SentinelOne Inc

NYSE:S

Good afternoon. Thank you for attending the SentinelOne Q3 FY 2024 Earnings Conference Call. My name is Victoria, and I'll be your moderator today. [Operator Instructions]

I would now like to pass the conference over to your host, Doug Clark, Vice President, Investor Relations. Thank you. You may proceed, Doug.

Good afternoon, everyone, and welcome to SentinelOne's Earnings Call for the Third Quarter of Fiscal Year '24 ended October 31. With us today are Tomer Weingarten, CEO; and Dave Bernhardt, CFO. Our press release and the shareholder letter were issued earlier today and are posted on the Investor Relations section of our website. This call is being broadcast live via webcast, and an audio replay will be available on our website after the call concludes.

Before we begin, I would like to remind you that during today's call, we'll be making forward-looking statements about future events and financial and performance, including our guidance for the fourth fiscal quarter and our full fiscal year '24 as well as long-term financial targets. We caution you that such statements reflect our best judgment based on factors currently known to us and that our actual events or results could differ materially.

Please refer to the documents we file from time to time with the SEC, in particular, our annual report on Form 10-K and our quarterly reports on Form 10-Q. These documents contain and identify important risk factors and other information that may cause our actual results to differ materially from those contained in our forward-looking statements. Any forward-looking statements made during this call are being made as of today. If this call is replayed or reviewed after today, the information presented during the call may not contain current or accurate information. Except as required by law, we assume no obligation to update these forward-looking statements publicly or to update the reasons actual results could differ materially from those anticipated in the forward-looking statements, even if new information becomes available in the future.

During this call, we will discuss non-GAAP financial measures unless otherwise stated. These non-GAAP financial measures are not prepared in accordance with generally accepted accounting principles. A reconciliation of the GAAP and non-GAAP results is provided in today's press release and in our shareholder letter. These non-GAAP measures are not intended to be a substitute for our GAAP results. Our financial outlook excludes stock-based compensation expense, employer payroll tax on employee stock transactions, amortization expense of acquired intangible assets, acquisition-related compensation costs, restructuring charges and gain on strategic investments, which cannot be determined at this time and are, therefore, not reconciled in today's press release.

And with that, let me turn the call over to Tomer Weingarten, CEO of SentinelOne.

Good afternoon, everyone, and thank you for joining our fiscal third quarter earnings call. We delivered strong third quarter results, which exceeded our expectations on all key metrics. And once again, we're raising both our top line and bottom line guidance for fiscal year 2024. This was another quarter of solid execution in a demanding macro environment.

Enterprises continue to modernize their endpoint security with a singularity platform. In addition, we're seeing strong demand for our cloud security and data lake solutions which combined grew triple digits. And I'm pleased to announce that we've begun delivering Purple AI to enterprises.

We also solidified our lead with mid-market enterprises and expanded our business with leading MSP partners to larger and longer-term commitments. Finally, we continued making significant progress towards profitability with our net income margin improving to negative 5%.

Our pace of innovation and technology leadership continue to fuel growth. For the fourth consecutive year, SentinelOne led the MITRE ATT&CK Evaluations with 100% real-time protection driven by autonomous security, which is critical in the modern threat landscape. In Gartner Peer Insights, we received a score of 4.8 out of 5 for outstanding customer experience and product capabilities.

We're leading the industry with breakthrough innovations across endpoint, cloud, data and AI, delivering a fully unified platform experienced organization once again selling SentinelOne far apart from other security vendors. We're addressing critical enterprise security needs, remaining ahead of adversaries now and into the future. As always, please read our shareholder letter published on the Investor Relations website, which provides a lot more detail.

On today's call, I'll cover three key areas: one, details of our strong quarterly performance; two, the broader demand environment and state of cybersecurity; three, innovations that magnify our technology leadership and drive future growth across multiple markets. Let's double-click into our third quarter performance, which exceeded our top and bottom line expectations.

Revenue grew 42% and total ARR grew 43% year-over-year. Net new ARR growth accelerated to 11% year-over-year, driven by a combination of new customers and existing customer expansion. Despite persistent macro challenges and escalation of geopolitical tensions, the combination of superior technology and solid execution is driving positive business momentum.

Our progress towards profitability remains a bright spot. We delivered a record high gross margin of 79%, and we posted the ninth consecutive quarter of more than 25 points of operating margin expansion. In parallel, our free cash flow margin improved by 40 percentage points year-over-year, and our net income margin approached only negative 5%. This tremendous progress reflects the scalability and power of our business model. We remain committed to building on this progress in achieving positive free cash flow in the second half of next fiscal year.

We are succeeding in the endpoint market from large enterprises to mid-market and smaller businesses where we're already a proven leader through our MSSP partnerships. Beyond endpoint, the momentum of our platform expansion into adjacent markets is picking up. Our total customer base now exceeds 11,500, recall, this number is dramatically understated as it does not include the customers served by our MSSP partners.

We're increasingly protecting more customers through this channel as enterprises are turning to MSSPs for managed security services, which is a highly scalable way to address the mid-market. At the same time, customers with more than $100,000 in ARR grew 33% and customers with more than $1 million ARR grew even faster. Our success with large enterprises and platform adoption continues to drive higher ARR per customer, which increased about 15% year-over-year.

In Q3, we generated strong momentum in the federal arena and secured several new agencies. Similarly, many large enterprises across global health care providers, technology pioneers and multinational corporations continue to choose the singularity platform. These engagements include multiple aspects of the singularity platform such as endpoint cloud identity and our data lake.

In Q3, Singularity Cloud and Singularity Data Lake were our fastest-growing solutions. Combined, they represented over 20% of quarterly bookings and grew triple digits. We've seen a notable uptick in demand for our unified Singularity Data Lake solution. This illustrates the growing diversity of our business and our expanding platform horizon. Singularity cloud and data lake are so much more than [ end-to-end ] modules. These are highly differentiated and enterprise-critical technologies with massive TAMs and long-term growth opportunities.

Our dollar-based net retention rate remained north of 115% as our existing customer base continues to deploy additional platform technologies. We see significant long-term potential based on high customer retention and satisfaction, expanding product categories and early-stage adoption from our installed base.

On to our partner ecosystem. We achieved another quarter of standard growth with our MSSP partners in Q3, and our momentum in mid-market enterprises remain strong. MSSPs represent the fastest-growing channel category in the security market and the preeminent way to protect SMBs. Our platform architecture is purpose-built to help service providers manage security at scale and drive meaningful growth. Multi-tenancy, automation and remote management make singularity the platform of choice for MSSP. In Q3, we continued to solidify our leadership position with MSSPs.

On the competitive front, we continue to win a significant majority of competitive evaluations against both next-gen and legacy endpoint providers. When you look beyond endpoint security, the competitive landscape tilts further in favor of SentinelOne. Our unified data and security platform architecture helps enterprises consolidate spend, point products and consoles, resulting in better value efficiency and user experience. These jointed platforms do not result in better protection. Bigger brands do not mean better security. As proven by the string of massive breaches, these solutions are frequently breached. Just think about the many high-profile cyberattacks in the last few months, and the shortcoming should be obvious.

We introduced a novel approach that uses real-time superior protection and delivers fully autonomous cybersecurity and unified enterprise data in one place. With the migration to cloud-based architectures and the adoption of AI-based technologies, digital infrastructures are rapidly evolving. More important now than ever before, our unified security data lake architecture enables organizations to move at the pace of AI while also modernizing enterprise-wide visibility and protection. In many cases, our competitors can't even offer cloud security or security data lake. We have distinct technology advantages in these areas, including resource-efficient worker protection and then actual unified data architecture capable of ingesting enterprise-wide data.

We are engaging with enterprises and winning deals with singularity cloud and data lake regardless of the installed endpoint vendor. Helping enterprises manage complete security data at scale with better cost and performance is a strategic conversation that is different from focusing on point solutions. Over time, we believe these opportunities will open the doors for further consolidation with the singularity platform, resulting in greater platform adoption.

Let me highlight two examples. First, after 15 years of using Splunk, a large enterprise replaced it with Singularity Data Lake alongside our endpoint and cloud security. After consolidating multiple security needs on the singularity platform, this enterprise has also deployed Purple AI to get a fully integrated autonomous experience. like many others, the customer valued SentinelOne's unified platform that fuses security data and actions, future-proofing their enterprise security posture. Second, among many federal wins in the quarter, one of the agencies similarly selected SentinelOne to consolidate security across endpoint cloud and data. This federal agency completely replaced their legacy SIEM solution with Singularity Data Lake, showcasing that SIEM is the past and singularly data lake is the future. Our competitive wins demonstrate how AI-based technologies are fueling both new customer wins and significant expansion across multiple end markets.

Let's turn the discussion to the broader demand environment and cybersecurity landscape. The demand environment remains relatively consistent with last quarter. From a macro perspective, global economic challenges persist and are further typified by rising geopolitical tensions, yet the threat landscape remains unrelenting. The velocity and complexity of attacks have dramatically increased. As an example, dwell times have shrunk from months to days, presenting new challenges for corporate defenses and putting more emphasis on the need for real-time protection.

A slew of recent high-profile breaches shows the enormous consequences for enterprises. A single attack can cost hundreds of millions of dollars, lost business and disrupted operations. Events like these are constant reminders about cybersecurity must be the top priority for CIOs around the world. The most unnerving part of these attacks is that they continue to circumvent so-called large platform vendors.

Time and again, point products and endless list of modules meshed together in this jointed platforms are consistently failing to protect enterprises. Vectors of attack are forever evolving, a constant moving target in the age of AI. Cyber warfare has also taken a new turn towards online disinformation and manipulation. Geopolitical tensions are spilling into cyberspace, destabilizing and undermining normal business operations and even parts of society.

At SentinelOne, we're ushering a new age of enterprise security, one that can outpace the threat landscape by taking a holistic approach to managing risk through AI-based real-time operations. Beyond security software, there's a clear need to assess, quantify and articulate risks from security executives to the CEO and Board of Directors. The shift in risk management is needed to prepare and protect against fast-acting complex cyberattacks.

In Q3, we launched PinnacleOne, a strategic advisory practice to help enterprises and governments build world-class cybersecurity programs. I'm thrilled to have Chris Krebs and Alex Stamos join SentinelOne. Both are renowned industry experts who lead with integrity. Combining their talent and SentinelOne's technology leadership makes PinnacleOne a highly valuable and unique resource to enterprises and governments across the world. PinnacleOne will help management teams and Boards understand who the attackers are, what they're after, and how to fortify their security framework beyond just deploying any single product. This will also help public and corporate leaders to better assess cyber risks and liabilities, so they can develop effective strategies and mitigate potential impacts.

Let me also share an update on our leading innovations across multiple growth areas. We recently hosted our first customer partner conference and showcased our commitment to 4 key areas: data and AI, cloud, and as always, endpoint. As I've said before, cybersecurity is a data problem. We are the first company to introduce a fully unified data and security platform. Legacy SIEM solutions are falling behind and security vendors are clamoring to keep up.

SentinelOne's unified data and security platform delivers cost efficiency and high performance at scale. In Q3, we secured large data deals, which reinforces the demand from large enterprises looking to modernize away from legacy SIEM solutions. Recent deals of the leading SIEM vendor being acquired is further boosting enterprise interest in our Singularity Data Lake. We're taking singularity to the next level through AI. We're disrupting the SIEM and security market by fusing Purple AI with our unified data lake.

Purple AI is fully integrated across the entire singularity platform and user interface. It enhances investigations, simplifies threat hunting, mixed recommendations and automate actions. In essence, it supercharges every SOC and data analyst unlocking efficiency and accelerating response times. As I mentioned earlier, we've already started selling Purple AI to select customers. We expect general availability in Q1 of next year. The combination of unified data and Purple AI puts us in a strong position to deliver enterprise-wide security and disrupt the legacy data analytics market.

Next, we're expanding our cloud security offerings. We are already leading in cloud workload protection and cloud data security. In the coming year, singularity cloud will become a full-featured CNAPP with agent-based and agentless capabilities. We'll have more to share in the next couple of quarters. And as always, we will continue to maintain our technology leadership and end points. We achieved the fourth consecutive year of leadership in the MITRE Engenuity ATT&CK Evaluations. Our approach to this year's MITRE evaluation reflects our philosophy on protection that speed and autonomous security are critical.

Unlike most participants in this test, you will see 0 delays or configuration modifiers in SentinelOne results. In contrast, our closest next-gen competitor had over 20 delays and configuration changes. Achieving 100% detection and protection without any do-overs is the difference between a simulation and the real world. Attackers don't offer extra time or a chance to make configuration changes. Singularity is built to be real-time, AI-driven and autonomous, critical to combat against modern threats.

Before concluding my remarks, I'd like to mention some exciting updates. We've made some terrific additions to our leadership team to bring unrivaled industry expertise. Michael Cremen joined SentinelOne in November as our new Chief Revenue Officer. Michael joins us as CRO from Elastic, where he was instrumental in scaling the business to $1 billion and beyond. His experience unites security and data in a way that ideally matches our mission. This transition has been thoughtfully planned over the past several quarters.

I want to thank and congratulate Mark Parrinello, our former CRO, for his contributions and well-deserved retirement. Mark will remain at SentinelOne until the end of this fiscal year to ensure smooth transition. As I mentioned earlier, I'm also excited to welcome Chris Krebs and Alex Stamos to the SentinelOne team. They are renowned for their cybersecurity thought leadership with deep experience across both public and private sector, including Homeland Security CISA and global tech giants like Facebook and others.

In closing, our technology and talent are stronger than ever, leading to another quarter of outperformance. Together, we remain focused on the long-term opportunity in maximizing our business potential. Most importantly, we're focused on helping enterprises advance their infrastructure and security now and for the future. I want to thank all Sentinels as well as our valued customers, partners and shareholders.

With that, I will turn the call over to Dave Bernhardt, our Chief Financial Officer.

Thank you, Tomer. This afternoon, I'll discuss our quarterly financials and provide additional context around our guidance for Q4 and fiscal year '24. As a reminder, all comparisons are year-over-year and all margins discussed are non-GAAP, unless otherwise noted. Our third quarter results exceeded our expectations across the board. We delivered high top line growth and substantial margin expansion. Revenue grew 42% to $164 million and ARR grew 43% to $664 million, reflecting a net new ARR of $52 million in the quarter.

Our net new ARR exceeded our typical third quarter seasonality and accelerated to 11% year-over-year growth. Our growth has accelerated despite persistent macro challenges. We delivered strength across all geographies. Revenue from international markets grew 46% and represented 37% of revenue. Q3 revenue also benefited from a stronger contribution of our professional services, driven by elevated breach activity across legacy and competing platforms. As Tomer mentioned, deploying software alone doesn't solve all security challenges. This is why we acquired KSG and launched expert advisory practice PinnacleOne.

We continue to drive a healthy mix of new customers and existing customer expansion across businesses of all sizes. Our ARR per customer rose 15% year-over-year to approximately $60,000 per customer. In addition, our momentum with MSSP partners, and by extension, SMBs, was particularly strong as it continues to fuel a solid base of long-term growth. We continue to take market share from incumbents and next-gen vendors and our third quarter performance signifies a strong competitive position and enterprise demand for SentinelOne's best-in-class cybersecurity.

Looking beyond top line growth, our progress towards profitability remains a bright spot, evident by significant margin improvements. Our gross margin reached a new record of 79%, showing an 8% year-over-year improvement and comfortably within our long-term target range of 75% to 80% or higher. This important achievement reflects the benefit of our increasing scale and platform unit economics. Our margin improvement is indicative of healthy pricing and the value and innovation we deliver to customers. It also demonstrates the success of our land and expand strategy. Our unified security and data architecture in a single platform is delivering meaningful value for SentinelOne as well as our customers.

Q3 marked our ninth consecutive quarter of more than 25 percentage points of year-over-year operating margin expansion. Our increasing scale and cost discipline are driving substantial operating margin improvement. Q3 operating margin expanded 32 percentage points to negative 11%. And we're not just improving our margins.

We've also significantly reduced our operating losses by more than 60% to negative $18 million in Q3 from negative $50 million in the year ago quarter. Similarly, we improved our free cash outflow by about 60%. This is tremendous progress. It reflects the continuing success of our proactive efforts to enhance working capital and thoughtfully manage our costs. We are committed to building on this progress and achieving positive free cash flow in the second half of our next fiscal year.

Moving to our guidance for Q4 and the full fiscal year '24. The demand environment remains consistent with the trends we discussed last quarter. Indeed, customers are still facing higher cost of capital and additional approval layers. These dynamics can impact visibility into the timing or size of potential deals. It's prudent to be mindful of these dynamics as we enter Q4, our seasonally largest quarter of the year.

Despite operating in a challenging macro and geopolitical environment, we're raising our revenue and margin expectations for fiscal year '24. Our teams are executing well. Our win rates remain strong, and we are delivering operating leverage.

In Q4, we expect revenue of about $169 million, reflecting growth of 34% year-over-year. For the full year, we expect revenue of about $616 million, reflecting growth of 46% in fiscal year '24. This is an $11 million increase compared to the prior outlook of $605 million, above and beyond our Q3 beat. Based on this view, we're on track to deliver about $200 million in net new ARR for the year, up from our prior expectation of $195 million.

Based on our go-to-market momentum and strong competitive position, we feel confident in our ability to deliver against these higher full year growth targets. Importantly, we're seeing durability in our new business generation and the trajectory of growth rates. Beyond endpoint security, we're encouraged by increasing platform adoption of our adjacent solutions like cloud, data, identity and AI to drive diverse growth opportunities for years to come.

Turning to the outlook for margins. We expect a Q4 gross margin of about 77.5%, implying a year-over-year increase of about 2.5 percentage points. On a constant currency basis, we expect our Q4 gross margin to be relatively consistent with Q3. Also for the full year, we are raising our gross margin guidance to 77%, up about 5 percentage points year-over-year and up 100 basis points when compared to our prior guide of 76%. We expect continued benefits from increasing scale and data efficiencies inherent in our business model.

Finally, we expect operating margin to be negative 14% in Q4, implying an improvement of 23 percentage points year-over-year and is stronger than our prior expectation. For the full year, we are raising our guidance for operating margin to about negative 20%, up 5% compared to our prior annual guide of negative 25%. This implies a significant improvement of more than 29 percentage points compared to fiscal year '23.

We expect Q4 free cash flow margin to improve sequentially based on the seasonality of cash collections and payments and our improved operating margin outlook. We have a very strong balance sheet with $1.1 billion in cash, cash equivalents and investments and 0 debt. This provides durability and flexibility to optimize top line growth and margin improvement. We are delivering industry-leading margin improvement and moving closer to achieving positive free cash flow generation.

As I said before, we'll continue to grow market share and capitalize on large TAMs with disruptive technologies. Our investment approach remains selective and focused on key areas of competitive strength, notably data, AI, cloud and as always, endpoint. This is evident by our strong top line growth and industry-leading margin improvement.

Thank you all for joining us today. We will now take questions. Operator, please open up the line.

[Operator Instructions] Our first question comes from the line of Joshua Tilton with Wolfe Research.

Congrats on a pretty solid quarter. Kind of just clarifications here, but customer additions came in a bit lower than we were expecting. Anything to highlight there? And just you called out offering a broader CNAPP platform in the next 12 months. Is that going to be developed in-house? Or are you guys looking to make some acquisitions in that space?

The customer count is rounded down. But moreover, I think the amount of additions that we see across [ MSP ] channel is very significant. And that spans midsized enterprises all the way to SMBs. To us, I mean, it was a very strong quarter of customer additions. Moreover, the ARR per customer is always something that we optimize and we invest in. And that obviously is another impact on the total customer count. Having seen our ARR go up per customer 50% year-over-year, obviously that's the exact trajectory that we want to see. So all of that kind of goes into the customer count. But all in all, a very healthy kind of net new quarter for us.

As for CNAPP, I think we've been focused on developing internally for quite a few quarters. We already have, I think, a large subset of capabilities already available in the market. With that, we always kind of look out there to see if there's any interesting technologies. We never precluded an acquisition. But with that, we're very disciplined, I think, in how we approach acquisitions, especially these days. But all in all, I think we're feeling more and more confident about our ability to provide a full CNAPP portfolio in the near future.

Our next question comes from the line of Brian Essex with JPMorgan.

Great to see the margin expansion. It's really nice to see. I guess, Tomer, just one question for you. Really interesting development with PinnacleOne. Could you maybe unpack a little bit what your intentions are with that part of the business? Is this going to be more of a lead gen, innovation-type consulting business? Or is it more incident response? And how might that impact -- how might we expect that to impact revenue and margins going forward?

Absolutely. Definitely not in incident response firm. We actually have already incident response capabilities within Vigilance. We've had for about 3 years now. When we look at PinnacleOne, if you kind of look at what's happening in the threat landscape over the past couple of years, we've seen an incredible shift, I think, in attack methodologies. And we've also seen, I think, just a failure of the product methodology.

People, obviously, have security products, yet they're still getting breached. And what we're seeing more and more is not only the shift in liability to the boardroom, to the CEO, to the executive level, but also the need to actually come up with a security strategy to assess risk and to understand risk, quantified and conveyed in a much better way. PinnacleOne comes to address exactly that. It's a highly strategic advisory service, again, with some of the best minds in cybersecurity that comes to help our customers and new prospect design their security posture, regardless of the product, obviously.

This is completely vendor-neutral. Obviously, if you couple that with our technology leadership, if you couple that with the level of threat intelligence that we see in overall geopolitical mapping that we do, you get into a very unique service, I think, in the entire landscape and one that should provide for ample risk reduction for customers out there above and beyond the products that they deploy.

Got it. And maybe -- I don't know if Dave could expand on the size of that business and margin impact given that it's more kind of a head count-focused business.

Yes. And for Q4, I mean it's essentially immaterial. I think it's under $1 million of total impact to the quarter. So really no effect on revenue or margins for the current quarter. For next year, we're obviously working on the plan for next year. And we'll give you guys more visibility on that when we announce Q4 earnings.

Our next question comes from the line of Saket Kalia with Barclays.

Okay. Great. Tomer, maybe for you. I just wanted to dig into the competitive environment a little bit in endpoint. Not the usual suspects, but I think there are some public reports out there that Carbon Black may change hands again, may not stay with VMware as part of that sort of broader deal. Maybe the question for you is, can you just talk about them a little bit as a competitor and whether you think that could be a significant share gain opportunity for SentinelOne?

Sure. Yes, I don't put a lot of stock in rumors, as you can imagine. But at the same time, it's definitely been one of the most preeminent share donors out there for the past couple of years. I think the technology is largely stagnated and we've seen a pretty decent amount of Carbon Black displacements throughout the last couple of years. With that, I think the size of the business is not so material, so it can really change or impact things in the endpoint market in a significant way.

But with that, again, it's a relatively easy target for displacement. Carbon Black was mainly on the EDR side, while most prominent vendors right now in endpoint actually cover both endpoint protection and EDR. Most customers are looking for one solution, one platform to cover both aspects. So that doesn't bode well for Carbon Black, period. So I don't know where they're finally going to find a place or not, but I feel it's relatively incremental.

Got it. Got it. That's helpful. Dave, maybe for my follow-up for you. I echo the prior comments. Just great to see the continued improvement in operating loss. Can you just maybe talk about the restructuring program that we implemented earlier this year and whether we've seen most of the benefits of that yet, whether there's still some more benefit to come? How do you think about that sort of restructuring having played into this improvement? And how much more is left?

Thanks, Saket. The impact of the restructuring, it's been included in our annual and quarterly guide since we announced it in Q1. So no real incremental pickup from that. With that being said, we're continuing to analyze the yield from our expense investments for growth and expanding market share. You see this is evident in our continued operating margin expansion. I think we're 9 straight quarters of 25% or more year-over-year improvement. And our Q3 results show margin improvement well and above any benefit we would have gotten from restructuring. So we implemented that. We operated essentially fully, I think, on June 1, and we've been off and running from that point on.

Our next question comes from the line of Hamza Fodderwala with Morgan Stanley.

Tomer, you talked a lot about Singularity Data Lake in your prepared remarks. I was wondering if you could, maybe just rough sense, help us sort of size that business and what you're seeing in terms of the opportunity for SIEM replacements in light of recent M&A in the space.

Sure. We don't disclose, obviously, the exact size of the business. It grew more than triple digit on a stand-alone basis. It's definitely one of our fastest-growing modules right now. It's a complete product line. It consists of really pricing by data ingestion. So it's a very different motion than the seat-based motion that we see in endpoint. The TAM -- the original TAM for security analytics is about $20 billion. If you bundle that with data analytics, it becomes about $40 million of a target opportunity.

The dominant vendors in that market, you mentioned that competitor getting acquired and a bunch of others. These are technologies that have been developed probably about 15 years ago. So if you can kind of think today about the data scale that most enterprises need to deal with, obviously, it goes for something new. If we can, with Singularity Data Lake, provide something to customers that is twice the speed and half the cost, obviously, that's a very palatable offering for them. And obviously, if you couple that with unique capabilities like generative AI, Purple AI on top of an enterprise-wide data lake, then you start to realize that you get compounded value by switching into an all-inclusive platform that is not focused just on endpoint and maybe some generative AI and chat bots for endpoint, but really a broad-based capability where you can ingest any type of data, both structured and unstructured, no need to index, up and running in minutes.

This is a revolution in data analytics, and that's why we believe that the disruption for the SIEM market for security analytics is really pending. We foresee in the next 24 months or so, a major shift in that market. And it's not about replacing the SIEM. It's about coming with a whole new offering, with a modernized platform that can do much beyond the SIEM was ever designed to do, and that's why we're incredibly excited about the opportunity.

Our next question comes from the line of Alex Henderson with Needham.

I actually want to do 2 follow-up questions to questions that were already asked. The first one being on the data lake structure. So it's pretty clear that you guys get a lot of telemetry data off of your endpoints. But if I think about the merger between Splunk and Cisco, their primary value there is adding not just the traditional SIEM data, but adding it to the data networking content and telemetry information that historically has been in titration and the like as well as the observability functionality that's been in AppDynamics. So I guess the question is to what extent you need to reach out to third parties to add some of those type of incremental data to your data lake to get beyond just indications of attack and indications of compromise that are captured in the initial data lake architecture?

Yes. Look, our data lake is built on being totally open, and that is the key to all of it. We don't lean on any one specific vendor, and actually, in many cases and even with deals that we've done last quarter, we ingest data even when we're not the endpoint provider. So to us, it's really about being fully open and having the ability to ingest data directly from a network provider, from the e-mail provider, from an authentication provider much like Splunk. Splunk did not own any one of these assets, they were leaning on integration into their platform. We do it with OCSF. It's a complete open format. We're one of the founding members in that alliance. And that allows us complete flexibility in ingesting data from any ecosystem product that you have in your enterprise.

With that said, typically within a classic SIEM environment, 60% to 70% of the data that you find in the SIEM is actually generated from EDR product. I've been saying that for years, which was really one of the reasons why we thought it makes a whole lot of sense to actually start embedding the other components in enterprise into that same data lake infusing it with the endpoint data. Moreover, we're not talking just about threat indicators. We're talking about fully fledged log analytics. What we ingest into data lake is all pieces of data, not just curated threat indicators, but any log line, any event can be ingested.

I think that's one of the keys in an era where keeping logs become this requirement that is becoming more and more important, keeping logs for longer. If you need to retain your logs for a year worth of time, doing it with any one of these incumbent platforms is going to be a high cost-prohibitive practice. That's why when we look at the potential for Security Data Lake, it's not XDR, it's not a SIEM.

It's built to be a vast petabyte scale, log injection mechanism to put all logs. We don't discriminate logs. We want all of them in, and that's what we believe can also allow for better AI utilization once we're able to feed all that data and expose it to algorithms, you will be able to get to much more accurate results versus just putting threat events into this different data source.

If I can just throw one last question, and it's really a playoff of what has already been said. The PinnacleOne opportunity, it strikes me that this is very much like the managed services environment where once you have a customer in that pipeline and working with PinnacleOne that ultimately that generates significant potential downstream revenues after the fact. Is it reasonable to think that for every dollar of PinnacleOne revenue that there's $5 or $6 worth of ARR that will accrue from it in the following periods?

We definitely hope so, even though -- look, our North Star is just to help customers. And obviously, the KSG group comes with their own customer base. Obviously, to us, it's about putting the best security consulting business that we can in that advice in the hands of customers, whether that results in further revenue and more product sales, perhaps, obviously, we hope so. But to us, we just feel like there's a dire need and a big gap in actually designing security beyond just deploying sporadic products into environments, and that's what we're trying to solve here. So it's customers first. And then, yes, if you can help with technology, obviously, that will fuel into that.

Our next question comes from the line of Tal Liani with Bank of America.

I've been asking the same questions, all the other security names, and it looks like it's throughout the industry we're seeing it. But if I look at the sequential trends of billings, in '22, it was up 54% in 4Q '22. 4Q '23, up 42%, 43%, and now it's only up 2%. Can you discuss why is billings on a sequential basis, we don't see the same seasonality that we're seeing? And again, this is industry-wide. Does it mean that contract duration is going down? Does it mean that pricing is going down? What are the implications for the business?

Thanks, Tal. Billings grew 2% quarter-over-quarter, but they were up 33% year-over-year. The quarterly billings can vary based on customer mix, especially with MSSP. So we focus on ARR, and it's a better metric. Just from an overall contract standpoint, the average contract duration is up but we're seeing less frequent upfront payments, which the entire industry is seeing. We're not in a $0 or 0% interest environment, and that obviously impacts customers' willingness to put full year upfront or multiyears upfront for larger enterprise customers. So that dynamic has changed really over the past year. But -- and with MSSPs, we see a lot of monthly and quarterly payments. So that's always going to be the dynamic with us.

Got it. And is there any difference in linearity of deal flow during the quarter, this quarter versus previous quarters?

No, linearity was fairly consistent.

Consistent. Okay. Perfect.

Our next question comes from the line of Trevor Walsh with JMP Securities.

Great. Appreciate it. And I also appreciate the updates around Purple AI. Maybe Tomer, just a quick one for you on that. Of your customer conversations, what's been kind of the primary pushback, if any, around just the adoption of that new product? And then how does that maybe translate into what you're seeing from just kind of an initial attach rate of what you're expecting around with Purple AI as we move into kind of the beginning of next year? And if that tracks similar to maybe singularity cloud or the security data like, could you expect that type of uptick? Or if there may be other kind of puts and takes there.

Sure. We're not seeing, I think, any type of pushback per se. I think that some of the questions that we've been asked revolved around potentially training more models -- more AI models that are tailored to the customer environment and how we plan to address that. So I think there is largely a lot of excitement towards the capability in terms of how we're thinking about it.

Obviously, it takes some time to scale a whole new technology. And obviously, we're doing it responsibly. We want to make sure there's the right safeguards. We want to make sure that privacy is kept. All of these things are incredibly important for a company like ours. I mean we're not just an average consumer company. We deal with security, and we need to make sure these things are in place.

In terms of the magnitude, I mean, Purple AI is definitely almost another product line for us, right? I mean it's not just a module. So how we're treating it, how we're structuring our go-to-market, what we anticipate Purple will contribute in the, call it, the next 24 months is definitely in the magnitude of something like cloud, something like data. But again, I mean, it's early days. It looks very, very promising.

I think the fact that it's an enterprise-wide capability, so once again, it's not something that you sell per se. It's not something that just for one footprint and the application of it can be virtually endless in the enterprise environment. I think that puts us in a league of its own in terms of the other offerings that we're seeing in the security space.

The next question comes from the line of Rudy Kessinger with D.A. Davidson.

Dave, I guess just on the net new ARR, I guess, the implied net new ARR for Q4 and probably about, I guess, half the growth versus Q3 as you saw last year. So just what are your assumptions on close rates, budget flush, et cetera, relative to, I guess, Q3, but also Q4 of last year?

Yes. So obviously, we've increased our guidance to about $200 million in net new ARR for the full year, up from $195 million. So we're seeing clear signs of stabilization. We're expecting Q4 net new ARR to be essentially flat to what it was in Q4 of last year. We don't expect a budget flush. We've never really been a recipient of that. Although I wouldn't mind it if it were to come. But really, the way we're thinking about this is that Q4 is seasonally our largest quarter of the year. We don't expect Q4 this year to be any different than historically.

We delivered upside to Q3. We outperformed typical seasonality, and we're expecting that to carry into Q4. And I think one of the things to be concerned about is just there's still macro uncertainty, there's geopolitical uncertainties. Those are continuing to persist. We want to be mindful of the evolving macro dynamics. But I think overall, we're pleased with the outlook we're seeing. We're pleased with the performance we had in Q3, and we're pleased with the execution of our teams. So stabilization we're seeing and the visibility we have for Q4 makes us optimistic that things are getting better.

Okay. And then just a quick follow-up. The margin improvement, very, very nice to see. Just on gross margins, any one-time items to call out that drove that 79% in Q3 and why the step back down about 150 basis points in Q4.

There's about 150 basis points of FX gain. Obviously, we have a fair amount of support people across Europe. The U.S. saw favorable U.S. dollar to -- especially to the shekel over the end of Q3. Some of that has slipped thus far in Q4. But on a constant currency basis, we're assuming we'd have been roughly the same at about 7.5%, which is what we're guiding for Q4.

Our next question is from the line of Gabriela Borges with Goldman Sachs.

This is [ Max ] on for Gabriela. As a follow-up to the prior question, we have a question for you. As you think about your fiscal year 2025 planning assumptions, it would be great to get your observation on what is incrementally changing in your priorities headed into next year, especially with your new CRO in place.

We'll provide an outlook next quarter. It feels prudent to get to the largest quarter of the year before turning to a new calendar year and budget expectations. Look, our market position is strong and we execute well. I think we have multiple growth drivers.

Our goal remains the same. It's to maximize growth and improve margins. And obviously, at the same time, as Dave mentioned, the economic challenges are still very, very present. And we're not assuming any battering conditions significantly next year.

We're very encouraged by our new CRO. We're very excited to have Michael with us. Obviously, brings a wealth of experience. It definitely is something that we planned for quite a few quarters. We also want to wish Mark the best in his retirement. And we look forward to really scaling the business in the next couple of years beyond 1 billion.

Our next question comes from the line of Ray McDonough with Guggenheim.

Tomer, over the past couple of quarters, we've talked about some downsizing on renewals. And I understand the commentary around the macro, in general, has been that trends are relatively stable. But in that area, specifically around renewals. Are those trends starting to change at all? Or are you still seeing similar customer behavior?

And maybe just continuing to zoom out, as you look at kind of what transpired in November and as you talk to customers about heading into the next calendar year, how are those budget conversations around security spend shaping up? Do you feel close rates may improve next year as the threat environment seems to get more intense? Just any commentary on broader level spend and your feeling going into next year would be helpful.

Yes. Look, all I can say is that things remain pretty consistent. I don't think that anybody feels like they can buy forward licenses for something that they don't use. So rightsizing, truly understanding what you need to use, I think that dynamic is here to stay. I don't think anything changes with that. Cybersecurity has been top of mind for years now. I don't think there's anything new in that. So all in all, I think there's really no change that I can call out at this point in time.

Okay. Makes sense. And Dave, as the data lake solutions continues to scale, can you talk about the patterns of overages on consumption that you're seeing? And assuming that's where the majority of consumption revenue comes from? And maybe to what extent you've been successful in capturing incremental commitments, which would otherwise have been overages? And how should we think about that potentially being a tailwind to ARR growth next year as the data lake solution scales?

Yes. We really didn't have any changes or unexpected impacts from consumption during the quarter at all. One of the things that we're seeing and we're encouraged by is that customers that did have overages when they do commit to us are committing at the level that they were spending. So if a customer is moving from consumption to subscription, we're seeing that at the levels that they were spending. As Tomer said, they're not putting a lot of elevated spend in that. They're essentially carrying it forward at the rates they've been doing. So we just -- we really haven't seen anything except for stabilization.

Our next question comes from the line of Gray Powell with BTIG.

All right. Great. Congratulations on the strong results. So I really appreciate the color that you gave on the macro environment in the prepared remarks. I guess I just want to follow up there. So we've been in a weak macro for like 18 months now. How do you feel about your visibility on customer behavior patterns and just like customer behavior patterns today and your ability to predict your business today versus this time a year ago?

I mean, obviously, we know more. But once again, I feel like we're still in a bad macro. We remain in the back macro, and we expect the bad macro to continue. I think even within the bad macro, obviously, you still see us grow 40% plus. So at the end of the day, I think we've adjusted at the beginning of this year to what we believe we can extract. And I think that we're seeing practically stabilization across customer behavior.

I think customer expectations remain roughly the same as what they were a few quarters ago. So all in all, once again, I wouldn't assume anything is trending better, but it's also not trending worse. It's the same macro. And to Dave's point, I think our team's execution, our ability to adapt, and really, I think conveyed value in our platform has helped us kind of navigate through it.

That's really helpful. And then one more, if I may. So when you acquired Attivo back in early -- I think it was 2022, that business was growing at about a 50% annual pace. Just with attacks, more recently, you're increasingly targeting identity systems. How should we think about the growth potential on that business? Has there been any incremental tailwinds?

I think it's -- for us, it's just another module, a lot of pretty large list of capabilities that we have. We're targeting bigger market opportunities, and I think our attention goes towards designing our go-to-market around where we feel the most traction and the biggest opportunity is. Identity is just one of more modules that we have. I also think that in cybersecurity in general, a lot of these capabilities are very much, I would call them, temporary in their ability to actually alleviate the threat vector.

So it's identity today. Tomorrow, it's going to be something else. A year ago, it was exploitation. I think these are constantly moving targets. And identity is obviously growing with our business. It's a great capability to have. But again, we're focused on cloud, focused on data, focused on AI is really tiebreakers for defenders in the enterprise.

Our last question comes from the line of Eric Heath with KeyBanc Capital Markets.

Great. Dave, just a housekeeping question. I know before you had some targets out there for EBIT profitability for fiscal '25 and free cash flow profitability for the second half of '25. So just curious if that stands.

And then just I'll add the second question, which is for Tomer. It sounds like you're taking a different approach to your pricing around gen AI. So just curious what the pricing mechanism is for Purple AI and just how customers -- or what the feedback is from customers on the pricing strategy.

Sure. I can start. Thank you for the question. We're committed to optimizing growth and margin improvement, and we remain on track to achieving positive free cash flow in the second half of fiscal year '25. We're delivering margin improvement in an incredibly strong pace, more than 25 points of operating margin improvement for 9 consecutive quarters. It's our entire history as a public company, and we're going to continue with that.

Free cash flow margin improved 40% year-over-year. Our net income margin was negative 5%. So we've been very proactive with our cost structure. We've shown measurable progress to achieving profitability. And we've also raised our full year operating margin guidance from negative 25% to negative 20% this last quarter. So we're well on our way to achieving our profitability targets.

We expect Q4 free cash flow margin in the negative single digits. So you're going to see improvement there, too. So really, what we're doing is we're aligning our investment plans at the pace of growth. We'll continue to selectively invest in key growth areas such as cloud and data, unlocking significant TAMs where we have distinct competitive advantages. And that's the path that we're progressing to.

Obviously, we'll be guiding at the end of Q4. So look out for that. But everything we're doing as a company and a lot of the improvements you're seeing right now are setting us up on the pace to make sure that what we want to achieve in fiscal '25 becomes achievable. So right now, we're focused on free cash flow creation. We expect that in the second half of next year, and we're working towards that.

As for Purple pricing, as I mentioned, given that it's an enterprise-wide capability, we're still obviously experimenting with it. It's still obviously not fully baked. But to us, I mean, just attaching it to the data ingested, I think, is something that we see is just a very straightforward way to go about it.

That said, obviously, for a platform capability set, so why like the one that we have today, you also see us doing more and more ELA-type structured deals. So you can imagine Purple can be part of that. So all in all, a lot of opportunity for more uplift. But I'll just once again mention, to us, it's about customer value, and we want to make sure that customers see the value from Purple. I think the pricing structure is secondary to the amount of value that you can tangibly show to the customer, and that's the focus with Purple AI.

I would now like to pass the conference back to Tomer Weingarten, the CEO, for any closing remarks.

Thank you all for joining us today. From a collective standpoint, the ongoing conflicts and geopolitical tensions impacting people around the globe are disheartening. I'm humbled by the perseverance and commitment of Sentinels globally and especially our own people in Israel who endured some of the worst atrocities in recent history.

Cyber warfare plays an important role in this as well. Cyberattacks, espionage, disinformation and influence operations are attempting to stabilize so many aspects of society. The war in cyberspace is now fully embedded into all of our lives, and the concept of truth is eroding. Generative AI capabilities are a significant contributing factor to the severity of the situation, and this is the only generation one. At SentinelOne, our mission is to be a force for good, using AI technology to create a safer world and safeguard our customers. We hope for a peaceful tomorrow.

Once again, I want to thank all Sentinels, our customers and our partners for helping us drive this mission. Thank you.

That concludes today's conference call. I hope you all enjoy the rest of your day. You may now disconnect your lines.