Sundry Photography
I last wrote about CrowdStrike (NASDAQ:CRWD) on November 4, 2021. I recommended a buy on the eve of the Federal Reserve raising interest rates across 2022. The stock declined like virtually every cloud and SaaS stock over the last two years and has only recently recovered from the decline to reach the breakeven point from when I initially recommended it. As I draft this article, the stock is up 0.74% versus the S&P 500, rising 2.31% over the same period.
One reason I decided to revisit CrowdStrike is because I recently authored an article about Palo Alto Networks (PANW) that included a quote from Palo Alto’s CEO Chief Executive Officer (“CEO”) Nikesh Arora where he said at a recent UBS Technology Conference:
So, if you think about it 5 years ago, there were north of 10 players in the endpoint space. Some of them are sort of naturally attriting. Some of them are up for sale, some of them being shut down. So, there’s a lot of movement. I think we’re down to 4 or 5 real contenders in that space. I think we probably end up with 2 or 3 as it starts to consolidate around AI plus soft management plus sort of the endpoint capability. It’s not hard to figure out who those 3 are likely to be.
Source: UBS Technology Conference Seeking Alpha Transcript.
That “AI plus soft management plus endpoint capability market” that the Palo Alto CEO speaks of, CrowdStrike management calls the AI-native Security Platform market, which they believe will be a $100 billion market by the end of 2024 and grow at a Compound Annual Growth Rate of 25.74% to a $225 billion market by 2028. At the end of the third quarter, CrowdStrike had generated $2.84 billion in 12-month trailing (“TTM”) revenue, meaning it had penetrated only 2.8% and 1.13% of its 2024 and 2028 addressable market, respectively.
CrowdStrike Investor Presentation
I believe CrowdStrike will be one of the two or three left standing in the AI-Native Security Platform market over the next several years as the cybersecurity industry consolidates. While I might have been wrong in the short term to recommend the stock several years ago, right before the Federal Reserve started raising interest rates, I still believe the stock will be a long-term winner.
Although CrowdStrike was not the first to develop a cloud cybersecurity solution, its Falcon platform was one of the first effective cloud-native security platforms, especially regarding endpoint security. The company has one powerful secular trend in its favor. The adoption of cloud computing, edge computing, the Internet of Things, and remote work is a colossal tailwind driving companies to adopt next-generation security solutions like the Falcon platform. An additional factor in its favor is that the platform approach to security has become very popular, as organizations have found that they could lower their total cost of ownership by consolidating many security functions onto one platform compared to using various point solutions from multiple vendors.
This article will discuss customers’ rapid adoption of the Falcon platform, its first-mover advantages, whether the company has a moat and the strength of those moats, its fundamentals, risks, and valuation, and why I consider this company a buy.
The Falcon platform
CrowdStrike launched Falcon in 2013 to solve the rising need for a product designed for threats that evaded the technology of older antivirus products and security solutions. These older solutions used signatures of known types of viruses and malware to detect attacks. The problem is that hackers increasingly use zero-day attacks, which are vulnerabilities within the software or the operating system that developers have yet to find or patch. Antivirus products that use signatures to identify malware are impotent in a Zero Day attack since they don’t have the signatures for the previously unknown attack. CrowdStrike management says they invented a new cybersecurity category that it called the “Security Cloud,” which is more capable of dealing with modern-day hacker strategies, which it described in its Annual Report:
We believe our approach has defined a new category called the Security Cloud, which has the power to transform the cybersecurity industry the same way the cloud has transformed the customer relationship management, human resources, and service management industries. Using cloud-scale AI [Artificial Intelligence], our Security Cloud enriches and correlates trillions of cybersecurity events per week with indicators of attack, threat intelligence, and enterprise data (including data from across endpoints, workloads, identities, IT assets and configurations) to create actionable information, identify shifts in adversary tactics and automatically detect and prevent threats in real-time across our customer base. The more data that is fed into our Falcon platform, the more intelligent our Security Cloud becomes, and the more our customers benefit, creating a powerful network effect that increases the overall value we provide.
Source: CrowdStrike 2022 10-K
The Falcon platform is an XDR (Extended Detection and Response) solution. Gartner (IT) defines XDR as a “unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.” An XDR, or in this case, Falcon platform, collects security and operational data from clients’ emails, networks, endpoints, and cloud workloads and stores the data in CrowdStrike’s Security Cloud. The company uses “Graph Technology,” which is the brain that learns from the data stored in the Security Cloud. The Falcon platform has the following three “Graphs” for accomplishing specific tasks:
- Threat Graph acts as the brains behind the Falcon platform’s ability to identify and automatically stop cyber threats across CrowdStrike’s customer base in real-time.
- Intel Graph acts like an Intelligence Officer by collecting data on hackers’ latest tactics, tricks, and tools and can tell users what threats they are most likely to face. The company maps out attacks using the MITRE ATT&CK framework, which acts like a dictionary of cyberattacks.
- Asset Graph maps out and tracks all an organization’s devices, users, accounts, apps, cloud services, and other computing assets, giving security professionals a better overall view to make higher quality decisions about where to prioritize defending an organization’s cyber assets
The following image shows an XDR architecture of ingesting data, using analytics to detect threats, and quickly respond.
CrowdStrike website
The Falcon platform was not born an XDR solution, but CrowdStrike built it into one over time. The following image shows the timeline of CrowdStrike building out its Falcon platform’s capabilities over time:
CrowdStrike Investor Presentation
Today, ten years after CrowdStrike released Falcon, it consists of 23 cloud modules, which a customer could choose to buy in five bundles. The platform has gained significant traction in the market. Chief Analyst at Canalys recently stated, “CrowdStrike is outgrowing the overall cybersecurity market.” The platform has won multiple awards from several research and advisory companies, including Gartner, Forrester Research (FORR), International Data Corporation, and Frost & Sullivan. The platform has also achieved some of the top scores from third-party cybersecurity test companies, including AV-TEST, MITRE, and SE LABS. CrowdStrike also claimed in its third quarter 2023 earnings release that it “Became the first cybersecurity independent software vendor (“ISV”) founded for the cloud to exceed $1 billion of software sales through AWS Marketplace.“
CrowdStrike’s business is growing like a weed. Annual Recurring Revenue (“ARR”) grew 35% year-over-year to a record $3.15 billion. On the third quarter earnings call, CrowdStrike CEO George Kurtz said, “CrowdStrike is the fastest and only pure-play cyber security software vendor in history to achieve this [$3 billion] milestone.” In addition, the company accelerated its net new ARR to 13% while operating at scale. When ARR is growing and net ARR is accelerating, it often indicates increasing adoption of the company’s subscription-based services, potentially leading to increased revenue growth. When investors see net ARR accelerating, they can become more confident in the company’s future revenue growth potential and more willing to buy or hold the stock at higher valuations. The stock has risen around 33% from when it reported earnings on November 28, 2023, to the closing price on January 10, 2024; one reason might be investors’ positive reaction to these ARR numbers.
The company is an early innovator in cloud-based cybersecurity
CrowdStrike didn’t invent the idea of using the cloud for cybersecurity, nor did it create the XDR category. However, it was among the first to recognize cloud-native security’s potential for real-time data analysis and threat intelligence. The company was an early innovator in cloud-based cybersecurity, and its Falcon platform heavily influenced the evolution and adoption of XDR. As a result, it gained a head start on some of its competitors in data collection and the design of Artificial Intelligence (“AI”) algorithms to detect malware, exploits, zero days, code injection attacks, and hard-to-detect breach methods like identity-based attacks.
Using AI for cybersecurity is not novel. According to this article, researchers have dabbled with using Machine Learning, a form of AI, in internet security since the 80s. Some companies that used AI early on were on-prem security solutions with bolted-on cloud products. CrowdStrike stated the issue that these traditional security solutions had in its 10-K:
On-premise products are siloed, lack integration, and have limited ability to collect, process, and analyze vast amounts of data—attributes that are required to be effective in today’s increasingly dynamic threat landscape. Meanwhile, these solutions often require more agents on the endpoint as new capabilities are patchworked together, which can have a dramatic negative impact on user performance.
Source: CrowdStrike 10-K
Other companies like Cylance, which BlackBerry (BB) now owns, claimed to be the first to use AI in the cloud. However, Cylance initially focused on stopping malware, and CrowdStrike focused on preventing breaches, which may be why CrowdStrike first rose to prominence. Organizations were interested in more than containing malware; they wanted to stop breaches. CrowdStrike might be the first company that effectively combined cloud-native use with AI to detect, analyze, and respond to breaches at a speed customers were happy with. CrowdStrike states an additional advantage in its 10-K, “While AI is revolutionizing many technology fields, including cybersecurity solutions, to be truly effective, algorithms that enable AI depend on the quality and volume of data that trains them and the selection of the right differentiating features from that data.” As one of the most advanced and fastest-growing cybersecurity companies in AI dedicated to stopping breaches, it developed an initial data advantage over other players, and it may have been the first to discover some of the differentiating factors that go into detecting data breaches, allowing it to develop the most effective algorithms.
CrowdStrike is an aptly named company. It crowdsources high-fidelity data from its customers. Each new customer who joins the company and contributes to the Security Cloud gives the platform more data to improve the service. The company states it gains a network effect with each new user in its 10-K:
Our crowdsourced data enables every customer to benefit from contributing to the Security Cloud. As more high fidelity data is fed into our Security Cloud, our AI models continue to train and improve, increasing the overall efficacy of the Falcon platform This creates a powerful network effect that is a key differentiator in our efforts to gain more customers. The Threat Graph is able to contextualize and turn this data into action, automatically delivering protection to every customer.
Source: CrowdStrike 10-K
Some investors believe that the company’s data collection head start and the network effect in its ongoing data collection efforts could give CrowdStrike a data advantage that will be difficult for competitors to catch up to quickly. One additional competitive advantage that CrowdStrike potentially has is a switching cost advantage. Theoretically, the more modules a customer buys on the Falcon platform, the more invested that customer becomes in the platform and the more costly it becomes to leave.
CrowdStrike Investor Presentation.
Historically, CrowdStrike delivered a gross retention rate (“GRR)” in the high 90s, meaning the service is extraordinarily sticky and may be evidence that the company’s networking and switching cost advantages are solid. The last time the Chief Financial Officer (“CFO”) Burt Podbere highlighted the GRR number on an earnings call was in the fourth quarter of the fiscal year (“FY”) 2023 when he said the number came in at 98%. In the third quarter FY 2024 earnings call, Podbere merely said that GRR was “strong.”
The company has solid fundamentals
CrowdStrike produced robust revenue growth of 35% to $786 million. During the quarter, 93% of total revenue was subscription revenue. Investors tend to award higher valuations to subscription-based revenue over one-time sales because it is a predictable and recurring revenue stream, making it easier to estimate future free cash flow (“FCF”).
CrowdStrike Investor Presentation
CrowdStrike recorded GAAP (Generally Accepted Accounting Principles) gross margins of around 75%, up from 200 basis points in the previous year’s comparable quarter. Non-GAAP gross margins were 78%, up 300 basis points from the prior year’s comparable quarter. A typical GAAP gross margin for a SaaS (software-as-a-service) business like CrowdStrike is 75%.
CrowdStrike Investor Presentation
Since it is the largest portion of revenue, subscription gross margin is a critical metric to follow. The subscription gross margin was 78% on a GAAP basis and 80% on a non-GAAP basis.
CrowdStrike’s largest operating expense is Sales and Marketing (S&M), which the company continues to bring lower. Third quarter FY 2024 S&M as a percentage of revenue was 36% versus 41% in the previous year’s quarter on a GAAP basis and 31% versus 34% on a non-GAAP basis. Research and Development (R&D) as a percentage of revenue was slightly lower year-over-year. GAAP R&D came in at 25% in the third quarter versus 27% in the previous year’s quarter. Third quarter non-GAAP R&D was 18% versus 19% in last year’s comparable quarter. Lastly, in the third quarter, General and Administrative (G&A) was only 13% as a percentage of revenue on a GAAP basis and 6% on a non-GAAP basis, both numbers down 100 basis points from last year’s quarter. As a result of lower operating expenses, the company achieved higher operating profitability. The third-quarter FY 2024 GAAP and non-GAAP operating margins were 0.40% and 22%, respectively. These numbers were up from third-quarter FY 2023 GAAP and non-GAAP operating margins of -10 and 15%, respectively. So, a possible additional reason the stock has increased since the company released these earnings is that it is rapidly growing more profitable while still having solid top-line growth potential.
CrowdStrike Investor Presentation
CrowdStrike recorded GAAP earnings-per-share of $0.11, its third consecutive quarter of GAAP profitability.
CrowdStrike produced a quarterly FCF of $239.60 million at an FCF margin of 30.48% and a 12-month trailing FCF of $864.02 million at an FCF margin of 30.33%.
CrowdStrike ended its third quarter FY 2023 with $3.16 billion in cash and short-term investments against $752.12 million in long-term debt. As of the end of October 2023, the company had a quick ratio of 1.74, a sign that it could pay its liabilities over the next year, and a debt-to-equity ratio of 0.39, a sign that it is in a great financial position.
The following image shows CrowdStrike’s long-term financial goals on a non-GAAP basis.
CrowdStrike Investor Presentation.
CrowdStrike’s operating expenses were all in the targeted range in the third quarter. The company’s subscription gross margin, operating margin, and FCF margin all have room for improvement to reach the above operational goals.
A few risks
A few years ago, CrowdStrike regularly included the company’s GRR, net retention, and baseline net retention number of 120% in its Investor Presentations and highlighted the exact numbers in earnings calls. Over the last year, though, management has become increasingly vague about those numbers. For instance, in the third quarter FY 2024 earning call, CFO Burt Podbere said, “Our dollar-based net retention rate was slightly below our benchmark in Q3, as the mix of net new ARR from new customers has remained above our expectations and we continue to land bigger deals.” While I don’t think anything nefarious is going on because larger deals and an accelerating net new ARR can negatively impact net retention. However, it can be irritating when management highlights GRR and net retention rates in good times but fails to highlight the exact numbers when the cloud market slows.
Another factor you should consider is the strength of CrowdStrike’s competitive advantages. While CrowdStrike possesses extensive data on cybersecurity threats, it may not give the company as much of a long-term competitive advantage as investors expect. Increased data sharing occurring on platforms like Snowflake (SNOW) could enable CrowdStrike’s competitors to pool data and close the gap in both quality and quantity of data, weakening the advantages CrowdStrike gains through its network effect. Additionally, open-source initiatives like MITRE ATT&CK, Secure Yeti, Cyber Threat Intelligence, and other threat intelligence sources could help competitors catch up by providing valuable data to companies that may not have as sophisticated a data collection operation as CrowdStrike.
Competitors
The cybersecurity market is intensely competitive. CrowdStrike faces numerous competitors capable of developing innovative solutions that could present companies with compelling alternatives, even if switching costs exist. CrowdStrike’s competitors come from the following broad categories:
- Traditional Endpoint Security Vendors: These companies started in on-prem environments focused on preventing malware but have increasingly shifted towards cloud-based solutions focused on preventing breaches. These companies include Trend Micro (OTCPK:TMICF) (OTCPK:TMICF), Broadcom’s (AVGO) Symantec Enterprise Business, VMware’s (VMW) Carbon Black, and McAfee.
- Traditional Network Security Vendors: The companies in this category mainly focused on networking solutions, firewalls, and intrusion detection systems in the past. These companies have increasingly broadened their focus into cloud-based solutions and endpoint detection. A few examples of companies in this category are Cisco Systems (CSCO), Fortinet (FTNT), and Palo Alto Networks ((PANW)).
- Next-Generation Security Vendors: These vendors either come to market or evolve into companies that offer security features beyond the traditional antivirus solutions. Next-generation security features include EDR (Endpoint Detection and Response), XDR, Zero Trust Security, IAM (Identity and Access Management), SIEM (Security Information and Event Management), and Threat Intelligence Platforms. Some companies in this category include Blackberry (Cylance), Cloudflare (NET), SentinelOne (S), TEHTRIS, and Cranium AI.
Suppose you believe what Palo Alto Networks CEO Nikesh Arora says about the company’s capabilities. In that case, his company may have already made serious strides in catching up to CrowdStrike’s data advantages if the following comment he made at the UBS Technology Conference is valid:
We have on a daily basis, we ingest five petabytes of data. We have one exabyte of security data stored in Google Cloud. We are the largest storers, if that’s a word, of security data in the world. Not only that, we’re the largest storage in Google Cloud of any company in the world, after Google. And we only have 35 customers running our XSIAM products so far. We want to have hundreds of them getting there.
Source: UBS Technology Conference Seeking Alpha Transcript.
If Palo Alto can wield data for breach protection and other security functions effectively, CrowdStrike could have a battle on its hands. Palo Alto already beat CrowdStrike to the punch by introducing an XDR product in 2019, while CrowdStrike released its first XDR product in 2021. So, although CrowdStrike’s competitive advantages may be formidable, other companies could close the data gap and introduce advanced features before CrowdStrike. Whichever company innovates and develops the most advanced features that customers like should be the ultimate winner. If the Palo Alto CEO is correct in his past statement that the industry will consolidate down to two or three players, I think CrowdStrike and Palo Alto will be two of those players. Another company to watch out for is Cloudflare. Although Cloudflare has a content delivery network background and its approach to security differs, potential customers with limited funds could choose Cloudflare’s Zero Trust and SASE solution over CrowdStrike’s platform, depending on their needs.
Should you buy it?
Seeking Alpha’s quant rates the stock’s valuation as a D-. The stock has a price-to-sales ratio of 23.70, which is elevated compared to the internet software P/S ratio of 7.63 and system and application software P/S ratio of 10.39. Considering the company only recently achieved GAAP profitability, it is susceptible to corrections if revenue growth slows or it fails to meet analysts’ expectations. Based on traditional valuation metrics, the market may have overvalued CrowdStrike. After the stock’s most recent higher post-earnings run, Seeking Alpha Analysts have collectively pushed the rating back to Hold.
Let’s look at a reverse discounted cash flow model to see what growth rates the current stock price implies.
Reverse DCF
|
The third quarter of FY 2024 reported Free Cash Flow TTM (Trailing 12 months in millions) |
$864 |
| Terminal growth rate | 2% |
| Discount Rate | 10% |
| Years 1 – 10 growth rate | 27.2% |
| Current Stock Price (January 12, 2024, closing price) | $283.35 |
| Terminal FCF value | $9.772 billion |
| Discounted Terminal Value | $47.094 billion |
Over the next ten years, the implied 27.2% FCF growth rate is aggressive. Right now, CrowdStrike has an FCF margin of 30%. CrowdStrike lists an FCF margin of 34% to 38% in its target operating model. Assuming it reaches those FCF margin targets, the current stock price implies FCF growth of 24% over the next ten years at a 38% FCF margin and a 25.2% FCF growth rate over the next ten years at a 35% FCF margin. I believe the company’s target FCF margins and the implied growth rates are doable, considering the company’s leadership position in the cybersecurity industry and the size of the opportunity ahead.
Since the cybersecurity industry has a reputation for upstarts disrupting the established players, risk-averse investors should avoid CrowdStrike. However, I believe this stock is ideal for aggressive growth investors interested in AI, as cybersecurity might become one the best use cases for AI, especially as bad actors increasingly use AI to breach networks. I rate the stock a Buy for aggressive growth investors.
