If you are new to Telltales, welcome! It’s great to have you here. This newsletter is designed to complement our weekly call/podcast and ultimately enable you to develop your ability to think critically and independently about investments. Neither the call/podcast nor this newsletter provides ‘stock tips’ or financial advice. You should always do your own work to determine if an investment is suitable for you. If you are new, please check out the following posts:
Every week I will provide additional data to supplement our weekly Telltales podcast. You can get the podcast on Apple Podcasts, Spotify, or SoundCloud. Follow along with this newsletter to stay up to date!
Before we dig in, you might have noticed the new theme song in the podcast this week. That song was generated by artificial intelligence, specifically, the OpenAI MuseNet model. The ‘composer’ (link below) developed the song by instructing the MuseNet model to combine the well-known Pink Panther theme song with jazz and other elements. I think it’s fitting given our ‘detective’ work in seeking long-term profitable investments. Here’s a link to the entire song…
In last week’s debrief, we compared the relative valuations of two cyber security SaaS companies: SentinelOne and CrowdStrike. On this week’s episode we took a step back and discussed endpoint security as a product category, the underlying themes that are driving spend in that category, and two companies that are benefitting from that increased spend - SentinelOne and CrowdStrike. In today’s debrief we will provide an overview of endpoint security and dig deeper on both companies by reviewing customer feedback and discussing growth expectations and net retention.
Endpoint Security, EDR, and XDR
Endpoint Security is a subset of the broader category of Cyber Security. Endpoint Security is the practice of securing endpoints.
An endpoint is a remote computing device that communicates back and forth with a network to which it is connected. Examples include desktops, laptops, and mobile devices, among others.
Endpoint detection and response (EDR) is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with automated response and analysis capabilities.
EDR systems protect endpoints on a network (like a PC or an iPhone) or in the cloud (like AWS- or Azure-based workloads) from cybersecurity threats by installing an agent (a piece of software) on each endpoint. This agent provides data that the broader EDR platform can use to detect, investigate, and act on a threat. Endpoint security is often seen as cybersecurity's frontline, and represents one of the first places organizations look to secure their enterprise networks.
As the volume and sophistication of cybersecurity threats have steadily grown, so has the need for more advanced endpoint security solutions. I should also mention that there is another term floating around this space called XDR, which is really an evolution of EDR that correlates and observes activity across endpoints in order to identify threats using rules-based, algorithm-based, or artificial-intelligence-based means and automatically act on the threat. This appears to be far more effective than traditional endpoint protection because it provides opportunities to utilize advanced data analytics and artificial intelligence technologies to quickly detect, analyze, block, and contain attacks in progress.
The primary driver of increased spending on Endpoint Security is the increased number of endpoints in a given business network. Businesses were forced to adopt digitization and work-from-home due to COVID-19. This translated into more endpoints (iPhones, laptops, etc.) for businesses to secure, and therefore more spending on EDR.
Today we will discuss two endpoint security companies, CrowdStrike and SentinelOne. Their leadership in the space is confirmed by the fact that both companies are highlighted in the Gartner Magic Quadrant for Endpoint Protection, along with Microsoft, Palo Alto Networks, Trend Micro, McAfee, and Sophos.
SentinelOne
SentinelOne is a newer entrant to the endpoint security space. The company IPOed on June 30th and sold 35 million shares at $35, raising more than $1.2 billion in the largest cybersecurity IPO ever. Shares closed up 21% on the first day of trading to $42.50.
The company pioneered an evolution of EDR called XDR, which aims to make cybersecurity defense truly autonomous, from the endpoint and beyond.
SentinelOne prides itself on having fended off cyberattacks for all of its customers, most notably the recent SUNBURST one (the malware that tricked systems into uploading it as an update to SolarWinds’ Orion software).
Weingarten (the CEO) has referred to CrowdStrike as its “main competitor.” And earlier this year CrowdStrike acquired Humio, an XDR competitor to SentinelOne, in an apparent attempt to bolster its competitive position against the upstart.
TrustRadius has over 30 reviews on SentinelOne from users of the product. To summarize, reviewers felt that SentinelOne had lower administrative overhead than other solutions. However, reviewers did suggest that SentinelOne’s EDR capabilities are not as extensive as some other products (likely referring to CrowdStrike) - but basic information is available, and unless the customer has sufficient resources to evaluate the data, that additional data may not be valuable anyway. Ultimately, most reviewers found SentinelOne to be easy to use and a good value for the money.
CrowdStrike
CrowdStrike raised about 700m in its IPO on June 12, 2019. Shares surged over 90% in the first day of trading.
In an interview after the IPO, CrowdStrike CEO George Kurtz said... “There’s been no Salesforce of security. And we think we’ve taken the right approach and created the right architecture to be that fourth pillar of cloud computing.”
CrowdStrike is a far more mature company than SentinelOne, in that its breadth of offering is more complete for the largest enterprise customers.
TrustRadius has over 70 reviews on CrowdStrike Falcon from users of the product. To summarize, reviewers felt that CrowdStrike is a more mature product than others on the market and that no other security vendor can rightfully do what CrowdStrike does. Reviewers with smaller businesses (51-200 employees) found it expensive, but larger enterprises appreciated the breadth of capabilities and features.
A Short Primer on SaaS Revenue & Net Revenue Retention
Before we go any farther, I’d like to take a few minutes to cover a topic that has become reflexive to me but will certainly be new for some readers. SaaS revenue, and the metrics we use to evaluate it, is fundamentally different than traditional revenue. There are four components to SaaS revenue - churn, expansion, downgrade, and new.
Churn – Churn is the revenue you no longer collect because a customer stops using the product.
Expansion – Expansion is additional revenue generated when an existing customer buys more product.
Downgrade – Downgrade is the revenue you no longer collect because a customer reduces the amount of product they consume.
New – New revenue is revenue generated when a new customer is acquired.
Different parts of the company’s sales organization spend significant efforts to optimize each of these components of revenue. Unfortunately, few (if any) publicly traded companies disclose all of these. Generally, we are lucky if the company breaks out subscription revenue from professional services. However, it has become commonplace among SaaS companies to report their Gross and Net Revenue Retention.
Net Revenue Retention (NRR) (aka Net Dollar Retention (NDR), aka dollar-based net retention rate) explains the net movement (inflow/outflow) of revenue (annual/monthly recurring revenue) within your existing customer base. Note that New revenue is not included here because Net Revenue Retention focuses just on your existing customer base.
Gross Revenue Retention (GRR) (aka Gross Dollar Retention, aka dollar-based gross retention rate) calculates lost dollars from the existing customer base.
When a public company reports NRR and/or GRR, they also report how they calculate it - this is important because not all companies follow the same standards and formulas described above.
Perspective on SentinelOne and CrowdStrike
Jumping back to our companies, SentinelOne and CrowdStrike…. investor expectations are high - target revenue growth rates for the next three fiscal years are 104%, 70%, and 65% for SentinelOne and 61%, 38%, and 32% for CrowdStrike.
One observation here to consider…. analysts expect growth rates for both companies to drop off significantly after fiscal ‘22. I'd imagine this is based on the expectation that the growth in number of endpoints per organization may decline while the total adoption of this technology will continue.
One way to get a better understanding of what is going on with endpoint growth is to look at the Net Retention Rate (NRR) for each company, which as of July 31, 2021 are 129% [1] and 120% [2] for SentinelOne and CrowdStrike respectively. If we see a reduction in that number (especially from CrowdStrike as the product is more mature), one potential factor would be reduced growth of endpoints within existing customers.