SentinelOne CEO Tomer Weingarten: Google is a better home for Mandiant than Microsoft

Weingarten also told Protocol that he sees ransomware as a “fixable problem” and that major enterprises are increasingly ready to put their trust in AI/ML.

For a company on a growth tear like SentinelOne, the fact that Google, and not Microsoft, will be acquiring one of its major partners is just one of the things that co-founder and CEO Tomer Weingarten counts as a blessing.

While still a small player in endpoint security compared to rivals CrowdStrike and Microsoft, SentinelOne is a challenger they can’t ignore. Revenue surged by 109% during the cybersecurity and data analytics vendor’s latest quarter, reaching $78.3 million — a pretty nice growth rate for a nearly decade-old, publicly traded company.

Its initial public offering last year, meanwhile, valued the company at $8.9 billion and remains the largest cybersecurity IPO ever. There are indications SentinelOne is gaining ground in the endpoint security market faster than any major vendor.

The company got some potentially unhelpful news in February, though. On the same day that SentinelOne announced a partnership with prominent incident response provider Mandiant, Bloomberg reported that Microsoft was in acquisition talks with the cybersecurity powerhouse. That combination would have raised questions about whether Microsoft would prioritize the use of its own endpoint security tools by Mandiant, potentially complicating SentinelOne’s relationship with Mandiant just as it was getting off the ground.

In an interview with Protocol, Weingarten weighed in on Google's eventual deal to acquire Mandiant. He also spoke about the growing enterprise acceptance of AI/ML for security, the central role of extended detection and response (XDR) and why ransomware is more solvable than many realize.

This interview has been lightly edited for clarity and brevity.

You’ve been a public company for more than a year now. Who do you see as your main competitors at this stage, and what is your biggest differentiator from them?

In the endpoint market, clearly it’s Microsoft and CrowdStrike. They're out there with solid products, solid offerings. If you look at what we do differently — which goes back to our roots — it’s that we wanted to build a fully autonomous platform that would actually detect and disrupt attackers in real time, with no human intervention. That's how we designed our platform. We knew it could only happen on the back of monitoring every workload in the enterprise environment, and we started with endpoints. Then we apply artificial intelligence or machine learning to create real-time responses that are based on algorithms, not based on humans trying to sift through alerts.

Endpoint protection is obviously our core market. But we also have cloud workload protection as an adjacent surface in the enterprise. Then we also have identity protection, which comes off the back of the acquisition that we just did of Attivo Networks. So we play in three different [markets] within security. We also have a complete data analytics [offering] with nearly 400 customers.

In terms of Microsoft, how do you see its growing focus on its own security business impacting the cybersecurity industry?

I think their strategy doesn't serve the security industry, and security, period. I think that if they took the amount of effort that they're putting on building security products for revenue-generating purposes, and they put it into actually solving for vulnerabilities, improving their own product security — we would all be in a much, much better place.

You’re not unbiased of course.

Even before Microsoft came into endpoint security, in earnest, I was saying the same thing [about Microsoft vulnerabilities]. Back then, I think we saw the same things.

Given your partnership with Mandiant, would it have been a concern for you if Microsoft had been the winning bidder for Mandiant, instead of Google?

We work with 150 different incident response providers. So Mandiant is just one of them. We have KPMG, we have Kroll. We're the technology stack that enables them to deal with breaches. All in all, I'm just glad for the Mandiant team, that they'll be able to scale their business and what they're doing.

[But] another way of looking at it is, just look at how Google is treating that acquisition. Basically they're saying, "Mandiant is here to work with all security providers." I'm quite certain that if Microsoft had acquired Mandiant, that's not the message that you would hear. It would be much more of a closed-garden approach.

You mentioned your AI-focused approach as a differentiator from your competitors. What benefits does SentinelOne’s use of AI/ML bring to security teams?

We have very robust, automated technology that we built over time. And it translates into disrupting and preventing threats, not just responding to threats. I think [threat response] is where you see some of our competitors. That was their focus over the years — building a better response mechanism. With us, you can get rid of your incumbent antivirus, you can get rid of the stack that you had before. And this system that we're giving you does it all. It puts a large emphasis on deflecting attacks autonomously with technology. So to me, this will remain as one of our core differentiators.

Then you can go and really look at the breadth and depth of the platform, [which has] 25 different modules, for everything from endpoint security to endpoint management to mobile security. It's a very broad-based solution. And that in itself is already painting a very different picture for the buyer in the enterprise. Buyers today can buy some of these components from [other vendors], but it's not a holistic platform that does the work for you. Those are components that you're going to have to figure out how to use together. For us, we just tried to put a cohesive fabric in your enterprise. And so far, it's been showing a lot of success.

I hear a lot about the fact that many security practitioners are now very skeptical about AI. What would you say to the AI skeptics out there?

I agree that AI and ML have been completely overhyped. [There’s been] this very romanticized view of what AI and machine learning is — like, a robot doing everything for you. That's not really the case. But when we talk about operationalizing AI and machine learning, I think that cybersecurity is one of the two areas in our life today that is seeing meaningful [results]. Cybersecurity and [autonomous driving technology] are the two areas in operationalized standalone machine learning that are actually delivering some tangible outcomes.

And in cybersecurity, that tangible outcome is the algorithms are able to discern whether something is bad or good, in such a high accuracy level, that they can also take the action. They can also stop something, or allow something else. Let's not get too romantic about it — AI is just the ability to have an algorithm that understands anomalies and is smart enough to make a decision. If it's “operationalized,” that means it's accurate enough. It can actually work. In our case, we secure three of the Fortune 10 and some of the most critical infrastructure out there — [including] federal agencies. And if you think about it, what they're trusting to make all these decisions — what gets in, what doesn't get in — they're trusting the algorithm.

What’s the ultimate potential for this technology?

It's just the beginning. A new paradigm is really needed. And that paradigm really is a very natural evolution of what we've done in EDR [endpoint detection and response] [around securing] laptops and desktops and virtual devices. Now, our job is to extend that to every asset that you have in the enterprise, to allow you to really reimagine your network via the monitoring of all of these devices. And if you can apply machine learning at scale, for every part of the enterprise, and get full visibility of all the assets that you have — that to me is the holy grail of how you reimagine the network.

So you’re talking about XDR?

XDR is the foundational technology and stack that would allow you to gain that control over all of these devices. And then, once you see them — once you get the telemetry, once you know what's in your network — the next step is [to] apply machine learning at scale, so you can now control these devices and protect these devices.

What could this type of approach mean for the battle against ransomware? Is ransomware actually fixable in your view?

I think it's a fixable problem. I think it's also probably a decade-long problem to fix. It will take quite a bit of work. You need to restart your network. You need to enroll your devices and your workloads into something new. [But] we're giving people more and more tools, so they can have that fresh start. That's probably one of the only ways to deal with all the different gaps in the modern network.

I also think that we did make a dent — all of us collectively — in ransomware. Because we changed the M.O. for ransomware out there. Ransomware is now less about shutting down devices. It's more about data exfiltration. So, the attackers have also shifted what they do and how they do it. Because, especially for more modern EDR environments, it's just become tougher to actually encrypt devices and shut down devices. So now they're focused on the user angle. Now they're focused on trying to socially engineer users, and just go after credentials, not after machines — and then exfiltrate data and hold that data hostage, not the machine hostage. Which is a big difference from where it was a year or two years ago.

Looking ahead, what’s on your mind when it comes to the worsening outlook for the economy, and what it could mean for SentinelOne?

In many cases, we sell a complete modernized stack to actually replace the legacy stack and the on-prem stacks that enterprises have. When you buy something from a company like ours, in many cases that actually leads to cost reduction. While it translates to spend with us, it does also translate into cost-saving for a lot of these enterprises. So when you look at some of these folks out there, even in a more tough macroeconomic state, they’re still looking to save, they’re still looking to find ways to reduce cost on data processing.

Obviously, data processing has grown exponentially. The amount of data that needs to be collected and stored for longer periods of time has accelerated significantly. The solutions that were there to house all that data were architected 10 or 15 years ago. Today, you can just opt to [buy] much more cost-effective solutions to house that data. I think a lot of the enterprises are also looking to the next generation of solutions as a means for cost reduction and better efficiency in their own respective businesses. That's obviously very positive for us.

