SentinelOne Inc (S) Q2 2022 Earnings Call Transcript

SentinelOne Inc  (NYSE: S) Q2 2022 earnings call dated Sep. 08, 2021.

Corporate Participants:

Doug Clark — Head of Investor Relations

Tomer Weingarten — Co-Founder and Chief Executive Officer

Nicholas Warner — Chief Operating Officer

David Bernhardt — Chief Financial Officer

Analysts:

Hamza Fodderwala — Morgan Stanley — Analyst

Brian Essex — Goldman Sachs — Analyst

Saket Kalia — Barclays — Analyst

Rob Owens — Piper Sandler — Analyst

Brent Thill — Jefferies — Analyst

Tal Liani — Bank of America — Analyst

Andrew Nowinski — Wells Fargo — Analyst

Patrick Colville — Deutsche Bank — Analyst

Shaul Eyal — Cowen. — Analyst

Roger Boyd — UBS — Analyst

Alex Henderson — Needham — Analyst

Presentation:

Operator

Good evening. Thank you for attending the SentinelOne Second Quarter 2022 Earnings Conference Call. [Operator Instructions] I would now like to pass the conference over to your host, Doug, Clark, Head of Investor Relations, with SentinelOne. Thank you. You may proceed

Doug Clark — Head of Investor Relations

Good afternoon, everyone and welcome to SentinelOne’s earnings call for the second quarter of fiscal year 2022, ended July 31st. With us today are Tomer Weingarten, Co-Founder and CEO; Nicholas Warner, COO; and Dave Bernhardt, CFO.

Our press release and the shareholder letter were issued earlier today and are posted on our website. This call is being broadcast live via webcast. And following the call, an audio replay will be available on the Investor Relations section of our website. Tomer, Nick and Dave will begin with prepared remarks, and then we’ll open the call for questions.

Before we begin, I would like to remind you that during today’s call, we’ll be making forward-looking statements regarding future events and financial performance, including our guidance for the third fiscal quarter and full fiscal year 2022, as well as certain long-term financial targets. We caution you that such statements reflect our best judgment based on factors currently known to us and that actual results and events could differ materially.

Please refer to the documents we file from time to time with the SEC, in particular, our S-1 and our quarterly report on Form 10-Q. These documents contain and identify important risk factors and other information that may cause our actual results to differ materially from those contained in our forward-looking statements. Any forward-looking statements made during this call are being made as of today. If this call is replayed or reviewed after today, the information presented during the call may not contain current or accurate information. Except as required by law, we assume no obligation to update these forward-looking statements publicly or to update the reasons actual results differ materially from those anticipated in the forward-looking statements even if new information becomes available in the future.

During this call, unless otherwise stated, we will discuss non-GAAP financial measures. These non-GAAP financial measures are now prepared in accordance with generally accepted accounting principles. A reconciliation of GAAP and non-GAAP results is provided in today’s press release and in our shareholder letter. These non-GAAP measures are not intended to be a substitute for our GAAP results. The financial outlook that we provided today excludes stock-based compensation expense, which cannot be determined at this time and are therefore not reconciled in today’s press release.

And with that, let me turn it over to Tomer Weingarten, CEO of SentinelOne.

Tomer Weingarten — Co-Founder and Chief Executive Officer

Welcome everyone, and thanks for joining our first earnings call as a public company. This is the start of an open and informative dialog. We value trust and transparency and I’ll have the opportunity to model this as a public company. And since this is our first earnings call, I’d like to give some background on our journey and how we got here. I will then turn it to Nick and Dave to provide some highlights from our most recent quarter and outlook.

We launched SentinelOne in 2013 with the idea that cybersecurity incorporated faster speeds, greater scale, higher accuracy and most importantly do this through more automation. We created an autonomous cybersecurity platform to deliver our vision. Attacks and threats are only becoming more sophisticated and more common and legacy solutions and human defenses just can’t keep up. Looking further the older ransomware attacks, unfortunately this isn’t new and it isn’t going away and it’s impossible to ignore.

Our mission to protect our customers in our way of life has never been more important in a digitized world. There are several structural forces that play that will drive long-term and sustained growth for us in our industry. The growing threat landscape is just one of them. Next is the digital enterprise environment, more devices, more places, more data requires updates to critical enterprise infrastructure and that includes new attack surfaces such as containers and workloads. At the same time, we moved to a hybrid work environment. This is the new normal, forcing the revolution of how we work, where we work from and fundamentally how we secure the future of work. The only way to ensure safety and security is with zero trust. Across the entire enterprise from endpoint to cloud, companies want partners and platforms not siloed point solutions.

Our open XDR approach is helping unify the entire enterprise view from data to device to cloud. Putting all of this together, cybersecurity has never been more critical and more challenging for the enterprise. That gives me tremendous confidence in the long-term growth potential in front of SentinelOne. Over the last eight years at SentinelOne, we’ve developed AI and machine learning models, built patented storyline technology and created an in-house cloud data platform. We knew from the beginning that the best solution would have to harness the power of data in AI. And as a result, we’re delivering real-time industry leading threat detection and response from endpoint to IoT to cloud.

To us, prevention is the fundamental component of modern day cybersecurity. Equally critical is machine speed detection, response and remediation. We’ve achieved many important milestones already this year. Certainly, the IPO is part of that. At the same time, top scores from MITRE ATT&CK, the industry standard test for EDR, as well as the high score in the Gartner Critical Capabilities for each buyer type have helped build credibility in industry recognition. Operationally, we’ve expanded our board of directors and instituted an advisory board. And with an eye to the future, we just announced that we’ll be opening an R&D facility in the Czech Republic to support our growing scale and global presence.

Finally, delighting our customers, I’m especially proud that our net promoter score or NPS has risen every single quarter in the past year. It jumped in Q2 to above 70. That puts us well above the ranks of many consumer and technology companies and ahead of category defining technologies loved by users, such as the iPhone. Our customers choose us as their cybersecurity partner and we take the responsibility and trust seriously. We’re helping our customers stay ahead of all adversaries, prevent breaches and autonomously respond through innovation.

Turning to the business, in Q2, our ARR growth accelerated to 127% year-over-year and our revenue was up 121%. I want to pause on that for a second. Our business is expanding well into the triple digits, both for ARR and revenue, and our guidance for Q3 shows that we expect that to continue. Our growth is very well balanced across new and existing customers as well as large and mid-sized enterprises. Enterprises represent about two thirds of our business today, and we’re gaining even more traction. In Q2, we added the highest number of customers with ARR over $1 million compared to prior quarters. We’re also expanding with existing customers to securing more devices and services along with bringing new security control and visibility modules. Our net retention rate was the highest it’s ever been at 129%. Our channel partners are bringing us into an increasing number of opportunities, giving our sales teams access, scale and reach around the globe. Nick will talk a lot more about our differentiated go-to market and how that’s fueling growth.

I’m proud of the technology and the innovation we’re bringing to customers through our Singularity XDR platform. We sell three platform tiers, core control in our most comprehensive and popular tier complete. These tiers enable us to bring our technology to a diverse set of buyer types and organizations from medium sized businesses all the way to the world’s largest Fortune 500 enterprises. We also offer more than 10 modules that extend our platform value to more enterprise needs from IoT discovery and security to cloud and container workload protection. Our modules help customers with today’s critical management protection and visibility challenges. In Q2, we enhanced our capabilities around automation, zero trust and data.

First, automation. Automation is key to neutralizing threats effectively and in real-time. Security teams simply can’t analyze and respond to billions of events every day. The response piece is especially important. A human powered 1-10-60 benchmark is a legacy model. Our customers want real-time response and protection. This is why our patented storyline technology is so important. It monitors and contextualizes all events across an enterprise at machine speed. That means fewer and more accurate alerts based on data. It also means autonomous remediation, taking machine delivered responses to a whole new level of automatic efficiency. The chief information security officer of a Fortune 500 oil company captured it well saying SentinelOne’s storyline technology fundamentally changes EDR. Instead of people having to manually assemble data points, the technology assemble stories for us and even make decisions in real-time, game changer. We listen to our customers adding even more automation capabilities.

In Q2, we added Storyline Active Response, or STAR. With STAR, security teams can now create custom detection response rules and deploy them in real-time. In other words, write the rules once and let it trigger automatic alerts and instant responses enterprise wide. That’s more control and more automation and more prevention. The secondary of focus is around zero trust. Every edge of the network must be secured. We did this in two ways in Q2, tackling global IoT devices and expanding zero trust partnerships and enterprises can protect what it can see, including IoT and unmanaged devices. One compromised printer can quickly become an adversary’s home base for an attack. The solution for the IoT and unmanaged device challenges are ranger module. Ranger identifies and tracks all rogue IoT devices and we’ve just released Auto Deploy. Our new Auto Deploy capability tackles one of the oldest problems in enterprise IT, quickly deploying protection to unmanaged and sometimes unreachable assets with ease. Ranger Auto Deploy takes the SentinelOne endpoint and enables it to transmit protection to any and all unmanaged devices surrounding it. This is the first. And we’re already seeing demand for Auto Deploy, which helps secure a million dollar customer win in Q2, where we replaced legacy AV in one of our other major next gen competitors. We also expanded our marketplace ecosystem through new partnerships with Zscaler and Cloudflare, partnering with other zero trust leaders strengthens our customers’ security postures.

Finally, we’re focused on data. Cybersecurity is fundamentally a data problem. We use AI to parse petabytes of data, identify anomalies and autonomously mitigate attacks in real-time. Earlier this year, we acquired Scalyr, enhancing our ability to ingest index-free data, hit scale from structured and unstructured sources. Our goal is to optimize for scale performance and cost. We’re excited about the future of go-to market synergies. We’ve also begun transitioning our data back into Scalyr for new proof-of-concept deployments, onboarding new customers at scale.

Before I turn into Nick and Dave, I want to say I’m excited about what we’ve achieved as the company. I am proud of the scale of our business and the triple digit growth rates we’ve now delivered for two consecutive quarters. This is truly a testament to the hard work of the entire team at SentinelOne. Thank you to all of our employees and also our customers and partners. Your feedback and trust puts us on the winning side of cyber warfare every day. I’m even more excited about what we can do from here. The endpoint security market is large and growing and we’re just at the beginning. Cyber defense should be even more holistic. It has to be flexible and automated and that means not just across the endpoint operating systems, but also IoT devices, servers, cloud workloads and the data itself. This is XDR. We are XDR.

And with that, let me turn it to Nick Warner, our Chief Operating Officer.

Nicholas Warner — Chief Operating Officer

Thank you, Tomer, and I’d also like to welcome everyone. I’ve been at SentinelOne for over four years now. Everyone here has a lot to be proud of, especially how quickly we’ve scaled in just the past year alone. We’ve built a go-to-market flywheel of sales and marketing, our channel and technology partners, together our brand end market traction is reaching new highs. Let’s discuss the business.

ARR of nearly $200 million and growing 127% is nothing short of astounding. Looking back, it took over three years to reach a $100 million in ARR and just three quarters to nearly reach the next $100 million. Our future is unbounded. That’s because of vision, execution and listening to the needs of our customers. Over 5,400 customers use our Singularity XDR platform, that’s over 2,000 more than last year. I’m delighted to help protect that many businesses. Our customers are diverse in size, scope and geography. Our focus on automation, speed and accuracy is critical to any enterprise, in fact, all enterprises. We’re protecting even more mission-critical businesses. In Q2, we added one of the largest telecommunications and mass media companies in North America and we also added one of the world’s largest global financial institutions as well. Make no mistake, this is a competitive market. We go up against incumbent and next gen players all the time.

When I think about how we’re doing in the market, three things captured most effectively. One, our 97% gross retention rate, which means our customers are happy and staying with us. Two, we don’t compete with our channel partners, so they are able to lead with our technology platform. We enable and embrace the channel. And three, we win more than 70% of POCs against the competition. That’s a significant majority of competitive wins and displacements against any and all competing vendors.

Let me share some more detail from the quarter. We’re making tremendous progress with large enterprises, which represent about two thirds of our business. We grew customers with ARR over $100,000 by 140% versus last year. We added the highest number of million dollar ARR customers this past quarter. In the past year, we’ve more than tripled the number of customers with ARR over 1 million. It’s clear from both of those points that we are succeeding with larger customers and landing larger deals. Our net retention rate was 129%, a new record for our company. Fantastic execution from our sales and go-to-market teams. We’re helping customers expand agent deployments, access more functionality with packaged tiers and adopt new module solutions. When it comes to our modules, our innovations help enterprises do more. Just looking at our modules that cover IoT, cloud and data, these grew more than 6 times year-over-year in Q2 and represent over 10% of the quarter’s new business. We’re still early with our modules and see this as a long-term lever for our business.

Next, I’ll share some insights on our go-to-market. Our internal sales and support teams combined with our diverse and growing partner ecosystem gives us an incredibly vast reach. Earlier this year, we rolled out a new channel partner training and accreditation program. Feedback has been positive and we’ve issued over 2,000 accreditations to date. Our strong channel metrics are leading pipeline and traction indicators.

We partner with managed security service providers, MSSPs; managed detection and response providers, MDRs; and incident response, IR partners. We equip them with industry-leading capabilities and in return we get tremendous market access and scale. We don’t compete with them. We support and enable their business. We’re rapidly expanding this ecosystem and it’s driving meaningful growth for us.

I want to double-click on our incident response partnerships.. Driven by the rising wave of ransomware attacks, breaches have become pervasive for businesses around the world. In the unfortunate, but often common case of a company being breached, IR partners are called in to identify and remediate the attack. They use our technology to understand what’s going on, stop the attack and remediate the network. Our ecosystem of IR partners are armed with the best technology available when it comes to rapidly recovering from a breach. After seeing the immediate value of our technology, we see extremely high adoption rates post breach, as post-breach enterprise is standardized on SentinelOne as a modern approach to cybersecurity.

In Q2, we added over a dozen additional IR partners and are bringing more online in Q3 and beyond. It’s not just quantity, but quality. In Q2, we added world renowned IR partners like Kroll, Alvarez & Marsal and Group-IB. These and others are global leaders with extensive enterprise relationships. These are the go-to experts who cyber insurers and boards call when there is a breach. In fact, our IR partner ecosystem is our fastest growing channel. For all of us at SentinelOne, our values and goals align on protecting customers and putting them first. From sales to support, marketing to channels, business development to customer success, Vigilance MDR to SentinelLabs, our go-to-market organization is world-class and I’m proud to work with this global team of relentless Sentinels each and every day.

Thank you. And let me turn it over to Dave Bernhardt, our CFO.

David Bernhardt — Chief Financial Officer

Nick, Tomer, thank you, and thank you all for joining us today and hopefully in the future. I’ll touch on a few of the highlights before we open for Q&A. There’s a lot more detail in our shareholder letter, which I welcome you to view on the Investor Relations section of our website.

We are very excited about our performance in the second quarter. Looking at our Q2 results, we achieved a record revenue of $46 million, increasing 121%. Fueled by new customers and existing customer expansion, we delivered ARR of $198 million in the quarter, accelerating 127% year-over-year. Even after backing out the $10 million in acquired ARR from Scalyr, our organic growth was still well into the triple digits. Obviously, we’re very enthusiastic about our topline drivers.

Now I’ll discuss our costs and margins and then provide our guidance outlook. Our non-GAAP gross margin in Q2 was 62% and expanded 900 basis points, a healthy pickup from last quarter. The biggest benefits are coming from our increasing scale and business expansion. Additionally, we’re also starting to see benefits from our renegotiated cloud hosting agreement, which we signed earlier this year to align with our expected growth.

Looking at the rest of our P&L, we’re investing for growth and it’s clear that it’s working, once again reflected in our triple-digit topline growth rate.

During the quarter, we made strategic investments in preparation for becoming a public company, enhancing our product and scaling our go-to-market. Our non-GAAP operating margin was negative 98%, an improvement over negative 101% in the year ago quarter, even as we prepared for our IPO. In the shareholder letter, we’ve reiterated our long-term margin targets. These are the same targets that we shared during the IPO.

The key point is that as we progress to our long-term targets, we intend to invest in growth while also improving our margins and profitability. A recent example is the diversification of our R&D footprint outside of Israel and Silicon Valley. We just announced that we’ll be expanding our engineering excellence into the Czech Republic. With all of this opportunity in front of us, fiscal 2022 remains an investment year.

Now for our outlook for Q3 and the full fiscal year. In Q3, we expect revenue of $49 million to $50 million, reflecting growth of 102% at the midpoint. For the full year, we expect revenue of $188 million to $190 million or 103% growth at the midpoint. We expect the strong momentum we saw in Q2 to continue next quarter and our structural tailwinds to persist. Combined with ongoing benefits from our product innovation, improved brand awareness and continuing to scale our go-to market, this collectively supports our triple-digit growth outlook. We expect Q3 non-GAAP gross margin to be between 58% to 59% and full-year gross margin of 58% to 60%. Most importantly, this remains well above 53% we reported in the first fiscal quarter this year and at or above 58% we delivered in fiscal 2021.

We are benefiting from increased scale, cloud hosting agreements and processing efficiency gains. Reflected in our guidance is our plan to migrate existing customers to our Scalyr backend in Q3 and Q4. The migration will result in some duplicative storage and processing costs as we ensure data and performance continuity. This is intended to further improve data processing for the future and unlock long-term platform and go-to-market synergies. Excluding the redundant costs for the Scalyr migration, we estimate fiscal 2022 gross margin would be roughly similar to our gross margin we achieved this quarter.

Finally, for operating margin. We expect negative 96% to 99% in Q3. Our full year operating margin guidance is for negative 99% to 104%. This is an improvement upon our fiscal year 2021 operating margin of negative 107%. We see tremendous opportunity for growth and the investments we’re making today will put us in a position to succeed for the long term.

Finally, we have two quick housekeeping items. Both of these are included in the shareholder letter with more detail as well. The first item is share count. We ended Q2 with total basic shares outstanding of $265 million, this is the base run rate going forward. The second item is the lockup. We have two triggers. The first is on September 28th. If the stock price remains at current levels, it will unlock up to approximately 40 million outstanding shares as of July 31, 2021, excluding vested equity awards. The remainder of the lockup will expire subsequent to our Q3 earnings report.

In closing, Q2 was an excellent quarter with strong execution, and we’re expecting that momentum to continue into the second half of the year.

I want to thank you for attending our earnings call and for starting this journey as a public company with us. Operator, can you please open up the lines for questions? Thank you.

Questions and Answers:

Operator

Certainly. [Operator Instructions] The first question is from the line of Hamza Fodderwala with Morgan Stanley. Thank you. You may proceed.

Hamza Fodderwala — Morgan Stanley — Analyst

Hey, guys. Thank you for taking my question and congrats on your first quarter post IPO. Just on — maybe a question for either Nick or Tomer. I wanted to dig into some of the partnership announcements you guys have made in recent months, particularly with the Zscaler and Cloudflare. What do you think — one for Tomer, to what extent does that validate your technology, given that you’re partnering with other next gen vendors on the network security side? And then from a go-to-market perspective, for Nick. What type of incremental benefit will these partnerships bring?

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah, thanks for the question, Hamza. And for us it’s really about, really stepping forward towards a more inclusive open XDR approach and also kind of producing a more Zero Trust ecosystem around SentinelOne Singularity platform. Really fusing together endpoint, which is kind of the edge of the network with the cloud and now identity and the user as well. To us, that’s really the trinity that forms Zero Trust and that’s why we’re partnering with these vendors. Obviously, we find them in more and more accounts that we sell into, so that also becomes something that our customers are asking us to do. So, all in all, I mean, it just really kind of falls in line with both of our Zero Trust strategy and our open XDR approach and the idea is over time to continue and ingest more data from all these adjacent solutions in the enterprise into our open XDR platform. So to us, again, it really falls into the strategy that we took by enabling our customers to pick any vendor and indeed build on top of the Singularity platform.

Nicholas Warner — Chief Operating Officer

Hi, and this is Nick here. From a go-to-market perspective, what it means for our customers is we really allow them to realize even greater ROI on previous solutions that they had purchased. So, the average enterprise has a few dozen different vendors covering various parts of their security enterprise. And with our vision of XDR being open, being inclusive, being easy to use, what we’re really doing is up leveling the capabilities of those traditional and already installed products, adding tremendous value with the Singularity platform, but weaving that all in together to a complete and holistic view of security, which is really the promise that we’re delivering upon with XDR.

Hamza Fodderwala — Morgan Stanley — Analyst

Got it. Thank you.

Operator

Thank you. The next question is from Brian Essex with Goldman Sachs. You may proceed.

Brian Essex — Goldman Sachs — Analyst

Hi, good afternoon. Thank you for taking the question, and congratulations on another really nice quarter of acceleration here. Maybe Tomer, I would love to get your feedback on — I think in your prepared remarks you talked about two thirds of your business is enterprise focused. What was the mix in the quarter? And what do you anticipate going forward for larger enterprise mix? I see that landed cost per new logo is certainly much higher than it was last quarter. So, just trying to think about the trajectory there and maybe the most fundamental thing that change in the quarter to drive that improvement.

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah, for us it really is a good mix. I mean, we feel like our traction in the enterprise and definitely 140% growth year-over-year and 100,000 deals and above is a good reflection of how much bigger we’re landing in accounts, 225% on $1 million deals, again a good reflection of our traction in the enterprise. But at the same time we feel presence in the mid-market is important and it’s something that actually is a very efficient go-to-market for us. So we like that mix, we feel it’s a good mix for us. We’ll continue to drive it. Definitely on the enterprise side, we’re seeing more lends with our complete tier, actually with more attached to ranger, more attached to vigilance, more attached to data retention. So, all in all, we’re seeing massive adoption for not only kind of what is now becoming our premium tier, which is complete, but on top of that to the add-on modules that we have and we intend to do the same also on the mid-market where we enable our channel ecosystem to carry more than just endpoint protection and sell also cloud security. So, all in all, we feel that mix is a healthy one and one that we would like to carry into the future.

Brian Essex — Goldman Sachs — Analyst

Got it. And maybe just a quick follow-up for Dave. I mean, you mentioned the real quick the duplicate of costs associated with the the Scalyr migration. When might we see that abate and maybe the margins might be able to maybe better accelerate after conclusion of that?

David Bernhardt — Chief Financial Officer

Sure. It’s predominantly in the second half of this year. So you’ll see it in Q3, you’ll see it in Q4, and then it should dissipate beyond there. We’re working on getting our largest customers over first, which is why you see the depth that we’re expecting in the second half, but going forward we think we should have a baseline of around where we’re out right now, barring any other efficiencies we see on the product as we continue to advance it.

Brian Essex — Goldman Sachs — Analyst

Got it. Very helpful. Thank you very much.

Operator

Thank you, Mr. Essex. The next question is from Saket Kalia with Barclays. You may proceed.

Saket Kalia — Barclays — Analyst

Okay, great. Hey guys, thanks for taking my questions here and echo my congrats on becoming a public company. Tomer, maybe for you. I was hoping if you could just talk a little bit about kind of the broader distribution channel a bit. I guess the question is how do you sort of judge the scale of your channel? And where do you see it kind of going in the next year coming off the IPO?

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah, it’s a great question because we look at our channel in a very inclusive manner. We definitely kind of look at the distribution channel, reselling channels, but the ones that are a little bit more classic to security is going to be incredibly strong, and at the same time the ability to also take the same platform, license it to MSSP providers gives us a tap into a complete different part of the TAM. And as Nick mentioned in the prepared remarks, our ability to now signup most of the incident response providers — most of the leading incident response providers in the U.S. is providing for another channel that kind of expand the gamut of what we see in terms of market opportunities. So, all in all, we feel pretty good about our market presence in the channel ecosystem. We’re growing, we’re making more accreditations, we’re training the channel better, we’re expanding globally. So to us, I mean, we feel like we’ve built really strong foundation in the channel, but now they’re just going and accelerating and obviously enabling the channel, preparing more modules is another tier in our ability to unlock the vast opportunity in the channel ecosystem.

Nicholas Warner — Chief Operating Officer

This is Nick here. What I’d also add to that is uniquely with SentinelOne, we’ve made a strategic decision to enable and not compete with the various multi-dimensional channel partners out there, whether that’s MDRs, MSSPs, or incident response partners, obviously as well as your traditional resell partners. And what that’s really driven by enabling their business and not competing is incredible loyalty and brand loyalty with SentinelOne, and that’s something we’ve been working really hard on for the last several years. So we’re really starting to see that, that flywheel kick-in, in all the different facets of are go-to-market channel partner ecosystem.

Saket Kalia — Barclays — Analyst

Got it. That’s really helpful. David, maybe my follow-up for you. Tomer just sort of talked about this just briefly in the last question, but I was wondering if you could just double click a bit on the mix of customers across the different singularity peers, specifically core control and complete. What are you sort of seeing in terms of new customers and existing customers in terms of the peers that they’re sort of opting for?

David Bernhardt — Chief Financial Officer

Sure. So about half of our customer still use core or control with the larger enterprise customers obviously using the complete solution. And there’s a mix across all of them, but there’s certainly an opportunity for us to continue to see the customers in core control to expand up to the more complete offering, as well as add more modules, etc., etc. I think that goes into why you’re seeing 129% ARR. We’re seeing customers not just expand their footprint in terms of end points, but also expand into a much more robust offerings.

Saket Kalia — Barclays — Analyst

Very helpful. Thanks, guys.

Operator

Thank you. The next question is from the line of — I apologize, one moment please, with Rob Owens, you may proceed.

Rob Owens — Piper Sandler — Analyst

Great. And I appreciate you guys taking my question. I think building a little bit on Saket’s question, but I want to touch on the net dollar retention rates. And is this coming from expansion in seats? Is this coming from the tiers that you talked about and up-sell within the base or is a lot of that growth coming from the adjacent modules?

Tomer Weingarten — Co-Founder and Chief Executive Officer

It’s actually all of the above and we definitely focus on basically providing the customer the choice. License counts naturally organically extend over time, we see that time and time again. But at the same time, it’s very clear that we have much more in the back today versus maybe a year ago and customers want to procure more from SentinelOne. They want to cover more surfaces, they want to use more abilities, they are opting for our services. So, all in all, we’re seeing traction all across the three different vectors, which would be again seat count expansion, more modules, different tiers. We see that time and time again and we like that net retention rate. I mean, we feel it’s going to hover around these rates for kind of the foreseeable future and we like their contribution.

Rob Owens — Piper Sandler — Analyst

And as we look at customer acquisition, typically, who are you going up against? Are you still seeing a lot of replacement of legacy out there, which would imply that there’s still a long way to go in this markets? Or is the battle coming down to more of the next gen providers? Thanks.

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah, I think it’s 99% displacing an incumbent. It’s always going to be competitive with at least one other next gen competitor. But outside of that, I mean, we are doing displacements here and there, very anecdotal, but we have those. But the vast majority of what we see, it’s absolutely taking market share from the incumbents, it’s always a displacement. We’ve had multiple years long customers of Symantec and McAfee switching over to SentinelOne this quarter as has been with the past quarters as well. So, we think the market momentum in customers understanding that they need to change the mindset and really move over to the next gen offering is not really mainstream. And I think that comprises the vast majority of our pipeline.

Rob Owens — Piper Sandler — Analyst

Thanks for the color, Tomer.

Operator

Thank you. The next question is from Brent Thill with Jefferies. You may proceed.

Brent Thill — Jefferies — Analyst

Thanks. Tomer, you mentioned IoT cloud and data center seem really good uptake. I’m curious if you could just talk through how you look the next couple of years in this segment and what you’re seeing? I know you mentioned one of the IoT when sort of a multi — drove a million dollars plus win. Can you just maybe help shape what’s happening when these transactions are getting evolved and what you’re seeing with overall expansion of deals?

Tomer Weingarten — Co-Founder and Chief Executive Officer

Absolutely. Ranger for us has become truly a competitive advantage. Our ability to not only discover all devices on the network, but now also to automatically deploy and help customers reach all these devices in a completely automatic manner is something that is incredibly unique in this space and it’s driving more adoption and driving more seat counts. And all-in-all, it drives this ability for customers to shift away from their incumbent vendor with ease. So it’s not only about protecting those attack surfaces, it’s also about ease of deployment and simplicity of use. So we’re seeing massive traction with that. We’re seeing the ability for almost every customer that we have today to go in and prove by that functionality. Its zero additional deployment. It’s completely cloud delivered. So it’s incredibly easy to consume. Again, Ranger is one of our fastest growing modules and same goes for data retention.

We’re now seeing, think about the White House Executive Order that mandates low collection, data retention, the ability to keep security data input telemetry for longer, is actually fueling customers to procure more and more data retention and archiving directly from our platform. It’s something that’s highly unique to us. Definitely part of the reason why we’ve expanded our offering and now with Scalyr as a data analytics backend. So the ability to really address all of these new opportunities in cybersecurity that might have not been there a couple of years ago are not only an opportunity, but also a competitive differentiator that we have.

Brent Thill — Jefferies — Analyst

Great. Thank you.

Operator

Thank you. The next question is from Tal Liani with Bank of America. Thank you. You may proceed.

Tal Liani — Bank of America — Analyst

Hi, guys, congrats on a great quarter. I have a few questions. I want to speak about competition. Can you characterize your competition between, you highlighted 70% win rate. Can you characterize the competition? How is it going versus legacy players and what drives corporates that were on legacy system for a long time, what drives them now to migrate? And then also the competition versus the new players like CrowdStrike and others? And if you can talk about your — we spoke about product differentiation, but I want to talk about the value of automation. How is that coming to play and also pricing differences. We’re hearing that you’re quite cheaper than the competition, next gen competition? Thanks.

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah, I believe, for us it’s really about the holistic approach we’re taking that allows us to win both against incumbents and against next gen peers. The ability to give the full spectrum solution, a full spectrum platform — a full spectrum platform that ranges from best of breed prevention, all the way to detection and response and remediation, all of that in a complete uniform autonomous manner. It’s a big difference on what the others are doing in this space. We feel like for a lot of these customers, I mean, they’re going more and more frustrated by this need to constantly put down fires. And for us, I mean, if you take a more prevention first approach, you can actually stop these fire from actually ever happening, and that just drive efficiencies. And I think if you’re looking at all these incumbent vendors and incumbent footprints, obviously there’s massive amounts of breaches there.

Even for the next gen peers, I mean, we’re seeing a lot of their customers and we’ve had a multi-million dollar displacement this quarter for a customer that grew increasingly frustrated with the multiple infections with inefficiency on protecting server environments, and they wanted a more automatic solution, they wanted a solution that can actually remediate and clean up all the infections they were seeing. But at the same time turn into more of a preventative approach, where I’m not saying that you can prevent everything, but you can absolutely do a better job on prevention and really stop that firefighting mode or improve it significantly. And that is what our platform is incredibly unique in, that’s the advantage of AI and machine learning. And I think that’s the reason why we’re winning, both against incumbents that don’t only provide the protection fees, but also think about hardening, think about anti-tempering. These are all things that our platform can cover today. It’s incredibly holistic again in nature. And once again when you look at the peers, they’re focused on detection and response. That’s what they do. They bundle a service with it. For us, it’s about technology, it’s about creating a more secure endpoint in a most holistic way possible.

Tal Liani — Bank of America — Analyst

Got it. And about pricing, is it — is being cheaper than the next gen competition is that the strategic goal for you? I mean, how do you tax arise your your pricing versus competition?

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah, I don’t think we’re cheaper than the competition. I think if you look at it, apples-to-apples, you’ll see that the prices are pretty much similar. I think we take a different approach. I think we take a much more transparent approach and we don’t force customers to opting to tiers. We don’t force them to use our service. So, all in all, I mean they can actually choose what they want to procure from us. But again, apples-to-apples, I think you’ll see that prices are very, very similar. Don’t think we’re cheaper by any degree.

Nicholas Warner — Chief Operating Officer

One thing I would add to that. This is Nick here. From a budget perspective what we don’t try to do is hijack a customer’s security budget and to forcing them to buy reams of services, hours to support a non-automated product. What we’re bringing is automation and machine learning, ease of use, and really we’re democratizing very advanced technology. What that enables customers to do is achieve the outcome we’re driving for them and our prospects and customers, which is protection and prevention. And so from an apples-to-apples perspective, we’re typically at or higher from a technology perspective, but we enable customers to best put that money to use buying technology. And more importantly, really implement that technology fully to get the best protection and visibility on the planet.

Tal Liani — Bank of America — Analyst

Great. I have a quick one, if I can squeeze in, if not I’ll ask you privately. CrowdStrike highlighted on the last call that they won Workday from you and they highlighted false positives and reasons why they said that this customer has switched to them. I think it’s just fair to ask the question, if you can refer to their statements and announcements on this customer? Thanks.

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah, I mean, I think it’s something that you’ll see anecdotally happening. I mean, we’ve had an excess of $1 million ACV displacement this quarter as well for Fortune 500 Company, and they cited the same. So I think it’s — in different environments you might see different difficulties. I think a lot of it is sometimes about relationships, but I think what’s incredibly interesting about the customers that we’ve displaced is the reference they made to the amounts of infections they have to deal with, which to us is really why you’re bringing in cybersecurity solution. You want to prevent these infections from happening. So to us, I mean, false positive performance it’s always something that you deal with. I mean, they deal with that, we deal with that. It’s something that you’ll deal with that forever. But again, infection is something that’s unacceptable. And I think that’s why you see customers, its scale against multi-million dollar ACVs shifting away, and that’s kind of what we see in this space today.

Nicholas Warner — Chief Operating Officer

And this is Nick here. Time and time again, what we’ve seen for several years now is folks go with SentinelOne for really a unique combination of prevention, OS coverage and support, automation and then lastly as Tomer had mentioned, efficacy. So our ability to protect, to prevent and to keep our customers safe.

Tal Liani — Bank of America — Analyst

Great, thank you.

Operator

Thank you. The next question is from Andrew Nowinski with Wells Fargo. You may proceed.

Andrew Nowinski — Wells Fargo — Analyst

Great. Thank you, and congrats on a very good quarter. It’s two quick questions for you. A number of vendors are talking about the start of another firewall refresh cycle, but given the comments you’ve made today it sounds like you’re indicating that we’re also at the start of an end point refresh cycle as more enterprises rip out their aging legacy solutions, so I’m just wondering if that’s the right characterization of the strong demand that you’re seeing or do you think the ransomware attacks that we’ve seen over the last nine months maybe fueling the momentum? I’m just really trying to get a feel for how long this exceptionally strong momentum can continue?

Tomer Weingarten — Co-Founder and Chief Executive Officer

I think it’s a combination of quite a few factors, definitely some tailwinds. I mean, some — the hybrid work environment and to refresher cycles through increased need of abilities to the government pointing out EDR solutions as one that should become mandatory environment. So I think there are many different drivers to what we’re seeing right now in endpoint security. I think the road is long, and I think what really is important to understand about our platform is we’re much more than endpoint security. So for a lot of these new accounts that we’re winning that the net new logo motion that we have is already going into other adjacencies in the enterprise, whether it’s IoT security or cloud security. So to only the end point refresh cycle, there’s actually something that drives in overall look at your entire cybersecurity posture and we’re becoming the trusted partner for these enterprises to actually continue and grow up and down the stack and in different surfaces.

So, all in all, I mean, it drives, I think a complete overhaul of the cybersecurity stack. I wouldn’t call it necessarily a refreshed recycle just because there are so many different secular trends that they are pushing it towards just modernize environments and the ability to extend into every part of what is now a completely flexible parameter versus the parameter that we’ve seen in the past was mainly kind of a firewall bound today that’s completely dissolved today to device the cloud. And that’s really what’s driving massive motion in our market. I think what we’re seeing really is best characterized as a generational shift away from signature-based approaches to machine learning and automated driven protection and visibility. And that’s what we’re experiencing. We’re still in early innings, but it’s massive, its macro and its global.

Andrew Nowinski — Wells Fargo — Analyst

That’s great. Thank you. And just my follow-up question. As it relates to some of the $1 million ARR customers that you landed, I’m wondering if you could just give us any more color in terms of maybe how many agents those deals typically involve? Or how many modules they typically purchase? I’m just wondering ultimately how much of an opportunity there is that those customers for additional purchases down the road? Are they buying everything and maxing out their purchase on the initial purchase to get to that million plus spend or is there a big opportunity with those going forward? Thanks.

Tomer Weingarten — Co-Founder and Chief Executive Officer

We feel it’s far from it and it can vary significantly. We definitely see the ability to expand into other footprints in the enterprise and almost every account that we land. We’re also putting more and more modules. Just last quarter, we actually added two new modules into our roster and portfolio capabilities. So, all in all, we feel pretty good about our ability to continue and grow in these customer accounts, both in terms of covering more footprints, but also in terms of selling more modules. We’re definitely seeing better adoption for a ranger module as I mentioned. But again, we got so many different abilities right now and we’re seeing the beginning and first innings of traction with a lot of our newer modules. And it’s kind of a game that we saw a film that we already saw and we see it growing over time. So all in all, we feel the potential is quite significant.

Andrew Nowinski — Wells Fargo — Analyst

Okay, thanks guys.

Operator

Thank you. The next question is from Patrick Colville with Deutsche Bank. You may proceed.

Patrick Colville — Deutsche Bank — Analyst

Hi, there. Thank you for taking my question. So sequential ARR grew $37 million bucks if I’m not mistaken, Just a kind of housekeeping items. I presume Scalyr — likewise in first quarter, right. So that $10 million you called out of inorganic ARR fell in 1Q right? So that’s $37 million that you guys dis this Q was all organic, is that right?

David Bernhardt — Chief Financial Officer

That’s correct. We got $9 million ARR when we acquired Scalyr. It’s now $10 million. Our focus with Scalyr has obviously been on implementing the technology not on really pushing our go-to-market. That’s something we’ll advance once we get it completely tied into the SentinelOne backend. So yes, $37 million.

Patrick Colville — Deutsche Bank — Analyst

Okay. Sorry, just for clarity, so that $10 million was in 1Q and does it [Speech Overlap]

David Bernhardt — Chief Financial Officer

$1 million incremental between Q1 and Q2 for Scalyr, so we acquired them at $9 million, they’re currently $10 million.

Patrick Colville — Deutsche Bank — Analyst

Okay. That’s great. Could I just, I guess follow on about the competitive environment. I mean, how is going public helps in the enterprise or I guess landing kind of our partners or SI partners is, has the — I guess the publicity and profile of being a public company assisted in that? Or is it actually kind of very similar to what you guys already seeing in a pre IPO?

Tomer Weingarten — Co-Founder and Chief Executive Officer

I think we’re definitely seeing an elevation of the brand and we’re definitely seeing more market presence. I think the tax that we choose to be very transparent about what the company does is dispelled. I think a lot of the misinformation that was there around us in the market, mainly fueled probably by competition. So for us right now we feel better traction, we feel better competitive environments, more that’s for sure. And that’s not only fueled by our IPO, but also a great performance in the Gartner Magic Quadrant where we were singled out as a the vendor with the most critical capabilities out of every vendor out there for any buyer type. I mean, that just comes to show that home prevention and all the way to detection response and remediation, our platform today holds the most capabilities out of any other platform out there.

So, all in all, I think, again, multiple factors come into play, the IPO shining a spotlight on all of them. And now we’re seeing I think just increase in accelerated traction across the board, both in partners and with customers, with sales cycles and with competitive win rates.

Patrick Colville — Deutsche Bank — Analyst

Great, thank you so much.

Operator

Thank you. The next question is from Shaul Eyal with Cowen. You may proceed.

Shaul Eyal — Cowen. — Analyst

Thank you. Congrats, guys, on the strong debut quarter. Dave, when we think about your Czech Republic R&D facility, is that driven by global lack of talent? Is it driven by higher R&D costs in the West Coast or in Israel or is it pretty much all of the above? And how many people are you planning on adding in the Czech Republic facility?

David Bernhardt — Chief Financial Officer

Sure. So we obviously look for global talent everywhere. One of the reasons that we’re looking at the Czech Republic is because they do have an excellent amount of cybersecurity talent assets than in U.S. So we’re going to continue to look for areas where we can advance, what we need in terms of driving our product and our innovation. Obviously, there are areas that are economically more viable in terms of full strategy. So we’re going to continue to monitor that and we’ll do that for the foreseeable future.

Shaul Eyal — Cowen. — Analyst

Got it. And maybe a question on cohort analysis that if it’s not too early. Can you talk to us maybe from the quantitative or maybe just from a qualitative perspective on the LTV of cohorts over the past few quarters now going to say even a few years, specifically on the heels or the fact that, your deal with greater than 1 million have been fantastically on the rise as of late.

Nicholas Warner — Chief Operating Officer

This is Nick here. So we really think about growing the business from a new model perspective as well as learning to extend. If someone asked a question on that, the answer is yes, we’re doing both. What we’re seeing and Tomer talked about this is with a tremendous innovation, introduction of new modules, new surfaces to protect, new problems to solve, we’ve seen huge length in expand opportunities. And in fact, 50% of our customer base is running our core or control package. We can upgrade those folks to complete many modules to cross-sell and up-sell. What we’re also finding is at time of sale for new customers, they’re predicting landing with a complete package with other modules as well. So we’re really seeing a combination of both of those things, driving our average deal size or NNR, our retention, all of those things are up into the right for really those reasons. I think the last thing I would leave you with just echoing sort of overall market momentum, awareness and adoption of technology like SentinelOne is really taking in a big, big way. And so that’s also driving a lot of the adoption.

Shaul Eyal — Cowen. — Analyst

Got it. Thank you so much. Good luck.

Nicholas Warner — Chief Operating Officer

Thank you.

Operator

Thank you. The next question is from Roger Boyd with UBS. You may proceed.

Roger Boyd — UBS — Analyst

Oh, terrific. Thank you very much for taking my question. I guess relative to the partner retention results, you call that the success with tiers and modules. Wondering if you can talk about the impact of cloud workload protection? Where do you think you are in that opportunity? And any sense of the penetration that product has with customers today?

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah, we’re looking definitely to expand more and more into cloud security. And specifically, when we talk about cloud security, we talk about workload protection platform and broadband protection. Today, I think we’ve shared that it’s already about 10% contribution into our revenue is coming from the cloud and server protection piece that we sell. We’re seeing more and more traction in cloud security. And to us, we also continue to bolster the capability set there. We’ve added CIS benchmarking capabilities just a couple of quarters ago and we’re seeing better and better reduction. We’ve introduced our cloud workload protection platform as an integral part of the AWS marketplace and that drives adoption as well. So all in all, we’re definitely seeing an opportunity. That’s almost completely greenfield there. And we feel like a lot of our customers are coming back to us now that they’re starting to transition into the cloud and they’re deploying into their Kubernetes environment, into native cloud environment. We actually have a product that is completely agentless that’s been tapped into the Kubernetes control plane and immediately cover all containers.

So, all in all, we feel well positioned to continue and capture market share in the cloud workload protection platform space. And to us, again, if you couple that with the platform approach with everything coming back to the same security data lake, then you really start unlocking synergies and you allow security teams to really ask a question once and get an answer from every part of their enterprise network that spans from the endpoint to the cloud and that becomes a very unique proposition.

Roger Boyd — UBS — Analyst

Very helpful. Appreciate the color. Thanks.

Operator

Thank you. The next question is from Alex Henderson with Needham. You may proceed.

Alex Henderson — Needham — Analyst

Great. Thank you very much. That was a great question from Roger, but I wanted to go into a slightly different angle on the cloud architecture that you bring. Certainly, selling to the IR partners and selling to other MSSPs and the managed direct people, you end up having to integrate them into your platform. Can you talk a little bit about the degree that your cloud structure, your ability to integrate microservices, your cloud native characteristics give you a differential advantage. And to what extent that partnership integration makes your partners more sticky over time and amplifies that loyalty?

David Bernhardt — Chief Financial Officer

Yeah, for sure. Our platform is 100% cloud native. I mean, we started in the cloud. I mean, it’s something that is today built in a complete multi-tenanted way, which is actually something that’s relatively unique in our space. And it also enables these partners to basically deliver their services in a much more effective manner. So they get up and running in seconds, they get a complete cloud tenant for themselves, they immediately deploy using our discovery and deployment services and then they leave the platform there for us to come in and monetize. And once again, all of that is 100% pure cloud motion, which not only enables speed but once again ease of use, ease of deployment, which just turns out to be a much more efficient model than the platforms that they’ve been using in the past, which obviously were more on-prem down. So to us, again, being completely cloud native, being multi-tenanted is the competitive differentiator we have for that part of the market, but also you can probably see the same type of buying motion in the enterprise as well where conducting a DLC, deploying the platform, is becoming easier and easier in all in a cloud-delivered fashion.

Alex Henderson — Needham — Analyst

I realize we’re running long here, but I wanted to add a second question. Could you talk a little bit about your hiring plans and sales. What type of capacity you see going forward in terms of your adds for the next couple of quarters? And then what’s the availability look like? And what does the cost look like? Are we seeing escalation in the prices of labor? And are there enough people out there to fulfill your needs?

Tomer Weingarten — Co-Founder and Chief Executive Officer

Yeah. Hi there. We’re definitely investing for growth. It’s an enormous opportunity out in front of us. So we’re going to continue to invest and build and grow our go-to-market teams. Our sales reps, sales engineers, channel managers are really investing in our go-to-market engine, but at the same time, what we’ve been also able to yield is increasingly greater sales efficiency. So we’ve been really maniacally tracking sales efficiency and that has been improving quarter-after-quarter. So we’re going to actually have each quarter a bigger sales team that is also more efficient helping us continue to drive growth. But the last thing and this is not to be underestimated with our unique go-to-market business is that multi dimensional channel that we talked about. Massive sales forces at various channel partners in the MDR space, MSSP partners, IR partners, traditional resellers and distributors. And so that’s the right way to think about our global field presence is adding all of those folks up and understanding that each time we’re adding a partner behind that are hundreds of sales reps, doing 2000 plus accreditations to date, that’s really building that flywheel, but we’re absolutely going to continue to invest in our own SentinelOne personnel as it relates to go-to-market.

Alex Henderson — Needham — Analyst

And on the cost and availability?

Tomer Weingarten — Co-Founder and Chief Executive Officer

Well, what we’re finding and this sort of goes back to a question before around some of the best benefits that we’ve seen with our IPO is that, that brand recognition doesn’t just extend to channel partners and customers, it importantly extends to the best talent in the market. And so our ability to get really, really good folks who can hit the ground running, bring tremendous yield, that’s enabling us to have great attraction and appeal to get the best talent in the market.

Alex Henderson — Needham — Analyst

Great, thank you very much.

Operator

And I would now like to pass the call back over to Tomer Weingarten, CEO of SentinelOne. Thank you. You may proceed, Mr. Weingarten.

Tomer Weingarten — Co-Founder and Chief Executive Officer

Thank you and thank you all for joining us today. We look forward to talking to you again in the near future. Thanks a lot.

Operator

[Operator Closing Remarks]