6 min read

SentinelOne S-1 Teardown

SentinelOne S-1 Teardown

Company Overview

SentinelOne is a developer of automated cybersecurity software designed to protect devices and servers against malware and threats. The company's cloud-based software helps in delivering autonomous security for the endpoint and cloud environments to help organizations secure their assets with speed and simplicity and also unifies the detection, prevention, and remediation of threats and advanced cyber attacks.

Product Offering

SentinelOne's XDR platform ingests, correlates, and queries petabytes of structured and unstructured data from a myriad of ever-expanding disparate external and internal sources in real-time.

They then build context and deliver greater visibility by constructing a dynamic representation of data across an organization.  The distributed AI models run both locally on every endpoint and every cloud workload, as well as on our cloud platform.

The Static AI model predicts file-based attacks of all types, even previously unknown threats, often referred to as “zero-day attacks".

The Behavioral AI model maps, monitors, and links all behaviors on the endpoint to create contextual narratives called Storylines. Storylines contain a complete record of unauthorized changes made during an attack and can be used to roll back changes. SentinelOne claims the power to turn back time on a device is unique in the market and their software eliminates manual, expensive, and time-consuming incident cleanup.

The platform is completely flexible across cloud and on-prem servers which is to be expected.

According to SentinelOne deploying their Singularity Platform, customers can receive a return on investment of 353% over three years, and a payback period of fewer than three months according to a 2020 Total Economic Impact study that was conducted by Forrester Consulting.

Business Model and Risks

SentinelOne generates substantially all of its revenue by selling subscriptions to its Singularity Platform. Subscription tiers include Core, Control, and Complete. The subscription contracts typically range from one to three years.  Subscription revenue is realized over the term of a contract.

From the key risks section, it's clear SentinelOne views the sales cycle as its biggest risk.

Customers often view the subscription to our platform as a significant strategic decision and, as a result, frequently require considerable time to evaluate, test and qualify our platform prior to entering into or expanding a relationship with us. Large enterprises and government entities in particular often undertake a significant evaluation process that further lengthens our sales cycle.

In addition to this risk, there are two more that stand out. First, certain segments of cybersecurity continue to be heavily focused on services - a fact SentinelOne points out but attempts to glance over. These are often low-margin offerings that are difficult to scale.

Certain of our customer agreements contain service level commitments, which contain specifications regarding the availability of our platform and our support services. Failure of or disruption to our infrastructure could impact the performance of our platform and the availability of services to customers. If we are unable to meet our stated service level commitments or if we suffer extended periods of poor performance or unavailability of our platform, we may be contractually obligated to provide affected customers with partial refunds or termination rights.

Market Sizing

According to IDC, the addressable market addressed for SentinelOne's solutions today is expected to reach $40.2 billion in 2024, growing at a compound annual growth rate, or CAGR, of 11.9% between 2021 and 2024. These numbers span 3 different segments:

  • Corporate Endpoint Security. A $9.7 billion market in 2021 and growing to $12.0 billion in 2024; comprising Modern Endpoint Security, Server Security (physical servers and cloud workload security), Information Protection and Control, and Endpoint Management.
  • Cybersecurity Analytics, Intelligence, Response, and Orchestration. A $13.1 billion market in 2021 and growing to $17.1 billion in 2024; comprising Device Vulnerability Assessment, Forensics and Incident Investigation, Policy and Compliance, Security Device Systems Management, Security Information and Event Management, or SIEM, and Software Vulnerability Assessment.
  • IT Operations Management. A $5.9 billion market in 2021 and growing to $11.1 billion in 2024.

Competitive Landscape and Recent Transactions

According to Pitchbook, SentinelOne has several competitors - defined as a 99%+ match for this analysis.

  • Cylance, acquired by Blackberry for $1.4B in February 2019 on revenues of $108M
  • Carbon Black, acquired by VMware for $2.1B in October 2019 on revenues of $209.7M
  • Lookout, last round raised March 2020 on a $1.75B.
  • CrowdStrike, publicly traded with a $46.7B on $1B of revenue, 73% gross margins

One particularly interesting note is the amount of consolidation that hit the space in Q3 and Q4 of 2019.  Most of these acquisitions were priced in the range of 10X TTM revenues with average growth. Cybersecurity is hard to scale due to the continuous nature of service and the need for MSP agreements which has limited some firms' full potential.

Revenue Growth and Quality

As of April 30, 2021, SentinelOne had over 4,700 customers, increasing from over 2,700 as of April 30, 2020, including three of the Fortune 10, 37 of the Fortune 500, and 66 of the Global 2000.

All Fortune 10 customers, 25 of our 37 Fortune 500 customers, and 43 of our 66 Global 2000 customers generated ARR greater than or equal to $100,000. As of April 30, 2021, no single end customer accounted for more than 3% of our ARR.

SentinelOne had 277 customers with an ARR of $100,000 or more as of April 30, 2021, up from 122 as of April 30, 2020. Further, as of April 30, 2021, they had 17 customers with an ARR of $1 million or more, up from six as of April 30, 2020.

Cost of revenue increased by $10.7 million, from $7.6 million for the three months ended April 30, 2020, to $18.3 million for the three months ended April 30, 2021, primarily due to higher third-party cloud infrastructure expenses of $6.8 million from increased data usage and an increase of $3.0 million in allocated overhead costs.

Like most cybersecurity firms, SentinelOne continues to struggle with gross margins. While there's no financial callout of it in their S-1, they do allude to consulting services as part of their offering which is common in cybersecurity. This service component continues to be a drag on gross margins in addition to the cloud computing costs mentioned above which is common for AI-based firms.

Taking a look at the two traditional growth metrics, SentinelOne is pretty average among other high-growth software firms. Its current magic number is .91 - similar to Cloudflare and Zscaler's 1.0, but well behind Crowdstrike's 1.5.

The Rule of 40 number for SentinelOne is 76% - which again compares it favorably to Zscaler but well behind Crowdstrike's 109%.

Funding History and Cap Table

In a lot of ways, Sentinel One took the textbook venture capital path. They raised roughly every 15 months until the very end with valuations growing by 2-3x each time.

  • August 2013 Seed: $2.5M on $11M valuation
  • April 2014 Series A: $12M on $48M valuation
  • October 2015 Series B: $25M on $75M valuation
  • January 2017 Series C: $70M on $210M valuation
  • April 2019 Series D: $120M on $600M valuation
  • February 2020 Series E: $200M on $1.1B valuation
  • November 2020 Series F: $267M on $3.0B valuation

SentinelOne's largest shareholder is Insight with a 15.7% stake worth $472 as of the latest private funding round. Insight led the company's series D in 2019.

Tiger Global first invested in SentinelOne's Series A in 2014 with an initial check of $10M according to Pitchbook. As of the last round, their stake represents a fair market value of $372M.

Other notable investors include Data Collective - one of SentinelOne's earliest investors along with Accel (note: Accel appears to have sold out a majority of its share in secondaries along the way) and Redpoint Ventures.

Lastly, Sequoia is also a shareholder in the company after leading the last private round at a $3B valuation in Q4 of 2020. As far as growth equity goes, it's hard to beat a potential 3x in 12 months.


Like with every S-1, the question is "what's the price?"

Cybersecurity firms typically don't attract the big revenue multiples of software companies. We discussed the reasons above - longer sales cycles, lower gross margins, and difficult scalability.

SentinelOne is reportedly seeking a $10B IPO valuation. Given the tailwinds behind the industry, it's very possible they'll hit that target.

However, the price seems high with gross margins and cash efficiency metrics that are fairly pedestrian. SentinelOne is a solid cybersecurity firm, but is still way behind industry leaders like Crowdstrike which is priced at 46x EV/TTM currently and certainly behind the best enterprise SaaS companies.

For comparison, pricing SentinelOne at 46x based on 2021 fiscal revenues would land at a $4.2B valuation and even that seems high - but in this market, who knows?