Cyber Talk-7 From Antivirus Killer to AI Security Platform: The SentinelOne Story-I
Why SentinelOne
In the history of cybersecurity, only a handful of companies have ever crossed $1 billion in annual revenue. SentinelOne is one of them. To get there, they must have done something right.
First, a Metaphor
Imagine your office building has two security models:
The first is an old-school guard who carries a binder of mugshots. Every time someone walks in, he flips through it: have I seen this face before? Is it on the list? If not, they’re in. The problem is obvious: a criminal just needs a new disguise, a face that’s never been flagged, and they walk right through.
The second is an AI guard who never looks at a list. Instead, he watches behavior. Where did you go after you came in? What did you touch? Did you try to open a door you had no reason to open? Did you show up at 3am with a bag? The moment anything looks wrong, new face or not, he locks you down on the spot, then quietly puts everything you touched back exactly the way it was. No call to management. No waiting. Automatic.
Traditional antivirus software is the first guard, running on a database of known virus signatures, comparing every new file against the list. SentinelOne is the second, using AI to analyze behavior in real time, resolving threats in milliseconds, without any human in the loop. That distinction is the entire company.
The Founder’s Story
Tomer Weingarten grew up in a small Israeli town with few resources, and found in computers a kind of creative escape. In second grade, he met his future co-founder Almog Cohen. Through their teenage years, they built things together, took things apart, and developed a shared obsession with software and hacking.
At 24, Tomer sold his first startup and walked away with serious money. Then he did something almost no one does: he spent it all on purpose. He wanted to stay hungry. He wanted to stay foolish enough to build something genuinely big. That something became SentinelOne. Before founding the company, Tomer had served as VP of Products at Toluna, which had acquired his startup Dpolls, and co-founded a publisher monetization platform called Carambola Media, where he was CTO. He was not a first-time operator. He knew what he was getting into.
In 2013, he and co-founders Almog Cohen and Ehud Shamir launched SentinelOne around an idea that sounded almost reckless at the time: security software shouldn’t just observe threats. It should stop them and fix the damage the moment they happen, automatically, without waiting for a human to intervene.
In an October 2025 episode of the Inside the Network podcast, Tomer recalled the early conviction: “When SentinelOne launched in 2013, most endpoint vendors were still focused on signature-based antivirus. The idea of autonomous, behavior-based prevention powered by AI sounded like science fiction.” He chose to wait for the market to catch up to his judgment, rather than bend the judgment to fit the market.
That willingness to hold a contrarian position, for years, if necessary, runs through everything SentinelOne has done since.
The Timing: Why 2013
Walk into any large enterprise’s IT department in 2013 and ask how they protected against hackers. The answer was almost always the same: we have antivirus software, and we update the definitions every day. It was a reasonable-sounding answer. Tomer Weingarten thought it was a myth waiting to collapse.
The logic of traditional antivirus was elegant in its simplicity: fingerprint every known virus, store the fingerprints in a database, check every new file against the list. Flag what you recognize. Let through what you don’t. This model had run the industry for two decades. McAfee, Symantec, Norton: their combined market caps ran to tens of billions of dollars, all built on the same foundational assumption.
The problem was that the assumption had a fatal crack: it only worked if attackers used weapons you’d already seen. And real attackers never stop inventing new ones.
Ransomware, zero-day exploits, fileless attacks: these threats shared one defining characteristic. They had never appeared in any signature database. Against them, the most expensive antivirus on the market was functionally equivalent to a locked screen door.
Tomer didn’t need a research report to understand this. He had worked across enough technology companies, watched enough security incidents play out, heard enough stories of organizations that had done everything right by conventional standards and still got breached. His conclusion was simple: the rules had changed. The tools were still speaking the old language. His answer was to invert the entire logic.
Stop asking “is this file on the list?” and start asking “is this program behaving like a threat?” Track every process in real time: what files is it accessing? What servers is it trying to reach? What permissions is it running under? The moment behavior turns suspicious, respond immediately. It doesn’t matter whether the file has ever been seen before. Block it. Remediate it. Don’t wait for a human to make the call.
In 2013, that idea sounded like science fiction. Almost no one in the endpoint security industry was taking it seriously. Tomer decided to bet on it anyway.
Early Validation: An Accidental Debut
The first few years were a grind. The product was being built. The funding was coming in, slowly. But the market hadn’t been convinced yet. SentinelOne was running proofs of concept with a small handful of companies, operating out of a borrowed office in Mountain View, held together by conviction and not much else. Then one day, everything exploded, in the best possible way.
“We arrived at the office to find our emails bombarded and the phones going off the hook,” Tomer recalled. A well-known streaming entertainment company had been quietly testing SentinelOne’s product. One of their employees, in an offhand conversation with a Forbes reporter, had said something they didn’t plan to say publicly: “You know those antivirus things? They’re garbage. They’re going away. We’re using this thing called SentinelOne and it’s going to replace all of them.” No press release. No PR campaign. No advertising budget. Just a real user, in an unscripted moment, saying exactly what they believed.
“If the market is already showing this kind of pull,” Tomer said later, “then what we’re doing is probably on the right track.” It was confirmation they didn’t expect, in a form they couldn’t have manufactured.
The Funding Journey
The market signal reached investors too. In 2013, Data Collective committed $2.5 million in seed funding, a bet on what looked, from the outside, like a pretty audacious idea. In 2014, Tiger Global Management led a $10 million Series A. After that, the rounds came faster and the numbers grew larger with each cycle. The Series D landed at $120 million in 2019. Then 2020 arrived, a pandemic year that simultaneously disrupted everything and accelerated enterprise spending on security. SentinelOne closed a $200 million Series E, then followed it with an additional $267 million round, pushing its valuation to $3.1 billion.
Then came June 30, 2021. The day the entire cybersecurity industry sat up and took notice. SentinelOne priced 35 million shares at $35 each, raised $1.2 billion, and watched its stock jump 21% on the first day of trading — closing with a market cap above $10 billion. By valuation, it was the largest cybersecurity IPO in history, surpassing CrowdStrike’s $6.7 billion debut in 2019. The ticker symbol was “S.” One letter. It had belonged to Sprint before the telecom giant’s merger with T-Mobile, and somehow landed in SentinelOne’s hands as if reserved for the occasion.
Standing on the floor of the New York Stock Exchange that day, Tomer told CNBC: “We maintain an incredible win rate across every competitor out there.” It wasn’t bravado. It was a statement of record.
The Product: How Singularity Works
SentinelOne’s core product is called the Singularity Platform, and the name is a mission statement as much as it is a brand. The idea: every security capability, in one place, running as a unified system. To understand it, you need to understand EDR, Endpoint Detection and Response.
An endpoint is any device connected to a company’s network: every laptop, every server, every smartphone, every virtual instance in the cloud. EDR’s job is to continuously monitor everything happening on those devices, every process running, every file being accessed, every network connection being made, and respond the moment something goes wrong.
SentinelOne’s differentiator comes down to a single word: automatically. The platform’s “Storyline” technology continuously maps the relationships between processes and behaviors across every endpoint. The moment a threat is detected, it isolates the attack, kills the malicious process, and restores every file that was modified back to exactly the state it was in before the attack happened, all without waiting for a human to notice, assess, escalate, and respond.
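A toy version of the behavior-first check described in the previous section and the automatic kill-and-rollback this paragraph credits to Storyline, added here as an illustration; it is not SentinelOne’s code and not from the original post, and the rule weights, process events and file contents are all constructed:

```python
"""Toy behaviour-based endpoint monitor (added illustration, not SentinelOne code).
Instead of asking "is this hash on the list?", it scores what each process does
and, past a threshold, kills the process and restores every file it touched from
a snapshot taken before the activity began. Rules, events and data are constructed.
"""
from collections import defaultdict

KNOWN_BAD_HASHES = {"deadbeef"}  # constructed signature list for the old model
# rule -> (distinct pieces of evidence needed, score contributed); assumed weights
RULES = {
    "modify": (8, 4.0),          # many distinct files rewritten
    "rename_locked": (4, 3.0),   # files renamed to an unusual extension
    "backup_delete": (1, 5.0),   # any attempt to delete a backup
}
THRESHOLD = 6.0


class Monitor:
    def __init__(self, files):
        self.files = dict(files)       # live state: path -> content
        self.snapshot = dict(files)    # pre-activity copy used for rollback
        self.touched = defaultdict(set)                      # pid -> paths
        self.tally = defaultdict(lambda: defaultdict(set))   # pid -> rule -> evidence
        self.killed = set()

    @staticmethod
    def signature_verdict(proc_hash):
        """Old model: only a previously fingerprinted binary is blocked."""
        return proc_hash in KNOWN_BAD_HASHES

    def score(self, pid):
        return sum(w for r, (n, w) in RULES.items() if len(self.tally[pid][r]) >= n)

    def remediate(self, pid):
        """Kill the process and put every file it touched back to the snapshot."""
        self.killed.add(pid)
        for path in self.touched[pid]:
            if path in self.snapshot:
                self.files[path] = self.snapshot[path]
            else:
                self.files.pop(path, None)  # a name the process created
        return "remediated"

    def observe(self, ev):
        """Apply one process event; return 'ok', 'ignored' or 'remediated'."""
        pid, kind = ev["pid"], ev["kind"]
        if pid in self.killed:
            return "ignored"  # a killed process has no further effect
        if kind == "modify":
            self.files[ev["path"]] = ev["data"]
            self.touched[pid].add(ev["path"])
            self.tally[pid]["modify"].add(ev["path"])
        elif kind == "rename":
            self.files[ev["new"]] = self.files.pop(ev["path"])
            self.touched[pid].update({ev["path"], ev["new"]})
            if ev["new"].endswith(".locked"):
                self.tally[pid]["rename_locked"].add(ev["new"])
        elif kind == "backup_delete":
            self.tally[pid]["backup_delete"].add(ev["path"])
        return self.remediate(pid) if self.score(pid) >= THRESHOLD else "ok"


def demo():
    """Constructed scenario: a never-seen binary rewrites and renames documents."""
    docs = {f"/home/u/doc{i}.txt": f"plain{i}" for i in range(10)}
    m, events = Monitor(docs), []
    for p in docs:
        events.append({"pid": 42, "kind": "modify", "path": p, "data": "ENC"})
        events.append({"pid": 42, "kind": "rename", "path": p, "new": p + ".locked"})
    return m, [m.observe(e) for e in events]
```

In the constructed run the binary’s hash is not on the signature list, so the old model lets it through, while the behavior score trips on the eighth rewritten file, the process is killed and the seven renamed documents are restored without any analyst involvement.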
Back to the building metaphor: it doesn’t just catch the intruder. The moment the alarm triggers, it also puts every object in the building back where it was before they came in, as if the break-in never happened. This capability is built across several interlocking product lines:
Singularity Endpoint is the foundation, core endpoint protection across Windows, macOS, and Linux. The original product, and still the entry point for most customers.
Singularity XDR is the wide-angle lens. It extends visibility beyond individual devices to cloud environments, identity systems, and network traffic, stitching together threat signals from across the enterprise into a single coherent picture of an attack in progress.
Purple AI is the translator. Security analysts no longer need to write complex queries or dig through raw logs. They ask Purple AI questions in plain language (what unusual processes ran in the last 24 hours? Where did this IP address come from?) and get back answers with context, not just data. At RSAC 2026, SentinelOne released Purple AI Auto Investigation in general availability: analysts can now trigger a complete, cross-source forensic investigation with a single click. Work that used to take hours or days now takes minutes.
Singularity Data Lake is the warehouse, a unified repository pulling in security data from endpoints, cloud, and identity systems. It’s the fuel that powers the AI, and the foundation that supports compliance requirements.
Singularity Identity guards the interior. Attackers rarely force their way in through the front door. They steal a key, a set of compromised credentials, and walk in quietly, then move laterally through internal systems for weeks or months before doing real damage. The $616 million acquisition of Attivo Networks was built specifically to detect and cut off this kind of movement.
Singularity Cloud (CNAPP) pushes the perimeter outward, extending protection from physical and virtual devices into cloud infrastructure itself, Kubernetes clusters, containers, cloud configurations, all of it now inside the defensive boundary.
The Acquisitions: Building the Platform One Deal at a Time
If the product lines are SentinelOne’s skeleton, the acquisitions are how it built muscle. Each deal targeted a specific gap in the platform, filling it in at the moment it mattered most.
2021: Scalyr, $155 million. Not a flashy deal: Scalyr built high-speed log management infrastructure. But without real-time, massively scalable, fully queryable data, AI is just an empty promise. Scalyr solved the foundational problem of ingesting and retrieving data at any scale. It became the engine underneath the Singularity Data Lake.
2022: Attivo Networks, $616.5 million. The largest bet in the company’s history, and the one that closed the most dangerous gap: identity. Attivo specialized in tracking how attackers move through internal systems using stolen credentials, mapping the lateral movement that traditional endpoint tools never see. With this acquisition, SentinelOne for the first time owned a complete chain of defense from endpoint to identity.
2023: Krebs Stamos Group. This wasn’t a technology deal. The firm’s two founders, former CISA Director Chris Krebs and former Facebook Chief Security Officer Alex Stamos, represented something different: strategic credibility, policy influence, and standing in both Washington and Silicon Valley. While it lasted, it gave SentinelOne something money can’t easily buy.
2024: PingSafe, over $100 million. This filled the cloud-native application protection (CNAPP) gap. Cloud workloads, containers, Kubernetes clusters: these had been outside the platform’s native protective range. PingSafe brought them in, giving enterprise customers a single platform covering both the devices their people use and the cloud infrastructure their applications run on.
2025: Prompt Security, approximately $250 million. This one reveals more about where SentinelOne thinks the next decade is going than any other deal. Prompt Security was built to protect enterprises as they adopt generative AI tools, preventing employees from leaking sensitive data into ChatGPT or Claude, detecting prompt injection attacks, and protecting AI agents from being hijacked. As AI tools become embedded in daily enterprise workflows, the security risk around them is no longer theoretical. SentinelOne moved to own that space before the window closed.
2025: Observo AI. An AI-native real-time data pipeline platform that filters, enriches, and routes security data before it reaches a SIEM or data lake, reducing data volume by up to 80% while keeping complete logs fully accessible. In an environment where security telemetry is growing exponentially, this is the intelligent filter that sits upstream of everything else.
In Tomer’s Own Words
Understanding a company from the outside has limits. Listening to its CEO, particularly in unscripted moments, often tells you more than a hundred quarterly reports.
On AI, his view is cooler than most of his peers are willing to say publicly. At the Notable Capital Conference in November 2025, he put it bluntly: “There is not a single LLM in the world today that is secure by any degree, no matter what people are telling you, no matter what they’re selling you. They are all being exploited as we speak.” His point wasn’t pessimism, it was a warning against premature confidence. “The best AI is the AI you don’t feel. The best AI is one that is totally integrated, totally embedded, and actually completely seamless.” He contrasted this sharply with the trend of bolt-on AI features that companies are layering onto existing products and calling transformation.
At RSAC 2026 in March, he took the stage with something more sweeping to say: “This year, I’ll be talking about a shift that goes far beyond technology, and why the future of cybersecurity is becoming inseparable from the future of civilization itself.” At the same conference, he announced a significant expansion of SentinelOne’s collaboration with Google Cloud, integrating the Singularity Platform’s AI-native capabilities with Google’s global infrastructure and threat intelligence, with a specific focus on helping enterprises adopt generative AI at scale without opening new attack surfaces in the process.
The Competition: Surrounded, and Growing Anyway
SentinelOne didn’t grow to this scale because the market was empty. It grew in the middle of one of the most competitive fields in enterprise technology, against opponents with more history, more resources, and in some cases more market share.
The most direct adversary is CrowdStrike. Founded around the same time, serving overlapping markets, betting on similar technology, building toward similar platform ambitions: from a distance, the two companies look almost like reflections of each other. Up close, their strategic instincts diverge sharply. CrowdStrike is more mature in threat intelligence, proactive hunting, and ecosystem integration, and it runs deep in large financial institutions and government agencies. SentinelOne’s edge lives in autonomous response and offline protection: its agent operates in user space, not the kernel, and keeps defending even when disconnected from the cloud.
That architectural difference became a story in July 2024, when a botched kernel-level update from CrowdStrike brought down 8.5 million Windows devices simultaneously. Airports went dark. Banks stopped processing. Hospitals rerouted patients. The total economic damage ran to billions.
SentinelOne didn’t issue a triumphant press release. It did something more effective: it kept repeating an architectural fact it had been stating for years. Its agent doesn’t touch the kernel. A failure in the cloud doesn’t cascade to the endpoint. The design decision Tomer had made a decade earlier, built in from day one, not retrofitted, became its most persuasive sales asset practically overnight.
As Tomer has acknowledged openly, legacy vendors still hold roughly 50% of the endpoint market. He doesn’t frame this as a threat. “This is a $100 billion market opportunity,” he said. “There’s room for multiple winners.” The incumbent share isn’t a ceiling. It’s a runway.
The Financials: Two Milestones, One Year
On March 12, 2026, SentinelOne reported its full-year results for FY2026. On the earnings call, Tomer used a single word to frame the year: landmark.
“FY2026 was a landmark year for SentinelOne. We achieved a $1 billion revenue scale, growing 22% year-over-year, and delivered full-year operating profitability, a significant milestone towards profitable growth.”
Two firsts arrived simultaneously: annual revenue crossing $1 billion for the first time, and the company achieving full-year non-GAAP operating profitability for the first time in its history. For a 13-year-old high-growth technology company, those two things happening in the same fiscal year signal something specific: a transition from “grow at any cost” to “grow with discipline.” The model is working, and it’s becoming self-sustaining.
The structural numbers beneath the headline tell an even more interesting story. Non-endpoint solutions now account for more than half of total annual bookings. The percentage of enterprise customers using five or more platform modules jumped from 9% to 22% in a single year.
What that means in practice: SentinelOne is no longer just a product customers install. It’s becoming the operating system their security teams build on. That kind of depth creates the kind of retention that can’t be manufactured: customers don’t leave platforms they’ve built into.
Purple AI’s ARR grew at triple-digit rates. Prompt Security’s ARR more than doubled sequentially following the acquisition. Data solutions crossed $130 million ARR. Cloud security crossed $160 million ARR. Each product line growing independently, each one reinforcing the others.
For FY2027, management guided toward $1.195 to $1.205 billion in revenue, approximately 20% growth, and non-GAAP operating income of $110 to $120 million. Growth holding, margin expanding.
What Comes Next: A Double Bet on AI
If you had to distill SentinelOne’s next chapter into a single phrase, Tomer has provided it across multiple stages and conversations over the past year: “AI for Security. Security for AI.”
The first half is the business they’ve been building for over a decade, now entering an acceleration phase. AI-driven threat detection and autonomous response are becoming not just a differentiator but an industry expectation. Purple AI is now attached to more than half of all licenses sold.
The second half is the frontier they’re staking a claim on. As enterprises race to embed generative AI tools into daily operations, AI itself has become a new and largely unguarded attack surface. Employees are pasting sensitive customer data into public AI tools. AI agents are being manipulated through prompt injection into executing unauthorized actions. These risks have moved from theoretical to documented. Prompt Security was the acquisition that put SentinelOne at that frontier before most competitors recognized it was one.
This isn’t just a product roadmap. It’s a bet on a specific reading of history: the companies that define security for a new technology era tend to carry that advantage forward for a long time. SentinelOne is trying to define it for the AI era before the window closes.
The Through Line
SentinelOne’s story is, at its core, about the willingness to hold an unpopular conviction long enough for reality to prove it right.
In 2013, the consensus said signature-based antivirus just needed to be faster. Tomer said the model itself was broken. He waited years for the market to see what he already saw. The ransomware wave made the case for him.
In 2024, a single update decision at a competitor brought 8.5 million devices to their knees simultaneously. An architectural choice Tomer had written into SentinelOne’s foundation on day one, not in response to a crisis, but in anticipation of one, became the clearest possible demonstration of why it mattered.
Now, AI agents are moving into the core of enterprise operations faster than any previous technology wave. New attack surfaces are opening. New rules are being written. And SentinelOne is, again, trying to be there first. As Tomer himself put it: “The moment you stop innovating, you’re dead in the water.” From where things stand right now, they show no signs of stopping.
(In the next article, I will write about the go-to-market strategy part of the SentinelOne story.)
Check my previous Cyber talk articles:
Cyber Talk-1 – From Zero to Wiz: The Fastest Cloud Security Exit in History
Cyber Talk-2 From VPN Killer to Zero Trust Platform: The Zscaler Evolution
Cyber Talk-3: Vanta — How a compliance startup cut audit time by months and cost by 90%
Cyber Talk-4 Beyond Endpoints: How CrowdStrike Reinvented Cyber Defense
Cyber Talk-5 ServiceNow’s History and Next Chapter with cybersecurity acquisition
Cyber Talk-6: Fortinet’s Silicon Moat — $0 to $6.8B with the same founder
This article is based on SentinelOne’s public financial filings (FY2026 full year and quarterly results), SEC disclosures, founder interviews (Inside the Network podcast, October 2025; Notable Capital Conference, November 2025), RSAC 2026 keynote remarks, and publicly available industry sources. Nothing here constitutes investment advice.
*** This is a Security Bloggers Network syndicated blog from Chasing Polaris - Wickey's blog authored by Wickey Wang. Read the original post at: https://wickey.substack.com/p/from-antivirus-killer-ai-security-platform-story-i-wickey-k0gmc