The CrowdStrike (CRWD) Falcon platform uses big data and artificial intelligence to address the cybersecurity needs of a digitized world, focusing specifically on the protection of endpoint devices, which are multiplying rapidly. For this reason, CrowdStrike is an excellent long-term investment.
My investment thesis is summarized in these three points:
1. CrowdStrike’s product addresses an enormous and growing market opportunity. CrowdStrike’s TAM is estimated to reach $32 billion by 2022 – 49x trailing twelve-month revenue.
2. CrowdStrike’s Falcon platform benefits from a strong network effect and high switching costs. Dollar-based net retention has exceeded 100% since 2016.
3. CrowdStrike’s financial performance has been stellar in recent years. Since 2017, revenue has grown at 98% annually, while customers have grown at 102% per year.
CrowdStrike Business Overview
The CrowdStrike Falcon Platform is a cybersecurity solution focused on the protection of endpoints. Endpoints include things like laptops, desktops, mobile devices, IoT devices, servers, virtual machines, and data centers.
CrowdStrike Falcon is a combination of two proprietary technologies: (1) Intelligent Lightweight Sensor and (2) Threat Graph.
- Intelligent Lightweight Sensor: This is downloaded onto the endpoint, providing detection and prevention capabilities. The agent is ‘lightweight’ because it offloads heavy computing to the cloud-based Threat Graph, while retaining the ability to process data, employ machine learning, and protect the endpoint even when the device is offline.
- Threat Graph: This is a cloud-based graph database that employs artificial intelligence and behavioral algorithms to analyze data streamed by the Lightweight Sensor. Users have access to real-time visibility and insights, within the scope of their subscription, through the CrowdStrike platform user interface.
This approach – using a device-based Lightweight Sensor and a cloud-based Threat Graph – means CrowdStrike can crowdsource enormous amounts of data, then run artificial intelligence algorithms and behavioral analytics against that data to gather insights, all without burdening endpoints. This is a benefit over legacy solutions, where the data is often stored and processed on the endpoint, consuming a significant amount of CPU overhead in the process. By comparison, CrowdStrike’s Lightweight Sensor takes up roughly 20MB of space and uses less than 1% of CPU overhead.
Additionally, compared to on-premise solutions, CrowdStrike also offers cost advantages. According to internal estimates, CrowdStrike’s cloud-based Threat Graph lowers the total cost of ownership of endpoint protection by 7.5x.
In summary, CrowdStrike’s Falcon platform is more effective and more efficient than legacy solutions, due to its ability to leverage cloud-scale data and AI to identify threats. This is complemented by the fact that CrowdStrike uses IOCs and machine learning to detect both known and unknown malware, and IOA to identify more sophisticated threats. By comparison, legacy solutions tend to focus on IOC (signatures), which means these solutions are only proficient in identifying known malware, and only if the software has been recently updated. Additionally, legacy solutions often burden the endpoint by processing and storing data on the device.
CrowdStrike Falcon Platform:
CrowdStrike’s Falcon Platform is divided into three different segments: endpoint security, security & IT operations, and threat intelligence. And each segment is further divided into different software applications (modules), all of which leverage the Lightweight Sensor and the Threat Graph to protect endpoints. The graphic below depicts the entire Falcon Platform, from the device-based Lightweight Sensor, to the cloud-based Threat Graph, to the various software modules.
Source: CrowdStrike Investor Presentation (September 2020).
CrowdStrike’s SaaS business model allows customers to subscribe to various software modules. Clients who wish to self-manage their endpoint security have three options: Falcon Pro, Falcon Enterprise, or Falcon Premium.
A fourth option exists for clients who want a fully-managed, turnkey solution to endpoint security: Falcon Complete. With this option, CrowdStrike’s team of experts assumes full responsibility for managing a client’s endpoint protection. Falcon Complete comes with a $1 million breach prevention warranty.
While CrowdStrike currently offers a total of 11 different software modules, I will focus on 5 of these, as they represent the core of CrowdStrike’s endpoint protection strategy: Falcon Prevent, Falcon Insight, Falcon Discover, Falcon OverWatch, and FalconX.
1. Falcon Prevent: Next-generation antivirus (NGAV) software, designed to replace legacy antivirus solutions. This product is the preventative portion of endpoint security. Falcon Prevent uses machine learning to identify both known and unknown malware, even when the device is offline. Falcon Prevent also uses behavior-based indicators of attack (IOA), rather than solely focusing on indicators of compromise (IOC) like signatures, to identify more sophisticated threats, such as ransomware and malware-free attacks. For these reasons, Falcon Prevent distinguishes itself as a more effective, less intrusive option compared to legacy solutions.
2. Falcon Insight: Endpoint detection and response (EDR) software, designed to augment Falcon Prevent. Inevitably, some threats will slip through the antivirus defense. In these cases, EDR software is critical. Falcon Insight continuously monitors all endpoints, analyzes data in real-time, and automatically identifies threats. This data is streamed to the CrowdStrike platform, where threats are intelligently prioritized, enabling security teams to rapidly investigate and respond to alerts.
3. Falcon Discover: IT Hygiene software, designed for real-time monitoring of application and account usage. This enables IT and security teams to see who is on their network at all times, what devices they are using, and what applications they are running. Falcon Discover alerts teams to the use of unauthorized systems or applications.
4. Falcon OverWatch: This is a managed threat hunting service, delivered by a team of cybersecurity experts that continuously hunt, investigate, and advise clients on sophisticated threats. This service is designed to augment a customer’s internal cybersecurity team, reducing internal personnel costs. By involving highly trained experts, Falcon OverWatch helps detected the stealthiest, most advanced attacks.
5. FalconX: Threat intelligence software, designed to automate the investigation of incidents and enable faster response times to breaches, especially for teams that lack the time or expertise to completely manage their own cybersecurity efforts. Whereas NGAV and EDR solutions indicate what is happening on an endpoint, FalconX provides deeper insight-the “who, why, and how” behind the attack. This allows customers to approach security proactively, rather than reactively. For example, if an IOC is detected, FalconX provides customized IOC from the same malware family to protect against related attacks. Additionally, this service includes real-time threat alerts and expert analysis from CrowdStrike’s intelligence team.
In CrowdStrike’s S-1, management points to three forces driving the need for endpoint security: (1) cloud computing, (2) remote workforces, and (3) the growth in connected devices. These three factors have resulted in the expansion of workloads across an array of endpoints.
According to Cisco’s (CSCO) Annual Internet Report, the number of connected devices will reach 29.3 billion in 2023, up from 18.4 billion in 2018. This means the number of connected devices is growing at ~10% per year. This proliferation means more sensitive data is stored across more endpoints. It also means the number of attack surfaces is increasing, and these surfaces need to be protected.
In September 2020, CrowdStrike updated its total addressable market estimate to $32 billion by 2022, representing a 9% CAGR. According to CrowdStrike’s S-1, the majority of their market opportunity is derived from managed security solutions, such as Falcon OverWatch and Falcon Complete.
CrowdStrike is executing on this market opportunity. In 2019, the company was named a leader in the Gartner Magic Quadrant for Endpoint Protection Platforms for the third consecutive year.
Additionally, the very nature of CrowdStrike’s platform creates a strong network effect. As more endpoint data is gathered, there is more information with which to train the AI-powered Threat Graph, which makes the Threat Graph more intelligent. This means that each new customer benefits from all existing customers and vice versa because each customer represents another source of data.
But CrowdStrike has another competitive advantage: high switching costs. Once a customer is using CrowdStrike’s platform, switching to another provider would not only be inconvenient, but costly in terms of time and money. More importantly, the switching costs associated with CrowdStrike’s platform are increasing. CEO George Kurtz spoke to this in the Q2’20 earnings call, stating that dollar-based net retention remained above 120%-this indicates that existing customers are spending more each year. George Kurtz further elaborated on this point, saying:
This quarter, the percentage of all subscription customers with four more modules increased to 57% and those with five or more modules increased to 39%.
This is further evidence of increasing switching costs. A customer using only one module may find it relatively easy to switch providers. But for customers using multiple modules, switching to a different provider would be a more difficult process. In other words, switching costs increase as customers purchase more modules.
Before proceeding, I would like to note that CrowdStrike refers to the current year as fiscal 2021. In this article, I reference the actual year-for instance, Q1’20 refers to the first quarter of 2020, which CrowdStrike refers to as Q1’21.
CrowdStrike has grown rapidly in recent years. Since 2017, its customer base has increased at 102% per year. This is shown in the graph below:
Source: Created by the author using data from CrowdStrike Investor Relations.
Despite the global pandemic, CrowdStrike’s strong customer growth has continued into 2020. In Q1 and Q2, customer growth measured 105% and 91% YoY, respectively.
This rapid growth in customers has translated into rapid growth in revenue. Since 2017, CrowdStrike’s revenue has grown at 98% per year. This is shown in the graph below:
Source: Created by the author using data from CrowdStrike Investor Relations.
CrowdStrike’s strong growth has continued into 2020. In Q1 and Q2, they reported revenue growth of 85% and 84% YoY, respectively.
Additionally, gross margins have been expanding, increasing from 54% (2017) to 71% (2019). This trend has also continued into 2020, as gross margins reached 72.7% in the most recent quarter. This margin expansion is a direct result of CrowdStrike’s highly efficient SaaS business model.
Despite tremendous sales growth and high gross margins, CrowdStrike is not currently profitable. At this point, management is focused on growing the business and expanding the customer base, which is logical given the market opportunity. But with gross margins over 70% and revenue growing at over 80% per year, the company has the potential to be exceptionally profitable in the future.
CrowdStrike’s balance sheet is in excellent shape, with over $1 billion in cash and equivalents compared to just $44.8 million in long-term lease liabilities, giving a debt-to-equity ratio of 0.06x.
Likewise, the cash flow statement looks stronger each quarter. CrowdStrike has now posted positive operating cash flow for four consecutive quarters. And in Q2’20, free cash flow reached $177 million, marking significant growth over the $12.5 million reported in Q4’19.
In summary, excluding the lack of profits, CrowdStrike’s financial statements look superb.
Risk & Valuation:
For an unprofitable company, CrowdStrike trades at an exceptionally high valuation.
As indicated above, CrowdStrike currently trades at over 43x sales, much higher than the S&P 500 average of 2.5x. While this is not abnormal in today’s market, investors should not become complacent regarding these metrics. When investing in a company like CrowdStrike, it is important to remember that the slightest bit of bad news could cut the stock by 20% or more.
Having said that, I don’t think the current valuation should dissuade potential investors. If CrowdStrike’s revenue growth remains above 80% over the next four quarters, the PS ratio will fall into the mid-20s (if the price doesn’t change). Still high, but not as outrageous. But that sentiment is predicated on the notion that CrowdStrike will continue to grow quickly.
If revenue or customer growth should suddenly decelerate, especially in response to a highly publicized breach, that would be much more problematic for investors.
In today’s digitized world, the number of devices is growing quickly, at ~10% per year. Not only that, but more companies are utilizing cloud computing solutions and more employees are working remotely. This means more sensitive data is being accessed by an increasing number of vulnerable endpoints, each of which represents a potential attack surface. And that’s where CrowdStrike’s Falcon platform works.
CrowdStrike Falcon leverages big data and artificial intelligence to protect these endpoints, creating a strong network effect and high switching costs in the process. As a result, CrowdStrike’s customer base has grown at 102% per year since 2017, and revenue has grown at 98% per year over the same time period.
But the market opportunity is massive, and CrowdStrike has only realized a small portion of its potential value. For this reason, CrowdStrike is an excellent long-term investment.
Disclosure: I am/we are long CRWD. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.