SentinelOne buys Attivo Networks

Here are some of the basics about the recent LARGE acquisition by Sentinel One. [As a reminder, S just had $66M in revenue this Q. This is a large purchase that is over double their current ARR!]

Sentinel One is buying Attivo Networks for $616.5M, 58% in cash (357.6M), 42% in shares. They have $30M in ARR (so cost about 20x sales) growing +50%, and serve 300+ custs, including “dozens” of F500 and a few govt / public sector as well.

Attivo Networks is basically the combination of Preempt and Smokescreen.

Preempt was acquired in Sep-20 by CrowdStrike for $96M, which provided identity protection by sitting over an existing identity store like AD or other IAMs like Okta. It enhances them with better visibility (user or permission change tracker, looking for misconfigurations or stale accts, etc) and real-time behavioral analytics (does this user behave like they always do). Preempt ultimately turned into their Falcon Identity Threat Detection (scanner) and Falcon Identity Threat Protection (real-time conditional access).

Smokescreen was acquired in Jun-21 by Zscaler for $11.5M in cash, which provided network, file, and identity deception technology (using decoys to catch malicious intruders). This turned into Zscaler Deception. It has not yet been fully folded into ZIA or ZPA, from what I can tell.

Sentinel One is greatly playing up the identity (Preempt-like) side of Attivo, which is a recent pivot after years of being a decoy-focused (Smokescreen-like) company. This is to greatly bolster their XDR into protecting identity. What this allows for is expanding XDR into a new highly-adjacent direction, as CrowdStrike did. Plus they get the deception capabilities to help protect network, cloud infra, file shares, and identity through decoys. Unlike Preempt, it only protects Active Directory, not other competing IAMs like Okta.

Considering Preempt and Smokescreen were $96M + $11.5M = $107.5M overall, Sentinel One paid up heavy at $616.5M (5.7x that!).

One can probably assume the newer Identity side of Attivo is growing at a much faster rate than the Deception/Decoy side, but off a smaller base. Pure speculation, but just to conceptualize my theory, they might have $5-15M of ARR growing 70%-100% (identity), and $15-25M of it growing a much slower 30-40% (decoy). It may even be smaller than that wild guess. They have had identity decoy and endpoint agent (ADSecure) for identity protection for a while, but major parts of their new identity focus released in Mar-21 (ADAssessor AD scanner) and just now in Mar-22 (ADSecure-DC to protect over AD itself, not from their endpoint agent).

They were a CrowdStrike partner since Apr-20.…
They were a SentinelOne partner and in the Singularity Marketplace since Dec-21.

Considering this smaller segment is the part Sentinel One is overly focused on in all PR and slides, I think they greatly overpaid for having their main focus on a portion of the company.

  • muji
    long S

Thanks for this analysis Muji

It's difficult (at least for me) to tell from the outside how overvalued this acquisition was. While the product space is comparable for Preempt + Smokescreen, is this truly an apples to apples comparison? Is Attivo more mature, robust? Does it have better observability and integration tooling? Does it scale better, what about the deployment model? It's too much fog for me to make much sense of.

From an ARR perspective on Attivo, while they were growing at say 50%, as a bolt-on and cross-sell SKU for Sentinel One it could turn out to be a significant addition to the parent company's ARR. Or not, and here is where having confidence in the leadership of a company comes into play. It's not clear how much experience Tomer Weingarten has in acquisitions or the track record thereof.

Long S as well


This is the Scalyr purchase. It was only for $155 million but seems core to Sentinel’s future. I recommend reading the release as it lays down how this enables S to extend beyond endpoint to client and IoT and files etc and includes reading data from the likes of CrowdStrike or Okta. Why they’d need to read CrowdStrike data I don’t know unless they can do more with it than CrowdStrike can.

So far this acquisition appears to be going splendidly. No mention made as to revenue in this press release so may not have had much and thus the smaller price.

20x is not much in this market for growth like that but is still a lot for plug in pieces. Have to think management knows what they are doing and that S will continue to define this XDR market and expand beyond endpoints as well. Crowdsource appears to be playing catch up in many respects to S in the XDR markets as well as moving to cloud protection and the like.

Will be interesting to follow the narrative and numbers over next few quarters. It does seem however that S has some experience successfully integrating acquisitions.



On Attivo CY2022 guidance, not sure if anyone noticed this:

  1. In the acquisition slide deck, S was saying Attivo grew ARR at 50%+ in CY2021
  2. Attivo has ARR 30M, I guess TTM CY2021 revenue is ~25M
  3. Then in the CC, CFO was saying for Attivo “For calendar year '22, the current forecast for the business is to deliver revenue of approximately $40 million for the full year.”, to me that means they guided 40/25= 60% revenue growth for Attivo as standalone!

They may end up delivering 75%+ IMO which will be a huge acceleration.



I think this acquisition was probably essential for S to stay atop the magic quadrant and maintain cybersecurity leadership and relevance. CRWD already has a good credential protection module. S needs to compete with this. I have read the Attivo capabilities but am not sure if there is a technological edge over CRWD. In a nutshell Attivo checks the Active Directory for vulnerabilities and recommends hardening tasks. It also peppers the network with honeypots and deception credentials to attract and detect the attackers.

60% of all breaches involve credentials, whether they be stolen via social engineering or hacked using brute force. The initial attack surface usually starts with the endpoint which by itself usually has little value. Through lateral movement via neighboring devices and privilege escalation, a persistent attack may move slowly over weeks and months. Move too fast or too blatantly and you get caught. This is hard stuff for the attackers but even harder for victims to detect. The network traffic usually appears normal. The gold prize is the Active Directory and usual underlayment LDAP employee database. For AD herein lies the keys to the universe. They also hope to access user credentials of high value.

The FireEye Solarwinds malware detection simply happened by happenstance and was a basic credential theft. An observant FireEye IT guy saw an employee signed on in two different locations. A quick call to the employee and the breach was evident. Here the high value creds were used to steal malware code and the AD/LDAP fortunately was not breached.

Over 30% of the time there is a credential theft that starts the penetration. How does this happen:

  • Users having to manage too many accounts and remembering which password belongs to which account
  • AND AD/LDAP servers that are ?#&! beyond recognition. Companies acquire, merge, and reorganize faster than they can keep their AD/LDAP updated, well configured, and organized properly. Employees move and get promoted, change passwords, etc. and it usually contains email, location, organization, grade, group access permissions, etc. Once the AD/LDAP gets out of control, a lot of tricky corporate coordination and maintenance is required of the AD/LDAP to clean it up and keep it hardened to attack.
  • So credential protection and detection is where Attivo is focused. Overall this acquisition looks good to me and worth the investment. I like it. I would like to hear a 2022/23 forecast of projected revenue from SentinelOne for this new module. No doubt S will market this new module to their existing customer base…easy peasy business. If possible, we need to measure the module uptake and impact to revenue if S will tell us.



    So is Attivo a direct competitor of OKTA?

    Is Attivo a direct competitor to Okta? I am not a tech expert in this regard, but I did not find any competitive comparison between OKTA and Attivo. They both work with active directory and identity security but Attivo is more featured for its “deception” security element.

    This article is about the best summary of what it is all about, echoing some of what has already been said on this thread:…

    In the end though, I do not believe that you choose Attivo or Okta but that Attivo is more like a feature set to identity and better suited to a company like S or CRWD’s product capabilities.



    Btw, I have to laugh at Sentinel One’s motto as stated in the article: Its website details the Singularity platform as an innovative, AI-powered defense tool “performing at a faster speed, greater scale, and higher accuracy than possible from any single human or even a crowd.”

    Hmmm, an unintentional pun or a direct message?



    Attivo and OKTA are two completely different animals.

    OKTA is focused on credential AAA; authentication, authorization, and audit. So it defines the rules of identifying the user (user code, password, and additional multi factors and rules for accessing the credential store). And what permissions that authenticated user has for resource access. Upon authentication, OKTA can provide a custom home page of available resources/applications per his approved authorizations of his assigned group. OKTA is commonly fitted with scripts for AD/LDAP access but can provide its own credential store. Attivo does none of this.

    Hope this helps.



    I thought, maybe I should take a wee little break from my 3-days-straight St Patricks day celebration to consider the merits of Sentinel One’s acquisition of Attivo.

    So, I put down my wee little shot glass of Bushmills 12-year and grabbed a wee little bar napkin and the wee little golf scorecard pencil from behind my ear and did some wee little math.

    St. Paddy - Please forgive any beverage-induced trespasses below.

    Current annual revenue estimate = $2,163M
    Assuming a 50% annual growth rate, in three years, their annual revenue will be $4,868M

    Current cash on hand = $2,000M
    Assuming a continuation of their 30% free cash flow margin, in three years, their cash on hand will be $4,394M

    Current annual revenue estimate = $370M
    Attivo will generate $40M annual revenue, so S’s updated annual revenue estimate = $410M
    Assuming a 100% annual growth rate, in three years, their annual revenue will be $1,640M

    Current cash on hand = $1,670M
    After Attivo acquisition, cash left on hand = $1,312M
    Assuming a continuation of -11% free cash flow margin, in three years, their cash on hand will be $925M

    If they decide to cash in all their chips, and make 3 more similar acquisitions….
    Assuming a 100% annual growth rate, in three years, their annual revenue will be $2,120M and cash on hand will be $168M

    And we have not even penciled in any effects of S’s shareholder dilution, negative operating margin and market sentiment.

    I think I am getting thirsty again…where is that bartender?

    Long CRWD (10% position) and I also own S (1% position).

    Beachman (@iwannabeontheb2)



    Seems like you have penciled in a lot of assumptions for S. Why did you figure negative cash flow out into the future and continued acquisitions? Seems to me that cash flow will probably improve and acquisitions is a real SWAG. Overall the company is projecting reduced expenses and improving margins.




    I would definitely agree with that: S improved their FCF margin from -86% to -11% YoY. One would think that this trend is set to continue. The market is probably rewarding these improving trends and expecting management to continue integrating their acquisitions effectively. If beachman’s calculations are close to correct S would get pummeled by the market. I would rather hold S over CRWD at this point, the revenue numbers required to maintain CRWD’s growth are rather challenging