Taking on the Incumbents: 5 Lessons from Building and Scaling SentinelOne

At ICON's Conference last month, I had the opportunity to sit down with Tomer Weingarten, Co-Founder and CEO of SentinelOne, to discuss the company's journey from ambitious young startup to cybersecurity leader. Since its founding in 2013, SentinelOne has grown to serve over 11,000 organizations worldwide, recently crossing $1 billion in ARR, a milestone that reflects both the company's execution and the massive opportunity in endpoint protection.

Our conversation covered everything from the decision to enter a crowded market to the evolving role of AI in cybersecurity. Here are some of the key insights Tomer shared.

Betting on Disruption in a Crowded Market

When SentinelOne launched, the endpoint protection space was dominated by established players like Symantec and McAfee. Most founders would hesitate to take on such entrenched competition, but Tomer and his co-founder saw an opening.

"We had this innate knowledge that the current solutions aren't really working well, they're not solving any of the evolving issues, and attackers were getting better. The cloud was just getting started," Tomer explained.

The team made a calculated bet: the incumbents wouldn't be able to pivot quickly enough. "These guys are not gonna be able to innovate; the problem set is so different from the technology they have, plus they don't really have the mindset nor the financial incentive to go and basically revamp, re-architect, redo everything they're doing," he said.

That bet has proven correct and cultivated the path for a new generation to emerge. As a decade has passed since that wager, Tomer noted that legacy players still hold roughly 50% of the endpoint market, there's room for multiple winners in a $100 billion market opportunity. It’s a sentiment that’s clearly echoed today in our current AI moment, we are in the early innings and there will be room for multiple winners.

The Validation Moment

Early validation came from an unexpected source. While still in beta, SentinelOne was running a proof-of-concept with a leading streaming entertainment service when something remarkable happened.

"One day, we arrive at our very small office here in Mountain View, and our emails are being bombarded, the phones are going off the hook, everything is exploding in a good way," Tomer recalled. "Apparently one of the folks over at the streaming service gave an impromptu interview to a reporter at Forbes and said, you know, these antivirus things, they're shit. They're gonna go away. And you know, we're using this thing called SentinelOne that's gonna replace all the antiviruses."

The sudden demand confirmed they were onto something significant. "If this is the type of pull that the market is showing, then what we're doing is kind of on the right track," Tomer said.

Building for Resilience

One of the most critical design decisions SentinelOne made was architecting for continuity from the outset, a choice that has become even more important following high-profile outages in the cybersecurity industry.

"When we designed our product, we actually thought about it literally from day one," Tomer explained. "Let’s build an architecture that will work no matter what. So our endpoint component, even if the cloud portion of what we do is totally down, as long as your device is working, your protection should be working and it should be effective."

This architectural resilience has become a key differentiator, particularly for mission-critical deployments. But Tomer emphasized that resilience isn't just about bulletproof technology, it's about planning for failure.

"You can't allow yourself to think that you're never going to fail," he said. "You have to make sure that you're prepared to fail and that when you fail, you fail gracefully. And when you fail, you can recover. And when you can recover, you can recover fast."

The AI Reality Check

While much of the industry is racing to add AI capabilities, Tomer offered a more nuanced perspective on the current state of AI in cybersecurity.

"There is not a single LLM in the world today that is secure by any degree, no matter what people are telling you, no matter what they're selling you. They are all being exploited as we speak. And that's a huge gaping hole for everybody that's adopting AI right now," he said.

For SentinelOne, the approach has been measured. The company has embedded AI capabilities for years, but in a controlled, narrow scope that prioritizes reliability over hype. "The best AI is the AI you don't feel," Tomer said. "The best AI is one that is totally integrated, totally embedded, and actually completely seamless."

He contrasted this with the current trend of bolt-on AI agents: "Everybody's coming in and saying, oh, now I can automate that stuff for you. So basically you're saying, I got this ancient stack of things and now I'm gonna bring best-of-breed AI to go and press buttons in my ancient stack of things. That's not really AI, you know, in my book that's like RPA 2.0."

The desire for AI adoption isn’t going away, it’s only heating up. But what this does create is an even greater need for security as executives want to balance cutting-edge innovation and measured risk with trust and safety.

Staying Ahead

When asked how SentinelOne plans to avoid becoming the old-generation incumbent, Tomer's answer was straightforward: never stop innovating.

"The moment you stop innovating, you're dead in the water," he said. 

The company maintains this edge through continuous R&D investment, strategic acquisitions (recently adding Prompt Security and Observo AI), and actively partnering with emerging startups. "We invest in a lot of startups. That allows us a great vantage point into what's coming next," Tomer told me.

Thanks to Tomer for the candid conversation and to the ICON team for bringing together such a thoughtful community of builders and operators in cybersecurity.