SentinelOne sells the Singularity Platform — an AI-native cybersecurity platform that autonomously detects, investigates, and neutralizes cyber threats across endpoints, cloud workloads, identities, and data. Think of it as a self-driving immune system for enterprise IT infrastructure.
The platform covers four major domains: - Endpoint Security (EPP/EDR): protects laptops, servers, VMs from malware, ransomware, and advanced attacks - Cloud Security (CNAPP/CWS): secures cloud workloads, containers, and Kubernetes environments at runtime - Data & SIEM (AI-SIEM): ingests petabytes of security telemetry, replaces legacy SIEMs like Splunk - AI Security (Prompt Security / Purple AI): secures enterprise use of generative AI tools and autonomously hunts threats via agentic AI
Subscription SaaS with hybrid monetization. SentinelOne sells annual platform subscriptions plus usage-based components. The recent launch of SentinelOne Flex (a consumption-based model with committed TCV) adds a hybrid layer: customers commit upfront for preferred economics, SentinelOne gets revenue visibility, and usage-based metering (security data lake ingestion, Purple AI queries) creates expansion upside.
SentinelOne captures value at the point of execution — the endpoint/agent layer. Unlike cloud-only security platforms that observe from the perimeter, SentinelOne's agent runs directly on the host machine, seeing and stopping threats at runtime. This is structurally harder to replicate than dashboard-layer tools.
One "unit" = an endpoint (device, server, cloud workload) protected by an annual license. Expansion comes from (a) more endpoints, (b) more modules attached per endpoint, and (c) usage-based upsell (data lake ingestion, Purple AI queries).
Increasingly fixed-cost with operating leverage. The platform architecture means adding a new module to an existing customer costs very little in incremental infrastructure. The gross margin improvement as non-endpoint revenue grows validates this. The 8% workforce reduction is explicitly about converting to a leaner cost structure that can scale with less headcount.
SentinelOne Flex, launched ~3 quarters before Q1 FY2027, crossed $200M in TCV already. It's a prepaid consumption model: customers buy upfront credits used across products. This creates:
- Committed revenue visibility (similar to SaaS)
- Usage-based expansion (similar to cloud hyperscalers)
- Easier multi-product adoption (one commitment, use any product)
- 7- and 8-figure deal sizes becoming more common
Flex is driving larger initial lands and longer commitments — critical for competing with CrowdStrike's Falcon Flex model.
SentinelOne's moat is rooted in its agent-based, AI-native architecture that was built from day one to operate autonomously — without human analysts and without constant cloud connectivity. The Singularity agent runs static and behavioral AI models directly on the endpoint, making real-time threat decisions at the point of execution.
This is fundamentally different from CrowdStrike's approach. Falcon is cloud-native: the agent collects telemetry and sends it to the cloud for analysis. Singularity runs the analysis locally on the agent. The practical consequences:
| Dimension | SentinelOne Singularity | CrowdStrike Falcon |
|---|---|---|
| Decision location | On the endpoint (agent) | In the cloud |
| Offline protection | Full autonomous capability | Limited without cloud |
| Response latency | Machine-speed (sub-second) | Cloud round-trip dependent |
| Architecture philosophy | AI-native from inception | Cloud-native, AI layered on |
| Platform unification | Single data lake, single agent | Modular acquisitions stitched together |
This architectural difference creates a structural advantage in three growing segments:
Air-gapped / restricted environments — government, defense, critical infrastructure where cloud connectivity isn't allowed. SentinelOne works fully offline. CrowdStrike doesn't.
AI workload protection — securing AI agents and models running on Linux/Mac, where SentinelOne has deep parity that competitors lack. "You simply cannot deliver comprehensive AI security without deep foundational visibility at the point of execution." — Tomer Weingarten, Q1 FY2027 call.
MSSP/MSP ecosystem — multi-tenant architecture with autonomous capabilities means fewer SOC analysts needed, creating massive cost efficiencies for managed providers. Level Blue (world's largest MSSP) consolidating onto Singularity validates this.
After years of ARR growth deceleration (from hypergrowth to ~22%), SentinelOne delivered record net new ARR of $44M in Q1 FY2027, up 55% YoY. This is the 4th consecutive quarter of positive net new ARR growth. ARR growth re-accelerated to 23%. This re-acceleration after crossing $1B ARR suggests the platform flywheel is working — not just endpoint, but cloud, data, and AI security are contributing.
The platform no longer depends on a single product. AI security ARR "nearly doubled again" in Q1 FY2027. Cloud ARR accelerated. Data/SIEM ARR accelerated for the 4th consecutive quarter. This multiproduct expansion creates switching costs: a customer using endpoint + cloud + AI-SIEM + Prompt Security is much harder to rip out than one using only endpoint.
No competitor has an equivalent to Prompt Security — an enterprise-grade, deployable solution for securing employee GenAI usage and AI agent infrastructure. The Q1 call cited a standalone Prompt win at an "iconic enterprise" that beat the incumbent next-gen vendor's "incomplete AI offering." Management described it as a strategic entry point that opens the door to displacing competitors' endpoint footholds entirely.
The CrowdStrike Falcon sensor outage on July 19, 2024 was the most significant cybersecurity industry disruption in years. It exposed the risk of kernel-level cloud-dependent agents and should have been a massive opportunity for SentinelOne. The record: SentinelOne gained some share — media reports from March 2025 cited "CrowdStrike market share slips as SentinelOne and Securonix gain ground" — but the displacement was gradual, not seismic. CrowdStrike's ARR continued growing through the incident, suggesting switching costs and bundling inertia are real. SentinelOne likely captured more evaluation cycles than actual displacements, and is converting those now (the Q1 FY2027 acceleration may reflect deals seeded during that window).
However, the bigger impact was structural: the outage redefined the acceptable risk profile of cloud-dependent agents. SentinelOne's offline-first, autonomous architecture went from "nice to have" to "must-have" in RFPs for regulated and critical infrastructure — exactly the segments where S is now landing large deals.
CrowdStrike has $5.25B+ ARR vs SentinelOne's ~$1.16B. That's ~4.5x scale. This means: - CRWD's R&D budget dwarfs S's (even if S is more capital-efficient) - CRWD's channel reach, brand recognition, and module breadth are larger - CRWD can afford to bundle more aggressively (Falcon Flex vs SentinelOne Flex) - CRWD's threat intelligence (Falcon Intelligence, OverWatch managed hunting) is deeper and more commercially proven
Microsoft Defender is bundled with E5 licenses, making it "free" for enterprises already paying for Office 365. Microsoft was ranked #1 in modern endpoint market share by IDC for three consecutive years. For price-sensitive buyers or Microsoft-aligned shops, Defender is "good enough" and already paid for. Both S and CRWD must justify their premium over "free."
The industry narrative oscillates between "consolidate onto one platform" and "best-of-breed for each layer." CRWD and Palo Alto Networks push consolidation. SentinelOne pushes "unified AI-native platform" but in a different framing — it's consolidating onto an AI-native architecture, not onto an incumbent. The risk is that buyers choose the safer, larger platform.
Prompt Security is a unique asset today, but the window is narrow. Every major security vendor is racing to add AI security capabilities. CRWD's Charlotte AI, Palo Alto's AI Runtime Security, Wiz's AI-SPM. If SentinelOne can't convert its first-mover advantage into durable market share in the next 12-18 months, this advantage evaporates.
The 8% workforce reduction is being framed as "deliberate evolution" but restructuring during a growth phase is inherently risky. If sales productivity dips or key talent departs, growth could stall just when the opportunity is largest.
Verdict: Widening, but with an asterisk.
The moat is widening because: - AI-native architecture is becoming more valuable as threats become autonomous and offline protection becomes non-negotiable - The platform is diversifying beyond endpoint — 50% non-endpoint ARR creates stickier customer relationships - Prompt Security and Purple AI are genuinely differentiated capabilities that competitors can't replicate quickly - The Flex model is working — $200M TCV in ~3 quarters proves the consumption model resonates
The asterisk: widening from a smaller base. CRWD's scale moat (distribution, brand, R&D budget) is also widening. In absolute terms, the gap in ARR ($1.16B vs $5.25B) may be stable or even growing slightly. SentinelOne can build a generational business without overtaking CRWD in market share — but the question of whether this is a winner-take-most market hasn't been settled.
The critical variable is whether AI security creates a new category that isn't captured by endpoint incumbency. If securing AI agents and GenAI usage becomes a standalone buying decision (not an endpoint upsell), SentinelOne's positioning is ideal. If it's absorbed into existing endpoint/cloud bundles, CRWD and Microsoft have the advantage.
Date: Q1 FY2027 earnings call, May 28, 2026
Speakers: Tomer Weingarten (CEO), Sonalee Parekh (CFO — first earnings call)
Overall Tone: Confident, focused on execution, margin discipline, platform acceleration
Market Reaction: Stock dropped ~8% — strong ARR beat offset by guidance miss and layoff announcement
Weingarten's tone has evolved from "we're the challenger" to "the market is coming to us." He frames AI as an existential tailwind — not just a product feature but the organizing principle of the entire platform. Key rhetorical moves:
Confidence signals: - Describes Q1 as "a solid start" — not hyperbolic, but comfortable - "4th consecutive quarter of positive net new ARR growth" — framing this as a trend, not an anomaly - Explicit about displacing incumbents: "winning standalone AI security deals from the customers of our direct competitors" - "Nearly half of the existing endpoint sector is still using legacy antivirus solutions" — the TAM story is intact
Concern signals: - The 8% workforce reduction is framed as "deliberate evolution" but any headcount cut during a growth phase deserves scrutiny - "We have been carrying more organizational capacity I think we require at this stage of our scale" — implicit acknowledgment that prior hiring outpaced efficient deployment
Parekh joined from RingCentral (CFO; scaled to $2B+ ARR) and a brief stint at Asana. Her background is scaling SaaS finance operations. First impressions:
The "Sonalee effect": A new CFO from a company that scaled to $2B+ ARR brings operational rigor. She talks in levers — unit economics, sales productivity, NRR improvement, operating margin exit rates. This is a shift from SentinelOne's historical growth-at-all-costs posture. The fact that she immediately got a margin upgrade through (FY2027 op margin guide raised to 10%, with exit rate "significantly above" that) suggests the prior model had fat to cut.
Credibility markers: - Acknowledges RPO as a leading indicator ($1.5B, +30% growth) - Disaggregates NRR: GRR "stable for many, many, many quarters" (retention strength), NRR improving in $100K+ cohort to "above 110" - Direct about guidance conservatism: back-end loaded deals, larger deal mix creating timing effects — not hiding behind vagueness
Watch items: - She's 60 days in. The restructuring plan was likely in motion before she arrived. Her real impact on operating model shows up in FY2028. - "Prompt ARR nearly doubling again" — she's already fluent in the product metrics, which is good. But we need to see if she maintains investment in emerging products when the macro gets harder.
"Enterprises realize they cannot defend against AI driven threats by consolidating onto legacy platforms that simply bolt on separate tools together. What is needed is a natively unified AI driven data and security architecture. And that is what SentinelOne delivers."
Implication: Direct attack on CRWD and PANW's acquisition-assembled platforms. Positions S as the "purpose-built" alternative.
"You simply cannot deliver comprehensive AI security without deep foundational visibility at the point of execution. On the host machine, that runs AI."
Implication: The architectural argument distilled. If true, CRWD's cloud-heavy model is structurally disadvantaged for AI workload protection.
"While our competitors cannot really secure these environments [air-gapped/on-prem], this provides an emerging growth avenue for us."
Implication: The offline autonomous capability is becoming a real moat in high-security segments — government, defense, critical infrastructure.
"We are increasingly winning standalone AI security deals from the customers of our direct competitors. This serves as a strategic entry point to expand our broader market exposure."
Implication: Prompt isn't just an upsell to existing S customers — it's a competitor-displacement wedge. The "iconic enterprise" deal where S won against the incumbent's AI offering is the proof point.
"An iconic enterprise selected Prompt Security over the incomplete AI offering over their incumbent next gen vendor...we have opened the door to displace that next gen competitor."
Implication: If Prompt converts evaluation wins into platform displacements, the growth trajectory changes. Watch for evidence of this in coming quarters.
"This is not a reactive measure. It is a deliberate evolution to reduce complexity, raise the performance bar, and build a leaner, more agile SentinelOne."
Implication: Weingarten needs this to be seen as optimization, not distress. The CNBC coverage framed it alongside Block, Wix, Atlassian, Cisco — "AI-driven restructuring" is the narrative umbrella.
"We are barely impacting our technology groups with this. We are focused on streamlining parts of the organization."
Implication: R&D is protected, G&A and underperforming sales roles are the target. This is the "right" kind of restructuring for a technology company.
"We need to put ourselves firmly on the path to rule of 40. Which means not just efficiency, but durability."
— Sonalee Parekh
Implication: The new CFO explicitly names Rule of 40 as the target. At ~20% growth + 10% operating margin (FY2027 guide), the Rule of 40 score is ~30%. The exit rate being "significantly above" 10% margin suggests ~14-15% exit margin → Rule of 40 score in the mid-30s by Q4 FY2027, with full Rule of 40 achievable in FY2028 if growth holds.
"We have all the ingredients to scale into a multibillion dollar, highly profitable, durable business."
Implication: The ambition is explicitly "multibillion dollar" — implying the company sees itself as more than a niche challenger.
"GRR...it's actually been stable for many, many, many quarters. I remember seeing that and thinking that is an extremely strong sign just in terms of the stickiness and mission criticality of our platform."
— Sonalee Parekh
Implication: Gross retention stability is a strong signal. When you're smaller than the market leader, you'd expect more churn if the product wasn't competitive. Stable GRR means customers who try S tend to stay.
"Net retention expanding in our $100,000 plus cohort...to above 110."
Implication: The largest, most strategic customers are expanding. This is where platform adoption (endpoint → cloud → data → AI security) shows up in the numbers. NRR above 110 for this cohort is good, though peers (CRWD) have historically shown higher.
| Topic | FY2026 10-K (filed ~March 2026) | Q1 FY2027 Call (May 2026) | Delta |
|---|---|---|---|
| Revenue | $1,001.3M (+22%) | $277M Q1 (+21%); guided $1.195–$1.205B full year | Consistent — same growth cohort |
| ARR | $1,119.1M (+22%) | Accelerated to +23%; $44M net new ARR (record) | Improving — re-acceleration |
| Net Loss | $450.7M in FY2026 | Non-GAAP operating income positive (4% margin in Q1) | Major improvement — GAAP still negative but trajectory shifting |
| Op Cash Flow | $76.6M positive (full year) | TTM adjusted FCF margin 6.5% | Steady improvement |
| SBC | $297.6M (significant) | Not discussed on call (non-GAAP focus) | Investors should track — still a large GAAP drag |
| ITA Settlement | $180M tax expense, $235M installments through FY2031 | Not mentioned on call | Resolved, no longer an overhang |
| Restructuring | March & July 2025 plans, ~$12.3M charges | New 8% workforce reduction, $25M Q2 charge | New action — more aggressive than prior plans |
| Share Buyback | $200M program, 12.2M shares repurchased at avg $16.39 | S&P: "opportunistic" capital allocation, buybacks at current levels viewed as positive ROI | Management sees shares as undervalued |
| Acquisitions | Prompt Security ($160M) + Observo AI ($185M) in FY2026 | Prompt highlighted as growth engine, Observo integrated into AI-SIEM narrative | Acquisitions appear to be integrating well |
| Risk Factors | AI regulatory risks, Israel geopolitical, dual-class stock, reliance on channel | Not addressed on call (normal for earnings call) | Channel dependency flagged in 10-K but not a call concern |
| Competition | CRWD, MSFT, PANW, Wiz listed | Indirect digs at "legacy platforms" and "incomplete AI offerings" — not naming names | More aggressive posture on call |
Profitability messaging gap: The 10-K shows a $450.7M GAAP net loss with a $2.1B accumulated deficit. The earnings call focuses entirely on non-GAAP metrics (4% operating margin). The gap between GAAP and non-GAAP is primarily SBC ($297.6M), which management excludes. This is standard for SaaS but worth noting — SentinelOne is "profitable" on a non-GAAP basis but deeply unprofitable on a GAAP basis.
Growth expectations: The 10-K is backward-looking (FY2026 ended Jan 31, 2026). The call shows Q1 FY2027 acceleration (23% ARR growth vs 22% in FY2026). But the full-year revenue guide of $1.195–$1.205B represents only ~20% growth — implying deceleration through the year despite current momentum. This is the Morgan Stanley analyst's concern: "lack of material guidance raise leaves in holding pattern."
Headcount trajectory: 10-K says "over 2,900" employees. Q1 call: "over 3,000" at end of April. Then an 8% cut (~240 people). The company grew headcount modestly QoQ then cut — suggesting some of those hires weren't the right profile, consistent with Weingarten's "profile of hiring is also changing" comment.