It’s been an interesting month in the cybersecurity space. The sector has been somewhat less affected by budget tightening these past twenty-four months and at the same time has benefitted from AI tailwinds. But in the past several weeks we’ve seen some separation in key highflying cybersecurity names. Specifically, Palo Alto shocked the street last month with a $600M billings forecast surprise and sounded the alarm that there were cracks in its consolidation execution. This dragged down other consolidation players in sympathy, namely CrowdStrike and Zscaler. But our research shows that the dynamics facing these three companies are quite different. Of particular note, CrowdStrike’s earnings print highlights the company’s impressive momentum while recent negativity around Zscaler is a bit of a head scratcher for us, which we’ll try to explain.
In this Breaking Analysis we take a more narrow look at the information security space and dig deeper into the continued success of CrowdStrike. With recent survey data from ETR, we continue to advance our premise that platforms beat products and we identify several levers that are powering CrowdStrike’s path to $5B by FY 2026 and to $10B by the end of the decade.
Four Months of Divergence
Since early 2022 and into most of 2023, CrowdStrike, Zscaler and Palo Alto Networks all exhibited fairly high quality performance, trading in a similar pattern (notwithstanding a couple of speed bumps early last year for Zscaler). As well, through the second half of 2023 they significantly outperformed the Nasdaq as shown in the orange line above. In fact on February 15th, the week before Palo Alto’s earnings, CrowdStrike was trading at 157% above its March 8th 2022 level. Zscaler was up 120% and Palo was up 95%, while the Nasdaq was up only 37%.
Palo Alto’s Reduced Outlook Shocks the Street
On February 20th after the close, Palo Alto announced its earnings. While it beat expectations, investors, normally used to Palo’s consistent and predictable performance, heard about a delayed or perhaps lost government contract that took down FY ’24 billings guidance by $600M at both ends of the previous guide range. This will directly hit the income statement going forward and not surprisingly took the stock down more than 100 points.
You can see in the corrected Tweet above, the day after the earnings print, this billings shortfall was part of the guide and not the current quarter. Thunderdome is the Defense Information Systems Agency, or DISA’s, zero trust network architecture project. Palo had re-allocated significant resources to the project given the likely event that it would get the deal. But as we’ve seen with other large government contracts like JEDI, things can change quickly.
So we wanted to understand what the spending data was telling us. The chart above from ETR shows Net Score or spending momentum on the vertical axis and Pervasion or account penetration in more than 1,700 respondent accounts. This is the cybersecurity sector and we’ve cherrypicked some of our favorite names and several that compete with CrowdStrike, Palo Alto Networks and Zscaler.
Broader Security Market Feeling the Macro Pinch
What’s interesting if you look at a basket of cybersecurity stocks such as those in the BUG ETF, you’ll actually see, unlike CrowdStrike, Zscaler and Palo Alto, the broader group has actually traded much more closely with the Nasdaq and fell behind after the Palo Alto earnings announcement. And you can see by the squiggly lines on the chart above, the entire group, including our three consolidators, has been pushed down since January 2022, the beginning of the time series shown.
The one exception is Microsoft which continues to be ubiquitous as the “good enough” security company. Many will say good enough is not good enough in cybersecurity and the Russian hack that infiltrated Microsoft’s own internal systems should cause concern for its external customers.
The point is in looking at this data we thought maybe the combination of AI sucking up budget and continued macro headwinds will have an impact on the entire sector, including highfliers like CrowdStrike and Zscaler. But we wanted to keep digging.
Spending “Fatigue” Sends a Shock to the System
The other major topic on the Palo Alto call and in subsequent discussions at various financial conferences, were comments from Palo Alto’s CEO, Nikesh Arora.
The part that is new, despite the many demand drivers we’re seeing, we’re beginning to notice customers are facing spending fatigue in cybersecurity.
-Nikesh Arora, CEO Palo Alto Networks; 2/20/24
Now we have some other data that we’re showing above that tells the story in a bit more detail from the customer angle – a CISO at a midsized services company speaking on an ETR roundtable hosted by Erik Bradley.
The pain points that I’ve had with Palo have always been, once they figure out what to sell you, they’ll try to figure out how to sell you more…And what you buy from Palo for two or three years is fine, and then all of a sudden now you got to spend more to get kind of where you were. They’ve done that over and over again, and I think people are quite honestly just tired of that.
-VP IT & CISO Midsize Firm 2/16/24
The other bombshell from Palo Alto’s earnings was that spending fatigue was making it difficult for Palo to convert customers to its full platform. The problem they cited is that customers have existing licenses for legacy point products that haven’t expired and/or they’re not willing to risk taking on all the modules in a consolidation play at once. So Palo began offering free trials to bridge customers as these licenses expire and to give time for the customer to absorb the budget hit.
This introduces an entirely new dynamic for Palo where the timing of consolidation revenue is a function of existing license expiry, customer absorption capacity for new modules, the complexity of onboarding those modules and the overall impact all this has on conversion from free to paid.
Consolidation is Waning Across IT – What Does it Mean for Cyber?
Of course free trials are not a new tactic but it is a recently new dynamic that we wanted to investigate more deeply.
The graphic above shows the percent of more than 300 customers actively cutting budget that said consolidating redundant vendors was the primary means of cutting costs. Note the steep decline from 36% of customers in January 2023, down to 12% one year later.
You can see in the Tweet that this doesn’t necessarily mean CrowdStrike and Zscaler will be hit in a similar way because their history is much different from Palo Alto. Palo started as a hardware company, pivoted to software and has entered many new markets by stitching together numerous acquisitions. Very successfully by the way, but definitely a heavier transformation challenge than CrowdStrike and Zscaler. Those two companies are also very acquisitive but they had a much less complicated path to the cloud than did Palo Alto, which struggled with its cloud transformation as we reported earlier this decade.
Zscaler Beats, Raises and the Stock Drops
We were watching these trends closely and waiting for ZS and CrowdStrike to announce earnings. Zscaler announced earnings on the last day of February and despite a strong print the stock has been under pressure. Was it spending fatigue? Evidently not as CEO Jay Chaudhry explained:
We really do not see any cyber spending fatigue among our customers. In fact many of the CIOs that told me that cyber is a priority for spend. But they do have ELA fatigue because a lot of stuff has been becoming shelf wear and it’s being scrutinized. Regarding free stuff, many vendors have been trying to give it away for a while and we have been successfully winning against this strategy for a long time.
– Jay Chaudhry, CEO Zscaler.
So why was the stock under pressure? Analysts cited concerns about billings being below the high end of the range, guidance was back loaded and concerns related to difficult compares in the back half. As well, Zscaler is really the only pure play vendor in the SASE space. SASE stands for secure access service edge and is a capability that converges network and security as a service. It includes SD-WAN and cloud native security functions like gateways, brokers, firewalls as-a-service and is part of a comprehensive zero-trust network access framework.
Zscaler signaled that it is spending aggressively on go to market to secure a moat as a pure play in the field. While the company is increasingly relying on larger deals to hit its targets, generally, we like this type of capital allocation because it will pay dividends down the road. But Wall Street is cutting estimates as a result of these factors and that is what we think is pressuring the stock.
At least that’s the explanation that makes sense to us. But we always like when a company has conviction and invests in R&D and go to market expansion.
Then CrowdStrike Announced
The analyst community was eagerly anticipating CrowdStrike’s earnings and wow did they get a gift.
$3.44B ARR, 34% YoY growth.
Improved operating margins and FCF margins and an impressive 66 in the rule of 40 calculation – i.e. FCF margin + Growth.
True Platform Expansion Beyond Endpoint
The metric that is getting investors excited about CrowdStrike is its expansion beyond core endpoint.
Twenty-five percent of its $850M Q4 ending ARR, came from modules outside of endpoint. That’s double the non-endpoint ARR year over year. Specifically cloud, identity and next gen SIEM were the areas the company cited contributing the most to this growth. The company’s goal is that by the end of the decade, the non-endpoint parts of CrowdStrike’s business will comprise half of a $10B ARR.
This is the power of a platform. CrowdStrike’s CFO said that new customers are averaging almost five modules when they come on the platform as new customers. With the number of customers deploying 5, 6, 7 and 8 or more modules growing consistently.
CEO George Kurtz is fond of saying these three businesses, cloud, identity and next gen SIEM are each, in and of themselves, IPO-able. Impressive.
George Kurtz Seizes the Moment
Now if you know George Kurtz, and we’ve gotten to know him a bit over the last few years, he doesn’t miss a chance to cross the finish line first. Here’s what he said on the earnings call.
…what organizations inevitably realize is that vendor lock-in leads to deployment difficulties, skyrocketing costs, and subpar cybersecurity.
The outcome is shelfware and sunk costs. ELA and bundling addiction become the only way to coax customers into purchasing non-integrated point products. If the organization trapped in these fragmented pseudo platforms riddled with bolt-on point products that are the ones suffering from fatigue.
–George Kurtz, CrowdStrike CEO 3/5/24
Dell Deal Starting to Produce Results for SMB
One other nugget from CrowdStrike’s quarter is the deal with Dell targeting SMBs. CrowdStrike said that its Dell partnership has produced $50 million of total deal value. While not a lot this is early days. Dell is standardizing on CrowdStrike Falcon to build its MDR services for small and midsized customers. MDR stands for managed detection and response.
There’s a neat capability in the ETR data set that allows us to investigate the overlap in Dell accounts with CrowdStrike.
The chart above shows 314 Dell accounts, and you can see we’ve selected its PC products (this deal was done between Daniel Bernard, CrowdStrike’s Chief Business Officer, and Sam Burd, Dell’s President of CSG i.e. the PC group). It shows Net Score or spending momentum on the vertical axis and CrowdStrike’s Overlap in those 314 Dell accounts on the horizontal plane. This is only SMB accounts.
You can see we’ve plotted the trajectory over the past two years. And it tells an interesting story. Specifically CrowdStrike back in 2022 had 30 Dell SMB accounts or a 15% overlap in the data set with a very robust Net Score of 67%. Remember anything over 40% is considered highly elevated. But two things happened over the course of two years:
- CrowdStrike’s Net Score in these accounts plummeted, signaling to us a problem. The metric bottomed late last year. Perhaps SMBs found it too complicated to deploy and manage their own CrowdStrike instances. Or maybe they felt the price was too high. But clearly something needed to change. These two companies got together last year and;
- The second change is CrowdStrike’s penetration went from 30 Dell SMB accounts to 73 with 23% overlap, up from 15%. And a Net Score. And while CrowdStrike’s Net Score in Dell SMB accounts went from 67% – or 11 points above the CrowdStrike survey average – to 38% – or 10 points below CrowdStrike’s average – it tells us that the company took action to solve whatever problem it was facing and is now in a much stronger position to compete in the SMB space.
We see significant upside here.
Why CrowdStrike is Thriving
Let’s wrap by looking at some of the critical success factors that are powering CrowdStrike’s outstanding execution.
First of all, they’re a true platform company. We’ve said many times, platforms beat products. CrowdStrike’s platform comprises a single lightweight agent and it’s same agent for all the modules, they’ve also got agentless capabilities.
This enables them to create a unified data model and a single platform, not a collection of modules that have been bolted together. For years, CrowdStrike has leveraged advanced knowledge graphs and purpose-built data stores, which apply very nicely in security.
This high quality data supports the company’s AI strategy and will affect their entire business. Many companies today are “AI washing.” CrowdStrike is not one of them. They’ve been in the AI space for over a decade. We reported on this a couple of quarters ago, showing their AI journey since 2011 – and we think it’s legit.
CrowdStrike is founder-led, and very much mission-driven. We’ve talked about the importance of founder-led companies before. You think about Dell Technologies, you think about Oracle, these are mission-driven companies. Of course, CrowdStrike’s mission is to stop the breach, which is aspirational and virtually impossible. But that’s the mindset – move faster because the adversary is compressing the time to get in, take valuable assets and get out.
CrowdStrike is cloud native. They really pivoted heavily to the cloud at a point where that was not as much of a heavy lift as it was for Palo Alto, for example. Of course, Zscaler has always been in the cloud, but CrowdStrike made those investments early on because they saw the opportunity in cloud.
As well, as we pointed out with the ETR data, we see significant upside in SMB with the Dell relationship. This is important because SMBs need help and don’t have the resources to defend themselves adequately. And Dell knows how to help SMBs at a value price points.
CrowdStrike saw the clear opportunity to bring security to the cloud. We haven’t talked in-depth about AI but CrowdStrike is a true AI practitioner – as are many cyber firms by the way – but CrowdStrike has real AI chops and has begun shipping its Charlotte Gen AI, which we believe will transform the security analyst experience.
CrowdStrike is executing on a true platform play better than any firm in the cyber space in our view. It’s main competitor is Microsoft and by all accounts the company has a superior offering. That said, some customers tell us they’re priced out of CrowdStrike and they are forced to go with good enough. But in cyber, more than any other market, the ROI is much less a function of the CAPEX and OPEX costs. While vital to any ROI calculation the value of cybersecurity is a reduction in risk and corollary expected loss in revenue, cost and reputation. If a company can also lower the cost of cybersecurity through consolidation, such as CrowdStrike (and Zscaler) are effectively doing then that is an added bonus and frees up more investment dollars.
With cyber threats continuing to escalate and the probability of a breach is now near 100%. Reducing the impact of a breach by either stopping the breach -CrowdStrike’s stated mission- or responding as fast as possible, are the key drivers of ROI and generally organizations will find it’s worth every penny.
Keep in Touch
Thanks to Alex Myerson and Ken Shifman on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight who help us keep our community informed and get the word out. And to Rob Hof, our EiC at SiliconANGLE.
Remember we publish each week on theCUBE Research and SiliconANGLE. These episodes are all available as podcasts wherever you listen.
Email david.vellante@siliconangle.com | DM @dvellante on Twitter | Comment on our LinkedIn posts.
Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail.
companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.
