使用警語:中文譯文來源為 Google 翻譯,僅供參考,實際內容請以英文原文為主
Operator
Good evening. Thank you for attending the SentinelOne Second Quarter 2022 Earnings Conference Call. (Operator Instructions) I would now like to pass the conference over to your host, Doug Clark, Head of Investor relations with SentinelOne. Thank you. You may proceed.
Douglas G. Clark - Head of IR
Good afternoon, everyone, and welcome to SentinelOne's earnings call for the second quarter of fiscal year 2022 ended July 31. With us today are Tomer Weingarten, Co-Founder and CEO; Nicholas Warner, COO; and Dave Bernhardt, CFO. Our press release and the shareholder letter were issued earlier today and are posted on our website. This call is being broadcast live via webcast. And following the call, an audio replay will be available on the Investor Relations section of our website. Tomer, Nick and Dave will begin with prepared remarks, and then we'll open the call for questions.
Before we begin, I would like to remind you that during today's call, we'll be making forward-looking statements regarding future events and financial performance, including our guidance for the third fiscal quarter and full fiscal year 2022 as well as certain long-term financial targets. We caution you that such statements reflect our best judgment based on factors currently known to us and that actual results and events could differ materially.
Please refer to the documents we file from time to time with the SEC, in particular, our S-1 and our quarterly report on Form 10-Q. These documents contain and identify important risk factors and other information that may cause our actual results to differ materially from those contained in our forward-looking statements.
Any forward-looking statements made during this call are being made as of today. If this call is replayed or reviewed after today, the information presented during the call may not contain current or accurate information. Except as required by law, we assume no obligation to update these forward-looking statements publicly or to update the reasons actual results differ materially from those anticipated in the forward-looking statements, even if new information becomes available in the future.
During this call, unless otherwise stated, we will discuss non-GAAP financial measures. These non-GAAP financial measures are not prepared in accordance with generally accepted accounting principles. A reconciliation of GAAP and non-GAAP results is provided in today's press release and in our shareholder letter. These non-GAAP measures are not intended to be a substitute for our GAAP results. The financial outlook that we provided today excludes stock-based compensation expense, which cannot be determined at this time and are therefore not reconciled in today's press release.
And with that, let me turn it over to Tomer Weingarten, CEO of SentinelOne.
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Welcome, everyone, and thanks for joining our first earnings call as a public company. This is the start of an open and informative dialogue. We value trust and transparency, and I'll have the opportunity to model this as a public company. And since this is our first earnings call, I'd like to give some background on our journey and how we got here. I will then turn it to Nick and Dave to provide some highlights from our most recent quarter and outlook.
We launched SentinelOne in 2013 with the idea that cybersecurity incorporated faster speeds, greater scale, higher accuracy and most importantly, do this through more dimension. We created an autonomous cybersecurity platform to deliver our vision. Attacks and threats are only becoming more sophisticated and more common, and legacy solutions and human defenses just can't keep up. Look no further than all the ransomware attacks. Unfortunately, this isn't new, and it isn't going away, and it's impossible to ignore.
Our mission to protect our customers and our way of life has never been more important in a digitized world. There are several structural forces at play that will drive long-term and sustained growth for us and our industry. The growing threat landscape is just one of them. Next is the digital enterprise environment, more devices, more places, more data, requires updates to critical enterprise infrastructure, and that includes new attack surfaces such as containers and workloads.
At the same time, we've moved to a hybrid work environment. This is the new normal, forcing the evolution of how we work, where we work from and fundamentally how we secure the future of work. The only way to ensure safety and security is with 0 trust across the entire enterprise, from endpoint to cloud. Companies want partners and platforms, not siloed point solutions. Our open XDR approach is helping unify the entire enterprise view from data to device to cloud.
Putting all of this together, cybersecurity has never been more critical and more challenging for the enterprise. That gives me tremendous confidence in the long-term growth potential in front of SentinelOne.
Over the last 8 years at SentinelOne, we've developed AI and machine learning models, built patented Storyline technology and created an in-house cloud data platform. We knew from the beginning that the best solution would have to harness the power of data and AI. And as a result, we're delivering real-time industry-leading threat detection and response from endpoint to IoT to cloud. To us, prevention is the fundamental component of modern day cybersecurity. Equally critical is machine speed detection, response and remediation.
We've achieved many important milestones already this year. Certainly, the IPO is part of that. At the same time, top scores from MITRE ATT&CK, the industry standard test for EDR, as well as the highest score in the Gartner Critical Capabilities for each buyer type has helped build credibility and industry recognition. Operationally, we've expanded our Board of Directors and instituted an Advisory Board. And with an eye to the future, we just announced that we'll be opening an R&D facility in the Czech Republic to support our growing scale and global presence.
Finally, delighting our customers. I'm especially proud that our Net Promoter Score, or NPS, has risen every single quarter in the past year. It jumped in Q2 to above 70. That puts us well above the ranks of many consumer and technology companies and ahead of category-defining technologies loved by users such as the iPhone. Our customers choose us as their cybersecurity partner, and we take the responsibility and trust seriously. We're helping our customers stay ahead of our adversaries, prevent breaches and autonomously respond through innovation.
Turning to the business. In Q2, our ARR growth accelerated to 127% year-over-year, and our revenue was up 121%. I want to pause on that for a second. Our business is expanding well into the triple digits both for ARR and revenue, and our guidance for Q3 shows that we expect that to continue. Our growth is very well balanced across new and existing customers as well as large and midsized enterprises. Enterprises represents about 2/3 of our business today, and we're gaining even more traction.
In Q2, we added the highest number of customers with ARR over $1 million compared to prior quarters. We're also expanding with existing customers through securing more devices and services, along with bringing new security control and visibility modules. Our net retention rate was the highest it's ever been at 129%. Our channel partners are bringing us into an increasing number of opportunities, giving our sales teams access, scale and reach around the globe. Nick will talk a lot more about our differentiated go-to-market and how that's fueling growth.
I'm proud of the technology and the innovation we're bringing to customers through our Singularity XDR platform. We sell 3 platform tiers, Core, Control and our most comprehensive and popular tier, Complete. These tiers enable us to bring our technology to a diverse set of buyer types and organizations, from medium-sized businesses all the way to the world's largest Fortune 500 enterprises.
We also offer more than 10 modules that extend our platform value to more enterprise needs, from IoT discovery and security to cloud and container workload protection. Our modules help customers with today's critical management, protection and visibility challenges. In Q2, we enhanced our capabilities around automation, 0 trust and data.
First, automation. Automation is key to neutralizing threats effectively and in real time. Security teams simply can't analyze and respond to billions of events every day. The response piece is especially important. A human-powered 1-10-60 benchmark is a legacy model. Our customers want real-time response and protection. This is why our patented Storyline technology is so important. It monitors and contextualizes all events across an enterprise at machine speed. That means fewer and more accurate alerts based on data. It also means autonomous remediation, taking machine-delivered responses to a whole new level of automatic efficiency.
The Chief Information Security Officer of a Fortune 500 oil company captured it well saying, "SentinelOne's Storyline technology fundamentally changes EDR. Instead of people having to manually assemble data points, the technology assembles stories for us and even makes decisions in real time. Game changer."
We listen to our customers, adding even more automation capabilities. In Q2, we added Storyline Active Response, or STAR. With STAR, security teams can now create custom detection and response rules and deploy them in real time. In other words, write the rules once and let it trigger automatic alerts and instant responses enterprise-wide. That's more control and more automation and more prevention.
The second area of focus is around 0 trust. Every edge of the network must be secured. We did this in 2 ways in Q2, tackling rogue IoT devices and expanding 0 trust partnerships. An enterprise can protect what it can see, including IoT and unmanaged devices. One compromised printer can quickly become an adversary's home base for an attack. The solution for the IoT and unmanaged device challenges our Ranger module. Ranger identifies and corrects all rogue IoT devices, and we've just released auto deploy.
Our new auto deploy capability tackles one of the oldest problems in enterprise IT, quickly deploying protection to unmanaged and sometimes unreachable assets with ease. Ranger auto deploy takes a SentinelOne endpoint and enables it to transmit protection to any and all unmanaged devices surrounding it. This is a first, and we're already seeing demand for auto deploy, which helped secure $1 million customer win in Q2, where we replaced legacy AV in one of our other major next-gen competitors.
We also expanded our marketplace ecosystem through new partnerships with Zscaler and Cloudflare. Partnering with other 0 trust leaders strengthens our customers' security postures.
Finally, we're focused on data. Cybersecurity is fundamentally a data problem. We use AI to parse petabytes of data, identify anomalies and autonomously mitigate attacks in real time. Earlier this year, we acquired Scalyr, enhancing our ability to ingest index-free data at scale from structured and unstructured sources. Our goal is to optimize for scale, performance and cost. We're excited about the future go-to-market synergies. We've also begun transitioning our data back into Scalyr for new proof-of-concept deployments, onboarding new customers at scale.
Before I turn it to Nick and Dave, I want to say I'm excited about what we've achieved as a company. I'm proud of the scale of our business and the triple-digit growth rates we've now delivered for 2 consecutive quarters. This is truly a testament to the hard work of the entire team at SentinelOne. Thank you to all of our employees and also our customers and partners. Your feedback and trust puts us in the winning side of cyber warfare every day.
I'm even more excited about what we can do from here. The endpoint security market is large and growing, and we're just at the beginning. Cyber defense should be even more holistic. It has to be flexible and automated. And that means not just across endpoint operating systems but also IoT devices, servers, cloud workloads and the data itself. This is XDR. We are XDR.
And with that, let me turn it to Nick Warner, our Chief Operating Officer.
Nicholas Warner - COO
Thank you, Tomer, and I'd also like to welcome everyone. I've been at SentinelOne for over 4 years now. Everyone here has a lot to be proud of, especially how quickly we scaled in just the past year alone. We've built a go-to-market flywheel of sales and marketing, our channel and technology partners. Together, our brand and market traction is reaching new highs.
Let's discuss the business. ARR of nearly $200 million and growing 127% is nothing short of astounding. Looking back, it took over 3 years to reach $100 million in ARR and just 3 quarters to nearly reach the next $100 million. Our future is unbounded. That's because of vision, execution and listening to the needs of our customers. Over 5,400 customers use our Singularity XDR platform. That's over 2,000 more than last year.
I'm delighted to help protect that many businesses. Our customers are diverse in size, scope and geography. Our focus on automation, speed and accuracy is critical to any enterprise -- in fact, all enterprises. We're protecting even more mission-critical businesses. In Q2, we added one of the largest telecommunications and mass media companies in North America. And we also added one of the world's largest global financial institutions as well. Make no mistake, this is a competitive market. We go up against incumbent and next-gen players all the time.
When I think about how we're doing in the market, 3 things capture it most effectively: one, our 97% gross retention rate, which means our customers are happy and staying with us; two, we don't compete with our channel partners. So they are able to lead with our technology platform. We enable and embrace the channel; and three, we win more than 70% of POCs against the competition. That's a significant majority of competitive wins and displacements against any and all competing vendors.
Let me share some more details from the quarter. We're making tremendous progress with large enterprises, which represent about 2/3 of our business. We grew customers with ARR over $100,000 by 140% versus last year. We added the highest number of million-dollar ARR customers this past quarter. In the past year, we've more than tripled the number of customers with ARR over $1 million. It's clear from both of those points that we're succeeding with larger customers and landing in larger deals.
Our net retention rate was 129%, a new record for our company, fantastic execution from our sales and go-to-market teams. We're helping customers expand agent deployments, access more functionality with package tiers and adopt new module solutions.
When it comes to our modules, our innovations help enterprises do more. Just looking at our modules that cover IoT, cloud and data, these grew more than 6x year-over-year in Q2 and represent over 10% of the quarter's new business. We're still early with our modules and see this as a long-term lever for our business.
Next, I'll share some insights on our go-to-market. Our internal sales and support teams, combined with our diverse and growing partner ecosystem, gives us an incredibly vast reach. Earlier this year, we rolled out a new channel partner training and accreditation program. Feedback has been positive, and we've issued over 2,000 accreditations to date. Our strong channel metrics are leading pipeline and traction indicators.
We partner with managed security service providers, MSSPs; managed detection and response providers, MDRs; and incident response, IR, partners. We equip them with industry-leading capabilities. And in return, we get tremendous market access and scale. We don't compete with them. We support and enable their business. We're rapidly expanding this ecosystem, and it's driving meaningful growth for us.
I want to double-click on our incident response partnerships. Driven by the rising wave of ransomware attacks, breaches have become pervasive for businesses around the world. In the unfortunate but often common case of a company being breached, IR partners are called in to identify and remediate the attack. They use our technology to understand what's going on, stop the attack and remediate the network. Our ecosystem of IR partners are armed with the best technology available when it comes to rapidly recovering from a breach.
After seeing the immediate value of our technology, we see extremely high adoption rates post breach as post-breach enterprises standardize on SentinelOne as a modern approach to cybersecurity. In Q2, we added over a dozen additional IR partners and are bringing more online in Q3 and beyond. It's not just quantity but quality.
In Q2, we added world-renowned IR partners like Kroll, Alvarez & Marsal and Group IB. These and others are global leaders with extensive enterprise relationships. These are the go-to experts who cyber insurers and Boards call when there is a breach. In fact, our IR partner ecosystem is our fastest-growing channel. For all of us at SentinelOne, our values and goals align on protecting customers and putting them first. From sales to support, marketing to channels, business development to customer success, Vigilance MDR to SentinelLabs, our go-to-market organization is world class. And I'm proud to work with this global team of relentless Sentinels each and every day.
Thank you. And let me turn it over to Dave Bernhardt, our CFO.
David Bernhardt - CFO
Nick, Tomer, thank you. And thank you all for joining us today and hopefully in the future. I'll touch on a few of the highlights before we open for Q&A. There's a lot more detail in our shareholder letter, which I welcome you to view on the Investor Relations section of our website. We are very excited about our performance in the second quarter.
Looking at our Q2 results. We achieved record revenue of $46 million, increasing 121%. Fueled by new customers and existing customer expansion, we delivered ARR of $198 million in the quarter, accelerating 127% year-over-year. Even after backing out the $10 million in acquired ARR from Scalyr, our organic growth was still well into the triple digits. Obviously, we're very enthusiastic about our top line drivers.
Now I'll discuss our costs and margins and then provide our guidance outlook. Our non-GAAP gross margin in Q2 was 62% and expanded 900 basis points, a healthy pickup from last quarter. The biggest benefits are coming from our increasing scale and business expansion. Additionally, we're also starting to see benefits from our renegotiated cloud hosting agreement, which we signed earlier this year to align with our expected growth.
Looking at the rest of our P&L. We're investing for growth, and it's clear that it's working, once again reflected in our triple-digit top line growth rate. During the quarter, we made strategic investments in preparation for becoming a public company, enhancing our product and scaling our go-to-market.
Our non-GAAP operating margin was negative 98%, an improvement over negative 101% in the year-ago quarter, even as we prepared for our IPO. In the shareholder letter, we've reiterated our long-term margin targets. These are the same targets that we shared during the IPO. The key point is that as we progress to our long-term targets, we intend to invest in growth while also improving our margins and profitability.
A recent example is the diversification of our R&D footprint outside of Israel and Silicon Valley. We just announced that we'll be expanding our engineering excellence into the Czech Republic. With all of this opportunity in front of us, fiscal 2022 remains an investment year.
Now for our outlook for Q3 and the full fiscal year. In Q3, we expect revenue of $49 million to $50 million, reflecting growth of 102% at the midpoint. For the full year, we expect revenue of $188 million to $190 million or 103% growth at the midpoint. We expect the strong momentum we saw in Q2 to continue next quarter and our structural tailwinds to persist. Combined with ongoing benefits from our product innovation, improved brand awareness and continuing to scale our go-to-market, this collectively supports our triple-digit growth outlook.
We expect Q3 non-GAAP gross margin to be between 58% to 59% and full year gross margin of 58% to 60%. Most importantly, this remains well above 53% we reported in the first fiscal quarter this year and at or above 58% we delivered in fiscal 2021. We are benefiting from increased scale, cloud hosting agreements and processing efficiency gains.
Reflected in our guidance is our plan to migrate existing customers to our Scalyr back end in Q3 and Q4. The migration will result in some duplicative storage and processing cost as we ensure data and performance continuity. This is intended to further improve data processing for the future and unlock long-term platform and go-to-market synergies. Excluding the redundant costs for the Scalyr migration, we estimate fiscal 2022 gross margin would be roughly similar to our gross margin we achieved this quarter.
Finally, for operating margins, we expect negative 96% to 99% in Q3. Our full year operating margin guidance is for negative 99% to 104%. This is an improvement upon our fiscal year 2021 operating margin of negative 107%. We see tremendous opportunity for growth, and the investments we're making today will put us in a position to succeed for the long term.
Finally, we have 2 quick housekeeping items. Both of these are included in the shareholder letter with more detail as well. The first item is share count. We ended Q2 with total basic shares outstanding of 265 million. This is the base run rate going forward. The second item is the lockup. We have 2 triggers. The first is on September 28. If the stock price remains at current levels, it will unlock up to approximately 40 million outstanding shares as of July 31, 2021, excluding vested equity awards. The remainder of the lockup will expire subsequent to our Q3 earnings report.
In closing, Q2 was an excellent quarter with strong execution, and we're expecting that momentum to continue into the second half of the year. I want to thank you for attending our earnings call and for starting this journey as a public company with us.
Operator, can you please open up the lines for questions? Thank you.
Operator
(Operator Instructions) The first question is from the line of Hamza Fodderwala with Morgan Stanley.
Hamza Fodderwala - Equity Analyst
Congrats on your first quarter post IPO. Just on -- maybe a question for either Nick or Tomer. I wanted to dig into some of the partnership announcements you guys have made in recent months, particularly with Zscaler and Cloudflare. What do you think -- one for Tomer. To what extent does that validate your technology given that you're partnering with other next-gen vendors on the network security side? And then from a go-to-market perspective, for Nick, what type of incremental benefit will these partnerships bring?
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Yes. Thanks for the question, Hamza. And for us, it's really about really stepping forward towards a more inclusive open XDR approach and also kind of producing a more 0 trust ecosystem around the SentinelOne Singularity platform, really fusing together endpoint, which is kind of the edge of the network, with the cloud and now identity and the user as well. To us, that's really the trinity that forms 0 trust, and that's why we're partnering with these vendors. Obviously, we find them in more and more accounts that we sell into. So that also becomes something that our customers are asking us to do.
So all in all, I mean, it just really kind of falls in line with both of our 0 trust strategy and our open XDR approach. And the idea is, over time, to continue and ingest more data from all these adjacent solutions in the enterprise into our open XDR platform. So to us, again, it really falls into the strategy that we took by enabling our customers to pick any vendor and really build on top of the Singularity platform.
Nicholas Warner - COO
This is Nick here. From a go-to-market perspective, what it means for our customers is we really allow them to realize even greater ROI on previous solutions that they purchased. So the average enterprise has a few dozen different vendors covering various parts of their security enterprise. And with our vision of XDR being open, being inclusive, being easy to use, what we're really doing is up-leveling the capabilities of those traditional and already installed products, adding tremendous value with the Singularity platform but leaving that all in together to a complete and holistic view of security, which is really the promise that we're delivering upon with XDR.
Operator
The next question is from Brian Essex with Goldman Sachs.
Brian Lee Essex - Equity Analyst
Congratulations on another really nice quarter of acceleration here. Maybe, Tomer, I would love to get your feedback on -- I think in your prepared remarks, you talked about 2/3 of your business is enterprise focused. What was the mix in the quarter? And what do you anticipate going forward for large enterprise mix? I see that landed cost per new logo is certainly much higher than it was last quarter. So just trying to think about the trajectory there and maybe the most fundamental thing that changed in the quarter to drive that improvement.
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Yes. For us, it really is a good mix. I mean we feel like our traction in the enterprise -- and definitely 140% growth year-over-year on $100,000 deals and above is a good reflection of how much bigger we're landing in accounts. 225% on $1 million deals, again, a good reflection of our traction in the enterprise. But at the same time, we feel presence in the mid-market is important, and it's something that actually is a very efficient go-to-market for us.
So we like that mix. We feel it's a good mix for us. We'll continue and drive it. Definitely on the enterprise side, we're seeing more lands with our Complete tier, actually, with more attached to Ranger, more attached to Vigilance, more attached to Data Retention. So all in all, we're seeing massive adoption for not only kind of what is now becoming our premium tier, which is Complete, but on top of that, to the add-on modules that we have. And we intend to do the same also on the mid-market where we enable our channel ecosystem to carry more than just endpoint protection and sell also cloud security. So all in all, we feel that the mix is a healthy one and one that we would like to carry into the future.
Brian Lee Essex - Equity Analyst
Got it. Maybe just a quick follow-up for Dave. I mean you mentioned real quick the duplicate costs associated with the Scalyr migration. When might we see that abate and maybe the margins might be able to maybe better accelerate off the conclusion of that?
David Bernhardt - CFO
Sure. It's predominantly in the second half of this year. So you'll see it in Q3. You'll see it in Q4. And then it should dissipate beyond there. We're working on getting our largest customers over first, which is why you see the dip that we're expecting in the second half. But going forward, we think we should have a baseline of around where we're at right now, barring any other efficiencies we see in the product as we continue to advance it.
Operator
The next question is from Saket Kalia with Barclays.
Saket Kalia - Senior Analyst
I echo my congrats on becoming a public company. Tomer, maybe for you. I was wondering if you could just talk a little bit about kind of the broader distribution channel a bit. I guess the question is, how do you sort of judge the scale of your channel? And where do you see it kind of going in the next year coming off the IPO?
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Yes. It's a great question because we look at our channel in a very inclusive manner. We definitely kind of look at the distribution channel, reselling channels. The ones that are a little bit more classic to security is one that we're incredibly strong in. And at the same time, the ability to also take the same platform, license it to MSP providers gives us a tap into a complete different part of the TAM. And as Nick mentioned in the prepared remarks, our ability to now sign up most of the incident response providers, most of the leading incident response providers in the U.S. is providing for another channel that kind of expands the gamut of what we see in terms of market opportunities.
So all in all, we feel pretty good about our market presence in the channel ecosystem. We're growing. We're making more accreditations. We're training the channel better. We're expanding globally. So to us, I mean, we feel like we built a really strong foundation in the channel. But now they're just growing and accelerating and obviously, enabling the channel. Preparing more modules is another tier in our ability to unlock the vast opportunity in the channel ecosystem.
Nicholas Warner - COO
What I -- this is Nick here. What I'd also add to that is uniquely with SentinelOne, we've made strategic decision to enable and not compete with the various multidimensional channel partners out there, whether that's MDRs, MSPs or incident response partners, obviously, as well as your traditional resell partners. And what that's really driven, by enabling their business and not competing, is incredible loyalty and brand loyalty with SentinelOne. And that's something we've been working really hard on for the last several years. So we're really starting to see that flywheel kick in, in all the different facets of our go-to-market channel partner ecosystem.
Saket Kalia - Senior Analyst
Got it. That's really helpful. David, maybe for my follow-up for you. Tomer just sort of talked about this just briefly on the last question. But I was wondering if you could just double-click a bit on the mix of customers across the different Singularity tiers, specifically Core, Control and Complete. What are you sort of seeing in terms of new customers and existing customers in terms of the tiers that they're sort of opting for?
David Bernhardt - CFO
Sure. So about half of our customers still use Core or Control with the larger enterprise customers, obviously, using the Complete solution. And there's a mix across all of them, but there's certainly an opportunity for us to continue to see the customers in Core, Control to expand up to the more Complete offering as well as add more modules, et cetera, et cetera. I think that goes into why you're seeing 129% NRR. We're seeing customers not just expand their footprint in terms of endpoints but also expand into much more robust offerings.
Operator
The next question is from the line of Rob Owens.
Robbie David Owens - MD & Senior Research Analyst
Great. I think building a little bit on Saket's question, but I wanted to touch on the net dollar retention rates. And is this coming from an expansion in seats? Is this coming from the tiers that you talked about and the upsell within the base? Or is a lot of that growth coming from adjacent modules?
Tomer Weingarten - Co-Founder, Chairman, President & CEO
It's actually all of the above. And we definitely focus on basically providing the customer the choice. License counts naturally organically extend over time. We see that time and time again. But at the same time, it's very clear that we have much more in the back today versus maybe a year ago, and customers want to procure more from SentinelOne. They want to cover more surfaces. They want to use more abilities. They're opting up for our services.
So all in all, we're seeing traction all across these 3 different vectors, which will be, again, seat count expansion, more modules, different tiers. We see that time and time again, and we like that net retention rate. I mean we feel it's going to hover around these rates for kind of the foreseeable future, and we like that contribution.
Robbie David Owens - MD & Senior Research Analyst
And as we look at customer acquisition, typically, who are you going up against? So are you still seeing a lot of replacement of legacy out there, which would imply that there's still a long way to go in this market? Or is the battle coming down to more of the next-gen providers?
David Bernhardt - CFO
Yes. No, I think it's 99% displacing an incumbent. It's always going to be competitive with at least one other next-gen competitor. But outside of that, I mean, we are doing displacements here and there. Very anecdotal. But we have those. But the vast majority of what we see, it's absolutely taking market share from the incumbent. It's always a displacement. We've had multiple years long customers of Symantec and McAfee switching over to SentinelOne this quarter as it has been with the past quarters as well. So we think the market momentum in customers understanding that they need to change the mindset and really move over to a next-gen offering is now really mainstream, and I think that comprises the vast majority of our pipeline.
Operator
The next question is from Brent Thill with Jefferies.
Brent John Thill - Equity Analyst
Tomer, you mentioned IoT, cloud and data center seem really good uptake. I'm curious if you could just talk through how you look at the next couple of years in this segment and what you're seeing. I know you mentioned one of the IoT wins drove $1 million-plus win. Can you just maybe help shape what's happening when these transactions are getting involved and what you're seeing with overall expansion of deals?
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Absolutely. Ranger for us has become truly a competitive advantage. Our ability to not only discover all devices on the network but now also to automatically deploy and help customers reach all these devices in a complete automatic manner is something that is incredibly unique in the space, and it's driving more adoption and driving more seat count. And all in all, it drives this ability for customers to shift away from their incumbent vendor with ease. So it's not only about protecting those attack surfaces. It's also about ease of deployment and simplicity of use.
So we're seeing massive traction with that. We're seeing the ability for almost every customer that we have today to go in and provide by that functionality. It's 0 additional deployment. It's completely cloud delivered. So it's incredibly easy to consume. Again, Ranger is one of our fastest-growing modules.
And same goes for Data Retention. We're now seeing -- think about the White House Executive Order that mandates low collection, data retention. The ability to keep security data endpoint telemetry for longer is actually fueling customers to procure more and more data retention and archiving directly from our platform. It's something that's highly unique to us, definitely part of the reason why we've expanded our offering and now with Scalyr as a data analytics back end. So the ability to really address all of these new opportunities in cybersecurity that might have not been there a couple of years ago are now not only an opportunity but also a competitive differentiator that we have.
Operator
The next question is from Tal Liani with Bank of America.
Tal Liani - MD and Head of Technology Supersector
Congrats on a great quarter. I have a few questions. I want to speak about competition. Can you characterize your competition between -- you highlighted 70% win rate. Can you characterize the competition? How is it going versus legacy players? And what drives corporates that were on legacy system for a long time, what drives them now to migrate? And then also the competition versus the new players like CrowdStrike and others. And if you can talk about your -- you spoke about product differentiation, but I want to talk about the value of automation, how is that coming to play and also pricing differences. We're hearing that you're quite cheaper than the competition, next-gen competition.
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Yes. I believe for us, it's really about the holistic approach we're taking that allows us to win both against incumbents and against next-gen peers. The ability to give a full spectrum solution, a full-spectrum platform that ranges from best-of-breed prevention all the way to detection and response and remediation, all of that in a complete, uniform, autonomous manner. It's a big difference from what the others are doing in this space.
We feel like for a lot of these customers, I mean, they're growing more and more frustrated by this need to constantly put down fires. And for us, I mean, if you take a more prevention-first approach, you can actually stop these fires from actually ever happening, and that just drive efficiencies. And I think if you're looking at all these incumbent vendors and incumbent footprint, obviously, there's a massive amount of breaches there. Even for the next-gen peers, I mean, we're seeing a lot of their customers.
And we've had a multimillion-dollar displacement this quarter for a customer that grew increasingly frustrated with the multiple infections, with inefficiency on protecting server environments, and they wanted a more automatic solution. They wanted a solution that can actually remediate and clean up all the infections that we're seeing, but at the same time, turn into more of a preventive approach where I'm not saying that you can prevent everything, but you can absolutely do a better job on prevention and really stop that firefighting mode or improve it significantly.
And that is what our platform is incredibly unique in. That's the advantage of AI and machine learning. And I think that's the reason why we're winning both against incumbents that don't only provide the protection piece but also think about hardening, think about anti-tampering. These are all things that our platform can cover today. It's incredibly holistic again in nature. And once again, when you look at the peers, they're focused on detection and response. That's what they do. They bundle service with it. For us, it's about technology. It's about creating a more secure endpoint in the most holistic way possible.
Tal Liani - MD and Head of Technology Supersector
Got it. And about pricing, is it -- is being cheaper than next-gen competition the strategic goal for you? I mean how do you characterize your pricing versus competition?
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Yes. I don't think we're cheaper than the competition. I think if you look at it apples-to-apples, you'll see that the prices are pretty much similar. I think we take a different approach. I think we take a much more transparent approach, and we don't force customers to opt into tiers. We don't force them to use our service. So all in all, I mean, they can actually choose what they want to procure from us. But again, apples-to-apples, I think you'll see that prices are very, very similar. I don't think we're cheaper by any degree.
Nicholas Warner - COO
One thing I would add to that -- this is Nick here. From a budget perspective, what we don't try to do is hijack a customer's security budget into forcing them to buy reams of services hours to support a nonautomated product. What we're bringing is automation and machine learning, ease of use, and really we're democratizing very advanced technology. What that enables customers to do is achieve the outcome we're driving for them and our prospects and customers, which is protection and prevention.
And so from an apples-to-apples perspective, we're typically at or higher from a technology perspective, but we enable customers to best put that money to use buying technology and more importantly, really implement that technology fully to get the best protection and visibility on the planet.
Tal Liani - MD and Head of Technology Supersector
Great. I have a quick one, if I can squeeze in. If not, I'll ask you privately. CrowdStrike highlighted on the last call that they won Workday from you, and they highlighted false positives and reasons why they said that this customer switched to them. I think it's just fair to ask the question, if you can refer to their statements and announcements on this customer.
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Yes. I mean I think it's something that you'll see anecdotally happening. I mean we've had in excess of $1 million ACV displacement this quarter as well for a Fortune 500 company, and they cited the same. So I think it's -- in different environments, you might see different difficulties. I think a lot of it is sometimes about relationships. But I think what's incredibly interesting about the customers that we've displaced is the reference they made to the amount of infections they have to deal with, which to us is really why you're bringing in the cybersecurity solution. You want to prevent these infections from happening.
So to us, I mean, false positive performance, it's always something that you deal with. I mean they deal with that. We deal with that. It's something that you'll deal with that forever. But again, infection is something that's unacceptable. And I think that's why you see customers at scale, again, multimillion-dollar ACVs shifting away, and that's kind of what we see in the space today.
Nicholas Warner - COO
And this is Nick here. Time and time again, what we've seen for several years now is folks go with SentinelOne for really a unique combination of prevention, OS coverage and support, automation and then lastly, as Tomer has mentioned, efficacy. So our ability to protect, to prevent and to keep our customers safe.
Operator
The next question is from Andrew Nowinski with Wells Fargo.
Andrew James Nowinski - Senior Equity Analyst
Congrats on a very good quarter. Just 2 quick questions for you. A number of vendors are talking about the start of another firewall refresh cycle. But given the comments you've made today, it sounds like you're indicating that we're also at the start of an endpoint refresh cycle and -- as more enterprises rip out their aging legacy solutions. So I'm just wondering if that's the right characterization of the strong demand that you're seeing. Or do you think the ransomware attacks that we've seen over the last 9 months, maybe fueling the momentum? I'm just really trying to get a feel for how long this exceptionally strong momentum can continue.
Tomer Weingarten - Co-Founder, Chairman, President & CEO
I think it's a combination of quite a few factors. I mean definitely some tailwinds. I mean some -- the hybrid work environment, and two, refresh sales cycles to increased need of abilities to the government pointing out EDR solutions is one that should become mandatory in environment. So I think there are many different drivers to what we're seeing right now in endpoint security.
And I think the road is long. And I think what really is important to understand about our platform is we're much more than endpoint security. So for a lot of these new accounts that we're winning, the net new logo motion that we have is already going into other adjacencies in the enterprise, whether it's IoT security or cloud security. So it's not only the endpoint refresh cycle. It's actually something that drives an overall look at your entire cybersecurity posture. And we're becoming the trusted partner for these enterprises to actually continue and grow up and down the stack and in different surfaces.
So all in all, I mean, it drives, I think, a complete overhaul of the cybersecurity stack. I wouldn't call it necessarily a refresh cycle just because they're assuming different secular trends that are pushing it toward just modernized environment and the ability to extend into every part of what is now a completely flexible parameter versus the parameter that we've seen in the past. It was mainly kind of firewall bound. Today, that's completely dissolved. Today, it's device to cloud. And that's really what's driving massive motion in our market.
Nicholas Warner - COO
I think what we're seeing really is best characterized as a generational shift away from signature-based approaches to machine learning and automated driven protection and visibility. And that's what we're experiencing. We're still in early innings, but it's massive. It's macro and it's global.
Andrew James Nowinski - Senior Equity Analyst
That's great. And just my follow-up question. As it relates to some of the $1 million ARR customers that you landed, I'm wondering if you could just give us any more color in terms of maybe how many agents those deals typically involve or how many modules they typically purchase. I'm just wondering, ultimately, how much of an opportunity there is at those customers for additional purchases down the road. Are they buying everything and maxing out their purchase on the initial purchase to get to that $1 million-plus spend? Or is there a big opportunity with those going forward?
Tomer Weingarten - Co-Founder, Chairman, President & CEO
We feel it's far from it, and it can vary significantly. We definitely see the ability to expand into other footprints in the enterprise in almost every account that we land. We're also putting more and more modules. Just last quarter, we actually added 2 new modules into our roster and portfolio of capabilities.
So all in all, we feel pretty good about our ability to continue and grow in these customer accounts, both in terms of covering more footprint but also in terms of selling more modules. We're definitely seeing better adoption for our Ranger module, as I mentioned. But again, we've got so many different abilities right now. And we're seeing the beginning and the first innings of traction with a lot of our newer modules. And it's kind of a gain that we saw, a film that we already saw, and we see it growing over time. So all in all, the potential is quite significant.
Operator
The next question is from Patrick Colville with Deutsche Bank.
Patrick Edwin Ronald Colville - Research Analyst
So sequential ARR grew $37 million, if I'm not mistaken. Just a kind of housekeeping item. I presume Scalyr -- that closed in the first quarter, right? So that $10 million you called out of inorganic ARR fell in 1Q, right? So that $37 million that you guys did this Q was all organic. Is that right?
David Bernhardt - CFO
That's correct. We got $9 million ARR when we acquired Scalyr. It's now $10 million. Our focus with Scalyr has obviously been on implementing the technology, not on really pushing our go-to-market. That's something we'll advance once we get it completely tied into the SentinelOne back end. So yes, $36 million of the $37 million.
Patrick Edwin Ronald Colville - Research Analyst
Sorry, just for clarity, so that $10 million was in 1Q and [there's 0 for 2Q].
David Bernhardt - CFO
$1 million incremental between Q1 and Q2 for Scalyr. So we acquired them at $9 million. They're currently $10 million.
Patrick Edwin Ronald Colville - Research Analyst
Okay. That's great. Can I just, I guess, follow on about the competitive environment. I mean how has going public helped in the enterprise or I guess landing kind of VAR partners or SI partners? Is -- has the, I guess, the publicity and the profile of being a public company kind of assisted in that? Or is it actually kind of very similar to what you guys are already seeing pre-IPO?
Tomer Weingarten - Co-Founder, Chairman, President & CEO
I think we're definitely seeing an elevation of the brand, and we're definitely seeing more market presence. I think the tack that we choose to be very transparent about what the company does is dispelled, I think a lot of the misinformation that was there around us in the market, mainly fueled probably by competition. So for us right now, we feel better traction, we feel a better competitive environment, more at that for sure.
And that's not only fueled by our IPO but also our great performance in the Gartner Magic Quadrant, where we were singled out as a vendor with the most critical capabilities out of every vendor out there for any buyer type. I mean that just comes to show that from prevention and all the way to detection, response and remediation, our platform today holds the most capabilities out of any other platform out there.
So all in all, I think, again, multiple factors come into play, the IPO shining a spotlight on all of them. And now we're seeing, I think, just increased and accelerated traction across the board, both in partners and with customers, with sales cycles and with competitive win rates.
Operator
The next question is from Shaul Eyal with Cowen.
Shaul Eyal - MD of Communications, Security & Infrastructure Software and Senior Analyst
Congrats, guys, on the strong debut quarter. Dave, when we think about your Czech Republic R&D facility, is that driven by global lack of talent? Is it driven by higher R&D costs in the West Coast or in Israel? Or is it pretty much all of the above? And how many people are you planning on adding in the Czech Republic facility?
David Bernhardt - CFO
Sure. So we obviously look for global talent everywhere. One of the reasons we're looking at Czech Republic is because they do have an excellent amount of [talent in terms of security assets]. We don't have this in the U.S. So we're going to continue to look for areas where we can advance, what we need in terms of driving our products and our innovation. Obviously, there are areas that are economically more viable in terms of growth strategy. So we're going to continue to monitor that, and we'll do that for the foreseeable future.
Shaul Eyal - MD of Communications, Security & Infrastructure Software and Senior Analyst
Got it. Got it. And maybe a question on cohort analysis, if it's not too early. Can you talk to us maybe from a quantitative or maybe just from a qualitative perspective on the LTV of cohorts over the past few quarters now, I want to say even a few years, specifically on the heels of the fact that your deals greater than $1 million have been fantastically on the rise as of late?
Nicholas Warner - COO
This is Nick here. So we really think about growing the business from a new logo perspective as well as land and expand. If someone asked a question on that, the answer is yes, we're doing both. What we're seeing, and Tomer talked about this, is with the tremendous innovation, introduction of new modules, new surfaces to protect, new problems to solve, we've seen huge land-and-expand opportunities. And in fact, 50% of our customer base is running our Core or Control package. We can upgrade those folks to Complete. We have many modules to cross-sell and upsell.
What we're also finding is at time of sale for new customers, they're traditionally landing with a Complete package with other modules as well. So we're really seeing a combination of both of those things driving our average deal size, our NRR, our retention. All of those things are up into the right for really those reasons.
I think the last thing I would leave you with is just echoing sort of overall market momentum, awareness and adoption of technology like SentinelOne is really taking leap in a big, big way. And so that's also driving a lot of the adoption.
Operator
The next question is from Roger Boyd with UBS.
Roger Foley Boyd - Associate Analyst
I guess relative to the net retention result, you called out the success with tiers and modules. Wondering if you could talk about the impact of cloud workload protection, where you think you are on that opportunity and any sense of the penetration that, that product has with customers today.
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Yes. We're looking definitely to expand more and more into cloud security. And specifically, when we talk about cloud security, we talk about workload protection platform and broadband protection. Today, I think we've shared that it's already about 10% contribution into our revenue is coming from the cloud and server protection piece that we sell. We're seeing more and more traction in cloud security. And to us, we also continue to bolster the capability set there.
We've added CIS benchmarking capabilities just a couple of quarters ago, and we're seeing better and better reduction. We've introduced cloud workload protection platform as an integral part of the AWS marketplace, and that drives adoption as well. So all in all, we're definitely seeing an opportunity. That's almost completely greenfield there. And we feel like a lot of our customers are coming back to us now that they're starting to transition into the cloud, and they're deploying into their Kubernetes environment, into native cloud environment. We actually have a product that is completely agentless that's been tapped into the Kubernetes control plane and immediately cover all containers.
So all in all, we feel well positioned to continue and capture market share in the cloud workload protection platform space. And to us, again, if you couple that with the platform approach, with everything coming back to the same security data lake, then you really start unlocking synergies. And you allow security teams to really ask a question once and get an answer from every part of their enterprise network that spans from the endpoint to the cloud, and that becomes a very unique proposition.
Operator
The next question is from Alex Henderson with Needham.
Alexander Henderson - Senior Analyst
Great. That was a great question from Roger, but I wanted to go into a slightly different angle on the cloud architecture that you bring. Certainly, selling to the IR partners and selling to other MSSPs and the managed direct people, you end up having to integrate them into your platform. Can you talk a little bit about the degree that your cloud structure, your ability to integrate micro services, your cloud-native characteristics give you a differential advantage? And to what extent that partnership integration makes your partners more sticky over time and amplifies that loyalty?
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Yes. For sure. And our platform is 100% cloud native. I mean we started in the cloud. I mean it's something that is today built in a complete multi-tenanted way, which is actually something that's relatively unique in our space. And it's also what enables these partners to basically deliver their services in a much more effective manner. So they get up and running in seconds. They get a complete cloud tenant for themselves. They immediately deploy using our discovery and deployment services. And then they leave the platform there for us to come in and monetize.
And once again, all of that is 100% pure cloud motion, which not only enables speed, but once again, ease of use, ease of deployment, which just turns out to be a much more efficient model than the platforms that they've been using in the past, which obviously were more on-prem down. So to us, again, being completely cloud native, being multi-tenanted is the competitive differentiator we have for that part of the market. But also, you can probably -- probably see the same type of buying motion in the enterprise as well, where conducting a POC, deploying the platform is becoming easier and easier in all in the cloud delivered fashion.
Alexander Henderson - Senior Analyst
I realize we're running long here, but I wanted to add a second question. Could you talk a little bit about your hiring plans and sales -- what type of capacity you see going forward in terms of your adds for the next couple of quarters? And then what's the availability look like? And what does the cost look like? Are we seeing escalation in the prices of labor? And are there enough people out there to fulfill your needs?
David Bernhardt - CFO
Yes. We're definitely investing for growth. It's an enormous opportunity out in front of us. So we're going to continue to invest and build and grow our go-to-market team, our sales reps, sales engineers, channel managers, really investing in our go-to-market engine. But at the same time, what we've been also able to yield is increasingly greater sales efficiency. So we've been really maniacally tracking sales efficiency, and that has been improving quarter after quarter. So we're going to actually have each quarter a bigger sales team that is also more efficient, helping us continue to drive growth.
But the last thing, and this is not to be underestimated with our unique go-to-market business, is that multidimensional channel that we talked about, massive sales forces at various channel partners in the MDR space, MSSP partners, IR partners, traditional resellers and distributors. And so that's the right way to think about our global field presence, is adding all of those folks up and understanding that each time we're adding a partner behind that are hundreds of sales reps doing 2,000-plus accreditations to date. That's really building that flywheel, but we're absolutely going to continue to invest in our own SentinelOne personnel as it relates to go-to-market.
Alexander Henderson - Senior Analyst
And on the cost and availability?
David Bernhardt - CFO
What we're finding, and this sort of goes back to a question before around some of the benefits that we've seen with our IPO, is that, that brand recognition doesn't just extend to channel partners and customers. It importantly extends to the best talent in the market. And so our ability to get really, really good folks who can hit the ground running, bring tremendous yield, that's enabling us to have great attraction and appeal to get the best talent in the market.
Operator
I would now like to pass the call back over to Tomer Weingarten, CEO of SentinelOne. Thank you. You may proceed, Mr. Weingarten.
Tomer Weingarten - Co-Founder, Chairman, President & CEO
Thank you, and thank you all for joining us today, and we look forward to talking to you again in the near future. Thanks a lot.
Operator
That concludes the conference call. Thank you for your participation, and enjoy the rest of your day.