This deep-dive was published on Dec 2021 for Steady Compounding Insider Stocks members.
At Steady Compounding Insider Stocks, I cover a wide range of Steady Compounders that can help grow our wealth sustainably over the long run.
Enjoy the deep-dive below.
George Kurtz, CEO and co-founder of Crowdstrike, who was previously the CTO of McAfee in the late 2000s, was on a plane and was embarrassed when he saw a fellow passenger wait for 15 minutes as McAfee scanned the laptop for viruses. George thought this was unacceptable and that there had to be a better way to protect our laptops or network.
He set out on a mission to develop a better cybersecurity product and Crowdstrike was born in 2011.
There’re many things to love about Crowdstrike: it has all of the best characteristics one could ask for in a SaaS company. It’s easy to install, has a short time to value and sales cycle, is mission-critical, has plenty of reputable customers and a strong network effect, is loved by its customers, is gushing with free cash flow, and still has a long growth runway!
Not kidding when I say they’re truly one of a kind for a SaaS company.
But before that, let me remind you of how troublesome traditional antivirus software is:

The Problem With Traditional Antivirus Software
Using traditional antivirus software such as Symantec, Norton or McAfee is like driving with the handbrake on. These products are notorious for slowing down computers.
There’re two main types of scans that occur with traditional antivirus software: (1) antivirus scans, and (2) antimalware scans.
Antivirus scans focus on garden-variety threats like viruses, worms, trojans, and keyloggers. They run continuously in the background, sapping precious processing power and slowing down your work.
Then we have the antimalware scans, which require a deeper scan that could take hours to identify suspicious software that isn’t as obvious as our garden-variety threats. Malware hijacks access to sensitive information for sabotage or espionage. Hunting for it further drains our CPU and slows down our productivity.
This is disastrous for entry-level computers, which is what most office computers typically are, because it causes the computer’s performance to drop significantly.
Furthermore, legacy providers’ agents were designed to be single-purpose, so they often deploy multiple agents to the endpoint as they layer additional point product capabilities on top of their initial offering. This approach burdens endpoints by consuming additional storage space, memory, and processor capability, degrading the end-user experience.
But it’s more than just reducing the amount of processing power soaked up by antivirus software—legacy players are unable to keep up with the sharp increase in ransomware.
Increasing Ransomware Attacks
The rise of cryptocurrencies led to an increase in ransomware attacks. For example, “big game hunting” involves months of staking out a company’s IT system before installing malware that encrypts the company’s system en masse. The hackers would then demand payments in cryptocurrency to “release” the company’s system.
Here is a list (non-exhaustive) of the largest hacks of 2021:
- Kia Motors – Hacked with Ransomware – Demand ~$20m
- CD Projekt – Hacked with Ransomware – Refused to pay the ransom – Financial damage due to workers’ inability to access internal documents and resources: High
- AXA – Hacked with Ransomware (after it stopped reimbursing clients for ransomware attacks) – 3 TB of data stolen
- JBS Foods – Hacked with Ransomware – Hacker group REvil – JBS paid $11m in Bitcoin – Largest paid ransom to that date. Shutdown damage not included.
It is clear that legacy players are no longer sufficient to protect their users against today’s environment.
Let me explain why.
Legacy antivirus solutions could only protect a system against malware attacks that have been previously identified as malicious and stored in a database—this is reactive in nature—and it has been rendered ineffective.
By 2007, there were more than 5.5 million malware samples identified and by 2013, more than 400 thousand malware samples were reported daily.
It was clear that the legacy antivirus providers’ databases could not be updated at the rate of new malware being created.
You could sense the despair over the state of cybersecurity by reading Gartner’s report on End Point Protection in 2016: “When 44% of reference customers for EPP solutions have been successfully compromised, it is clear that the industry is failing in its primary goal: blocking malicious infections…Presumably, protecting 60% of customers has somehow become the industry benchmark for success.”
Detecting such attacks requires AI-powered tools. These tools learn what’s normal for each unique user and device and use that information to detect subtle signs of unusual activity indicating potential cyberattacks—this is proactive in nature—and this will be the future of cybersecurity.
And this is exactly what George Kurtz set out to provide with Crowdstrike.
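The contrast drawn above, as an added example (not from the original article and not Crowdstrike's code): an exact-hash signature lookup misses a file it has never seen, while a per-device baseline of process launches flags activity that is unusual for that particular device. The host names, byte strings, process pairs and thresholds are constructed assumptions.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed byte strings standing in for file contents (not real samples).
KNOWN_SAMPLE = b"constructed-sample-build-1"
NEW_VARIANT = b"constructed-sample-build-2"  # not yet in any database

# Reactive model: hashes of files already identified as malicious.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(file_bytes: bytes) -> bool:
    """True only if this exact file is already in the signature database."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB


class ProcessBaseline:
    """Per-host record of which child processes each parent normally starts."""

    def __init__(self, min_observations: int = 20, rare_below: float = 0.02):
        self.min_observations = min_observations  # history needed before judging
        self.rare_below = rare_below              # share below which a launch is unusual
        self._children = defaultdict(Counter)     # (host, parent) -> child counts

    def learn(self, host: str, parent: str, child: str) -> None:
        self._children[(host, parent)][child] += 1

    def frequency(self, host: str, parent: str, child: str):
        """Share of this parent's launches on this host that were `child`.

        Returns None when the host has too little history for this parent,
        so a brand-new device is not flagged for everything it does.
        """
        seen = self._children.get((host, parent))
        total = sum(seen.values()) if seen else 0
        if total < self.min_observations:
            return None
        return seen[child] / total

    def is_unusual(self, host: str, parent: str, child: str) -> bool:
        freq = self.frequency(host, parent, child)
        return freq is not None and freq < self.rare_below


def build_baseline() -> ProcessBaseline:
    """Learn from constructed process-launch history for two devices."""
    baseline = ProcessBaseline()
    history = (
        [("ws-042", "explorer.exe", "winword.exe")] * 25
        + [("ws-042", "winword.exe", "splwow64.exe")] * 30
        + [("admin-007", "explorer.exe", "powershell.exe")] * 40
        + [("admin-007", "explorer.exe", "mmc.exe")] * 10
    )
    for host, parent, child in history:
        baseline.learn(host, parent, child)
    return baseline


if __name__ == "__main__":
    print("known sample matched:", signature_match(KNOWN_SAMPLE))
    print("new variant matched: ", signature_match(NEW_VARIANT))
    b = build_baseline()
    # The same tool is routine on an admin machine and unusual when a
    # word processor starts it on an office workstation.
    print("ws-042 winword -> powershell unusual:",
          b.is_unusual("ws-042", "winword.exe", "powershell.exe"))
    print("admin-007 explorer -> powershell unusual:",
          b.is_unusual("admin-007", "explorer.exe", "powershell.exe"))
```
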
Time to Value
Legacy on-premise security solutions also lag behind when it comes to time to value, with an average deployment taking three months. This timeframe is necessary because legacy AV often relies on hardware to be installed at the physical premises. Moreover, once installed, most legacy solutions require quite a bit of tuning and configuration for them to be fully functional.
Here is what the CEO mentioned in a 2019 conference call:
“During the sales process, this customer deployed Falcon on over 15,000 endpoints over a weekend, where it had taken one of the incumbent vendors one year to reach a similar level. After seeing how quick and easy it was deploying scale with [Phonetic] the Falcon platform across their environment, they increased the scope of the deployments to include servers, significantly increasing the overall deployment to well over 100,000 endpoints and workloads.
The CISO at this new CrowdStrike customer estimated that by replacing the software, hardware and labor costs associated with these other vendors, they will attain a compelling ROI in less than eight months.”
Deploying a true cloud-native NGAV solution, however, is nowhere near as cumbersome and can take just a few hours to fully implement. Because NGAV is based in the cloud, there is no additional hardware or software to procure, no infrastructure to deploy, no need to architect a new solution, and the pain of ongoing maintenance and signature updates is eliminated.
Moreover, once a customer deploys Crowdstrike’s lightweight agent on their endpoints, Crowdstrike can activate additional cloud modules in real-time.
What Does Crowdstrike Falcon Do?
Crowdstrike started out as a disrupter in endpoint security. It is the first cloud-native SaaS endpoint security platform.
Falcon is the CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more.
Today’s sophisticated attackers are going “beyond malware” to breach organizations, increasingly relying on exploits, zero days, and hard-to-detect methods such as credential theft and tools that are already part of the victim’s environment or operating system, such as PowerShell.
CrowdStrike Falcon responds to those challenges with a powerful yet lightweight solution that unifies next-generation antivirus (NGAV), endpoint detection and response (EDR), cyber threat intelligence, managed threat hunting capabilities and security hygiene, all contained in a tiny, single, lightweight sensor that is cloud-managed and delivered.
In other words, it protects desktops, laptops, smartphones, and more from being hacked. In the future, this could mean our autonomous vehicles (i.e. self-driving cars) and more.
Any device that connects to the corporate network from outside its firewall would require endpoint security protection. And this trend has been accelerated by the work from home (WFH) phenomenon, or rather, work from anywhere. Employees are bringing their computers and devices with tons of sensitive information to work at home, co-working spaces or cafés.
With its strong R&D team and visionary CEO, it has expanded into a business with multiple products—spanning from cloud security to identity security and more.
Crowdstrike IPOed in June 2019 with only 10 security modules and has expanded its offerings to 19 modules. The company plans to keep integrating new modules into its Falcon platform organically or through acquisitions (e.g. Humio acquisition).
Of these modules, Prevent (next-generation anti-virus), Discover (IT Hygiene), OverWatch (managed threat hunting), and Insight (endpoint detection and response) are the most installed amongst Crowdstrike’s ~10,000 subscriber base. These four modules grew at a similar rate last year compared to the overall customer base.
There are three modules that management identified as “hypergrowth” modules: Falcon Complete (managed detection and response), Falcon X (threat intelligence), and Falcon Spotlight (vulnerability management).
To know more about these 7 products, read my thread here.
A Disrupter in Cybersecurity
Crowdstrike Security Cloud consists of three parts: (1) cloud-native modules, (2) a lightweight intelligent agent and (3) a sophisticated database called the “Threat Graph”.
Crowdstrike is the first native cloud security solution to enter the market in 2011. The company launched its cloud-native endpoint security platform: Falcon.
Being cloud-native significantly reduced its time to value (TTV). For the legacy players, it takes weeks to months to fully deploy their cybersecurity solutions. Crowdstrike is able to do so within a few hours without affecting its users’ productivity, with no chunky downloads, long installation process or endless restarting of devices.
Because it’s cloud-native, Falcon is able to develop two other characteristics that stand out from its competitors: a lightweight agent, and a threat graph.
The lightweight agent (approximately 35 MB) is a software program that is installed on any device connected to the internet for local detection & prevention capabilities. It collects and streams high-fidelity data to the Falcon platform for real-time decision-making.
These cybersecurity data will be fed to the Threat Graph, which processes, correlates, and analyzes the data in the cloud using AI and behavioral pattern-matching techniques. Since the threat graph looks for correlation across all its users, it can detect threats and stop security breaches at a scale that on-prem legacy security solutions are unable to match.
There’s a network effect at play here—with the increasing number of customers, more devices are connected to this network, which translates to more data fed into the threat graph. Hence, this increases the capabilities of Crowdstrike to stop hackers vis-à-vis its competitors.
For example, a company in California gets attacked by a new virus. Once Crowdstrike picks up the pattern, all its customers worldwide will immediately be protected against this virus.
The dashboard (i.e. processing) is on Crowdstrike’s site to minimize load on your device. Unlike legacy antivirus software, which lags your computer significantly as it takes up processing power, Crowdstrike omits filesystem scanning entirely and instead focuses on monitoring system activity.
Who Are Their Customers?
Crowdstrike has gained the trust of the largest companies and banks. This vote of confidence will trickle over to other large companies and small businesses.
According to Robert Cialdini, author of Influence, “The principle of social proof says so: The greater the number of people who find any idea correct, the more the idea will be correct…We will use the actions of others to decide on proper behavior for ourselves, especially when we view those others as similar to ourselves…When we are uncertain, we are willing to place an enormous amount of trust in the collective knowledge of the crowd…First, we seem to assume that if a lot of people are doing the same thing, they must know something we don’t…Social proof is most powerful for those who feel unfamiliar or unsure in a specific situation and who, consequently, must look outside themselves for evidence of how best to behave there… Since 95 percent of the people are imitators and only 5 percent initiators, people are persuaded more by the actions of others than by any proof we can offer.”
When you think of the management of most non-tech companies, they’re seldom the most tech-savvy people; they are usually promoted to the C-suite because they’re good at selling or product design. Social proof becomes an important selling advantage because of how niche and complex cybersecurity is.
Decision-makers are more likely to make purchase decisions based on this mental heuristic and take comfort that the largest companies in America have already done their homework before deciding that Crowdstrike is the best cybersecurity software.
Undisputed Leader in Cybersecurity
Looking at Gartner and IDC’s data, it is clear that Crowdstrike is the leader in endpoint security. The interesting thing is that, aside from SentinelOne, other competitors in the leader quadrant are all legacy-type companies. Crowdstrike, by starting with a cloud-based architecture, has a significant advantage.
Similarly, IDC MarketScape research put Crowdstrike as the leader in endpoint security.
Herein lies the company’s biggest risk—an industry where a company can climb to the top in less than a decade is highly dynamic. As investors, we will have to closely monitor the developments in this industry. In other words, Crowdstrike is not a buy-and-forget investment.
Crowdstrike’s Success Factors
There’re a few factors at play that contributed to Crowdstrike’s success.
Firstly, Crowdstrike has a timely and excellent grasp of its users’ needs. Being cloud-native allowed Crowdstrike to collect cybersecurity data on its users and develop new solutions for them in a cost-efficient manner. Furthermore, management is customer-obsessed. For example, George Kurtz undertook a 100-day campaign with Mike Carpenter, president for global sales and field operations, to meet with their current and prospective customers.
Here is what George has to share, “After completing our second “100 in 100” customer tour during which I met with 100 customers and prospects in 100 days, I heard unequivocally that organizations are looking for a modern, identity- and workloads-centric Zero Trust security strategy to lay the foundation for their security transformation. What I heard was that the traditional firewall was disappearing and that what mattered to customers was Endpoint and Identity.”
With a good overview of customers’ needs, Crowdstrike is able to implement targeted product development. We see evidence of efficient R&D expenditure being played out here, with R&D as a percentage of revenue sharply declining over the years.
Secondly, George Kurtz designed the product for scalability from day one. Once Crowdstrike’s lightweight agent is installed, customers are able to add on modules as needed seamlessly. The new modules sold are almost pure profit, as Crowdstrike does not need to incur additional outreach investments or installation costs.
Hence, we can observe that gross margins more than doubled, from 36% in 2017 to 74% in 2021. Likewise, we see sales and marketing (S&M) expense as a percentage of revenue declining from 102% in 2016 to 46% in 2021.
With a firm grasp of its customers’ needs from data and on-the-ground insights, coupled with a product that was built to scale from day one, Crowdstrike has been a beast with the land-and-expand strategy. We can observe that its dollar-based retention rates have been hovering above 120%, which means that existing customers are spending 120% more than the previous year.
Gross retention is also consistently high at over 97%, which means that there’s less than 3% churn. A low churn rate leads to a higher customer lifetime value (LTV).
In the recent earnings call, Crowdstrike’s CFO highlighted that more and more customers are adopting multiple modules upon sign-up because of the ease of deployment and the rationalization of the total cost of ownership. Crowdstrike’s cloud-based platform eliminates customers’ need for initial or ongoing purchases of hardware and does not require manpower to configure, implement or integrate disparate point products.
In terms of pricing, the Falcon platform has four product offerings: Falcon Pro, Falcon Enterprise, Falcon Premium, and Falcon Complete. In their earnings call, management explained that they have found success in securing both big enterprises and smaller accounts.
To quote the management, “some of the legacy vendors in this space had hundreds of thousands of enterprise customers. The key to our rapidly expanding customer base is that we are winning customers of all sizes. From a one-person shop all the way to the largest companies in the world, we can sell into any vertical, geography or any level of technical sophistication. Essentially, we can sell to almost anyone.”
The number of customers has grown from 447 in 2017 to 13,080 in Q2 2021, at a CAGR of 112%.
And having a subscription business model meant that the recurring revenue is growing beautifully.
Professional Services
On top of its subscription model, Crowdstrike also has a non-recurring Professional Services segment. This includes incident response and forensic investigatory services, technical assessment and strategic advisory.
Basically, companies call on Crowdstrike’s Professional Services when trouble hits the roof, i.e. their security got breached.
Even though Professional Services commands a lower gross margin of 34% versus Subscription’s 77%, it is a great customer acquisition tool. This is similar to Twilio’s SMS API services, which command a low 48% gross margin but lead to other use cases such as the SendGrid Email API, which commands over 80% gross margins.
In moments of a security compromise, Crowdstrike’s incident response services begin by deploying their lightweight agent to a customer’s endpoints and performing remediation thereafter. After resolving the breach, the companies are likely to switch over and use Crowdstrike as a trusted endpoint security vendor.
Here is what they have to say in their 10-K: “In addition to providing valuable breach remediation to our customers, our incident response services also act as a strong lead generation engine for our Falcon platform and cloud modules. After experiencing the benefits of our platform firsthand, many of our incident response customers become subscription customers.”
We can see that over time, the revenue mix has been leaning towards recurring subscription revenue, suggesting that Crowdstrike has been converting customers who needed them for professional services into subscribers.
Growth Opportunities
Based on IDC and Crowdstrike’s estimates (mostly IDC’s estimates), the total addressable market (TAM) is $36B in 2021, $44B by 2023 and $106B by 2025. While most of its growth is coming from endpoint security and the US markets, the second and third growth engines will be coming from cloud workload protection (CWP) and international markets.
Endpoint Security
Let’s go over endpoint security first. Crowdstrike currently has about 13,000 customers while the legacy players have hundreds of thousands of customers. The legacy players will continue to donate market share as and when their contracts come due (security contracts are typically 1 to 3 years). And then there are Microsoft customers, whose confidence has been shaken by the recent Microsoft Exchange Server hack and zero-day exploits such as the Microsoft PrintNightmare vulnerability. The market remains huge for endpoint security as Crowdstrike continues to grab market share from big share donors.
Cloud Workload Protection
Next on CWP, we see a megatrend of companies migrating onto the public cloud services for its cost-efficiency, agility and breadth of functionality. When it comes to cloud security, it follows a shared responsibility model—the cloud service provider (e.g. AWS or Azure) is in charge of the cloud’s underlying infrastructure and end-users are responsible for protecting their own data and assets stored on the cloud.
The benefit of cloud computing is also its main drawback: Users can access cloud environments from anywhere with an internet connection — but so can cybercriminals and adversaries.
The Crowdstrike Falcon platform was built in the cloud for the cloud. With the continued migration towards cloud, Crowdstrike is in a good position to capture this opportunity.
Lastly, IDC highlighted that current cloud security spend is 1% and it should trend upwards towards 5 to 10% as more of their workload migrates onto the cloud.
Crowdstrike as a Cybersecurity Platform?
Here is the thing: there’re many aspects to cybersecurity and Crowdstrike doesn’t provide everything, especially when there are other players out there who could do it much better.
Instead, Crowdstrike brings in partners such as Zscaler and Okta using APIs to provide a comprehensive suite of solutions. The beauty of it is that all these are seamless because clients would not want to have to deal with multiple parties.
A brief overview of how they work together using a medieval example (this example was shared by Jonathan Ang):
Crowdstrike is like the moat, protecting the castle within. In other words, Crowdstrike is focused on protecting the device or system (endpoint).
Zscaler is focused on protecting the messenger who delivers messages from castle A to castle B. In other words, Zscaler is focused on protecting the outgoing and incoming traffic, or the network.
Okta is the security guard who verifies anyone who tries to enter the castle. That’s not all: it’ll verify you at every single room you try to enter. In other words, Okta is focused on identity access management, ensuring that the user accessing the system is authenticated.
Risks
Firstly, the endpoint security landscape is a rapidly evolving one and we can see that legacy players (Symantec, McAfee, etc) who failed to keep up have been donating market share heavily to next-generation companies (Crowdstrike & SentinelOne) and Microsoft.
According to the table in the Gartner report, legacy companies “donated” 33% market share to Microsoft and next-generation players.
Crowdstrike will have to continuously innovate and keep up with the latest cybersecurity trends to maintain its dominance or it will suffer the same fate as the legacy players.
Secondly, competition is intense. SentinelOne is a close competitor that has just IPOed; its products are similar to Crowdstrike’s and are offered at a lower price point. Currently, Crowdstrike has the first-mover advantage, which has allowed it to land numerous reputable customers and build a stronger AI thanks to the network effect.
SentinelOne will have a lot of work to do to close the gap on Crowdstrike’s marketing and distribution capabilities.
Based on the market share data, Microsoft emerged as a powerhouse out of nowhere in 2018. It shows Microsoft’s distribution strength over enterprise customers. They are one of the best at land-and-expand: after getting customers to buy Microsoft 365, they’ll start selling a suite of other products.
And who’ll ever get fired for choosing Microsoft as its vendor for something as mission-critical as cybersecurity?
However, with the recent Microsoft Exchange hack, there have been a lot of doubts about how strong their security offerings are. And with something as mission-critical as cybersecurity, it pays to go with the best in class.
Thirdly, there is the risk of the Crowdstrike Falcon platform getting breached. Hackers are working in the dark while Crowdstrike is out in the light, and they’re locked in an arms race to outmaneuver each other.
Valuation
A lot of good news has been baked into Crowdstrike’s valuation. If we assume that sales will grow at 60% and decelerate at 10% each year, with a net margin of 30%, buying at today’s price will provide us with measly returns of 5.56%.

Although Crowdstrike has been aggressive and effective at rolling out new products and at selling them, I don’t consider the risk-reward to be favorable at today’s price.
Conclusion
Crowdstrike has been an absolute beast of a company, and they execute well on all metrics: revenue growth, improving operating margins, free cash flow, a fast time-to-value, low churn rate and a high dollar-based retention rate. Also, with the threat graph, its AI becomes stronger with time and its distribution prowess makes it tough for new entrants to compete.
However, Crowdstrike is in a fast-changing industry and there’s plenty of venture capital money sloshing around in this field. Crowdstrike will have to keep innovating and stay one step ahead of the competition and hackers.
Disclaimer: This research report constitutes the author’s personal views only and is for educational purposes only. It is not to be construed as financial advice in any shape or form. From time to time, the author may hold positions in the below-mentioned stocks consistent with the views and opinions expressed in this article. Disclosure – I hold a position in Crowdstrike at the time of publishing this article (this is a disclosure and NOT A RECOMMENDATION).
So…you buying?
lol
Hey buddy! I’m holding on to them for now because I avoid trimming winners and the company is executing along nicely. But if I didn’t have a position I would wait for a better entry price.
CRWD’s long-term target operating margin is 20%-22% and their target for FCF margin is 30%+. FCF LTM was 33.4%. Their FCF has been growing at an insane rate (from a low base) and hence that could be the reason the market is willing to pay a huge premium on it. The market is placing a high premium that CRWD’s growth is durable.
Yeah you are absolutely right.
The market is pricing in high durable growth for CRWD even after the recent pullback.
Market share price is overheated now. Do you think Zscaler is still a good entry?
I wouldn’t buy at today’s valuation.