Table of Contents

• 1. SentinelOne (S) – Earnings Review

  • a. SentinelOne 101:

  • b. Demand

  • c. Profits & Margins 

  • d. Balance Sheet

  • e. Annual Guidance & Valuation

  • f. Call & Letter

  • g. Take

• 2. CrowdStrike (CRWD) — Earnings Review

  • a. CrowdStrike 101

  • b. Demand

  • c. Profits & Margins

  • d. Balance Sheet

  • e. Guidance & Valuation

  • f. Call & Release

  • g. Take

• 3. Nvidia (NVDA) — Earnings Review

  • a. Nvidia 101

  • b. Demand

  • c. Profits & Margins

  • d. Balance Sheet

  • e. Guidance & Valuation

  • f. Call & Release

  • g. Take

1. SentinelOne (S) – Earnings Review

a. SentinelOne 101:

SentinelOne directly competes with CrowdStrike, Microsoft Defender and Palo Alto in endpoint security. It specializes in small-and-medium-sized business (SMB) clients and is now expanding up-market. While CrowdStrike’s overarching platform is called Falcon, SentinelOne’s comparable suite is called the “Singularity Platform.” Core products include Endpoint Detection and Response (EDR). EDR offers constant monitoring and protection of endpoints (like a company iphone). It unveils, prioritizes and responds to observed threats. Like CrowdStrike, it offers highly autonomous services and a slick, lightweight agent to drive interoperability. This, in turn, means overarching coverage and superior breach protection vs. legacy incumbents.

Also similar to CrowdStrike, SentinelOne boasts a complementary data analytics platform (which it calls the Singularity Data Lake). This lake can ingest structured data from a multitude of diverse security products. It’s the perfect complement for every product it offers, as it can seamlessly collect data once, and recycle that data across as many relevant use cases as it needs to. This capability is especially important for the firm’s Extended Detection and Response (XDR). XDR is simply EDR with more diverse data usage to extend protection beyond solely the endpoint.

The Singularity Data Lake ingests data via “log scale,” which means logarithmically organizing and storing data. The company also says customers get lower cost and faster querying speeds with it too. The service of aggregating data (or “logs”) to help organizations uncover and remediate threats is called Security Information and Event Management (SIEM).

All in all, there are three compelling effects of this product architecture:

• Open, inter-platform data sharing also leads to more effective algorithm seasoning to drive better coverage and false positive minimization.

• Cross-selling is especially margin accretive for this business model. SentinelOne incurs most of its customer costs as it deploys its first module; cross-sells are almost pure margin.

• Seamless expansion into other relevant security niches…

Just like CrowdStrike (noticing a theme?), it’s also actively expanding into cloud security. Important cloud security acronyms:

• CWS = Cloud Workload Security. It’s an agent-based, preventative cloud protection tool to observe any bad behavior by cloud environment entrants. It sounds the alarm bell for SentinelOne’s automated breach protection and, if needed, the Managed Detection and Response (MDR) threat hunting team (called Vigilance).

  • This was SentinelOne’s original aloud product.

• CNAPP = Cloud Native Application Protection Platform. This is a buzz phrase used to describe a firm’s full set of cloud tools.

• CSPM = Cloud Security and Posture Management. CSPM reports vulnerabilities and conducts configuration analysis in any cloud environment. It can flag improper permissions or hygiene. It doesn’t stop breaches in isolation, but does offer needed alerts, which frees other cloud tools like CWS to do so.

  • It acquired PingSafe to expedite delivery of this key cloud capability and bring its product suite closer to parity with CrowdStrike.

Agent vs. Agentless in Cloud:

CWS takes an agent-based approach while CSPM is agentless. Agent-based requires a direct software installation, while agentless does not. One isn’t objectively better than the other. Agentless is considered cheaper, easier to deploy and easier to scale. It’s perfect for lower-stakes use cases like configuration analysis and is a perfect complement to CWS. Companies just starting out with finite budgets, massive potential scaling needs and a lack of hyper-sensitive data can adopt an agentless approach. Agent-based is considered more comprehensive and has more complete visibility. Industries with tighter regulation, more sensitive assets, a need for real-time EDR and more complex compliance are well served by agent-based. By offering both, SentinelOne can address both markets, thus eliminating the need for disparate point solutions.

GenAI:

PurpleAI is SentinelOne’s overarching GenAI platform layer to up-level its product offering. It’s quite similar to CrowdStrike’s Charlotte AI, in that it can actively detect anomalies, help orchestrate remediations and fix issues with a human analyst’s permission. All of this pushes beginner-level security analysts to much higher levels of capability. This matters a lot in our budget-and-talent-constrained world.

b. Demand

• Beat revenue estimate by 0.8% & beat guide by 1%. Its 39.3% 2-year revenue compounded annual growth rate (CAGR) compares to 54% last quarter and 63% two quarters ago.

• Beat Annual Recurring Revenue (ARR) estimate by 0.5%. Beat net new ARR (NNARR) estimates by 4.8%. Met vague NNARR guidance calling for a Q/Q “acceleration.” It exceeded internal ARR estimates by a “double-digit percentage.”

• Remaining performance obligations (RPO) rose by 40% Y/Y as it enjoys more large contract momentum. This will translate into ARR over time, so it’s encouraging to see this metric’s growth leading ARR and revenue.

• Missed 1,273 $100,000 ARR client estimates by 40.

• Net revenue retention (NRR) remained “solidly in expansion territory.” It continues to focus on new customer wins rather than expansions. This means lower NRR today, but more cross-selling down the road.

The CrowdStrike outage had zero impact on Q2 results as it occurred almost all the way through the period. Q2 outperformance was based on general organic momentum. Much more on CrowdStrike later.

c. Profits & Margins 

• Beat -$10M free cash flow (FCF) estimate by $4.5M.

• Beat -$12.0M EBIT estimate & beat identical guidance by a little over $6M each.

• Beat 79% gross profit margin (GPM) estimate by 60 basis points (bps; 1 basis point = 0.01%) & beat guidance by 50 bps.

• Beat $0.00 EPS estimate by $0.01. First quarter of positive EPS. EBIT will come later because it collects so much net interest income from its debt-free balance sheet.

Total operating expenses rose by 11% (GAAP & non-GAAP). R&D rose by 9%  Y/Y, sales and marketing (S&M) rose by 19% Y/Y and G&A fell by 11% Y/Y due to lower legal and stock comp charges.

d. Balance Sheet

• $700M in cash & equivalents; $417M in LT investments.

• No debt or notes.

• Diluted shares rose by 6.6% Y/Y. That will slow as it moves further away from its IPO. As a good hint, stock comp dollars rose by 22% Y/Y to materially trail revenue growth. That needs to continue.

e. Annual Guidance & Valuation

• Raised revenue guidance by 0.4%, which slightly beat estimates.

• Reiterated -4.0% EBIT margin guide, which slightly missed -3.7% estimate.

• Raised 78.5% GPM guide to 79%, which beat by 60 bps.

• Q3 guidance was roughly in line across the board.

Guidance does not bake in material uplift from the CrowdStrike outage, even though management explicitly said it thinks it could come. It reminded us that sales cycles take 9-12 months, most customers don’t act impulsively here and that the financial impact will play out over the coming years, not months. SentinelOne told us it expected an acceleration in business trends throughout the 2nd half of the year last quarter. It reiterated that expectation this quarter, based on things like fantastic RPO growth.

f. Call & Letter

CrowdStrike & Microsoft Outage:

Unsurprisingly, SentinelOne leadership did not hold back in its criticism of CrowdStrike (and Microsoft too). As an important caveat, the two always talk trash about each other, and this quarter was no different. Here’s what it had to say about the incident:

SentinelOne took some time to walk us through how it thinks its architecture is superior to others. In reality, it’s somewhat similar to CrowdStrike, with the same claims of lower cost and superior efficacy.

CrowdStrike vs. SentinelOne — What’s Similar?

Both products can work on-premise or across multi-cloud environments. Both offer agent-based, on-device offerings and an agentless offering too. Both routinely talk up the multi-layered protection that it offers and how “redundancy” ensures reliable security if one layer isn’t properly working. Redundancy is a safety net in place to mitigate these risks.

CrowdStrike vs. SentinelOne — What’s Different:

On the other hand, there are some foundational differences to the architectures. There are more hardware installation requirements for most of SentinelOne’s products, which makes CrowdStrike arguably more scalable. CrowdStrike is considered to be more truly cloud native, without separate products for cloud and on-premise deployment. Next, SentinelOne requires less frequent software updates; this will become increasingly popular considering a software update is what caused the CrowdStrike outage. Beyond that, SentinelOne’s agent doesn’t need to be as deeply embedded in a customer’s core infrastructure (or “kernel”). This is a calling card for SentinelOne’s leadership team. For mac-based endpoints, it doesn’t touch the kernel at all. CrowdStrike does, which means any of its blunders will have a larger impact on overall operations.

What do I think of all of this? I think when we look back 20 years from now, this will be like Coke and Pepsi arguing that one is king and the other is a loser. The two will endlessly bicker and throw shade at each other. They’ll both claim superiority and that the other is a pretender. What matters? That these are arguably the two best companies on the planet within a sector that offers a massive runway, antiquated incumbents and easy product expansion. Both offer endpoint efficacy that is materially better than alternatives and both are adamant that superior efficacy paves the way for minimal false positives and lower customer costs. They should both do very well over the coming years if they execute.

The Platform Play – Newer Products:

SentinelOne is a few years behind CrowdStrike in rounding out its product suite beyond solely endpoint. CrowdStrike has been deeply profitable for longer, and so has had the luxury to spend more aggressively on new products & M&A. With SentinelOne’s profit inflection now secured, it’s ready to match this aggression. Signs so far are good as Purple AI, the data lake and its cloud security solutions all grew more quickly than overall revenue. 

Platform expansion rates (new product up-take) “remained healthy” and ARR per customer again grew by over 10% Y/Y. While new products are working, its core endpoint niche is still growing very nicely. It took more market share there during the quarter and sees its best-in-class market share taking here (per IDC) as continuing in the years ahead.

• $1 million+ ARR customers rose faster than $100K ARR customers (so faster than 24% Y/Y).

Purple AI:

For Purple AI specifically, SentinelOne continues to reiterate its ability to drive 80% faster threat hunting and investigations. It sees this AI arm as best-in-class, and cited it as a main reason for its outperformance. The product is “exceeding all expectations” early on and is enjoying a double-digit percentage purchase rate for all new endpoints sold in Q2. Leadership sees purple AI as having clear leads in onboarding, use case breadth and ease of use. Like CrowdStrike’s competing Charlotte AI tool, purple “alleviates the challenges of machine speed response, talent shortage, alert fatigue, and enhances analyst productivity.” It uplevels all beginner security analysts to extend highly finite client talent much further. It’s an efficiency force multiplier for better protection. This quarter, SentinelOne launched “Alert Summaries.” These are automated summaries of vulnerabilities to nudge analysts with prioritized alerts.

Cloud Security & Data:

SentinelOne added runtime cloud security and another cloud security product acronym to the fold. This time, it’s Cloud Infrastructure Entitlement Management (CIEM). CIEM offers seamless oversight of access controls for cloud assets. It can “detect over-privileged humans and machines, pinpoint toxic permission combinations and curtail risk with greater speed and efficiency.” This was the largest product gap remaining between SentinelOne’s suite compared to Palo Alto and CrowdStrike. Important debut.

Customer Wins Cited:

• Its SIEM tool led to an expansion with a global aerospace firm. The first is ingesting 2x the data it used to and is saving money compared to its old SIEM vendor.

• Global financial institution replaced 4 endpoint vendors with its product.

• For one of the largest U.S. hospitals, Sentinel and a leading competitor were both deployed. The other vendor led to instant breaches and so this customer cut the other vendor.

Macro & Go-to-Market:

Macro did not improve Q/Q for SentinelOne. It simply executed better and began to see the fruits of its go-to-market overhaul to accelerate big customer growth and overall results. It’s seeing direct yet early progress in new business generation, pipeline, competitive win rates and its overall growth outlook. 

Momentum here helped drive the outperformance this quarter. I would love to see $100K ARR customer growth accelerate, but it was too early to expect that this quarter. 

It’s leaning more heavily into its managed security service provider (MSSP), incident provider and cyber insurance partnerships. SentinelOne doesn’t struggle on the technology side. The team will readily tell you their tech is world-class, and 3rd party research firms do routinely back that boldness up. Where SentinelOne struggles is on the awareness and selling sides. It’s imperative to use these partners to help spread the word. It’s also imperative to work more closely with the public cloud vendors, like Google. Considering this, its expanded Mandiant Consulting (owned by Alphabet) partnership this quarter to make it the partner of choice across incident response is notable.

• Created a network of insurers to help smaller clients find affordable rates as part of its SentinelOne Risk Assurance Initiative.

• Partnered with Cybersecurity and Infrastructure Security Agency (CISA) to “provide threat detection and response across federal IT assets.”

g. Take

I wanted a larger annual guidance raise amid all of the commentary on already winning new customers from the CrowdStrike outage. I was slightly disappointed until I heard the revenue guidance doesn’t include any potential positive impacts from CrowdStrike. 

That potential positive impact will not come in Q3. It could come in Q4, as SentinelOne should be far enough along in some sales cycles to close deals. Commentary on deal closures already happening makes me quite confident in that being the case. Companies don’t make “snap decisions” on switching security vendors, so this will take more time than most thought.

With that said, results were again very good. The investment case is still quite strong. It offers best-in-class growth and leverage, with a pristine balance sheet and immense optionality. And? If I’m picking on a raise as my main source of disappointment, you know the quarter went relatively well.

2. CrowdStrike (CRWD) — Earnings Review

a. CrowdStrike 101

Subscribe to Nerd Plus to read the rest.