In just over ten years, CrowdStrike has become a leading independent security firm. It has more than $2B in annual recurring revenue, nearly 60% ARR growth, a roughly $40B market capitalization, very high retention and a path to $5B in revenue by mid-decade. The company has joined Palo Alto Networks as a gold standard pure play cyber firm.

It has achieved this lofty status with an architecture that enables it to go beyond point product. Combine this with outstanding go to market, solid financial execution, some sharp acquisitions and an ever-increasing total available market and you have the formula for a great company.

In this Breaking Analysis and ahead of Fal.Con, CrowdStrike’s user conference, we take a deeper look into the company, its performance, its platform and customer survey data from our partner ETR.

Is the Security Sector Really Insulated from Macro Headwinds?

The general consensus is that spending on cyber is non-discretionary and has held up better than other technology sectors. While this is generally true, as the data above shows, it’s nuanced. Let’s explore that a bit.

The chart above shows YTD data comparing the stock performance of CrowdStrike to Palo Alto Networks, the BUG ETF (a cyber index), the Nasdaq and SentinelOne, a relatively new entrant into the public markets. As you can see the security sector, as evidenced by the orange line, is holding up better than the overall Nasdaq which is off 28% YTD. Palo Alto has held up the best – being off only around 4% YTD, whereas CrowdStrike is off in the double digits this year – but up from its lows this past May. 

CrowdStrike had a nice beat and raise on 8/30 but the stock didn’t respond well initially. We asked Breaking Analysis contributor Chip Symington for his technical take on CrowdStrike and the sector generally.

He stated the following:

CrowdStrike has bounced around for the last three months in its current range. Cyber stocks have held up better than the rest of the market and now might be a good time to take a shot. But I’m cautious. Fedex’s warning today of a global recession is cause for concern. Maybe some of these quality cyber stocks like Palo Alto, CrowdStrike & Zscaler will outperform in a recession, but that play is not for the faint of heart. In fact it’s feeling like a longer, more drawn out tech downturn than many had hoped…perhaps as much as 12-18 months of trading in a range with sellers still in control. 

-Chip Symington, former Managing Director, Institutional Trading, Piper Jaffray

In terms of cyber spending being non discretionary, we’d argue it’s less discretionary than other IT sectors, but CISOs still don’t have an open wallet. We’ve seen spending momentum decelerate throughout this year in all sectors, including Cyber. On its most recent earnings call, CrowdStrike itself cited increased scrutiny on spending which has elongated certain sales cycles for the company.

The bottom line is we expect security to remain a #1 priority for CIOs and a firm like CrowdStrike, which is a platform play, could benefit in the mid-term as we believe it is in a strong position to consolidate point products.  

Early Going in the CrowdStrike Journey

Independent of the stock price, George Kurtz, CEO of CrowdStrike is running his company through a marathon, not a sprint. The company’s key performance indicators are setting it up well for the future. Despite macro headwinds, CrowdStrike is executing extremely well.

The company is free cash flow positive and is in the black on a Non-GAAP operating profit. Yet it is growing ARR at nearly 60%. Frank Slootman uses the term “inherent profitability,” meaning that a company could drive more profits if it wanted to dial down expenses – especially on sales and marketing costs. But that would be a mistake for a company like CrowdStrike. While it has an impressive nearly 20,000 customers, there are hundreds of thousands it could penetrate. So like Snowflake and Slootman, Kurtz is not taking his foot off the gas. 

CrowdStrike’s Platform is its Secret Weapon

The fundamental strength and secret sauce of CrowdStrike is its architecture and platform shown above. Let’s take a deeper look. 

CrowdStrike believes that the unstoppable breach is a myth. CISOs don’t agree of course but that is CrowdStrike’s point of view. The company is on a mission to consolidate the patchwork of point solutions in the security space. It’s doing so by introducing modules that go beyond narrow point products. CrowdStrike has more than 20 modules that span a range of capabilities as shown in the slide above. 

There are a few critical aspects of the CrowdStrike architecture that bear mentioning.

The Agent/Sensor

CrowdStrike’s lightweight agent is fundamental. We’re used to thinking agentless is good and agents are bad because they have to be managed. But in this case, a powerful but small, easy to install and unobtrusive agent is advantageous because it supports multiple CrowdStrike modules and can support massive scale. 

Everything in the Cloud

The second key point is CrowdStrike, from the beginning, has been dogmatic about getting all telemetry data into the cloud so it can be analyzed. The more agents CrowdStrike installs around the world, the more data it has access to and the better its intelligence. Few companies have access to more data – perhaps Microsoft given its scale and size is an exception. 

Threat Graph

CrowdStrike has developed a purpose-built threat graph and analytics platform that allows it to quickly ingest, in near real time, key telemetry data and detect not only known malware – that’s pretty straight forward – but using machine intelligence, unknown malware and other potentially malicious behavior using indicators of attack (IoAs).

Scaling New Products & Modules Beyond Endpoint 

This past quarter, CrowdStrike reported that ARR from newer products was $219M or around 10% of total ARR. This emerging segment is becoming a meaningful component of CrowdStrike’s business and is a key to consolidating the installed base of point products in the market. These new modules include Falcon Discover, which keeps track of systems, application usage and user accounts; Spotlight, which highlights vulnerabilities; and Identity Protection, designed to monitor and protect against identify attacks. CrowdStrike’s identity module came from the $96M acquisition of Preempt in 2020.

The $219M figure also includes Humio, a company CrowdStrike bought for $400M in early 2021. It’s the company’s Splunk killer and will serve as CrowdStrike’s observability platform. Observability is one of the hottest and increasingly crowded spaces. Dozens of companies, including Splunk, Datadog and Elastic are going after the opportunity. By bundling the capability into Falcon, CrowdStrike’s hope is to provide better scale with its cloud architecture, simplify the deployment and management of the system and feed more data into its platform. 

CrowdStrike’s Three-Pronged Approach

CrowdStrike combines three “superpowers” in its platform: 

  • AV – Next generation antivirus – meaning it’s a SaaS based solution and can do fast lookups to telemetry data in the cloud leveraging CrowdStrike’s proprietary threat graph;
  • EDR – Best in class EDR (endpoint detection and response). CrowdStrike sends all endpoint activity to the cloud and can process the data in near real time. CrowdStrike EDR allows you to search data history and it partners with threat intelligence platforms who push data into the CrowdStrike cloud, which increase its intelligence. CrowdStrike EDR has containment capabilities to fence off compromised systems.
  • Managed Hunting – CrowdStrike has a world class managed hunting team. Like many firms, CrowdStrike has a crack group of experts watching for threats. CrowdStrike’s advantage is the amount of data and near real time capabilities of its architecture. 

By choosing to be 100% cloud-based, CrowdStrike leverages all the advantages of the cloud and doesn’t fork its data set. The more agents / sensors CrowdStrike customers install, the better information CrowdStrike has to support its customers and the virtuous cycle continues. 

Customer Survey Data Shows CrowdStrike Leads its Peers in Spending Momentum

Let’s now dig into some of the survey data and take a look at what ETR respondents are saying about the spending momentum for CrowdStrike in context to its peers.

Above we show a very recent data set that ETR’s Erik Bradley shared with us. It’s an XY graph with Net Score or Spending momentum on the vertical axis and the Overlap or pervasiveness in the survey on the X axis. The dotted line at 40% indicates an elevated level of spending velocity. Note the CrowdStrike progression since the pandemic started (the squiggly lines).

The two notable points are: 1) CrowdStrike has remained consistently above the 40% mark; and 2) It has made notable progress to the right, consistently increasing its share over a two year period. 

The other callout here is Microsoft in the upper right. As usual Microsoft is a dominant player and as referenced earlier has massive scale and quality telemetry data. Unlike AWS, Microsoft is a direct competitor of CrowdStrike’s. Microsoft strength is its  with Azure. CrowdStrike’s opportunity is to deliver a more inclusive offering beyond Microsoft’s installed base. 

The security sector remains strong with lots of players hovering around the 40% line. Cybersecurity has a large and expanding TAM with many point tools that CrowdStrike is well-positioned to consolidate. 

Spending Spotlight on Endpoint Players

Below is a more narrow view of that same XY graph.

It takes out Microsoft to normalize the data set a bit. And compares a number of firms that specialize in endpoint along with CrowdStrike – such as Tanium, which also has a lightweight agent and appears to be doing well. SentinelOne. Carbon Black which VMware bought for around $2B and Cylance – the Blackberry pivot. We’ve also included Palo Alto and Cisco because they are major players with a big presence in security, they compete with CrowdStrike and are both going after XDR which we’ll review in a moment. 

The net takeaway is you can see how CrowdStrike looms large with a higher Net Score and a steady posture on the X axis. The table insert informs the position of the plots. CrowdStrike is well ahead on Net Score and its N in the data set is meaningful and continues to grow. 

XDR – Buzzword or the Next Big Thing?

Let’s now take a quick look at XDR – Extended Detection and Response. XDR is considered a bit of a buzzword but CrowdStrike is taking the mantle and trying to own the category in our view – a natural evolution of endpoint detection and response – EDR.

In a recent ETR roundtable hosted by our colleague Erik Bradley, the sentiment among several CISOs is that existing SIEM – security information and event management platforms – are inadequate. And some see XDR as a replacement for – or at least a strong complement to – SIEM. 

If the regulatory requirement isn’t there, I absolutely will get rid of my SIEM.

CISOs want a single view of their data. They want help prioritizing potentially high impact breaches. They want to automate the low level stuff – because sometimes too much information becomes information overload – and they want to consolidate platforms. They have too many dashboards, too many stovepipes, difficulty scaling, and inconsistent telemetry data. 

CrowdStrike we feel is in a good position to continue to gain share and disrupt this space as a natural progression of EDR.  

Fal.Con Preview

Here are some of the things theCUBE will be looking for next week when theCUBE is at Fal.Con, CrowdStrike’s user conference. 

 

We’ll be there for 2 days at the Aria in Vegas. In addition to CrowdStrike’s CEO, we’ll hear from government cyber experts – always at security conferences – and the CEO of Mandiant. Google just closed its $5B+ acquisition of Mandiant, a threat intelligence expert and consultant. 

We expect an intense focus on the Falcon platform at the event and you’ll see CrowdStrike educating the audience on its modules and how to take advantage of its capabilities beyond endpoint with an emphasis on consolidating tools. 

We’ll also be watching for the ecosystem conversations. We saw at re:Inforce, CrowdStrike and Okta were presenting together to show how these companies’ products complement each other in the market. We expect more clarity on how CrowdStrike’s partnerships are evolving. Its intent is to consolidate point tools which means its TAM expansion strategy will naturally encroach on others in the industry. So the company must carefully choose its parters and its partners will be somewhat cautious. 

A generational company must have a strong ecosystem. CrowdStrike’s is evolving and our belief is it has some work to do to create a stronger partner flywheel – and we’re eager to dig into that next week. 

So if you’re at the event please do stop by and say hello to theCUBE. 

Keep in Touch

Thanks to Chip Symington and Erik Bradley for their contributions to this episode of Breaking Analysis. Alex Myerson and Ken Shiffman are on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight who help us keep our community informed and get the word out. And to Rob Hof, our EiC at SiliconANGLE.

Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email david.vellante@siliconangle.com | DM @dvellante on Twitter | Comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail.

Watch the full video analysis:

Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.

All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.