nameless927
2021-09-11
Nice article on Antivirus company
Why SentinelOne Is Better Than CrowdStrike
{"i18n":{"language":"zh_CN"},"detailType":1,"isChannel":false,"data":{"magic":2,"id":881368624,"tweetId":"881368624","gmtCreate":1631294936168,"gmtModify":1631888855044,"author":{"id":3577602781065384,"idStr":"3577602781065384","authorId":3577602781065384,"authorIdStr":"3577602781065384","name":"nameless927","avatar":"https://static.tigerbbs.com/ff218b44b2e07b129c0d4b2f98a1fcbb","vip":1,"userType":1,"introduction":"","boolIsFan":false,"boolIsHead":false,"crmLevel":4,"crmLevelSwitch":0,"individualDisplayBadges":[],"fanSize":1,"starInvestorFlag":false},"themes":[],"images":[],"coverImages":[],"extraTitle":"","html":"<html><head></head><body><p>Nice article on Antivirus company</p></body></html>","htmlText":"<html><head></head><body><p>Nice article on Antivirus company</p></body></html>","text":"Nice article on Antivirus company","highlighted":1,"essential":1,"paper":1,"likeSize":0,"commentSize":0,"repostSize":0,"favoriteSize":0,"link":"https://laohu8.com/post/881368624","repostId":1111681724,"repostType":2,"repost":{"id":"1111681724","kind":"news","pubTimestamp":1631244064,"share":"https://www.laohu8.com/m/news/1111681724?lang=&edition=full","pubTime":"2021-09-10 11:21","market":"us","language":"en","title":"Why SentinelOne Is Better Than CrowdStrike","url":"https://stock-news.laohu8.com/highlight/detail?id=1111681724","media":"Seeking Alpha","summary":"Summary\n\nSentinelOne is technically better than CrowdStrike according to the performance results of ","content":"<p><b>Summary</b></p>\n<ul>\n <li>SentinelOne is technically better than CrowdStrike according to the performance results of the MITRE ATT&CK Evaluation.</li>\n <li>SentinelOne leverages a highly autonomous, out-the-box solution that's proving to deliver a more scalable business model than CrowdStrike’s – evident in 2Q22 results.</li>\n <li>SentinelOne has a significant last-mover advantage and is using it to target CrowdStrike's weak spots.</li>\n</ul>\n<p class=\"t-img-caption\"><img 
src=\"https://static.tigerbbs.com/e6e594ecb7b47299440e7129e25e25e1\" tg-width=\"1536\" tg-height=\"864\" referrerpolicy=\"no-referrer\"><span>Sundry Photography/iStock Editorial via Getty Images</span></p>\n<p><b>About this Report</b></p>\n<p>Since its June 19 IPO, CrowdStrike's(NASDAQ:CRWD)market cap has soared sixfold as the company has experienced near triple-digit revenue growth thanks to its aggressive marketing of its highly effective and differentiated endpoint protection solution. Sentinel(NYSE:S)is the new kid on the block with even faster growth – more than doubling annual revenues YoY in 2Q22 [released after market close yesterday]. S also claims NGAV (Next-Gen Antivirus) superiority and goes head-to-head with CRWD in ultra-aggressive marketing.</p>\n<p>Given S’s sky-high valuation of 92x NTM EV/S at the time of writing, it's difficult to rationalize an investment - by pretty much all measures the stock is insanely overvalued. Therefore, this report is largely about outlining why we believe S is technically superior to CRWD, and if you as investors are convinced, then you can speculate on your own growth and stock price trajectories using CRWD’s recent history as an anchor. We provide some financials and multiples projections in the Valuation Considerations section toward the end of the report.</p>\n<p>We should make clear that any criticism of CRWD is in direct comparison to S. CRWD are still way better than legacy AV vendors – there's no denying that. And hopefully, this report may serve as somewhat of a framework for evaluating other EPP/EDR vendors that may catch your attention.</p>\n<p><b>The Evolution of AV Industry</b></p>\n<p>There are quite a few acronyms connected to the antivirus [AV] software industry to become familiar with before delving into what CRWD and S actually. The AV industry began life using signature databases followed by two decades of using signature databases with various tweaks. 
Then around 2011, EPP [Endpoint Protection] and EDR [Endpoint Detection & Response] became popular, ushering in the era of NGAV [Next-Gen Antivirus]. XDR [Extended Detection and Response] is often referred to as the second wave of NGAV that correlates broader and disparate data sources to enhance the detection of threats, and improve investigation and responses. The following diagram - from SentinelOne with additional annotation by ourselves – provides a useful high-level view of where the AV industry has been and where it is today. We’ll elaborate on this diagram in the following sections.</p>\n<p>Figure 1 - Evolution of the AV Industry</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/cbbf1db00601920823977504a2369bd4\" tg-width=\"640\" tg-height=\"387\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne presentation, Convequity modification</span></p>\n<p><b>Signature-Based AV</b></p>\n<p>In 1987, the late John McAfee released the first commercial AV [antivirus] software to be installed on desktops. It was a signature-based AV, which means it would check the signature of all inbound files to see if they matched a known malicious signature in the database. If there was a match then the AV would block and delete the file.</p>\n<p>Most cyber-attacks involve the hacker attempting to land a malicious file on a user’s device. The file contains a virus that, when triggered with a click by the user, installs itself onto the device. From there the virus can do various things, though usually, the main objective is to ascertain the device’s network connections and send itself to critical systems of an organization.</p>\n<p>Every file has a unique signature that looks like a random combination of letters and numbers. The combination of letters and numbers is produced by a hashing algorithm. 
For example, a file containing only the text of “We built this city!” and the hashing was based on the SHA256 hash algorithm (one of the most secure and efficient hashes), the signature will be the following:</p>\n<p>c0fed07bbfcd9ea317d495d0c9b43021ac839f699cff44f3d3bf60993df66467</p>\n<p>The hashing algorithm converts a file with any amount of content to a fixed-length signature – in the case of the SHA256 hashing algorithm, it is 64 characters long, also known as 64 bytes because 1 character equals 1 byte.</p>\n<p>It’s also worth noting that changing 1 character or even flipping 1 bit [8 bits in 1 byte] from 0 to 1 or vice versa, will completely change the signature. Removing the exclamation mark so the text reads “We built this city” produces this 64-byte signature:</p>\n<p>1b12cb77bb08ac8c826795eab8389346b1f36c9f20b7841f7552d12c7fbf4c27</p>\n<p>Visit this website to hash your own input or alternatively you can get the hash for any file you upload.</p>\n<p>Throughout the 1990s it became apparent that signature-based AV had some fundamental shortcomings. Here are some of them:</p>\n<ul>\n <li>Cybercriminals can change one line of code to completely change the signature of the virus, and as a result, evade detection. This puts the hacker vs AV battle economics firmly in the favor of the former, because it takes a lot of time and computing resources to detect and confirm a new virus variant.</li>\n <li>As the number of malicious files grows, so does the signature database. The database resides on the endpoint so as it grows it consumes more disk space, more CPU, and more memory.</li>\n <li>Immediately after the AV is installed it becomes out of date because there's a continual creation of new viruses and variants of existing viruses. 
In essence, even the best signature-based AV provides < 100% protection.</li>\n</ul>\n<p>To compensate for the < 100% protection, existing and new AV vendors came to the market with tweaks and variations of the signature-based model.</p>\n<p>During the 1990s and 2000s, the early attempts to make up for the weaknesses of signature-based AV included:</p>\n<ul>\n <li>Firewall vendors such as Check Point Software(NASDAQ:CHKP), F5 Networks(NASDAQ:FFIV), and Fortinet(NASDAQ:FTNT)leveraged their dominant status within the corporate network to improve signature-based AV solutions. They used their deep packet inspection capabilities at the gateway of the network to inspect inbound data packets transmitting the malicious files as well as outbound connections triggered by the virus. This added more context to help sniff out the malicious inbound files and attempts to exfiltrate data.</li>\n <li>Bit9, founded in 2003, (later renamed Carbon Black and now acquired by VMware) introduced app whitelisting, whereby only authorized apps are allowed to run. This turned out to be highly restrictive and unproductive as apps change and upgrade rapidly.</li>\n <li>FireEye(NASDAQ:FEYE), founded in 2004, introduced sandboxing, whereby an unknown suspicious app or file would be executed in an isolated environment and monitored closely for any malicious activity. Although game-changing at the time, its effectiveness didn’t last long because hackers found ways to detect the sandbox environment to then trigger the virus into stealth mode and continue the attack at a later point in time.</li>\n</ul>\n<p>Collectively, these attempts, while lacking sustainability, did an alright job at filling in the gaps, and generally speaking, provided adequate protection during the 1990s and 2000s.</p>\n<p>Things changed, however, at the dawn of the iPhone in 2007. 
As the attack surface expanded so did the attack cadence, and computing experienced an exponential rise in the variety of viruses and the signatures connected to those viruses. The number of forms in which a virus would reside pre-execution also proliferated – scripts (code)began appearing in website photos, PDF add-ons, Excel VBA, and many other forms, waiting to be triggered.</p>\n<p>On the whole, signature-based AV has proven not to scale very well and in the modern computing landscape does not provide adequate protection.</p>\n<p><b>Next-Gen AV</b></p>\n<p>From 2007 to 2013, a new wave of AV startups emerged with a novel approach to AV. Some Next-Gen AV [NGAV] startups focused on the EPP [Endpoint Protection] – still aiming to perform the prevention, detection, and response on the end-user device itself, but by using static AI techniques to obviate the need for a signature database. Other NGAV startups focused on the EDR [Endpoint Detection and Response] side - whereby most of the protection was delivered via the cloud and therefore the EPP software component could be lightweight and serve merely as a sensor rather than an agent that can perform the full requirements of AV.</p>\n<p>There are pros and cons to singularly focusing on either EPP or EDR. EPP avoids the shortcomings of signature databases, however, by running static AI on the endpoint without the big picture from the cloud, it's less flexible and less effective over the long term. EDR maintains the complete global threat picture because it’s powered by the cloud, but the downside is the deluge of data is overwhelming for security analysts and leads to many false alerts.</p>\n<p>As the shortcomings of EPP and EDR became increasingly apparent, NGAV vendors began to shift along the EPP/EDR spectrum to improve their products. 
The screenshot taken from S’s demo presentation summarizes the direction the vendors and the market moved from 2014 through to 2019.</p>\n<p><i>Figure2- Market Shifts: EPP vs EDR</i></p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/dd7cfc885dd56210dffb2212159d7ac3\" tg-width=\"505\" tg-height=\"280\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p>\n<p>XDR [Extended Detection & Response], first coined by Nir Zuk of Palo Alto Networks(NYSE:PANW)in 2018, is now the latest technology that leading vendors are striving toward. It blends EPP and EDR together whilst also adding SOAR [Security Orchestration, Automation & Response], SIEM [Security Information & Event Management], and NTA [Network Traffic Analysis]. The objective of XDR is to collect and correlate data from endpoints, network points, servers, cloud workloads, and emails to enhance detection capabilities and improve protection whilst also increasing productivity and lowering the overall cost of security software ownership.</p>\n<p><b>CrowdStrike Intro</b></p>\n<p>CRWD, founded in 2011, came to the market with EDR, which at the time was a radical approach to AV. Instead of destroying malicious files with AV software residing on the device, CRWD destroyed them from the cloud.</p>\n<p>They achieved this by having a super lightweight sensor with no database [consuming only 35 MB of storage space whereas signature-based AV can consume 4GB] installed on the endpoint. This sensor continually collects the logs (activities) related to the files on the device (i.e., what files are downloaded, open, from where, how, what time, what recent patches have been made?) and sends this telemetry data to the CRWD cloud. CRWD analysts collect this data from all CRWD devices and check it against a giant signature database in the cloud looking for matches in techniques. 
For example, the CRWD database contains a previous technique whereby opening a file from IP address 1.1.1.1 executed XXX.exe which was a piece of malware. As CRWD analysts recognize this technique being used again, they will block it, gather more intel, delete the file from the cloud, and share the insight across all endpoints.</p>\n<p>However, it should be noted that while CRWD can detect a potential virus within seconds, it doesn’t complete its response and eliminate the threat until hours later. The complex nature of EDR delivers a high number of false alerts that need to be investigated by a client organization's analysts and CRWD's analysts alike. Therefore, CRWD does take considerably longer to completely eliminate the threat. However, they're able to contain the spread of the threat until a full investigation is complete. S, on the other hand, can detect<i>and</i>respond within seconds thanks to its greater degree of automation and hybrid EPP/EDR approach.</p>\n<p>The key benefit of this approach is that there are no constraints on the size of the database, as it’s located in a centralized cloud. Moreover, this EDR approach obviates the need to periodically push out software updates to the endpoints to include the latest signature database, again because the database is located in the cloud. The other benefit is that the aggregated threat hunting ensures new viruses and variants and attack methods are identified faster. In essence, this AV model makes the front-end software simple and light [collecting evidence] and makes the back-end operations complex, detailed, and shared across all devices - generating insights for all. The essence of EDR is to restrain from doing early prevention, and instead wait, observe, and collect more intel regarding the threats, and respond accordingly. 
And this approach inspired the name of CRWD’s flagship platform Falcon.</p>\n<p><b>SentinelOne Intro</b></p>\n<p>S, founded in 2013, is the youngest among established NGAV vendors, and this gives it a great last-mover advantage. Instead of heavily focusing on EDR or EPP, S has utilized them both to cover all major aspects of the endpoint security to deliver the so-called XDR. Similar to CRWD, S deploys a lightweight software agent with no database on the endpoint [200 MB of disk space]. It does more than CRWD’s sensor, however. It runs static AI to establish baseline file and device behavior in which to identify anomalous activity, relating to when the file was received and how long the file was open, for example. If the file passes the rigors of static AI analysis, the user is allowed to use the file but the agent will continue to monitor closely. The agent will apply a more dynamic AI to detect any suspicious lateral movement emanating from the file – e.g., when Word opened it triggered PowerShell to open, or a command is triggered to reach out to the Internet. At any point the agent determines there's malicious activity, it will kill the virus and clean up the environment. It's this level of autonomous capability in the EPP that differentiates S from other NGAV vendors.</p>\n<p>Despite the sophistication of such AI-powered detection methods, some types of malwares can still evade detection. Polymorphic malware variants change their own features, such as file names and hashes, to bypass detection methods. Techniques such as code obfuscation make malicious code hard to find and/or understand. Therefore, some threats manage to bypass the front-end, or EPP, defenses, necessitating the need for EDR.</p>\n<p>Similar to CRWD, S utilizes back-end, or EDR, for deeper visibility threat hunting. The data collected is used by both S’s own analysts for global threat hunting,<i>and</i>its clients’ analysts working in Security Operation Centers [SOC]. 
On the EDR side, compared to CRWD the key differentiator is that S uses a \"story\" technique to add more context relevancy which leads to fewer alerts for analysts to handle. S have named this ‘story’ technique TrueContext ID.</p>\n<p>Taken from an S demo presentation, the screenshot below compares TrueContext ID to previous context-building techniques - Indicators of Compromise [IOC] and Indicators of Attack [IOA] – and the more typical existing EDR solutions – Tactics, Techniques & Procedures [TTP]. The slide uses the analogy of piecing together the description of a person to illustrate piecing together the description of a malicious action.</p>\n<p>Figure 3 - Comparing TrueContext ID to Typical EDR Methods</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/e1fe08039bb960fee41b415e31c6d06e\" tg-width=\"544\" tg-height=\"293\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p>\n<p>IOCs look like random descriptors that would need substantial effort to comprehend. IOAs are slightly more organized but still require effort to form the full picture. TTPs actually describe the bad action and offer useful context but don’t explain what happened before that led to the bad action. TrueContext ID takes it a whole level further by not just describing the traits of the bad action but also puts together a story of the events that led to the bad action – the DNA strand implies it knows everything about a given action.</p>\n<p>For example, there has been a connection made to an external FTP server [a server for transferring files] >>> this links back to some registry files that were archived in a new hard drive location >>> this links back to an unusual command-line execution in PowerShell >>> it transpires that the opening of PowerShell was triggered by the opening of an Office document >>> deeper analysis indicates the document contained a brand-new unknown virus >>> did the user single or double click it or did it download automatically? 
>>> where did it come from? >>> did it come from an email or a USB drive? >>> is the email address and source IP address associated with previous malicious activity? >>> or, when was the USB drive inserted on the device?</p>\n<p>The above example shows a bad actor attempting to transfer a copy of the critical OS files [registry files], perhaps to learn more about the target organization in order to plan a devastating future attack, or something more imminent. TrueContext ID connects all the data points from the static and dynamic AI detection methods and synthesizes them with its own globally collated intelligence to string together a timeline of sequential events. And this is presented to SOC analysts either in tabular or graphical form. Putting together a chain of events like this ensures only relevant context is presented, which radically reduces the number of alerts and enables swift investigation and remediation.</p>\n<p>CRWD investors and advocates may be somewhat confused as to why S’s storing techniques are a technical competitive advantage. Indeed, CRWD has an event timelining feature that is core to their EDR solution – they refer to it as \"maps.\" However, generally, a client organization’s SOC analysts need to be tier 2 or 3 certified for using CRWD’s Falcon EDR solution – one reason for this being the high number of false alerts that an analyst needs to navigate, which is far easier for the more experienced.</p>\n<p>If a client organization doesn’t have a SOC team and hence cannot conduct the threat investigation on CRWD and leverage its EDR component, then they can just run it and let it handle things by the default settings or use the MDR [Managed Detection & Response] option whereupon CRWD experts will do the legwork. 
But when it comes to SOC operations, S’s storing technique appears to have an edge over CRWD because it radically reduces the alerts and false positives and, on the whole, makes life easier for SOC analysts.</p>\n<p>To summarize, S can deliver fully automated detection, response, and system recovery all within the EPP software itself, but also has the EDR-based TrueContext ID technology that can catch more sophisticated attacks and help SOC analysts triage with far fewer false positive alerts. With this in mind, it appears that S has the edge over CRWD on both the EPP and EDR sides of the market. Moreover, as we’ll show in the presentation of MITRE ATT&CK performance results, S’s out-of-the-box solution that leverages greater automation is likely to offer greater scalability than CRWD’s. We think this greater scalability is shining through in the recent 2Q22 results whereby S generated 127% YoY growth.</p>\n<p><b>Key Differences Between S and CRWD</b></p>\n<p>We’ve listed 11 aspects of endpoint protection whereupon S and CRWD differ by substantial margins. And it may seem overly biased [though we don’t have a position in S yet], but all 11 aspects are in favor of S outcompeting CRWD. We’ll elaborate on a few of these in the following sections.</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/8e23001654d05cb1774d7adce7ed7e1c\" tg-width=\"573\" tg-height=\"253\" referrerpolicy=\"no-referrer\"><span>Source: Convequity</span></p>\n<p>Brains of Software</p>\n<p><b>CRWD</b>: As already alluded, the brain of CRWD is in the cloud only and utilizes EDR to understand the global landscape of threats. The very nature of this cloud-based EDR approach requires the computation of petabytes of data that quickly detects potential threats but also generates large numbers of false alerts. The notion of the false alert volumes necessitates the need for thorough investigation which is why the response time takes hours instead of seconds. 
Ultimately, CRWD’s approach is rather labour-intensive but is still more autonomous than legacy signature-based AV.</p>\n<p><b>S</b>: The brain of S is in a hybrid form that utilizes both automation and AI in the front-end EPP and cloud-powered global intel in the back-end EDR, and blends the two harmoniously together. The storying technique applied in TrueContext ID radically reduces the number of alerts and the manual investigation for the EDR side of operations. So, as aforementioned, for the high majority of threats, this results in full automated response and recovery [system cleanup] within seconds, and results in relatively less manpower requirements [versus CRWD] for the more sophisticated attacks. Moreover, S can work offline and catch the majority of threats whereas CRWD must be connected online to work.</p>\n<p><b>Operation of AV</b></p>\n<p>We’ve already touched on S’s software being highly autonomous while CRWD’s software requires human experts to be effective. This contrast offers an apt segue into taking a look at which approach is ultimately more effective. So, we’ll use this section to review the MITRE ATT&CK endpoint protection test results.</p>\n<p>MITRE is an independent, federally funded, not-for-profit R&D organization that periodically performs attacks against leading security vendors’ software solutions. MITRE has long been the authority in cybersecurity testing, and in 2018, they launched the MITRE ATT&CK Evaluations, where MITRE evaluates the efficacy of cybersecurity products. S, CRWD, and PANW participated in the series of tests (2019, 2020, and 2021) and we’ll present the two most recent.</p>\n<p>In the MITRE ATT&CK tests, vendors are assessed on how effective they are in stopping tactics and techniques. A Tactic is a bad actor’s objective – for example, to acquire a username and password, acquire remote control of the system, or exfiltrate data. 
A Technique is a method deployed to achieve the objective – for example, cross-site scripting [taking advantage of website vulnerabilities to lure victims into submitting their login details]. There are usually several techniques included in each tactic.</p>\n<p>Figure 4 - Tactics & Techniques</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/22780f1dd68425ed1bd3bf6ea164e17d\" tg-width=\"640\" tg-height=\"251\" referrerpolicy=\"no-referrer\"><span>Source: medium.com</span></p>\n<p>Rather confusingly to the layman, MITRE presents the performance results in references to Steps and Substeps instead of Tactics and Techniques. So, for high-level knowledge purposes, Steps are closely associated with Tactics and Substeps are closely associated with Techniques. The following diagram from SentinelOne is useful to solidify the levels of detections.</p>\n<p>Figure 5 - Analytic Detections: Tactics/Steps and Techniques/Substeps</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/1c271214a738c15e65d44d3a2fcf7800\" tg-width=\"640\" tg-height=\"272\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne on YouTube, Convequity modification</span></p>\n<p>The 2020 test results [based on techniques from APT29, a hacker group linked to Russian intelligence agencies] are shown below. The first chart shown shows that S led the pack in regards to overall detections, aka Substeps. The chart shows the number of detections out of the 135 Substeps for each vendor.</p>\n<p>Figure 6 – MITRE ATT&CK 2020 Performance Result: Total Detections</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/f2e9e22cd5dadfe733a41b4d89f36776\" tg-width=\"541\" tg-height=\"384\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p>\n<p>The next two charts show the Tactic and Technique detections for the MITRE AV test. 
As a gentle reminder, Tactics are closely associated with Steps and Techniques are associated with Substeps.</p>\n<p>Figure 7 - MITRE ATT&CK 2020 Performance Result: Tactic and Technique Detections</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/d3c4d692af2713c6fe0b234c68a23cec\" tg-width=\"640\" tg-height=\"284\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p>\n<p>Observing that S had the best performance in Tactic detections and the second-best performance in Technique detections, aligns with the storing capability of TrueContext ID. A Tactic is a Step or objective, such as data exfiltration. A Technique is a Substep or method which is one of the Substeps required to achieve the Tactic, such as connecting to an external server in the exfiltration example. TrueContext ID has been designed to provide both high-level and granular detail of each attack, and therefore, it’s understandable as to why S has performed the best across Tactics and Techniques.</p>\n<p>Interestingly, the performance rankings in the following year [2021] are very similar. In the 2020 test, it looks like CRWD detected a total of c. 115 Substeps versus S’s c. 130. And in 2021 it looks like CRWD detected c. 150 versus S detecting c. 175. So, the ratio is very similar between the two rivals in both years.</p>\n<p>Figure 8 - MITRE ATT&CK 2021 Performance Result: Total Detections</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/9f3bfc1ecc4575acfb81df5fa624348e\" tg-width=\"640\" tg-height=\"320\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p>\n<p>It would be hard to dispute that S has a better performing AV than CRWD based on the results presented in the previous charts. 
Though what creates further distance between S and CRWD are the configuration changes made by the vendors before MITRE conducted its test – which we’ll cover next.</p>\n<p><b>Deployment</b></p>\n<p>Much of S’s marketing outlines how their software works straight out-of-the-box. This is a common claim in competitive software markets, though in S’s case, it does appear to be largely true.</p>\n<p>The next chart shows how many configurations changes each vendor made in preparation for the 2020 test. S didn’t change anything – their AV software was applied out-of-the-box. CRWD, on the other hand, made 25 tweaks to optimize their AV for the test. This fits in very well with the earlier discussion that CRWD is designed for enterprises with more experienced security analysts [SOC 2 and 3 analysts] – more on this later. These configuration changes also underscore what we’ve outlined in regards to S being way more automated than CRWD. CRWD’s lack of automation means it can’t work out-of-the-box with high effectiveness – the AV has been designed for heavy human involvement.</p>\n<p>Figure 9 - MITRE ATT&CK Configuration Changes for 2020 Test</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/f75663784c5d8c76b727e0d5c6fe33a2\" tg-width=\"640\" tg-height=\"336\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p>\n<p>So, despite CRWD making 25 tweaks to its AV software versus S’s zero tweaks, the market-leading endpoint protection provider still underperformed S by considerable margins in the MITRE test. And it’s worth reminding ourselves that S will have performed using AI and automation, whilst CRWD will have performed with heavy involvement from its own cloud-based SOC 2/3 analysts. Moreover, to add further context, this is the first test CRWD has participated in wherein it has performed acceptably well – previous tests by MITRE and NSS Labs yielded very poor results for CRWD. 
When you add these factors together, it really does open up a significant gap in the software capability between S and CRWD.</p>\n<p>It’s also refreshing to note that PANW also chose not to make any changes, and they achieved a top four overall total detection performance and finished in the top half in the Tactic and Technique components of the test. We’ve reiterated for a long time now that Palo Alto Networks is simply the best at cybersecurity, and considering that endpoint protection isn’t even their core/original expertise, this is a huge testament to that.</p>\n<p><b>Expertise Requirements</b></p>\n<p>For SMBs that don’t have a SOC [Security Operations Centre], have relatively simpler security needs, and for some reason may be less of a hacker target, then deploying CRWD in its default settings shouldn’t be much of an issue and is way better than opting for legacy AV. Indeed, a simple deployment across an all-Windows organization is very simple. Alternatively, if an all-Windows SMB has more nuanced security needs but doesn’t have a SOC, then CRWD’s MDR [Managed Detection & Response] service will be deployed and work smoothly with negligible issues. Expertise becomes a consideration in the case where an enterprise with its own SOC [and more complex requirements] and/or non-Windows operating systems (i.e., Linux and/or Mac) wants to install CRWD.</p>\n<p>As highlighted in the previous section, to maximize CRWD and protect against a full range of sophisticated attack techniques, substantial configuration tweaks are required. SOC 2 and 3 analysts will comfortably be able to handle this, however, SOC 1 and/or IT generalists will find it difficult and are likely to require assistance or make a mistake. Additionally, a higher-level of expertise is necessary to swiftly navigate through the barrage of alerts received with CRWD. 
Analysts need to coordinate Falcon with Splunk’s legacy SIEM to correlate data and gain the fullest threat landscape picture [this will eventually change, however, once they fully integrate the Humio acquisition]. Again, this requires a higher level of expertise – SOC 2 or 3.</p>\n<p>Then if you add in non-Windows OS, deployment complicates further. Yes, in the past 12 or so months CRWD has better adapted Falcon to Linux and Mac, though a high level of expertise is required to ensure a smooth deployment following many years of incompatibility issues.</p>\n<p>So, because of the config changes and the multi-OS environments, typically SOC 2 or 3 analysts are required for the CRWD enterprise use case.</p>\n<p>In contrast, as evident in the MITRE test, S works right out of the box and hence IT generalists can get on fine with it. TrueContext ID - the ‘story’ feature - radically reduces the volume of alerts to enable more efficient threat hunting and remediation, hence making for a more user-friendly interface for SOC 1 and IT generalists to get along with. And, S has built its Singularity Platform with Windows, Linux, and Mac in mind right from the outset [a by-product of S’s last-mover advantage and taking more time in R&D before pumping the GTM strategy], delivering feature parity across all platforms – which again, means less expertise is required to complete a successful multi-OS deployment.</p>\n<p><b>Target Market and Pricing</b></p>\n<p>As previously mentioned, CRWD and S can be easily deployed for simple use cases associated with certain SMBs. Where we view S as having a notably larger target market is in the more complicated use cases associated with certain SMBs and enterprises. Taking into account the aforementioned expertise requirements, for complex use cases, S appears as the more attractive solution – by a wide margin. 
In using S over CRWD, SOC 2 and 3 analysts can work with more productivity, and SOC 1 and IT generalists can deploy and manage the software with little hassle. This opens up a wider TAM for S vs. CRWD.</p>\n<p>So, at the low-end of the market, comparing S and CRWD is trivial, because for simple use cases CRWD’s default settings are adequate. But CRWD is expensive. Our research on Reddit forums indicates that CRWD is 2x to 3x more expensive than S, and from this, we infer that CRWD is or will eventually price themselves out of the market segment in which they are most technically competitive.</p>\n<p>CRWD maximizes the land-and-expand sales model as aggressively as any other software vendor. They sell the Falcon platform in modules; implementing a bare minimum number of modules in the beginning and then aggressively upselling/cross-selling other modules. Though many of the other modules are a necessity for full protection. Usually, most clients need to bundle together NGAV, which is the Falcon Prevent module, EDR, which is the Falcon Insight module, and device control, which is the Falcon Device Control module. However, in pursuit of greater DBNR [Dollar-based Net Retention], CRWD separated device control into an independent module.</p>\n<p>Figure 10 - CRWD's Falcon Platform Modules</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/c475e910dc1a094d382a08896b76d275\" tg-width=\"633\" tg-height=\"318\" referrerpolicy=\"no-referrer\"><span>Source: CrowdStrike</span></p>\n<p>The combined pricing is well beyond the price quote from legacy AV vendors – which is absolutely fine given CRWD is better. Though, according to Reddit forum discussions, those clients that mentioned \"SentinelOne\" to CRWD salespeople immediately received a ~50% discount.</p>\n<p>CRWD’s module-based land-and-expand ploys are most evident in the immediate quarters post-IPO. 
A cynical view, but reading between the lines it looks like a nice stock-based compensation booster was at play for the year-end of FY19.</p>\n<p>Figure 11 - CRWD's DBNR</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/6cc506dae651f32b97fc0affb3ce4111\" tg-width=\"598\" tg-height=\"240\" referrerpolicy=\"no-referrer\"><span>Source: CrowdStrike</span></p>\n<p>In a clear attempt to differentiate and do things better than CRWD, S doesn’t sell individual modules. Instead, it sells its full Singularity Platform as bundles across three tiers – Core, Control, and Complete. It appears that on a like-for-like basis, S’s bundles are ~30% cheaper even after CRWD’s discounts.</p>\n<p>Figure 12 - S's Singularity Platform Tiered Bundles</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/5c77f334f8f81a839d3022612b73ead9\" tg-width=\"639\" tg-height=\"307\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne</span></p>\n<p>Insincere sales ploys like what CRWD has been doing only last so long. Eventually, customers catch on to what is happening – evident from discussion on Reddit. And it feels like that day has already come, probably brought to the fore by S’s differentiated bundle pricing.</p>\n<p>To summarize, CRWD effectively competes with S on a technical basis at the lower-end of the market involving simple use cases, but they are risking pricing themselves out of the market. At the higher-end of the market involving complex use cases, it looks like S is both technically better and more affordable than CRWD. Additionally, S will store logs for a maximum of 365 days whilst CRWD’s max is 90 days. 
All of this strongly aligns itself with S’s founder and CEO Tomer Weingarten claiming that S wins 70% of head-to-heads with CRWD.</p>\n<p>In comparison to CRWD, not only will S’s technical superiority and competitiveness help it penetrate more of the TAM whilst also widening the TAM, being able to deploy in the cloud and on-prem further expands their customer reach vis-à-vis CRWD.</p>\n<p>On the whole, S can target a broader market and based on its technical/performance superiority plus aggressive but transparent pricing, can outcompete CRWD in its own TAM.</p>\n<p><b>Architecture</b></p>\n<p>Before we move onto valuation considerations, we’ll briefly share our views on CRWD’s and S’s software architecture. In all honesty, we can’t find much information related to who has the more modern architecture, but you’ve probably guessed already that we think S has the edge here. The cadence at which both vendors release new features and modules is a testament that both operate within advanced microservice architectures. However, we assume that, as CRWD partners with a legacy vendor like Splunk for SIEM and log management, its architecture is probably semi-dated and that there has been an absence of a major revamp in recent years. This line of thinking could be kind of validated by the number of years it’s taken for CRWD to overhaul its Mac and Linux sensors.</p>\n<p>It’s interesting how in March 2021 CRWD bought Humio for $392m in cash and equity just one month after S bought Scalyr for $155m in cash and equity. This may be reading into things too much, but some may view it as a sign of desperation to shore up an aging architecture and move away from legacy SPLK.</p>\n<p>Any differences in the modernity of the two NGAV architectures will very likely widen in the coming quarters and years. CRWD is only 14 months older than S, but because it grew early and superfast, it will have accumulated way more technical debt. 
And issues that come with technical debt will only be amplified as a $60bn company like CRWD needs to continue aggressively expanding its TAM via acquisitions in order to keep the mega growth story alive.</p>\n<p>As all software firms grow, they lose their nimbleness, but it will happen a lot sooner to CRWD than it will to S - and this gives another upper hand to S in years to come.</p>\n<p><b>S’s Edge Summary</b></p>\n<p>At a high level, the key competitive advantages S has over CRWD can be summarized into four fundamental drivers:</p>\n<ul>\n <li>Better product effectiveness.</li>\n <li>Better user experience.</li>\n <li>Better pricing.</li>\n <li>A more scalable business model afforded by a highly automated out-the-box solution.</li>\n</ul>\n<p><b>Valuation Considerations</b></p>\n<p>S’s IPO, on June 30, was the highest-valued cybersecurity IPO ever. The stock finished its IPO day 21% up, closing at $42.50/share with an LTM EV/S of 100x. At the time of writing the stock is trading at $68/share with an LTM EV/S of 163x and an NTM EV/S of 92x.</p>\n<p>Below are some projections going out to FY26. FY22 revenue is anchored to management’s guidance. In the 2Q22 earnings presentation released yesterday, management also gave long-term targets that included a mature gross margin of 75%-80%, hence why we’ve made it so gross margin is 78% in FY26. We’ve used CRWD’s current TTM FCF margin as a rough long-term estimate of S’s in FY26.</p>\n<p>Guessing the multiple declines is kind of uncharted territory because of the unprecedented level and sustainability of multiples we’re witnessing in the COVID-era market. Some may argue a decline to a 53x EV/S by FY26 is not steep enough, and that might be right. Though in FY26 we expect revenue to be at similar levels to CRWD’s today and CRWD is currently trading at 56x EV/S. 
Of course, no macro assessment is being taken into account so please take this exercise with a pinch of salt.</p>\n<p>Figure 13 - Financials & Multiples Projections</p>\n<p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/b47610548d3c3dd40fbf6fc5d8c66a60\" tg-width=\"640\" tg-height=\"281\" referrerpolicy=\"no-referrer\"><span>Source: Convequity</span></p>\n<p>In the 4.5 years from today to the end of FY26 [fiscal year end 31st Jan], if the EV reaches $68bn then S’s stock will deliver a 36% annualized return. So, yes the multiples are insanely high but because of the extreme growth that will presumably remain high for a few years, even a sharp decline in multiples can still deliver sufficient investor returns.</p>\n<p>CRWD’s LTM EV/S at the close of its IPO day [6th June 2019] was 47x and it peaked at c. 70x in Aug-19 and Feb-21. This highlights the richness in S’s current valuation. However, is S still worth an investment at the present time? Well, investors need to be aware of the melt-up and melt-down that has often occurred with high-growth tech IPOs, especially during the past 12-18 months. S could very well follow a similar path and climb much higher before falling down once the lockup period ends [27th December 2021] and early investors can cash in some of their profits. Investors should also note that S employees are allowed to sell 15% of their shares as of 6th October 2021. For readers’ information, the ratio of S’s shares in float to shares outstanding is just 17% - in contrast, a post-lockup stock like CRWD has 86% in float.</p>\n<p>Therefore, high-risk tolerant and/or short-term investors may want to consider a long position right now. Longer-term investors may prefer to let the liquidation unravel post Oct-21 and then post Dec-21 before buying shares. A compromise may be to buy a fourth of a position today and opportunistically add to it in the future. Personally, we’re waiting for a correction before opening a position. 
If the stock corrects c. 25% we’ll probably add half of the total planned allocation and then wait to see what happens after the lockup.</p>\n<p>At first glance S’s extremely negative operating and FCF margins are alarming, but what investors should bear in mind is that S has the edge in technical and performance superiority and therefore they need to capitalize on this edge in the fastest way possible. CRWD is just 14 months older than S but has over 7x more ARR [Annual Recurring Revenue], which illuminates the differences in market approach. CRWD hit the market early and aggressively whilst S spent many years with their primary focus in R&D before focusing on sales and marketing [S&M]. Now that S has a refined and market-leading product, they need to maximize the GTM strategy as much as they can and catch up with the market leader.</p>\n<p>Figure 14 - 1Q22 Margins</p>\n<p><img src=\"https://static.tigerbbs.com/f13e4a5a906b763afaa3476b59045597\" tg-width=\"187\" tg-height=\"81\" referrerpolicy=\"no-referrer\"></p>\n<p>The current gross margin doesn’t exactly indicate a profitable long-term business model. However, investors should bear in mind that S’s competitiveness, especially in offering 365-day log storage, is a big suppressant of gross margin at the moment. When S captures a larger share of the market, builds a solid reputation, and fully integrates Scalyr’s novel way of ingesting and storing log data, S can command a greater premium and simultaneously lower cost of revenue, and hence gross margin will rise accordingly. Interestingly, 2Q22 gross margin has already jumped c. 800 basis points since 1Q22, and no doubt the integration of Scalyr will have contributed to this. 
Throw into the mix that S will more than likely follow CRWD in shifting from cloud to colocation infrastructure once they reach a certain scale, and the mature end-state gross margin for S will be close to 80%, in our opinion.</p>\n<p>Irrespective of the trading tactics, we think S has a strong chance to prove to be a good investment, even at the current multiple levels. We’ll list the pros to consider:</p>\n<ul>\n <li>Currently, S has very low penetration - FY21 [fiscal year ending 31st Jan] generated $93m of revenue and $161m of ARR [Apr-21] - in a market estimated to be worth between $20bn and $30bn by 2025.</li>\n <li>Similar to what CRWD has done, S will acquire more talent, expand its product’s capabilities, and expand into new markets - the IPO proceeds will go toward these objectives. This will expand an already large TAM for S.</li>\n <li>As we’ve presented in this report, S is the technical leader in the endpoint protection market. Technical leadership combined with mega aggressive S&M expenditure [110% of revenue vs CRWD’s IPO year of 69% of revenue] will very likely be highly effective.</li>\n <li>Given the relatively low revenue base ($93m for FY21) and the autonomous, out-the-box nature of S’s AV, we would not be surprised if they regularly exceeded analyst consensus growth expectations (91% for FY22). From c. $100m in FY18, CRWD has grown c. 100% and this is with an AV solution that needs to be customized for many customers. Therefore, NTM growth of 100% is more probable than not, in our opinion – especially, with the S&M aggressiveness.</li>\n</ul>\n<p>Of course, stocks such as S pose substantial risks for investors, so we’ll outline some of the cons to consider:</p>\n<ul>\n <li>S is a company with fast-growing revenue but also growing losses. EBIT margin for FY20 and FY21 was -161% and -124%. FCF margin for FY20 and FY21 was -102% and -78%. 
So, it’s clear that cash flows in any DCF valuation are far into the future, which makes the stock very vulnerable to changes in inflation and interest rate expectations – which is happening with frequency at present.</li>\n <li>Given the large losses, all of the stock’s future trajectory is dependent on the company beating revenue growth expectations. Consequently, any quarterly revenue misses will have a severe impact on the share price and it could take the stock a long time to recover.</li>\n <li>S’s technical superiority might not be insurmountable – we believe it's the best but groundbreaking is a stretch too far. Endpoint protection is a highly competitive market abundant with innovation, so it’s a possibility S could eventually lose a degree of its product leadership.</li>\n <li>CRWD may up the ante with ‘smoke and mirrors’ tactics and even more aggressive S&M that specifically aims to <i>legally</i> defame S.</li>\n</ul>\n<p>There are certainly a few pros and cons to consider. In our opinion, the optimal approach to gaining exposure to S is to <b>1</b>) wait for a correction, <b>2</b>) open a ¼, a 1/3, or a ½ of the total eventual position subject to the magnitude of the correction, <b>3</b>) add during risk-off episodes during the next several months, and <b>4</b>) leave some capital spare to buy some more after the effects of the lockup expiry have been fully reflected.</p>\n<p>The conundrum, as is with all pioneering software stocks, is that investors are usually forced to pay a hefty premium in order to participate in future price appreciation. This is because these types of stocks have a tendency to remain elevated for a long time. However, on the flip-side, S has not yet made it into the Global MSCI indices, therefore, bouts of risk-off sentiment have the potential to knock down the share price considerably more than stocks such as Cloudflare (NYSE:NET), Okta (NASDAQ:OKTA), Twilio (NYSE:TWLO), and Palantir (NYSE:PLTR). 
With this in mind, opportunities to buy big dips are likely but sustained elevated multiples and/or multiple expansion is also a strong possibility. Hence, the optimal approach, in our opinion, is to add a fraction after a correction [or even now for the highly risk-tolerant] and complete the position in the months ahead.</p>\n<p><b>Conclusion</b></p>\n<p>This report was not intended to bash CRWD’s technology because obviously it's extremely sophisticated and great at stopping threats. However, comparing to CRWD does highlight a degree of superiority in S’s approach to AV. And most importantly, from an investment perspective, S’s out-of-the-box solution certainly makes its business appear more scalable than CRWD. And this is exciting when considering CRWD’s super growth in spite of each deployment requiring a good dose of configuration tweaking and training.</p>\n<p>The valuation is mega rich but investors need to accept that the premium is for a game-changing technical leader in a high-growth and very large market. 
Upside growth surprises could very well materialize given the scalability of S’s out-the-box solution.</p>","collect":0,"type":0,"thumbnail":"","relate_stocks":{"CRWD":"CrowdStrike Holdings, Inc.","S":"SentinelOne, 
Inc"},"source_url":"https://seekingalpha.com/article/4454383-why-sentinelone-is-better-than-crowdstrike","is_english":true,"share_image_url":"https://static.laohu8.com/e9f99090a1c2ed51c021029395664489","article_id":"1111681724","content_text":"Summary\n\nSentinelOne is technically better than CrowdStrike according to the performance results of the MITRE ATT&CK Evaluation.\nSentinelOne leverages a highly autonomous, out-the-box solution that's proving to deliver a more scalable business model than CrowdStrike’s – evident in 2Q22 results.\nSentinelOne has a significant last-mover advantage and is using it to target CrowdStrike's weak spots.\n\nSundry Photography/iStock Editorial via Getty Images\nAbout this Report\nSince its June 19 IPO, CrowdStrike's(NASDAQ:CRWD)market cap has soared sixfold as the company has experienced near triple-digit revenue growth thanks to its aggressive marketing of its highly effective and differentiated endpoint protection solution. Sentinel(NYSE:S)is the new kid on the block with even faster growth – more than doubling annual revenues YoY in 2Q22 [released after market close yesterday]. S also claims NGAV (Next-Gen Antivirus) superiority and goes head-to-head with CRWD in ultra-aggressive marketing.\nGiven S’s sky-high valuation of 92x NTM EV/S at the time of writing, it's difficult to rationalize an investment - by pretty much all measures the stock is insanely overvalued. Therefore, this report is largely about outlining why we believe S is technically superior to CRWD, and if you as investors are convinced, then you can speculate on your own growth and stock price trajectories using CRWD’s recent history as an anchor. We provide some financials and multiples projections in the Valuation Considerations section toward the end of the report.\nWe should make clear that any criticism of CRWD is in direct comparison to S. CRWD are still way better than legacy AV vendors – there's no denying that. 
And hopefully, this report may serve as somewhat of a framework for evaluating other EPP/EDR vendors that may catch your attention.\nThe Evolution of AV Industry\nThere are quite a few acronyms connected to the antivirus [AV] software industry to become familiar with before delving into what CRWD and S actually do. The AV industry began life using signature databases, followed by two decades of using signature databases with various tweaks. Then around 2011, EPP [Endpoint Protection] and EDR [Endpoint Detection & Response] became popular, ushering in the era of NGAV [Next-Gen Antivirus]. XDR [Extended Detection and Response] is often referred to as the second wave of NGAV that correlates broader and disparate data sources to enhance the detection of threats, and improve investigation and responses. The following diagram - from SentinelOne with additional annotation by ourselves – provides a useful high-level view of where the AV industry has been and where it is today. We’ll elaborate on this diagram in the following sections.\nFigure 1 - Evolution of the AV Industry\nSource: SentinelOne presentation, Convequity modification\nSignature-Based AV\nIn 1987, the late John McAfee released the first commercial AV [antivirus] software to be installed on desktops. It was a signature-based AV, which means it would check the signature of all inbound files to see if they matched a known malicious signature in the database. If there was a match then the AV would block and delete the file.\nMost cyber-attacks involve the hacker attempting to land a malicious file on a user’s device. The file contains a virus that, when triggered with a click by the user, installs itself onto the device. From there the virus can do various things, though usually, the main objective is to ascertain the device’s network connections and send itself to critical systems of an organization.\nEvery file has a unique signature that looks like a random combination of letters and numbers. 
The combination of letters and numbers is produced by a hashing algorithm. For example, if a file contains only the text “We built this city!” and is hashed with the SHA256 hash algorithm (one of the most secure and efficient hashes), the signature will be the following:\nc0fed07bbfcd9ea317d495d0c9b43021ac839f699cff44f3d3bf60993df66467\nThe hashing algorithm converts a file with any amount of content to a fixed-length signature – in the case of the SHA256 hashing algorithm, it is 64 characters long, also known as 64 bytes because 1 character equals 1 byte.\nIt’s also worth noting that changing 1 character, or even flipping 1 bit [8 bits in 1 byte] from 0 to 1 or vice versa, will completely change the signature. Removing the exclamation mark so the text reads “We built this city” produces this 64-byte signature:\n1b12cb77bb08ac8c826795eab8389346b1f36c9f20b7841f7552d12c7fbf4c27\nVisit this website to hash your own input or alternatively you can get the hash for any file you upload.\nThroughout the 1990s it became apparent that signature-based AV had some fundamental shortcomings. Here are some of them:\n\nCybercriminals can change one line of code to completely change the signature of the virus, and as a result, evade detection. This puts the hacker vs AV battle economics firmly in favor of the former, because it takes a lot of time and computing resources to detect and confirm a new virus variant.\nAs the number of malicious files grows, so does the signature database. The database resides on the endpoint, so as it grows it consumes more disk space, more CPU, and more memory.\nImmediately after the AV is installed it becomes out of date because there's a continual creation of new viruses and variants of existing viruses. 
In essence, even the best signature-based AV provides < 100% protection.\n\nTo compensate for the < 100% protection, existing and new AV vendors came to the market with tweaks and variations of the signature-based model.\nDuring the 1990s and 2000s, the early attempts to make up for the weaknesses of signature-based AV included:\n\nFirewall vendors such as Check Point Software(NASDAQ:CHKP), F5 Networks(NASDAQ:FFIV), and Fortinet(NASDAQ:FTNT)leveraged their dominant status within the corporate network to improve signature-based AV solutions. They used their deep packet inspection capabilities at the gateway of the network to inspect inbound data packets transmitting the malicious files as well as outbound connections triggered by the virus. This added more context to help sniff out the malicious inbound files and attempts to exfiltrate data.\nBit9, founded in 2003, (later renamed Carbon Black and now acquired by VMware) introduced app whitelisting, whereby only authorized apps are allowed to run. This turned out to be highly restrictive and unproductive as apps change and upgrade rapidly.\nFireEye(NASDAQ:FEYE), founded in 2004, introduced sandboxing, whereby an unknown suspicious app or file would be executed in an isolated environment and monitored closely for any malicious activity. Although game-changing at the time, its effectiveness didn’t last long because hackers found ways to detect the sandbox environment to then trigger the virus into stealth mode and continue the attack at a later point in time.\n\nCollectively, these attempts, while lacking sustainability, did an alright job at filling in the gaps, and generally speaking, provided adequate protection during the 1990s and 2000s.\nThings changed, however, at the dawn of the iPhone in 2007. As the attack surface expanded so did the attack cadence, and computing experienced an exponential rise in the variety of viruses and the signatures connected to those viruses. 
The number of forms in which a virus would reside pre-execution also proliferated – scripts (code) began appearing in website photos, PDF add-ons, Excel VBA, and many other forms, waiting to be triggered.\nOn the whole, signature-based AV has proven not to scale very well and in the modern computing landscape does not provide adequate protection.\nNext-Gen AV\nFrom 2007 to 2013, a new wave of AV startups emerged with a novel approach to AV. Some Next-Gen AV [NGAV] startups focused on the EPP [Endpoint Protection] – still aiming to perform the prevention, detection, and response on the end-user device itself, but by using static AI techniques to obviate the need for a signature database. Other NGAV startups focused on the EDR [Endpoint Detection and Response] side - whereby most of the protection was delivered via the cloud and therefore the EPP software component could be lightweight and serve merely as a sensor rather than an agent that can perform the full requirements of AV.\nThere are pros and cons to singularly focusing on either EPP or EDR. EPP avoids the shortcomings of signature databases; however, by running static AI on the endpoint without the big picture from the cloud, it's less flexible and less effective over the long term. EDR maintains the complete global threat picture because it’s powered by the cloud, but the downside is that the deluge of data is overwhelming for security analysts and leads to many false alerts.\nAs the shortcomings of EPP and EDR became increasingly apparent, NGAV vendors began to shift along the EPP/EDR spectrum to improve their products. The screenshot taken from S’s demo presentation summarizes the direction the vendors and the market moved from 2014 through to 2019.\nFigure 2 - Market Shifts: EPP vs EDR\nSource: youtube.com\nXDR [Extended Detection & Response], first coined by Nir Zuk of Palo Alto Networks (NYSE:PANW) in 2018, is now the latest technology that leading vendors are striving toward. 
It blends EPP and EDR together whilst also adding SOAR [Security Orchestration, Automation & Response], SIEM [Security Information & Event Management], and NTA [Network Traffic Analysis]. The objective of XDR is to collect and correlate data from endpoints, network points, servers, cloud workloads, and emails to enhance detection capabilities and improve protection whilst also increasing productivity and lowering the overall cost of security software ownership.\nCrowdStrike Intro\nCRWD, founded in 2011, came to the market with EDR, which at the time was a radical approach to AV. Instead of destroying malicious files with AV software residing on the device, CRWD destroyed them from the cloud.\nThey achieved this by having a super lightweight sensor with no database [consuming only 35 MB of storage space whereas signature-based AV can consume 4GB] installed on the endpoint. This sensor continually collects the logs (activities) related to the files on the device (i.e., what files are downloaded, open, from where, how, what time, what recent patches have been made?) and sends this telemetry data to the CRWD cloud. CRWD analysts collect this data from all CRWD devices and check it against a giant signature database in the cloud looking for matches in techniques. For example, the CRWD database contains a previous technique whereby opening a file from IP address 1.1.1.1 executed XXX.exe which was a piece of malware. As CRWD analysts recognize this technique being used again, they will block it, gather more intel, delete the file from the cloud, and share the insight across all endpoints.\nHowever, it should be noted that while CRWD can detect a potential virus within seconds, it doesn’t complete its response and eliminate the threat until hours later. The complex nature of EDR delivers a high number of false alerts that need to be investigated by a client organization's analysts and CRWD's analysts alike. 
Therefore, CRWD does take considerably longer to completely eliminate the threat. However, they're able to contain the spread of the threat until a full investigation is complete. S, on the other hand, can detect and respond within seconds thanks to its greater degree of automation and hybrid EPP/EDR approach.\nThe key benefit of this approach is that there are no constraints on the size of the database, as it’s located in a centralized cloud. Moreover, this EDR approach obviates the need to periodically push out software updates to the endpoints to include the latest signature database, again because the database is located in the cloud. The other benefit is that the aggregated threat hunting ensures new viruses, variants, and attack methods are identified faster. In essence, this AV model makes the front-end software simple and light [collecting evidence] and makes the back-end operations complex, detailed, and shared across all devices - generating insights for all. The essence of EDR is to refrain from doing early prevention, and instead wait, observe, and collect more intel regarding the threats, and respond accordingly. And this approach inspired the name of CRWD’s flagship platform, Falcon.\nSentinelOne Intro\nS, founded in 2013, is the youngest among established NGAV vendors, and this gives it a great last-mover advantage. Instead of heavily focusing on EDR or EPP, S has utilized them both to cover all major aspects of endpoint security to deliver the so-called XDR. Similar to CRWD, S deploys a lightweight software agent with no database on the endpoint [200 MB of disk space]. It does more than CRWD’s sensor, however. It runs static AI to establish baseline file and device behavior from which to identify anomalous activity, relating to when the file was received and how long the file was open, for example. If the file passes the rigors of static AI analysis, the user is allowed to use the file but the agent will continue to monitor closely. 
The agent will apply a more dynamic AI to detect any suspicious lateral movement emanating from the file – e.g., when Word opened it triggered PowerShell to open, or a command is triggered to reach out to the Internet. At any point the agent determines there's malicious activity, it will kill the virus and clean up the environment. It's this level of autonomous capability in the EPP that differentiates S from other NGAV vendors.\nDespite the sophistication of such AI-powered detection methods, some types of malware can still evade detection. Polymorphic malware variants change their own features, such as file names and hashes, to bypass detection methods. Techniques such as code obfuscation make malicious code hard to find and/or understand. Therefore, some threats manage to bypass the front-end, or EPP, defenses, necessitating EDR.\nSimilar to CRWD, S utilizes the back-end, or EDR, for deeper visibility and threat hunting. The data collected is used both by S’s own analysts for global threat hunting, and by its clients’ analysts working in Security Operation Centers [SOC]. On the EDR side, compared to CRWD the key differentiator is that S uses a \"story\" technique to add more contextual relevance, which leads to fewer alerts for analysts to handle. S has named this ‘story’ technique TrueContext ID.\nTaken from an S demo presentation, the screenshot below compares TrueContext ID to previous context-building techniques - Indicators of Compromise [IOC] and Indicators of Attack [IOA] – and the more typical existing EDR solutions – Tactics, Techniques & Procedures [TTP]. The slide uses the analogy of piecing together the description of a person to illustrate piecing together the description of a malicious action.\nFigure 3 - Comparing TrueContext ID to Typical EDR Methods\nSource: youtube.com\nIOCs look like random descriptors that would need substantial effort to comprehend. IOAs are slightly more organized but still require effort to form the full picture. 
TTPs actually describe the bad action and offer useful context but don’t explain what happened before that led to the bad action. TrueContext ID takes it a whole level further by not just describing the traits of the bad action but also putting together a story of the events that led to the bad action – the DNA strand implies it knows everything about a given action.\nFor example, there has been a connection made to an external FTP server [a server for transferring files] >>> this links back to some registry files that were archived in a new hard drive location >>> this links back to an unusual command-line execution in PowerShell >>> it transpires that the opening of PowerShell was triggered by the opening of an Office document >>> deeper analysis indicates the document contained a brand-new unknown virus >>> did the user single or double click it or did it download automatically? >>> where did it come from? >>> did it come from an email or a USB drive? >>> is the email address and source IP address associated with previous malicious activity? >>> or, when was the USB drive inserted on the device?\nThe above example shows a bad actor attempting to transfer a copy of the critical OS files [registry files], perhaps to learn more about the target organization in order to plan a devastating future attack, or something more imminent. TrueContext ID connects all the data points from the static and dynamic AI detection methods and synthesizes them with its own globally collated intelligence to string together a timeline of sequential events. And this is presented to SOC analysts in either tabular or graphical form. Putting together a chain of events like this ensures only relevant context is presented, which radically reduces the number of alerts and enables swift investigation and remediation.\nCRWD investors and advocates may be somewhat confused as to why S’s storying technique is a technical competitive advantage. 
Indeed, CRWD has an event timelining feature that is core to their EDR solution – they refer to it as \"maps.\" However, generally, a client organization’s SOC analysts need to be tier 2 or 3 certified to use CRWD’s Falcon EDR solution – one reason for this being the high number of false alerts that an analyst needs to navigate, which is far easier for the more experienced.\nIf a client organization doesn’t have a SOC team and hence cannot conduct the threat investigation on CRWD and leverage its EDR component, then they can just run it and let it handle things by the default settings, or use the MDR [Managed Detection & Response] option whereupon CRWD experts will do the legwork. But when it comes to SOC operations, S’s storying technique appears to have an edge over CRWD because it radically reduces the alerts and false positives and, on the whole, makes life easier for SOC analysts.\nTo summarize, S can deliver fully automated detection, response, and system recovery all within the EPP software itself, but also has the EDR-based TrueContext ID technology that can catch more sophisticated attacks and help SOC analysts triage with far fewer false positive alerts. With this in mind, it appears that S has the edge over CRWD on both the EPP and EDR sides of the market. Moreover, as we’ll show in the presentation of MITRE ATT&CK performance results, S’s out-of-the-box solution that leverages greater automation is likely to offer greater scalability than CRWD’s. We think this greater scalability is shining through in the recent 2Q22 results, whereby S generated 127% YoY growth.\nKey Differences Between S and CRWD\nWe’ve listed 11 aspects of endpoint protection in which S and CRWD differ by substantial margins. And it may seem overly biased [though we don’t have a position in S yet], but all 11 aspects are in favor of S outcompeting CRWD. 
We’ll elaborate on a few of these in the following sections.\nSource: Convequity\nBrains of Software\nCRWD: As already alluded to, the brain of CRWD is in the cloud only and utilizes EDR to understand the global landscape of threats. The very nature of this cloud-based EDR approach requires the computation of petabytes of data, which quickly detects potential threats but also generates large numbers of false alerts. The false alert volumes necessitate thorough investigation, which is why the response time takes hours instead of seconds. Ultimately, CRWD’s approach is rather labour-intensive but is still more autonomous than legacy signature-based AV.\nS: The brain of S is in a hybrid form that utilizes both automation and AI in the front-end EPP and cloud-powered global intel in the back-end EDR, and blends the two harmoniously together. The storying technique applied in TrueContext ID radically reduces the number of alerts and the manual investigation for the EDR side of operations. So, as aforementioned, for the vast majority of threats, this results in fully automated response and recovery [system cleanup] within seconds, and results in relatively lower manpower requirements [versus CRWD] for the more sophisticated attacks. Moreover, S can work offline and catch the majority of threats whereas CRWD must be connected online to work.\nOperation of AV\nWe’ve already touched on S’s software being highly autonomous while CRWD’s software requires human experts to be effective. This contrast offers an apt segue into taking a look at which approach is ultimately more effective. So, we’ll use this section to review the MITRE ATT&CK endpoint protection test results.\nMITRE is an independent, federally funded, not-for-profit R&D organization that periodically performs attacks against leading security vendors’ software solutions. 
MITRE has long been the authority in cybersecurity testing, and in 2018, they launched the MITRE ATT&CK Evaluations, where MITRE evaluates the efficacy of cybersecurity products. S, CRWD, and PANW participated in the series of tests (2019, 2020, and 2021) and we’ll present the two most recent.\nIn the MITRE ATT&CK tests, vendors are assessed on how effective they are in stopping tactics and techniques. A Tactic is a bad actor’s objective – for example, to acquire a username and password, acquire remote control of the system, or exfiltrate data. A Technique is a method deployed to achieve the objective – for example, cross-site scripting [taking advantage of website vulnerabilities to lure victims into submitting their login details]. There are usually several techniques included in each tactic.\nFigure 4 - Tactics & Techniques\nSource: medium.com\nRather confusingly to the layman, MITRE presents the performance results in terms of Steps and Substeps instead of Tactics and Techniques. So, for high-level knowledge purposes, Steps are closely associated with Tactics and Substeps are closely associated with Techniques. The following diagram from SentinelOne is useful to solidify the levels of detections.\nFigure 5 - Analytic Detections: Tactics/Steps and Techniques/Substeps\nSource: SentinelOne on YouTube, Convequity modification\nThe 2020 test results [based on techniques from APT29, a hacker group linked to Russian intelligence agencies] are shown below. The first chart shows that S led the pack with regard to overall detections, aka Substeps. The chart shows the number of detections out of the 135 Substeps for each vendor.\nFigure 6 – MITRE ATT&CK 2020 Performance Result: Total Detections\nSource: elastic.co/blog/\nThe next two charts show the Tactic and Technique detections for the MITRE AV test. 
As a gentle reminder, Tactics are closely associated with Steps and Techniques are associated with Substeps.\nFigure 7 - MITRE ATT&CK 2020 Performance Result: Tactic and Technique Detections\nSource: elastic.co/blog/\nObserving that S had the best performance in Tactic detections and the second-best performance in Technique detections aligns with the storying capability of TrueContext ID. A Tactic is a Step or objective, such as data exfiltration. A Technique is a Substep or method, one of the Substeps required to achieve the Tactic, such as connecting to an external server in the exfiltration example. TrueContext ID has been designed to provide both high-level and granular detail of each attack, and therefore, it’s understandable why S has performed the best across Tactics and Techniques.\nInterestingly, the performance rankings in the following year [2021] are very similar. In the 2020 test, it looks like CRWD detected a total of c. 115 Substeps versus S’s c. 130. And in 2021 it looks like CRWD detected c. 150 versus S detecting c. 175. So, the ratio is very similar between the two rivals in both years.\nFigure 8 - MITRE ATT&CK 2021 Performance Result: Total Detections\nSource: elastic.co/blog/\nIt would be hard to dispute that S has a better performing AV than CRWD based on the results presented in the previous charts. Though what creates further distance between S and CRWD are the configuration changes made by the vendors before MITRE conducted its test – which we’ll cover next.\nDeployment\nMuch of S’s marketing outlines how their software works straight out-of-the-box. This is a common claim in competitive software markets, though in S’s case, it does appear to be largely true.\nThe next chart shows how many configuration changes each vendor made in preparation for the 2020 test. S didn’t change anything – their AV software was applied out-of-the-box. CRWD, on the other hand, made 25 tweaks to optimize their AV for the test. 
This fits in very well with the earlier discussion that CRWD is designed for enterprises with more experienced security analysts [SOC 2 and 3 analysts] – more on this later. These configuration changes also underscore what we’ve outlined in regards to S being way more automated than CRWD. CRWD’s lack of automation means it can’t work out-of-the-box with high effectiveness – the AV has been designed for heavy human involvement.\nFigure 9 - MITRE ATT&CK Configuration Changes for 2020 Test\nSource: youtube.com\nSo, despite CRWD making 25 tweaks to its AV software versus S’s zero tweaks, the market-leading endpoint protection provider still underperformed S by considerable margins in the MITRE test. And it’s worth reminding ourselves that S will have performed using AI and automation, whilst CRWD will have performed with heavy involvement from its own cloud-based SOC 2/3 analysts. Moreover, to add further context, this is the first test CRWD has participated in wherein it has performed acceptably well – previous tests by MITRE and NSS Labs yielded very poor results for CRWD. When you add these factors together, it really does open up a significant gap in software capability between S and CRWD.\nIt’s also refreshing to note that PANW chose not to make any changes, and they achieved a top-four overall total detection performance and finished in the top half in the Tactic and Technique components of the test. We’ve reiterated for a long time now that Palo Alto Networks is simply the best at cybersecurity, and considering that endpoint protection isn’t even their core/original expertise, this is a huge testament to that.\nExpertise Requirements\nFor SMBs that don’t have a SOC [Security Operations Centre], have relatively simpler security needs, and for some reason may be less of a hacker target, deploying CRWD in its default settings shouldn’t be much of an issue and is way better than opting for legacy AV. 
Indeed, deployment across an all-Windows organization is very simple. Alternatively, if an all-Windows SMB has more nuanced security needs but doesn’t have a SOC, then CRWD’s MDR [Managed Detection & Response] service will be deployed and work smoothly with negligible issues. Expertise becomes a consideration in the case where an enterprise with its own SOC [and more complex requirements] and/or non-Windows operating systems (i.e., Linux and/or Mac) wants to install CRWD.\nAs highlighted in the previous section, to maximize CRWD and protect against a full range of sophisticated attack techniques, substantial configuration tweaks are required. SOC 2 and 3 analysts will comfortably be able to handle this; however, SOC 1 and/or IT generalists will find it difficult and are likely to require assistance or make a mistake. Additionally, a higher level of expertise is necessary to swiftly navigate through the barrage of alerts received with CRWD. Analysts need to coordinate Falcon with Splunk’s legacy SIEM to correlate data and gain the fullest threat landscape picture [this will eventually change, however, once they fully integrate the Humio acquisition]. Again, this requires a higher level of expertise – SOC 2 or 3.\nThen if you add in non-Windows OSes, deployment complicates further. Yes, in the past 12 or so months CRWD has better adapted Falcon to Linux and Mac, though a high level of expertise is required to ensure a smooth deployment following many years of incompatibility issues.\nSo, because of the config changes and the multi-OS environments, typically SOC 2 or 3 analysts are required for the CRWD enterprise use case.\nIn contrast, as evident in the MITRE test, S works right out of the box and hence IT generalists can get on fine with it. 
TrueContext ID - the storying feature - radically reduces the volume of alerts to enable more efficient threat hunting and remediation, hence making for a more user-friendly interface for SOC 1 analysts and IT generalists to get along with. And, S has built its Singularity Platform with Windows, Linux, and Mac in mind right from the outset [a by-product of S’s last-mover advantage and taking more time in R&D before pumping the GTM strategy], delivering feature parity across all platforms – which again, means lower expertise is required to complete a successful multi-OS deployment.\nTarget Market and Pricing\nAs previously mentioned, CRWD and S can be easily deployed for simple use cases associated with certain SMBs. Where we view S as having a notably larger target market is in the more complicated use cases associated with certain SMBs and enterprises. Taking into account the aforementioned expertise requirements, for complex use cases, S appears as the more attractive solution – by a wide margin. In using S over CRWD, SOC 2 and 3 analysts can work with more productivity, and SOC 1 analysts and IT generalists can deploy and manage the software with little hassle. This opens up a wider TAM for S vs. CRWD.\nSo, at the low-end of the market, comparing S and CRWD is trivial, because for simple use cases CRWD’s default settings are adequate. But CRWD is expensive. Our research on Reddit forums indicates that CRWD is 2x to 3x more expensive than S, and from this, we infer that CRWD is or will eventually price themselves out of the market segment in which they are most technically competitive.\nCRWD maximizes the land-and-expand sales model as aggressively as any other software vendor. They sell the Falcon platform in modules; implementing a bare minimum number of modules in the beginning and then aggressively upselling/cross-selling other modules. Many of the other modules, though, are a necessity for full protection. 
Usually, most clients need to bundle together NGAV, which is the Falcon Prevent module, EDR, which is the Falcon Insight module, and device control, which is the Falcon Device Control module. However, in pursuit of greater DBNR [Dollar-based Net Retention], CRWD separated device control into an independent module.\nFigure 10 - CRWD's Falcon Platform Modules\nSource: CrowdStrike\nThe combined pricing is well beyond the price quote from legacy AV vendors – which is absolutely fine given CRWD is better. Though, according to Reddit forum discussions, those clients that mentioned \"SentinelOne\" to CRWD salespeople immediately received a ~50% discount.\nCRWD’s module-based land-and-expand ploys are most evident in the immediate quarters post-IPO. A cynical view, but reading between the lines it looks like a nice stock-based compensation booster was at play for the year-end of FY19.\nFigure 11 - CRWD's DBNR\nSource: CrowdStrike\nIn a clear attempt to differentiate and do things better than CRWD, S doesn’t sell individual modules. Instead, it sells its full Singularity Platform as bundles across three tiers – Core, Control, and Complete. It appears that on a like-for-like basis, S’s bundles are ~30% cheaper even after CRWD’s discounts.\nFigure 12 - S's Singularity Platform Tiered Bundles\nSource: SentinelOne\nInsincere sales ploys like what CRWD has been doing only last for so long. Eventually, customers catch on to what is happening – evident by discussion on Reddit. And it feels like that day has already come, probably brought to the fore by S’s differentiated bundle pricing.\nTo summarize, CRWD effectively competes with S on a technical basis at the lower-end of the market involving simple use cases, but they are risking pricing themselves out of the market. At the higher-end of the market involving complex use cases, it looks like S is both technically better and more affordable than CRWD. Additionally, S will store logs for a maximum of 365 days whilst CRWD’s max is 90 days. 
All of this strongly aligns with S’s founder and CEO Tomer Weingarten claiming that S wins 70% of head-to-heads with CRWD.\nIn comparison to CRWD, not only will S’s technical superiority and competitiveness help it penetrate more of the TAM whilst also widening the TAM, but being able to deploy in the cloud and on-prem further expands their customer reach vis-à-vis CRWD.\nOn the whole, S can target a broader market and, based on its technical/performance superiority plus aggressive but transparent pricing, can outcompete CRWD in its own TAM.\nArchitecture\nBefore we move onto valuation considerations, we’ll briefly share our views on CRWD’s and S’s software architecture. In all honesty, we can’t find much information related to who has the more modern architecture, but you’ve probably guessed already that we think S has the edge here. The cadence in which both vendors release new features and modules is testament that both operate within advanced microservice architectures. However, we assume that as CRWD partners with a legacy vendor like Splunk for SIEM and log management, its architecture is probably semi-dated and that there has been an absence of a major revamp in recent years. This line of thinking could be kind of validated by the number of years it’s taken for CRWD to overhaul its Mac and Linux sensors.\nIt’s interesting how in March 2021 CRWD bought Humio for $392m in cash and equity just one month after S bought Scalyr for $155m in cash and equity. This may be reading into things too much, but some may view it as a sign of desperation to shore up an aging architecture and move away from legacy SPLK.\nAny differences in the modernity of the two NGAV architectures will very likely widen in the coming quarters and years. CRWD is only 14 months older than S, but because it grew early and superfast, it will have accumulated way more technical debt. 
And issues that come with technical debt will only be amplified as a $60bn company like CRWD needs to continue aggressively expanding its TAM via acquisitions in order to keep the mega growth story alive.\nAs all software firms grow, they lose their nimbleness, but it will happen a lot sooner to CRWD than it will to S - and this gives another upper hand to S in years to come.\nS’s Edge Summary\nAt a high level, the key competitive advantages S has over CRWD can be summarized into four fundamental drivers:\n\nBetter product effectiveness.\nBetter user experience.\nBetter pricing.\nA more scalable business model afforded by a highly automated out-the-box solution.\n\nValuation Considerations\nS’s IPO, on June 30, was the highest-valued cybersecurity IPO ever. The stock finished its IPO day 21% up, closing at $42.50/share with a LTM EV/S of 100x. At the time of writing the stock is trading at $68/share with a LTM EV/S of 163x and a NTM EV/S of 92x.\nBelow are some projections going out to FY26. FY22 revenue is anchored to management’s guidance. In the 2Q22 earnings presentation released yesterday, management also gave long-term targets that included a mature gross margin of 75%-80%, hence why we’ve made it so gross margin is 78% in FY26. We’ve used CRWD’s current TTM FCF margin as a rough long-term estimate of S’s in FY26.\nGuessing the multiple declines is kind of uncharted territory because of the unprecedented level and sustainability of multiples we’re witnessing in the COVID-era market. Some may argue a decline to a 53x EV/S by FY26 is not steep enough, and that might be right. Though in FY26 we expect revenue to be at similar levels to CRWD’s today and CRWD is currently trading at 56x EV/S. 
Of course, no macro assessment is being taken into account, so please take this exercise with a pinch of salt.\nFigure 13 - Financials & Multiples Projections\nSource: Convequity\nIn the 4.5 years from today to the end of FY26 [fiscal year end 31st Jan], if the EV reaches $68bn then S’s stock will deliver a 36% annualized return. So, yes, the multiples are insanely high, but because of the extreme growth that will presumably remain high for a few years, even a sharp decline in multiples can still deliver sufficient investor returns.\nCRWD’s LTM EV/S at the close of its IPO day [6th June 2019] was 47x and it has peaked at c. 70x in Aug-19 and Feb-21. This highlights the richness in S’s current valuation. However, is S still worth an investment at the present time? Well, investors need to be aware of the melt-up and melt-down that has often occurred with high-growth tech IPOs, especially during the past 12-18 months. S could very well follow a similar path and climb much higher before falling down once the lockup period ends [27th December, 2021] and early investors can cash in some of their profits. Investors should also note that S employees are allowed to sell 15% of their shares as of 6th October 2021. For readers’ information, S’s number of shares in float to number of shares outstanding is just 17% - in contrast, a post-lockup stock like CRWD has 86% in float.\nTherefore, high-risk-tolerant and/or short-term investors may want to consider a long position right now. Longer-term investors may prefer to let the liquidation unravel post Oct-21 and then post Dec-21 before buying shares. A compromise may be to buy a fourth of a position today and opportunistically add to it in the future. Personally, we’re waiting for a correction before opening a position. If the stock corrects c. 
25% we’ll probably add half of the total planned allocation and then wait to see what happens after the lockup.\nAt first glance S’s extremely negative operating and FCF margins are alarming, but what investors should bear in mind is that S has the edge in technical and performance superiority and therefore they need to capitalize on this edge in the fastest way possible. CRWD is just 14 months older than S but has over 7x more ARR [Annual Recurring Revenue], which illuminates the differences in market approach. CRWD hit the market early and aggressively whilst S spent many years with their primary focus in R&D before focusing on sales and marketing [S&M]. Now S has a refined and market-leading product, they need to maximize the GTM strategy as much as they can and catch up with the market leader.\nFigure 14 - 1Q22 Margins\n\nThe current gross margin doesn’t exactly indicate a profitable long-term business model. However, investors should bear in mind that S’s competitiveness, especially in offering 365-day log storage, is a big suppressant at the moment. When S captures a larger share of the market, builds a solid reputation, and fully integrates Scalyr’s novel way of ingesting and storing log data, S can command a greater premium and simultaneously lower cost of revenue, and hence gross margin will rise accordingly. Interestingly, 2Q22 gross margin has already jumped c. 800 basis points since 1Q22, and no doubt the integration of Scalyr will have contributed to this. Throw into the mix that S will more than likely follow CRWD in shifting from cloud to colocation infrastructure once they reach a certain scale, and the mature end-state gross margin for S will be close to 80%, in our opinion.\nIrrespective of the trading tactics, we think S has a strong chance to prove to be a good investment, even at the current multiple levels. 
We’ll list the pros to consider:\n\nCurrently, S has very low penetration - FY21 [fiscal year ending 31st Jan] generated $93m of revenue and $161m of ARR [Apr-21] - in a market estimated to be worth between $20bn and $30bn by 2025.\nSimilar to what CRWD has done, S will acquire more talent, expand its product’s capabilities, and expand into new markets - the IPO proceeds will go toward these objectives. This will expand an already large TAM for S.\nAs we’ve presented in this report, S is the technical leader in the endpoint protection market. Technical leadership combined with mega aggressive S&M expenditure [110% of revenue vs CRWD’s IPO year of 69% of revenue] will very likely be highly effective.\nGiven the relatively low revenue base ($93m for FY21) and the autonomous, out-the-box nature of S’s AV, we would not be surprised if they regularly exceeded analyst consensus growth expectations (91% for FY22). From c. $100m in FY18, CRWD has grown c. 100%, and this is with an AV solution that needs to be customized for many customers. Therefore, NTM growth of 100% is more probable than not, in our opinion – especially with the S&M aggressiveness.\n\nOf course, stocks such as S pose substantial risks for investors, so we’ll outline some of the cons to consider:\n\nS is a company with fast-growing revenue but also growing losses. EBIT margin for FY20 and FY21 was -161% and -124%. FCF margin for FY20 and FY21 was -102% and -78%. So, it’s clear that cash flows in any DCF valuation are far into the future, which makes the stock very vulnerable to changes in inflation and interest rate expectations – which is happening with frequency at present.\nGiven the large losses, all of the stock’s future trajectory is dependent on the company beating revenue growth expectations. 
Consequently, any quarterly revenue misses will have a severe impact on the share price and it could take the stock a long time to recover.\nS’s technical superiority might not be insurmountable – we believe it's the best but groundbreaking is a stretch too far. Endpoint protection is a highly competitive market abundant with innovation, so it’s a possibility S could eventually lose a degree of its product leadership.\nCRWD may up the ante with ‘smoke and mirrors’ tactics and even more aggressive S&M that specifically aims to legally defame S.\n\nThere are certainly a few pros and cons to consider. In our opinion, the optimal approach to gaining exposure to S is to 1) wait for a correction, 2) open a ¼, a 1/3, or a ½ of the total eventual position subject to the magnitude of the correction, 3) add during risk-off episodes during the next several months, and 4) leave some capital spare to buy some more after the effects of the lockup expiry have been fully reflected.\nThe conundrum, as is with all pioneering software stocks, is that investors are usually forced to pay a hefty premium in order to participate in future price appreciation. This is because these types of stocks have a tendency to remain elevated for a long time. However, on the flip-side, S has not yet made it into the Global MSCI indices; therefore, bouts of risk-off sentiment have the potential to knock down the share price considerably more than stocks such as Cloudflare (NYSE:NET), Okta (NASDAQ:OKTA), Twilio (NYSE:TWLO), and Palantir (NYSE:PLTR). With this in mind, opportunities to buy big dips are likely, but sustained elevated multiples and/or multiple expansion is also a strong possibility. Hence, the optimal approach, in our opinion, is to add a fraction after a correction [or even now for the highly risk-tolerant] and complete the position in the months ahead.\nConclusion\nThis report was not intended to bash CRWD’s technology because obviously it's extremely sophisticated and great at stopping threats. 
However, comparing to CRWD does highlight a degree of superiority in S’s approach to AV. And most importantly, from an investment perspective, S’s out-of-the-box solution certainly makes its business appear more scalable than CRWD. And this is exciting when considering CRWD’s super growth in spite of each deployment requiring a good dose of configuration tweaking and training.\nThe valuation is mega rich but investors need to accept that the premium is for a game-changing technical leader in a high-growth and very large market. Upside growth surprises could very well materialize given the scalability of S’s out-the-box solution.","news_type":1},"isVote":1,"tweetType":1,"viewCount":271,"commentLimit":10,"likeStatus":false,"favoriteStatus":false,"reportStatus":false,"symbols":[],"verified":2,"subType":0,"readableState":1,"langContent":"EN","currentLanguage":"EN","warmUpFlag":false,"orderFlag":false,"shareable":true,"causeOfNotShareable":"","featuresForAnalytics":[],"commentAndTweetFlag":false,"andRepostAutoSelectedFlag":false,"upFlag":false,"length":29,"xxTargetLangEnum":"ORIG"},"commentList":[],"isCommentEnd":true,"isTiger":false,"isWeiXinMini":false,"url":"/m/post/881368624"}