E2139 Debrief

Cyber Security - SentinelOne & CrowdStrike

If you are new to Telltales, welcome! It’s great to have you here. This newsletter is designed to complement our weekly call/podcast and ultimately enable you develop your ability to think critically and independently about investments. Neither the call/podcast nor this newsletter provide ‘stock tips’ or financial advice. You should always do your own work to determine if an investment is suitable for you. If you are new, please check out the following posts:

Share Telltales

Every week I will provide additional data to supplement our weekly Telltales podcast. You can get the podcast on Apple PodcastsSpotify, or SoundCloud. Follow along with this newsletter to stay up to date!

In last week’s debrief, we covered two consumer facing app companies: Bumble and Duolingo. On this week’s episode we continued our discussion of recent IPOs and dug into SentinelOne, a cyber security SaaS company. In today’s debrief we will dig deeper on SentinelOne and compare it to a similar cyber security company, CrowdStrike.

Cyber Security

A couple weeks ago we discussed digital transformation and the digitization of work, specifically covering two companies that have benefited and are enabling further adoption of digital workflow management, Asana and Monday.com. With digital transformation changing everything, accelerated by the COVID-19 pandemic, organizations have become increasingly susceptible to cyberattacks. Every place where data resides is vulnerable - from device to server to the cloud. Across all industries, institutions, and governments, cyberattacks expose the fragility of our systems and have become one of the biggest threats to global stability and progress. Our growing reliance on technology creates an accelerating risk cycle: more devices generate and process more data which result in more opportunities for cybercriminals to attack. Cybersecurity is foundational to preserving our digital way of life.

Historically, the best achievable cybersecurity outcome was defined by the 1-10-60 Rule - meaning 1 minute to detect an attack, 10 minutes to investigate, and 60 minutes to respond. Today, this is the equivalent of bringing a knife to a gun fight.

The companies we will look at today, SentinelOne and CrowdStrike, provide cutting edge solutions that are capable of preventing attacks like the one that affected SolarWinds. In fact, both companies claim that their clients were not affected by the SolarWinds hack. Both companies use artificial intelligence technologies to protect against cyber attacks and both charge SaaS subscription fees based on the number of endpoints in a given network.

An endpoint is a remote computing device that communicates back and forth with a network to which it is connected.

SentinelOne (S) & CrowdStrike (CRWD)

We will dig deeper on both companies next week, but for now here are some hard numbers…

EV/NTM Revenue

SentinelOne’s NTM (next twelve month) revenue is expected to double to $243.8m. With an EV (enterprise value) of $13b, the SentinelOne currently trades 53.6x NTM revenue.

CrowdStrike’s NTM revenue is expected to grow by 47% to $1.67b. With an EV of $54b, CrowdStrike currently trades at 32.4x NTM revenue.

NTM revenue growth rate is the single best explainer of EV multiple of revenue, but there are other factors which we will cover in the following paragraphs.

Gross Margin

Generally, gross margins for SaaS companies are expected to be high (population mean and median are 72% and 74% respectively). SentinelOne’s lower gross margins are likely a result of the low revenue base. The company’s S-1 called out “…the expansion of our cloud infrastructure related to the growing adoption of our platform” as the primary driver of increased cost of goods sold. Presumably, as they grow, the company’s gross margin will approach the population mean of 72%. As you can see in the chart below, CrowdStrike’s gross margin has improved over time.

Net Expansion

Net Expansion is a cohort based analysis of existing customer revenue growth, net of churn. Both SentinelOne and CrowdStrike have similar net expansion (125% and 120%, respectively), highlighting the fact that both companies have strong product market fit and are well positioned to grow as their customers number of endpoints increase.

Sales & Marketing Payback

Like all SaaS companies, SentinelOne and CrowdStrike spend heavily on Sales and Marketing: 91% and 45% of TTM (trailing twelve months) revenues, respectively. The chart below shows how CrowdStrike’s Sales & Marketing spending has decreased over time and that of SentinelOne is likely to follow a similar path.

As far as return on investment goes, CrowdStrike’s Gross Margin adjusted payback of 16 months is slightly better than SentinelOne’s 20 months.

Rule of 40

The Rule of 401 is a SaaS industry metric that evaluates two important factors in growing SaaS businesses - revenue growth rate and free cash flow margin. The rule of thumb is that a number > 40% is good.

SentinelOne has a low rule of 40 (22%), primarily due to the company’s extremely negative free cash flow margin.

Sentinel One Rule of 40 = 108% TTM Revenue Growth + -86% TTM FCF Margin

In contrast, CrowdStrike has an extremely strong Rule of 40.

CrowdStrike Rule of 40 = 74% TTM Revenue Growth + 34% TTM FCF Margin

Comp Table

SaaS Valuations and Interest Rates

Theoretically, SaaS valuations should be affected by interest rates as interest rates are used to discount the value of future cash flows to the present. The impact of an increase in interest rates ought to translate to a decrease in the slope (b) of the regression equation published by Jamin Ball in Clouded Judgment each week2.

It can also be seen in this chart, again, from last week’s CloudedJudgement. A full analysis of the correlation of interest rates to revenue multiples is beyond the scope of this post, but something to keep in mind in the current environment.


Rule of 40 = LTM revenue growth rate + LTM FCF margin


I cite his data here because he has consistently posted his data on a weekly basis.