Where Are We Now
Updated on: 11/8/2021
Security is seriously underrated for the trillions of dollars of damage caused each year by cyber breaches. Good thing we have CrowdStrike, a phenomenal cybersecurity system ecosystem that uses huge amounts of data to get better every single day. Although we think CrowdStrike is expensive, the company will undoubtedly gain prominence as the world shifts to the digital realm and consequently becomes more vulnerable to cyber attacks.
CrowdStrike shares are expensive for a reason – total revenues are increasing at a rate of 70% per year. The company is adding subscription customers at a rapid pace to the tune of over 80% per year.
CrowdStrike continues to add modules to its platform so there is something for everyone. The platform now hosts 21 different modules customers can use to tailor to their specific cybersecurity needs.
CrowdStrike Holdings, Inc. (“CrowdStrike”) is a leading provider of AI-driven, cloud-native threat intelligence, response, computing device protection, and several other cybersecurity services for small to large enterprises. The Falcon platform, CrowdStrike’s ecosystem of cybersecurity modules, aims to prevent and resolve malware breaches, as well as malware-free breaches, historically a blind spot in cybersecurity solutions.
CrowdStrike’s platform provides companies with a cost-effective, lean-and-mean, and single-agent solution that processes, stores, and analyzes trillions of cyber signals in real time to provide full protection across all computing devices within seconds.
The Falcon platform uses machine learning, artificial intelligence ("AI"), and behavioural analysis using data aggregated from each customer on the platform to improve cyber protection in real time for all customers. As the Threat Graph - the Falcon platform’s data store - processes an increasing number of signals over time across a wider customer base, the platform grows smarter, stronger, and becomes more effective in reducing false breach signals and preventing genuine breaches.
Cybersecurity is a growing concern with the digitalization of the globe and distribution of our devices and networks. Demand for CrowdStrike’s AI and cloud capabilities is poised to grow exponentially as cyberattacks are costing organizations trillions of dollars each year, and this number is set to grow.
CrowdStrike has a massive Total Addressable Market ("TAM") of over $40 billion in 2023. Within this TAM, CrowdStrike has optionality with its data capabilities to provide expanded solutions within and outside cybersecurity given its strong balance sheet, operating leverage, highly scalable business model, and history of intelligent acquisitions to expand the Falcon ecosystem. However, this comes at a lofty premium with shares trading at many multiples of sales.
CrowdStrike pioneered a new path when and where nobody else was looking. Salesforce drove massive change with the CRM cloud and Workday defined the HR cloud category. In 2011, CrowdStrike took the initiative to define “Security Cloud”.
While competitors dialled in on malware breaches, CrowdStrike sought to prevent and resolve the 40% of breaches that are malware-free and undetectable by traditional cybersecurity solutions. Fast forward a decade later after rapid expansion of cloud security adoption - cloud workloads are still significantly under-protected.
Companies spend about 1% of their cloud IT budget on cloud security whereas the IDC believes that this figure should be between 5% and 10% of organization cloud IT budgets.
CrowdStrike differentiates itself from peers by leveraging its cloud-native endpoint security platform. Other market offerings are a combination of on-premise and cloud solutions at best, and generally expensive, ineffective, and clunky solutions. In a time when mass digital adoption in a work-from-anywhere, virtual world was accelerated by many years due to COVID-19, CrowdStrike’s leading cybersecurity products will aid in making this grand shift a smooth transition and save the world trillions of dollars in the process.
The stakes are high and CrowdStrike is here to protect our work, data, knowledge, and identity every step of the way.
CrowdStrike was founded in 2011 by George Kurtz (current CEO) and Dmitri Alperovitch (ex-CTO), both former McAfee executives with valuable experience in cybersecurity.
The company aimed to fill a gap in the security industry – provide the world’s first cloud-native endpoint security platform (endpoint: a device that communicates with a network, such as laptops and mobile phones).
To this day, most industry incumbents solely offer on-premise solutions, clunky, outdated, and inefficient platforms that are ripe for disruption by security cloud providers, like CrowdStrike.
CrowdStrike is widely known for the CrowdStrike Falcon platform, their proprietary platform built to prevent and stop cybersecurity breaches with their set of cloud-delivered technologies and artificial intelligence.
Since its founding, the company has played a key role in the resolution of a few high-profile cybersecurity cases, such as the Sony Pictures hack in 2014, the Democratic National Committee investigation into how hackers breached the DNC network and released email in 2016, and various other espionage cases against the United States.
CrowdStrike’s main product offering is the Falcon platform. It is 100% cloud-based and delivered as a SaaS product to customers. Falcon combines advanced antivirus, endpoint detection and response, cyber threat intelligence, managed threat hunting, and security hygiene capabilities all within small sensors that are cloud-managed and delivered. CrowdStrike’s Falcon platform has two layers:
Easily deployed, lightweight sensor
Cloud-based dynamic graph database called the “Threat Graph”
The sensor is installed on each endpoint of the customer’s organization or on their cloud workloads to provide local malware detection and prevention. The data collected by these installed sensors then feed the “Threat Graph”, which essentially is a large database of information aggregated and collected from all customers.
This collected data is processed, correlated with other information, and analyzed in the Threat Graph using graph analytics and AI. Customers benefit from this data collection tremendously – if one organization faces a cyberattack, the Threat Graph processes this information and quickly protects all other customers. It also helps CrowdStrike build its algorithms to prevent future breaches and enhance security.
CrowdStrike primarily sells their platform and cloud modules using a direct sales team. Thanks in part to CrowdStrike’s channel partner network, the direct sales team has grown the customer base at a rapid pace.
CrowdStrike customers include high-calibre companies across the Fortune 500, major government organizations, and top banks. CrowdStrike obtained contracts with over 40% of the Fortune 500 and over half of the top 20 banks.
Some of their customers include Goldman Sachs, Amazon Web Services, MIT, Sony, Hyatt, the City of San Diego, among many others. Most of CrowdStrike’s revenues are generated in the US, however, CrowdStrike is on the international radar with about a quarter of revenues generated outside of the US.
CrowdStrike forms strong relationships with its customers, evident in dollar-based net retention rates consistently above 100% and near-zero churn rates. Customers are not only choosing to stay with CrowdStrike rather than switch to competing products, but they are also spending more after they are onboarded.
CrowdStrike offers customers the flexibility to choose any number of modules for their business and the ability to secure any amount of endpoints within their organizations. Products are not aggressively pushed or bundled in complicated ways – the customer is always in control. Customers reward this sales approach by subscribing to more modules over time.
CrowdStrike’s aggregate customer base on 4 or more module subscriptions expanded rapidly. Customers are not coming to CrowdStrike to use only one module. If they do start with only one, they are very likely to add on more modules.
We believe CrowdStrike’s financial results reflect their product quality, customer care, effective sales approach, and powerful recurring revenue subscription model. Annual recurring revenue (“ARR”) grew at a quick pace, as shown in the graph below.
CrowdStrike’s most obvious competitive advantage is the inherent network effect briefly touched upon earlier in this primer. Falcon uses AI technology to expand its database and grow “smarter” the more CrowdStrike’s customers are attacked by cyber threats and as Falcon is used more across increasingly vast geographies. Each week, approximately trillions of signals are streamed to the Threat Graph and this number continues to grow.
CrowdStrike can collect high-fidelity signals and data about both potential attacks and benign behavioural patterns across the whole customer base thanks to the multi-tenant structure of the cloud. AI algorithms are updated constantly from a wide customer base, instantly protecting all other customers on CrowdStrike platforms the moment any customer experiences an attack or a breach. This network effect has a dual positive effect: (1) false positives are reduced and (2) the ever-growing amount and types of breaches are stopped. In simplest terms, the Falcon platform gets better as more customers use it and purchase more modules.
CrowdStrike uses the “land-and-expand” sales model to obtain customers and provide custom solutions from a customer’s inception. As noted earlier, customers typically expand the number of modules they are subscribed to over time, inherently increasing the switching costs from a financial standpoint. More importantly, a customer that decides to sever ties with CrowdStrike loses out on the benefits obtained from Falcon collecting, processing, and analyzing internal company data and providing increasingly improved security protection via the cloud.
Additionally, it is generally easier for companies to manage one cybersecurity platform on the cloud rather than a combination of complex on-premise and cloud agents from different providers. Companies certainly will not be hiring their own in-house cybersecurity teams either – they are both expensive and difficult to attract. CrowdStrike is the one-stop shop for cloud cybersecurity protection, making it extremely unappealing for customers to leave.
The best businesses in the world generally possess two key powers – a sticky product or service that customers love and the resulting strong financials that enable further investment to make their products and services even better. We believe CrowdStrike possesses both along with operating leverage.
Gross margins are improving substantially, and the company generates positive free cash flow amid heavy reinvestment into the business. CrowdStrike obtains this operating leverage from the low incremental platform costs of onboarding new customers, high net retention, and margin expansion through the “land-and-expand” model. CrowdStrike is also leaner than its competitors – the Threat Graph operates at approximately 13% of the standard on-premise solution cost. As revenues continue to grow, CrowdStrike can exercise its option to invest into more modules and/or target verticals and new use cases outside the cybersecurity realm.
By 2025, worldwide cybercrime costs are expected to top $10.5 trillion. These costs will continue to grow because of the accelerated digital adoption due to COVID-19 and the one million people who are joining the internet daily.
We are now using more devices, more frequently as the world shifts to a work-from-anywhere model. The total number of people on the internet will be 6 billion by 2022 versus the 5 billion figure recorded in 2020.
CrowdStrike will benefit from these macro tailwinds as a leader in the security cloud market in a time when companies, governments, and organizations are rapidly adopting digital solutions and cloud services. We believe that organizations will turn to CrowdStrike to obtain cybersecurity solutions on their cloud-native Falcon platform.
Optionality Within and Beyond Cybersecurity
George Kurtz has made several references to developing new cloud modules for broader endpoint use cases. This means venturing outside the world of cybersecurity is on the table and actively explored by management. When the company first went public in June 2019, the CrowdStrike ecosystem contained 10 modules. Today, CrowdStrike offers 19 different modules and the CrowdStrike Store. Forensics, Identity Protection, Situational Awareness, and Log Management are a few areas CrowdStrike explored and executed as new modules since the IPO. CrowdStrike is uniquely positioned amongst peers to take advantage of these sorts of opportunities because of their data processing abilities and cloud-native model. Customers trust their products and because they constantly look for ways to simplify operations and cut costs, CrowdStrike’s growing one-stop shop gains value with each new module introduced.
Management is focused on a few key areas to exercise optionality now and in the future:
Falcon Discover can be leveraged for use cases outside of security, including application license management, AWS spend analysis, and asset inventory.
The CrowdStrike Store is the first open cloud-based application platform-as-a-service for cybersecurity in the world. It allows customers to discover and try additional cloud modules from trusted partners, who build applications and post these on the CrowdStrike Store, and from CrowdStrike itself.
The authorization of CrowdStrike products by several US federal agencies via the Federal Risk and Authorization Management Program (“FedRAMP”) allows customers to launch the Falcon platform in AWS GovCloud as well as directly serve government agencies with an array of security tools.
Growing usage of “containers” and cloud workloads in computing is driving demand for the protection of these areas as global cloud adoption accelerates and workloads are placed onto the cloud by businesses and other organizations.
We believe CrowdStrike has optionality stretching far beyond management’s sights and possibly greater than management’s TAM estimates of $36.5 billion and $43.6 billion in 2021 and 2023, respectively. Including new offerings and the cloud security opportunity, CrowdStrike and the IDC believe the TAM in 2025 could be over $100 billion. Cyber threats are constantly evolving and growing in magnitude, and high-quality data is growing in terms of importance. Customers are also eager to add modules after onboarding, which should encourage management to continue exploring opportunities in and beyond cybersecurity as they mature and learn the market and penetrate a growing share of a rapidly growing TAM.
Some of the aforementioned modules introduced to the market were added after acquiring other companies. When CrowdStrike spots a great industry player in a niche market, it will probably seek a way to integrate their products into the CrowdStrike ecosystem. For instance, Zero Trust capabilities were added after the acquisition of Preempt Security, a leader in the Zero Trust market. Formerly without an identity management arm, CrowdStrike now competes with other Zero Trust providers and leverages its existing customer base to adopt this module on top of other Falcon modules for their cybersecurity needs.
CrowdStrike also acquired Humio to enter the log management and observability solutions industry and help developers, IT professionals, and analysts gain insight into threats, vulnerabilities, and computer-generated data in real time. CrowdStrike now competes with large log management companies, such as Splunk, Elastic, Sumo Logic, and Datadog.
CrowdStrike appears to make acquisition decisions for long-term value creation, integrating modules that leverage its already-robust data-driven, AI-enabled, cloud-native security platform. It is likely CrowdStrike will continue to make many unexpected acquisitions that expand product offerings in the short run and unlock tremendous value over the long run. With over $900 million in net cash on its balance sheet, CrowdStrike has significant room to mobilize capital to perform intelligent acquisitions and further expand its ecosystem.
We believe CrowdStrike and its ability to expand and hold onto its lead could be limited by the following forces:
CrowdStrike operates as a generalist player in a competitive environment with many large incumbents across various cybersecurity solutions. For example, Symantec, Microsoft, and McAfee in the antivirus market, Blackberry Cylance, VMware Carbon Black, and SentinelOne in the endpoint security market, and Palo Alto Networks and FireEye in network security pose a threat to CrowdStrike with their brand reputation, recognition, and highly rated solutions. CrowdStrike may find itself in a poor competitive position should a price war ensue or if the market becomes further saturated with additional offerings from incumbents and new entrants.
The “land-and-expand” sales method and flexible solution offerings could work against CrowdStrike if customers churn out of the CrowdStrike ecosystem. Customers that are not wholly immersed in the CrowdStrike ecosystem could find it easy to switch to other services all while having provided CrowdStrike with trivial revenues.
CrowdStrike’s openness to verticals and other opportunities could result in a lack of focus on general operations and core modules. It is imperative that CrowdStrike continues to invest in its operations considering the competitive environment in which it operates while competitors also seek ways to gain market share. CrowdStrike may also experience cost increases and a reversal of some of its operating leverage if future penetrated verticals are vastly different from its core operations and separate teams are built to manage these segments.
On the valuation front, CrowdStrike faces significant risk in the short- and intermediate-term due to heightened software and cloud valuations amid accelerated COVID-19 demand for digitalization. Although CrowdStrike is growing revenues quickly, it still trades at massive multiples on forward sales estimates. There is significant downside in the case of multiple compression or increasing competition souring investor sentiment towards CrowdStrike.
CrowdStrike is growing rapidly within a nascent and niche cloud industry, paving the path towards mass security cloud adoption. Security and customer value come first, and competitive advantages follow. CrowdStrike established a moat with its cloud-native, AI-enabled cybersecurity ecosystem that gets smarter the more it is used. Customers discover this value after they are onboarded and generally add on multiple modules to protect their data and operations.
CrowdStrike will continue to grow despite a relatively crowded competitive playing field. Valuation may be a headwind for shareholders, but it surely reflects the quality of CrowdStrike’s recurring revenues, operating leverage, and net cash position on its balance sheet. Secular industry tailwinds, expanding TAM, optionality through verticals and other use cases in and around cybersecurity, and intelligent acquisitions should propel CrowdStrike ahead of its competition. CrowdStrike should be on every investor’s watchlist throughout the next several years as it revolutionizes the cybersecurity world.