UPDATED 11:14 EDT / SEPTEMBER 17 2022

How CrowdStrike plans to become a generational platform

In just over 10 years, CrowdStrike Holdings Inc. has become a leading independent security firm. It has more than $2 billion in annual recurring revenue, nearly 60% annual recurring revenue growth, a roughly $40 billion market capitalization, very high retention and a path to $5 billion in revenue by mid-decade. The company has joined Palo Alto Networks Inc. as a gold-standard pure-play cybersecurity firm.

It has achieved this lofty status with an architecture that enables it to go beyond point products. Combine this with outstanding go-to-market efforts, solid financial execution, some sharp acquisitions and an ever-increasing total available market, and you have the formula for a great company.

In this Breaking Analysis and ahead of Fal.Con, CrowdStrike’s user conference in Las Vegas Sept. 19-21, we take a deeper look into the company, its performance, its platform and customer survey data from our partner Enterprise Technology Research.

Is the security sector really insulated from macro headwinds?

The general consensus is that spending on cyber is nondiscretionary and has held up better than other technology sectors. Although this is generally true, as the data above shows, it’s nuanced. Let’s explore that a bit.

The chart above shows year-to-date data comparing the stock performance of CrowdStrike to Palo Alto Networks, the BUG ETF (a cyber index), the Nasdaq and SentinelOne Inc., a relatively new entrant into the public markets. As you can see, the security sector, as evidenced by the orange line, is holding up better than the overall Nasdaq, which is off 28% year-to-date. Palo Alto has held up the best – being off only about 4% year-to-date, whereas CrowdStrike is off in the double digits this year – but up from its lows this past May.

CrowdStrike had a nice beat and raise on Aug. 30, but the stock didn’t respond well initially. We asked Breaking Analysis contributor Chip Symington, former managing director for institutional trading for Piper Jaffray, for his technical take on CrowdStrike and the sector generally.

He stated the following:

CrowdStrike has bounced around for the last three months in its current range. Cyber stocks have held up better than the rest of the market and now might be a good time to take a shot. But I’m cautious. FedEx’s warning today of a global recession is cause for concern. Maybe some of these quality cyber stocks like Palo Alto, CrowdStrike and Zscaler will outperform in a recession, but that play is not for the faint of heart. In fact, it’s feeling like a longer, more drawn-out tech downturn than many had hoped… perhaps as much as 12 to 18 months of trading in a range with sellers still in control.

In terms of cyber spending being nondiscretionary, we’d argue it’s less discretionary than other information technology sectors, but chief information security officers still don’t have an open wallet. We’ve seen spending momentum decelerate throughout this year in all sectors, including cyber. On its most recent earnings call, CrowdStrike itself cited increased scrutiny on spending that has elongated certain sales cycles for the company.

The bottom line is we expect security to remain a No. 1 priority for chief information officers and a firm such as CrowdStrike, which is a platform play, could benefit in the mid-term as we believe it is in a strong position to consolidate point products.

Early going in the CrowdStrike journey

Independent of the stock price, George Kurtz, chief executive of CrowdStrike, is running his company through a marathon, not a sprint. The company’s key performance indicators are setting it up well for the future. Despite macro headwinds, CrowdStrike is executing extremely well.

The company is free cash flow positive and is in the black, with an operating profit on a non-GAAP (generally accepted accounting principles) basis. Yet it is growing ARR at nearly 60%. Snowflake Inc. CEO Frank Slootman uses the term “inherent profitability,” meaning that a company could drive more profits if it wanted to dial down expenses – especially on sales and marketing costs. But that would be a mistake for a company such as CrowdStrike. Although it has an impressive nearly 20,000 customers, there are hundreds of thousands it could penetrate. So like Snowflake and Slootman, Kurtz is not taking his foot off the gas.

CrowdStrike’s platform is its secret weapon

The fundamental strength and secret sauce of CrowdStrike is its architecture and platform shown above. Let’s take a deeper look.

CrowdStrike believes that the unstoppable breach is a myth. CISOs don’t agree, of course, but that is CrowdStrike’s point of view. The company is on a mission to consolidate the patchwork of point solutions in the security market. It’s doing so by introducing modules that go beyond narrow point products. CrowdStrike has more than 20 modules that span a range of capabilities, as shown in the slide above.

There are a few critical aspects of the CrowdStrike architecture that bear mentioning.

The agent/sensor

CrowdStrike’s lightweight agent is fundamental. We’re used to thinking agentless is good and agents are bad because they have to be managed. But in this case, a powerful but small, easy-to-install and unobtrusive agent is advantageous because it supports multiple CrowdStrike modules and can support massive scale.

Everything in the cloud

The second key point is that CrowdStrike, from the beginning, has been dogmatic about getting all telemetry data into the cloud so it can be analyzed. The more agents CrowdStrike has installed around the world, the more data it has access to and the better its intelligence. Few companies have access to more data – except perhaps Microsoft Inc. given its scale and size.

Threat graph

CrowdStrike has developed a purpose-built threat graph and analytics platform that allows it to ingest key telemetry data quickly, in near real time, and detect not only known malware – that’s pretty straightforward – but also, using machine intelligence, unknown malware and other potentially malicious behavior through indicators of attack, or IoAs.

Scaling new products and modules beyond endpoint

This past quarter, CrowdStrike reported that ARR from newer products was $219 million, or about 10% of total ARR. This emerging segment is becoming a meaningful component of CrowdStrike’s business and is a key to consolidating the installed base of point products in the market. These new modules include Falcon Discover, which keeps track of systems, application usage and user accounts; Spotlight, which highlights vulnerabilities; and Identity Protection, designed to monitor and protect against identity attacks. CrowdStrike’s identity module came from the $96 million acquisition of Preempt Security Inc. in 2020.

The $219 million figure also includes Humio Inc., a company CrowdStrike bought for $400 million in early 2021. It’s the company’s Splunk Inc. killer and will serve as CrowdStrike’s observability platform. Observability is one of the hottest and increasingly crowded markets. Dozens of companies, including Splunk, Datadog Inc. and Elastic NV are going after the opportunity. By bundling the capability into Falcon, CrowdStrike’s hope is to provide better scale with its cloud architecture, simplify the deployment and management of the system and feed more data into its platform.

CrowdStrike’s three-pronged approach

CrowdStrike combines three “superpowers” in its platform:

  • AV: Next-generation antivirus – meaning it’s a software-as-a-service-based solution and can do fast lookups to telemetry data in the cloud, leveraging CrowdStrike’s proprietary threat graph.
  • EDR: Best-in-class endpoint detection and response. CrowdStrike sends all endpoint activity to the cloud and can process the data in near real time. CrowdStrike EDR allows you to search data history, and it partners with threat intelligence platforms that push data into the CrowdStrike cloud, which increases its intelligence. CrowdStrike EDR has containment capabilities to fence off compromised systems.
  • Managed hunting: CrowdStrike has a world-class managed hunting team. Like many firms, CrowdStrike has a crack group of experts watching for threats. CrowdStrike’s advantage is the amount of data and the near-real-time capabilities of its architecture.

By choosing to be 100% cloud-based, CrowdStrike leverages all the advantages of the cloud and doesn’t fork its data set. The more agents or sensors CrowdStrike customers install, the better information CrowdStrike has to support its customers and the virtuous cycle continues.

Customer survey data shows CrowdStrike leads its peers in spending momentum

Let’s now dig into some of the survey data and take a look at what ETR respondents are saying about the spending momentum for CrowdStrike in the context of its peers.

Above we show a very recent data set that ETR’s Erik Bradley shared with us. It’s an XY graph with Net Score or Spending momentum on the vertical axis and the Overlap or pervasiveness in the survey on the X axis. The dotted line at 40% indicates an elevated level of spending velocity. Note the CrowdStrike progression since the pandemic started (the squiggly lines).

The two notable points are: 1) CrowdStrike has remained consistently above the 40% mark; and 2) It has made notable progress to the right, consistently increasing its share over a two-year period.

The other callout here is Microsoft in the upper right. As usual, Microsoft is a dominant player and, as referenced earlier, has massive scale and quality telemetry data. Unlike Amazon Web Services Inc., Microsoft is a direct competitor of CrowdStrike’s. Microsoft’s strength is Azure. CrowdStrike’s opportunity is to deliver a more inclusive offering beyond Microsoft’s installed base.

The security sector remains strong, with lots of players hovering around the 40% line. Cybersecurity has a large and expanding total addressable market with many point tools that CrowdStrike is well-positioned to consolidate.

Spending spotlight on endpoint players

Below is a more narrow view of that same XY graph.

It takes out Microsoft to normalize the data set a bit, and compares a number of firms that specialize in endpoint along with CrowdStrike – such as Tanium Inc., which also has a lightweight agent and appears to be doing well; SentinelOne; Carbon Black, which VMware Inc. bought for about $2 billion; and Cylance Inc. – the Blackberry pivot. We’ve also included Palo Alto and Cisco Systems Inc. because they are major players with a big presence in security, they compete with CrowdStrike, and are both going after extended detection and response or XDR, which we’ll review in a moment.

The net takeaway is you can see how CrowdStrike looms large with a higher Net Score and a steady posture on the X axis. The table insert informs the position of the plots. CrowdStrike is well ahead on Net Score and its N in the data set is meaningful and continues to grow.

XDR: buzzword or the next big thing?

Let’s now take a quick look at XDR. It’s considered a bit of a buzzword, but CrowdStrike is taking the mantle and trying to own the category in our view – a natural evolution of endpoint detection and response, or EDR.

In a recent ETR roundtable hosted by our colleague Erik Bradley, the sentiment among several CISOs is that existing SIEM – security information and event management platforms – are inadequate. And some see XDR as a replacement for – or at least a strong complement to – SIEM.

If the regulatory requirement isn’t there, I absolutely will get rid of my SIEM.

CISOs want a single view of their data. They want help prioritizing potentially high impact breaches. They want to automate the low-level stuff – because sometimes too much information becomes information overload – and they want to consolidate platforms. They have too many dashboards, too many stovepipes, difficulty scaling and inconsistent telemetry data.

CrowdStrike, we feel, is in a good position to continue to gain share and disrupt this market as a natural progression of EDR.

Fal.Con preview

Here are some of the things theCUBE will be looking for next week at Fal.Con, CrowdStrike’s user conference.

We’ll be there for two days at the Aria in Vegas. In addition to CrowdStrike’s CEO, we’ll hear from government cyber experts – always at security conferences – and the CEO of Mandiant Inc. Google just closed its $5 billion acquisition of Mandiant, a threat intelligence expert and consultant.

We expect an intense focus on the Falcon platform at the event, and you’ll see CrowdStrike educating the audience on its modules and how to take advantage of its capabilities beyond endpoints, with an emphasis on consolidating tools.

We’ll also be watching for the ecosystem conversations. We saw at re:Inforce that CrowdStrike and Okta Inc. were presenting together to show how these companies’ products complement each other in the market. We expect more clarity on how CrowdStrike’s partnerships are evolving. Its intent is to consolidate point tools, which means its total available market expansion strategy will naturally encroach on others in the industry. So the company must carefully choose its partners, and its partners will be somewhat cautious.

A generational company must have a strong ecosystem. CrowdStrike’s is evolving and our belief is it has some work to do to create a stronger partner flywheel – and we’re eager to dig into that next week.

So if you’re at the event, please do stop by and say hello to theCUBE.

Keep in touch

Thanks to Chip Symington and Erik Bradley for their contributions to this episode of Breaking Analysis. Alex Myerson and Ken Shiffman are on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight, who help us keep our community informed and get the word out, and to Rob Hof, our editor in chief at SiliconANGLE.

Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email david.vellante@siliconangle.com, DM @dvellante on Twitter and comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.

All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies have any editorial control over or advance viewing of what’s published in Breaking Analysis.
