We believe CrowdStrike (CRWD) has re-established growth momentum while still working through the financial and reputational overhang of the July 19, 2024 global outage. The company recently delivered net new ARR reacceleration ahead of expectations, showcased strong platform expansion across cloud, identity, and Next-Gen SIEM, and leaned on Falcon Flex as a durable consolidation lever. In our view, the near-term debate centers not only on churn or Flex conversion but more on net new ARR performance, valuation skepticism, and whether identity and SIEM can offset a maturing core endpoint business while fending off intensifying competition. The mainspring of CrowdStrike’s success remains relentless product innovation, increasingly defined by its platform. We believe its unified platform and AI-driven threat defense at scale underpin the company’s premium valuation through customer consolidation, stickiness, and durable ARR growth.
In this Breaking analysis and ahead of Fal.Con 2025, we update you on CrowdStrike in the context of the cybersecurity industry. We’ll share some financial metrics with key competitors, look at how customer spending patterns have changed since last summer and identify key items to watch for at this year’s event.
CrowdStrike Continues to Outperform its Peers
Let’s start with a look at the performance of cyber stocks relative to the tech-heavy Nasdaq.
Below is a one-year view of CrowdStrike, Zscaler, the BUG ETF, Palo Alto Networks and the NAS – which by the way didn’t benefit from the recent Oracle surge because that stock moved from the Nasdaq to the NYSE. Regardless, we see CrowdStrike and ZS leading the pack up more than 70% in the past 12 months. Diverging from what we’ve reported in previous Breaking Analysis episodes, the BUG ETF at 17%, lags the performance of the Nasdaq, which was up 27% in the past year as of Friday morning.
On a 5 year basis, Palo is the king, up 390%, but:
Earnings unpredictability, growth concerns and valuation have investors pulling back for a period of time. Moreover, the recent $25B CYBR deal weighs on share price. But we’re positive on that deal as it fits nicely with the Nikesh Arora’s “platformization” narrative and provides more direct TAM expansion into CrowdStrike and Microsoft strongholds. It’s a Big number – $25B – but it’s a cash + stock deal and Palo is using appreciated stock to expand its portfolio and market opportunities..we like the move.
CrowdStrike Commands a Premium Valuation
The financial picture has changed as a result of these factor. Here’s a quick look at CrowdStrike, Palo and Zscaler.
Above we show data from the most recent quarter for the top three quality stocks in the space. We show revenue run rate as the most recent quarter x 4, the growth rate, ARR, operating and FCF margin, cash on hand, market cap and run rate revenue multiple. Note that Palo Alto’s ARR reporting is only for what it calls NextGen Security which is growing in the 30%+ range. What stands out here is CrowdStrike, despite the challenges it has faced over the past year, continues to command a premium valuation relative to Palo and Zscaler. Typical SaaS revenue multiples are generally lower, in the 5-8X range with high growth startups at the 10-15X – so all three of these companies are trading at a premium relative to other software companies.
V-Shaped Recovery from the Effects of Last Summer’s Outage
What’s remarkable about CrowdStrike is the durability of its valuation. Take a look at the ETR spending data for Crowdstrike below.
The chart above from ETR shows the granularity of its Net Score methodology, which measures spending velocity on a platform. It represents the percent of around 400 CrowdStrike customers in the survey that are new logos (7% – the lime green); Spending up 6% or more (36% – the forest green); Flat spend (43% in the gray); Spending down 6% or worse (8% – the pink); Churning or isolating the platform (6% the bright red). Subtract the red from the green and that’s the blue line of Net Score, which is right around 30%. Anything over 40% is considered highly elevated.
CrowdStrike at its peak pre-last summer had a Net Score well over 50%; and churn was in the low single digits. So CrowdStrike is not out of the woods yet and hasn’t fully recovered to the pre-outage highs. The impact from last July was meaningful because the green compressed and the red escalated dramatically. But notice that both of those metrics are moving in positive directions – the green is slowly growing and the red is declining quite dramatically. As well, note the yellow line, which is Pervasion and measures the account penetration in the security sector, which dipped after the outage and has recovered nicely.
This is all quite impressive given the fast timeframe in which CrowdStrike rebounded in the context of last year’s customer disaffection. In a flash survey ETR conducted last July, the day of the outage, 96 out of 100 customers contacted were impacted. Notably, 46% of those contacted said the outage was significant or extremely significant. At the time, 44% said they’re likely to replace CrowdStrike and 58% said they would reconsider plans to consolidate around CrowdStrike.
Alternatives Considered
Security customers cited numerous options in the stack that they were considering as alternatives to CrowdStrike, shown below.
The survey data above was captured in April of this year, and at that time, the percent of customers saying they had firm plans to replace CrowdStrike was at 10%, in line with the April data on the previous chart. Another 24% said they were still contemplating replacement (vs 44% last July).
When asked which firms they evaluated, Palo and Microsoft led the list, SentinelOne with its endpoint credibility was #3 and Cisco and Fortinet with their large portfolios and footprint were also considered, as were some others.
Customer Care Program – A Study in Making Crisis Management
Post last July, CrowdStrike did more than go on an apology tour. They were transparent about what happened, took responsibility and implemented an aggressive customer care program (CCP), anchored by Falcon Flex.
Let’s explain in more detail. After the July 2024 outage, CrowdStrike moved quickly to preserve customer trust with its CCP, which bundled steep discounts, credits, and added support to offset disruption. While the program created short-term revenue headwinds, management used it strategically to seed Falcon Flex — a flexible licensing model that allows customers to onboard quickly, consume modules as needed, and easily expand into adjacent solutions. By delivering CCP through Flex, CrowdStrike hoped to turn a crisis response into a platform tailwind. Based on the data, customers not only stayed but often expanded, with many early adopters “re-Flexing” into larger commitments. This strategy cushioned churn risk, deepened stickiness, and positioned Flex as a durable growth lever that now anchors CrowdStrike’s long-term path to $10B in ARR.
CrowdStrike is Sticky
The combination of CrowdStrike’s transparency, the CCP and importantly, it’s not trivial to migrate off of a platform like CrowdStrike.
We reported on this several quarters ago but it’s worth emphasizing that 81% of customers indicate it’s not so easy to migrate off CrowdStrike. Why is this? Falcon’s agent are deeply embedded into the operational infrastructure of CrowdStrike’s customers. Replacing CrowdStrike means ripping out sensors from tens of thousands of endpoints. But more importantly, many processes and procedures are fossilized at its customers, and the skill sets built around CrowdStrike are difficult to migrate. The bottom line is the operational and compliance risk make the business case exceedingly negative.
Just a word on CrowdStrike’s response as they are not in the clear yet. It is generally accepted among enterprise customers that CrowdStrike acted with above-average transparency compared to industry norms after the incident – particularly because many security vendors bury the details when things go wrong. That said, for those directly impacted, there is a lingering perception that the company was more focused on damage control than full disclosure in the early hours, which is frankly ok by us. We know for a fact that CrowdStrike prioritized mobilizing its resources to help customers get back on their feet. In our view this was more important, at the time, than diverting more resources to figure out and communicating the anatomy of what exactly happened. Immediately after the incident, the priority was helping organizations get back on line.
From Best-of-Breed Product to Platform Excellence
CrowdStrike’s future performance is not without risks, and as shown earlier – its a premium-priced stock. Let’s take a look at its platform approach and what we see as the ARR growth engine.
CrowdStrike’s latest disclosures highlight the growing importance of its platform businesses as shown above. Next-Gen SIEM, Identity, and Cloud together account for $1.56B in ARR, or roughly one-third of the total. SIEM stands out as the fastest-growing segment at +95% y/y, while Cloud leads by scale at $700M ARR (+35% y/y). Identity remains smaller but strategic, surpassing $435M ARR (+21% y/y).
The takeaway is that CrowdStrike is no longer just an endpoint company. It’s a platform. George Kurtz likes to say that these businesses are large enough to be “IPO-able” on their own, yet because they’re integrated through Falcon, they reinforce the consolidation thesis and justify a platform premium. For these reasons, we believe the whole is greater than the sum of its parts, with Flex accelerating adoption across modules and embedding CrowdStrike deeper into enterprise security stacks.
What to Expect at Fal.Con 2025
CrowdStrike remains one of those cybersecurity companies with both the scale and innovation velocity to justify a premium multiple. The July 2024 outage left scars, no doubt — financial, legal, and reputational — but it also accelerated the company’s shift toward Falcon Flex, a contracting model that deepens customer stickiness and fuels multi-module adoption. With SIEM, identity, and cloud security now accounting for more than a third of ARR, CrowdStrike has transitioned from an endpoint leader to a true platform consolidator.
At Fal.Con 2025, investors should look for proof points around Flex becoming the default model, the removal of customer care program headwinds, clarity on FY27 ARR growth, new offerings that improve the SOC analyst experience and evidence that AI-led innovation is extending the company’s moat. Finally, look for signs that ecosystem leverage and partner expansion further validate CrowdStrike’s path to $10B in ARR by FY31.
The bottom line: CrowdStrike is navigating through choppy waters with resilience and exceptional leadership. The platform is sticky, the innovation engine is intact, and the company continues to be one of the firms that defines the direction of enterprise security. The central question is not whether CrowdStrike is a best-of-breed player – it clearly is — but whether the market will continue to reward its platform premium as growth normalizes and competition intensifies. In our view, the evidence supports that premium, provided execution stays on track.
