SentinelOne vs Crowdstrike important notes

I hope the board finds the following information useful.

I went through SentinelOne's shareholder letter, press release and their earnings call from yesterday.

A couple of things outside of the revenue and performance metrics, which I think are important for Crowdstrike investors, and something to keep an eye on moving forward.

  1. They claim to win 70% of the deals when competing vs legacy or next-gen solutions (I am assuming that includes vs Crowdstrike).

“we win more than 70% of POCs against the competition. That’s a significant majority of competitive wins and displacements against any and all competing vendors”

  2. Pricing is similar to Crowdstrike, even more expensive on the tech stack, but Crowdstrike is bundling managed services and extra tiers of services, which probably makes them appear more expensive than SentinelOne. They actually claim in many ways, including a link on their website comparing Crowdstrike vs SentinelOne, that Crowdstrike nickel and dimes clients.

Quote from their site: “At SentinelOne, we pride ourselves on a clear pricing model that doesn’t nickel and dime, or bait and switch. CrowdStrike customers often see their quotes inflate dramatically between all of the additional costs for data retention, flexible deployment, professional services, and more”

  3. Their main go to market strategy is working with resellers, MSSP, and Incident Response partners as an ecosystem - they don’t compete with them with their own managed services (opposite of what Crowdstrike does through their Complete and Overwatch services).

  4. Better detection of malware and prevention of infections (through AI/ML), and automatic remedy (where that is possible), but also higher false positive noise. They don’t think it is ok for Crowdstrike to allow a higher rate of infections, and have actually displaced one of Crowdstrike’s clients due to them getting malware which should not have been allowed to go through.

“And that is what our platform is incredibly unique in. That’s the advantage of AI and machine learning. And I think that’s the reason why we’re winning both against incumbents that don’t only provide the protection piece but also think about hardening, think about anti-tampering”

  5. They are in fact winning in a couple of categories when it comes down to the strength of their AI and detection engine. “in the Gartner Magic Quadrant, where we were singled out as a vendor with the most critical capabilities out of every vendor out there for any buyer type”.

  6. SentinelOne has a higher DBNER of 129% - which speaks volumes for their strength and customer adoption (increase user count, use cases, upsell of their 10 modules, etc).

They seem to also have an edge when it comes down to IoT with their Ranger product, quote from the CEO “Ranger for us has become truly a competitive advantage”. Their data retention is also longer, which helps with certain attacks and saves money vs Crowdstrike, which requires $ for longer data retention periods. Auto deploy appears to be another edge they claim to have, which has helped them win against a next-gen provider.

I do plan personally to keep an eye on SentinelOne and their progress moving forward. Not so much to invest in them at this point, but more so to make sure they do not disrupt Crowdstrike or impact their margins. These 2 companies have fundamentally different approaches to market and tech - so it is hard to judge at this point which one will be more successful moving forward.


1. They claim to win 70% of the deals when competing vs legacy or next-gen solutions (I am assuming that includes vs Crowdstrike).

“we win more than 70% of POCs against the competition. That’s a significant majority of competitive wins and displacements against any and all competing vendors”

As someone who has spent their life competing in enterprise software, I just want to point out that this is not actually that impressive at all.

A “POC” (short for proof of concept) can mean a lot of things, but it usually involves not only giving the customer a “free trial” but also usually investing a lot of time and effort from the vendor’s technical team.

This isn’t competing in a government contract to supply traffic cones: this is software. I don’t mean to be dismissive of traffic cones, the point I’m trying to make is that comparing one traffic cone to another isn’t very hard: the requirements are well known and although I’m sure companies extol the virtues of their traffic cones as being brighter or more durable or lighter, it’s not a hard comparison. Comparing one software product to another is almost always comparing apples to oranges. I’m sure SentinelOne has some advantages over Crowdstrike and vice versa. But I’m sure that the differences are many and comparing them is very subjective.

Because it’s always comparing apples and oranges, and very subjective, it’s the job of the enterprise sales team to “stack the deck” as much as they can by influencing the evaluation criteria. And, frankly, to avoid wasting time and money by participating in evaluations (and POCs) where your competition has stacked the deck against you.

There’s an expression in poker that “if you can’t spot the sucker at the table, then you are the sucker”. It’s the same thing when it comes to POCs. If you haven’t figured out who is going to win the POC before it starts, then it certainly isn’t going to be you. In enterprise software, and especially with SaaS products, you might invest $40,000 in free consulting on a POC for a $100,000 first year contract. Why? For the reason we talked about last week; that you are planning on the renewals making up for it in the long term. But you can’t afford to make those kinds of bets if you only win 50% of the opportunities.

At one company I worked at we literally hadn’t lost a POC in the entire time I worked there. It wasn’t even that great a product, we were definitely the underdog in our market. But because we were the underdog, we picked our battles. We only fought when we were going to win. At another company I worked at, our POC win rate was over 90%. This time because there were two big players in the market: us and our primary competitor. And the two products were different enough that I could almost always tell in the first meeting we had with a customer whether they would favor our competitor or us. We didn’t have 50% marketshare; we were #2 in marketshare. But if we chose to participate in a POC we almost always won. But you could say the same about our competitor: they too won most of the time when they chose to compete.

I’ll also point out that “winning” a POC is sometimes subjective. I’ve seen lots of account executives declare that they “won” a POC, or “got the technical win”, only to not get any money out of the customer. Because the project was cancelled. Or the competitor made some kind of “golf course deal” with an executive.

If SentinelOne isn’t winning 99% of its POCs against “legacy” products then it has no business being in the market at all. And if it isn’t winning at least 70% of its battles against Crowdstrike then it’s either desperate to participate in POCs or it has a bad sales team.

But I remain unimpressed with anyone claiming a 70% POC win rate. Especially if they include “legacy” competitors in that win rate.



Ugh. Sorry for posting a one-liner, I try to avoid doing that on Saul’s board for obvious reasons. But I meant to put a disclaimer on my last post. I am currently long on Crowdstrike. I have no position in SentinelOne.

And I don’t mean to be dismissive of SentinelOne; their growth is strong and I’m keeping an eye on them. But a 70% POC win rate isn’t very convincing to me.


Can’t hurt to keep an eye on.

This writer on Seeking Alpha keeps an “AI Disruptor’s List” where he lists UPST, RSKD and PATH among them. For cybersecurity he has S listed and writes the following……

SentinelOne (S) is not yet on the lips of every Cybersecurity stock analyst but it will be. Central to its operation is AI, it uses AI to find and halt hacks on the network. Because of WFH and hybrid work, the network has become the most vulnerable piece. CrowdStrike (CRWD) is in the same niche, CrowdStrike uses the wisdom of the crowd to find anomalies and block it. That means it must poll the internet and all the other CrowdStrike customers to find anomalies. S uses its AI algorithm which is local and acts much faster. Over time, the AI algorithm learns not only from itself but all the other Sentinels. In CRWD’s latest S-1, it listed S as a major threat. They do this for good reason.

With the CRWD COO selling shares, the Chief Accounting Officer leaving and numbers not entirely blowing us away, CRWD might deserve tight reins as a high % allocation.

Looking at ZM, TWLO, DOCU, SNOW, that $50-100B range sure does seem to be where things slow down, when there’s no epic Covid-related tailwinds.



Right after I posted my comment I got an email about Kurtz’s latest presentation……

He is really funny and a killer storyteller and marketer.

Asked repeatedly about Sentinel One, he says, among other things, that S competes on price because it’s a “leaky lifeboat.” Here’s the quote…

"And the reality is I don’t know many security practitioners that want to buy leaky lifeboats, right.

You can get a great deal on a leaky lifeboat, but in security, it’s all about preventing the breaches, not stopping malware. And that is a big focus for us. And you look at our tagline stop breaches. It’s pretty simple to understand."

“You can get a deal on a leaky lifeboat” is excellent. And the man understands value of keeping it simple. Tag lines don’t get better than “Stop breaches.”



Hi, only my second post but hopefully it will be helpful to all!

I gave a bit of my work history on my last post but the short description is I was in technology 30+ years with the last 10 in Infosec but have been out of the game for the last 2 years. That’s a lifetime in Infosec as things change quickly. So, I won’t dive into the technical details between Crowdstrike and SentinelOne.

I believe I heard on the Crowdstrike call that they consider themselves to be the premium product and that Sentinel One is at the lower end. I’m paraphrasing here.

So I’m wondering if we’re starting to see some pricing pressure on Crowdstrike compared to other vendors? It may be something to keep an eye on.

So you may be thinking why wouldn’t a company just pick the best vendor because of all the data that could be exposed if they were hacked. Well, the dirty little secret is not all companies value the protection of their/your data the same way.

Just think of all the health care companies that are getting ransomware attacks. The health care vendors I have reviewed are not spending top dollar on protecting that data because healthcare customers don’t make Healthcare choices based on Information security. On the flip side I worked at an Investment Bank and they had a belt and suspenders approach. They tracked everything on their networks and went with the best of the best no matter the cost.

I’m sure Crowdstrike is going to get their share of the companies that have the budget, but for the companies that want to check the box and say we meet the Infosec regulations (a very low bar) maybe they use a less expensive Security vendor.

Crowdstrike is my second largest position and I won’t own any Sentinel One shares as they are too expensive.

I may look for opportunities to lower my stake in Crowdstrike.


These companies have been competing with each other for 8+ years. CRWD was founded in 2011 and S1 was founded in 2013. During CRWD’s latest ER there were multiple questions re: competition from S1, and it seems in general that investors are becoming more worried about competition causing margin pressure/slowing sales from S1 to Crowdstrike.

Did S1 becoming public last Q change the dynamic between these two companies? Has the market’s need for S1 product vs. Crowdstrike’s product changed because S1 is now a public company? I think not… but it seems the market is starting to hint towards it happening for some reason. Maybe because there are more public statements from these 2 coming out attacking each other.