George Kurtz is pumped up…and why not? CrowdStrike’s business appears to be on a fast track and entering a new phase of growth, despite the difficult macro and elongated sales cycles. The company’s products are considered best in class, its business is growing steadily and an improved profitability and cash flow outlook had investors excited, at least up until this week. A still challenging environment and a rich 13X revenue multiple perhaps led to some profit taking, but Gen AI could be the next catalyst for the company. In the race to close the SecOps staffing gap, CrowdStrike has what appears to be a strong play with a natural language-based intelligent assistant known as Charlotte AI.
In this Breaking Analysis we update our scenario on security leader CrowdStrike. We’ll review the company’s recent progress, share survey data that shows where it is strong and where there may be icebergs ahead. And we’ll preview Fal.Con 2023 which takes place next week in Las Vegas.
2H 2023 – Good for Cybersecurity Platform Plays
This year has seen ups and downs for CrowdStrike and the cyber industry in general.
Above is a YTD chart of some cyber-related data points showing the performance of Palo Alto Networks, CrowdStrike, Zscaler, the Nasdaq and the BUG cybersecurity ETF. As you can see the sector is not immune to tech headwinds as the BUG is performing below the Nasdaq. But there are definitely some bright spots with the likes of Palo, CrowdStrike and ZS, which are outperforming the Nasdaq this year by a decent margin. Those three are playing the consolidation game effectively while many others are losing share.
Generally these platform plays, of which CrowdStrike is one of the more prominent, are winning and the leaders are expanding their total available markets with new modules and participating at the periphery of certain adjacencies – e.g. observability.
As we hear at every conference this year, Gen AI will be a hot topic at Fal.Con with the company expected to announce pricing for its Charlotte AI intelligent SoC assistant. Charlotte is one of the first examples of gen AI specifically for security use cases and was on display at Black Hat this past August. CrowdStrike was one of the few companies actually showing a real demo vs. vaporware at Black Hat and we’re eager to see more at the upcoming conference.
CrowdStrike’s Journey to Become a Generational Platform
In a Breaking Analysis last year we put forth our thesis as to how and why CrowdStrike would become an enduring company. Despite a few potholes in the road, generally CrowdStrike is on track and continues to execute as we expected.
Let’s review the recent performance of CrowdStrike.
We consulted with SiliconANGLE’s lead cybersecurity journalist David Strom to get his take on CrowdStrike. He as well is positive on the company and points out that the Falcon platform has succeeded at both integrating dozens of modules and importantly, understanding how those modules map to a customer’s skill sets. And moreover how the data collected by Falcon’s lightweight agent is shared across teams.
Strom correctly points out that CrowdStrike was early getting into cloud-based security – perhaps a bit late on protecting containers – but catching up fast with a dynamic analysis tool for containers.
As we’ve shared previously, CrowdStrike combines both an agent and agentless approach and is generally considered leading edge. As a point of comparison, red hot emerging security company Wiz, which CEO George Kurtz called out on the last earnings call, is generally viewed as having a better dashboard and UX but its agentless architecture doesn’t have the data richness of CrowdStrike. This is just one example of the many tradeoffs that users face in evaluating platforms but generally CrowdStrike is seen as being capable of handling many different security situations, a key criterion for today’s CNAAP players.
But as Strom points out “there’s still room for improvement” for all vendors in the space.
Below is a snapshot of CrowdStrike’s financial performance.
Its ARR is up $790 million since last year at this time. That’s a 37% year on year growth.
Subscription customers with five plus modules grew 63% versus 59% last year.
We saw a big jump in free cash flow margin, up from single digits a year ago to 26% last quarter.
And then rule of 63 i.e, free cash flow margin plus revenue growth. That’s quite impressive, although down from an unsustainable 84% y/y.
Year on year subscription revenue growth was 36% (not shown) versus 60% last year.
The street, given this stellar performance and relatively easy compare, wanted more aggressive guidance. But for reasons that we’ll cite in a moment, we think CrowdStrike’s caution is prudent.
There’s no Compression Algo for Experience
At the recent Goldman Sachs Communacopia & Technology Conference CEO George Kurtz invoked Andy Jassy’s famous line, “there’s no compression algorithm for experience.”
With all the AI-washing going on in the market, extracting the signal from the noise becomes even more important for customers. CrowdStrike has a long history in AI and will make its case at Fal.Con 2023.
Above is CrowdStrike’s attempt to underscore its history in AI. Now you may say, it’s easy to create a slide like this after the AI shot heard ‘round the world last November. But the fact is, CrowdStrike has been deep in AI for a decade plus. The callout on Charlotte AI is new however and we believe we’re entering a new era where technology will truly begin to attack the number one problem faced by SecOps teams…lack of deep talent. Estimates indicate there are 3.5 million* unfilled security jobs today and the vision is AI can begin to close that gap.
*[Note: There is an error in the video below in which this figure is incorrectly cited at 3K].
Unpacking CrowdStrike’s Customer Spending Profile
Let’s get into some of the ETR data and look at CrowdStrike’s spending performance and the breakdown of ETR’s proprietary Net Score methodology.
Above we show data from the 422 CrowdStrike customers in the survey of 1,700+ IT decision makers. Focus on the July23 bar. Note that the October survey is in the field so we have to block it out. We have early results and we’ll talk about that in a moment but focus on July.
The lime green at 12% is the percent customers that are new adds. You can see it’s been compressing steadily over the last several quarters. The forest green, at a healthy 41%, is spending is increasing by 6% or more. Note it is down from earlier highs. The gray at 48% is flat spending (+/- 5%) and you can see the big uptick there. The the pink is spending down 6% or worse and the red is defections or churn. Note that the red is also compressing which is a healthy sign of retention.
Subtract the reds from the greens and you get Net Score which is shown on that blue line at 48%. It’s on a downward trajectory, however notice the red dotted line at 40%. That indicates a highly elevated spending momentum level and CrowdStrike is well above that.
The yellow line represents presence or pervasiveness in the dataset and it’s calculated by taking that CrowdStrike N of 422 and dividing it by the total N in the survey and then tracking that in a time series. And you can see CrowdStrike is gaining share in the dataset quite strongly.
The one caution is we took a glimpse at the survey that’s in the field now and there’s definitely is some slowing overall and specifically within small and mid-sized businesses.
Momentum in the Global 2000 Powers CrowdStrike
CrowdStrike appears to be performing extremely well in the G2000. Cutting ETR data we see below the same Net Score granularity in a time series but only for 109 G2000 customers in the survey. The story is impressive.
Look what happens to Net Score – it jumps from 48% in the previous chart to 61% in the G2000. Note the very steady increase in Global 2000 spending velocity since the Oct22 survey. And also note the much rise in the shape of the yellow curve, which is a representation of pervasion inside the dataset.
The latter (yellow line) data point is a strong indication that CrowdStrike is a consolidator and gaining share with larger customers.
Peer Performance for Cybersecurity Companies in the G2000
Let’s test this assertion a bit further. Below we show CrowdStrike’s peer performance within the Global 2000. The survey captures 430 G2000 customers in the security sector. Remember there are 109 CrowdStrike accounts in that cut. So it’s a pretty good representation.
On the vertical axis is Net Score or spending momentum, which we explained earlier. On the horizontal axis is that N in the dataset and the overlap with all these companies. The plot position is determined by the N and Net Score for each firm.
The following key points are noteworthy:
- The squiggly line is CrowdStrike’s performance over the last several quarters. Notice its net score on the vertical axis has held steadily but as we saw that steep yellow line in the previous chart, a big uptick in pervasiveness in the sector. ,
- This is another indicator CrowdStrike is gaining share relative to peers and is its consolidation play is working.
- You’d likely see something similar for Palo Alto Networks and Zscaler we’ll leave that detail for another Breaking Analysis.
CrowdStrike CEO Competitive Callouts
The other call outs on this chart are Microsoft, SentinelOne and Wiz. George Kurtz mentioned each of these companies on the last earnings call in a competitive context. Citing the high expense and lack of security focus for Microsoft overall, throwing FUD at SentinelOne with regards to the rumors of it going to private equity and a competitive win against Wiz. He also called out an Arctic Wolf takeout (not shown in this cut).
In regards to Microsoft, they’re clearly CrowdStrike’s largest competitor, while the others are independent pure play cybersecurity firms. Microsoft is ubiquitous and can’t be ignored. The simple takeaway is CrowdStrike must move faster, build better, more comprehensive products and move faster than Microsoft. As well, it is a horizontal platform that works across clouds and on-prem environments.
The most impressive data points on Microsoft are that it has a huge market presence in security and yet its momentum is, like CrowdStrike, Zscaler and Okta, above that 40% mark. Palo Alto as well is prominent and close to the 40% line. The point is Microsoft is big and has momentum in cyber and can’t be ignored. This is particularly important as it relates to the SMB market, an area that has seen some headwinds for CrowdStrike and one we cited earlier as a sector of concern.
Overlap Between Microsoft and CrowdStrike Accounts & the Importance of Dell as a Partner
Next we want to look at the overlap of 422 CrowdStrike accounts with Microsoft. Below we show the same vertical axis i.e. Net Score and the presence in the dataset in the horizontal axis. Microsoft is such a big competitor to CrowdStrike and, notably, George Kurtz commented on the last earnings call that there was a big overlap between CrowdStrike customers and Microsoft accounts.
What we show above is 422 CrowdStrike accounts and the overlap with some of its competitors and some of its partners.
Here are the key points:
- In the ETR dataset, 79% of those 422 CrowdStrike accounts are running Microsoft security software. It’s not surprising that Microsoft has such a huge presence inside of CrowdStrike accounts but it’s meaningful.
- Zscaler, Okta are partners with CrowdStrike and are sponsors of the Fal.Con Conference, so we placed them for reference.
- Palo Alto Networks has a broad agenda and has grown via acquisition in many areas that overlap with CrowdStrike. They’re a larger company and they’ve got a bigger presence. They don’t have the spending velocity but as you saw in the earlier chart their stock is doing very well this year.
- You can see Wiz, Tanium, SentinelOne i.e. some of the companies that compete as endpoint players.
CrowdStrike in Microsoft Accounts
Notice the insert tex. Within the ETR dataset, the CrowdStrike overlap in Microsoft accounts is 25%. We’re not showing the graphic but if you flipped it, in other words, if you ran across tab on over 1,000 Microsoft security accounts in the dataset, 25% would also have CrowdStrike. Now you might say, “Wow, that’s a lot lower than the overlap on the reverse, 79% Microsoft overlap,” but 25%, it’s pretty high. That 25% of the Microsoft security accounts also have CrowdStrike says that customers are looking for more. Or perhaps its a consolidation opportunity for CrowdStrike as it’s scope transcends Azure.
The point is this data further supports Kurtz’ assertion.
The Importance of Dell as a Partner
The second bullet above shows the CrowdStrike overlap in Dell accounts at 28%, and the Dell overlap in CrowdStrike accounts is around 38%. So in other words, in these 422 CrowdStrike accounts, 38% of them have Dell and then when you flip that 28% of Dell accounts have CrowdStrike.
Why do we call that out?
- If there’s some softness in SMB, Dell can help.
- While there’s significant overlap, it represents upsell opportunities for Dell and CrowdStrike.
- As well, there’s plenty of greenfield Dell accounts that don’t have CrowdStrike and Dell can package in CrowdStrike as part of larger bundled deals, in its services engagements and also through its channel partners – VARs, SIs and MSSPs.
Dell is one of three top level partners at Fal.Con this year and is a key channel lever for CrowdStrike.
Highlights to Watch for at Fal.Con 2023
Fal.Con is a multi-day event at Caesar’s Palace, which ironically got hacked last week along with the MGM. theCUBE is going to be there as we were last week at the SAS Explore event, which didn’t have serious disruptions. The situation at Caesar’s could be more challenging but we’ll see.
Regardless, we’ll be listening to and analyzing keynotes from George Kurtz, the CISOs of Intel and Mattel and practitioners from Liberty Mutual and Salesforce. It looks like the event is going to be significantly larger this year – perhaps 60% bigger.
A main focus will be on Charlotte AI and its pricing. we’re really interested to see how CrowdStrike prices its Gen AI tool. Will it be value-based pricing – i.e. make a case of, “Hey look how much time we’re saving you and what that’s worth in terms of staffing.” But again, it can’t be so expensive that it’s prohibitive to people adopting, especially in the context of Microsoft and OpenAI. So they’re going to have to balance this while still aligning with their margin model. The key will be the degree to which Charlotte will be integrated into the Falcon platform. We expect to see broad integration over time but more narrow out of the gate.
The fourth bullet above, expanding the Falcon platform . We’re going to hear a lot about its many modules that run in the cloud – i.e. Falcon in the cloud. CrowdStrike was a first mover in cloud as we said at the top. They also protect identity as an endpoint and then LogScale going after all that mess of logs and that’s another growing business for CrowdStrike. One of the things George Kurtz said, which was quite interesting, is that each of these businesses – Cloud, Identify and LogScale is IPO-able in and of itself. So put that together in a single platform, inject AI throughout and you’ve got a pretty hot company right now.
The last bullet is, last year at Falcon 2022, we said one of the things we want to see from CrowdStrike is ecosystem expansion. And we’re starting to see that. AWS, was there last year, but other partners are leaning in. We talked about Dell but also Intel, CloudFlare, Mandiant, Zscaler and 70 plus sponsors at the event. That is a nice expansion and we expect significant momentum from that ecosystem. If you’re going to be a platform play, you got to have ecosystems. The hallmark of a cloud company is ecosystem energy and flywheel from partnerships – we’ll be analyzing that and speaking with joint customers.
If you’re at the Fal.Con conference this week, stop by theCUBE and catch our two days of coverage. We’re covering a simultaneous cybersecurity event at Mandiant by the way – John Furrier will be in DC so if you’re there come see us.
As always we’ll be reporting, analyzing and bringing the best guests and hope to see you there or online.
Keep in Touch
Many thanks to Alex Myerson and Ken Shifman on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight who help us keep our community informed and get the word out. And to Rob Hof, our EiC at SiliconANGLE.
Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.
Email david.vellante@siliconangle.com | DM @dvellante on Twitter | Comment on our LinkedIn posts.
Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail.
Watch the full video analysis:
Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.
All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.
Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.