CrowdStrike and SentinelOne reported their Q4 results and FY22 annual earnings within a week of each other (March 9th and March 15th, respectively). Both companies are leaders in next generation Endpoint Detection and Response (EDR). They're also darlings of the stock market.
Since SentinelOne joined the growing list of public cybersecurity companies in mid-2021, their performance has been inextricably linked to CrowdStrike (for better or worse). On one hand, their stock price has probably received a healthy boost because CrowdStrike has performed so well as a public company in the 2.5 years since its IPO. On the other, SentinelOne is a (slightly) younger company, founded two years after CrowdStrike in 2013.
I have already written about CrowdStrike in detail at the time of their FY22 Q3 earnings. This article extends many of the foundational ideas that were relevant at the time of their Q3 earnings and revisits several ongoing topics. It's also the first time I've covered SentinelOne in detail — a company I wish I would have been able to start covering sooner.
Rather than covering both companies sequentially (as I've done in past earnings articles), I'm going to try discussing both in parallel. The topics we should be looking at are highly relevant for both companies. It's very interesting to look at them across the board instead of going company-by-company.
In this article, we're going to cover:
Financials: An overview of FY22 financials, which both exhibit classic signs of hypergrowth.
Layering Strategy: The drivers behind growth and product strategy start with bundling and layering.
Partnerships and Marketplaces: Partnerships are an important growth driver for both companies, and marketplaces are an emerging channel.
Competition: EDR is a competitive market with some friendly (?!) shade that gets thrown from time to time.
First, let's talk about hypergrowth.
Classic Hypergrowth Financials
CrowdStrike and SentinelOne are both hypergrowth companies in terms of Annual Recurring Revenue (ARR). Both companies are growing rapidly across several important financial metrics.
Unsurprisingly, their valuations are enormous: $51.2 billion for CrowdStrike, and $10.39 billion for SentinelOne as of the time this article was written. Valuations go up and down with the market, but both companies are consistently among the highest valued cybersecurity companies.
We'll start this earnings analysis by covering a few of the most important metrics before moving on to other product and strategy-related topics.
CrowdStrike's revenue grew 66% year-over-year to $1.35 billion. That makes CrowdStrike one of the largest pure cybersecurity companies in public markets — almost exactly the same as Okta ($1.3 billion), and nearly 7x higher than SentinelOne.
SentinelOne's FY22 annual revenue was $204.8 million, a 120% increase from FY21. Don't let the comparison to CrowdStrike fool you, though. People quickly forget that SentinelOne just went public on June 30, 2021. They're growing very quickly (120% revenue growth in Q4), and compounding growth adds up.
Annual Recurring Revenue (ARR)
CrowdStrike and SentinelOne both earn most of their revenue from software subscriptions, so ARR is one of the most important metrics for measuring their growth. CrowdStrike's ARR grew 65% to $1.73 billion. SentinelOne's full annual results aren't out yet, but their ARR grew 123% year-over-year in Q4.
Some analysts didn't like the deceleration in ARR growth for CrowdStrike. ARR growth has declined ~10% in total across the past four quarters. It has also declined 27% in the past three years, from 92% in FY20 to 65% in FY22. Let's be real here, though: 65% annual ARR growth is still a lot.
Both companies have a lot of customers and are adding thousands more every quarter. CrowdStrike's customer count increased 65% to 16,325 in FY22. Growth included 1,600 new customers in Q4 alone.
SentinelOne reported 6,700 total customers at the end of FY22, growing by 70% with the addition of over 3,000 new customers. This was actually a ~10% deceleration from the prior year. EDR is a competitive market, which was likely the cause.
CrowdStrike is seeing a lot of success with larger enterprises. They also had a signature win in FY22 with the U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) to protect federal agencies.
Part of being a hypergrowth company is making investments in growth. The consequence is heavy operating losses. CrowdStrike and SentinelOne are no exception.
CrowdStrike's loss from operations was $142.5 million in FY22 — well within the Rule of 30, but still high. Their leadership team has been unabashedly consistent about continuing to invest in growth. This earnings call was no exception. From CFO Burt Podbere:
...the guide really reflects what we really want to do this year, which is aggressively invest in the business. We've got this opportunity in front of us. We think there's a tremendous amount of demand. There's a tremendous big opportunity for us, and we're going for it.
SentinelOne's loss from operations was actually higher — $267.2 million for FY22. That's an operating margin of -130%, meaning the company spent $1.30 for every $1 they earned. Losses of this magnitude might seem wild, but it's somewhat reasonable in an IPO year for a company growing at the rate SentinelOne is. From CFO David Bernhardt:
Our non-GAAP operating margin was negative 66% compared to negative 104% a year ago, a huge improvement of 38 percentage points. And we achieved these impressive results while investing for growth throughout the year, including the IPO, new product launches and doubling of our workforce.
SentinelOne's operating margins are improving in a hurry if FY23 projections hold. Again from David Bernhardt:
For non-GAAP operating margin, we expect negative 84% to 86% in Q1 and negative 55% to 60% for the full year. Both of these represent meaningful year-over-year improvements. At the midpoint, we expect Q1 operating margin to improve over 40 percentage points and full year operating margin to improve over 25 percentage points.
As long as both companies continue growing at this rate, most investors and analysts are going to be able to stomach the losses.
FY23 Earnings Guidance
CrowdStrike is expecting to break $2 billion in revenue during FY23. They projected 47-49% revenue growth to finish the year around $2.1 billion. As you'd expect for a smaller company, SentinelOne is projecting approximately 80% revenue growth to $366-370 million in FY22.
Even if growth slows slightly (as it did for CrowdStrike), both companies are outpacing the growth of most other public cybersecurity companies. The probability of either company being acquired by a private equity firm or large tech company is very low.
Sustainable hypergrowth is a good thing, and the leaders at both companies appear confident they've achieved it. Tactically, what makes this level of hypergrowth possible? Let'd discuss a few of the enablers next.
Layering Beyond Endpoint Detection and Response
The major strategic theme for both CrowdStrike and SentinelOne is the expansion and diversification of their core EDR products into a broader platform of adjacent modules.
I wrote about the concept of bundling and unbundling in CrowdStrike and the Bundling of Cybersecurity. A related concept is layering, which I discussed when talking about HashiCorp's IPO. Both concepts absolutely describe what is happening today for CrowdStrike and SentinelOne.
Bundling is the consolidation of products in a way that's appealing to customers. I previously described the customer demand in cybersecurity like this:
However, the change is underway. Customers want bundling. Take a look through InfoSec Twitter or LinkedIn on any given day, and you're bound to find someone ranting ad nauseam about topics like vendor fatigue, agent bloat, or the explosion of acronyms in the industry. These are all symptoms of the upstream customer desire for bundling.
InfoSec experts would love nothing more than to have a single security agent running on every endpoint. That's exactly what CrowdStrike CEO George Kurtz wants to do:
...it goes to our strategy of consolidating agents and getting rid of other technologies that are costly and complex and weigh the system down.
Layering is a complimentary strategy that also aligns closely with growth. The big idea behind layering is that companies need to continue adding products to their core offering (at a certain point, well after product-market fit) to offset slowing growth rates from market saturation.
Andreessen-Horowitz Managing Partner Jeff Jordan described the concept of layering like this:
I came to call this process of layering in new innovations on top of the core business “adding layers to the cake”. Much of the natural effort in the organization is spent on chasing optimization of the core business. This makes sense, as small improvements in a big business can have a meaningful impact. But there is huge potential leverage to adding layers of new, complementary businesses on top of the core (aka “cake”).
Once you have these two concepts in your mind, it's easy to recognize them all over the place in the earnings discussions with George Kurtz and SentinelOne CEO Tomer Weingarten. George Kurtz straight up declared CrowdStrike to be a hypergrowth platform company:
You have heard me say that CrowdStrike is more than just an endpoint provider. The success of our platform strategy is reflected in the hyper growth we are deriving from many of our modules as well as our strong module adoption metrics, which have consistently increased quarter-after-quarter.
...and Tomer Weingarten talked about the idea of layering on top of SentinelOne's core endpoint security product:
Throughout the year, we significantly expanded our platform offerings. Our endpoint solution remains the primary driver of our business, which is being complemented by emerging growth vectors, including cloud, IoT and data.
Both examples are layering in action: establish a core product (endpoint security — the "cake") and add layers of new, complimentary businesses (IT hygeine, vulnerability management, cloud, IoT, etc.).
The companies aren't adding layers in exactly the same way, but they are clearly following each other's moves. One example happened earlier this month. SentinelOne announced the acquisition of Attivo on March 15, 2022, mirroring CrowdStrike's late 2020 acquisition of Preempt. The acquisitions add identity protection capabilities to both platforms.
The platforms aren't a 1:1 match of each other (CrowdStrike now has 22 total modules). However, the similarities in product strategy across data/log management, identity protection, and XDR are easy to see.
With the concepts of bundling and layering now established, let's look deeper into a few specific areas.
Data and Log Management
Aside from behavioral-based endpoint protection, cloud-based data capabilities are one of the main differentiators for CrowdStrike and SentinelOne. Both companies made significant investments into this area in February 2021 — essentially a big splash to kick off their respective FY22 fiscal years. SentinelOne acquired Scalyr, and CrowdStrike announced their acquisition of Humio nine days later.
Fast forwarding through the remainder of 2021, Humio and Scalyr (now branded DataSet) are core components for both product and growth strategy at their respective companies. Here's a growth example from CrowdStrike via George Kurtz:
Our success with Humio this quarter included securing a seven-figure deal with a financial services customer, whose existing log management solutions have become budget prohibitive given the exponential growth of data being captured by their dev ops team.
...and a product example from SentinelOne via Tomer Weingarten:
Building upon the acquisition of Scalyr, we launched DataSet in February of this year, a revolutionary live enterprise data platform for data queries, analytics, insights and data retention. DataSet expands our capabilities beyond cybersecurity use cases. It's a cloud-native, flexible enterprise data platform built for petabyte scale. Not only DataSet is the back end for our Singularity XDR platform. The technology is already being used by hundreds of enterprises, analyzing trillions of real-time events.
The commitment to making large scale data management and analysis a core part of both platforms is clear. Each company made a lot of progress in FY22.
However, the scope of both products remains somewhat unclear. Both CEOs discussed non-security use cases on their respective earnings calls. George Kurtz talked about Humio wins beyond security:
We talked about some of the big wins with Humio. Some of them are not even security related. They're simply observability. The beauty of that technology is the ability to get data from just about any source and answer any question at scale.
Likewise, Tomer Weingarten discussed use of DataSet as a foundation for data beyond security:
...when you're talking about the DataSet brand, we're really more addressing the known security use cases.
DataSet is really focused on addressing all use cases above and beyond security.
DataSet is our ability to now go and expand on the foundation that Scalyr was built upon and really tailor not into just logging environment and production environment but also even business data, where we see some of our existing customers are ingesting unstructured data from every source, not only production, not only logging, and are deriving insights from the data that they put into the platform.
Analysts on the Q4 earnings calls (and prior) seemed to be confused about using the products for non-security use cases and selling to buyers other than the CISO. There was also confusion about the relationship between the data platforms and XDR.
Part of the confusion is because, pre-acquisition, Humio and Scalyr were both used for a broad set of data analytics use cases. Cybersecurity was one use case, albeit compelling enough to drive the acquisitions of both startups by CrowdStrike and SentinelOne.
I expect the messaging around use cases will be refined this year as the path forward for both products becomes more clear. Any confusion is mostly driven by semantics. Both products were good acquisitions. They've clearly become an essential part of their respective platforms going forward.
As briefly mentioned earlier in this section, CrowdStrike and SentinelOne are now both the proud owners of identity protection companies (Preempt and Attivo, respectively). Before we go too far into the impact of these acquisitions, there's a distinction that needs to be made: what exactly do identity protection products do, anyway?
The first point to be abundantly clear about: identity protection is not the same as SailPoint, CyberArk, Okta, or any of your favorite companies from the broader access control part of the cybersecurity ecosystem. This isn't CyberArk acquiring a cloud authentication product to compete with cloud authentication companies. CrowdStrike and SentinelOne are not competing head on with any of these companies.
Identity protection is about detecting and protecting against threats and attacks related to identity. It's essentially fulfilling the promise of identity analytics that hasn't quite been figured out by other companies yet.
George Kurtz had a nice explanation of the business problem on CrowdStrike's earnings call:
Last year, 62% of attacks we observed were malware-less with most of these involving compromised identities. We expect that both e-criminals and nation-state adversaries alike will continue to exploit vulnerabilities across endpoints and cloud environments and ramp up tradecraft around the use of identity and stolen credentials to bypass legacy defenses.
Ironically, this approach of malware-less attacks involving compromised identities appears to have caused the security incident with Okta last week. That's not to make an example of Okta — just one of many illustrations why the need for identity protection products is important and potentially helpful in mitigating these types of attacks.
Fresh off the acquisition, Tomer Weingarten described how Attivo will expand SentinelOne's platform:
Attivo, as part of SentinelOne, will help organizations reduce their attack surface not only at the device level but now at the human identity level, too.
Bigger picture, CrowdStrike and SentinelOne may have finally figured out how to incorporate useful identity analytics into a product portfolio (and their customers' security programs). This has been an elusive need in the industry.
Identity protection seems like it could have been a logical product extension for Identity and Access Management (IAM) companies. Companies like SailPoint have kinda-sorta been working on identity analytics products for a while. For whatever reason, the products didn't stick with customers yet — too early, perhaps?
The distinction about identity analytics/protection belonging within the access control domain isn't as black-and-white as it may seem. Data about identity-related threats also makes a lot of sense in an EDR/XDR platform — it's the centralized place for enterprise threat detection, after all.
Regardless, it will be interesting to see how the identity protection products grow and expand now that Preempt and Attivo have found new homes within CrowdStrike and SentinelOne.
eXtended Detection and Response (XDR)
We can't discuss EDR without XDR, right?! Tomer Weingarten did a great job explaining why this topic is worth talking about:
If we look at the evolution of cybersecurity technologies for a moment, it's clear that legacy AV represents the past, EDR is the present and XDR is the future. While the majority of enterprises still utilize legacy AV solutions, we have undoubtedly entered the XDR era.
Both companies view XDR as the culmination for how their respective bundling and layering strategies fit together. For example, Tomer Weingarten specifically mentioned how both identity protection and data/log management fit into their product strategy for XDR:
Identity Protection: User-centric identity protection is highly complementary and value-add for our XDR platform and customers.
Data/Log Management: DataSet is the back end for our Singularity XDR platform.
CrowdStrike and SentinelOne are both leading candidates to capture the market in the XDR era, however it eventually pans out. George Kurtz certainly thinks so:
We just launched [XDR]. We're working with a lot of customers. We're adding more integrations around that. But we're really excited about that and we believe that's really a technology that will subsume the SIEM market, and we think we're in a perfect pole position to be able to capture it.
This market (and the products in it) are still being sorted out. It's clearly a top priority for both CrowdStrike and SentinelOne, though.
The similarities in both companies' product strategies are evident, but the comparisons don't stop there. Partnerships are a top priority for the growth strategy of both companies. We'll briefly discuss this topic next.
Partnerships All The Way Down
CrowdStrike and SentinelOne are both partner-first companies. Why? This quote from Tomer Weingarten pretty much sums it up:
I think the growth environment on the partner side is really unbounded.
For both companies, "partnerships" is a relatively broad umbrella that includes multiple different channels within it. CrowdStrike and SentinelOne are partners with much larger companies (AWS, for example) and much smaller companies. CrowdStrike also has an ecosystem of its own with the Crowdstrike Store. It's partnerships all the way down.
The even better news is that partnerships are going well for both companies. Let's look into this success a bit more closely.
Philosophically, both companies are built around partnerships as one of the primary drivers of growth and adoption for products. George Kurtz described CrowdStrike's long-term partnership strategy on the earnings call:
When you think about our partner opportunities and CrowdStrike, first, we're a partner-first company. That's the way I built it. We haven't wavered from that.
The strategy is working out nicely for both companies. Tomer Weingarten summarized SentinelOne's success with partnerships like this:
Our partner ecosystem continues to magnify our market presence, significantly extending our reach and efficiency. Our strategic technology and services partners have grown to over 20% of our business. This includes MSSPs, MDRs and IR firms. These partnerships are accretive to our overall growth rate with significant business expansion opportunities yet to be unlocked.
Partnerships representing 20% of the business is no small feat. It's a similar story for CrowdStrike. They directly generated $92 million in revenue from professional services in FY22 — that's a lot for a product company.
However, they're consistently clear about viewing professional services as an opportunity to sell software. From George Kurtz on the earnings call:
Our professional services organization is a strong lead generation engine for the Falcon platform. Among organizations who first become a customer after February 1, 2020, and for each $1 spent by those customers on their initial engagement for our incident response or proactive services. As of January 31, 2022, we derived an average of $5.71 in ARR for those subscription contracts, up from $5.51 reported last year.
CrowdStrike's 10-K filing checks out with Kurtz's statement:
"We view our professional services business primarily as an
opportunity to cross-sell subscriptions to our Falcon platform and cloud modules."
Growing via partnerships is mutually beneficial. Partners get to provide services to companies who use the products, and the products get brought into clients of partners. However, the topic of competition or cooperation is a continuous source of tension in partnerships.
George Kurtz put the concerns to rest (for now) with CrowdStrike partners:
We've taken the right approach to not compete with partners, to augment what they're trying to do. And what we've seen in the managed service world is that the managed service providers are looking for the best endpoint platform that they can plug in and offer other services.
...as did Tomer Weingarten with SentinelOne partners:
I can't stress enough that we don't compete with our partners. We work with over 100 of the world's leading IR firms, enabling us to address a majority of the IR market worldwide. These partnerships create hundreds of high-value and fast-moving opportunities every quarter. This is significantly more coverage than any single vendor could hope to gain on its own.
CrowdStrike and SentinelOne both offer professional services, including some that could potentially be viewed as competitive with partners. However, these "we don't compete with partners" statements make it relatively explicit that both companies are happy to defer to partners for services when needed.
Marketplaces are an emerging trend in partnerships throughout cybersecurity, and especially for CrowdStrike and SentinelOne. As I mentioned in the intro for this section, marketplace partnerships go both ways. Each company has partnerships with larger and smaller partners.
In his opening remarks on the earnings call, George Kurtz specifically highlighted CrowdStrike's partnership success with AWS, a much larger partner:
One partner I'd like to highlight is AWS. In fiscal 2022, ending ARR transacted through the AWS marketplace grew more than 100% year-over-year.
CrowdStrike ended the year as one of the top ISV partners by transaction volume on the AWS Marketplace, with partner source deals growing strongly throughout the year. We believe this speaks to the success of our partnership with the world's largest public cloud provider and highlights the value we can provide to both partners and customers alike.
SentinelOne didn't make any specific comments about the AWS marketplace or others, but they do have a listing there. However, they did specifically mention Managed Security Service Provider (MSSP) partnerships, including one with the Pax8 cloud marketplace. These partnerships have had similar results:
Looking at just a few of our top MSSP partners like Enable and Pax8, they represent millions of endpoints now secured by SentinelOne.
CrowdStrike is also having success with its own store. George Kurtz shared some financial details to back it up:
Q4 was also a record quarter for our partner ecosystem. In total, for fiscal year 2022, we gained significant leverage from our partner ecosystem. During the year, partner stores ending ARR grew 83% year-over-year with our MSSP business growing more than 200%.
There is precedent here. The Okta Integration Network, for example, is a huge contributor to the company's success. CrowdStrike may not need the same level of success with their own store, but this kind of growth for partners definitely encourages more companies to create listings.
Partnerships of all types will continue to play a major role in the futures of both companies. It's a competitive market. They need as much help as they can get from partners to grow and maintain relationships with customers.
Ending on a somewhat humorous note — these companies love to throw shade at each other. It happens on basically every earnings call. The nature of the jabs usually has something to do with technical limitations or other issues in the product. This quarter was no exception.
George Kurtz started the jousting with this customer story:
...this organization had chosen a next-gen competitor to protect a server environment. But after six months, they were still struggling to deploy the other vendors' products in its server environment. They were plagued by forced reboots, significant memory usage and unmet product road map promises...
Side-by-side, we showcased our differentiation on a broad scale and a real production environment...This customer terminated the other vendors contract and is now deploying Falcon to protect their services globally.
Tomer Weingarten had his own story a few days later on SentinelOne's earnings call:
Their existing next-gen EDR vendor failed to quickly deploy and left critical Mac and Linux attack surfaces unprotected. They terminated their existing 3-year subscription mid-flight and turned to SentinelOne. Singularity XDR deployed instantly across the whole enterprise...
I could be wrong here. It's certainly possible they could be talking about other next-gen EDR companies. Such is the nature of shade — it's hard to see through subtle, veiled insults.
Regardless, it's clear this is a competitive market segment where the competition is a little more chippy than other parts of the cybersecurity ecosystem. We'll check back in on both of these companies later in the year as the competition for EDR, XDR, and beyond rages on.
Thanks for reading! How did you like this article?