CrowdStrike: Underappreciated Opportunity

Summary

• CrowdStrike is a rapidly growing cybersecurity company with best of breed technology.
• Cloud native enterprise IT security approach with frictionless deployment and a focus on protecting distributed workloads on devices outside the traditional corporate perimeter.
• CrowdStrike’s approach utilizes user data and artificial intelligence to improve threat detection creating network effects in their business.
• CrowdStrike's valuation is high but this reflects their potential to become the leader in a large and growing market with high margins.

The shift from on-premise to cloud computing over the last 15 years has created opportunities for cloud-native vendors to displace traditional enterprise software companies across a range of verticals such as human resources, customer relationship management and cybersecurity. CrowdStrike (NASDAQ:CRWD) is one of the leading providers of cybersecurity services designed for deployment in the cloud with a focus on protecting workloads distributed across a range of endpoints like mobile and IoT devices which lie outside the traditional corporate perimeter.

Their approach utilizes user data and artificial intelligence to detect threats and prevent breaches using an automated approach which could potentially improve with scale as more users are added. CrowdStrike’s best-in-class services along with the potential for improving service quality with scale could result in a sustainable competitive advantage which would more than justify CrowdStrike’s current share price.

Market

The trend towards cloud computing and workforce mobility along with growth in connected devices in recent decades has resulted in a rapid expansion of workloads across endpoints. Devices, applications and data are becoming increasingly distributed and diverse which is making protecting workloads across various endpoints more challenging and this will be exacerbated in coming years with the rise of IoT enabled by 5G networks.

Table 1: Development of Cybersecurity Market

(Source: Created by author based on data from Check Point Software)

The threat posed by cybercrimes is increasing over time, for example security breaches have increased by 67% over the last 5 years. In addition, adversaries are well-organized with access to significant technological and human resource and are becoming more highly trained. Adversaries today range from militaries and intelligence services of well-funded nations to sophisticated criminal organizations who are motivated by financial gains. Breaches may involve theft or holding data hostage in addition to causing disruptions to businesses, which can have a significant financial impact.

Figure 1: New Malicious Programs and Records Stolen in Cyber Attacks

(Source: Palo Alto Networks)

The threat lifecycle begins with an initial exploit to enter a system using malware or a fileless method to penetrate endpoints and establish a foothold inside the corporate perimeter. Adversaries then collect credentials and escalate privileges enabling them to download a more destructive malware program or connect with an external control source which enables the adversary to encrypt, destroy or silently exfiltrate sensitive data. The method of attacking a business can vary significantly making attacks difficult to stop using traditional approaches but the attackers' behavior generally leaves a distinct fingerprint which can be recognised by artificial intelligence.

Figure 2: Threat Lifecycle

(Source: Created by author)

Existing security products have a number of limitations which limits their effectiveness against sophisticated attacks:

• Signature-based Products - Designed to detect attacks that have been previously identified and catalogued but are not capable of preventing unknown threats.
• Malware-focused Machine Learning Products – A malware-centric approach leaves organizations vulnerable to attacks that do not leverage malware. According to data from CrowdStrike’s Threat Graph 40% of detections are not malware-based but instead leverage legitimate tools built into modern operating systems.
• Application Whitelisting Products - Use a permission policy for endpoints in order to allow or prevent processes from executing which requires a complex list of rules to be maintained by IT organizations. To ease the burden of this workload IT organizations often create special exceptions to the whitelist that attackers can leverage. Whitelisting products are also vulnerable to fileless attacks which can exploit legitimate whitelisted applications.
• Network-centric Security Products - Traditional network security vendors have focused on perimeter-based protection, but this approach is becoming less relevant due to the proliferation of endpoints outside the firewall and the increased use of encrypted traffic.
• Bolt-on Cloud Products – On-premise vendors who have introduced cloud offerings are generally unable to offer the benefits of cloud-native products. Their products continue to be siloed, lack integration and possess limited scalability to identify threats across their customer base in real-time.

Legacy vendors generally deploy multiple agents to the endpoint as they layer on a patchwork of additional point product capabilities which burdens endpoints, thereby degrading the end-user experience without providing effective security. The lifecycle costs of traditional solutions also tend to be higher as integrating and maintaining numerous products, data repositories and infrastructure across a highly distributed enterprise environment is resource-intensive.

The Falcon platform provides broad applicability and functionality across security and IT operations allowing CrowdStrike’s current services to address the needs of a number of large markets. These markets are expanding as more workloads are run on endpoints like IoT devices, generating and storing increasing amounts of sensitive, mission-critical data. In addition, CrowdStrike plans to continue leveraging their endpoint data sets to rapidly innovate and create new cloud modules for use cases such as IT configuration management and performance monitoring that could significantly expand their market opportunity over time. For example Palo Alto Networks (PANW) a competing cybersecurity vendor which offers a broader suite of services estimates their total addressable market will be $72.6 billion by 2022.

Table 2: CrowdStrike Estimated Addressable Markets

(Source: Created by author using data from CrowdStrike)

CrowdStrike

CrowdStrike was founded in 2011 on the principle that the future of security would be a scalable cloud-native architecture leveraging AI-driven by user data. CrowdStrike offers their Falcon platform to detect threats and stops breaches using modern technologies such as artificial intelligence, cloud computing and graph databases. The Falcon platform is the first multi-tenant, cloud-native, intelligent security solution capable of protecting workloads across on-premise, virtualized, and cloud-based environments running on a variety of endpoints such as laptops, desktops, servers, virtual machines and IoT devices. The Falcon platform utilizes two tightly integrated proprietary technologies (an intelligent lightweight agent and a dynamic graph database) which contribute to CrowdStrike’s superior product and potentially confer a sustainable competitive advantage.

The intelligent agent utilizes artificial intelligence to automatically and accurately detect threats and breaches which is an approach that can be replicated by competitors. CrowdStrike utilizes user data to improve their AI algorithms though, which means the quality of their product should improve with scale. The agent is lightweight, offloading computationally-intensive tasks to the cloud to reduce the burden on endpoints, while retaining local detection and prevention capabilities that are necessary on the endpoint. The agent is also non-intrusive to the end user and protects the endpoint and tracks activity even when offline.

High-fidelity endpoint data is streamed to the cloud where the Threat Graph provides a simple, flexible and scalable way to model highly interconnected data sets. The Threat Graph processes, correlates, and analyzes events in real-time and maintains an index of these events for future use. The Threat Graph continuously searches for malicious activity by applying graph analytics and AI algorithms to the data streamed from the endpoints.

Graph databases are a relatively new form of storing information which unlike traditional relational databases (rows and columns) is able to capture the relationship between data. For example, a relational database may be suitable for storing information about individuals, but a graph database would be preferable for storing information about individuals and the relationships between them.

Figure 3: Graph and Relational Databases

(Source: Created by author)

While data is often believed to confer companies with a sustainable competitive advantage, this is not always necessarily the case. Data generally has diminishing marginal returns, meaning that companies with access to smaller datasets can potentially catch up to competitors over time, unlike if value were to accumulate linearly or exponentially with the volume of data. In addition, the cost of generating unique data which continues to create value generally increases over time as most new data will simply replicate existing data.

Figure 4: Diminishing Returns from Increased Volumes of Data

(Source: Created by author)

In cybersecurity applications, the nature of threats changes over time meaning that past data becomes stale and access to a constant source of new data is imperative. Although the value of data may not scale exponentially, new data is likely to continue to hold significant value making it more likely that access to the largest dataset will confer a strategic advantage. In addition, cybersecurity applications are also likely to have a long tail of critical data and the ability to collect data from this long tail is likely to confer a strategic competitive advantage.

A crowd-sourced business model is advantageous in this environment as a large amount of data can be generated at low cost. It should be noted that CrowdStrike does not have proprietary access to user data and competitors are able to take a similar approach using their own customers' data provided they can access data which may be siloed on-premises. CrowdStrike must therefore continue to scale its customer base and ensure it has best-in-class machine-learning algorithms.

Data directly impacts the quality of the security services CrowdStrike is able to deliver to customers thereby ensuring the data has significant value. If the Threat Graph discovers something in one customer environment, all customers benefit automatically and in real-time. There is a more direct link between data and service quality than most businesses that claim some sort of data advantage. For instance, Netflix (NFLX) claims a data advantage which is true to the extent that data can improve the quality of their recommendations and guide content acquisition, but data cannot improve the quality of existing content, the most important factor to users.

The crowdsourced-approach to data acquisition along with the continued value of new data, which has a direct impact on the quality of the service delivered creates a potentially powerful network effect in the business. This should attract more users over time resulting in higher gross margins and revenues for CrowdStrike along with lower customer acquisition costs. This also creates the potential for a winner take all or winner take most market where growth should be pursued at any cost to achieve market leadership.

Services

The Falcon platform integrates 10 cloud modules via a SaaS subscription-based model that spans the following categories:

• Endpoint Security - Next-generation antivirus, endpoint detection and response and device control modules combining machine learning and advanced behavioral techniques to defend against malware and malware-free attacks.

• Security and IT Operations - IT hygiene, scanless vulnerability management, a turnkey response and remediation solution as well as a threat-hunting solution that is powered by a team of elite security experts leveraging the Threat Graph.

• Threat Intelligence - Threat research, malware search engine and malware analysis providing automated assistance to review detected threats, conduct malware research and detonate suspicious files securely.

CrowdStrike has also recently launched Falcon for Mobile which is the first enterprise EDR solution for mobile devices. Falcon for Mobile enables security teams to hunt for advanced threats on mobile devices while providing enhanced visibility into malicious, unwanted or accidental access to sensitive corporate data.

CrowdStrike recently launched the CrowdStrike Store, which is an open cloud-based application PaaS for cybersecurity. The CrowdStrike Store aims to create an ecosystem of trusted partners and applications which will give customers a low-friction method of discovering, trying and purchasing applications. The CrowdStrike Store also benefits partners by giving them access to CrowdStrike’s customer base so they can bring new security applications to market. This is an approach that is also being pursued by cloud infrastructure providers like Amazon (AMZN) and Microsoft (MSFT) who have built marketplaces which allow 3^rd party vendors to plug into and extend their infrastructure-as-a-service offerings.

The CrowdStrike Store may be a superior technical solution for customers as 3^rd party vendors can implement their solutions using CrowdStrike’s data and lightweight agent. This gives customers access to multiple endpoint protection solutions without burdening their endpoints. If CrowdStrike is able to become a leader in the endpoint protection market, the CrowdStrike Store could potentially be another source of competitive advantage as cybersecurity vendors are drawn to the store for access to a large customer base and customers are attracted to CrowdStrike for access to leading cybersecurity applications. If the CrowdStrike Store were to become truly successful, it could have the potential to make CrowdStrike a platform in the sense that Bill Gates used the term.

A platform is when the economic value of everybody that uses it, exceeds the value of the company that creates it. Then it’s a platform.

(Source: Bill Gates Stratechery)

While it is easy to envisage the strategic advantage of a store for CrowdStrike in the same vein as the app store was an early differentiator for the iPhone, this will be difficult to achieve as CrowdStrike must successfully balance their own interest with those of their customers and 3^rd party vendors, while continuing to scale their core platform. It is unlikely that direct competitors will use the store but smaller companies with complementary solutions are likely to find the store an attractive proposition.

Figure 5: CrowdStrike Falcon Platform

(Source: Created by author using data from CrowdStrike)

Customers

CrowdStrike is rapidly gaining traction with customers, including with conservative organizations like banks. Their customer base includes 44 of the Fortune 100 and nine of the top 20 major banks. Although CrowdStrike began as a large enterprise solution, the flexibility and scalability of their platform enables them to protect customers of any size helping to drive rapid growth in their customer base.

Figure 6: CrowdStrike Customers

(Source: Created by author using data from CrowdStrike)

CrowdStrike employs a low friction land-and-expand sales strategy helping to accelerate the growth of new customers and expand revenue over time. CrowdStrike’s high net retention rate shows that this strategy is successful and indicates customers are impressed by their services. If CrowdStrike can continue to develop new modules for the Falcon platform and upsell existing customers, this will help to support their high revenue growth rate and should lead to improved profit margins.

Figure 7: CrowdStrike Net Retention Rate

(Source: Created by author using data from CrowdStrike)

Figure 8: Percentage of CrowdStrike Subscribers with 4 or More Modules

(Source: Created by author using data from CrowdStrike)

Financial Analysis

CrowdStrike has achieved rapid revenue growth in recent years, as it has scaled its customer base and increased revenue from existing customers. CrowdStrike’s revenue growth is declining but this is not a major concern given their potential to further increase their customer base and introduce new services.

Figure 9: CrowdStrike Revenue

(Source: Created by author using data from CrowdStrike)

Figure 10: CrowdStrike Revenue Growth

(Source: Created by author using data from CrowdStrike)

CrowdStrike’s gross profit margins are broadly inline with expectations for an enterprise software company. Gross profit margins have been expanding over time which possibly indicates increased pricing power or reduced service delivery costs with scale. In addition, revenue is becoming increasingly dominated by higher-margin subscriptions over time.

Figure 11: CrowdStrike Gross Profit Margins

(Source: Created by author using data from CrowdStrike)

CrowdStrike has exhibited significant operating leverage as a result of higher gross margins and declining operating expenses relative to revenue. As a subscription software business, the burden of sales and marketing expenses are likely to decline significantly as CrowdStrike’s revenue growth declines. CrowdStrike is likely to achieve break-even operating profitability in the next 3-5 years and eventually operating margins of approximately 30% or higher.

Figure 12: CrowdStrike Operating Profit Margins

(Source: Created by author using data from CrowdStrike)

Figure 13: CrowdStrike Operating Expenses

(Source: Created by author using data from CrowdStrike)

Competitors

CrowdStrike operates in a relatively crowded and competitive marketplace but the shift from on-premise to the cloud has allowed them to introduce a market-leading offering. CrowdStrike’s future success is dependent on not only their own ability to continue introducing new market leading services and attracting new customers but the ability of incumbents to pivot to cloud-first offerings. Moving on-premise solutions to the cloud in a patchwork fashion is unlikely to be competitive with truly cloud-native offerings giving CrowdStrike a significant opportunity to disrupt the market. Endpoint security vendors can broadly be grouped into:

• Legacy providers (McAfee, Symantec (NLOK)) who offer traditional anti-virus and signature-based protection
• Alternative providers (Cylance (BB), Carbon Black (VMW)) who offer products based on malware-only or whitelisting techniques
• Network security providers (Palo Alto Networks, FireEye (FEYE)) who are supplementing their core perimeter-based offerings

Figure 14: Gartner Magic Quadrant for Endpoint Protection Platforms

(Source: Microsoft)

Figure 15: IDC MarketScape U.S. Incident Readiness, Response and Resiliency

(Source: CrowdStrike)

CrowdStrike’s competitors are all following a similar strategy and the companies that succeed will need leading technology, effective sales teams which can garner the trust of large clients and the ability to innovate new solutions for the evolving threat landscape. CrowdStrike is rapidly gaining market share although it remains small relative to competitors. Given the large amount of operating leverage inherent in CrowdStrike’s business and the dependence of their product quality on user data, it is imperative that CrowdStrike continues to grow rapidly and take market share from competitors, even if this requires significant investment in R&D and sales and marketing.

Figure 16: Cybersecurity Software Vendor Revenue

(Source: Created by author using data from company reports)

Figure 17: Cybersecurity software vendor revenue growth

(Source: Created by author using data from company reports)

Figure 18: Cybersecurity Software Vendor Operating Profit Margins

(Source: Created by author using data from company reports)

Trend Micro is a traditional leader in cybersecurity and is performing strongly in cloud workload protection. They are in the process of pivoting from an on-premise to a cloud-first business though which creates an opportunity for new entrants. Trend Micro’s current strategy is largely playing catch up to CrowdStrike with a shift to cloud-first and an increased focus on big data, AI and automation.

Figure 19: Trend Micro SaaS Customers

(Source: Created by author using data from Trend Micro)

Check Point Software (CHKP) pioneered the first firewall and has a long track record of leading cybersecurity solutions. Check Point Software is another traditional vendor in the process of adapting to the rise of cloud computing and has made a number of recent acquisitions to strengthen their offerings in security and compliance for the public cloud and machine-learning technology. Check Point offers a range of products and services across areas like network security, threat prevention, cloud security, mobile security and security management.

Palo Alto Networks is a leader in the cybersecurity market which has a broad product portfolio and is growing rapidly. Their strategy has 3 main focuses:

• Enterprise security with the firewall as a platform
• Multi-cloud integrated security solution which protects everything running in the cloud and secures access to the cloud
• Machine learning and automation-driven approach endpoint protection

The trend towards cloud computing and workforce mobility along with growth in connected devices is causing the corporate perimeter to disappear threatening the business of network security-focused vendors like Palo Alto Networks and FireEye. As a result, they are supplementing their core perimeter-based offerings with endpoint security solutions which makes them a competitive threat to CrowdStrike.

Valuation

CrowdStrike trades on a high EV/S multiple relative to its peers but this is reflective of the strength of their technology and strategic vision and their high growth rate. While their EV/S ratio will inevitably continue to decline in coming years as their revenue growth slows, I believe CrowdStrike’s large addressable market and potential for high profit margins will lead to a significantly higher share price.

Figure 20: Cybersecurity Vendor EV/S Ratios

(Source: Created by author using data from Yahoo Finance)

Based on a discounted cash flow analysis, I estimate CrowdStrike’s intrinsic value to be approximately 100 USD per share. To justify this price, CrowdStrike must continue to rapidly expand their customer base, upsell existing customers to multiple modules and build an ecosystem around their CrowdStrike Store. Failure to achieve rapid growth will result in continued losses and allow incumbents to improve their cloud offerings reducing CrowdStrike’s competitive advantage.

Analyst’s Disclosure: I am/we are long CRWD. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Comments

[Value Digger]

CRWD's insiders and venture capitalists have unloaded MILLIONS of shares since last December, when the lockup period expired, according to the filings.

And they keep selling their shares to the inexperienced and/or ignorant investors who swallow "the growth pill" and blindly buy growth at any price, according to the latest filings below:

2020-03-11

CEO Kurtz Sells 64,722 Of CrowdStrike Holdings Inc >CRWD

Dir Sexton Sells 12,500 Of CrowdStrike Holdings Inc >CRWD

Chmn Watzinger Registers 110,000 Of CrowdStrike Holdings Inc >CRWD

2020-03-04

Dir O´Leary Sells 24,000 Of CrowdStrike Holdings Inc >CRWD

[joseph225]

CRWD way overpriced, over hyped and nowhere near a buy. This company is built on a hype. Blackberry is the one that is going to win. With the acquisition of Cylance and AI integrated now into QNX. Blackberry is going to win this race. Crowd has an 11 billion evaluation on less then 500 million in sales, Balckberry has a 2.5 billion evaluation on 1.3 billion in sales and many more verticals where CRWD only has 1 product. CRWD will see this stock below $20 faster then you think. You can buy Blackberry for 4$ and change and CRWD is over $50 for less then half the size of Blackberry, BUY BLACKBERRY!

[rt94103]

Yeah, right...

www.crowdstrike.com/...

[Old+Timing+Man]

No mention of their role in the "DNC hack," FBI investigation, and recent recanting of their "it was Russian state operatives who hacked the..." There's as much risk with this company as there are with companies associated with Peter Strzok's family or the Awan brothers (IMO).

[snowbrick]

Great another conspiracy theorist. Tell me about your cybersecurity credentials how you use them to disprove the findings.

[Value Digger]

Richard Durant, a few more remarks:

1) As noted in my recent CRWD article, cybersecurity is a crowded space where the fierce competition is getting fiercer every year, which is a major headwind for CRWD.

A little perspective here. As of 2018, there were more than 1,200 cybersecurity companies with up to 200 vendors competing in each layer.

Given that the cybersecurity industry currently is at peak SATURATION, large-cap companies can offer a more intrinsic approach to problems.

Therefore, expect to see smaller vendors such as CRWD repeatedly challenged by large players such as Fortinet (FTNT), BlackBerry's (BB) Cylance, VMW's endpoint security company Carbon Black (CBLK) etc. that already own the server endpoints, mobile endpoints or websites.

2) I strongly suggest that you do NOT downplay the relative valuation analysis and the fact that CRWD currently trades about 25 times its revenue (!).

As shown in your charts, Sophos Group (SPHHF) is a leader in cloud-enabled next-generation cybersecurity.

Sophos Group was acquired a few months ago by Thomas Bravo for about 5 times its revenue, as shown in detail in my CRWD article.

Also, RSA (DELL's cybersecurity unit) was sold a few days ago for approximately 2 times its revenue.

3) CRWD's "brain" left the company a few days ago. Dmitri Alpetrovich was the Chief Technology Office and co-Founder.

He has been with CRWD from DAY ONE and he is the guy who has created CRWD's Falcon endpoint product.

This is a key development that has passed unnoticed so far but it will weigh on CRWD sooner or later.

[Value Digger]

Richard Durant,

1) CRWD is the definition of BUBBLE at the current price levels.

And we advise investors NOT to buy growth at any price because every stock has its price.

Specifically, unprofitable CRWD currently trades about 25 times its revenue, which is BY FAR the HIGHEST EV-to-Revenue multiple in the cybersecurity sector.

CRWD's peers trade below 10 times revenue, as shown in detail in our article below.

Also, the suitors have paid from 2 to 8 times the revenue of the takeover targets based on all the recent cybersecurity deals, as shown in detail in our article below:

seekingalpha.com/...

I personally have been 30 years in the stock markets and I have never found that it has paid off to buy growth stocks indiscriminately, regardless of valuation. Lots of investors have made a lot of money over the last years largely thanks to the cheap money from the Fed's QEs, which has made them think that they are knowledgeable investors. They are just extremely lucky.

2) As shown in my article above, many of CRWD's peers are profitable while CRWD is NOT going to be profitable (on a GAAP basis) in the foreseeable future, based on its OWN guidance.

CRWD expects to achieve non-GAAP operating income breakeven in the fourth quarter of fiscal year 2021.

3) CRWD's existing revenue growth YoY is NOT sustainable. Based on its latest reports, deceleration is already here and material deceleration is on the horizon.

CRWD's 80% YoY revenue growth with quarterly revenue at or below $100 million is easy. But 80% revenue growth with quarterly revenue at $300 or $500 million is impossible given also that the cybersecurity competition is fierce and growing.

Specifically, more than 300 cybersecurity startups are created every year, according to Momentum Cyber, an advisory firm focused on the cybersecurity sector below:

www.reuters.com/...

[benyboy]

This 12 Billion valuation scares me. under 500 million a year in revenue? I don't think this is gonna hold up in this market. similar to fire eye- bag holders are gonna dump if the stock drops

[Wildstar]

All of those Crowdstrike Bulls are getting taken to the Woodshed as the Insiders get out while they can still salvage some profit as the market tanks.

[DDBB77]

Yes and even FEYE’s revenue is close to $1b now and only trades at less then 3x revenue, so CRWD 25x is crazy and beyond over valued.

[Emdubya]

Back in the days of the dot-com bubble, every hopeful start-up that was jumping on the band-wagon described itself as "best of breed". Since then, anyone who was around during that time has avoided using that term (along with "robust" and a few others). I've seen it used a couple of times recently; I usually just laugh and move on, but perhaps it's history starting to repeat itself.

[mag1205]

CrowdStrike is getting all the attention but very meager earnings. potential for growth has slowed and will come down much faster. Too many Cyber Security companies competing for current market. CrowdStrike stock is trading almost 30 times its yearly earnings. Can not sustain such hyper valuation.
Cheers.

[Downtown10]

mag1205, I think you mean 30 times sales. Which I agree is far too high in such a competitive environment.

[mag1205]

@Downtown10

yes, you are correct.

[otto1234567890]

Great article, on my radar now for after the Corona hangover

[Ameya Patil]

Fantastic article !

[jims11]

Hi Richard,

Thank you for the article! It contains a lot of useful information and analysis on the market which is great.

My concerns with CRWD is the recent sudden departure of their CTO which was the master mind behind their Falcon technology. The other note is that end point security is not relatively competitive, but extremely competitive market, and was never more than a commodity in the security field. It's good that they are leaders in AI detection, but other security plays are working on similar tech.

The other limitation with CRWD is that they are unable to protect the campus, mission critical devices, or actual data centers. PANW has their own Cortex XDR, in addition to pure perimeter protection for the campus and SASE based solution (competing with ZS also).

I think given the above, I am not sure how much market can CRWD can capture, and if their stock price can reach $100. I personally find NET, FTNT (with some concerns), and OKTA as better security plays, given the extremely competitive market.