defender could end up being the dominant player and they prove endpoint security has strong platform tie ins to the MSFT suite. CrowdStrike could also edge out their growth prospects at SentinelOne as they move down market. You’re buying the 2nd/3rd player in a market with strong platform effects.   

3)      There’s been some talk about execution issues and turnover in the sales org. We think those are somewhat overblown. While the loss of their Chief Business Officer and Chief Marketing Officer to CrowdStrike in January was significant, SentinelOne maintains that the rest of the turnover in their sales organization was reps they had targeted to move on.

4)      It’s too early to buy unprofitable tech with a 2+ year timeline to positive margins

Catalyst

- Line of sight on margin inflection over the next 2 years

- Execution on growth targets

- Takeout offer