Welcome to BlueOceanCapital’s Newsletter. I write about high-quality businesses that have long runways and are at the inflection points of their growth cycle.
Due to the pandemic, we have seen a rapid shift to digital transformation, accelerating the adoption of cloud technologies across industries. Coupled with the proliferation of mobile devices and IoT (the Internet of Things), this secular trend has increased the opportunities for targeted attacks with a wider range of managed and unmanaged endpoints and identities.
We’re a bit over halfway into 2021, and it has already got to be one of the most eventful years in memory for U.S. and Federal cyber-security. Over the past year, there have been high-profile hacks, massive security breaches, cyber espionage, and ransomware attacks. Recent cyber-security incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline attack were a wake-up call to many. They showed that there are insufficient cybersecurity defenses and that cybercriminals are using increasingly sophisticated methods and coordination in their attacks.
In this deep dive article, I share my views on why Crowdstrike (CRWD) is the top dog in the Endpoint Protection ('EPP') & Endpoint Detection and Response ('EDR') space, how the company stands to gain from this environment and why it'll continue to provide market-beating returns into the foreseeable future.
Index
In this deep-dive we will talk about the following:
Introduction to Crowdstrike
How it all started
Business Model (how does Crowdstrike make money?)
Key metrics
Management quality and culture
Strategic Partnerships
Financials
Competition
Humio, Preempt & TAM
Valuation
Risks
Final Words
Please feel free to jump around, i.e. if you’re familiar with the company you can start straight from Management quality and culture.
1. Introduction to Crowdstrike
CrowdStrike (CRWD) is a leading cybersecurity company protecting customers from all cyber threats by leveraging its Security Cloud to stop breaches (which also is the company's mission statement). With its Falcon platform, the company believes it defines a new category called the Security Cloud, similar to how the cloud has transformed companies like Salesforce and ServiceNow.
Falcon is a SaaS-based, cloud-native platform for endpoint protection that detects, prevents, and responds to attacks. Examples of endpoints are desktops, laptops, servers, cloud workloads, mobile, and IoT devices.
There are two categories: EPP and EDR. This is the difference:
Endpoint Protection ('EPP'): Protecting the endpoint device and its data
Endpoint Detection and Response ('EDR'): Monitoring of those endpoints, recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place.
Product
Falcon platform supports 19 cloud modules via a SaaS-subscription model that spans multiple large markets, including corporate workload security, security and vulnerability management, managed security services, IT operations management, threat intelligence services, identity protection and log management. It had only 10 cloud modules when it IPO-ed in 2019, which shows us the pace at which the company is innovating.
Crowdstrike’s single data model and open cloud architecture enable it and third-party partners to rapidly innovate, build, and deploy new cloud modules to provide their customers with additional functionalities across a myriad of use cases. The platform is designed to be rapidly deployable, easy to use, and extensible. The Falcon platform transforms how organizations combat threats from slow, manual and reactionary to fast, automated, and predictive.
Falcon platform vs On-premise software
For years now, cloud-based software has been eating up the market share of on-premise software. In cybersecurity, we come from Symantec or McAfee, legacy names in on-prem.
So what makes the Falcon platform superior to on-premise software like Symantec and McAfee?
The Falcon platform uses two different approaches to endpoint protection, while on-premise software only uses a single one.
On-premises uses the more traditional IOC tracking (signature-based), while Falcon uses both approaches to protect the endpoints.
Indicators of Compromise (traditional), commonly known as IOCs, are the evidence that indicates that the security of the network has been breached. This is a reactive approach.
Indicators of Attack (AI/ML), commonly known as IOAs, focus on the intent of what the attacker is trying to accomplish. This is a proactive approach, based on AI (artificial intelligence) and ML (machine learning).
To give an example, imagine if you were an officer at the airport helping passengers stamp their passports in the departure terminal. There is a picture of a new wanted man who just got into your list of people to look out for. In the picture, he is wearing a blue shirt, is short-haired, and wears spectacles. Though we try to track and observe these unique characteristics, what happens when the wanted man comes to you but is wearing a different colored shirt, a wig, and not wearing any spectacles? The result? The wanted man gets past you and is able to escape to another country. This is because you were relying on indicators that reflected an outdated profile (IOCs).
However, if the team had used the IOAs approach, they would be looking at characteristics of a wanted man trying to get out of the country. Possible characteristics would be a person behaving suspiciously around the counter, having his eyes on the cameras, and fidgeting constantly, maybe there's even face recognition software involved. This system could identify that the person might be trying to escape the country. In this case, you might have been able to stop the wanted man’s attempt to escape.
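The same contrast in detection terms, as an added Python example (not CrowdStrike's code and not part of the original article): an IOC check matches file hashes from a known-bad list, while an IOA check looks at what a chain of processes is doing. The process names, hashes, events and the behavioral rule itself are all constructed for illustration.

```python
import hashlib


def _h(label: bytes) -> str:
    """Constructed stand-in for a file hash (SHA-256 of a label)."""
    return hashlib.sha256(label).hexdigest()


# IOC feed: hashes of files already seen in an earlier breach (constructed).
IOC_HASHES = {_h(b"constructed-dropper-v1")}

# Hypothetical IOA rule inputs: which images count as document apps / interpreters.
DOC_APPS = {"winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def make_trace(dropper_label: bytes):
    """Constructed process-creation events: a document opens, a script runs,
    a dropped binary deletes the host's shadow-copy backups."""
    return [
        {"pid": 100, "ppid": 1, "image": "explorer.exe",
         "sha256": _h(b"explorer"), "cmdline": "explorer.exe"},
        {"pid": 200, "ppid": 100, "image": "winword.exe",
         "sha256": _h(b"winword"), "cmdline": "winword.exe invoice.docx"},
        {"pid": 300, "ppid": 200, "image": "powershell.exe",
         "sha256": _h(b"powershell"), "cmdline": "powershell.exe -File stage.ps1"},
        {"pid": 400, "ppid": 300, "image": "update.exe",
         "sha256": _h(dropper_label), "cmdline": "update.exe"},
        {"pid": 500, "ppid": 400, "image": "vssadmin.exe",
         "sha256": _h(b"vssadmin"), "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    ]


# Constructed benign trace: an administrator removes shadow copies by hand.
BENIGN_TRACE = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe",
     "sha256": _h(b"explorer"), "cmdline": "explorer.exe"},
    {"pid": 600, "ppid": 100, "image": "cmd.exe",
     "sha256": _h(b"cmd"), "cmdline": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": "vssadmin.exe",
     "sha256": _h(b"vssadmin"), "cmdline": "vssadmin.exe delete shadows /for=D:"},
]


def ioc_matches(events):
    """Reactive check: flag processes whose file hash is on the known-bad list."""
    return [e["pid"] for e in events if e["sha256"] in IOC_HASHES]


def ancestors(by_pid, event):
    """Return the parent chain of an event, nearest parent first."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:  # guard against loops
        seen.add(parent["pid"])
        chain.append(parent)
        parent = by_pid.get(parent["ppid"])
    return chain


def ioa_matches(events):
    """Behavioral check: backup deletion that descends from a script
    interpreter launched by a document application, whatever the file hashes."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        deletes_backups = (e["image"] == "vssadmin.exe"
                           and "delete shadows" in e["cmdline"].lower())
        if not deletes_backups:
            continue
        chain = ancestors(by_pid, e)
        for child, parent in zip(chain, chain[1:]):
            if child["image"] in INTERPRETERS and parent["image"] in DOC_APPS:
                hits.append(e["pid"])
                break
    return hits


if __name__ == "__main__":
    known = make_trace(b"constructed-dropper-v1")
    repacked = make_trace(b"constructed-dropper-v2-repacked")  # same behavior, new hash
    for name, trace in [("known", known), ("repacked", repacked), ("benign", BENIGN_TRACE)]:
        print(name, "IOC:", ioc_matches(trace), "IOA:", ioa_matches(trace))
```

The repacked trace is the wanted man in a different shirt: its hash is not on the list, so only the behavioral rule flags it, while the administrator's manual cleanup matches neither check.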
What makes the Falcon platform unique?
a. Single Intelligent Agent
Crowdstrike uses an intelligent lightweight agent which can be installed on Windows, Mac, and Linux systems. What exactly is an agent? An agent is the piece of software that sits on the endpoints being protected and gives Crowdstrike a view into what is going on in the device (like a CCTV), helps to capture data which is then analyzed centrally and has the ability to intervene from afar whenever there are problems. An agent runs in the background without the user noticing, and continues to protect the device and track activity even when offline.
Falcon provides multiple functionalities using only a single agent. Because it’s lightweight, it just takes about 5s to deploy, occupies less than 35MB of storage space and requires no reboot (!).
Compared to the Falcon platform, legacy providers use agents which are designed for a single functionality, hence they often need to deploy multiple agents to the endpoint. This results in agent bloat, a situation where the layered agents consume too much storage space, memory space and processor capacity which affects the end-user experience, causing lag. We live in a time where every single second counts, so imagine how frustrating it is to have your device lag because of the antivirus software running.
b. Cloud-based architecture
Being a cloud-native platform means rapid time to value. Once a customer deploys the lightweight agent on their endpoints, the Falcon platform can activate additional cloud modules in real-time. Having a cloud-based architecture also means that it’s highly scalable. This allows Crowdstrike to buy as much data as they want and scale their needs as they grow.
On the contrary, on-premise solutions take time to install, configure, deploy and maintain. This hence results in lengthy implementation periods and poor customer experience. Remember restarting your computer just to let the new updates take effect? It is also more costly to buy and maintain IT infrastructures like servers and hire more personnel in an on-premise environment.
c. Proprietary Distributed Threat Graph
The Falcon platform uses its cloud-based graph database called Threat Graph. Falcon uses an AI/ML-based (artificial intelligence/machine learning) approach over threat detection. As more data and events are fed into the Falcon platform, there is more data to train their AI models with, which makes the entire platform smarter, creating a powerful network effect.
This means that if Customer A suffers from a potential breach, this data is fed immediately into the Threat Graph, and it will be automatically shared across the rest of the customers in real-time. Threat Graph can then learn and identify warning signs once and rapidly deliver protection to every customer in the Crowdstrike community. This allows all customers of Crowdstrike to benefit from contributing to the Threat Graph.
“We handle about 4 trillion events per week, so in a day we handle more events into our cloud, than Twitter has the number of tweets in an entire year.” — CEO George Kurtz
4 trillion real-time events are captured per week by the Threat Graph! This means that with each passing day, Crowdstrike’s competitive advantages grow stronger as its platform becomes more effective in identifying cyberattacks.
In addition, Crowdstrike has its elite internal teams of security experts who constantly analyze the threat database, and this helps to improve the productivity of the customers’ security teams.
Achievements
Being such a high-quality platform has also made Crowdstrike highly recognized in the industry:
It has the highest score for lean forward organizations in Gartner’s Critical Capabilities for Endpoint Protection Platforms report
It's a leader in the Gartner Magic Quadrant for Endpoint Protection Platforms (only company to not only maintain its Leader position but obtain the furthest position in Completeness of Vision, more on this later)
Leader in endpoint security software-as-a-service in the Forrester Wave Q2 2021 report. Highest scores possible within 17 criteria in the report
Leader in both the Forrester Wave Q1 2021 Managed Detection and Response and External Threat Intelligence Services reports
Best cloud computing security solution and best-managed security service at the 2021 SC Awards
100% detection coverage in all 20 steps of the MITRE ATT&CK evaluations
100% protection rate in the AV-Comparatives business real-world protection test and highest AAA rating in Q1 enterprise endpoint protection evaluation from an independent testing organization, SE Labs
Crowdstrike has FedRAMP, giving them access to government contracts
All of these achievements just show the efficacy of the Falcon platform.
So…why make the switch?
Companies usually incur switching costs when they try to deploy new software across their operations. If a company abandons the older, on-premise software for the next-gen AV provider like Crowdstrike, they’ll have to abandon some or all of the IT infrastructure they had bought earlier.
Also, as Crowdstrike becomes the gold standard in the EPP and EDR space, it can also become a career-saver for anyone making security purchase decisions. Imagine the repercussions that happen when a data breach occurs. Would the person making the security decision want to risk buying an inferior security product?
Let’s move on to how the Falcon platform was created.
2. How it all started
The world’s greatest inventions were often born out of a need. This was the case for Crowdstrike as well.
Crowdstrike was founded by the current CEO, George Kurtz, Dmitri Alperovitch (former CTO) and Gregg Marston (former CFO, retired), back in 2011. For now, only Kurtz is still around in the company. He is an incredible leader and I will talk more about it under the Management section of this article.
George has always loved computers, even as a child. He started programming in fourth grade on a Commodore CP/M (that's another way of saying 'a super old computer'). But when he got to college, he was determined to get a business degree. So, he majored in accounting. As a result, this led him to join Price Waterhouse (currently PwC) as an intern in 1993 post-graduation. It was during this stint that he began creating programs to help with the tedious process of data input (audit).
Someone took notice of George’s initiative and drafted him into the PwC computer security group. He was the fifth person on the team. At this time, firewalls were just starting to become commercially available and George was put in charge of figuring out how to make it work. George ended up figuring all that out, building controls around it, how to hack it and ended up writing a book on it, called Hacking Exposed.
(Image: Hacking Exposed, written by George and his colleagues)
The book started a series that sold more than 1,000,000 copies and was translated into 30 languages. The funny thing is that, without mentioning the co-author, this is on the Palo Alto Networks (PANW) website in the 'cybersecurity canon'. In case you didn't know, Palo Alto is probably the biggest competitor of Crowdstrike:
There are not a lot of technical books that meet the definition of “timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete,” but the Hacking Exposed series does.
In 1999, George saw an opportunity in vulnerability assessment for large enterprises and decided to make the leap into entrepreneurship. He jumped in head-first to start his first company, Foundstone (this made him learn a valuable lesson, more on this later).
After raising $3.5M in VC funding, he began learning the ropes of running his own business. But when it came time to raise more money in 2001, it was very tough since the dotcom bubble had just burst. So Kurtz started pitching. It was a taxing process, but eventually, he found the right fit and Foundstone went on to raise their Series A and was acquired by McAfee in 2004.
Kurtz then spent seven more years at McAfee. Just as he was getting ready to move on, a new CEO joined and refreshed the executive team, so George stuck around, as the CTO, to help him rebuild for a couple more years. It turned out to be a great experience, ultimately revealing to George how challenged the security industry really was.
At that time, most major security companies were focused on stopping malware, when they should have been thinking about stopping breaches. There are so many types of attacks other than just malware. There was also no foundational cloud platform company in security. So, he thought to himself, 'How do we create endpoint security from the cloud itself?'
A fateful encounter in the air, while he was with McAfee, contributed to his trajectory towards CrowdStrike. Seeing a fellow plane passenger experiencing less than desirable UX with a McAfee security program, he thought, “There must be a better way forward.”
It was George’s frustrations with the lack of innovation at McAfee and him seeing how security programs slowed down computers that led to him and his peers starting Crowdstrike. George and his team made 25 slides to pitch his vision of Crowdstrike to PE firm Warburg Pincus and received $25M seed funding. From then onwards, Crowdstrike went on a hypergrowth trajectory. Meanwhile, McAfee got acquired by Intel.
3. Business Model (How do they make money?)
As mentioned above, being cloud-native and having a single lightweight agent are some of the reasons why Crowdstrike is winning. Legacy providers often deploy multiple agents to add additional functionalities to the security. This ends up burdening the endpoints, slowing down the speed and affecting the end-user experience.
By being in the cloud with a single agent, Crowdstrike is able to consolidate and remove unnecessary agents from their customers’ endpoints and restore endpoint performance. Being in the cloud allows Crowdstrike to collect data once, and apply it across all their users, without burdening the endpoints. Being in the cloud allows customers to activate additional modules (functionalities) in real-time.
Crowdstrike also has a 15-day free trial period for customers to try out additional modules, and as all the modules are integrated into their single, lightweight agent, this removes the need to install additional security solutions and for a salesperson to do anything, as any additions can be done with a click of a button as long as the customer is within the platform. This reduces friction for the customers as they are allowed to try them before purchasing additional add-ons. All of this is part of Crowdstrike’s plans to expand the number of endpoints/modules that customers take up.
Crowdstrike, like most other SaaS providers, uses a Land and Expand strategy. What does that mean? It means you first try to “Land” a customer into your platform, and from there “Expand” the modules that they take up. What makes this even more attractive is that for every module that is added by the customer, as the module is tapping the same data, it gives Crowdstrike close to 100% margins, money that all falls to the bottom line. I will share how successful this strategy has been for Crowdstrike later on under Key metrics.
As seen above, Crowdstrike makes money depending on 3 factors:
1) No. of endpoints, 2) No. of modules & 3) No. of customers.
Because it is a subscription business, it collects cash upfront from customers annually and uses the deferred revenue recognition method to account for its revenue.
Isn’t that a wonderful business model? This means that Crowdstrike runs a very low risk of having customers who don’t end up paying their bills and they get the cash flow instantly that can be used for their business operations.
That being said, other than the Subscription revenue part of their business, they also have another component called Professional services.
In cybersecurity, the strategic value comes especially to the customers in their times of need. That’s exactly what Professional services does. Professional services basically acts like a SWAT team/Triage for companies under attack. When their current security offerings fail them, that’s when the Crowdstrike team comes in. The team solves the breach and gains the trust of the customers; they know your product works, and they’re willing to pay a premium for the fact that it actually works.
It’s on an ad-hoc basis, and Crowdstrike has said that many of these customers subsequently become subscription customers after understanding and seeing how the Falcon platform works. Crowdstrike sees the professional services business primarily as an opportunity to generate leads and cross-sell subscriptions to the Falcon platform and cloud modules.
Some incredible stats from the latest earnings call:
Among organizations who first became a professional services customer after February 1, 2019, the average subscription ARR derived for every $1 spent on initial incident response or proactive service engagement grew to $5.51. This is up 48%(!) when compared to $3.73 reported last year.
This means that for every $1 spent, Crowdstrike makes $5.51 in recurring revenue, talk about Returns on Investments!
According to Kurtz, he used the same model for Foundstone, the first company he founded, but faced backlash from investors who said it couldn’t work. Eventually, he proved that Professional services was an effective lead generation model, an effective way to land customers, and today, many businesses are using the same strategy.
Crowdstrike’s business model is highly lucrative, with recurring subscription revenue and frictionless methods to upsell its modules to its customers.
4. Key Metrics
There are a few key metrics that we can look at to determine how the business is performing. You'll see that these are pretty much the same as other SaaS businesses:
1. Annual Recurring Revenue & No. of subscription customers
One glance at the graphs tells us that the company is still in hypergrowth mode. The company’s ARR has grown at a rate of 74% y/y, and the number of customers has increased 82% year-over-year. We can also see that Crowdstrike is not just getting more customers, it's getting the customers that matter. When 65% of the top 20 banks use your services, it creates a halo effect around the Falcon platform. Potential customers will buy the products because the risk of the product being bad is lower given that the biggest corporations have ‘vouched’ for the platform’s efficacy.
Now, let’s go deeper.
Looking at this chart gives us a clearer picture. We can see that the ARR growth is decreasing on a quarterly basis. Does that mean the company’s growth is slowing? Not really.
Due to the law of large numbers, as a company gets bigger, the % gain for revenue will gradually become smaller, even as the absolute numbers are increasing. You can see that from January 2019 to April 2021, while the ARR percentage growth dropped from 121% to 73%, the “Net New ARR” actually increased from 58.5M to 139.9M, which is a 139% increase! We can’t compare a company when it’s making $1 billion in ARR to when it was making $200 million in ARR, as the growth % will definitely be different!
And as for Q1, the record net new ARR, which is the measure that we look at in terms of the health business. Q1 is the toughest quarter. But for us to post a quarter that’s larger than Q4, basically delivering 2 Q4s in a row, that’s something special and so we’re proud of that.
— CFO Burt Podbere on Baird 2021 Global Consumer Conference and EC
What did the CFO mean by delivering 2 Q4s in a row? Let’s see.
You can see what the CFO meant when he said Q1 is the toughest quarter for the company. For FY20 and FY21, the sequential quarter-over-quarter drop has always been more than 10%, but in this year the drop is only 2%. This doesn’t seem like slowing growth to me at all! In fact, quite the opposite!
2. Dollar-Based Net Retention Rate ('DBNRR')
Next, we look at the DBNRR (Dollar-Based Net Retention Rate) for Crowdstrike. Anything above 120% will be among the top percentile in the SaaS industry. What exactly is DBNRR?
DBNRR measures the change in spending for all of the customers a year ago compared to the same group of customers today. It includes the positive effects of upsells (expansions) and negative effects on customers who leave or downgrade (churn). You also see DBNER sometimes, dollar-based-net-expansion rate, and that doesn't include churn but only measures what the customers that have stayed have spent. DBNRR is cleaner and will usually be lower.
To illustrate, if a customer orders 4 modules in Year 1, and 5 modules in Year 2, assuming each module costs the same, the DBNRR would be 125%: (5/4) × 100%.
At first glance, you can see that DBNRR has been slowly trailing off for the past few quarters while gross retention remains incredibly high in the 98% range. If you follow the company closely enough, you’ll also notice this is the first quarter that the company did not indicate the absolute DBNRR %, only indicating that it exceeded the 120% benchmark. While it may mean that the % dropped, it might not be that worrying. Here’s why.
Kurtz has mentioned in earnings calls recently that they’re seeing a trend of new customers who are landing more modules from the get-go, and spending more. DBNRR measures spending on a year-over-year basis. If a customer orders more modules in the first year straight away, it will make sense for the DBNRR to drop.
Using the same example earlier, if a customer starts with 4 modules vs 5 modules, when they end up increasing 1 module next year, what would be the difference between the two?
4 modules = 125% [(5/4) × 100%]
5 modules = 120% [(6/5) × 100%]
You get the idea?
3. Subscription customers with multiple cloud modules & Gross Margins
This graph shows us 2 things :
How good are they at upselling their products to current/new customers?
How sticky is the platform to the customers?
When they first IPO-ed in 2019, their % of customers with 4 or more modules was 47%. It has currently grown to 64%! Also, you can see the Falcon platform like an Apple ecosystem. It just works better when you get more Apple products. iPhone + AirPods? Why not add on an Apple Watch to sync everything together?
(Crowdstrike’s gross margins chart)
As mentioned above, when customers add modules, these additions are extremely high gross margins that flow down to the bottom line. And as seen from the chart above, we can see gross margins on an upward trend, similar to the number of modules. There’s definitely a correlation between the two. Hence, if Crowdstrike continues to upsell successfully, this gross margin might even hit 80+% territory.
Of course, what every SaaS investor wants to see ultimately is improving operating leverage. What exactly is operating leverage? As a SaaS company, Crowdstrike needs to invest in Sales & Marketing, Research & Development and General & Administrative costs in order to fund revenue growth. Having improving operating leverage means that the rate at which revenue is growing is higher than the rate at which the 3 types of expenses are increasing, which is clearly shown on the graph. In the long run, we want improving operating leverage so that the company will be operating profitably (eventual goal).
Crowdstrike’s execution thus far has been flawless, as you can see from the pace they’ve improved their operating leverage.
We have looked at the business model and metrics in detail. Let’s now take a look at the people driving the company.
5. Crowdstrike's Management
I focus a lot on the quality of the management before deciding to invest in a company. While many investors love to look quantitatively (numbers) before qualitatively (management), I think the focus should be the other way round. It is the qualitative factors that result in the quantitative outcome. To put it simply, without Jeff Bezos and his team's focus on customer experience, we would not have the Amazon we see today. Without Elon Musk’s tenacity and vision, Tesla would not have the success it sees today.
For Crowdstrike, it's all about George Kurtz. As we saw in the previous installment, Kurtz has co-authored one of the classic books of cybersecurity, Hacking Exposed. That's a great start but not nearly enough, of course.
a) Long term oriented
I have listened to various interviews and podcasts, and I believe that George Kurtz is the visionary CEO that investors look for. A visionary CEO is able to look at things far out into the future and ignore any short-term distractions that come his or her way. Even when nobody believes in them, they will push on and work towards their goal.
Ignoring short-term distractions, Seeing the big picture
Back when being a cloud-native platform wasn’t even a thing, Kurtz saw it as clear as day. There was no foundational cloud platform company in security back then. As a result, Crowdstrike saw some pushback from customers when they tried to sell their Falcon platform. It was this fear of the cloud which helped shape his founding thesis for Crowdstrike. He saw that the cloud was bigger than security and that there was going to be fast adoption of the technology.
In the earlier days of Crowdstrike, Kurtz went into a large Swiss bank trying to sell his technology, which was completely new to the market. However, the Swiss Bank cited various reasons, and ultimately rejected the idea of cloud security saying that they’re a Swiss Bank, and cloud is not the way for them. Kurtz then confidently said he’ll come back and would sign the bank 2 years later, which he eventually did. Today, the Swiss bank remains a large customer.
From this, he shared the lesson that one should never fall into the trap of satisfying the customer for short-term revenue. Had he allowed the Swiss bank to dictate how he was going to provide his services (through on-premise) we might not have the cloud-native platform we see in Crowdstrike today. Kurtz had a high resolve that simply could not be shaken.
Forming his own Board
As the CEO of Foundstone, Kurtz didn’t have the flexibility to be picky with his investors. This resulted in selling Foundstone earlier than he was ready to. The VCs wanted to cash out in 2004 after suffering big losses due to the dotcom bubble crash (Foundstone being one of the few that survived the crash).
For Crowdstrike, Kurtz handpicked the investors. “I wanted to make sure I wouldn’t be pushed into a sale too early again,” he says. He did this by surrounding himself with people he could trust and who understood the vision.
As of the latest filings, Kurtz holds 7.2% of the total shares outstanding and has 33% of the voting powers assigned to him.
What attracted him to CrowdStrike was more than the chance to continue his passion for innovating and disrupting the industry. It was the prospect of working with CrowdStrike founder and CEO George Kurtz. “George could create a board that would propel the company into rare air,”
-CFO Burt Podbere in an interview
Anti-dilution
In Jan 2021, Crowdstrike reported that it would raise $750M in interest-only notes, 3% interest until 2029. This means that these notes are not convertible to shares. Convertible notes tend to offer lower interest rates for the issuers.
When asked in an interview why Crowdstrike didn’t raise more money given the low interest rates environment, George’s answer was simple.
We already have a $750 million extra credit facility with the bank that’s untapped, and we’re already generating free cash flow on our business. We didn’t want to fall in the convertible trap, and create dilution to our current shareholders. We also want to maintain our AAA rating. When people look at Crowdstrike, we want them to think “Wow that’s really well run.”
In Feb 2021, it was announced that Crowdstrike was acquiring Humio (more on this later) for $352 million in cash and $40 million in stock options.
In both scenarios, when raising cash and acquiring Humio, Crowdstrike chose to use cash instead of shares to fund their growth. And take note, this is the period when Crowdstrike was near its all time high (~$220), so a lot of people would think that it would have made a lot of sense for them to issue shares 'at a premium'.
Can’t you see how deliberate Crowdstrike’s business decisions are? It could have chosen the easy route of diluting current shareholders, but instead, it did not want to issue more shares to reduce the current shareholder’s stake. This is exceptional for a company growing so fast and it adds to Crowdstrike's appeal. It treats its shares as very precious and doesn't dilute the shareholders with every chance they get. It also shows the management is very long-term oriented.
b) Glassdoor ratings
A quick search on Glassdoor/Comparably shows that close to 80% recommend others to work at Crowdstrike and that 98% (!) of the employees approve of the CEO:
One reason why I focus on employee reviews is that it shows how the company treats its employees and whether there are any internal problems within the firm that just can’t be seen by looking at the stock prices. Simply put, a company will not be able to create long-term value by treating its employees poorly. Happy employees tend to treat customers better. Do a Google search for any of the FAANG stocks, and you'll see any of them will have good Glassdoor reviews. The company will only be able to achieve optimal results provided that its employees are motivated as well.
In an interview, Kurtz mentions that he’s looking for people with a combination of hunger, grit and book smarts. His go-to question in an interview is “What drives you more, the will to win or the hatred to lose?”
From his past experiences, he knows that it is usually the people who hate to lose who are the most driven people. He also mentions that an incredibly talented candidate may not get the job, because what he’s looking for is a team player and someone with a strong cultural fit.
With the criteria that Crowdstrike looks for in potential candidates, it’s no surprise that the company is the success it is today.
c) Extreme Confidence
How does Crowdstrike's management show that it's extremely confident about its product? One of the ways they do this is by pinpointing their competitors’ shortcomings every earnings call. While I tend to not like it when the management is so frank, I think given the competitiveness of the industry they’re in, and the severity of a security breach, Crowdstrike needs to let companies know who is the best in their business. On top of that, competitors like Palo Alto do it as well. This is an example from Crowdstrike's Q3 2021 earnings call:
Target Corporation was looking to rapidly move away from Symantec and transition to a single-agent cloud solution that could be deployed in days, not months or years… Falcon was deployed across their environment in less than 10 days, allowing them to immediately take advantage of the platform and drive ROI.
With all these commentaries, Crowdstrike shows that its product is better than what its competitors have.
McAfee and SentinelOne had to be removed from their environment where it cannot be deployed because of performance and interoperability problems. Unlike our competitors, CrowdStrike was able to deploy to thousands of endpoints and servers in just three days without a reboot. — Q4 2021 Earnings Call
Of course, Crowdstrike does not forget to show what sets it apart from the crowd. On its website, it actually has a segment explaining why its products are superior. SentinelOne obviously sees Crowdstrike as its biggest competitor, and it too has a comparison of its platform against Crowdstrike. While SentinelOne provided 3 reasons why it is better, Crowdstrike gave over 10 reasons to show it has a superior platform. More on this later.
I’m not too sure how many companies out there are so confident about their offerings that they’ll list down their direct competitors and show their web visitors what makes their products superior. This is definitely a show of confidence in Crowdstrike and its products.
Of course, Crowdstrike has the right to boast. As mentioned above, Crowdstrike is winning awards left, right and center. The Falcon platform has also been put to the test and achieved the following:
100% detection coverage in all 20 steps of the MITRE ATT&CK evaluations
100% protection rate in the AV-Comparatives business real-world protection test
AAA rating in the Q1 enterprise endpoint protection evaluation from the independent testing organization SE Labs
Crowdstrike wastes no time in calling out its competitors again:
A crucial part of our commitment is to continually test our solution, validate its capabilities, and find opportunities to improve. It’s unfortunate that some vendors decline to compete in these public tests, including so-called next-gen players. This lack of scrutiny is a significant disservice to all customers who would benefit from greater transparency. — George Kurtz, CEO on Q1 2022 Earnings
d) On the ground CEO
Kurtz isn’t like any other CEO. He understands how important it is to understand the technology as well as the problem you’re trying to solve for the customer. He is very much on the working floor. He conducts what he calls “100 in 100” customer tours, where he meets with 100 customers and prospects in 100 days, to understand what organizations are looking for.
“When I talk to them, I want them to know they are taken care of. But also, what will help retain them? What else do they need? Is there a service we are capable of that we’re not offering them? What I heard was that the traditional firewall was disappearing and that what mattered to customers was Endpoint and Identity.”
He understands that organizations are looking for a modern, identity- and workload-centric Zero Trust security strategy to lay the foundation for their security transformation. That was also what led to Crowdstrike’s acquisition of Preempt (more on this later).
Kurtz can also be often seen on the ground with his employees, testing out and developing new modules. As an investor, what you want is a CEO who understands what’s going on at the ground level, and seeks to solve his customers’ pain points.
Let’s now look at the strong partnerships that CRWD has set up for its business to prosper.
6. Strategic Partnerships
Crowdstrike has entered into several partnerships in the past few years. These include Netskope, Zscaler, Okta, Proofpoint and EY, as well as big cloud platforms like Amazon Web Services ('AWS') and Google Cloud Platform ('GCP').
So how does their partnership work? From their 10-K:
The Company uses channel partners to complement direct sales and marketing efforts. The partners place an order with the Company after negotiating the order directly with an end customer.
The Company’s contract is with the partner and payment to the Company is not contingent on the receipt of payment from the end customer. The Company recognizes the contractual amount charged to the partners as revenue ratably over the term of the arrangement once access to the Company’s solution has been provided to the end customer.
Partnerships with players like AWS, and the integration of the Falcon modules within the AWS marketplace, allow AWS clients who have built their work on the AWS platform to easily subscribe to Crowdstrike’s solutions. This move gives Crowdstrike access to over 1 million potential customers, saving Crowdstrike money and time in acquiring new customers. The CFO mentioned recently in a conference that Crowdstrike can close deals 80% faster, because of time saved on going back and forth for negotiations. You can see it as a food franchise: with one store you can only do so much, but with multiple franchisees, the sales opportunities are endless.
Well, it means that when we go to market in their marketplaces, a customer comes in, we’ll pay their reps, they’ll get credits. They have the — think about it as a Starbucks card where you come in and they can draw down on credits they have on the usage of their other products. And they can use those credits to purchase our solutions. So that makes it easy. — CFO Burt Podbere on a recent Baird conference
Channel partners like these bring in a lot of revenue: about 75% of revenue was brought in by channel partners in the latest quarter. This is why Crowdstrike strives to make it a win-win situation for both of them. Burt also mentions that one executive staff member is assigned to every partner and is responsible for checking in with that partner every quarter to ensure that the relationship is still going down the right path. This shows how much Crowdstrike values its partnerships.
So when we think about EY, we’re really excited because they’re just so embedded in large enterprises. They’re so trusted. And to have our technology as part of their solution worldwide is really a great win for us, and them and the customer.
Crowdstrike's earnings call, on Ernst & Young partnership
There are many other partners, but I just want to mention the one with Zscaler.
Zscaler is another cloud-based security provider just like Crowdstrike. They have integrated their services together, to provide joint customers with double protection.
The companies' offerings are aimed at different market segments that are complementary. Crowdstrike’s Falcon is used to protect endpoints (phones, computers, cloud workloads), while Zscaler is used to protect the network (the flow of information from your computer to another). Basically, Zscaler has a network of 100+ data centers through which all of its customers’ traffic is routed, and it acts like a VPN. Hence, there’s synergy in this partnership. CEO George Kurtz at the Q1 2022 earnings call:
Its customers are looking for a next-gen endpoint workload technology platform like CrowdStrike combined with next-gen network technology, and they’re looking to replace their legacy Palo Alto Networks
Palo Alto Networks is another cybersecurity player that is more of a security platform play. They do both EPP, like Crowdstrike, and Network protection like Zscaler. Crowdstrike and Zscaler are combining forces to take on Palo Alto.
Zscaler also recently became a customer of Crowdstrike and more technology integrations are going through. Crowdstrike also commented that one of the large wins for the quarter was due to their tech alliance with ZS.
To understand security-related stuff on a deeper level, you can read Muji’s outstanding articles:
Flavors of Security
What is Zero Trust?
Crowdstrike Racing (Mercedes)
Did you know that George Kurtz is a competitive racer as well?
I seldom hear people mention this, but the CEO is a competitive racer! This definitely shows his competitive side. Every year, Crowdstrike invites C-suites to a half-day cybersecurity summit to talk about the latest cybersecurity threats.
Kurtz mentions that some of these C-suites are given the chance to ride behind Mario Andretti, one of the most famous American racing drivers, in the back of an IndyCar, and that has “generated an amazing amount of business” for Crowdstrike. Talk about being opportunistic!
Crowdstrike also has a partnership with Mercedes and together, they sponsor the safety cars in Formula 1 races. Crowdstrike = safety, that link, you see?
7. Financials
I will keep this portion brief, only picking items that I think are important to highlight, since most of the important points have been mentioned in the key metrics section in part 1 already.
Based on this table comparison above, you can see Crowdstrike’s phenomenal execution for the past 8 quarters. Every single metric is going in the right direction: revenue increasing, operating expenses as % of revenue dropping, operating margin turning from negative to positive (!). Crowdstrike’s figures are very rare in the SaaS space, which makes it a very high-quality company.
Take note that revenue figures are a by-product of the ARR, as mentioned above on the deferred revenue recognition concept. Take note also that the figures used in the calculation are non-GAAP, to remove non-cash expenses and the irregularity of one-off expenses.
For me, revenue is actually one of the important numbers I look at in any company. Why? A company’s revenue results are just like elections; just that customers are using their money to vote for the best product out there. Also, as much as a company can cut costs, in order to grow the bottom line (profits), the top line (revenue) needs to grow first or it's unsustainable.
Some investors I know track the sales mix, which I don’t really care about. Subscription revenue is recurring in nature and a high margin business for Crowdstrike. If that revenue comes in through Crowdstrike's professional services or another platform like AWS, either way, it's a win for the company.
Free Cash Flow Margins
Cash flow statements only look at cash related items, so it takes off items like depreciation expenses, stock-based compensation etc.
Free cash flow is a number from the cash flow statements. A company increasing revenue might not necessarily be increasing cash flow, as revenue might be recorded first, but cash only booked in later. Free cash flow is essentially the cash flow from operating activities less any capital expenditures; the free cash flow margin expresses it as a percentage of revenue. Free cash flow is money that can be redistributed to the shareholders (either as dividends or, more appropriate for Potential Multibaggers, reinvestments into the business).
I also care about the company’s free cash flow margins. As seen above, Crowdstrike’s FCF margins were 38.6% in the last quarter. It's a cash cow at the moment.
Target Operating Model
One of the key things that Crowdstrike’s management tracks very carefully is whether they’re on the path to their target operating model. It shows us what the management team wants the margins to look like in the long run. We can see that the company has already hit the margins it's expecting in the latest quarter (except S&M as % of revenue), which is only 4% off.
This target operating model wasn’t the first version that the management created. This is what CFO, Burt Podbere mentioned in the BOA conference:
Second piece, of course, is optimizing our public and private cloud usage, right, and turning the dials to make that really effective and cost effective for us as well as effective in terms of usage and our ability to use it. And I felt so confident that we’re going to continue our expansion of gross margin. I raised the long-term target — market target for gross margin in April to 77% to 82% plus, from 75% to 80% plus.
The company is so confident in its long-term prospects that it actually raised its gross margin target by 2%, from 80% to 82%. Another great sign.
Debt
Crowdstrike's debt position is very healthy. It's holding a $1.7B cash position after 2 recent acquisitions, and the only debt in the books is the recent $750M debt offering.
The liabilities portion of the Balance sheet is very misleading for Crowdstrike, as a bulk of the liabilities of $1.5B, are actually unearned revenue. It's revenue that has already been recognized but is not on the bank already.
Under the ASC 606 accounting protocol, a SaaS provider recognizes revenue when it transfers its service to the customer. Suppose a customer pays $120,000 on a yearly basis: Crowdstrike can only recognize $30,000 each quarter, and the rest remains a liability.
Net Operating Losses
One thing that wasn’t in the financial statements which I felt was worth noting is that Crowdstrike, because of losses in the past, has around $1.88B (from various regions) worth of net operating losses carried forward. Currently, Crowdstrike does not pay any taxes because it’s still “loss-making” on paper.
This means that eventually, when the company records GAAP income, it has this $1.88B worth of losses that can be used to net off against the taxes it needs to pay. These are like “deferred revenue” for CRWD as well.
This is actually a huge deal, and it also explains why “loss-making” companies like Amazon paid little to no taxes in the past.
In the last and final part of this deep dive, we will look at Crowdstrike's competition, the Humio and Preempt acquisitions, Crowdstrike's total addressable market, the risks and the stock's valuation.
8. Competition
To look at the competition, we can take a look at the Magic Quadrant for EPPs (Endpoint Protection Platforms) that Gartner has published. This Magic Quadrant assesses the innovations that allow organizations to protect their enterprise endpoints from attacks and breaches. The companies are ranked based on their completeness of vision, and their ability to execute.
If we were to compare the two Magic Quadrants from separate years, we can see that Crowdstrike has made a leap in terms of ranking. In 2017, they were even under SentinelOne (S), a competitor that recently had its IPO. Fast forward to 2021, and Crowdstrike has become the leader for EPP alongside Microsoft. It just shows us how much Crowdstrike has evolved as a platform over the past 3 years to become the leading platform today. What has not changed is that the market is still extremely competitive, with many players fighting for market share.
George Kurtz doesn't see Microsoft as a good cybersecurity player, though.
There’s a lot of customers that are looking at this and saying, ‘Hey, we need to de-risk our environment, and we need another provider. The proverbial, ‘You don’t want the fox guarding the henhouse.’ Just over the last couple of months, this has really highlighted the risk in using a monoculture for both security and operating systems.
(Source)
This may sound harsh but Kurtz pointed this out in the context of the SolarWinds breaches, which were caused by weaknesses in Microsoft's 'antiquated and complicated' architecture. (source)
Most of the Pros for Crowdstrike were already mentioned in the previous parts, but let's also look at the cons. One of the disadvantages indicated by Gartner is pricing.
CrowdStrike Falcon deployments often require extra cost options to provide the full range of capabilities, and this increases overall cost when compared to more inclusive competing solutions. Also, for multiyear contracts, CrowdStrike insists on upfront payment. This is reflected in lower scoring for pricing in this Magic Quadrant
To me, this indicates Crowdstrike’s pricing power more than anything else. If customers are willing to pay a premium for their services and pay upfront, there must be a reason why.
Source: IDC Report 2019 on Endpoint Security Market Share
I tried very hard to find a more updated version of the market share, but failed to do so. If there’s anyone who has a source, do let me know!
Based on this table above, we can see that there has clearly been a power shift between the legacy vendors and Crowdstrike. More notably, Crowdstrike’s growth from 2018–2019 is a multiple of that of all of its competitors, which implies Crowdstrike has a secret sauce. While legacy vendors are still holding a large chunk of the pie (40+%), I believe it will not be for long.
Companies like Cisco, VMware, Tanium, BlackBerry, and Palo Alto Networks each increased their revenue near or above two times the market’s growth rate (8.8%) in the corporate segment.
The best part is that Crowdstrike's CEO mentioned on an earnings call that IDC released an updated worldwide market share stat for endpoint security, and Crowdstrike was ranked No. 1, ahead of Microsoft and other legacy vendors. He also mentioned that Crowdstrike is still in the early innings of grabbing market share from legacy vendors, which means we can continue to see sustained revenue growth from Crowdstrike in the coming quarters.
But there’s a lot of companies out there, big and small, and we still think we’ve got a lot of runway and still continue the migration of share from Symantec and McAfee to CrowdStrike.
What else is a better way to show that you’re doing something right other than your competitors being frustrated about you in their earnings call? Credits to Kris for this info!
Don’t forget in each of those areas, we are dealing with extremely competitive situation. In the case of XDR, we deal with dedicated salespeople in CrowdStrike. They outflank us 8–1 on the number of salespeople. So we have to look hard at how much investment we want to make on the sales side.
-Palo Alto Networks CEO
You can see how much the Palo Alto CEO sees Crowdstrike as a threat based on the comment above, and I think the reason why Crowdstrike has so many salespeople might be attributed to their partnerships as well.
Sentinel One
I just wanted to spend some time touching on SentinelOne, which is going to IPO in a few weeks' time. I believe both Crowdstrike and SentinelOne see each other as key rivals, given how often they mention each other in earnings calls and on their websites.
In SentinelOne’s S-1 (IPO form), while explaining its offerings, the company wrote of “higher accuracy than possible from any single human or even a crowd”, a clear reference to its competitor.
I spent some time reading through the S-1, but can’t really find the difference between what SentinelOne and Crowdstrike offer. I'm pretty sure that Crowdstrike has more data because it has more customers and has been around for longer. However, thanks to Jamin (he does incredibly useful SaaS comparisons!) who posted the comparison, I have some things I can comment on.
S1 comparison by Jamin Ball
However, one metric stood out the most to me: their operating margin is -134%, compared to -55% when CRWD IPOed. What does a -134% margin mean? It means that for every $100 of revenue you take in, you’re spending $234 to get that revenue! Seems like an absolute disaster. -134% is a far cry from -55%. This means you’re losing $134 in Year 1.
The worst part is, this will only get worse as their revenue growth continues. With gross margins of 56%, their cost of revenue would be $44, which translates to OPEX being $190 ($234-$44). Even if there is slight operating leverage (improving margins), they will still be losing more money in absolute numbers: as their revenue gets bigger, their OPEX will increase in tandem as well, perhaps at a slower rate.
Example:
Year 2: Revenue grows to $200.
GM improves to 60%, meaning the cost of revenue is $80.
Operating expenses increase only 80% (showing operating leverage), we get OPEX of $342. Adding the cost of revenue, the total expense is $422.
This means that for this year, even with improving margins, the losses actually widen to $222, compared to $134 from the previous year.
The issue here is there’s no alternative for SentinelOne, as this is an extremely competitive market where you need to spend big in order to get customers, and sometimes you might have to lower your prices to attract more customers which then affects your pricing power. And you know what happens when a company runs out of cash, they run to the investors for money again or issue more debt. Of course, these losses eventually get better, but it’ll probably take a few years. Therefore, at the moment as an investment, I do not think SentinelOne is a worthy competitor.
If you look at the Gartner Magic Quadrants again, you'll see that SentinelOne had a head start compared with Crowdstrike but Crowdstrike has left it in the dust. Again the Magic Quadrants for EPP. Search for SentinelOne.
To remain relevant, Crowdstrike has also acquired some companies in the past year. We'll look at them in more detail.
9. Humio & Preempt & TAM
Preempt
In 2020, Crowdstrike announced plans to acquire Preempt, a leader in Zero Trust identity hygiene and security. Preempt delivers a modern approach to securing identity with its patented Conditional Access technology, helping customers preempt security threats in real-time based on identity, behavior and risk. This acquisition is very timely given the recent executive order by the U.S. government to get companies to work towards ZTA (Zero Trust Architecture).
What exactly is Zero Trust? Imagine this. In the past, the security model was just like a locked front door. Once you get in through the front door, you’ll be able to access every other room in the house. This means that once a hacker gets through the first layer of defense, they’re free to do whatever they want. With Zero Trust, you’re required to have credentials to enter or do anything in the house. Want to enter a room? Show that you're authorized. Want to turn on the computer? Show that you’re authorized.
What does Preempt actually do? Preempt goes into an organization and collects identity and credential information from companies like Okta, Microsoft, etc. It can then use this to create a profile so that when it sees an employee opening a folder that he doesn’t usually access, it blocks the access, then forces a re-authentication via multi-factor authentication, just to ensure that the employee is really who he says he is. It also works if the employee appears to have too much access privilege and is accessing something that his profile wouldn’t need. Preempt claims that “80% of all breaches involve compromised credentials.”
The hybrid work environments that we’re in make this acquisition particularly vital, given that workers are working from different locations and will often need to access employee-restricted data. With this acquisition, CrowdStrike plans to offer customers enhanced Zero Trust security capabilities and strengthen the CrowdStrike Falcon® platform with conditional access technology. The addition of Preempt’s technology to the CrowdStrike Falcon platform will help customers achieve end-to-end visibility and enforcement on identity data.
To me, the best part is Preempt can be integrated seamlessly into the Falcon’s single agent and start preventing insider threats very quickly. Crowdstrike collects the data once and uses it many times. That's what makes them so strong.
Humio
In 2021, Crowdstrike announced plans to acquire Humio, a leading provider of high-performance cloud log management and observability technology.
We founded Humio with the vision of enabling engineering teams to easily collect all of their data in real time and at scale to proactively manage anomalies and recover quickly from various incidents.
We architected Humio’s platform to easily ingest massive amounts of machine and application data in true real time, enabling enterprises to monitor, analyze, investigate and search all of their data at an industry leading TCO
Humio's CEO Geeta Schmidt, source
The Humio acquisition moves Crowdstrike from EDR (Endpoint Detection and Response) into XDR (eXtended Detection and Response), basically an enhanced version. Humio’s platform helps Crowdstrike with its massive amount of data from Threat Graph. All of this data means mountains of logs. Humio helps to manage these logs for its customers and allows them to solve more security and non-security use cases in real-time. Essentially, it helps its customers keep more data at less cost and also allows faster query searches. It also allows for customizable dashboards that give customers greater actionable insights, in real-time.
This, of course, expands Crowdstrike’s TAM (Total Addressable Market). Is Crowdstrike entering into the log management space as well, where Datadog (DDOG) is in? It sure looks like it.
Talking about TAM, Crowdstrike believes their current TAM for 2021 is $36.5B, which will grow at a CAGR of 9% to $43.6B in 2023. By 2025, Crowdstrike believes its TAM will be $106B! One can only believe that management has already planned the future areas that it will expand into.
For Crowdstrike to expand its TAM by that much, it's probably going to need to move into security markets other than EPP and EDR. Perhaps venture into providing a consumer security offering? As of now, Crowdstrike only serves enterprise customers. Crowdstrike can also look to penetrate further into international markets, with revenues from international markets only at 27% currently.
Given the past 2 acquisitions, it’ll be interesting to see where Crowdstrike will be moving into next.
10. Valuation
Crowdstrike’s share price appreciation since IPO
Crowdstrike’s shareholders have been rewarded very well since its IPO. If you had invested $10k in Jul’19, this amount would be $43.79k currently. Rightfully so, given that all the quarters since its IPO have beaten analysts' estimates.
SaaS companies have grown popular in the last 3 years, due to the attractive business model of recurring revenue and high margins per extra customer.
As a result, most SaaS companies trade at a premium valuation. Given that Crowdstrike is an extremely high-quality company, this is also the case.
If we base the valuation on EV/NTM Revenue, Crowdstrike is the 6th most expensive SaaS company out there. However, what if we were to value it based on EV/FCF or Gross Profits?
We can see that Crowdstrike immediately becomes the cheapest relative to those who were originally cheaper in terms of valuation. Using revenue in this example is unfair because a company that generates high FCF (>30%), cannot be seen in the same way as a company that is FCF negative or has low FCF margins.
This is also the same for gross margins. Similarly, if we were to use EV/GP, we can see that Crowdstrike becomes the 9th most expensive, instead of 6th.
I also tried to compare Crowdstrike to the big cloud-native platforms that they envisioned themselves to be when they first started (Salesforce, ServiceNow, Workday). It’s probably a good gauge to see how CRWD will be trading at a few years down the road.
Looking at this chart, it may seem that Crowdstrike is valued extremely high, even on an EV/FCF basis. However, we shouldn’t be comparing them this way. Crowdstrike is still in hypergrowth mode, which means we’ll probably continue to see it grow in the high 50s-60s % for a while. Meanwhile, mature companies like Workday, Salesforce and ServiceNow are growing at 15%, 25% and 30% respectively. This means Crowdstrike’s growth rate is at least twice or thrice the growth of other companies. Assuming EV remains around the same, but FCF increases in the subsequent years, we can see Crowdstrike’s valuation will very quickly close the gap to the other 3 companies. If we were to compare it this way, Crowdstrike suddenly doesn’t seem as expensive as it does now.
IDC or International Data Corporation is a company that has specialized in IT market intelligence. It estimates that revenue for Cloud IT spend will grow from $106.4B in 2020 to $217.7B in 2023. However, Cloud security spend is only ~1% in both periods. IDC believes that an organization should spend 5% to 10% of its IT budget on security, especially given the recent high-profile breaches. Crowdstrike estimates that this spend might be up to 5.7%, which makes the cloud security opportunity 10X bigger in 2023 than what was spent in 2020 for cloud security. Crowdstrike is well-positioned to take advantage of this increase in spending as well.
11. Risks
So what are the risks to owning this company? There are a few.
a) It’s hawk-eyed by Wall Street analysts
Given that it is a high-growth company with a premium valuation, this company is definitely tracked very closely by Wall Street analysts. This is an example:
You saw no seasonality from Q4 to Q1, which I think is the first time at least the last three years where net new ARR has not declined sequentially, clearly indicating a significant change in the spending environment — Analyst on earnings call
If Crowdstrike were to post any steep deceleration in earnings, we can expect these analysts to pick it up as well, and the valuations will definitely take a hit.
With such premium valuations, Crowdstrike is expected to do well. It’s like the student in class with all As. When he does well, it’s seen as normal. But when there’s a less-than-perfect test, everyone notices. Wall Street is merciless.
Given that COVID-19 has definitely ramped up some security spending, the comparisons for the coming quarters will definitely be harder, so everyone will be watching whether Crowdstrike can still perform as well.
b) Breaches
Trust Takes Years To Build, Seconds To Break And Forever To Repair — Dhar Mann
Crowdstrike operates in a very sensitive industry where any breach is likely to cause millions or even billions in damages. The recent SolarWinds hack may cost up to $100 billion to recover from, with so many affected parties involved. This can mean the end of smaller enterprises that have leaked confidential data of their clients. When the SolarWinds hack was announced, the share price of SolarWinds plummeted 36% instantly.
Therefore, even though Crowdstrike was the one that SolarWinds brought in to remediate the breaches, it is possible that Crowdstrike may one day be exposed to such a breach. When that happens, nobody remembers the awards Crowdstrike has received in the past, only the trust that it has lost from its customers.
This scenario could easily mean a 20–30% haircut in the share price.
c) No desirable acquisition targets
There could be a time when Crowdstrike is unable to continue to add additional modules at the same pace it's doing now, and this may slow down the company's revenue growth. As mentioned above, to continue expanding its TAM, Crowdstrike will need to expand into other segments or acquire more companies.
Just like SentinelOne was overtaken by Crowdstrike from 2017 to 2021 in the Gartner Magic Quadrant, Crowdstrike could lose its edge too as the innovative provider for EPP and EDR services. As a result, it could lose market share to other more innovative providers who offer more advanced solutions.
One issue with acquisitions is that it may not always be easy for Crowdstrike to find complementary and synergistic targets. Crowdstrike would need to acquire companies only in situations where its products are superior or synergistic, and where the ROI (return on investment) in the long run exceeds the cost of acquiring the companies.
If Crowdstrike is unable to find desirable targets, this may directly impact the revenue growth of the company, leading to a fall in valuation.
12. Final words
I firmly believe that Crowdstrike has a shot at becoming the company with the biggest piece of the pie of the endpoint security platforms in the next few years. It has a few advantages to reach that goal:
a) Lower customer acquisition costs: The free trial allows customers to add on free modules on their own at no cost, drastically reducing the hurdle rate required to acquire customers and increase the module add-ons. Crowdstrike’s partnerships have also helped in expanding the sales opportunities outside of just their own salesforce.
b) FedRAMP certification/AWS GovCloud: The recent executive order will accelerate spending in endpoint protection. The federal government seems to be serious this time round in wanting to halt these malicious cyber threats. It took Crowdstrike 4 years (!) to get this certification, and these certifications allow Crowdstrike to service government organizations. Crowdstrike’s management seems very positive about its ability to get more contracts.
c) Security is mission-critical
Source: Morgan Stanley Research 2020
Unsurprisingly, in a survey conducted by Morgan Stanley among CIOs in 2020, endpoint security remains a top priority for security spending. Security spending is mission-critical. In times of economic slowdown, there might be reduced expenditure in other areas like R&D, but cyber attacks are relentless and continuous. That's why companies will have to continue putting money into cybersecurity solutions.
d) Increase in cloud security spending
More and more companies, like Facebook and Standard Chartered, are allowing permanent flexible working, and Apple employees are raising objections to the idea of heading back to the office. Even with the vaccine rolled out, we’re not going to go back to working the same way. With digital transformation accelerated, the growth in IoT (the Internet of Things) devices, and the work-from-anywhere trend rising, the need for endpoint security is only going to be amplified.
Cloud workload security is still in its infancy, and more companies will be forced to shift their workloads to a work-from-home context. This no longer has to do with the pandemic, but with people wanting to work from home one or a few days every week.
e) Shift from legacy providers to next-gen AV will only continue
As mentioned above, the transfer of market share from the legacy providers to Crowdstrike has just started and will continue as long as Crowdstrike remains the superior solution.
I hope you have enjoyed this deep dive!
Disclosure: I am long CRWD. This is not investment advice. I am not a registered investment adviser. Please perform your own due diligence before buying any shares of CRWD.
Amazing read! Looking forward to more from you