What You Need To Know About CrowdStrike Before You Invest

Business Model

CrowdStrike is an industry leader in endpoint and cloud workload protection, which essentially means it analyses, anticipates and prevents cyber-attacks on endpoints such as laptops, servers, IoT devices and cloud workloads. CrowdStrike aims to incorporate automation, so as to alleviate the pressure on already thinly stretched cybersecurity teams in various companies. Secondly, CrowdStrike aims to be a cloud-based service provider, adopting the service-as-a-software model, so that it is quickly deployable, easily scalable and causes minimal downtime and keeps disruptions to a business’ operations to the minimal. Lastly, CrowdStrike adopts a predictive rather than reactive model, meaning that it aims to prevent breaches from happening rather than trying to remedy breaches only after they occur, keeping customers ahead of attackers.

Incident Response Services

In addition to our Falcon platform and cloud modules, CrowdStrike also offers incident response services to assist organizations that have experienced a breach or are assessing their security posture and ability to respond to breaches. 

In addition to providing valuable breach remediation to customers, CrowdStrike’s incident response services also act as a strong lead generation engine for our Falcon platform and cloud modules. After experiencing the benefits of the platform firsthand, many of CrowdStrike’s incident response customers become its subscription customers. Among organizations who first became a customer after February 1, 2020, for each $1.00 spent by those customers on their initial engagement for incident response or proactive services, as of January 31, 2022, CrowdStrike has derived an average of $5.71 in ARR from those subscription contracts.

CrowdStrike’s Product Superiority

CrowdStrike aims to differentiate itself by overcoming the architectural limitations of legacy cybersecurity products.

The latest Forrester Wave for Endpoint Detection and Response Providers ranks the top leaders in the EDR market. CrowdStrike remains in a league of its own, with Microsoft (MSFT) the only competitor that is managing to keep pace, and when it comes to Cybersecurity, companies will almost always opt for the best protection possible.

/var/folders/yf/xp113b3d1_38r4v8h0bqtjch0000gn/T/com.microsoft.Word/WebArchiveCopyPasteTempFiles/56518551-16559848058124454_origin.png

Its relevance in the Endpoint Security Market is also evident through its increased market share, from 7.9% in CY2019 to 14.2% in mid-CY2021.

Compared to whitelisting

Application whitelisting products resort to an “always allow” or “always block” policy on an endpoint in order to allow or prevent processes from executing. Whitelisting relies in part on manually creating and maintaining a complex list of rules, burdening end users and IT organizations. This does not prevent fileless attacks from exploiting legitimate whitelisted applications, compromising the integrity of the whitelisting product.

Compared to legacy, on-prem solutions

CrowdStrike has built a more intelligent, effective solution to detect threats and stop breaches that on-premise security and bolt-on cloud products cannot match. On-premise products are siloed, lack integration, and have limited ability to collect, process, and analyse vast amounts of data—attributes that are required to be effective in today’s increasingly dynamic threat landscape.

Compared to signature-based solutions

Signature-based products are designed to detect attacks that have been previously identified. As a result, such products are fundamentally unable to prevent unknown threats resulting from shifts in attacker tradecraft. It often only takes a slight modification on the part of the attacker to bypass signatures. Many significant breaches seen in the last two decades have involved the failure of a legacy signature-based antivirus product to detect a previously unknown or modified version of a previously known attack.

Compared to Malware-Focused Machine Learning Products

Traditionally, organizations have focused on protecting their networks and endpoints against malware-based attacks. These attacks involve malware built for the specific purpose of performing malicious activities, stealing data, or destroying systems. A malware-centric defensive approach will leave the organization vulnerable to attacks that do not leverage malware.

What CrowdStrike does

CrowdStrike’s Falcon platform consists of its easily deployed, intelligent lightweight agent, and its groundbreaking graph technology.

With the lightweight agent installed on each endpoint or cloud workload, this enables CrowdStrike’s Falcon platform to intelligently ingest and stream high fidelity data back into the Security Cloud to continuously improve Falcon platform’s AI algorithms.

The Threat Graph is able to contextualize and turn this data into action, automatically delivering protection to every customer. This also provides customers with increased visibility of attacks for proactive threat hunting and timely detection and remediation of novel threats.

Business Model – How does CrowdStrike Make Money

CrowdStrike offers cloud-based modules that integrate seamlessly with the Falcon platform that users can subscribe to. Currently, there are 22 modules that spans multiple large markets, including corporate workload security, security and vulnerability management, managed security services, IT operations management, threat intelligence services, identity protection, and log management.

Key Metrics

Number of Subscription Customers

CrowdStrike grew from 1,242 subscription customers in 2018 to 16,325 customers in 2022, representing an impressive 90.4% CAGR.

CrowdStrike has made many strategic partnerships which form a crucial part of its sales and marketing strategy to acquire more customers. One such example will be CrowdStrike’s partnership with Google Cloud Platform. Potential clients who have built their work on Google’s Cloud Platform can purchase CrowdStrike’s products directly through the Google Store. This dramatically shortens the sales cycle and gives CrowdStrike access to Google Cloud’s 900,000 plus customers.

Annual Recurring Revenue (“ARR”)

ARR is calculated as the annualized value of our customer subscription contracts as of the measurement date, assuming any contract that expires during the next 12 months is renewed on its existing terms.

CrowdStrike increased its ARR from 141.3 million in 2018 to 1.7 billion in 2021, which represents a 87.1% CAGR.

Dollar-Based Net Retention Rate (DBNRR)

A dollar-based retention rate measures how many existing customers increase their spending on CrowdStrike’s products and services, from one reporting period to the next.

CrowdStrike has managed to keep a dollar-based net retention rate of consistently above 120% since 2019, which is one of the highest among the top SaaS companies. Its gross retention rate has improved slightly and now stands at 98%. 

This shows that most customers are satisfied with CrowdStrike’s products, and are even willing to spend more when they add more modules or endpoints. This is another testament to CrowdStrike’s superior product performance. 

Number of Modules Per Customer

/var/folders/yf/xp113b3d1_38r4v8h0bqtjch0000gn/T/com.microsoft.Word/WebArchiveCopyPasteTempFiles/56518551-16559859024824116_origin.png

As of January 31, 2022, 69% of CrowdStrike’s customer base had adopted four or more modules, 57% of its customer base had adopted five or more modules, and 34% of its customer base had adopted six or more modules. 

As of January 31, 2021, 63% of CrowdStrike’s customer base had adopted four or more modules, 47% of its customer base had adopted five or more modules, and 24% of its customer base had adopted six or more modules. 

As of January 31, 2020, 54% of CrowdStrike’s customer base had adopted four or more modules and 33% of its customer base had adopted five or more modules. 

Industry Background: The Trends Driving a Need for a New Approach to Security

Cybersecurity Threats are More Sophisticated and More Damaging: Cybersecurity threats have increased throughout the past decade, and as the world becomes even more digital, the threat of cyberattacks is only going to keep increasing.

Hybrid, Remote Workforces and the Proliferation of Workloads Expands the Attack Surface: Organizations everywhere are embracing digital transformation and are becoming more distributed as they adopt the cloud, increase workforce mobility, and grow their number of connected devices. They are adding more workloads to a myriad of different endpoints beyond the traditional cybersecurity perimeter, exposing an increasingly broad attack surface to adversaries. This existing trend was accelerated significantly with the need to support an increasingly remote workforce in 2020 due to the COVID-19 pandemic and we believe this trend continues today. 

Growing Cyber Skills Gap: Trained cybersecurity professionals are in high demand, and organizations continue to face a dire shortage of talent to fill much needed cybersecurity positions. As a result, existing cybersecurity teams are often overwhelmed by the velocity of cyberattacks. Adversaries exploit this vacuum by continuing to accelerate their sophisticated attacks.

Investment Thesis/ Growth Drivers

1. Switching Costs

CrowdStrike has been consistently growing the number of users that subscribe to more than 4 modules. Besides offering a superior product, it is also costly for any company to switch to another cybersecurity provider, as it would likely involve a huge overhaul of the company’s systems.

Furthermore, with every additional CrowdStrike module adopted, CrowdStrike becomes more and more engrained in these businesses, making it even tougher for these companies to switch away from CrowdStrike.

In addition, CrowdStrike offer training and certification services to customers and partners on CrowdStrike technologies and cybersecurity topics to facilitate the adoption of CrowdStrike and to broaden and deepen their skills. This adds another layer of switching costs as it may be time- and resource- consuming to retrain the cybersecurity personnel to learn how to use a different cybersecurity platform.

2. Network Effects

CrowdStrike’s crowdsourced data enables every customer to benefit from contributing to the Security Cloud. As more high fidelity data is fed into our Security Cloud, its AI models continue to train and improve, increasing the overall efficacy of the Falcon platform. This improves CrowdStrike’s ability to prevent cyberattacks, which increases CrowdStrike’s lead against its competitors, which in turn leads to more customers.

This creates a powerful network effect that increases the overall value CrowdStrike provides.

3. Industry Growth

The global endpoint security market is projected to grow from $13.99 billion in 2021 to $24.58 billion in 2028 at a significant CAGR of 8.3% in the forecast period. Falcon earned $1.45 billion in FY22, which represents only about 10% of the total addressable market.

Given the limitations of existing legacy and other endpoint security products, many organizations are replacing their existing legacy and other endpoint security products with our Falcon platform.

In fact, the cybersecurity market has risen much faster than industry estimates in the past few years, and may continue to exceed analyst growth expectations going forward.

As CrowdStrike branches out into other cybersecurity-related fields such as IT operations management and identity protection, its total addressable market increases. 

4. Increasing Total Addressable Market/Growth Initiatives 

Leveraging Falcon Platform to Enter New Markets. Because CrowdStrike’s lightweight agent collects diverse endpoint data once for repeated use, CrowdStrike can expand its addressable market by rapidly adding new cloud modules that leverage this data. For example, Falcon Discover includes use cases outside of security, such as application license management, AWS spend analysis, and asset inventory. CrowdStrike intends to continue to develop new cloud modules for broader endpoint use cases.

CRWD

Broadening Reach into New Customer Segments. As illustrated above, there remains significant opportunities in the small and medium businesses as well as public sector segments, where there is less than 1% market penetration.

While CrowdStrike initially targeted large sophisticated enterprises, it has expanded its go-to- market efforts to include customers of all sizes. Today, the flexibility and scalability of the Falcon platform has enabled CrowdStrike to seamlessly offer its solution to the largest enterprises or smallest businesses with any level of security sophistication and budget. 

page25image1479114800

Extending Falcon Platform and Ecosystem. CrowdStrike launched the CrowdStrike Store, the first open cloud-based application PaaS for cybersecurity, which allows customers to purchase CrowdStrike products and provides an ecosystem of trusted partners and applications for its customers to choose from. 

Expanding International Footprint. CrowdStrike grew our international revenue from $247.0 million for fiscal 2021, to $405.1 million for fiscal 2022, representing an increase of 64%. CrowdStrike intends to grow its international customer base by increasing its investments in its overseas operations, including adding headcount in Europe, the Middle East, Asia-Pacific, including Japan and expanding current data centers overseas.

Financials

Revenue

Revenue for CrowdStrike increased from 52.8 million in 2017 to 1,451.6 million in 2022, representing a 94% CAGR. This clearly puts CrowdStrike under the high-growth category of stocks.

In addition, management has given its ARR guidance to be $5B by FY2026, representing a CAGR of 30.37%.

Net income 

CrowdStrike is still unprofitable as of now, making a net loss of 235 million in 2022, compared to 141 million in 2018. Management has also said that it expects continued losses in the upcoming years as it continues to invest heavily on sales and research expenses. The good news is that while the absolute loss is increasing, the net margin is actually improving, decreasing from 118% in 2018 to 16.2% in 2022.

Magic Number is calculated by performing the following calculation for the most recent four quarters and taking the average: annualizing the difference between a quarter’s Subscription Revenue and the prior quarter’s Subscription Revenue, and then dividing the resulting number by the previous quarter’s Non-GAAP Sales & Marketing Expense. 

In 2022, CrowdStrike attained a magic number of 1.4, which in other words mean that for every dollar CrowdStrike spends on sales and marketing, the management earns $1.40 in the next twelve months. Given that the massive market opportunity and high returns on investments, CrowdStrike has spent 42% of its total revenue on sales and marketing alone.

Free cash flow

While CrowdStrike has been unprofitable thus far and likely to be so for the next few years, it has generated a positive free cash flow since 2020. This is due to the heavy stock-based compensation the company incurs, a common practice by young growth companies to pay their employees in the form of shares instead of cash.

Stock-based compensation for the company has hovered around 10%, and therefore it is recommended that this rate does not go too high.

Risks

1. Competition 

The market for security and IT operations solutions is intensely competitive, fragmented, and characterized by rapid changes in technology, customer requirements, industry standards, increasingly sophisticated attackers, and by frequent introductions of new or improved products to combat security threats. We expect to continue to face intense competition from current competitors, as well as from new entrants into the market.

Two of CrowdStrike’s most significant competitors include the following:

• Microsoft Corporation, who offer a broad range of approaches and solutions including traditional signature-based anti-virus protection;

• SentinelOne, who offer a mix of on-premise and cloud-hosted products that rely heavily on malware-only or application whitelisting techniques;

2. Failure to stop attacks

Organizations are increasingly subject to a wide variety of attacks on their networks, systems, and endpoints. No security solution, including the Falcon platform, can address all possible security threats or block all methods of penetrating a network or otherwise perpetrating a security incident.

If CrowdStrike’s solutions fail or are perceived to fail to detect or prevent incidents, its brand and reputation would be harmed and lower customers’ trust in CrowdStrike’s products.

/var/folders/yf/xp113b3d1_38r4v8h0bqtjch0000gn/T/com.microsoft.Word/WebArchiveCopyPasteTempFiles/56518551-1655990206523265_origin.png

That being said, CrowdStrike is recognized as the leader within its industry, so even if it does fail to stop a large cyberattack, customers are still unlikely to find an alternative cybersecurity provider that does a better job.

Summary

As more companies start to migrate their workloads to the cloud, they will require more protection from increasingly sophisticated cyber threats. Cybersecurity will continue to make up an even greater portion of companies’ IT budgets and this represents an excellent growth driver for CrowdStrike.

In my opinion, the biggest risk with CrowdStrike is the competition, as many companies are also developing their own cybersecurity capabilities in a bid to capitalise on this lucrative growth trend. 

According to CrowdStrike’s CEO, George Kurtz, Microsoft still primarily adopts a signature-based antivirus solution, which as explained previously, is not as effective in identifying unknown threats. Another differentiating factor that CrowdStrike has is that its platform works more seamlessly across different operating systems, like Windows, MacOS and Linux.

Hence, I believe that CrowdStrike still maintains an advantageous position and a clear lead in the cybersecurity market for now. As long as the team continues to innovate and develop new cloud modules and improve its existing ones, CrowdStrike should be able to continue its outperformance against its peers.

On the financial side, I will like to see the company breakeven soon and achieve operating leverage, while continuing to improve its gross margins.

And just a note on valuation. I think the recent stock market downturn has just reminded us that it is a myth that “any price is a good price to pay for an outstanding company with excellent fundamentals”. CrowdStrike currently trades at a Price-to-Sales ratio (P/S) of 26, which is lower compared to the companies’ historical ratios, but still much higher than what I am comfortable with. Many companies with similar high growth rates are trading nowhere near such sky-high valuations. While CrowdStrike is in my opinion, a great business and therefore deserves a premium valuation, there needs to be a limit to the how much premium we as investors are comfortable to pay. 

Add a Comment

Your email address will not be published.