SentinelOne, Inc. (NYSE:S) Q2 2025 Earnings Conference Call August 27, 2024 5:00 PM ET
Company Participants
Doug Clark – Vice President, Investor Relations
Tomer Weingarten – Chief Executive Officer
Dave Bernhardt – Chef Financial Officer
Conference Call Participants
Gabriela Borges – Goldman Sachs
Brian Essex – JPMorgan
Hamza Fodderwala – Morgan Stanley
Saket Kalia – Barclays
Shrenik Kothari – Baird
John DiFucci – Guggenheim
Rudy Kessinger – D.A. Davidson
Peter Weed – Bernstein
Brad Zelnick – Deutsche Bank
Adam Tindle – Raymond James
Gray Powell – BTIG
Operator
Good afternoon. Thank you for attending the SentinelOne Second Quarter Fiscal Year 2025 Earnings Conference Call. My name is Cameron, and I’ll be your moderator for today. All lines will be muted during the presentation portion of the call with an opportunity for questions-and-answers at the end.
I would now like to pass the conference over to your host, Doug Clark, Vice President of Investor Relations. You may proceed.
Doug Clark
Good afternoon, everyone, and welcome to SentinelOne’s Earnings Call for the Second Quarter of Fiscal Year 2025, which ended July 31, 2024. With us today are Tomer Weingarten, CEO, and Dave Bernhardt, CFO. Our press release and a shareholder letter were issued earlier today and are posted on the Investor Relations section of our website. This call is being broadcast live via webcast, and an audio replay will be available on our website after the call concludes.
Before we begin, I would like to remind you that during today’s call, we will be making forward-looking statements about future events and financial performance, including our guidance for the third fiscal quarter and full fiscal year 2025, as well as long-term financial targets. We caution you that such statements reflect our best judgment based on factors currently known to us and that our actual events or results could differ materially.
Please refer to the documents we file from time to time with the SEC, in particular, our Annual Report on Form 10-K, and our Quarterly Reports on Form 10-Q. These documents contain and identify important risk factors and other information that may cause our actual results to differ materially from those contained in our forward-looking statements.
Any forward-looking statements made during this call are being made as of today. If this call is replayed or reviewed after today, the information presented during the call may not contain current or accurate information. Except as required by law, we assume no obligation to update these forward-looking statements publicly or to update the reasons actual results could differ materially from those anticipated in the forward-looking statements, even if new information becomes available in the future.
During this call, we will discuss non-GAAP financial measures unless otherwise stated. These non-GAAP financial measures are not prepared in accordance with generally accepted accounting principles. A reconciliation of GAAP and non-GAAP results other than with respect to our non-GAAP financial outlook is provided in today’s press release and in our shareholder letter. These non-GAAP measures are not intended to be a substitute for GAAP results.
Our financial outlook excludes stock-based compensation expense, employer payroll tax on employee stock transactions, amortization expense of acquired intangible assets, acquisition-related compensation costs, restructuring charges, and gains and losses on strategic investments, which cannot be determined at this time and are therefore not reconciled in today’s press release.
And with that, let me turn the call over to Tomer Weingarten, CEO of SentinelOne.
Tomer Weingarten
Good afternoon, everyone, and thank you for joining our fiscal second quarter earnings call. We reported strong results and exceeded our expectations on all key metrics, including ARR, revenue, gross margin, and operating margin.
Our teams executed well during the quarter. We maintained our industry-leading revenue growth and set new company records for gross, operating, and net income margin. Importantly, we achieved a significant profitability milestone, our first-ever quarter of positive net income and earnings per share. This is a tremendous achievement, and I would like to congratulate all Sentinels who made this possible.
In addition, our Q2 net new ARR outperformed our expectation by a double-digit percentage and we continue to expect new business growth trends to improve in the second half of the year. Based on our business and go-to-market momentum, we’re also raising our revenue guidance for fiscal year ’25. Superior technology is the cornerstone of how we empower our partners and customers to build more resilient enterprises. SentinelOne leads the industry with best-in-class AI-powered security and customer transparency. These are our guiding principles. Mission-critical businesses around the world rely on our technology, platform architecture, and engineering best practices.
As I mentioned in a prior earnings call, bigger brands do not mean better security. Sub-standard platform architectures are extremely risky and can cause single points of failure. This is evidenced by the string of recent breaches at Microsoft and the largest IT outage in history caused by our direct competitor, CrowdStrike. The dependency on fragile software can rapidly disrupt our way of life and cause billions in damages to the businesses they’re supposed to protect. Self-proclaimed industry leadership and overzealous marketing can create a false perception of reliability, eventually, the end user suffers, which is why we must focus on facts, not fiction.
Operational hygiene and process controls are essential for any reliable software, anything short of that is a breach of customer trust. Another big takeaway from recent events is this, architecture matters. SentinelOne’s platform and patented behavioral AI security approach do not require constant antivirus-like updates, detection delays, or configuration changes to secure enterprises, period.
Singularity is purpose-built to deliver top-tier autonomous security without requiring extensive integration into the keRnel, the most sensitive part of an operating system, where even minor errors can cause significant disruption. To be clear, the combination of deployment processes fully controllable by the customer and advanced behavioral AI architecture, significantly improved security, and operational resilience. I’ll elaborate on this later. As always, please read our shareholder letter published on the Investor Relations website, which provides more detail.
Let’s review the details of our second quarter performance, which exceeded our top- and bottom-line expectations. Revenue grew 33% and total ARR grew 32% year-over-year. Net new ARR increased 16% sequentially, driven by stronger new business generation. Our pace and progress towards profitability remains best-in-class. We delivered a record high gross margin of 80% with our operating margin nearing breakeven.
Q2 also marked a record operating margin, once again improving by double-digit percentage points year-over-year. And we achieved positive net income and earnings per share for the first time in company’s history, which is a significant milestone. Demand in Q2 was broad-based. We’re securing an increasing number of businesses of all sizes and geographies from the largest global enterprises to smaller businesses to our partnerships with MSSPs.
We lead with best-in-class technology, transparency, and trust. Customers with more than $100,000 in ARR grew 24% year-over-year and customers with more than $1 million in ARR grew even faster, reaching yet another company record. The endpoint segment remains a significant growth driver for our business and we continue to win market share.
According to the IDC Worldwide Modern Endpoint Security market shares 2023 report, SentinelOne grew at the fastest pace among the Top 10 vendors in 2023. We expect this momentum to continue, especially as we expand strategic partnerships to bring SentinelOne to more businesses and endpoints than ever before.
In addition, our emerging solutions like Data, Purple AI, and cloud continue to outpace the overall company growth rate in Q2. For instance, Purple AI is proving to be truly transformative and we’re seeing great customer traction. Within only months after general availability, Purple AI adoption has surpassed all our expectations and contributed to Q2 outperformance.
For instance, we achieved double-digit attach rate for Purple AI across all eligible endpoints sold in the second quarter, indicating incredible momentum. As the industry’s most advanced generative AI security solution, Purple AI unifies, accelerates, and simplifies security operations. Customers are seeing real gains in productivity with 80% faster threat hunting and investigations.
With Purple’s generative AI capabilities, enterprises are enjoying blazing-fast performance, machine speed protection, and better security outcomes, and it’s only going to get better from here. Integrating AI into all aspects of security and data operations is a transformative step for the industry and SentinelOne is once again at the forefront.
Growth of our emerging solutions and success with large enterprises continues to drive higher ARR per customer, which increased by double-digit percent year-over-year to a record high in the second quarter. Platform expansion rates remain healthy and consistent with recent trends. Our strategy is to drive a higher portion of our business mix to new customer growth and it’s working well. Long-term, this will open doors for significant future expansion opportunities.
On the competitive front, our platform differentiation and market position are stronger than ever. We continue to win a significant majority of competitive evaluations against both next-gen and legacy vendors across endpoint data and cloud. Our AI-powered protection, unified Data Lake, and platform architecture can deliver better security, simplicity, and savings for the enterprises. Among many exciting customer wins in the quarter, let me highlight a few illustrative examples.
First, a growing number of customers are choosing a wider range of Singularity platform solutions. Our Data and SIEM solutions remain a source of outsized growth for our company. In one example, a global aerospace company expanded from endpoint security to add AI-SIEM coverage, identity, Purple AI, and began adopting our new CNAPP solution. Once again, the technological and core superiority of the Singularity platform was clear. This enterprise is now ingesting twice the data and still saving money compared to the incumbent legacy SIEM solution.
Second, cloud remains a strong driver of new customer growth and expansion. Large enterprises routinely expand their cloud security footprint for enhanced coverage and visibility with SentinelOne. Regardless of the endpoint incumbency, enterprises continue to select our AI-powered cloud security offerings for better security and operational performance. Third, legacy displacements and breach activity are driving strong demand for our endpoint solutions.
At one global financial institution, we replaced a patchwork of four different next-gen and legacy endpoint vendors through a rigorous POC evaluation, Singularity platform was selected because of its multi-tenancy broad operating system coverage and leading AI-based security. Finally, at one of the largest hospitals in the United States, SentinelOne and another endpoint vendor had been deployed in select geographies. Unfortunately, every system secured by this other vendor got breached, while systems secured by SentinelOne remained protected. The difference was clear and the customer fully deployed SentinelOne with a multi-million dollar expansion.
Our AI-powered singularity platform is fueling new customer wins and significant expansions. We remain in the early stages of market share gains and expansion of our platform footprint across multiple large end markets. From a macroeconomic perspective, little has changed in recent months. Our Q2 performance showcases strong execution and significant progress on the go-to-market initiatives outlined last quarter. We brought in proven leaders.
We’re optimizing our processes and expanding our market presence. This is a constant evolution and we’re on the right track. Our progress on these initiatives is yielding positive results, which is evidenced by stronger new business generation, competitive win rates, and growth outlook. We’ve entered a new dawn, a stronger SentinelOne in a more complex cyber landscape.
In Q2, we made significant strides to elevate our market presence and create new strategic routes to market. Let me share a few themes that showcase the expanding scale and scope of SentinelOne across the cyber ecosystem through strategic partnerships. For instance, in the Incident Response segment, we expanded our partnership with Google, becoming a strategic endpoint vendor for Mandiant Consulting. This allows Google to help migrate their customers from incumbent protection solutions and also make SentinelOne a partner of choice across a majority of the incidence response providers, including Aon, Booz Allen, KPMG, and others.
Our collaboration with Google brings together SentinelOne’s leading AI-powered autonomous security and Google Cloud’s extensive threat intelligence, creating the most comprehensive telemetry data for security insights. For the cyber insurance industry, we launched the SentinelOne Risk Assurance Initiative in partnership with an extensive network of leading cyber insurers, including Chubb, Coalition, CFC, and more. We’re helping millions of SMBs seamlessly up-level security at preferred rates while extending the reach and scale of SentinelOne.
In the federal arena, we recently launched a partnership with CISO to deliver government-wide cyber defense. As part of CISO’s persistent access capability initiative, the Singularity platform and Data Lake will provide AI-powered autonomous threat detection and response across federal IT assets, helping to safeguard our nation’s most critical and sensitive information.
Finally, we continue to strengthen our position across the MSSP ecosystem as we help new and existing partners build managed security practices. With multi-tenancy, automation capabilities, and role-based access control, SentinelOne remains the partner of choice for MSSPs. All of this is just the beginning of a new growth chapter for us.
I’ve never been more excited about our platform differentiation and go-to-market momentum. We’re positioning SentinelOne for long-term success in a $100 billion-plus security and data market opportunity. The leading indicators are positive. Having achieved profitability, we’re paving the way for durable growth and substantial market share gains.
Let’s turn to the broader cybersecurity landscape. This is an unprecedented time for our industry. The frequency, complexity, and cost of cyberattacks are reaching new highs. At the same time, the performance shortcomings of other market offerings are becoming visible to the public. In just the last few months, we’ve seen high-profile breaches and security failures from the top two endpoint vendors by market share.
These incidents are extremely disruptive for the millions of people and thousands of businesses who expect reliability from their security providers. Self-proclaimed gold standard and market share leadership do not equate to better security or customer experience. The latest global IT outage highlights the significance of platform architectures. The cost of protection should never exceed the consequences of a breach.
The scale and disruption caused by this incident is a stark reminder of the risks posed by vendor concentration. This was an avoidable incident that was born out of disregard for software deployment best practices. This failure will not be quickly dismissed. As I said last quarter, putting all eggs in the same basket is not advisable in security. Following this incident, customers and partners are looking to reduce their reliance on vendors that enforce closed garden platforms.
At SentinelOne, we take an open ecosystem approach to security to give enterprises flexibility and choice. Our goal is not to force cell modules. It is to provide optionality and access to best-of-breed capabilities that minimize security risk and maximize resilience. At Black Hat a few weeks ago, we heard from enterprises that they want to diversify cybersecurity technologies and mitigate the risk of another global outage. There was a lot of excitement and interest in SentinelOne.
Companies do not make snap decisions. They need to figure out how to make the transition, but this shift is positive for SentinelOne in the broader enterprise security landscape. This will play out for years as companies dig through the web of liabilities and risks uncovered by this historic outage. As enterprises look to mitigate risk, we help them boost resilience in their security posture. In the cybersecurity industry, we share a fundamental goal to deliver protection and reliability.
Security vendors must prioritize security over profits, facts over fiction, and innovation over marketing. Beyond this, the biggest lesson our industry has learned is the importance of product architecture. Understandably, customers and partners are now looking for better platform architectures and building more resilient cyber defenses. This is resulting in significant pipeline pickup for us in high levels of customer interest. This is coming from some of the largest enterprises and partners in the world that did not have a chance to appreciate Singularity platform’s breadth and superiority relative to the competitive offerings, all of that isn’t changing now. And they are impressed by what we can offer.
For instance, several of the world’s biggest companies are now engaging with SentinelOne and some of them have already made the decision to switch. This is just a start. SentinelOne purpose-built an agent that can simultaneously run dual AI-based detection engines both cloud natively and on device. We patented behavioral AI for real-time protection on the device complemented by comprehensive context and triage in the cloud. Solid cyber security requires both.
Redundancy in this context is mission-critical, not constant software updates. Most importantly, our platform architecture and behavioral AI-based detection capabilities are patented and unique. When we say autonomous, these are not marketing claims, but a description of how our product works. The difference is clear when you consider minor attack evaluations for endpoint over the past several years.
Let me highlight just one specific element of minor attack evaluations that is often overlooked. Every year, multiple vendors claim 100% detection with more than one claiming they had the best results. This can’t be true and it’s not. Two important metrics everyone should look at are the number of delays and configuration changes during the MITRE evaluations. Making dozens of configuration changes during an attack evaluation simply means that the vendor had to modify its product for detection and protection, otherwise, it failed. This is, obviously, unrealistic in real-world and real-time scenarios, especially when coupled with brittle keRnel-level updates.
In our Q3 shareholder letter from fiscal year ’24, you can see the mightier evaluations chart showing overuse of configuration changes and delays, the two largest endpoint vendors by market share combined had more than 50 delays and configuration changes. SentinelOne had zero. In our view, customers and partners deserve transparency from the first conversation through multi-year relationships to build trust and a secure future. This should be the industry standard. We lead with better technology instead of aggressive marketing claims. As a result, we win a significant majority of technical evaluation. We’ve been a leader in the Gartner Magic Quadrant for endpoint protection platforms for three years in a row.
We are ranked among the highest-rated vendors in the Gartner Peer Insights Voice of the Customer for endpoint protection platforms report and our Singularity platform has ranked number one in Gartner Critical Capabilities for all of the three use cases for two years in a row. A platform is only as good as some of its parts and we intend to deliver leading capabilities in all aspects of our platform with an open ecosystem approach. At the center of every SentinelOne solution is the Singularity Data Lake. Our fully integrated and unified Data platform offers leading AI-powered protection, simplicity, and savings for customers.
Enterprises benefit from a single unified Data back-end that combines Data across all enterprises’ critical services, endpoint, cloud, identities, and any third-party source. Every customer, regardless of the size of the contract, gets autonomous protection and visibility. We are transforming the legacy SIEM market with our modern AI-SIEM, scalable, automated, and fully integrated with leading AI capabilities.
We’re also seeing tremendous customer interest and adoption of our advanced Purple AI capabilities. Purple’s generative AI capabilities are a major competitive advantage and we have a clear time-to-market lead. Purple AI is natively integrated across our entire platform. Purple touches every aspect of managing security and has the ability to see and manage all security events, including those of competing products.
Unlike other market offerings with multiple platforms, co-pilots, and data silos, we’re building a unified experience with Purple as a security partner for humans. Purple alleviates the challenges of machine speed response, talent shortage, alert fatigue, and enhances analyst productivity, all while autonomously securing the enterprise. The difference is vast and we’re constantly pushing the envelope with Purple AI.
In Q2, we launched Alert Summaries. These provide AI-generated contextual summaries of alerts so analysts can easily view and understand the details and scope of their alerts across their environment. Finally, we have rapidly expanded our cloud security product offerings, which now provides extensive and highly performant runtime protection and posture management solutions.
Our CNAPP portfolio is the highest-rated by G2 Summer Grid Report. It now includes CSPM, available worldwide, and SIEM, securing identities and entitlements for cloud infrastructures. Our pace of innovation and autonomous security approach is setting new industry benchmarks. We’re widening the gap in a significant way.
As we look beyond the second quarter, the path forward for SentinelOne is bright. Demand indicators are strong, new business growth trends are poised to improve, and we’re achieving new profitability milestones. The continuation of high-profile breaches and the recent global outage once again reinforced that cybersecurity is not a winer-take-all market. The systemic risks of single-vendor concentration are abundantly clear.
After recent events, customer interest in our platform and AI-based security have distinctly risen. This is a new era of cybersecurity and we are in a leading position. It’s certainly early and will play out in months and years to come. As always, our goal remains delivering the best possible security and value to customers and partners. We’re focused on keeping customers up and running. This should be a given. Enterprises need reliability, not disruption.
As we look ahead, our teams are executing well and our go-to-market is gaining momentum. We have the winning technology and our competitive position is stronger than ever. Our financial performance remains industry-leading and we achieved positive net income for the first time. This is an incredibly dynamic time for us and the industry. Investing in the business for growth and scale is the right step forward.
For years, we’ve led the industry with innovations and now we’re seeing an expanding interest in SentinelOne’s AI-powered autonomous security. In closing, our technology teams and financial profile are stronger than ever. I extend my gratitude to our incredible team. Together, we are paving the path to maximizing our business potential.
Most importantly, we’re focused on helping enterprises advance their infrastructure and security. I want to thank all Sentinels as well as our valued customers, partners, and shareholders. We look forward to connecting again at our Investor Technology Session at our OneCon conference in October.
With that, I will turn the call over to Dave Bernhardt, our Chief Financial Officer.
Dave Bernhardt
Thank you, Tomer, and thank you, everyone, again for joining us. This afternoon, I’ll discuss our quarterly financial performance and provide additional context regarding our guidance for Q3 and fiscal year ’25. As a reminder, all comparisons are year-over-year and financial measures discussed here are non-GAAP unless otherwise noted.
Once again, our second quarter results not only met but exceeded our revenue and margin expectations. We continue to lead the industry in terms of technology, revenue growth, and margin expansion. We also delivered our first-ever quarter of positive net income and earnings per share, another significant milestone on our path to sustained profitability.
Revenue grew 33% to $199 million in the second quarter. Our growth was also balanced across geographies. Revenue from international markets grew 36%, representing 37% of our quarterly revenue. Our total ARR grew 32% to $806 million. We added $44 million in net new ARR in the quarter, which exceeded our expectations by a double-digit percentage.
New customer logos and wins across endpoint, cloud, and data remain the key drivers of new business growth. We also maintained healthy expansion rates from existing customers. Consistent with the view we shared last quarter, we continue to expect better net new ARR growth trends in the second half of the year, driven by a strong pipeline, new product contributions, and expanding go-to-market.
Compared to ARR, remaining purchase obligations once again grew at a strong pace, up 40% year-over-year as we continue to sign larger and longer-term contracts. This is important as it provides us with longer-term visibility and sustainable future growth. Looking beyond our top-line, gross margin also increased sequentially to a record-high of 80%. This was an increase of 3 percentage points year-over-year.
Our best-in-class gross margin indicates healthy pricing and the success of our value-added approach. Our unified platform architecture delivers better unit economics for SentinelOne and our customers. In addition, we continue to make extraordinary improvements to our operating and net income margins. Q2 was truly a record-setting quarter, our first with positive net income and earnings per share.
In parallel, our EBIT margin of negative 3% outperformed our Q2 guidance by 3 percentage points. This also shows an improvement of 19 percentage points compared to a year ago. Our increasing scale, efficiencies, and cost discipline continues to drive substantial operating margin improvement.
In Q2, we continue to generate positive operating cash-flow margin, and I’m extremely proud to achieve a positive 2% net income margin and positive earnings per share. We have been working towards achieving profitability since our IPO and have been unwaveringly delivering industry-leading margin expansion every single quarter.
Our unit economics and financial position remain incredibly strong. We have over $1 billion in cash, cash equivalents and investments, and zero debt. This provides us with ample durability and flexibility. To this extent, we have already demonstrated tremendous potential for leverage across the business.
Moving to our guidance for Q3 and full fiscal year ’25. Looking ahead, we remain optimistic about our growth trajectory. For Q3, we expect revenue of about $209.5 million, up 28% year-over-year. For the full year, we expect revenue of about $815 million, up 31% year-over-year.
Our higher revenue guidance reflects a $3.5 million increase compared to the midpoint of our prior guidance range, which exceeds the magnitude of our Q2 overperformance. This increase reflects our confidence despite the persistently challenging macroeconomic environment.
As I mentioned earlier, we continue to expect better growth trends in the second half of the year. Specifically, we expect second half net new ARR growth to improve compared to the first half of the year. Our confidence is driven by early indications from go-to-market enhancements, a strong second-half pipeline, improved competitive position, and traction with newer solutions like CNAPP, AI, and Data.
Turning to our outlook for margins. In Q3, we expect gross margin to be about 79%. We are also raising our full year gross margin guidance to 79%, the high end of our prior range. We expect Q3 operating margin to be negative 3%, an improvement of about 8 percentage points year-over-year.
On a full-year basis, we are narrowing our range to between negative 5% to negative 3%, an improvement of about 15 percentage points at the midpoint compared to fiscal year ’24. We are operating in an incredibly dynamic environment. Given the profound evolution of our technology and the competitive opportunities in front of us, we are leaning into investment to grow in scale and market presence. We’re encouraged that it’s already yielding positive results, including strong Q2 growth and record margins.
Based on the demand trends and opportunities for increased market share gains, we may elect to invest more in the business. Our elective investments weigh long-term growth potential with delivering a solid, responsible, and profitable financial profile. This has never been more important than today and is the right strategy. This year, we have proven the ability to drive profitability and positive free cash flow.
Our platform has strong underlying retention rates with potential for significant future expansion opportunities. Our investments in AI, Data, and Cloud Security are reshaping the cybersecurity landscape and will drive our next phase of growth, bringing greater scale and cementing a more diverse business mix.
We’ve entered a new dawn for cybersecurity. To say, it’s right for disruption is an understatement. Self-proclaimed industry leaders are now facing the same challenges as legacy solutions. Better security and reliability must be the way forward. With the Singularity platform, we deliver superior protection, leading AI capabilities, an open architecture to improve resilience and a streamlined analyst experience to prevent modern attacks.
We’re investing in our scale and reach that over time will bring SentinelOne to the forefront of millions, more endpoints, and businesses. I couldn’t be more proud of our commitment and performance to making SentinelOne profitable. We have come so far so fast, the future is just as bright.
Thank you all for joining us today. We will now take questions. Operator, please open up the line.
Question-and-Answer Session
Operator
Thank you. We will now begin the question-and-answer session. [Operator Instructions] The first question is from the line of Gabriela Borges with Goldman Sachs. You may proceed.
Gabriela Borges
Good afternoon. Thank you. Tomer, I wanted to follow-up on some of the architectural strengths that you highlighted in the prepared remarks, particularly the fewer updates and the lower level of keRnel access that you talked about, how are you able to maintain the same level of efficacy with mitigating the risk of keRnel your updates?
And how is that architectural strength translating to some of the pipeline conversations you’re having? Is there a way to think about what percentage of customers are thinking about dual sourcing versus single sourcing and where the industry might grow from a sole sourcing versus dual sourcing standpoint? Thank you.
Tomer Weingarten
So let’s try to kind of be clear about what happened. I mean we’re talking about the largest-ever IT outage systematically impacting millions of people, disrupting thousands of businesses, costing billions of dollars, and this was a global practically fleet-wide outage, totally unprecedented in reach and scale.
And secondly, also the duration of the outage, I think was also quite unprecedented. Most modern technology services don’t really take days to come back online and this has been days to weeks, required manual intervention and reboot of millions of affected devices. I’ve truly never seen anything like this in my lifetime. I think immediately you understand the level of uncertainty and concern amongst customers out there. It called into question the entire software development best practices of that vendor, and I think as a result, it goes back to your question, what does it mean for SentinelOne?
And if you think about our architecture, I think what’s immediately clear is that we don’t require the same number of updates. We embed AI models into the endpoint agent and we have removed and moved away significantly from being keRnel dependent for about five or seven years to the point that on the Mac operating system, we’re not at the KeRnel at all. On the Linux operating system, we’re not touching the KeRnel at all, and even on Windows, we minimize what we do. So even when you download updates, they actually live in a different part of the system, and obviously, moving away from the KeRnel is incredibly beneficial to system stability.
In the KeRnel, every small update, every small adjustment can result — every small mistake results in a blue screen or instability, that’s why most vendors try to minimize what they do at the KeRnel level. And I think that’s exactly what SentinelOne does to the point once again in other operating systems, we’re not even touching the KeRnel. So if you kind of think about what happened here, both in terms of the testing methodology, the deployment cadence, customer control over deployment, all of those for us has been our day-to-day for the past 10 years.
We’re not starting now with the new deployment process, and I think those good customers appreciate that. There is a definite question here on whether not testing anything when you deploy KeRnel elsewhere is even meeting the minimum of standard care. I think that it’s so shocking to see the level of deployment with no testing whatsoever. And I think that customers are first trying to assert what level of control they have over deployment.
And once again, with SentinelOne, it’s full control. We never deploy without their knowledge. We never deploy fleet-wide and that is again a stark difference from what you’ve seen from CrowdStrike. So these are the two, I think, immediate architectural differences that you have between the different products. Then you go into our core innovation and our patented behavioral AI, which obviously, has been designed to deal with attacks in real-time on the endpoint itself with no updates. That’s kind of the claim to fame that next-generation vendors had over the antivirus vendors.
You’re not going to need all these updates because you’re building AI into these systems to be able to detect generically regardless of signatures or very specific indicators. We have truly moved away from that. We’re augmenting that with the cloud, but it doesn’t require the same level of updates.
Other vendors are still very much leaning into these IOC signature-type updates, and I think that’s kind of what you’re seeing in terms of the difference. I think these are very, very nuanced elements of how these products work that have not been in the spotlight nor were they’re clear to customers and I think what happened obviously puts this front and center. I think another thing that’s important to mention is that this doesn’t really even appear to be a one-time thing or solve the issue.
I mean this is a pretty significant architectural difference here. Just last week in Europe, there were new reports of Falcon causing more cloud service issues, performance problems, lagging boot times, so that decision to be very cloud-dependent, and I think for years, people have painted as an advantage, I think is kind of turning out to be a pretty, I would say, drawback of that same approach versus a more embedded and augmented approach that SentinelOne took for years now.
Gabriela Borges
Thank you for the detail.
Operator
The next question is from the line of Brian Essex with JPMorgan. You may proceed.
Brian Essex
Great. Thank you. And thank you for taking the question. Tomer, I wanted to circle back on — you called out in your shareholder letter and your prepared remarks about the interest in your platform, as you just mentioned has distinctly risen. Could you provide a little more color around conversations you’re having with customers?
How you might see the recent outage impacting your pipeline growth if you can quantify it at all? Any impact on pricing, win rates? And are you counting on deal leakage from CrowdStrike in order to hit like target growth numbers that you’ve implied in your guidance? Just trying to get a sense of impact and conservatism there. Thank you.
Tomer Weingarten
For Q2, obviously, the vast majority of what you see is just kind of the natural momentum of the business, double-digit overachievement on the net new ARR side of the house speaks for itself. And that to me, I would call it organic momentum. I think our pipeline generally looking forward is definitely getting stronger. If you think about the partner ecosystem, I think it’s not far-fetched to say that a lot of the customers are revisiting their extension conversations, they are very, very least.
I think on top of that, we’ve already seen customers choosing to move away. Some of them have moved away already to SentinelOne, some of them are in the process, some of them will take time to assert, but I think everybody is considering their next steps. And obviously, as you can imagine, that bodes well up to SentinelOne. With that, I would also be mindful that sales cycles take nine to 12 months. Nobody wants to rip off something immediately. Some folks do, but that’s not the majority.
I think for the rest of the customer base, just decisions — they’re going to play out over time. I think people are looking at us, obviously, the number one alternative. People are looking to diversify risk and not really concentrate more and more capabilities with one vendor. So as the partner ecosystem kind of spends those expansion opportunities, I think they are now looking to other sources to cover the lost expansion opportunities with other vendors and they’re coming to us. And it comes to us in a good time, where we’ve been investing significantly in enablement of our workforce and our partner ecosystem.
So we’re now taking our entire platform to market. As you’ve seen with the adoption of Purple AI, such tremendous traction is just another evidence that we are able to now expand dramatically with our emerging products. So not only we’re seeing, I think, core momentum in the endpoint space, we’re also seeing the adjacencies now being revisited and SentinelOne being kind of a number one vendor for consideration across all these different opportunities.
Operator
The next question is from the line of Hamza Fodderwala with Morgan Stanley. You may proceed.
Hamza Fodderwala
Great. Good evening. Thank you for taking my question. Tomer, thanks a lot for all the commentary on the increased pipeline, the new product attach rates with Purple, and a lot of the other things that you mentioned. I’m curious, given this opportunity in front of you, it seems like a lot more is coming SentinelOne’s way. From a go-to-market execution standpoint, you feel like the go-to-market engine has significantly improved, especially in light of the CRO transition that SentinelOne had recently? Thank you.
Tomer Weingarten
I do. Absolutely. I think we’ve seen good evidence of that in Q2. And I think we’re seeing more and more of that. And look, I mean, when we look at the remainder of this year, there’s a couple of things that are in play. I mean, obviously, we’re looking for just overall better trends in the second half of the year. I think we’re also seeing even a departure from our seasonality between Q2 and Q3 and more sequential growth into Q3.
And everything I’m saying now is really regardless of this outage, regardless of the downstream effect, this is just our own business, really improving our go-to-market cadence. So as I mentioned, I think this in some way has come in a relatively good time for us. We’ve been improving our execution. I think our sales force DNA has been, I think, amplified. We brought in new leaders. We’re seeing better cadence. We’re seeing better pipeline retention, better conversion rates, better win rates, all of that is trending positively again regardless of what happened.
So all in all, we feel encouraged. We’re trying to take a responsible approach for the remainder of the year. These are very early days. It’s still very, very dynamic. I don’t know that we can fully quantify what we’re seeing now. And obviously, things can change here and there. We still want to make sure that we’re giving an accurate projection for you all and that’s why we’re kind of sticking to the envelope that we know about and that’s kind of what guides us forward.
Operator
The next question is from the line of Saket Kalia with Barclays. You may proceed.
Saket Kalia
Okay. Great, guys. Thanks for taking my question here. Maybe we’ll change it up a little bit, and David, I’ve got a question for you. Very helpful commentary just on sort of directionally how to think about net new ARR here in the second-half, but just for everybody’s benefit, I was wondering if you wanted to put a finer point on net new ARR. How should we be thinking about modeling net new ARR for this year? And is it fair to say that based on the commentary so far, is it fair to say that that doesn’t include too much benefit from the CrowdStrike outage?
Dave Bernhardt
Yes, that’s a great question, Saket, so thank you. When I think about ARR, I think we successfully stabilized net new ARR growth in Q2, which is what we said we would do last quarter. We outperformed our expectations by double-digits on the back, as Tomer said, of improved execution, strong underlying demand, and really our platform solutions, which have continued to have a positive response in the market.
Like we said last quarter, the H2 growth trends were poised to improve and that was before any cyber event that happened with CrowdStrike. We’ve been driving better outcomes. We were already expecting better than typical Q2 to Q3 growth, which we’ve guided accordingly. We’ve had better execution. We’ve had better pipeline retention and I think what’s probably most important on this is, if you just think about it kind of how our revenue increase has gone up as well.
We’ve moved to the higher end of our range and I think that shows the positive growth we’re expecting in the second half. That all being said, our outlook is — there are benefits that may come from customers coming to us from CrowdStrike or from the events that have happened, but our guidance isn’t dependent on it.
Operator
The next question is from the line of Shrenik Kothari with Baird. You may proceed.
Shrenik Kothari
Thanks for taking my question. So Tomer, I mean you highlighted the partnership with CISO, which delivers oral government-wide cyber defense and that seems to be pretty meaningful, so how does the platform capabilities firstly align with the requirements of the agencies? And can you elaborate on the significance of the partnership and the potential implications that would have on the growth opportunity in the federal market overall, if you can provide some more color? Thanks.
Tomer Weingarten
Of course. These types of deals, and I would say, in the same vein, the security — cyber insurer coalition that we build, these are long-term very wide-reaching partnerships that we put out there. They unlock themselves gradually and over years. And same goes for the CISO partnership. The ability to deliver and secure private clouds, private environment, on-premise environment is quite unique for SentinelOne.
I think that’s why we also have this great fit with what the federal government actually needs. When you think about our Data solutions, these are just massive cost savers for these agencies, but I would encourage everybody to think about these partnerships as things that unlock themselves over time and gradually grow. There’s no one shot to take everything. This is something again that spans millions and millions of endpoints and we unlock it over time.
The way we look at it is just the ability to really lock down market share over years, and that goes towards our partnership with Google, transitioning away from the incumbent solution that they’ve been working with and into the next-generation solution with SentinelOne and same goes with our other IR partners, the cyber insurers, anybody from Aon to Chubb, all of them are providing their customers the option to go with SentinelOne and especially better premiums and better risk posture. So all in all, these are strategic partnerships that will unlock more market share and success for us in the years to come.
Operator
Next question comes from the line of John DiFucci with Guggenheim. You may proceed.
John DiFucci
Thank you. Tomer, you were already in the process to change go-to-market, you have a new CRO, I guess, any thoughts on redirecting that due to the recent issues with the CrowdStrike outage? And on a related point, I think last quarter, you said you weren’t in a chase to invest in marketing, but given what looks like opportunity for you, has that approach changed due to these events?
Tomer Weingarten
Not so much. We’ve been very aligned to go after net new business generation, which coincides really well with what happened. So the majority of what we do has always been focused on acquiring new customers and this is not very dissimilar from that. We are getting more honed in on our channel ecosystem. There’s no question that this is where — we’ve been very, very strong. We’ve had a very wide-reaching partner ecosystem and now we’re there for them as they engage some of these customers that are rethinking their security decisions.
So I think if anything, this is just more of an accelerant to a strategy that we already had in the past, but now we got the discipline to go after it. We got the systems, we got the processes, and that is obviously, incredibly helpful and very timely.
Operator
The next question is from the line of Rudy Kessinger with D.A. Davidson. You may proceed.
Rudy Kessinger
Hey, thanks for taking my question. I guess, Tomer, in the prepared remarks, I think you mentioned you had already maybe displaced a few CrowdStrike customers since the outage and then some different kind of comments throughout the call here. You said, look, sales cycles could take nine, 12 months, Dave, you said the second half outlook really isn’t dependent on any boost from CrowdStrike.
So I guess I’m just trying to get similar to Saket, kind of a — somebody else who asked the question, not Saket, but just could you really quantify over the last five to six weeks have — can you directly attribute any material piece of your new business to customers who ex that CrowdStrike outage would not have signed contracts with you? I’m just trying to get a better sense of what’s been the impact to-date and your expectation for a potential positive impact the rest of this year.
Tomer Weingarten
Yes. Look, I’m not going to delve into how material and not material it is. We still have quite a lot of book of business regardless. That said, there have been customers that have been switching away. There have been customers that have decided and the switch to us, I hope, will happen quite soon. So it’s all really work in progress, if you may. But these are marquee customers sometimes. So what the level of impact that would have and in what exact timeline?
I mean, I’m not sure I can tell you right now. Customers need to test. Customers need to ensure interoperability. Customers need to come up with deployment plans. If anything, we’ve learned from this is that you just don’t want to move too fast, especially not with such a important pieces of software for critical infrastructure. So all in all, I think I’m very encouraged by the conversations. We’re not pushing towards any timeline.
Once again, we work at the pace of customers. We’re there to support them. We’re not there to ambulance chase. If somebody shows up at my hospital, I’m darn well going to let them in, but we’re doing this at the pace of customers.
Operator
The next question is from the line of Peter Weed with Bernstein. You may proceed.
Peter Weed
Thank you. I think one of the things you’ve been emphasizing and for several quarters has been kind of the increasing proportion of growth coming from new customers, which is obviously, really exciting for potential of future growth. But can you help us, I guess, maybe on two dimensions? One is just give us some comfort that that’s not just because of the continued deceleration in growth of existing customers.
So where is that kind of trailing 12-month NRR sitting now and that kind of line-of-sight to potential expansion in the second half? And I guess the other side is, in those new customers, is that coming from like an increasing number of incremental lands? Is that coming from expansion and the size of those new customers? Maybe give us some color on the profile that’s driving that really nice track record.
Tomer Weingarten
Sure. Look, expansion — the expansion motion for us has been healthy since I can remember and it remains healthy. Consistent with last quarters, this is very much an expansionary territory. So I think we continue and grow our business with existing customers. Our customers are incredibly happy, just jump into Gartner Peer reviews and read what they say. So to me, that’s an opportunity that’s there. It’s within our control. We’re unlocking it at the pace that we determine. But as we mentioned, the focus is on new accounts. The focus is on adding more folks into our customer state and that’s exactly what we’re doing and it comes either with new accounts on endpoints.
And mind you, there’s still 50% of this market for endpoint protection that’s up for grabs. So there’s a lot of growth to be had in the endpoint market, but also with net new lens on cloud and net new lends on our AI-SIEM product. So all-in-all, you see emerging getting stronger, but not — our emerging business getting stronger, but not just stronger because we cross-sell and upsell to existing customers, but also because we lend net new with some of these emerging capabilities, which is by design.
And this is exactly the balance that we’re trying to strike. I mean, we’re trying to go and expand our customer state as much as possible while we continue and develop that motion for cross-sell and upsell. At the end-of-the-day, if you have a finite set of sellers and you can decide which opportunities they go after, right now, we’re deciding that the dominant part goes after new account capture.
Operator
The next question comes from the line of Brad Zelnick with Deutsche Bank. You may proceed.
Brad Zelnick
Great. Thanks so much for taking the question. Tomer, I wanted to follow-up on an earlier question about architecture, and specifically, what if anything you’re expecting of Microsoft’s upcoming Cyber Summit on September 10th, what changes do you envision that they might make so that the industry never sees, 8.5 million Windows endpoints go down again. And how might any of those changes impact SentinelOne and perhaps your competitive positioning? Thank you.
Tomer Weingarten
It’s a good question. And I think what everybody needs to try and kind of keep in the back of their mind is that the KeRnel discussion is not a new discussion. Microsoft have been trying to move away from broad-based keRnel access for the past 10 years, if not more. There’s actually been — as far as I can recall, at least three different distinct initiatives to move away from the keRnel, all of them have failed. So on one end, I’m encouraged that this discussion is being revisited. On the other hand, I think the problem is so convoluted that there is a good degree where we find ourselves either in a multi-year transition best-case or again with something that might prove to be more complex to achieve and it will take even longer than that.
But all in all, SentinelOne has always been an advocate of the best possible outcome for customers. If we can and we’ll get the APIs that are needed and the channels that are needed to move away from the KeRnel and completely have the same level of visibility that we have today, we will absolutely do that. Much like we moved away from the KeRnel on Mac OS, much like we moved away from the KeRnel in Linux, and in the cloud, I think we would welcome if Microsoft had standardized the ability to monitor the system. But again, this is a much broader question than just security providers and their access to the KeRnel.
Past attempts by Microsoft have revolved around trying to build an app ecosystem and permission-based controls on Windows, that has not really happened or transformed the way that the Windows operating system works. And generally, I think that the Windows operating system proves again and again that it is quite fragile, and I think that is the bigger issue at hand. And I think that when you think about it that way, the level of refactoring that might need to take place with the operating system, I think, is going to be substantial.
And I also think that for some other vendors that have KeRnel access, if they need to get out of the KeRnel, given the kind of intrusive amount of code that they put into the KeRnel, they would also be facing significant refactors. So I think it’s early days and time will tell. But I’m hopeful that there’s going to be constructive discussion.
Operator
The next question comes from the line of Adam Tindle with Raymond James. You may proceed.
Adam Tindle
Okay. Thank you. Tomer, one of the highlights this quarter was you reached positive non-GAAP net income for the first time ever, and congrats on that. If I’m listening though to Dave’s closing comments in his prepared remarks, it does sound like you’re maybe beginning to reevaluate the trade-offs in growth and profitability certainly seems to make sense given the market is now more wide-open than ever.
But I guess the question would be if you’re potentially asking shareholders to go through an investment journey with you, be helpful to give visibility into your thought process on that, sort of the key factors that would go into your analysis on that decision, any parameters that you might put on the magnitude of potential investment? Thanks.
Tomer Weingarten
First of all, we have guidance and we follow guidance, and I think that kind of sits our entire philosophy, our entire constraint base, and how we think about the growth journey. Our comments are just in a world where you can choose to invest or not invest, we want to make sure people understand there is a massive opportunity. This is a $100 billion TAM. We got the leading technology in the market. So obviously, I don’t think our shareholders want to see us back away or back down by any degree. With that, we have committed to an envelope and we’re sticking to that envelope.
I think that’s all we’re trying to say here. The opportunity is big. I think as we look at what we can potentially unlock in kind of the out years, that’s always going to have to be balanced with our journey towards profitability. But I don’t think you’re going to see us veering away from the path that we’ve set. If anything, I think it’s just on the pace of acceleration towards profitability. If you can imagine a world where we would invest less in growth and show more profitability, I think what we’re just trying to let folks know is that this is the balance. What you’re seeing from us is the balance is what we feel is responsible and is what we’re following.
Dave Bernhardt
Yes. I would add to that. In the end, we’re just weighing on long-term growth potential with delivering solid, responsible, and profitable financial profile. When you look at the annual guidance, it’s 15 percentage points of year-over-year margin improvement, and we just — all we really did was condense the range that we already had for EBIT.
I think we went from negative 2 to negative 6 to negative 3 to negative 5. So we’ve honed in on a range, but we’ve maintained a range to preserve flexibility if there is investments that we feel will add to growth for next year. So that’s really the message we wanted to deliver to everyone. There’s a great opportunity and we may take advantage of that.
Operator
The next question is from the line of Gray Powell with BTIG. You may proceed.
Gray Powell
Okay, great. Thanks for taking the question, and congratulations on the good results. So look, I know you’ve had a lot of questions on the CrowdStrike outage, if it’s okay, I’d like to just ask one more. On the marketing side, just how aggressive are you being there following the incident? And do you have any specific programs in place to target Crowd customers who are potentially upset following the outage, like anything like a free six to 12-month limited trial period to ease the transition costs or just anything else that you’re doing that could maybe help you leverage the situation? Thank you.
Tomer Weingarten
As I mentioned, we’re just trying to be there for customers. Obviously, there’s a lot of activity with our partner ecosystem, which is natural, but we have not devised any specific takeout programs. We don’t feel like that’s warranted or needed. We want to make sure that people understand the difference in architecture. So I think we put a lot of literature and collateral around the differences between the platforms. We’re trying to educate folks.
I think more than anything, we’re just trying to make sure that people understand the kind of the ground truth of what happened. There’s a lot of attempts to create alternative narratives. We’ve seen some appalling attempts to try and threaten customers publicly. We’re, obviously, just trying to stay true to our North Star, which is no resilience marketing, staying true to facts and I think that we’re doing it here once again.
Operator
That concludes the question-and-answer session. I would now like to turn the call over to Tomer Weingarten, CEO of SentinelOne, for closing remarks.
Tomer Weingarten
Thank you, everybody. Appreciate your time today.
Operator
That concludes the SentinelOne Second Quarter Fiscal Year 2025 earnings conference call. Thank you for your participation. You may now disconnect your line.
Read the full article here