Standing out from the Crowd
Since the poll for the last deep-dive, the most requested company to analyse was Crowdstrike.
Cybersecurity is not a simple industry to analyse for a generalist like myself, which is why this piece has taken me slightly longer than usual.
For the next deep-dive I would like to look at a less well known company. I’m open to suggestions, so if you have an idea message me at firstname.lastname@example.org, in the comments, or by twitter DM.
What is Crowdstrike and how does it work?
Industry & competition
Management & Culture
With the rise of the internet in its many forms over the past two decades, we have seen more and more vulnerabilities arise. To be frank, the early internet wasn’t built with the intention to connect the entire world. The first instance of the internet was more intended for sharing between military and academic networks. As the internet grew in reach and scale, so did the vulnerabilities.
By mid-way through the 2000s it was clear that legacy solutions for combating intrusive malware were insufficient compared to the rate at which it was being produced. In essence, legacy cybersecurity was reactive rather than proactive. Therefore, the attackers were always two steps ahead.
Oftentimes, it takes something to go wrong before we feel the need to address the problem. The preventative nature of security goes somewhat against human psychology. In business, this phenomenon manifests in companies' reluctance to invest sufficient capital into protecting themselves from cyber threats.
With an increase in attacks over the years, the business world is beginning to take the matter more seriously. Sensitive data-leaks can bring a business to its knees.
That’s where Crowdstrike comes in.
In a world becoming increasingly reliant on digital solutions to digital problems, the Cybersecurity industry will become more and more important. In fact, cybersecurity will be essential. Businesses operating without a top cybersecurity solution will suffer.
Crowdstrike, with their best-in-class, innovative cybersecurity solution, are well positioned within a fast growing and absolutely necessary industry. Their desirable modular product suite combined with their current state of ‘hypergrowth’ sets them up to be one of the most influential Endpoint Protection Cybersecurity companies over the coming 3-5 years.
Even considering the currently lofty valuation, Crowdstrike are in-line with many of the top SaaS and high-growth peers - this is taking into account that most other businesses aren’t growing their baseline revenue at the rates of Crowdstrike.
Crowdstrike are in the perfect position to capitalize on an industry crying out for disruption, leveraging their first-mover advantage, network effects and strong management.
3. Key terminology
Before we get into the meat of the article I think it’s worthwhile outlining some of the key terms as, most likely, you will be approaching this company from a similar starting point to myself.
An endpoint is any physical device that can be connected to a network. E.g. laptops, desktops, mobile phones, tablets, servers, and virtual environments can all be considered endpoints.
Endpoints started off being relatively few and far between (e.g. personal computers). However as technology has developed, the variety of endpoints has continued to climb. Therefore, endpoint security is becoming more and more valuable.
3.2. Malware & Virus
Malware is a catch-all term for any type of malicious software, regardless of how it works, its intent, or how it’s distributed. A virus is a specific type of malware that self-replicates by inserting its code into other programs.
Each type of virus has hundreds and thousands of variations and iterations, thereby making it hard to find each new instance.
The virus, at its core, executes a process (e.g. opening a program, closing a program, sending an email). These processes result in patterns which CrowdStrike systems can locate, identify as an attack, and nullify.
Interestingly, as well as having many variations, viruses can access your system in many different ways - e.g. social engineering, phishing, spear phishing and many more. The social engineering aspect is possibly the most interesting/vulnerable aspect. As with many other things, human nature remains the fundamental weakness.
3.3. IOC vs IOA
An IoC (Indicator of Compromise) is a post-infection indicator. This means after a virus has been installed into a target system, the antivirus program scans files and documents for known virus signatures (like we do with the PCR tests and Covid-19) and then quarantines the files and deletes them.
You may have seen this before with programs like McAfee, where they scan and incubate.
That's not what CrowdStrike specializes in. CrowdStrike focuses on IoAs (Indicators of Attack). IoA detection looks for suspicious processes that are started in the background by malicious files. Simply put, you can think of IoCs as a ‘reactive’ method of protection whereas IoAs are a ‘preventative’ method of protection - stopping the virus before it can do anything harmful.
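The contrast above, as an added example (not from the original article, and not CrowdStrike's actual detection logic): an IoC scan matches file hashes against known samples, while an IoA rule looks at the process pattern, so a repacked variant with a new hash slips past the first and is still caught by the second. The events, hashes, file names and the rule itself (a script host descended from a document application) are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start record, as an endpoint agent might report it."""
    host: str
    pid: int
    ppid: int
    image: str      # full path of the executable that started
    content: bytes  # stand-in for the executable's bytes on disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# --- IoC: signature database of samples that were already seen -------------
KNOWN_BAD_HASHES = {sha256_hex(b"constructed-sample-v1")}


def ioc_scan(events):
    """Return (host, pid) for every process whose file hash is a known signature."""
    return [(e.host, e.pid) for e in events
            if sha256_hex(e.content) in KNOWN_BAD_HASHES]


# --- IoA: behavioural rule on process lineage (constructed rule) -----------
DOCUMENT_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe"}
MAX_DEPTH = 8  # bound the ancestor walk; also guards against pid-reuse loops


def ioa_scan(events):
    """Return (host, pid) for script hosts that descend from a document app."""
    by_pid = {(e.host, e.pid): e for e in events}
    alerts = []
    for e in events:
        if image_name(e.image) not in SCRIPT_HOSTS:
            continue
        ancestor = by_pid.get((e.host, e.ppid))
        depth = 0
        while ancestor is not None and depth < MAX_DEPTH:
            if image_name(ancestor.image) in DOCUMENT_APPS:
                alerts.append((e.host, e.pid))
                break
            ancestor = by_pid.get((ancestor.host, ancestor.ppid))
            depth += 1
    return alerts


# Constructed telemetry: host-a runs a known sample, host-b runs a repacked
# variant (same behaviour, different bytes), host-c is ordinary admin activity.
EVENTS = [
    ProcessEvent("host-a", 100, 1, r"C:\Program Files\Office\WINWORD.EXE", b"word"),
    ProcessEvent("host-a", 200, 100, r"C:\Users\u\AppData\Local\Temp\helper.exe",
                 b"constructed-sample-v1"),
    ProcessEvent("host-a", 300, 200, r"C:\Windows\System32\powershell.exe", b"ps"),
    ProcessEvent("host-b", 110, 1, r"C:\Program Files\Office\WINWORD.EXE", b"word"),
    ProcessEvent("host-b", 210, 110, r"C:\Users\u\AppData\Local\Temp\helper.exe",
                 b"constructed-sample-v2"),
    ProcessEvent("host-b", 310, 210, r"C:\Windows\System32\powershell.exe", b"ps"),
    ProcessEvent("host-c", 50, 1, r"C:\Windows\explorer.exe", b"explorer"),
    ProcessEvent("host-c", 60, 50, r"C:\Windows\System32\powershell.exe", b"ps"),
]

if __name__ == "__main__":
    print("IoC (hash) hits:     ", ioc_scan(EVENTS))
    print("IoA (behaviour) hits:", ioa_scan(EVENTS))
```

The hash check only fires on host-a, where the file is byte-identical to a sample already in the database; the lineage rule fires on both host-a and host-b and stays quiet on host-c.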
In 1987 McAfee launched its first antivirus solution which was followed by Symantec’s antivirus solution in 1991.
By 2007, roughly 5.5 million malware samples were identified in that year alone.
By 2013 400,000 new malware samples were being reported every day. From this point onwards, it was clear something within the industry needed to change. Cybersecurity needed to become preventative rather than reactive.
Several years later, in 2011, George Kurtz (the CTO of McAfee at the time) pitched the idea of CrowdStrike to ‘Warburg Pincus’ (a private equity firm) on a Saturday morning via Skype. They instantly gave him $25M in seed money, and by the sounds of it were willing to give him as much as he needed. This small anecdote speaks volumes of the conviction the private equity firm had in George (we’ll cover this in more detail later).
George previously established Foundstone, a security firm that was eventually bought by McAfee in 2004. He has previously held key positions in the cybersecurity area at Ernst & Young and PricewaterhouseCoopers. He graduated from Seton Hall University with a degree in Accounting. As of April 2020, George owned 22.4 percent of Crowdstrike.
“My light-bulb moment for CrowdStrike happened when I was on a plane. I noticed a passenger take out his laptop and turn it on. McAfee software popped up and started to scan the man's machine. The guy was waiting for 15 minutes. He was waiting and waiting and I was just sitting there, the CTO of the company that makes the technology. I realized there must be a better solution.
That's when Dmitri Alperovitch, who was the vice president of threat research at McAfee at the time, and Gregg Marston and I decided to build a security company entirely on the cloud. CrowdStrike became the first native cloud security solution, which means that it's lightweight and nimble and doesn't slow down the user's machine.”
With the help from his two co-founders, Dmitri Alperovitch & Gregg Marston, they built the company into one of the fastest growing and most innovative cybersecurity companies in the world.
5. What is Crowdstrike and how does it work?
5.1. At a glance
CrowdStrike is a cloud-based antivirus company with the aim of stopping the cyber attack before it can execute on the target device (or ‘endpoint’). In terms of scale, and where they want to eventually reach, they make comparisons to some of the other big cloud players - such as Salesforce, Servicenow and Workday. These are ambitious, but seemingly achievable targets.
5.2. Core Product
Crowdstrike’s core product revolves around the Falcon platform, which supports 19 cloud modules using a SaaS (Software as a Service) model.
For context, the pace of innovation over the past decade has been impressive, starting out with 10 modules and adding almost 1 new module per year since then.
The company’s open cloud architecture allows third parties (along with Crowdstrike themselves) to build and deploy new cloud modules in order to provide end users with unique functionality - supporting the individual needs of companies. This is a far cry from the incumbent solutions which are slow-moving and lack flexibility.
5.3. Why CrowdStrike’s solution is better than legacy IT Cybersecurity
Typically, legacy IT infrastructure does not scale well as the number of endpoints (users, phones, laptops etc.) scales up. Typically, the more endpoints there are, the more a company must spend to secure them.
New threats also mean new solutions need to be installed on EVERY endpoint - thereby bloating the system. A real-life example of this that many of us can relate to is the difference in speed between a new work laptop and an old one. The work PC starts off quick and responsive, however as more and more malware protection is added on by your organisation over the years, the slower it gets. CrowdStrike solves this problem.
CrowdStrike is Cloud-Native, which means the product is scalable, adaptable, and benefits from network effects.
Additionally, and possibly the most ‘next-gen’ aspect of the product, is the use of Artificial Intelligence and Machine Learning. With each new ‘attack’ on the system, the AI/ML algorithm uses this data to help strengthen the overall network by feeding that information back into the system, helping it to learn. This new method is classed as ‘Next Gen Anti-Virus’ (NGAV).
So, put simply, the more customers Crowdstrike have - the better the end product is due to the additional data points it has to draw from. This is known as ‘network effects’ and is extremely powerful.
One slight downside of Crowdstrike from an investor’s point of view is the complexity of the business. Without a background in IT or Cyber, this company is tricky to fully understand. This, in my opinion, makes building conviction hard.
That being said, once you can begin to understand the core business, it’s easy to see why the business model is effective and disruptive. And that mainly boils down to the laser-focus on the experience of the end user.
There are four main pricing options on the Crowdstrike platform - Falcon Pro, Falcon Enterprise, Falcon Premium and Falcon Complete.
“some of the legacy vendors in this space had hundreds of thousands of enterprise customers. The key to our rapidly expanding customer base is that we are winning customers of all sizes. From a one-person shop all the way to the largest companies in the world, we can sell into any vertical, geography or any level of technical sophistication. Essentially, we can sell to almost anyone.”
This indicates the pricing structure is working.
In comparison to other offerings, Crowdstrike comes at somewhat of a premium. However, one could argue they have the superior product. The question is, will the buyers recognise the importance of having the best protection in this day and age?
One breach for a company nowadays could be catastrophic.
With the increase in high-profile security breaches over the past couple of years, I believe consumers and enterprises will come to realise this fact.
In addition to the modular option pricing (above), Crowdstrike also offers incident response and forensic investigatory services, technical assessment and strategic advisory services, as well as training to assist organizations that have experienced a breach or are assessing their security posture and ability to respond to breaches. These are listed as professional services, make up roughly 7% of total revenues (down from ~30% 5 years ago) and are a much lower margin business (35% gross margin compared to the 76% gross margin on the subscription business).
That being said, these professional services are a great onboarding tool, as when customers encounter problems and begin to trust that Crowdstrike knows what they are talking about - then upselling modular assistance is made 10X easier.
As an example...
From the recent annual report - “After experiencing the benefits of our platform firsthand, many of our incident response customers become subscription customers. Among organizations who first became a customer after February 1, 2019, for each $1.00 spent by those customers on their initial engagement for our incident response or proactive services, as of January 31, 2021, we derived an average of $5.51 in ARR from those subscription contracts.”
5.5. Why is Crowdstrike Unique?
Crowdstrike is a pioneer of technologies and new ways of tackling problems within the cybersecurity industry. Their product is unique in several different ways - and here’s why.
Single lightweight agent: To simplify, in order for an antivirus system to work on your computer/device, you need to install what is called an ‘agent’. This ‘agent’ can be thought of simply as a programme on your PC.
Typically, for the ‘old-gen’ cybersecurity companies they would install several ‘agents’, all with different uses. The downside would be increased programmes running on your PC, therefore slowing it down significantly.
In comparison, Crowdstrike is able to solve this problem by installing one single ‘agent’ which does all the work locally on your device, then streams data back to the cloud-based Falcon platform for real-time decision making.
Artificial Intelligence & Machine Learning: Essentially, Crowdstrike’s use of machine learning via a distributed cloud architecture means that if one person experiences a specific data-breach/attack, the AI/ML system will ‘learn’ - therefore protecting everyone else on the network from the same attack.
“CrowdStrike Threat Graph is the brains behind the Falcon endpoint protection platform. Threat Graph predicts and prevents modern threats in real time through the industry's most comprehensive sets of endpoint telemetry, threat intelligence and AI-powered analytics.”
With AI, a typical method of ‘training’ is to feed it other examples of known ‘attacks’ so the AI has a better knowledge of what it looks like. Just like us Humans learn by input and confirmation over the duration of our lives, computer AI systems learn by recognising patterns in data.
A great, simple, example of this principle is the story of teaching AI systems what animals look like. To us, it’s easy to identify a dog or a cat and the obvious distinction between the two. However, this kind of image recognition is far harder for computers. In order to learn - an AI system must learn by looking at other pictures of dogs and cats.
So, if the AI sees a pattern, it can correlate that pattern with a ‘learned’ virus/breach.
This model, which uses real-life examples to train the system, has the ability to scale-up by using the cloud.
Cloud architecture: As mentioned above, the nature of Crowdstrike’s cloud-based architecture offers many advantages to both the end user and the company.
Once the lightweight agent is on the end-user’s system, the cloud-based system can update modules in real-time, whereas non-cloud-based models would require the user to upload each new module to their system - taking significant time and effort. This makes selling the platform easy.
Adding to this, the cloud infrastructure is fairly ‘lean’ in that costs are significantly reduced without the need for complex physical IT infrastructure and the various costs associated with that.
5.6. Modules - a key driver of success
As mentioned briefly earlier, one of the key drivers of Crowdstrike’s success is the constant addition of modules.
This is shown in the table below: as the number of modules increased from 2017 (assuming roughly 15 modules) to 2021 (19 modules), the percentage of subscribers with 4 or more modules increased from 0% to 66% as of Q2 2022.
The plan seems to be to keep integrating additional modules (organically or via acquisition) whilst increasing the ease of discoverability for end users to find and try these new modules via the Crowdstrike store.
“We launched the CrowdStrike Store, the first open cloud-based application PaaS for cybersecurity, which provides an ecosystem of trusted partners and applications for our customers. In the future we plan to continue investing in the CrowdStrike Store to empower our partners by making it easier to build applications and to enable our customers to more easily discover, try, and purchase additional cloud modules from both trusted partners and us.”
Additionally to the table above, the Q2 2022 results show 53% of subscribers have more than 5 modules and 29% of subscribers have more than 6 modules.
The beauty of this model is that as Crowdstrike continues to grow and focuses on getting their subscribers signed up to as many modules as possible, the margin will increase due to the higher-margin nature of each additional module. This business model works well in cybersecurity, because (generally) cybersecurity solutions are very sticky - traditionally due to the high switching costs.
There is, however, a fine balance between focusing on increasing the number of modules per subscriber and getting new customers through the door, which is something management has mentioned in the annual reports.
That being said, in the most recent call CEO George Kurtz cited an increase in new customers signing up to multiple modules - “this new CrowdStrike customer was eager to transform the security posture and adopted 11 Falcon modules, including Falcon Complete, Discover, Spotlight, Falcon X Recon, Cloud Workload Protection, and Falcon Zero Trust to proactively secure and fully manage their workstations, cloud workloads, and identity layer, as well as provide visibility into their IT assets and vulnerabilities.”
To summarize this section, it’s clear that the advantage Crowdstrike has over the incumbent Cybersecurity players is the cloud architecture which combines with the single light agent and constantly evolving AI/ML algorithms. This combination allows the sales process to happen seamlessly, whilst also providing better proactive protection for the end user.
A study by Gartner showed that almost half of the enterprises surveyed indicated that they want to consolidate their security vendors in the next 2-3 years.
6. Cybersecurity - trend or necessity?
With the digital age we’re currently living in, the core services a business needs inevitably change. For example, and it’s not apples for apples, but every business nowadays needs someone (or a team) to look after the social media aspect - this did not exist 15-20 years ago. Similarly, with the increased use of ‘digital’, every company needs to protect themselves from malicious cyber attacks. Simply, if you don’t have all your bases covered with cyber security, then the business will suffer. Therefore, Cyber is an absolute must in this day and age.
6.1. The industry
According to the most recent investor presentation, the total addressable market sits at $36.5B for 2021 with the potential to increase to $43.6B by 2023. Future growth in this total addressable market is likely to be fueled by emerging areas such as cloud, IoT and home office/remote working solutions.
For me, this TAM can be broken down into three overarching drivers…
1. An increase in cyber attacks - over the past 10 years, large-scale cyber attacks have increased dramatically. These examples from Wolf Of Harcourt’s article on Cybersecurity show how common the issue is becoming.
In 2020, a Twitter breach targeting 130 accounts, including those of past presidents and Elon Musk, resulted in attackers swindling $121,000 in Bitcoin through nearly 300 transactions. (CNBC)
In 2020, Marriott disclosed a security breach that impacted data of more than 5.2 million hotel guests. (Marriott)
A ransomware attack in early 2020 on the New Orleans city government cost the city upwards of $7 million. (SC Magazine)
In February 2020, a ransomware attack cost Denmark-based company ISS upwards of $50 million. (GlobeNewswire)
2. Increasing digitisation - The emergence of various technological innovations such as IoT, cloud and 5G has magnified connectivity within our modern world. We rely on these technologies along with the underlying data now more than ever.
3. Growing awareness for cloud-based cyber adoption - Relating somewhat back to point 1, many of the current large companies are not equipped for a serious cyber attack. In addition, according to Accenture’s 2021 report 50% of firms lack appropriate security management systems.
From looking at several different sources, I’m beginning to think the outlined total addressable market from Crowdstrike is looking rather conservative, with an estimate from GrandView Research of $167.13B in 2020 with an 8 year CAGR of 10.9% to become a $382.4B industry by 2028.
Additionally, Gartner estimates $150 Billion in 2021 with a 12.4% CAGR over the next 5 years - making it a $250B industry.
A combination of the above drivers has started to move the needle on more of a macro level - prompting both governments and enterprises alike to start thinking more seriously about their security infrastructure.
For example, earlier this year Joe Biden announced an executive order with the aim of improving the cybersecurity of the US which insisted on moving to Zero Trust architecture.
Examples like the above create significant monetization opportunities for cybersecurity providers, like Crowdstrike.
6.2. Growing to fill the TAM
It’s all well and good having a nice big TAM (total addressable market), however if there is no sign the company has any intention of growing into the TAM then it doesn’t mean much.
So, what do Crowdstrike have planned in order to expand into the broader TAM?
The most obvious solution to overcome the slowdown of organic growth (coming from the place of a healthy balance sheet) is to acquire companies that fit the brief.
It’s going to be a real question-mark as to whether they can move beyond their core competency successfully. Many businesses struggle. It takes extra resources and solving problems in a whole new area.
I believe Crowdstrike understands the need to acquire in order to grow. They have shown this over the past year with several acquisitions:
Preempt Security for $90M (Sept 2020) - real time access control and threat prevention
Humio for $400M (March 2021) - cloud-based data logging company
I would expect to see more of this over the coming years.
Other short-to-medium term growth strategies outlined in the annual report include:
Grow customer base by replacing legacy and other endpoint security products
Upselling/penetrating existing customers
Leveraging the Falcon platform to enter into new markets
Broadening into new customer segments
Extending the Falcon platform and Ecosystem
Broadening reach into the U.S. Federal Government Vertical
Expanding into new international territories
6.3. The Competition
Cybersecurity is a cutthroat business with a fast-changing technical environment.
Some key endpoint competitors include SentinelOne, VMware, Trend Micro, Fortinet and Carbon Black - just to name a few. They also compete with antivirus solution providers such as McAfee, Kaspersky, Microsoft, and others, as well as network security companies such as Palo Alto Networks and FireEye.
The above ‘Magic Quadrants’ graph from Gartner outlines the main competitive landscape within the Cybersecurity industry, focusing on ‘completeness of vision’ and ‘ability to execute’. From it, we can clearly see the velocity with which Crowdstrike has risen to be a market leader over the past few years in a still VERY crowded market.
Despite the fierce competition within the market, Crowdstrike have been eating up market share over the past couple of years. According to research, the company increased their market share by about 99% whilst the incumbent top 3 solutions’ share of the market decreased in 2018/19.
This is all in the context of being one of the more expensive solutions in the market alongside the majority of payments being up-front, which further goes to demonstrate the company’s pricing power.
CrowdStrike was the first to identify and handle the growing security demands of the cloud age, thus it benefited from a first-mover advantage. At the moment, it records 3 trillion endpoint-related events every week in real-time.
One thing you may notice from the above graphic is the closeness in competitive nature between Microsoft and Crowdstrike. At first glance it may seem like Crowdstrike could be up against stiff competition, however George Kurtz disagrees.
Speaking about Microsoft and the risk of having the same Operating System and Security System - “And, you know, there has been a lot of talk, again, at the audit committee around risk in a monoculture. And customers are becoming more and more uncomfortable with putting their eggs in one basket. So, you know, I think we have a great opportunity there.”
In relation to rate of growth - from a quick glance we can see that they must be doing something right. They are growing at orders of magnitude compared to their established competition. This is somewhat to be expected with growth companies compared to established competitors, but it is definitely something to look out for.
Lastly, a good sign of competitiveness within an industry is when rival CEOs mention your company as a threat. For example, Palo Alto Networks’ CEO mentioned Crowdstrike in a recent conference call - “Don't forget, in each of those areas, we are dealing with an extremely competitive situation. In the case of XDR, we deal with dedicated salespeople. And CrowdStrike, they outflank us 8:1 on the number of salespeople. So, we have to look hard at how much investment we want to make on the sales side. We do get leverage from the Palo Alto salespeople, eventually end up with hand to hand combat.”
6.4. Crowdstrike vs SentinelOne
As a relative beginner researching the space, it’s difficult to find many noteworthy differences between the two companies other than the obvious scale which likely means a higher quality of data and therefore a superior end-product for Crowdstrike.
Both operate within the same market with similar products, operating a similar cloud-based platform approach to security with similar architecture. It’s likely that SentinelOne are in a similar position to that of Crowdstrike when they IPO’d.
The question is, can SentinelOne stock follow a similar playbook to Crowdstrike considering the metrics (below) look similar?
That being said, Crowdstrike’s numbers look better in basically every way according to these graphs, and significantly better in a few. For example, FCF margin and operating margin are worrying signs for $S when you compare the two.
These initial numbers don’t look great for SentinelOne.
The thing is, in order to compete within this already crowded market, SentinelOne will need to invest heavily into growth activities which will further emphasise their margin issue. It will likely look (and currently does look) like the plan is to lower prices in order to attract more customers.
Quote from random Reddit user - “Both vendors were the top 2 that we POCed last summer. You really can't go wrong with either but CS right now has the most polish, and they are rocking the world. They have a new cloud security product just added, dark web monitoring, and a few more all in the same platform. You won't be disappointed how easy it is to use either. S1 might have a little more power if you are a scripter, but CS is just easier to use.”
Another quote (below) is from a question in the Crowdstrike earnings call asking about SentinelOne and market share.
“There's a lot of noise, but I think you have to look at the numbers that we put up on the board. And, you know, one quarter of our net new ARR is probably 94% of their total ARR. So, you know, when we think about this, it's a big market.”
The problem is, burning cash at such a rapid rate is obviously not a good place to be for any company. I can easily see the next several years looking hard for the stock as they will need to continue to push prices lower, diminishing their pricing power and needing to be financed externally.
I personally don’t see another way SentinelOne can compete with other leading cybersecurity companies. The market is ridiculously competitive which basically means losses are a certainty over the next 2-3 years at least.
Probably a good company, but I am holding off investing for the time being until I see they are moving in the right direction.
One thing I’m aiming to do a more comprehensive job of in these deep-dives is looking into management and really getting an idea as to my perception of them. This takes time and is a far more subjective process than the majority of a deep-dive.
As with many companies, the CEO is a crucial piece to the puzzle. In this case it’s especially true with Crowdstrike’s CEO and founder, George Kurtz.
To start, let's look at the Glassdoor ratings where we can see George Kurtz rates highly - with an approval score of 97%. In addition, 82% of the 215 reviewers would recommend to a friend.
These Glassdoor ratings are fairly complimentary, and there are enough submissions (215) for me to take it seriously.
One of the reasons I like to look at Glassdoor reviews is because (typically) people will be more inclined to leave reviews on a site due to negative experiences. Therefore, finding CEOs with exemplary scores tends to be a good indication of competent management & culture.
7.1. Hiring mentality
From my readings, George tries to foster a culture of strong work ethic in a fast-paced environment. This quote from a ‘foundation capital’ interview highlights the mentality of hunger and grit that he likes to see in his employees.
“When it comes to hiring a go-to-market team, George looks for someone with a combination of hunger, grit, and book smarts. His go-to question in an interview is “What drives you more, the will to win or the hatred to lose?” In his experience, it’s usually the people who hate to lose who are often the most driven. And while this drive is extremely important to success, it is equally as important that a hire is a team player and strong cultural fit. As George puts it, “you need to want to collectively win with the team.””
This obsession with hiring employees who are the ‘right fit’ for the company is almost certainly a large contributing factor to Crowdstrike’s success so far.
He even compares hiring to be as important as financials, which is a refreshing take.
“When it comes to hiring, a focus on finding the best is better than worrying about building fancy offices. I followed this formula when I founded CrowdStrike in 2011. This is why I've always focused on hiring individuals based on performance as opposed to location.”
7.2. Building a mission
George realizes the importance of everyone in the company being 100% focused on the mission. If there is no ‘north star’ as a reference point, it’s easy to get lost in a sea of uncertainty.
He explains that for CrowdStrike, he didn’t want a static mission statement but rather a culture where employees could be passionate about the work of stopping “bad guys.” He writes…
“When you have passion, mission and purpose, you have limitless boundaries that unlock immense value to you, your shareholders and most importantly, your customers.
My journey into entrepreneurship wasn’t exactly planned and it hasn’t always been easy, but my advice is simple: Education and evolution are critical, always hire the best, and remain steadfast in believing in the change you and your team can deliver.”
In addition, the ability to focus on long-term goals rather than short-term targets is something investors love to see. The founding story is a testament to this. Back in 2011 when cloud-based cybersecurity wasn’t talked about by anyone, George Kurtz saw what it could be and didn’t stop until it became a reality.
Naturally, initial customers were skeptical. However, persistence and small steady strides towards a long-term goal saw customers’ opinions dramatically change over time. Now Crowdstrike operates the security for 63 of the Fortune 100 companies, 234 of the Fortune 500 companies, and 14 of the top 20 banks.
7.3. Skin in the game
According to Gurufocus, George Kurtz owns almost 45% of the business.
Equally compelling is the sizable ownership stakes from upper-management and the board of directors. To me, this indicates a management team and board of directors with significant skin in the game.
7.4. Fierce competitive nature
Crowdstrike wouldn’t have gotten very far in this industry without keeping a close eye on the competition. This attitude tends to manifest in the management team, which compares Crowdstrike to the competition in almost every earnings call. A quick ‘Ctrl + F’ for ‘McAfee’ or ‘Microsoft’ usually brings up several results.
Here’s an example from the most recent earnings call.
“To further demonstrate my point, I'd like to share a recent customer win with a Fortune 500 company that was using Microsoft's legacy security products that failed to rise to the challenges of today's adversaries and ended up unnecessarily costing them millions of dollars.
This company experienced a long and difficult deployment process, particularly in low bandwidth environments where endpoint performance was critical. Notably frustrated, this company began to evaluate alternatives when it was unfortunately hit by ransomware that encrypted their primary and backup data, causing weeks of business disruption and a financial impact estimated to be in the tens to hundreds of millions of dollars. This is when they turned to CrowdStrike.”
And another example…
“But there's a lot of companies out there, big and small, and we still think we've got a lot of runway and still continue the migration of share from Symantec and McAfee to CrowdStrike.”
Adding to this, Crowdstrike have set up a page on their website outlining 10 reasons why Crowdstrike is a better product than SentinelOne. Here’s an example.
SentinelOne do exactly the same on their site.
It seems petty from both companies, but goes to highlight the competitive nature of the industry in which they both operate.
It’s still relatively early days for SentinelOne, and pretty much day 1 in their life as a public company - so there is still a long way to go. I could easily see $S being a serious competitor to Crowdstrike in the coming 5 years if they execute well.
George Kurtz is the company's founder and CEO. He was CTO of McAfee before starting CrowdStrike. His history in the industry is rich, having published a well-renowned book on Cybersecurity called ‘Hacking Exposed’ and starting a company called Foundstone which was bought by McAfee in 2004.
In February 2020, Michael Sentonas was appointed CTO of Crowdstrike. He was formerly the company's Vice President of Technology Strategy. Prior to joining CrowdStrike, he served as McAfee's Chief Technology Officer – Security Connected and Chief Technology and Strategy Officer.
Lastly, Colin Black joined the business in 2015 and worked his way to become COO in 2017. Before joining CrowdStrike, he was CIO of Kratos Defense and Security Solutions, Inc. and Cymer & Mindspeed Technologies, Inc.
1. Sector tailwinds - Cloud as an industry is growing rapidly - with key drivers being secular tailwinds such as digital transformation and an increase in security breaches.
This has led to two things happening - an increase in the number of cloud-native applications available due to better efficiency and scalability, and the diminishing effectiveness of legacy antivirus companies compared to next gen companies like Crowdstrike.
2. Durable economic moat - Manifesting in three main ways: a superior product, first-mover advantage and an overall sticky platform.
- Superior product:
Efficiency - cloud-based, integrated platform meets enterprise demand for efficient consolidation of security solutions. Based on Gartner’s recent market report, most enterprises now own more than 75 security solutions, with almost half of them indicating a desire to consolidate security vendors in the next 2-3 years
Strong endpoint performance - Falcon automatically organises data that is stored locally or streamed onto the Threat Graph, hence lessening the burden on client endpoints, compared to rivals whose on-premise approach means that clients can only manually clear data from endpoints through queries.
Diversification - modular-based architecture where additional solutions can be seamlessly added, enables greater personalisation to cater to diverse needs of enterprises. This makes it easy for CRWD to acquire customers of any size and expand across verticals, geographies and technical sophistication.
- First mover advantage:
Timing looks to be key in this market. Due to the relatively early start Crowdstrike had against many of their competitors, the company have been able to utilise the flywheel effect of having more data to feed into the AI system.
This means that, because of the first mover advantage, Crowdstrike are way ahead of the rest of the pack.
- Sticky platform:
Similar to above, as customers continue to grow the product only improves.
The modular nature of the platform allows easy onboarding and easy upselling. Over time this leads to increased switching costs for the end user.
It's a scalable solution that gains with the network effect and copying that network effect in an instant is very difficult.
4. Constant innovation
I could talk about this point for days, but constant innovation is crucial if the aim is to remain a market leader.
This point especially applies to the cybersecurity industry where the core business model is keeping up with (or being one step ahead of) attackers. The attackers are constantly finding new innovative ways to get around Crowdstrike’s system.
Part of the strategy to be on top of the changes within the industry is to make strategic acquisitions.
Preempt (Sept 2020) - Keeping up with the need for better protection against identity security threats.
Humio (Mar 2021) - Enhancing the detection platform.
5. High Margin model - The simple strategy of ‘land and expand’, i.e. gaining an initial subscription customer with the goal of upselling modules at a much higher margin in the future, is likely to be effective. This will continue to drive the Average Revenue Per User (ARPU).
1. Will the moat be there in 5 years time?
One way to measure the likelihood of a durable moat in any particular industry is to look at the number of new entrants in the last decade. Industries consisting of companies with strong moats tend to only have several main players or have consolidated to several main players.
E.g. the CPU/GPU market consolidated to NVIDIA, AMD and Intel with almost no new entrants over the past decade. This indicates a strong moat.
If we then look at the TV/Film industry which is rapidly changing and evolving, there have been lots of new entrants - showing that it’s not hard to knock the market leader off the top spot (i.e. weak moat).
Cybersecurity is more similar to the entertainment industry than the CPU/GPU industry in this regard. There were countless past leaders over the last decade - e.g. Symantec, McAfee and Palo Alto Networks. None lasted.
Because of this, it’s looking likely that within the next 5-10 years we might see a new leader. Time will tell.
2. Unprofitable on GAAP basis
CrowdStrike's top-line growth is amazing, but the company is still unprofitable under GAAP. Its net loss increased in fiscal 2020, decreased in fiscal 2021, then almost tripled year over year to $142.4 million in the first half of 2022. This growing deficit may be ascribed to the firm's recent acquisition of Humio, a cloud-based data logging company, its high stock-based compensation expenditures (which devoured 20% of its sales in the first half of the year), and escalating R&D and marketing expenses.
3. Share dilution
CrowdStrike's reliance on stock incentives has increased the number of outstanding shares since its IPO, and continuous dilution may keep its values from dropping. On the other hand, their non-GAAP earnings continue to improve. The company reached non-GAAP profitability in FY2021 and aims to raise non-GAAP net income by 64 percent to 86 percent this year.
4. Stiff competition
The cybersecurity industry is crowded in nature with a host of well established, well funded legacy companies which could limit the growth potential for a company like Crowdstrike, even with their strong value proposition.
To counter this point, beyond their main market in the US, CRWD has steadily expanded into differing industries and geographies, all of which increase the potential TAM. For example, in April’s FY21 analyst call, management estimated the Total Addressable Market (TAM) to be $43.6 B in FY23.
5. If Falcon platform is breached, it could be catastrophic
Crowdstrike take a lot of pride in their Falcon platform, having built up a level of trust and relationship with some of the world’s top companies. If they were to experience any sort of breach, this would put their whole system under question.
6. Looked at in detail by many analysts
Not necessarily a bad thing, but due to the company’s recent success they have caught the attention of most analysts. This leads to major sensitivity in share price if they don’t meet/exceed expectations almost every quarter.
Before we get into the meat of the financials, let’s take a look at a few key metrics which give a good indication of performance. Bear in mind, most of these metrics are from the investor presentation and quarterly earnings call - so possibly cherry-picked by the company.
Subscription growth has increased dramatically over the past year, with Q2 2022 seeing an 81% increase Y/Y. And between 2020 and 2021 subscribers grew 82% from 5,431 to 9,896. Crowdstrike is well and truly in hyper-growth mode, having added a record 1,660 new subscription customers in the last quarter.
ARR (Annual Recurring Revenue) is increasing rapidly. Current ARR sits at $1.34 billion, having added a record $151 million in the last quarter. This is an increase of 70% y/y.
Both of these metrics go to illustrate the speed at which Crowdstrike is growing as a company. But not only that, it demonstrates that Crowdstrike is attracting the right type of customer, i.e. having 63 of the Fortune 100 companies as customers is a big deal - and ‘validates’ the service to the remaining 37. Similarly, for 14 of the top 20 banks to use Crowdstrike goes to show how effective the product really is.
Strong gross margins. A key aspect to the business model is the constant addition and upselling of modules to existing customers. The theory behind this strategy is that for every module added to that one customer, the unit gross margin increases dramatically. The below graph implies Crowdstrike have been successful in this endeavour over the past 4 years, with gross margin rising from 36% in FY17 to 76% in FY21.
Another statistic backing up the above graph as well as emphasizing the product’s stickiness, is the chart below. It shows that more and more customers are using more and more modules. 66% using 4 or more, 53% using 5 or more and 29% using 6 or more are impressive numbers.
Operating leverage is at an inflection point. What is operating leverage? Operating leverage, put simply, is the comparison between total revenue and the core operating costs which can’t be avoided if the company wants to grow (Sales & Marketing, Research & Development and General & Administrative). We essentially want these costs to be as small a percentage of total revenue as possible. The aim is to get operating leverage to a point where we can generate positive operating margin (see chart below).
Now we have some of the key metrics out of the way, let’s get into the other financial highlights.
10.1. Income statement
The past 3-4 years have seen Crowdstrike grow in many different ways. One look at the income statement (below) will give you a good idea how well the company has come on in such a short period of time.
Revenues have been growing at an average rate of 102% over the past 4-5 years.
Gross margins have increased from 35% to 73%
Operating margins have improved from -171% to -10.2%
FCF has been positive the past two years, with 2021 seeing massive growth to $292M
For growth companies, I like to look at revenues as a proxy for the company’s success. Basically, if more people are willing to pay more money every year then the company are achieving some sort of product-market-fit. Crowdstrike are obviously achieving this from looking at the table above.
Taking a look at the revenue mix we can see that since 2017 the subscription revenue as a percentage of overall revenue has increased dramatically from 71% to 92%. This fact is good news for Crowdstrike as the subscription revenue is the substantially higher margin business.
10.2. Free cash flow
Free cash flow is separate from revenues in that it only accounts for ‘cash’.
“Free cash flow is the money left over after a company has met its operating and capital expenditure requirements and it can be the best way to differentiate between a good investment and a bad one.”
The reason it is important to investors is because it goes a long way to show how much actual cash the company has at their disposal. And as we know, cash is king.
Ideally we want to be seeing cash flows from operations (money coming in from business day-to-day operations) rise significantly over time. We also want to see cash flows from financing (issuing shares etc.) and cash flows from investing (sale of investments etc.) remain relatively stable.
Crowdstrike look like they are moving more-or-less in the right direction with cash flows from operating activities increasing steadily over time.
Adding to this, as seen in the income statement section, the free cash flow margins are up to 33.4%. The cash position is looking strong.
10.3. Balance sheet
In addition to the above strong-looking financials, Crowdstrike also seem to have a healthy balance sheet with one of the drivers being the very successful $6.7B IPO in 2019.
The company previously had no long-term debt until 2021 when it spiked at $738M in order to contribute towards the $400M acquisition of Humio earlier this year. Despite this, the balance sheet remains strong with a current ratio (current assets/current liabilities) of 1.98.
10.4. Target operating model
Crowdstrike’s management have laid out their ideal future operating model. It’s useful to track in order to benchmark the quarters/years to see if the company are moving in the right direction.
By these benchmarks Crowdstrike are looking fairly successful. They are pretty much meeting the gross margin, R&D, G&A and FCF margins. Not bad if this is the long-term goal.
These numbers are malleable and likely to change over time.
Crowdstrike has been on somewhat of a run since its initial offering in June 2019, being up over X%. If you had placed $10,000 in Crowdstrike on its IPO date, you would currently have upwards of $42,000. This increase somewhat reflects the stock’s relative performance over the time period - beating estimate after estimate.
Now, when we use multiples to compare between businesses - Crowdstrike, along with almost every other growth company ever, looks expensive. This is mainly due to the nature and popularity of the SaaS business models (i.e. high margins w/ recurring revenues). It’s desirable and highly profitable.
If we look at a collection of top SaaS companies, we can see that Crowdstrike is up there with some high-quality businesses. A hefty price, regardless.
And looking at EV/FCF and EV/Gross profit basis, the company begins to look more reasonable.
Next, if we cast our minds back to earlier in the deep-dive where I mentioned that Crowdstrike is comparing themselves to a small handful of cloud-native services, let’s take a look at the relative valuation. At first glance there is an obvious gap in multiples; this is mainly due to the stage of growth these companies are currently in. CRWD is in their hypergrowth stage. I would class the others as mature-growth.
Basically CRWD will look expensive at these levels. However, the key difference is the stage of growth these companies are in. Crowdstrike is in hypergrowth mode. 50-60% rev growth compared to 15-20% rev growth for the industry standard companies.
12. Final thoughts
All things considered, I have come away from this deep-dive really liking Crowdstrike as a business. Their subscription business and overall strategy has the potential to be highly profitable over the coming years.
Taking into account the imminent and very real threat of the other strong players within the industry like Microsoft and SentinelOne, Crowdstrike have proven a durable moat which should see them cement their first-mover-advantage.
Strong management/culture, powerful industry tailwinds, an astute strategy for growth and consistent innovation all work in Crowdstrike’s favor - offering significant potential for future success.
Valuation can’t be ignored in this situation - and as much as I think there is potential for real upside, the risk of significant downside is also there.
Therefore, my approach to investing into the Cybersecurity industry is to take a broad basket approach for the time being - either taking small stakes in the main players, or following an ETF such as $CIBR, $BUG, $IHAK or $HACK.