SentinelOne, Inc. (S) Q2 2022 Earnings Call Transcript
Published at 2021-09-08 22:11:04
Good evening. Thank you for attending SentinelOne Second Quarter 2022 Earnings Conference Call. All lines will be muted during the presentation portion of the call with an opportunity for questions and answers at the end. I would now like to pass the conference over to your host, Doug Clark, Head of Investor Relations with SentinelOne. Thank you. You may proceed.
Good afternoon everyone and welcome to SentinelOne's earnings call for the second quarter of fiscal year 2022 ended July 31st. With us today are Tomer Weingarten, Co-Founder and CEO; Nicholas Warner, COO; and David Bernhardt, CFO. Our press release and the shareholder letter were issued earlier today and are posted on our website. This call is being broadcast live via webcast. And following the call, an audio replay will be available on the Investor Relations section of our website. Tomer, Nick and Dave will begin with prepared remarks, and then we'll open the call for questions. Before we begin, I would like to remind you that during today's call, we'll be making forward-looking statements regarding future events and financial performance, including our guidance for the third fiscal quarter and full fiscal year 2022, as well as certain long-term financial targets. We caution you that such statements reflect our best judgment based on factors currently known to us and that actual results and events could differ materially. Please refer to the documents we file from time to time with the SEC in particular, our S-1 and our quarterly report on Form 10-Q. These documents contain and identify important risk factors and other information that may cause our actual results to differ materially from those contained in our forward-looking statements. Any forward-looking statements made during this call are being made as of today. If this call is replayed or reviewed after today, the information presented during the call may not contain current or accurate information. Except as required by law, we assume no obligation to update these forward-looking statements publicly, or to update the reasons actual results differ materially from those anticipated in the forward-looking statements, even if new information becomes available in the future. During this call, unless otherwise stated, we will discuss non-GAAP financial measures. These as non-GAAP financial measures are not prepared in accordance with generally accepted accounting principles. A reconciliation of GAAP and non-GAAP results is provided in today's press release and in our shareholder letter. These non-GAAP measures are not intended to be a substitute for our GAAP results. The financial outlook that we provided today excludes stock-based compensation expense, which cannot be determined at this time and are therefore not reconciled in today's press release. And with that, let me turn it over to Tomer Weingarten, CEO of SentinelOne.
Welcome everyone and thanks for joining our first earnings call as a public company. This is the start of an open and informative dialogue. We value trust and transparency, and I'll have the opportunity to model this as a public company. And since this is our first earnings call, I'd like to give some background on our journey and how we got here. I will then turn it to Nick and Dave to provide some highlights from our most recent quarter and outlook. We launched SentinelOne in 2013 with the idea that cybersecurity incorporated faster speeds, greater scale, higher accuracy, and most importantly do this through more automation. We created an autonomous cybersecurity platform to deliver our vision. Attacks and threats are only becoming more sophisticated and more common and legacy solutions and human defenses just can't keep up. Looking further the older ransomware attacks, unfortunately this isn't new and it isn't going away and it's impossible to ignore. Our mission to protect our customers in our way of life has never been more important in a digitized world. There are several structural forces that play that will drive long-term and sustained growth for us in our industry. The growing threat landscape is just one of them. Next is the digital enterprise environment, more devices, more places, more data requires updates to critical enterprise infrastructure and that includes new attack surfaces such as containers and workloads. At the same time, we moved to a hybrid work environment. This is the new normal forcing the revolution of how we work, where we work from and fundamentally how we secure the future of work. The only way to ensure safety and security is with zero trust. Across the entire enterprise from endpoint to cloud companies want partners and platforms not siloed point solutions. Our open XDR approach is helping unify the entire enterprise view from data to device to cloud. Putting all of this together, cybersecurity has never been more critical and more challenging for the enterprise. That gives me tremendous confidence in the long-term growth potential in front of SentinelOne. Over the last eight years at SentinelOne, we've developed AI and machine learning models built patented storyline technology and created an in-house cloud data platform. We knew from the beginning that the best solution would have to harness the power of data and AI. And as a result, we're delivering real-time industry leading threat detection and response from endpoint to IoT to cloud. To us prevention is the fundamental component of modern day cybersecurity. Equally critical is machine speed detection, response and remediation. We've achieved many important milestones already this year. Certainly the IPO is part of that. At the same time, top scores from MITRE ATT&CK, the industry standard test for EDR, as well as the high score in the Gartner Critical Capabilities for each buyer type have helped build credibility in industry recognition. Operationally, we've expanded our board of directors and instituted an advisory board. And with an eye to the future, we just announced that we'll be opening an R&D facility in the Czech Republic to support our growing scale and global presence. Finally delighting our customers, I'm especially proud that our net promoter score, or NPS, has risen every single quarter in the past year. It jumped in Q2 to above 70. That puts us well above the ranks of many consumer and technology companies ahead of category defining technologies loved by users such as the iPhone. Our customers choose us as their cybersecurity partner and we take the responsibility and trust seriously. We're helping our customers stay ahead of all adversaries, prevent breaches and autonomously respond through innovation. Turning to the business, in Q2, our ARR growth accelerated to 127% year-over-year and our revenue was up 121%. I want to pause on that for a second. Our business is expanding well into the triple digits, both for ARR and revenue and our guidance for Q3 shows that we expect that to continue. Our growth is very well balanced across new and existing customers, as well as large and mid-sized enterprises. Enterprises represent about two thirds of our business today, and we're gaining even more traction. In Q2, we added the highest number of customers with ARR over $1 million compared to prior quarters. We're also expanding with existing customers to securing more devices and services along with bringing new security control and visibility modules. Our net retention rate was the highest it's ever been at 129%. Our channel partners are bringing us into an increasing number of opportunities, giving our sales teams access, scale and reach around the globe. Nick will talk a lot more about our differentiated go-to market and how that's fueling growth. I'm proud of the technology and the innovation we're bringing to customers through our Singularity XDR platform. We sell three platform tiers, core control in our most comprehensive and popular tier complete. These tiers enable us to bring our technology to a diverse set of biotech types and organizations from medium sized businesses all the way to the world's largest Fortune 500 enterprises. We also offer more than 10 modules that extend our platform value to more enterprise needs from IoT discovery and security to cloud and container workload protection. Our modules help customers with today's critical management protection and visibility challenges. In Q2, we enhanced our capabilities around automation, zero trust and data. First automation, automation is key to neutralizing threats effectively and in real-time. Security teams simply can't analyze and respond to billions of events every day. The response piece is especially important. A human powered 1-10-60 benchmark is a legacy model. Our customers want real-time response and protection. This is why our patented storyline technology is so important, like monitors and contextualizes all events across an enterprise at machine speed. That means fewer and more accurate alerts based on data. It also means autonomous remediation, taking machine delivered responses to a whole new level of automatic efficiency. The chief information security officer of a Fortune 500 oil company captured it well saying SentinelOne's storyline technology fundamentally changes EDR. Instead of people having to manually assemble data points, the technology assemble stories for us and even make decisions in real-time, game changer. We listen to our customers adding even more automation capabilities. In Q2, we added Storyline Active Response, or STAR. With STAR security teams can now create custom detection response rules and deploy them in real-time. In other words, write the rules once and let it trigger automatic alerts and instant responses enterprise wide. That's more control and more automation and more prevention. The secondary of focus is around zero trust. Every edge of the network must be secured. We did this in two ways in Q2, tackling group IoT devices and expanding zero trust partnerships and enterprise can't protect what it can see, including IoT and unmanaged devices. One compromised printer can quickly become an adversary's home base for an attack. The solution for the IoT and unmanaged device challenges are ranger module. Ranger identifies and tracks all rogue IoT devices and we've just released Auto Deploy. Our new Auto Deploy capability tackles one of the oldest problems in enterprise IT, quickly deploying protection to unmanaged and sometimes unreachable assets with ease. Ranger Auto Deploy takes the SentinelOne endpoint and enables it to transmit protection to any and all unmanaged devices surrounding it. This is the first. And we're already seeing demand for Auto Deploy, which helps secure a million dollar customer win in Q2, where we replaced legacy AV in one of our other major next gen competitors. We also expanded our marketplace ecosystem through new partnerships with Zscaler and Cloudflare, partnering with other zero trust leaders strengthens our customers' security postures. Finally, we're focused on data. Cybersecurity is fundamentally a data problem. We use AI to parse petabytes of data, identify anomalies and autonomously mitigate attacks in real-time. Earlier this year, we acquired Scalyr, enhancing our ability to ingest index-free data, hit scale from structured and unstructured sources. Our goal is to optimize for scale performance and cost. We're excited about the future of go-to market synergies. We've also begun transitioning our data back into Scalyr for new proof-of-concept deployments, onboarding new customers at scale. Before I turn into Nick and Dave, I want to say I'm excited about what we've achieved as the company. I am proud of the scale of our business and the triple digit growth rates we've now delivered for two consecutive quarters. This is truly a testament to the hard work of the entire team at SentinelOne. Thank you to all of our employees and also our customers and partners. Your feedback and trust puts us on the winning side of cyber warfare every day. I'm even more excited about what we can do from here. The endpoint security market is large and growing and we're just at the beginning. Cyber defense should be even more holistic. It has to be flexible and automated and that means not just across the endpoint operating systems, but also IoT devices, servers, cloud workloads, and the data itself. This is XDR. We are XDR. And with that, let me turn it to Nick Warner, our Chief Operating Officer.
Thank you, Tomer, and I'd also like to welcome everyone. I've been at SentinelOne for over four years now. Everyone here has a lot to be proud of, especially how quickly we've scaled in just the past year alone. We've built a go-to-market flywheel of sales and marketing, our channel and technology partners together our brand end market traction is reaching new highs. Let's discuss the business. ARR of nearly $200 million and growing 127% is nothing short of astounding. Looking back, it took over three years to reach a $100 million in ARR and just three quarters to nearly reach the next $100 million. Our future is unbounded. That's because of vision, execution and listening to the needs of our customers. Over 5,400 customers use our Singularity XDR platform. That's over 2000 more than last year. I'm delighted to help protect that many businesses. Our customers are diverse in size, scope and geography. Our focus on automation, speed and accuracy is critical to any enterprise, in fact, all enterprises. We're protecting even more mission-critical businesses. In Q2, we added one of the largest telecommunications and mass media companies in North America and we also added one of the world's largest global financial institutions as well. Make no mistake, this is a competitive market. We go up against incumbent and next gen players all the time. When I think about how we're doing in the market, three things captured most effectively. One, our 97% gross retention rate, which means our customers are happy and staying with us. Two, we don't compete with our channel partners. So they are able to lead with our technology platform. We enable and embrace the channel. And three, we win more than 70% of POCs against the competition. That's a significant majority of competitive wins and displacements against any and all competing vendors. Let me share some more detail from the quarter. We're making tremendous progress with large enterprises, which represent about two thirds of our business. We grew customers with ARR over $100,000 by 140% versus last year. We added the highest number of million dollar ARR customers this past quarter. In the past year, we've more than tripled the number of customers with ARR over 1 million. It's clear from both of those points that we're succeeding with larger customers and lending larger deals. Our net retention rate was 129%, a new record for our company, fantastic execution from our sales and go-to market teams. We're helping customers expand agent deployments, access more functionality with package tiers and adopt new module solutions. When it comes to our modules, our innovations help enterprises do more. Just looking at our modules that cover IoT, cloud and data, these grew more than 6x year-over-year in Q2 and represent over 10% of the quarters' new business. We're still early with our modules and see this as a long-term lever for our business. Next, I'll share some insights on our go-to market. Our internal sales and support teams combined with our diverse and growing partner ecosystem gives us an incredibly vast reach. Earlier this year, we rolled out a new channel partner training and accreditation program. Feedback has been positive and we've issued over 2,000 accreditations to-date. Our strong channel metrics are leading pipeline and traction indicators. We partner with managed security service providers, MSSPs, managed detection and response providers, MDRs, and incident response, IR partners. We equip them with industry-leading capabilities and in return we get tremendous market access and scale. We don't compete with them. We support and enable their business. We're rapidly expanding this ecosystem and its driving meaningful growth for us. I want to double click on our incident response partnerships. Driven by the rising wave of ransomware attacks, breaches have become pervasive for businesses around the world. In the unfortunate, but often common case of a company being breached, IR partners are called in to identify and remediate the attack. They use our technology to understand what's going on, stop the attack and remediate the network. Our ecosystem of IR partners are armed with the best technology available when it comes to rapidly recovering from a breach. After seeing the immediate value of our technology, we see extremely high adoption rate at post-breach as post-breach enterprise is standardized on SentinelOne as a modern approach to cybersecurity. In Q2, we added over a dozen additional IR partners and are bringing more online in Q3 and beyond. It's not just quantity, but quality. In Q2, we added world renowned IR partners like Kroll, Alvarez & Marsal and Group-IB. These and others are global leaders with extensive enterprise relationships. These are the go-to experts who cyber insurers and boards call when there is a breach. In fact, our IR partner ecosystem is our fastest growing channel. For all of us at SentinelOne, our values and goals align on protecting customers and putting them first. From sales to support, marketing to channels, business development to customer success, Vigilance MDR to SentinelLabs, our go-to-market organization is world-class and I'm proud to work with this global team of relentless Sentinels each and every day. Thank you. And let me turn it over to Dave Bernhardt, our CFO.
Nick, Tomer, thank you. And thank you all for joining us today and hopefully in the future. I'll touch on a few of the highlights before we open for Q&A. There's a lot more detail in our shareholder letter, which I welcome you to view on the Investor Relations section of our website. We are very excited about our performance in the second quarter. Looking at our Q2 results, we achieved record revenue of $46 million, increasing 121%. Fueled by new customers and existing customer expansion, we delivered ARR of $198 million in the quarter, accelerating 127% year-over-year. Even after backing out the $10 million and acquired ARR from Scalyr, our organic growth was still well into the triple digits. Obviously, we're very enthusiastic about our top line drivers. Now we'll discuss our costs and margins and then provide our guidance outlook. Our non-GAAP gross margin in Q2 was 62% and expanded 900 basis points, a healthy pickup from last quarter. The biggest benefits are coming from our increasing scale and business expansion. Additionally, we're also starting to see benefits from our renegotiated cloud hosting agreement, which we signed earlier this year to align with our expected growth. Looking at the rest of our P&L, we're investing for growth and it's clear that it's working, once again, reflected in our triple-digit top line growth rates. During the quarter, we made strategic investments in preparation for becoming a public company, enhancing our product and scaling our go-to-market. Our non-GAAP operating margin was negative 98%, an improvement over negative 101% in the year ago quarter even as we prepared for our IPO. In the shareholder letter, we've reiterated our long-term margin targets. These are the same targets that we shared during the IPO. The key point is that as we progress to our long-term targets, we intend to invest in growth while also improving our margins and profitability. A recent example is the diversification of our R&D footprint outside of Israel and Silicon Valley. We just announced that we'll be expanding our engineering excellence into the Czech Republic. With all of this opportunity in front of us, fiscal 2022 remains an investment year. Now for our outlook for Q3 and the full fiscal year. In Q3, we expect revenue of $49 million to $50 million, reflecting growth of 102% at the midpoint. For the full year, we expect revenue of $188 million to $190 million or 103% growth at the midpoint. We expect the strong momentum we saw in Q2 to continue next quarter and our structural tailwinds to persist. Combined with ongoing benefits from our product innovation, improved brand awareness and continuing to scale our go-to-market, this collectively supports our triple-digit growth outlook. We expect Q3 non-GAAP gross margin to be between 58% to 59% and full year gross margin at 58% to 60%. Most importantly, this remains well above 53% we reported in the first fiscal quarter of this year and at or above 58% we delivered in fiscal 2021. We are benefiting from increased scale, cloud hosting agreements and processing efficiency gains. Reflected in our guidance is our plan to migrate existing customers to our Scalyr backend in Q3 and Q4. The migration will result in some duplicative storage and processing costs as we ensure data and performance continuity. This is intended to further improve data processing for the future and unlock long-term platform and go-to-market synergies. Excluding the redundant costs for the Scalyr migration, we estimate fiscal 2022 gross margin would be roughly similar to our gross margin we achieved this quarter. Finally, for operating margin we expect negative 96% to 99% in Q3. Our full year operating margin guidance is for negative 99% to 104%. This is an improvement upon our fiscal year 2021 operating margin of negative 107%. We see tremendous opportunity for growth and the investments we're making today will put us in a position to succeed for the long-term. Finally, we have two quick housekeeping items. Both of these are included in the shareholder letter with more detail as well. The first item is share count. We ended Q2 with total basic shares outstanding of 265 million. This is the base run rate going forward. The second item is the lockup. We have two triggers. The first is on September 28. If the stock price remains at current levels, it will unlock up to approximately 40 million outstanding shares as of July 31, 2021, excluding vested equity awards. The remainder of the lockup will expire subsequent to our Q3 earnings report. In closing, Q2 was an excellent quarter with strong execution, and we're expecting that momentum to continue into the second half of the year. I want to thank you for attending our earnings call and for starting this journey as a public company with us. Operator, can you please open up the lines for questions? Thank you.
Certainly. We will now begin the question-and-answer session. [Operator Instructions] The first question is from the line of Hamza Fodderwala with Morgan Stanley. Thank you. You may proceed.
Hey guys, thank you for taking my question and congrats on your first quarter post-IPO. Just on – maybe a question for either Nick or Tomer, I wanted to dig into some of the partnership announcements you guys have made in recent months particularly with Zscaler and Cloudflare. What do you think – one for Tomer, to what extent does that validate your technology given that you're partnering with other next-gen vendors on the network security side? And then from a go-to-market perspective, for Nick, what type of incremental benefit will these partnerships bring?
Yes. Thanks for the questions, Hamza. And for us, it's really about, really stepping forward towards a more inclusive, open XDR approach and also kind of producing a more Zero Trust ecosystem around SentinelOne Singularity platform, really fusing together endpoint, which is kind of the edge of the network with the cloud and now identity and the user as well. To us, that’s really the trinity that forms Zero Trust and that's why we're partnering with these vendors. Obviously we find them in more and more accounts that we sell into, so that also become something that our customers are asking us to do. So all in all, I mean, it just really kind of falls in line with both of our Zero Trust strategy and our open XDR approach. And the idea is over time to continue and ingest more data from all of these adjacent solutions in the enterprise into our open XDR platform. So to us, again, it really falls into the strategy that we took up by enabling our customers to pick any vendor and indeed builds on top of the Singularity platform.
Hi, and this is Nick here. From a go-to-market perspective, what it means for our customers is we really allow them to realize even greater ROI on previous solutions that they had purchased. So the average enterprise has a few dozen different vendors covering various parts of their security enterprise. And with our vision of XDR being open, being inclusive, being easy to use, what we're really doing is up-levelling the capabilities of those traditional and already installed products, adding tremendous value with the Singularity platform, but weaving that all in together to a complete and holistic view of security, which is really the promise that we're delivering upon with XDR.
Thank you. The next question is from Brian Essex with Goldman Sachs. You may proceed.
Hi, good afternoon. Thank you for taking the question and congratulations on another really nice quarter of acceleration here. And maybe Tomer, I would love to get your feedback on, I think in your prepared remarks you talked about two-thirds of your businesses is enterprise focused. What was the mix in the quarter? And what do you anticipate going forward for larger enterprise mix? I see that landed costs per new logo is certainly much higher than it was last quarter. So just trying to think about the trajectory there and maybe the most fundamental thing that changed in the quarter to drive that improvement.
Yes. For us, it really is a good mix. I mean, we feel like our traction in the enterprise and definitely 140% growth year-over-year and 100,000 deals and above is a good reflection of how much bigger we're landing in accounts. 225% on $1 million deals, again, a good reflection of our traction in the enterprise. But at the same time we feel presence in the mid-market is important and it's something that actually is a very efficient go-to-market for us. So we like that mix, we feel it's a good mix for us. We'll continue to drive it. Definitely on the enterprise side, we’ve seen more lends with our complete tier, actually were more attached to ranger, more attached to vigilance, more attached to data retention. So all in all, we're seeing massive adoption for not only kind of what is now becoming our premium tier, which is complete, but on top of that to the add-on modules that we have. And we intend to do the same also on the mid-market where we enable our channel ecosystem to carry more than just endpoint protection and several cloud security. So all in all, we feel that mix is a healthy one and one that we would like to carry into the future.
Got it. And maybe just a quick follow-up for Dave. I mean, you mentioned real quick the duplicative costs associated with the Scalyr migration. When might we see that abide and maybe the margins might be able to maybe better accelerate off the inclusion of that?
Sure. It's predominantly in the second half of this year. So you'll see it in Q3, you'll see it in Q4, and then it should dissipate beyond there. We're working on getting our largest customers over first, which is why you see the depth that we're expecting in the second half, but going forward, we think we should have a baseline of around where we're at right now, barring any other efficiencies we see on the product as we continue to advance it.
Got it. Very helpful. Thank you very much.
Thank you, Mr. Essex. The next question is from Saket Kalia with Barclays. You may proceed.
Okay, great. Hey guys, thanks for taking my questions here and echo my congrats on becoming a public company. Tomer, maybe for you. I was hoping you could just talk a little bit about kind of the broader distribution channel a bit. I guess the question is how do you sort of judge the scale of your channel? And where do you see it kind of going in the next year coming off the IPO?
Yes. It's a great question because we look at our channel in a very inclusive manner. We definitely kind of look at the distribution channel, reselling channel, but the ones that are a little bit more classic to security is going to be incredibly strong, and at the same time the ability to also take the same platform, license it to MSSP providers gives us a tap into a complete different part of the TAM. And as Nick mentioned in the prepared remarks, our ability to now signup most of the incident response providers, most of the leading incident response providers in the U.S. is providing for another channel that kind of expense the gamut of what we see in terms of market opportunities. So all in all, we feel pretty good about our market presence in the channel ecosystem. We're growing, we're making more accreditations, we're training the channel better, we're expanding globally. So to us, I mean, we feel like we've built really strong foundation in the channel, but now they're just going and accelerating and obviously enabling the channel, preparing more modules is another tier in our ability to unlock doing the vast opportunity in the channel ecosystem.
This is Nick here. What I'd also add to that is uniquely with SentinelOne, we've made a strategic decision to enable and not compete with the various multi-dimensional channel partners out there, whether that's MDRs, MSSPs, or incident response partners, obviously as well as your traditional resell partners. And what that's really driven by enabling their business and not competing is incredible loyalty and brand loyalty with SentinelOne, and that's something we've been working really hard on for the last several years. So we're really starting to see that, that flywheel kick-in, in all the different facets of go-to-market channel partner ecosystem.
Got it. That's really helpful. David, maybe my follow-up for you. Tomer just sort of talked about this just briefly in the last question, but I was wondering if you could just double click a bit on the mix of customers across the different singularity peers specifically core control and complete. What are you sort of seeing in terms of new customers and existing customers in terms of the peers that they're sort of opting for?
Sure. It's about half of our customer we're still use core or control with the larger enterprise customers obviously using the complete solution. And there's a mix across all of them, but there's certainly an opportunity us to continue to see the customers and core control we expand up to the more complete offering, as well as add more modules, et cetera, et cetera. I think that goes into why you're seeing 129% at RR. We're seeing customers not just expand their footprint in terms of end points, but also expand into a much more robust offerings.
Very helpful. Thanks guys.
Thank you. The next question is from the line of – I apologize one moment, please. With Rob Owens [Piper Sandler], you may proceed.
Great, and appreciate you guys taking my question. I think building a little bit on Saket's question, but I wanted to touch on the net dollar retention rates. And is this coming from an expansion in seats? Is this coming from the tiers that you talked about and up-sell within the base or a lot of that growth coming from the adjacent modules?
It's actually all of the above and we definitely focus on basically providing the customer the choice, license counts naturally organically extend over time. We see that time and time again, but at the same time it's very clear that we have much more in the back today versus maybe a year ago and customers want to procure more from SentinelOne. They want to cover more surfaces. They want to use more abilities; they're opting for our services. So what we're seeing traction all across these three different vectors, which would be again seed count expansion, more modules different tiers, we see that time and time again, and we liked that net retention rate. I mean, we feel it's going to hover around these rates for kind of the foreseeable future, and we like their contribution.
As we look at customer acquisition, typically who are you going up again? Are you still seeing a lot of replacement of legacy out there, which would imply that there's still a long way to go in this markets? Where is the battle coming down to more of the next gen providers? Thanks.
Yes. And I think it's 99% displacing an incumbent. It's always going to be competitive with at least one other next gen competitor. But outside of that, I mean, we are doing displacements here and there, very anecdotal but we have those. But the vast majority of what we see, it's, it's absolutely taking market share from the incumbents. It's always a displacement. We've had multiple years doing customers of Symantec and McAfee. I'm switching over to SentinelOne this quarter as this has been with the past quarters as well. So we think the – the market momentum in customers understanding that they need to change the mindset and we move over to a next gen offering is not really mainstream. And I think that comprises the vast majority of our pipeline.
Thanks for the color, Tomer.
Thank you. The next question is from Brent Thill with Jefferies. You may proceed.
Thanks. Tomer, you mentioned IoT cloud and data center seem really good uptake. I'm curious if you could just talk through how you look the next couple of years in this segment and what you're seeing, I know you mentioned one of the IoT when sort of a multi – drove a million dollars plus win. Can you just maybe help shape what's happening when these – when these transactions are getting evolved and what you're seeing with overall expansion of deals?
Absolutely. Ranger for us has become truly a competitive advantage. Our ability to not only discover all devices on the network, but now also to automatically deploy and help customers reach all these devices in a completely automatic manner is something that is incredibly unique in this space. And it's driving more adoption and driving more seat counts in all-in-all it drives the stability for customers who shift away from their incumbent vendor with ease. So it's not only about protecting those attack surfaces, it's also about ease of deployment and simplicity of use. So we're seeing massive traction with that. We're seeing the ability for almost every customer that we have today to go in and prove by that functionality. Its zero additional deployment. It's completely cloud delivered. So it's incredibly easy to consume. Again Ranger is one of our fastest growing modules and same goes for data retention. We're now seeing, think about the White House Executive Order that mandates low collection, data retention, the ability to keep security data input telemetry for longer is actually fueling customers to procure more and more data retention and archiving directly from our platform. It's something that's highly unique to us. Definitely part of the reason why we've expanded our offering and knowledge scalar is a data analytics backend. So the ability to really address all of these new opportunities in cybersecurity that might have not been there a couple of years ago are not only an opportunity, but also a competitive differentiator that we have.
Thank you. The next question is from Tal Liani with Bank of America. Thank you. You may proceed.
Hey guys, congrats on a great quarter. I have a few questions I want to speak about competition. Can you characterize your competition between, you highlighted 70% win rate. Can you characterize the competition? How's it going versus legacy players and what drives corporates that were on legacy system for a long time? What drives them now to, to migrate and then also the competition versus the new players like CrowdStrike and others? And if you can talk about your – we spoke about product differentiation, but I want to talk about the value of automation. How is that coming to play and also pricing differences. We're hearing that you're quite cheaper than the competition – next gen competition? Thanks.
Yes. I believe for us it's really about the holistic approach we're taking that allows us to win both, I guess, incumbents and against the next gen peers. The ability to give a full spectrum solution, a full spectrum platform that ranges from best of breed prevention, all the way to detection and response and remediation all of that in a complete uniform autonomous manner. It's a big difference on what the others are doing in this space. We feel like for a lot of these customers, I mean, they're going more and more frustrated – frustrated by this need to constantly put down fires. And for us, I mean, you can take a more prevention first approach. You can actually stop these fire from actually ever happening. And that just drive efficiencies. And I think if you're looking at all these incumbent vendors and incumbent footprints, obviously there's massive, massive amounts of breaches there. Even for the engine peers, I mean, we're seeing a lot of their customers and we've had a multi-million dollar displacement this quarter for a customer that grew increasingly frustrated with the multiple infections with inefficiency on protecting server environments. And they wanted a more automatic solution. They wanted a solution that can actually remediate and clean up all the infections they were seeing. But at the same time turn into more of a preventative approach where I'm not saying that you can prevent everything, but you can absolutely do a better job on prevention and really stop that firefighting mode or improve it significantly. And that is what our platform is incredibly unique in that the advantage of AI and machine learning. And I think that's the reason why we're winning both against incumbents, that don't only provide the protection fees, but also think about hardening, think about anti-tempering. These are all things that our platform can cover today. It's incredibly holistic again in nature. And once again, we do look at the peers they're focused on detection and response. That's what they do. They bundle a service with it. For us it's about technology. It's about creating a more secure endpoint in the most holistic way possible.
Got it. And about pricing, is it – is being cheaper than the next gen competition is the strategic – strategic goal for you? I mean, how do you tax arise your pricing versus competition?
Yes. I don't think we're cheaper than the competition. I think if you look at it, apples-to-apples you'll see that the prices are pretty much similar. I think we take a different approach. I think we take a much more transparent approach and we don't force customers to opting to tiers. We don't force them to use our service. So all in all, I mean, they can actually choose what they want to procure from us, but again apples-to-apples, I think you'll see that prices are very, very similar. Don't think we're cheaper by any degree.
One thing I would add to that, this is Nick here is, from a budget perspective. What we don't try to do is hijack a customer's security budget and to forcing them to buy reams of services, hours to support, a non-automated product. What we're bringing is automation and machine learning, ease of use, and really we're democratizing very advanced technology. What that enables customers to do is achieve the outcome we're driving for them and our prospects and customers, which is protection and prevention. And so from an apples-to-apples perspective, we're typically at or higher from a technology perspective, but we enable customers to best put that, that money to use buying technology. And more importantly, really implement that technology fully to get the best protection and visibility on the planet.
Great. I have a quick one, if I can squeeze in, if not I'll ask you privately. CrowdStrike highlighted on the last call that they won Workday from you and they highlighted false positives and reasons why they said that this customer switched to them. I think it's just fair to ask the question, if you can refer to their statements and announcements on this customer? Thanks.
Yes. I mean, I think it's – it's something that you'll see anecdotally happening. I mean, we've had an excess of $1 million ACV displacement this quarter as well for Fortune 500 Company, and they cited the same. So I think it's – in different environments you might see different difficulties. I think a lot of it is sometimes about relationships, but I think what's incredibly interesting about the customers that we've displaced is the reference they made to the amounts of infections they have to deal with, which to us is really why you're bringing in cyber security solution. You want to prevent these infections from happening. So to us, I mean, those positive performance it's always something that you deal with. I mean, they deal with that, we deal with that. It's something that we'll deal with that forever. But again infection, that's something that's unacceptable. And I think that's why you see customers its scale against multi-million dollar ACVs shifting away. And that's kind of what we see in this space today.
And this is Nick here. Time and time again, what we've seen for several years now is folks go with SentinelOne for really a unique combination of prevention alas coverage and support, automation, and then lastly as Tomer had mentioned efficacy. So our ability to protect to prevent and to keep our customers safe.
Thank you. The next question is from Andrew Nowinski with Wells Fargo. You may proceed.
Great. Thank you, and congrats on a very good quarter. It's two quick questions for you. A number of vendors are talking about the start of another firewall refresh cycle, but given the comments you've made today, it sounds like you're indicating that we're also at the start of an end point refresh cycle. And as more enterprises rip out their aging legacy solutions, so I'm just wondering if that's the right characterization of the strong demand that you're seeing or do you think the ransomware attacks that we've seen over the last nine months, maybe fueling part of the momentum. I'm just really trying to get a feel for how long this exceptionally strong momentum can continue?
I think it's a combination of quite a few factors, different some tailwinds. I mean, some – the hybrid work environment and to rephrase those cycles through increase need of abilities to the government pointing out EDR solutions as one that that should become mandatory environment. So I think there are many different drivers to what we're seeing right now in endpoint security. I think the road is long, and I think what really is important to understand about our platform is we're much more than endpoint security. So for a lot of these new accounts that we're winning that the net new logo motion that we have is already going into other adjacencies in the enterprise, whether it's IoT security or cloud security. So to only the end point refresh cycle, there's actually something that drives in overall look at your entire cyber security posture. And we're becoming this trusted partner for these enterprises that actually continue and grow up and down the stack and in different surfaces. So all in all, I mean it drives I think a complete overhaul of the cyber security stack. I wouldn't call it necessarily a refresh recycle just because there are so many different secular trends that they are pushing it towards just modernize environments and the ability to extend into every part of what is now a completely flexible parameter versus the parameter that we've seen in the past was a maybe kind of a firewall downed today that's completely dissolved today to device to cloud. And that's really what's driving massive motion in our market. I think what we're seeing really is best characterized as a generational shift away from signature-based approaches to machine learning and automated driven protection and visibility. And that's what we're experiencing. We're still in early innings, but it's massive, its macro and its global.
That's great. Thank you. And just my follow-up question. As it relates to some of the $1 million ARR customers that you landed. I'm wondering, if you could just give us any more color in terms of maybe how many agents those deals typically involve? Or how many modules they typically purchase? I'm just wondering, ultimately how much of an opportunity there is that those customers for additional purchases? Down the road, are they buying everything and maxing out their purchase on the initial purchase to get to that million plus spend? Or is there a big opportunity with those going forward? Thanks.
We feel as far from it and it can vary significantly. We definitely see the ability to expand into other footprints in the enterprise, almost every account that we land. We're also putting more and more modules, just last quarter, we've actually added two new modules into our, roster and portfolio of capabilities. So all in all, we feel pretty good about our ability to continue and grow in these customer accounts, both in terms of covering more footprints but also in terms of selling more modules. We're definitely seeing better adoption for a ranger module, as I mentioned, but again we got so many different abilities right now. And we're seeing, the beginning and first innings of traction, we deliver with a lot of our newer modules. And it's kind of a game that we saw a film that we already saw and we see it growing over time. So all in all we feel the potential is quite significant.
Thank you. The next question is from Patrick Colville with Deutsche Bank. You may proceed.
Hi there. Thank you for taking my question. So sequential ARR grew $37 million bucks, if I'm not mistaken, just a kind of housekeeping items, I presumed Scalyr – likewise in first quarter, right. So that $10 million you pulled out of inorganic ARR fell in 1Q right? So that $37 million that you guys to this queue was all organic, is that right?
That's correct. We got $9 million ARR when we acquired Scalyr. It's now 10. Our focus with Scalyr is obviously been on implementing the technology not on really pushing our go-to-market. That's something we'll advance, once we get it completely tied into the SentinelOne back end. So yes – 37.
Okay. Sorry, just – $10 million was it 1Q and does it…
1 million incremental between Q1 and Q2 for Scalyr, so we acquired them at 9, they're currently 10.
Okay. That's great. Could I just, I guess follow on about the connected environment. I mean, how is going public helps in the enterprise or I guess landing kind of our partners or SI partners is, has the – I guess the publicity and profile of being a public company assisted in that? Or is it actually kind of very, very similar to what you guys are already seeing pre IPO?
I think we're definitely seeing an elevation of the brand. And we're definitely seeing more market presence. I think the tax that we choose to, be very transparent about what the company does is dispelled. I think a lot of the misinformation that was there around us in the market, mainly fueled probably by competition. So for us right now, we feel better attraction. We feel better competitive environments more, that's for sure. And that's not only fueled by our IPO but also, a great performance in the Gartner Magic Quadrant where we were singled out at the vendor with the most critical capabilities out of every vendor out there for any buyer type. I mean, that just comes to show that home prevention and all the way to detection, response and remediation. Our platform today holds the most capabilities out of any other platform out there. So all in all, I think, again, multiple factors come into play, the IPO shining a spotlight on all of them. And now we're seeing I think, of just increasing – increase in accelerated attraction across the board, both in partners and with customers, with sales cycles and with competitive win rates.
Great, thank you so much.
Thank you. The next question is from Shaul Eyal with Cowen. You may proceed.
Thank you. Congrats, guys on the strong debut quarter. Dave, when we think about your Czech Republic R&D facility, is that driven by global lack of talent? Is it driven by higher R&D costs, in the West Coast or in Israel or is pretty much all the above? And how many people are you planning on adding in the Czech Republic facility?
Sure. So we obviously look for global talent everywhere. One of the reasons that we're looking at the Czech Republic is because they do have an excellent amount of cybersecurity talent that, assets is it allows in next. So we're going to continue to look for areas where we can advance, what we need in terms of driving our product and our innovation. Obviously there are areas that are, economically more viable in terms of full strategy. So we're going to continue to monitor that. And we'll do that for the foreseeable future.
Got it. And maybe a question on cohort analysis that if it's not too early. Can you talk to us maybe from the quantitative or maybe just from a qualitative perspective on the LTV of cohorts over the past few quarters now going to say even a few years, specifically on the heels, or the fact that, your deal with a greater than 1 million have been fantastically on the rise out of the late.
This is Nick here. So we really think about growing the business from a new model perspective, as well as learning to extend, someone asked a question on that the answer is yes, we're doing both. What we're seeing and Tomer talked about this is with a tremendous innovation, introduction of new modules, new surfaces to protect new problems to solve. We've seen huge lengthen expand opportunities. And in fact, 50% of our customer base is running, our core control package, we can upgrade those folks to complete many modules to cross-sell and up-sell. What we're also finding is at time of sale for new customers, they're predicting landing with a complete package with other modules as well. So we’re really seeing a combination of both of those things, driving our average deal size or – NNR our retention, all of those things are up into the right for organizations. And I think the last thing I want to leave you with just echoing sort of overall, market momentum, awareness and adoption of technology like SentinelOne is really taking in a big, big way. And so that's also driving a lot of the adoption.
Got it. Thank you so much. Good luck.
Thank you. The next question is from Roger Boyd with UBS. You may proceed.
Terrific. Thank you very much for taking my question. I guess relative to the question, partner retention results. You call that the success with tears in modules, wondering if you can talk about the impact of cloud workload protection? Where do you think you are in that opportunity? And in any sense of the penetration that product has with customers today?
Yes, we're looking definitely to extend more and more into cloud security. And specifically, when we talk about cloud security, we talk about workload protection platform and runtime protection. Today, I think we've shared that it's already about 10% contribution into our revenue is coming from the, cloud and server protection pieces that we sell, and we're seeing more and more traction in cloud security. And to us, we also continue to bolster that capability. So there we've added CIS benchmarking capabilities just a couple of quarters ago, we're seeing better and better adoption. We've introduced, our cloud workload protection platform is an integral part of the AWS marketplace. And that drives adoption as well. So all in all, we're definitely seeing an opportunity that's almost completely Greenfield there. And we feel like a lot of our customers are coming back to us now that they're starting their transition into the cloud and they’re deploying into their Kubernetes environment into native cloud environment. We actually have a product that is completely agentless, that’s tapped into the Kubernetes control plane, and immediately cover or containers. So all in all, we feel well positioned to continue and capture market share in the cloud workload protection platform space into us, again if you coupled that with the platform approach with everything coming back to the same security data layer, then you really start unlocking synergies and you allow security teams really ask a question once and get an answer from every part of your enterprise network that spends from the endpoint or though the cloud. And that becomes very unique proposition.
Very helpful. Appreciate the colors. Thanks.
Thank you. The next question is from Alex Henderson with Needham. You may proceed.
Great, thank you very much. That was a great question from Roger. But I wanted to go into a slightly different angle on the cloud architecture that you bring. Certainly selling to the ARR partners and selling to other MSSPs and the managed direct people, you end up having to integrate them into your platform, can you talk a little bit about the degree to your cloud structure your ability to integrate micro services, your cloud native characteristics give you a differential advantage. And to what extent that partnership integration makes your partners more sticky over time and amplifies that loyalty?
Yes for sure. And our platform is a 100% cloud native. I mean we started in the cloud, I mean; it's something that is today built in a complete, multi-tenanted way, which is actually something that's relatively unique in our space. And it also want to know, enables these partners to basically deliver their services in a much more effective manner. So they get up and running in seconds, they get a complete cloud tenant for themselves, the immediately deploy using guard discovering deployment services, and then, they leave the platform there for us to come in and monetize. And once again, all of that is 100% pure cloud motion, which not only enables speed, but once again, ease of use ease of deployment. We just, turns out to be a much more efficient model than the platforms that they've been using in the past which obviously, were more on-prem down. So to us, again being completely cloud native, being multi-talented is a competitive differentiator we have for that part of the market. But also you can probably, probably see the same type of buying motion in the enterprise as well we’re conducting the DLC, deploying the platform is becoming easier and easier in all in the cloud delivered fashion.
I realize we're running long here, but wanted to add a second question. Could you talk a little bit about your hiring plans and sales? What type of capacity, you see going forward in terms of your ads for the next couple of quarters? And then what's the availability look like? And what is the cost look like? Are we seeing escalation and the prices of labor? And are there enough people out there to fulfill your needs?
Yes, hi there. We're definitely investing for growth. It's an enormous opportunity out in front of us. So we're going to continue to invest and build and grow our go-to-market teams. Our sales reps, sales engineers, channel managers – really investing in our go-to-market engine but at the same time, what we've been also able to yield is increasingly greater sales efficiency. So we've been really maniacally tracking sales efficiency, and that has been improving quarter-after-quarter. So we're going to actually have each quarter a bigger sales team that is also more efficient helping us continue to drive growth. But the last thing and this is not to be underestimated with our unique go-to-market business is that multi dimensional channel that we talked about. Massive sales forces at various channel partners in the MDR space, MSSP partners, IR partners, traditional resellers and distributors. And so that's the right way to think about our global field presence is adding all of those folks up and understanding that each time we're adding a partner behind that are hundreds of sales reps, doing 2000 plus accreditations to date, that's really building that flywheel, but we're absolutely going to continue to invest in our own SentinelOne personnel as it relates to go-to-market.
Question on the cost and availability?
Well, what we're finding and, this sort of goes back to a question before around some of the best benefits that we've seen with our IPO is that, that brand recognition doesn't just extend to channel partners and customers, it importantly extends to the best talent in the market. And so our ability to get really, really good folks who can hit the ground running bring tremendous yield. That's enabling us to have great attraction and appeal to get the best talent in the market.
Great, thank you very much.
And I would now like to pass the call back over to Tomer Weingarten, CEO of SentinelOne. Thank you. You may proceed, Mr. Weingarten.
Thank you and thank you all for joining us today. We look forward to talking to you again in the near future. Thanks a lot.
That concludes the conference call. Thank you for your participation and enjoy the rest of your day.