The Tech Sales Newsletter #86: Purple rain

In my recent deep dive for Fortinet, I concluded the following:

Fortinet is a good opportunity for starter roles in cybersecurity or as a co-selling partner if you work for an MSP/SI. Unless you'll work Enterprise/Strat in the US, I would not recommend joining as an A player. In theory they have all of the ingredients of a platform play, but the actual product adoption raises significant questions around that story.

In this edition of the newsletter, we will be diving into SentinelOne. The company likes to position itself as the superior option to CrowdStrike, arguably the most successful pure-play cybersecurity vendor of the last 5 years. Whether that is actually true, or whether they are closer to being another Fortinet, is something that we will try to answer based on the available evidence.

The key takeaway

For tech sales: While the company might appear alluring at first glance (strong AI play, big incumbents to displace, generous compensation), the reality is that SentinelOne is entering a very difficult period and the go-to-market teams will bear the brunt of both the pressure and the cuts. This is an opportunity for individuals with an appetite for risk.

For investors: SentinelOne has underperformed on the stock market for so long that it's difficult to make any attempts at positioning the company as a "value pick" without seeing either higher sustained performance or more meaningful changes on the leadership side.

Purple AI and other curiosities

Source: SentinelOne.com

Tomer Weingarten: We successfully transformed our business from an endpoint focused model to a comprehensive leading AI native cybersecurity platform. At the same time, we accelerated our time to profitability through focused investments and discipline. We achieved significant profitability milestones, including our first quarter of positive operating income in Q4, well ahead of our expectations, our first full year of positive net income and earnings per share and our first full year of positive free cash flow. With these results, we've crossed a key inflection point, and we believe the company is well positioned for sustained growth and profitability at scale.

We expect to surpass $1 billion in both ARR and revenue this year, an important milestone in our growth journey. We also expect to achieve full year operating income profitability, while continuing to invest in our platform and future opportunities. In fiscal year '26, we remain focused on execution and advancing Singularity as the preeminent AI-powered cybersecurity platform for the future, which brings me to the state of the market. In many ways, the cybersecurity status quo was a disappointment in 2024, more breaches, more cost and more data was stolen than ever before, personal data, financial data, healthcare data and the list goes on.

Our entire world is now digital, and these breaches are challenging that very basic fabric. Furthermore, AI is no longer experimental and in the hands of attackers, it's a real threat. The scale, automation and speed of attacks are accelerating. Looking ahead, we must redefine the security landscape with a modern approach, our industry cannot afford to rely on the same outdated approaches over the past two decades.

SentinelOne's journey over the last year has been focused on increasing profitability while deploying more features that use GenAI on top of its stack to give users a better experience. The stack itself is a rather well-rated platform, hidden behind some of the most try-hard marketing in the industry:

Source: SentinelOne FY25 Investor Presentation

Tomer Weingarten: We can leap, not just take steps forward. And this year, we're leaping forward to where the future is going to be. We have an incredible opportunity ahead to collaborate with our customers, partners and enterprises worldwide to usher in the new era of cybersecurity with Singularity. Our success stems from our focused innovation strategy and technology leadership. Let me cover that in more detail. Three things set our Singularity platform apart.

One, unified defenses, the only open unified AI security platform, integrating data, endpoint, cloud identity and third-party solutions for broad and complete coverage and protection.

Two, outpace threats. Autonomous security and industry leading signal to noise ratio delivers real-time protection and actionable insights to stay ahead of threats.

And three, enhanced security analysts. Our generative and agentic AI set the standard in defending against modern threats designed to evolve and constantly adapt. Singularity helps move faster, more efficiently and save cost.

There is a lot to uncover here.

Let's start with the basics. SentinelOne has been a strong adopter of Machine Learning across its stack and over the years has shown prudence in both acquisitions and internal development when it comes to rolling out strong technical solutions.

At the same time, Tomer (founder and CEO) is a leader who clearly has a chip on his shoulder. There are very few individuals that have been able to build a company from a startup to IPO. By all accounts, he's been exceptionally successful. Unfortunately for him, the financial markets have remained lukewarm to his vision:

Rather than ignoring the market and delivering an outstanding experience for its customers, SentinelOne is spending significant effort trying to "one-up" its competitors in ways that often include direct lies or misrepresentations during earnings calls.

The SentinelOne platform is one such example. Every single functionality needs to be referred to as something BIG AND SPECIAL.

SIEM is not just SIEM, it's SINGULARITY AI SIEM. Now if somebody asks the obvious question, "isn't your SIEM just an efficient database with automations on top and an LLM assistant to do searches", then they would be correct. There isn't anything groundbreaking here compared to several other vendors in the market.

Tomer Weingarten: This milestone shows our ability and momentum to disrupt large markets with leading technology. We've just begun to scratch the surface of an immense $100 billion market opportunity. In Q4, we achieved record bookings contribution from our data cloud and AI security solutions, once again showing the accelerating adoption of our broader platform. Data and AI were our fastest growing solutions fueled by adoption of our Singularity AI SIEM.

Our AI SIEM is redefining security data management with enhanced visibility, real time detection, on-streaming data, accelerated investigations and autonomous responses. Many of our largest and most strategic wins in the quarter included AI SIEM alongside broader platform solutions. Let's look at a few examples. A customer with an eight figure total deal value in the APAC region expanded endpoint and cloud coverage added CNAPP and fully replaced a legacy SIEM with AI SIEM, a true platform win.

Next, a leading financial institution switched from Splunk to AI SIEM reducing costs and improving performance. The multi-million dollar deal increased the customer size by 5x. Finally, in another multi-million dollar expansion, one of the largest retailers in its category selected AI SIEM to replace an incumbent vendor, which resulted in savings of more than $1 million per year for this customer. By combining AI SIEM with adjacent Singularity solutions, this enterprise can now detect and respond to incidents up to 12 hours faster than before.

There is no reason why displacing a couple of vendors to win bigger SIEM workloads can't be explained in a normal manner. The primary reason why SINGULARITY PURPLE AI SIEM is achieving success is because the product does pass the technical PoCs and is aggressively priced with heavy discounting, a trademark of the SentinelOne Go-To-Market strategy.

What is not being mentioned, of course, is that SIEM is a crowded market and there are a number of both pure-play cybersecurity vendors, as well as data platform players (and hyperscalers) that compete for those workloads. So while this is a driver of new business at the relatively small install base of SentinelOne (still a <1B USD revenue company), it's unlikely that they'll actually transition towards dominating the market.

Tomer Weingarten: We're also seeing increased interest from managed security, incident response and insurance providers for our broader platform solutions. In Q4 alone, more than a dozen large partners started adopting AI SIEM, Purple AI, CNAPP and more. In particular, MSSPs remain a strong driver of growth and opportunity. They are doubling down with SentinelOne, embracing more of the platform and establishing longer-term contracts.

This benefits us and our partners with more visibility and predictability into future growth. Our long standing partnerships with managed service providers are built on collaboration and innovation, multi-tenancy, automated response tools and rollback capabilities, enhance their own service offerings. Now with AI SIEM, Purple AI and CNAPP, we're taking this to the next level, helping them consolidate security coverage into a single console powered by our leading AI innovations in highly efficient data ingestion and analytics.

Now, it's important to note that 90% of all business in cybersecurity happens with Managed Service Providers (MSPs). Working with them is kind of expected at this stage. It's interesting that the prepared remarks continue to focus on feature-bombing, particularly since SentinelOne does have a mixed reputation with MSPs:

Source: r/msp

Tomer Weingarten: We believe every customer should be able to leverage generative AI's foundational abilities for security applications. After a year of customers selecting and using Purple AI, it's clear how much it can scale and automate time consuming human tasks. We're now the first security company to include foundational Gen-AI security capabilities like natural language queries and auto generated summaries across our platform by default. This is just the first step in redefining today's categories of EDR, cloud security and SIEM to be AI-powered, bringing advanced agentic capabilities to not just hundreds of enterprises but thousands.

The inclusion of Purple AI foundations across the Singularity platform sets the baseline for AI usage, driving immediate engagement and fueling adoption of more platform solutions. More advanced agentic AI workflows or Purple are available to further enhance speed and performance. Additionally, we're extending the power of Purple AI across a wider range of security data. We've added support for third party solutions, including Zscaler, Okta, Palo Alto Networks, Fortinet, Microsoft and others.

By breaking data silos, customers can unleash the full power of Purple AI across their entire security infrastructure. We're committed to an open platform that can seamlessly co-exist and orchestrate a broader ecosystem of security solutions. Purple is already the first and only scaled agentic AI for cybersecurity, Purple plus Hyperautomation are the bedrock for agentic AI in cybersecurity. We believe this will become table stakes for autonomous security in the coming years.

Ingesting data from diverse sources is kind of the bread and butter of SIEM - ideally you want to store a large quantity of logs and then build automations on top. What they mean by Hyperautomation is something that is also rather standard - the industry refers to it as SOAR (Security Orchestration, Automation and Response) and it's also delivered by a number of vendors, without having to call it HYPEERRRRRR.

Barbara Larson: This outperformance was driven by cost discipline in the quarter and our focused investment strategy. Turning to our guidance for Q1 and fiscal year '26. This year, we expect to surpass $1 billion in both ARR and revenue. We also expect to deliver our first full year of positive operating margin. To be specific, we anticipate revenue of $1.07 billion to $1.12 billion, representing 23% growth. While we typically do not comment on an ARR outlook, this quarter, we believe it may provide helpful context around our growth expectations.

For fiscal year '26, we expect to deliver approximately $200 million in net new ARR, growing about 2% year-over-year. This positive trajectory builds on our reacceleration in recent quarters, continuing our growing market presence and platform adoption. At the same time, we're mindful of macroeconomic conditions, deal timing and federal spending uncertainty. In addition, we're focused on delivering efficiencies and that means prioritizing our investments in data, cloud and especially AI.

This is where the last earnings call went sideways for them (yet again), following the curious announcement of essentially almost flat Net New ARR growth. Combined with the reduced growth forecast (from 32% this year to 23% projection for next fiscal year), this raised a lot of alarms from the analysts on the call.

Barbara Larson: Our investment approach strikes a thoughtful balance between maximizing long-term growth opportunities and maintaining a strong, responsible and profitable financial profile, a strategy that's key to scaling SentinelOne to a multi-billion dollar business. At the same time, we're instilling operational discipline by identifying ways to enhance efficiency and productivity.

One example is the prioritization of investments towards AI powered security and data. In addition, we are optimizing our facilities footprint and aligning resources to strategic growth areas. These enhancements make us more nimble while freeing up investments in our key growth priorities of data, cloud and AI, all while delivering additional margin expansion this year. 

What is really playing out here is that SentinelOne's growth has been fueled by running an unprofitable business of high R&D costs and high customer discounts. As the market has continued to penalize unprofitable tech companies, SentinelOne has no choice but to pivot towards higher fiscal discipline, which will mostly be achieved through inflicting pain on the Go-To-Market team through higher quotas, layoffs, and reduced budgets.

Tomer Weingarten: Thank you for the question. There's always evolution happening. I mean, we are working on better productivity. We've improved productivity year-over-year. We are gearing towards more platform sales. We're adjusting our pricing structures. I mean, we're allowing for even more flexibility for our customers, and we're aligning with some of the pricing structures that we're seeing out there. So all-in-all, we're in this evolution of go-to-market, every indicator that we track is looking better, and that's reflected through win rates, that's reflected through channel contribution.

So what are these mysterious new pricing structures?

Tomer Weingarten: And as for pricing, I mean, the first thing I'll open and say is that pricing has been very stable for us. So it's not about discounting and it's not about needing to tweak our pricing model. But obviously, customers are looking for more flexible ways to procure. And I think that's where we don't see a lot of downside in going down the path of allowing some of these more flexible terms, given that the expansion you've seen in our capabilities set is significant.

I mean, our platform today is seven capabilities with about 30 something modules. That's a lot and customers like to try out a lot of different capabilities that we have. So moving into a pricing model that allows them access to the entire platform is something that we believe is going to be beneficial, and that's the direction that we're heading towards.

If we interpret this correctly, what he is referring to is moving to consumption. For a company known to discount heavily, also moving towards "flexible terms" is something that needs to be managed very carefully.

Tomer Weingarten: I think the biggest thing is that we want to provide flexibility. I think unlike some other vendors, we don't force customers to take kind of an all or nothing approach. So we have all the capabilities. We can -- as an example, sell you a fully-fledged cloud security suite that contains all the CNAPP capabilities and best-of-breed runtime workload protection. At the same time, we don't mind going into environment and delivering best-of-breed worker protection and working in tandem with another CNAPP provider.

To us, it's really about flexibility. And we're seeing customers adopt more and more of our capabilities once they've experimented with at least one capability. Typically, when you look at what we do, it's almost always best of breed. I mean you're talking about Gartner customer choice for endpoint protection and customer Gartner customer choice for cloud security and Gartner customer choice for MDR and Product of the Year for AI.

So obviously, what we do is at the forefront in each and every one of these fields. And we have fully inclusive capabilities that are akin to every other platform and every other leading platform, I should say, in the market today. But the emphasis is sell what customers need, sell to the need and sell to what they want to address today versus trying to deal with futures. We're definitely seeing the expansion coming as evidenced in the numbers, and that's why we're also moving towards those more flexible pricing platform structures that can allow customers to then over time, consume more from our capability set.

If you have to repeatedly tell investors that you are "GARTNER'S CUSTOMER CHOICE AWARD", most likely you are not the actual customer choice, as clearly seen by the revenue gap with your mortal enemy, CrowdStrike. Speaking of the devil, let's look at their FUD against SentinelOne:

Source: Crowdstrike.com

The tagline of this page is "weak coverage, can't stop breaches", which, let's be honest, is a bit entertaining. Amongst practitioners, these claims seem to play out as accurate, with SentinelOne considered strong in specific parts of the stack, but being difficult to configure, manage, and run. When it works though, it works well.

Tomer Weingarten (at OneCon 2024): Furthermore, when we deliver a content update, it's meant to inform our models about new techniques that we've discovered in the threat landscape. It's not signatures. It's not regular expressions. When we deliver those content updates, they're delivered into processes that are operating in user mode, not kernel mode. This is exceptionally important because it means our risk is narrowed down to stalling or crashing an application, not taking out an operating system or potentially stalling business operations.

When these content updates or software updates or if we update our cloud environments happens, this is done through a progressive rollout that is controlled. We do not do updates across our entire customer base at once. We also put customers in control of these updates. So within their own environments, they're allowed to opt in and out of content updates, as well as versions of our agent. This gives them ample time to test within their own environments before they roll out to their global enterprise, giving them more control of those environments so that they do not interfere with business operations.

Now, the thing about technology is that very rarely are there perfect solutions, mostly trade-offs. The trade-off of a light agent with minimal footprint is that it requires regular updates and system-wide access for efficiency. The trade-off of multiple big agents and a lot of ML working on the main platform is that it eats into the performance envelope and if not managed by a very technical team, it's likely not operating in its optimal state.

Source: RepVue

While quota attainment on RepVue is high (59%), SentinelOne simply lacks the same level of engagement there as other cybersecurity players. Wiz has a similar headcount and 155 ratings vs 105 for SentinelOne (and 866 for CrowdStrike). This is likely due to their business being more successful in international markets compared to the US.

Source: RepVue

While this post is a year old, it's not difficult to see how certain choices in the way that the company has managed its business are no longer sustainable.

Tomer Weingarten: I think what we're trying to factor at the end of the day is just the unknowns. And we truly believe this is a good starting point for us. There's a lot of factors in play. There's a lot of shifts happening in software. We believe we're making the right responsible decisions here. So all in all, we're just factoring in everything that we believe and know. And obviously, our goal is always to overachieve and that's going to be my job.

Barbara sets the guidance, I try to overachieve it. But all-in-all, we believe, again, that captures everything we know today.

At this stage, SentinelOne has to be rated as "wait and see" in terms of the tech sales opportunity.

Source: OneCon 2024

There is very little in their go-to-market strategy that demonstrates an edge or innovation. Their goal is to essentially continue running a very discounted land-and-expand motion for endpoint and then try to catch up in revenue with multi-product attach into CNAPP ($100M ARR business as of October '24) and SIEM ($70M ARR).

The problem with both of these categories:

  • They are very competitive, with a variety of vendors and approaches

  • SentinelOne's "high growth" story is cute, unless you compare the relative revenue and figure out that they are a very niche and small player in either of these.

Long term, the complexity of the product will remain a primary disadvantage due to how the cybersecurity market operates:

Source: Venture in Security

In order to solve for their current challenges, they either need to tighten up their product focus (which will go against everything that the leadership believes about themselves) or outperform tremendously through MSPs. Which is again where we run into a very crowded area, with incumbents having a significant advantage and they dislike intricate solutions.

They might come on the other side of the "profitability drive" as a mean and lean company with laser focus on its customers. They might also fall apart and get acquired by private equity.

In either case, there is a lot riding on how the next 12 months play out.

Honey, I know, I know, I know times are changin'
It's time we all reach out for something new, that means you too
You say you want a leader, but you can't seem to make up your mind
And I think you better close it and let me guide you to the purple rain

Purple rain, purple rain
Purple rain, purple rain (ooh!)
If you know what I'm singin' about up here, come on, raise your hand
Purple rain, purple rain
I only want to see you, only want to see you in the purple rain

The Deal Director

Cloud Infrastructure Software • Enterprise AI • Cybersecurity

https://x.com/thedealdirector