Earnings Call Transcript
SentinelOne, Inc. (S)
Earnings Call Transcript - S Q2 2022
Operator, Operator
Good evening. Thank you for attending SentinelOne Second Quarter 2022 Earnings Conference Call. All lines will be muted during the presentation portion of the call with an opportunity for questions and answers at the end. I would now like to pass the conference over to your host, Doug Clark, Head of Investor Relations with SentinelOne. Thank you. You may proceed.
Doug Clark, Head of Investor Relations
Good afternoon everyone and welcome to SentinelOne's earnings call for the second quarter of fiscal year 2022 ended July 31st. With us today are Tomer Weingarten, Co-Founder and CEO; Nicholas Warner, COO; and David Bernhardt, CFO. Our press release and the shareholder letter were issued earlier today and are posted on our website. This call is being broadcast live via webcast. And following the call, an audio replay will be available on the Investor Relations section of our website. Tomer, Nick and Dave will begin with prepared remarks, and then we'll open the call for questions. Before we begin, I would like to remind you that during today's call, we'll be making forward-looking statements regarding future events and financial performance, including our guidance for the third fiscal quarter and full fiscal year 2022, as well as certain long-term financial targets. We caution you that such statements reflect our best judgment based on factors currently known to us and that actual results and events could differ materially. Please refer to the documents we file from time to time with the SEC in particular, our S-1 and our quarterly report on Form 10-Q. These documents contain and identify important risk factors and other information that may cause our actual results to differ materially from those contained in our forward-looking statements. Any forward-looking statements made during this call are being made as of today. If this call is replayed or reviewed after today, the information presented during the call may not contain current or accurate information. Except as required by law, we assume no obligation to update these forward-looking statements publicly, or to update the reasons actual results differ materially from those anticipated in the forward-looking statements, even if new information becomes available in the future. During this call, unless otherwise stated, we will discuss non-GAAP financial measures. These as non-GAAP financial measures are not prepared in accordance with generally accepted accounting principles. A reconciliation of GAAP and non-GAAP results is provided in today's press release and in our shareholder letter. These non-GAAP measures are not intended to be a substitute for our GAAP results. The financial outlook that we provided today excludes stock-based compensation expense, which cannot be determined at this time and are therefore not reconciled in today's press release. And with that, let me turn it over to Tomer Weingarten, CEO of SentinelOne.
Tomer Weingarten, CEO
Welcome everyone and thanks for joining our first earnings call as a public company. This is the start of an open and informative dialogue. We value trust and transparency, and I'll have the opportunity to model this as a public company. And since this is our first earnings call, I'd like to give some background on our journey and how we got here. I will then turn it to Nick and Dave to provide some highlights from our most recent quarter and outlook. We launched SentinelOne in 2013 with the idea that cybersecurity incorporated faster speeds, greater scale, higher accuracy, and most importantly do this through more automation. We created an autonomous cybersecurity platform to deliver our vision. Attacks and threats are only becoming more sophisticated and more common, and legacy solutions and human defenses just can't keep up. Looking further, the older ransomware attacks, unfortunately this isn't new and it isn't going away and it's impossible to ignore. Our mission to protect our customers in our way of life has never been more important in a digitized world. There are several structural forces at play that will drive long-term and sustained growth for us in our industry. The growing threat landscape is just one of them. Next is the digital enterprise environment. More devices, more places, and more data requires updates to critical enterprise infrastructure, and that includes new attack surfaces such as containers and workloads. At the same time, we moved to a hybrid work environment. This is the new normal, forcing a revolution of how we work, where we work from, and fundamentally how we secure the future of work. The only way to ensure safety and security is with zero trust. Across the entire enterprise from endpoint to cloud, companies want partners and platforms, not siloed point solutions. Our open XDR approach is helping unify the entire enterprise view from data to device to cloud. Putting all of this together, cybersecurity has never been more critical and challenging for the enterprise. That gives me tremendous confidence in the long-term growth potential in front of SentinelOne. Over the last eight years at SentinelOne, we've developed AI and machine learning models, built patented storyline technology, and created an in-house cloud data platform. We knew from the beginning that the best solution would have to harness the power of data and AI. As a result, we're delivering real-time industry-leading threat detection and response from endpoint to IoT to cloud. To us, prevention is the fundamental component of modern-day cybersecurity. Equally critical is machine speed detection, response, and remediation. We've achieved many important milestones already this year. Certainly the IPO is part of that. At the same time, top scores from MITRE ATT&CK, the industry standard test for EDR, as well as the high score in the Gartner Critical Capabilities for each buyer type have helped build credibility and industry recognition. Operationally, we've expanded our board of directors and instituted an advisory board. With an eye to the future, we just announced that we'll be opening an R&D facility in the Czech Republic to support our growing scale and global presence. Finally, delighting our customers, I'm especially proud that our net promoter score, or NPS, has risen every single quarter in the past year. It jumped in Q2 to above 70. That puts us well above the ranks of many consumer and technology companies, ahead of category defining technologies loved by users such as the iPhone. Our customers choose us as their cybersecurity partner, and we take the responsibility and trust seriously. We're helping our customers stay ahead of all adversaries, prevent breaches, and autonomously respond through innovation. Turning to the business, in Q2, our ARR growth accelerated to 127% year-over-year, and our revenue was up 121%. I want to pause on that for a second. Our business is expanding well into the triple digits, both for ARR and revenue, and our guidance for Q3 shows that we expect that to continue. Our growth is well balanced across new and existing customers, as well as large and mid-sized enterprises. Enterprises represent about two thirds of our business today, and we're gaining even more traction. In Q2, we added the highest number of customers with ARR over $1 million compared to prior quarters. We're also expanding with existing customers to secure more devices and services along with bringing new security control and visibility modules. Our net retention rate was the highest it’s ever been at 129%. Our channel partners are bringing us into an increasing number of opportunities, giving our sales teams access, scale, and reach around the globe. Nick will talk a lot more about our differentiated go-to-market and how that's fueling growth. I'm proud of the technology and the innovation we're bringing to customers through our Singularity XDR platform. We sell three platform tiers: core, control, and our most comprehensive and popular tier, complete. These tiers enable us to bring our technology to a diverse set of buyer types and organizations from mid-sized businesses all the way to the world's largest Fortune 500 enterprises. We also offer more than 10 modules that extend our platform value to meet more enterprise needs, from IoT discovery and security to cloud and container workload protection. Our modules help customers with today's critical management protection and visibility challenges. In Q2, we enhanced our capabilities around automation, zero trust, and data. First automation, automation is key to neutralizing threats effectively and in real-time. Security teams simply can't analyze and respond to billions of events every day. The response piece is especially important. A human-powered 1-10-60 benchmark is a legacy model. Our customers want real-time response and protection. This is why our patented storyline technology is so important; it monitors and contextualizes all events across an enterprise at machine speed. That means fewer and more accurate alerts based on data. It also means autonomous remediation, taking machine-delivered responses to a whole new level of automatic efficiency. The chief information security officer of a Fortune 500 oil company captured it well, saying, "SentinelOne's storyline technology fundamentally changes EDR. Instead of people having to manually assemble data points, the technology assembles stories for us and even makes decisions in real-time. Game changer." We listen to our customers, adding even more automation capabilities. In Q2, we added Storyline Active Response, or STAR. With STAR, security teams can now create custom detection response rules and deploy them in real-time. In other words, write the rules once and let it trigger automatic alerts and instant responses enterprise-wide. That's more control, more automation, and more prevention. The secondary focus is around zero trust. Every edge of the network must be secured. We did this in two ways in Q2: tackling group IoT devices and expanding zero trust partnerships. An enterprise can't protect what it can see, including IoT and unmanaged devices. One compromised printer can quickly become an adversary's home base for an attack. The solution for the IoT and unmanaged device challenges is the Ranger module. Ranger identifies and tracks all rogue IoT devices, and we've just released Auto Deploy. Our new Auto Deploy capability tackles one of the oldest problems in enterprise IT: quickly deploying protection to unmanaged and sometimes unreachable assets with ease. Ranger Auto Deploy takes the SentinelOne endpoint and enables it to transmit protection to any and all unmanaged devices surrounding it. This is the first. We're already seeing demand for Auto Deploy, which helped secure a million-dollar customer win in Q2, where we replaced legacy AV in one of our other major next-gen competitors. We also expanded our marketplace ecosystem through new partnerships with Zscaler and Cloudflare; partnering with other zero trust leaders strengthens our customers' security postures. Finally, we're focused on data. Cybersecurity is fundamentally a data problem. We use AI to parse petabytes of data, identify anomalies, and autonomously mitigate attacks in real-time. Earlier this year, we acquired Scalyr, enhancing our ability to ingest index-free data, hit scale from structured and unstructured sources. Our goal is to optimize for scale, performance, and cost. We're excited about the future of go-to-market synergies. We've also begun transitioning our data back into Scalyr for new proof-of-concept deployments, onboarding new customers at scale. Before I turn it over to Nick and Dave, I want to say I'm excited about what we've achieved as the company. I am proud of the scale of our business and the triple-digit growth rates we've now delivered for two consecutive quarters. This is truly a testament to the hard work of the entire team at SentinelOne. Thank you to all of our employees and also our customers and partners. Your feedback and trust puts us on the winning side of cyber warfare every day. I'm even more excited about what we can do from here. The endpoint security market is large and growing, and we're just at the beginning. Cyber defense should be even more holistic. It has to be flexible and automated, and that means not just across the endpoint operating systems, but also IoT devices, servers, cloud workloads, and the data itself. This is XDR. We are XDR. And with that, let me turn it to Nick Warner, our Chief Operating Officer.
Nicholas Warner, COO
Thank you, Tomer, and I'd also like to welcome everyone. I've been at SentinelOne for over four years now. Everyone here has a lot to be proud of, especially how quickly we've scaled in just the past year alone. We've built a go-to-market flywheel of sales and marketing, our channel and technology partners; together our brand and market traction is reaching new highs. Let's discuss the business. ARR of nearly $200 million and growing 127% is nothing short of astounding. Looking back, it took over three years to reach $100 million in ARR and just three quarters to nearly reach the next $100 million. Our future is unbounded. That's because of vision, execution, and listening to the needs of our customers. Over 5,400 customers use our Singularity XDR platform. That's over 2000 more than last year. I'm delighted to help protect that many businesses. Our customers are diverse in size, scope, and geography. Our focus on automation, speed, and accuracy is critical to any enterprise; in fact, all enterprises. We're protecting even more mission-critical businesses. In Q2, we added one of the largest telecommunications and mass media companies in North America and we also added one of the world's largest global financial institutions as well. Make no mistake, this is a competitive market. We go up against incumbent and next-gen players all the time. When I think about how we're doing in the market, three things capture it most effectively. One, our 97% gross retention rate, which means our customers are happy and staying with us. Two, we don't compete with our channel partners, so they are able to lead with our technology platform. We enable and embrace the channel. And three, we win more than 70% of POCs against the competition. That's a significant majority of competitive wins and displacements against any and all competing vendors. Let me share some more detail from the quarter. We're making tremendous progress with large enterprises, which represent about two thirds of our business. We grew customers with ARR over $100,000 by 140% versus last year. We added the highest number of million-dollar ARR customers this past quarter. In the past year, we've more than tripled the number of customers with ARR over 1 million. It's clear from both of those points that we're succeeding with larger customers and landing larger deals. Our net retention rate was 129%, a new record for our company; fantastic execution from our sales and go-to-market teams. We're helping customers expand agent deployments, access more functionality with package tiers, and adopt new module solutions. When it comes to our modules, our innovations help enterprises do more. Just looking at our modules that cover IoT, cloud, and data, these grew more than 6x year-over-year in Q2 and represent over 10% of the quarter's new business. We're still early with our modules and see this as a long-term lever for our business. Next, I'll share some insights on our go-to-market. Our internal sales and support teams combined with our diverse and growing partner ecosystem give us an incredibly vast reach. Earlier this year, we rolled out a new channel partner training and accreditation program. Feedback has been positive, and we've issued over 2,000 accreditations to date. Our strong channel metrics are leading pipeline and traction indicators. We partner with managed security service providers, MSSPs, managed detection and response providers, MDRs, and incident response partners. We equip them with industry-leading capabilities and in return we get tremendous market access and scale. We don't compete with them; we support and enable their business. We're rapidly expanding this ecosystem, and it's driving meaningful growth for us. I want to double click on our incident response partnerships. Driven by the rising wave of ransomware attacks, breaches have become pervasive for businesses around the world. In the unfortunate but often common case of a company being breached, incident response partners are called in to identify and remediate the attack. They use our technology to understand what's going on, stop the attack, and remediate the network. Our ecosystem of incident response partners are armed with the best technology available when it comes to rapidly recovering from a breach. In Q2, we added over a dozen additional incident response partners and are bringing more online in Q3 and beyond. It's not just quantity, but quality. In Q2, we added world-renowned incident response partners like Kroll, Alvarez & Marsal, and Group-IB. These and others are global leaders with extensive enterprise relationships. These are the go-to experts who cyber insurers and boards call when there is a breach. In fact, our incident response partner ecosystem is our fastest growing channel. For all of us at SentinelOne, our values and goals align on protecting customers and putting them first. From sales to support, marketing to channels, business development to customer success, Vigilance MDR to SentinelLabs, our go-to-market organization is world-class, and I'm proud to work with this global team of relentless Sentinels each and every day. Thank you. And let me turn it over to Dave Bernhardt, our CFO.
David Bernhardt, CFO
Nick, Tomer, thank you. And thank you all for joining us today and hopefully in the future. I'll touch on a few of the highlights before we open for Q&A. There's a lot more detail in our shareholder letter, which I welcome you to view on the Investor Relations section of our website. We are very excited about our performance in the second quarter. Looking at our Q2 results, we achieved record revenue of $46 million, increasing 121%. Fueled by new customers and existing customer expansion, we delivered ARR of $198 million in the quarter, accelerating 127% year-over-year. Even after backing out the $10 million in acquired ARR from Scalyr, our organic growth was still well into the triple digits. Obviously, we're very enthusiastic about our top line drivers. Now we'll discuss our costs and margins and then provide our guidance outlook. Our non-GAAP gross margin in Q2 was 62% and expanded 900 basis points, a healthy pickup from last quarter. The biggest benefits are coming from our increasing scale and business expansion. Additionally, we're also starting to see benefits from our renegotiated cloud hosting agreement, which we signed earlier this year to align with our expected growth. Looking at the rest of our P&L, we're investing for growth and it's clear that it's working, once again reflected in our triple-digit top line growth rates. During the quarter, we made strategic investments in preparation for becoming a public company, enhancing our product and scaling our go-to-market. Our non-GAAP operating margin was negative 98%, an improvement over negative 101% in the year-ago quarter even as we prepared for our IPO. In the shareholder letter, we've reiterated our long-term margin targets. These are the same targets that we shared during the IPO. The key point is that as we progress to our long-term targets, we intend to invest in growth while also improving our margins and profitability. A recent example is the diversification of our R&D footprint outside of Israel and Silicon Valley. We just announced that we'll be expanding our engineering excellence into the Czech Republic. With all of this opportunity in front of us, fiscal 2022 remains an investment year. Now for our outlook for Q3 and the full fiscal year. In Q3, we expect revenue of $49 million to $50 million, reflecting growth of 102% at the midpoint. For the full year, we expect revenue of $188 million to $190 million, or 103% growth at the midpoint. We expect the strong momentum we saw in Q2 to continue next quarter and our structural tailwinds to persist. Combined with ongoing benefits from our product innovation, improved brand awareness, and continuing to scale our go-to-market, this collectively supports our triple-digit growth outlook. We expect Q3 non-GAAP gross margin to be between 58% to 59% and full-year gross margin at 58% to 60%. Most importantly, this remains well above 53% we reported in the first fiscal quarter of this year and at or above 58% we delivered in fiscal 2021. We are benefiting from increased scale, cloud hosting agreements, and processing efficiency gains. Reflected in our guidance is our plan to migrate existing customers to our Scalyr backend in Q3 and Q4. The migration will result in some duplicative storage and processing costs as we ensure data and performance continuity. This is intended to further improve data processing for the future and unlock long-term platform and go-to-market synergies. Excluding the redundant costs for the Scalyr migration, we estimate fiscal 2022 gross margin would be roughly similar to our gross margin we achieved this quarter. Finally, for operating margin we expect negative 96% to 99% in Q3. Our full-year operating margin guidance is for negative 99% to 104%. This is an improvement upon our fiscal year 2021 operating margin of negative 107%. We see tremendous opportunity for growth, and the investments we're making today will put us in a position to succeed for the long-term. Finally, we have two quick housekeeping items. Both of these are included in the shareholder letter with more detail as well. The first item is share count. We ended Q2 with total basic shares outstanding of 265 million. This is the base run rate going forward. The second item is the lockup. We have two triggers. The first is on September 28. If the stock price remains at current levels, it will unlock up to approximately 40 million outstanding shares as of July 31, 2021, excluding vested equity awards. The remainder of the lockup will expire subsequent to our Q3 earnings report. In closing, Q2 was an excellent quarter with strong execution, and we're expecting that momentum to continue into the second half of the year. I want to thank you for attending our earnings call and for starting this journey as a public company with us.
Operator, Operator
Certainly. We will now begin the question-and-answer session. The first question is from Hamza Fodderwala with Morgan Stanley. Thank you. You may proceed.
Hamza Fodderwala, Analyst
Hey guys, thank you for taking my question and congrats on your first quarter post-IPO. Just on – maybe a question for either Nick or Tomer, I wanted to dig into some of the partnership announcements you guys have made in recent months, particularly with Zscaler and Cloudflare. What do you think – one for Tomer, to what extent does that validate your technology given that you're partnering with other next-gen vendors on the network security side? And then from a go-to-market perspective, for Nick, what type of incremental benefit will these partnerships bring?
Tomer Weingarten, CEO
Yes. Thanks for the questions, Hamza. For us, it's really about stepping forward towards a more inclusive, open XDR approach and also producing a more Zero Trust ecosystem around SentinelOne Singularity platform, really fusing together endpoint, which is the edge of the network with the cloud and now identity and the user as well. To us, that’s the trinity that forms Zero Trust, and that's why we're partnering with these vendors. Obviously, we find them in more and more accounts that we sell into, so that also becomes something that our customers are asking us to do. So all in all, it just really kind of falls in line with both of our Zero Trust strategy and our open XDR approach. The idea is over time to continue and ingest more data from all of these adjacent solutions in the enterprise into our open XDR platform. So to us, again, it really falls into the strategy that we took up by enabling our customers to pick any vendor and indeed build on top of the Singularity platform.
Nicholas Warner, COO
Hi, and this is Nick here. From a go-to-market perspective, what it means for our customers is we really allow them to realize even greater ROI on previous solutions that they had purchased. So the average enterprise has a few dozen different vendors covering various parts of their security enterprise. With our vision of XDR being open, inclusive, and easy to use, we're really doing is up-leveling the capabilities of those traditional and already installed products, adding tremendous value with the Singularity platform, but weaving that all together into a complete and holistic view of security. This is really the promise that we're delivering upon with XDR.
Operator, Operator
Thank you. The next question is from Brian Essex with Goldman Sachs. You may proceed.
Brian Essex, Analyst
Hi, good afternoon. Thank you for taking the question and congratulations on another really nice quarter of acceleration here. And maybe Tomer, I would love to get your feedback on, I think in your prepared remarks you talked about two-thirds of your business being enterprise focused. What was the mix in the quarter? And what do you anticipate going forward for larger enterprise mix? I see that landed costs per new logo is certainly much higher than it was last quarter. So just trying to think about the trajectory there and maybe the most fundamental thing that changed in the quarter to drive that improvement.
Tomer Weingarten, CEO
Yes. For us, it really is a good mix. I mean, we feel like our traction in the enterprise and definitely 140% growth year-over-year and $100,000 deals and above is a good reflection of how much bigger we're landing in accounts—225% on $1 million deals, again, a good reflection of our traction in the enterprise. But at the same time, we feel the presence in the mid-market is important, and it's something that actually is a very efficient go-to-market for us. So we like that mix; we feel it's a good one for us. We'll continue to drive it. Definitely on the enterprise side, we've seen more lands with our complete tier, actually more attached to Ranger, more attached to Vigilance, more attached to data retention. So all in all, we're seeing massive adoption for not only what is now becoming our premium tier, which is complete, but on top of that to the add-on modules that we have. We intend to do the same also on the mid-market where we enable our channel ecosystem to carry more than just endpoint protection and several cloud security. So all in all, we feel that mix is a healthy one and one that we would like to carry into the future.
Brian Essex, Analyst
Got it. And maybe just a quick follow-up for Dave. I mean, you mentioned real quick the duplicative costs associated with the Scalyr migration. When might we see that abate and maybe the margins might be able to accelerate off the inclusion of that?
David Bernhardt, CFO
Sure. It's predominantly in the second half of this year. So you'll see it in Q3, you'll see it in Q4, and then it should dissipate beyond there. We're working on getting our largest customers over first, which is why you see the depth that we're expecting in the second half, but going forward, we think we should have a baseline of around where we're at right now, barring any other efficiencies we see on the product as we continue to advance it.
Operator, Operator
Thank you, Mr. Essex. The next question is from Saket Kalia with Barclays. You may proceed.
Saket Kalia, Analyst
Okay, great. Hey guys, thanks for taking my questions here and echo my congrats on becoming a public company. Tomer, maybe for you. I was hoping you could just talk a little bit about the broader distribution channel a bit. I guess the question is how do you sort of judge the scale of your channel? And where do you see it kind of going in the next year coming off the IPO?
Tomer Weingarten, CEO
Yes. It's a great question because we look at our channel in a very inclusive manner. We definitely kind of look at the distribution channel, reselling channel, but the ones that are a little bit more classic to security is going to be incredibly strong. At the same time, the ability to also take the same platform, license it to MSSP providers gives us a tap into a completely different part of the TAM. As Nick mentioned in the prepared remarks, our ability to now sign up most of the incident response providers, most of the leading incident response providers in the U.S. is providing for another channel that expands the gamut of what we see in terms of market opportunities. So all in all, we feel pretty good about our market presence in the channel ecosystem. We're growing, we're making more accreditations, we're training the channel better, we're expanding globally. So to us, we've built a really strong foundation in the channel, but now we're just going and accelerating, and enabling the channel, preparing more modules is another tier in our ability to unlock doing the vast opportunity in the channel ecosystem.
Nicholas Warner, COO
This is Nick here. What I'd also add to that is uniquely with SentinelOne, we've made a strategic decision to enable and not compete with the various multi-dimensional channel partners out there, whether that's MDRs, MSSPs, or incident response partners, as well as traditional resell partners. What that's really driven by enabling their business and not competing is incredible loyalty and brand loyalty with SentinelOne, and that's something we've been working really hard on for the last several years. So we're really starting to see that, that flywheel kick in, in all the different facets of go-to-market channel partner ecosystem.
Saket Kalia, Analyst
Got it. That's really helpful. David, maybe my follow-up for you. Tomer just sort of talked about this just briefly in the last question, but I was wondering if you could just double click a bit on the mix of customers across the different Singularity peers, specifically core, control, and complete. What are you sort of seeing in terms of new customers and existing customers in terms of the peers that they're sort of opting for?
David Bernhardt, CFO
Sure. It's about half of our customers we still use core or control, with the larger enterprise customers obviously using the complete solution. There's a mix across all of them, but there's certainly an opportunity for us to continue to see the customers and core control expand up to the more complete offering, as well as add more modules, etc. I think that goes into why you're seeing 129% ARR. We're seeing customers not just expand their footprint in terms of endpoints, but also expand into much more robust offerings.
Operator, Operator
Thank you. The next question is from the line of Rob Owens with Piper Sandler. You may proceed.
Rob Owens, Analyst
Great, and appreciate you guys taking my question. I think building a little bit on Saket's question, but I wanted to touch on the net dollar retention rates. Is this coming from an expansion in seats? Is this coming from the tiers that you talked about and up-sells within the base or a lot of that growth coming from the adjacent modules?
Tomer Weingarten, CEO
It's actually all of the above, and we definitely focus on basically providing the customer the choice. License counts naturally organically extend over time. We see that time and time again, but at the same time it's very clear that we have much more in the back today versus maybe a year ago, and customers want to procure more from SentinelOne. They want to cover more surfaces. They want to use more abilities; they're opting for our services. What we're seeing traction all across these three different vectors, which would be again seat count expansion, more modules, different tiers. We see that time and time again, and we like that net retention rate. I mean, we feel it's going to hover around these rates for the foreseeable future, and we like their contribution.
Rob Owens, Analyst
As we look at customer acquisition, typically who are you going up against? Are you still seeing a lot of replacements of legacy out there, which would imply that there's still a long way to go in this market? Where is the battle coming down to more of the next-gen providers? Thanks.
Tomer Weingarten, CEO
Yes. I think it's 99% displacing an incumbent. It's always going to be competitive with at least one other next-gen competitor. But outside of that, I mean, we are doing displacements here and there, very anecdotal but we have those. The vast majority of what we see, it's absolutely taking market share from the incumbents. It's always a displacement. We've had multiple years doing customers of Symantec and McAfee switching over to SentinelOne this quarter, as this has been with the past quarters as well. We think the market momentum in customers understanding that they need to change the mindset and move over to a next-gen offering is not really mainstream. That comprises the vast majority of our pipeline.
Operator, Operator
Thank you. The next question is from Brent Thill with Jefferies. You may proceed.
Brent Thill, Analyst
Thanks. Tomer, you mentioned IoT, cloud, and data center seem really good uptake. I'm curious if you could just talk through how you look at the next couple of years in this segment and what you're seeing. I know you mentioned one of the IoT when sort of a multi-driven million dollars plus win. Can you just maybe help shape what's happening when these transactions are getting evolved and what you're seeing with overall expansion of deals?
Tomer Weingarten, CEO
Absolutely. Ranger for us has become truly a competitive advantage. Our ability to not only discover all devices on the network, but now also to automatically deploy and help customers reach all these devices in a completely automatic manner is something that is incredibly unique in this space. It's driving more adoption and driving more seat counts, which all in all it drives the stability for customers who shift away from their incumbent vendor with ease. It's not only about protecting those attack surfaces; it's also about ease of deployment and simplicity of use. We're seeing massive traction with that. We're seeing the ability for almost every customer that we have today to go in and prove that functionality. Its zero additional deployment; it's completely cloud delivered. So it's incredibly easy to consume. Again, Ranger is one of our fastest growing modules, and the same goes for data retention. We're now seeing, think about the White House Executive Order that mandates low collection, data retention. The ability to keep security data input telemetry for longer is fueling customers to procure more and more data retention and archiving directly from our platform. It's something that's highly unique to us. Definitely part of the reason why we've expanded our offering and acquired Scalyr as a data analytics backend. So the ability to really address all of these new opportunities in cybersecurity that might not have been there a couple of years ago are not only an opportunity, but also a competitive differentiator that we have.
Operator, Operator
Thank you. The next question is from Tal Liani with Bank of America. Thank you. You may proceed.
Tal Liani, Analyst
Hey guys, congrats on a great quarter. I have a few questions I want to speak about competition. Can you characterize your competition between, you highlighted a 70% win rate? Can you characterize the competition? How's it going versus legacy players and what drives corporates that were on legacy system for a long time? What drives them now to migrate? Also, the competition versus the new players like CrowdStrike and others? If you can talk about your – we spoke about product differentiation, but I want to talk about the value of automation. How is that coming to play and also pricing differences? We're hearing that you're quite cheaper than the next-gen competition? Thanks.
Tomer Weingarten, CEO
Yes. I believe for us, it's really about the holistic approach we're taking that allows us to win both against incumbents and against the next-gen peers. The ability to give a full spectrum solution, a full spectrum platform that ranges from best of breed prevention, all the way to detection and response and remediation all of that in a complete uniform autonomous manner. It's a big difference from what the others are doing. For a lot of these customers, I mean, they're becoming more frustrated by this need to constantly put down fires. For us, I mean, you can take a more prevention-first approach. You can actually stop these fire from actually ever happening. That drives efficiencies. If you're looking at incumbents, obviously there are massive breaches there, and even the engine peers. We're seeing a lot of their customers, and we've had a multi-million dollar displacement this quarter for a customer that grew increasingly frustrated with the multiple infections with inefficiency on protecting server environments. They wanted a more automatic solution; they wanted remediation to clean up all the infections. They wanted a solution that can actually remediate and clean up all the infections they were seeing, but at the same time, turn into more of a preventative approach. You can prevent everything, but you can do a better job on prevention and significantly stop that firefighting mode. Our platform is incredibly unique in that advantage of AI and machine learning. That's the reason why we're winning both against incumbents that don't provide protection and think about hardening, think about anti-tempering—these are all things that our platform can cover today. It's incredibly holistic again in nature. We do look at the peers that focus on detection and response. For us, it's about technology. It's about creating a more secure endpoint in the most holistic way possible. I don't think we're cheaper than the competition. I think if you look at it apples-to-apples, you'll see that the prices are pretty much similar. We take a different approach with a much more transparent approach, and we don't force customers to opt into tiers. So all in all, they can choose what they want to procure from us, but again apples-to-apples, I think you'll see that prices are very, very similar. I don't think we're cheaper by any degree.
Nicholas Warner, COO
One thing I would add to that, this is Nick here. From a budget perspective, we don't try to hijack a customer's security budget and force them to buy reams of services, hours of support, a non-automated product. What we're bringing is automation and machine learning, ease of use, and we're democratizing very advanced technology. What that enables customers to do is achieve the outcome we're driving for them, our prospects and customers, which is protection and prevention. From an apples-to-apples perspective, we're typically at or higher from a technology perspective, but we enable customers to best put that money to use buying technology. More importantly, we enable customers to fully implement that technology to get the best protection and visibility on the planet.
Tal Liani, Analyst
Great. I have a quick one, if I can squeeze in, if not I'll ask you privately. CrowdStrike highlighted on the last call that they won Workday from you and they highlighted false positives as reasons why they said that this customer switched to them. I think it's just fair to ask the question, if you can refer to their statements and announcements on this customer? Thanks.
Tomer Weingarten, CEO
Yes. I mean, I think it's – it's something that you'll see anecdotally happening. We've had an excess of $1 million ACV displacement this quarter as well. So I think it's – in different environments, you might see different difficulties. I think a lot of it is sometimes about relationships, but what's incredibly interesting about the customers we've displaced is the reference they made to the amounts of infections they have to deal with, which to us is really why you're bringing in a cybersecurity solution. You want to prevent these infections; that’s unacceptable. That’s why you see customers at scale shifting from us.
Nicholas Warner, COO
Time and time again, what we've seen for several years now is folks go with SentinelOne for really a unique combination of prevention, efficacy, coverage, and support, automation, and lastly, as Tomer mentioned, efficacy. So our ability to protect, to prevent and to keep our customers safe.
Operator, Operator
Thank you. The next question is from Andrew Nowinski with Wells Fargo. You may proceed.
Andrew Nowinski, Analyst
Great. Thank you, and congrats on a very good quarter. It's two quick questions for you. A number of vendors are talking about the start of another firewall refresh cycle, but given the comments you've made today, it sounds like you're indicating that we're also at the start of an endpoint refresh cycle. As more enterprises rip out their aging legacy solutions, so I'm just wondering if that's the right characterization of the strong demand that you're seeing, or do you think the ransomware attacks that we've seen over the last nine months might be fueling part of the momentum? I'm just really trying to get a feel for how long this exceptionally strong momentum can continue.
Tomer Weingarten, CEO
I think it's a combination of quite a few factors and different tailwinds. The hybrid work environment and the rephrase of those cycles through the increased need for the government pointing out EDR solutions as ones that should become mandatory in the environment. There are many different drivers pushing us towards what we're seeing right now in endpoint security. The road is long, and what’s important is that our platform is much more than endpoint security. For many of these new accounts, the net new logo motion that we have is already going into other adjacencies in the enterprise, whether it’s IoT security or cloud security. I wouldn’t call it necessarily a refresh cycle simply because there are so many different secular trends that are pushing it towards modernized environments. We’re becoming this trusted partner for these enterprises that actually continue to grow up and down the stack in different surfaces. So all in all, it drives a complete overhaul; it’s not just unique to the endpoint refresh cycle. What we're seeing is a generational shift away from signature-based approaches to machine learning and automation-driven protection and visibility. We're still in early innings, but it's massive, macro, and global.
Andrew Nowinski, Analyst
That's great. Thank you. And just my follow-up question. As it relates to some of the $1 million ARR customers that you landed, I'm wondering if you could just give us any more color in terms of maybe how many agents those deals typically involve or how many modules they typically purchase? I'm just wondering, ultimately how much of an opportunity there is with those customers for additional purchases down the road. Are they buying everything and maxing out their purchase on the initial purchase to get to that million-plus spend, or is there a big opportunity with those going forward? Thanks.
Tomer Weingarten, CEO
We feel as far from it and it can vary significantly. We see the ability to expand into other footprints in the enterprise. Almost every account that we land, we’re also putting more and more modules. Just last quarter, we've actually added two new modules into our portfolio of capabilities. So all in all, we feel pretty good about our ability to continue to grow in these customer accounts, both in terms of covering more footprints but also in terms of selling more modules. We're definitely seeing better adoption for the Ranger module, as I mentioned, but again we have so many different abilities right now. We’re seeing the beginning and first innings of traction with a lot of our newer modules. It’s kind of a game that we saw a film that we already saw and we see it growing over time. We feel the potential is quite significant.
Operator, Operator
Thank you. The next question is from Patrick Colville with Deutsche Bank. You may proceed.
Patrick Colville, Analyst
Hi there. Thank you for taking my question. So sequential ARR grew $37 million bucks, if I'm not mistaken, just a kind of housekeeping items, I presumed Scalyr – likewise in first quarter, right? So that $10 million you pulled out of inorganic ARR fell in 1Q, right?
David Bernhardt, CFO
That's correct. We got $9 million ARR when we acquired Scalyr. It's now 10. Our focus with Scalyr is obviously been on implementing the technology—not on really pushing our go-to-market. That's something we'll advance once we get it completely tied into the SentinelOne back end. So yes – 37.
Patrick Colville, Analyst
Okay. Sorry, just – $10 million was it in 1Q and does it…
David Bernhardt, CFO
1 million incremental between Q1 and Q2 for Scalyr, so we acquired them at 9, they're currently 10.
Operator, Operator
Okay. That's great. Could I just, I guess follow on about the connected environment? I mean, how is going public helped in the enterprise or I guess landing kind of our partners or SI partners? Has the publicity and profile of being a public company assisted in that? Or is it actually kind of very, very similar to what you guys were already seeing pre-IPO?
Tomer Weingarten, CEO
I think we're definitely seeing an elevation of the brand. We’re definitely seeing more market presence. I think the tax that we choose to be very transparent about what the company does dispels a lot of the misinformation that was there around us in the market, mainly fueled probably by competition. So for us right now, we feel better attraction. We feel better competitive environments, more, that’s for sure. And that’s not only fueled by our IPO, but also a great performance in the Gartner Magic Quadrant where we were singled out as the vendor with the most critical capabilities among every vendor out there for any buyer type. That just comes to show that from prevention all the way to detection, response, and remediation, our platform today holds the most capabilities out of any other platform out there. All in all, I think multiple factors come into play, with the IPO shining a spotlight on all of them. We’re seeing an increase in accelerated attraction across the board, both in partners and with customers, with sales cycles and with competitive win rates.
Patrick Colville, Analyst
Great, thank you so much.
Operator, Operator
Thank you. The next question is from Shaul Eyal with Cowen. You may proceed.
Shaul Eyal, Analyst
Thank you. Congrats, guys, on the strong debut quarter. Dave, when we think about your Czech Republic R&D facility, is that driven by global lack of talent? Is it driven by higher R&D costs in the West Coast or in Israel, or is it pretty much all of the above? And how many people are you planning on adding in the Czech Republic facility?
David Bernhardt, CFO
Sure. We obviously look for global talent everywhere. One of the reasons that we're looking at the Czech Republic is because they do have an excellent amount of cybersecurity talent that allows us to continue to advance. So we're going to continue to look for areas where we can advance what we need in terms of driving our product and our innovation. There are areas that are economically more viable in terms of full strategy. So we're going to continue to monitor that, and we'll do that for the foreseeable future.
Shaul Eyal, Analyst
Got it. And maybe a question on cohort analysis; if it's not too early, can you talk to us maybe from the quantitative or maybe just from a qualitative perspective on the LTV of cohorts over the past few quarters now going to say even a few years, specifically on the heels or the fact that your deal with the greater than $1 million have been fantastically on the rise out of the late.
Nicholas Warner, COO
This is Nick here. So we really think about growing the business from a new model perspective, as well as learning to extend—someone asked a question on that, the answer is yes, we're doing both. What we're seeing, and Tomer talked about this, is with tremendous innovation and the introduction of new modules, new surfaces to protect, new problems to solve. We've seen huge lengthened expand opportunities. In fact, 50% of our customer base is running our core control package. We can upgrade those folks to complete many modules to cross-sell and up-sell. What we're also finding is at the time of sale for new customers, they're predicting landing with a complete package with other modules as well. We’re really seeing a combination of both of those things driving our average deal size or NNR and our retention; all of those things are up into the right for organizations. The last thing I want to leave you with is that overall, market momentum, awareness, and adoption of technology like SentinelOne's is really taking in a big, big way, and that’s also driving a lot of the adoption.
Shaul Eyal, Analyst
Got it. Thank you so much. Good luck.
Operator, Operator
Thank you. The next question is from Roger Boyd with UBS. You may proceed.
Roger Boyd, Analyst
Terrific. Thank you very much for taking my question. I guess relative to the question of partner retention results, you call that the success with tiers in modules. I’m wondering if you can talk about the impact of cloud workload protection? Where do you think you are in that opportunity? And any sense of the penetration that product has with customers today?
Tomer Weingarten, CEO
Yes, we're looking definitely to extend more and more into cloud security. Specifically, when we talk about cloud security, we talk about the workload protection platform and runtime protection. Today, I think we've shared that it's already about 10% contribution to our revenue is coming from the cloud and server protection pieces that we sell, and we're seeing more and more traction in cloud security. To us, we also continue to bolster that capability. We added CIS benchmarking capabilities just a couple of quarters ago, and we’re seeing better and better adoption. We've introduced our cloud workload protection platform as an integral part of the AWS marketplace, and that drives adoption as well. Overall, we feel well-positioned to continue capturing market share in the cloud workload protection platform space.
Operator, Operator
Thank you. The next question is from Alex Henderson with Needham. You may proceed.
Alex Henderson, Analyst
Great, thank you very much. I realize we're running long here, but wanted to add a second question. Could you talk a little bit about your hiring plans and sales? What type of capacity do you see going forward in terms of your adds for the next couple of quarters? And then what's the availability look like? Are we seeing escalation and the prices of labor? And are there enough people out there to fulfill your needs?
Tomer Weingarten, CEO
Yes, we're definitely investing for growth. It's an enormous opportunity in front of us. So we're going to continue to invest and build and grow our go-to-market teams, our sales reps, sales engineers, channel managers; really investing in our go-to-market engine. At the same time, what we've also been able to yield is increasingly greater sales efficiency. We've been really maniacally tracking sales efficiency, and that has been improving quarter-after-quarter. We're going to have each quarter a bigger sales team that is also more efficient helping us continue to drive growth. The last thing, which is not to be underestimated with our unique go-to-market business, is that multi-dimensional channel that we talked about. Massive sales forces at various channel partners in the MDR space, MSSP partners, IR partners, traditional resellers and distributors. That’s the right way to think about our global field presence—adding all of those folks up. Each time we’re adding a partner behind that, there are hundreds of sales reps doing 2000-plus accreditations to date. That’s really building that flywheel. But we’re absolutely going to continue to invest in our own SentinelOne personnel as it relates to go-to-market.
Alex Henderson, Analyst
Question on the cost and availability?
Tomer Weingarten, CEO
What we're finding, and this sort of goes back to a previous question about the benefits we've seen with our IPO is that brand recognition doesn't just extend to channel partners and customers; it extends to the best talent in the market. Our ability to get really, really good people who can hit the ground running has tremendous yield. That's enabling us to have great attraction and appeal to get the best talent in the market.
Operator, Operator
And I would now like to pass the call back over to Tomer Weingarten, CEO of SentinelOne. Thank you. You may proceed, Mr. Weingarten.
Tomer Weingarten, CEO
Thank you and thank you all for joining us today. We look forward to talking to you again in the near future. Thanks a lot.
Operator, Operator
That concludes the conference call. Thank you for your participation and enjoy the rest of your day.