a. SentinelOne 101

Endpoint & Data Cores:

SentinelOne's endpoint and Security Information and Event Management (SIEM) suites are the core pillars of its operations. It’s also quickly expanding into cloud security, which adds pretty much every large next-gen platform as competition.

  • SIEM: Aggregating data (or “logs”) to help organizations uncover and remediate threats.

It specializes in small-and-medium-sized business (SMB) clients and is expanding up-market. While CrowdStrike’s overarching platform is called Falcon, SentinelOne’s comparable suite is called the “Singularity Platform.” Core products include Endpoint Detection and Response (EDR). EDR offers constant monitoring and protection of endpoints (like a company iPhone). It unveils, prioritizes and responds to observed threats. Like CrowdStrike, it offers highly autonomous services and a slick, lightweight agent to drive efficient work and interoperability. This, in turn, means overarching coverage and superior breach protection vs. legacy incumbents.

Also similarly to CrowdStrike, SentinelOne boasts a complementary data analytics platform (which it calls Singularity Data). This ingests data from a multitude of diverse security products. It’s the perfect sidekick for everything SentinelOne offers, as it can seamlessly collect data once, and recycle that data across as many relevant use cases as it needs to. This capability is especially important for the firm’s Extended Detection and Response (XDR). XDR is simply EDR with more diverse data usage to extend protection beyond solely the endpoint.

Singularity Data ingests data via “log scale,” which means logarithmically organizing and storing information. The company also says customers get lower cost and faster querying speeds with it.

Like Palo Alto and CrowdStrike, SentinelOne is looking to use its SIEM and endpoint talents to become a customer’s security operations center (SOC). This means the vendor of record that provides a holistic, end-to-end protection for its clients. And just like those two larger competitors, SentinelOne is trying to expand into cloud, identity and exposure management to enhance cross-selling and retention. It’s behind larger competitors in this regard, but is making progress:

All in all, there are three compelling effects of its product architecture:

  • Open, inter-platform data sharing leads to more effective algorithm seasoning to drive better coverage and false positive minimization.
  • Cross-selling is especially margin accretive for this business model. SentinelOne incurs most of its customer costs as it deploys its first module; cross-sells are almost pure margin.
  • Seamless expansion into other relevant security niches…

Just like CrowdStrike (noticing a theme?), it’s also actively expanding into cloud security. Important cloud security acronyms:

  • CNAPP = Cloud Native Application Protection Platform. This is a buzz phrase used to describe a firm’s full set of cloud tools.
  • CWP = Cloud Workload Protection. It’s an agent-based, runtime cloud protection tool to observe any bad behavior by cloud environment entrants. It sounds the alarm bell for SentinelOne’s automated breach prevention and, if needed, the Managed Detection and Response (MDR) threat hunting team (called Vigilance).
  • CSPM = Cloud Security and Posture Management. CSPM reports vulnerabilities and conducts configuration analysis in any cloud environment. It can flag improper permissions or hygiene. It doesn’t stop breaches in isolation, but does offer needed alerts, which frees other cloud tools like CWP to do so.
    • It acquired PingSafe to expedite delivery of this key cloud capability and bring its product suite closer to parity with CrowdStrike.
    • Launched AI Security Posture Management (AI-SPM) to extend its CSPM offering to AI apps and models. CSPM tools are repurposed here to offer the same misconfiguration and hygiene issue-flagging services in the world of GenAI. 
  • Cloud Infrastructure Entitlement Management (CIEM). CIEM offers seamless oversight of access controls/entitlements for cloud assets. It can “detect over-privileged humans and machines, pinpoint toxic permission combinations and curtail risk with greater speed and efficiency.” This was one of the largest product gaps remaining between SentinelOne’s suite compared to Palo Alto and CrowdStrike.
  • It more recently added runtime security to stop breaches in cloud environments.

GenAI:

PurpleAI is SentinelOne’s overarching GenAI platform layer to up-level its product offering. It’s quite similar to CrowdStrike’s Charlotte AI, in that it can actively detect anomalies, summarize cases, help orchestrate remediations and fix issues with a human analyst’s permission. All of this pushes beginner-level security analysts to much higher levels of capability. This matters a lot in our budget and talent-constrained world.

The company does have exposure management (vulnerability management) and identity tools, but the aforementioned offerings drive the vast majority of its current business.

b. Key Points

  • Improving execution led to a large net new annual recurring revenue (NNARR) beat.
  • Outperformance driven by both new customer growth and cross-selling.
  • Taking market share across most of its product categories.
  • A great step in the right direction following a poor year of performance.

c. Demand

  • Slightly beat revenue estimates & slightly beat guidance.
    • International revenue rose by 27% Y/Y.
  • Beat ARR estimates by 1.5%.
  • Beat $38M NNARR estimates by $15M or 39%. It also beat internal company expectations by about 40%.
    • NNARR rose by more than 20% Y/Y as it enjoyed a “strong uptick in new business generation.”
  • Missed 1,531 $100K+ ARR customer estimates by 18 customers or 1.2%.

While the revenue beat was fairly modest, the NNARR beat was nothing short of great. It was massive for its scale, and came as S took market share in “pretty much every growth area” it competes in (per the team). Part of me assumed there had to be some big customer win or pull-forward. That wasn’t the case. The beat was entirely structural in nature and “broad-based.” It was driven by both new customer strength as well as existing customer up-sells to non-endpoint solutions. Specifically, Purple AI and SIEM were its fastest-growing product categories.

The data business enjoyed an acceleration in bookings growth, while its Y/Y endpoint bookings growth was higher than it has been in a year.

💡
“These results underscore our stronger competitive position and growing product differentiation… Organizations need a platform experience that brings simplicity, intelligence and best-in-class security. That's exactly what Singularity delivers: streamlined operations, faster time-to-value and superior protection through a unified AI native platform.” – Founder/CEO Tomer Weingarten

d. Profits & Margins

  • Slightly beat 79% GPM estimates & slightly beat guidance.
  • Beat $1M EBIT estimates by $4.4M & beat guidance by $5.4M.
  • Beat $0.03 EPS estimates by $0.01.
  • Missed $2M FCF estimates by $9M.

e. Balance Sheet

  • $800M in cash & equivalents.
  • $350M in long-term investments.
  • No debt.
  • 5.9% Y/Y share count dilution.

f. Guidance & Valuation

  • Slightly raised annual revenue guidance, which slightly beat estimates.
    • The roughly $15M raise is mainly due to Q4, as Q2 was about $200,000 above expectations and Q3 is about $600,000 above expectations.
  • Lowered annual 79% GPM guidance by 25 basis points (bps; 1 basis point = 0.01%), which slightly beat estimates.
  • Lowered annual $35M EBIT guidance to $30M, which missed by $3.3M.
    • This is related to Prompt Security M&A and some FX headwinds.
  • Lowered FCF margin guidance from several points higher than EBIT margin to a few points higher than FCF margin.
  • For Q3, revenue and GPM guidance was slightly ahead of estimates and EBIT was in line.
  • CFO Barbara Larson said SentinelOne’s rest of year NNARR expectations have “relatively improved.”

Leadership said a few times on the call that the guidance raise is based on pipeline strength. The targets also bake in "prudent assumptions given a dynamic macro backdrop” and “variability in the timing of larger deals."

g. Call & Presentation

Prompt Security M&A:

We got more detailed on SentinelOne’s $180M acquisition of Prompt Security announced earlier in the month. It’s expected to close this quarter, have an immaterial impact to full-year revenue and lower operating margin by 80 bps (hence the guidance reduction).

Prompt Security is like a data loss prevention (DLP) tool that’s purpose-built for the GenAI era. The company helps companies safely and confidently embrace models, apps and agents. It protects customers from malicious prompt injections (overwhelming models with low-quality instructions or inaccurate information), and safeguards valuable data. As leadership puts it, enterprises want control of data and real-time streaming of that data; Prompt gives that to SentinelOne. Generally speaking, this organization provides companies with “visibility and control over GenAI… without slowing innovation.” SentinelOne is excited to add this to its suite of data products and eventually expand its DLP capabilities to other non-AI assets.

💡
“Importantly, this unlocks a new frontier of growth for our company and reinforces our role in defining AI native cybersecurity in the future… just by the early traction, we believe it’s going to be a significant contributor in the year to come.” – Founder/CEO Tomer Weingarten

SentinelOne Flex & Platform-Level Adoption:

SentinelOne officially launched SentinelOne Flex. As the name indicates, this is quite similar to CrowdStrike’s Falcon Flex, and is designed to drive model purchasing autonomy for its customers. With it, clients enter “one agreement that covers the entire platform,” meaning they can mix and match products without needing to go through procurement processes and can seamlessly add new products as they debut. Early on, this is already above $10M in total deal value (TDV); it's showing clear signs of shrinking the sales cycle and driving faster platform-wide adoption.

Importantly, it's still very early for this Flex offering and not yet a material driver of material cross-selling. Despite this, half of SentinelOne’s NNARR outperformance still came from module additions from existing customers. Platform momentum is strong pre-Flex tailwind. The effective shift again led to 50% of its total bookings coming from non-endpoint solutions and meaningful ARR per customer growth. Flex should merely support this building momentum. 

Purple AI:

IDC came out with an encouraging study on SentinelOne’s Purple AI offering. While the vast majority of AI spending struggles to find positive ROI, this is bucking that trend. It’s delivering a 3-year ROI of 338%, 55% faster time to remediation and 60% lower likelihood of a major incident. This helped the product grow at a 100%+ Y/Y clip and reach a 30%+ contract attach rate vs. 25% Q/Q. It's already closing 7-figure deals on its own and is off to a promising start.

Wins:

  • Global media conglomerate purchased product, data and cloud products to “reduce tool sprawl and improve operational outcomes.”
  • Its SIEM offering won an “iconic luxury brand” and standardized on the Singularity Platform and SOC.
  • Its cloud business won a Fortune 50 brand with “10,000s of cloud workloads. They were specifically drawn to its Hyperautomation product. This provides pre-built, no-code integrations and malleable templates for common cybersecurity issues like ransomware.
  • SentinelOne Flex was the source of its largest quarterly win. It helped SentinelOne land a “multinational conglomerate” with cloud, SIEM, Purple AI, Hyperautomation and hundreds of thousands of endpoints.

Partners:

The Lenovo deal is ramping nicely and giving the team confidence in this being a material revenue driver in the years to come. The company also added its SIEM, Purple AI and Singularity Cloud suite to the AWS AI Agents and Tools marketplace and was an AWS Security Hub launch partner (along with CrowdStrike). It called Managed Security Service Provider (MSSP) traction strong.

Other News:

  • As previously discussed, it achieved FedRAMP High Authorization for its endpoint, data, cloud and Hyperautomation offerings in May.

h. Take

While I can’t call this amazing, the quarter was SentinelOne’s best in over a year. And it was reasonably strong. The revenue beat doesn’t loudly show it, but the NNARR outperformance was very good. One quarter doesn’t make a durable trend, and they have more proving to do. But still, this is a sorely needed first step in the right direction after a lengthy period of underwhelming performance. I also do not mind the negative profit guidance revision, as it’s related to M&A that I find appropriate and compelling.

I was running out of patience here and entertaining a strong likelihood of exiting after another bad quarter tonight. That bad quarter fortunately didn't come. As I wrote in the Discord (Max readers, join), I was determined to give them one more chance to show signs of righting the ship. They did, and I’m sticking with this company for another 3 months. As I've been saying, this is not a technology issue. They rank very highly across 3rd-party research firms, just like CrowdStrike. This was go-to-market and execution problems that now seem to be easing.

I want to wait for them to deliver another strong performance during Q3 before I get too encouraged, but this was an excellent start in rebuilding conviction in this name. More quarters like this one and it’s hard to believe S will stay at a 1.3x forward PEG. It does not deserve CRWD's 3.6x PEG, but simply closing a little bit of the gap would yield considerable gains.

Just keep executing.

Reply

Avatar

or to participate

Keep Reading

© 2026 Stock Market Nerd.
beehiivPowered by beehiiv