- CrowdStrike is a rapidly growing cybersecurity company with best-of-breed technology.
- Cloud native enterprise IT security approach with frictionless deployment and a focus on protecting distributed workloads on devices outside the traditional corporate perimeter.
- CrowdStrike’s approach utilizes user data and artificial intelligence to improve threat detection, creating network effects in their business.
- CrowdStrike's valuation is high but this reflects their potential to become the leader in a large and growing market with high margins.
The shift from on-premise to cloud computing over the last 15 years has created opportunities for cloud-native vendors to displace traditional enterprise software companies across a range of verticals such as human resources, customer relationship management and cybersecurity. CrowdStrike (NASDAQ:CRWD) is one of the leading providers of cybersecurity services designed for deployment in the cloud with a focus on protecting workloads distributed across a range of endpoints like mobile and IoT devices which lie outside the traditional corporate perimeter.
Their approach utilizes user data and artificial intelligence to detect threats and prevent breaches using an automated approach which could potentially improve with scale as more users are added. CrowdStrike’s best-in-class services along with the potential for improving service quality with scale could result in a sustainable competitive advantage which would more than justify CrowdStrike’s current share price.
The trend towards cloud computing and workforce mobility along with growth in connected devices in recent decades has resulted in a rapid expansion of workloads across endpoints. Devices, applications and data are becoming increasingly distributed and diverse which is making protecting workloads across various endpoints more challenging and this will be exacerbated in coming years with the rise of IoT enabled by 5G networks.
Table 1: Development of Cybersecurity Market
(Source: Created by author based on data from Check Point Software)
The threat posed by cybercrime is increasing over time; for example, security breaches have increased by 67% over the last 5 years. In addition, adversaries are well-organized, have access to significant technological and human resources, and are becoming more highly trained. Adversaries today range from militaries and intelligence services of well-funded nations to sophisticated criminal organizations who are motivated by financial gains. Breaches may involve theft or holding data hostage in addition to causing disruptions to businesses, which can have a significant financial impact.
Figure 1: New Malicious Programs and Records Stolen in Cyber Attacks
(Source: Palo Alto Networks)
The threat lifecycle begins with an initial exploit to enter a system using malware or a fileless method to penetrate endpoints and establish a foothold inside the corporate perimeter. Adversaries then collect credentials and escalate privileges enabling them to download a more destructive malware program or connect with an external control source which enables the adversary to encrypt, destroy or silently exfiltrate sensitive data. The method of attacking a business can vary significantly making attacks difficult to stop using traditional approaches but the attackers' behavior generally leaves a distinct fingerprint which can be recognised by artificial intelligence.
Figure 2: Threat Lifecycle
(Source: Created by author)
Existing security products have a number of limitations which limit their effectiveness against sophisticated attacks:
- Signature-based Products - Designed to detect attacks that have been previously identified and catalogued but are not capable of preventing unknown threats.
- Malware-focused Machine Learning Products – A malware-centric approach leaves organizations vulnerable to attacks that do not leverage malware. According to data from CrowdStrike’s Threat Graph 40% of detections are not malware-based but instead leverage legitimate tools built into modern operating systems.
- Application Whitelisting Products - Use a permission policy for endpoints in order to allow or prevent processes from executing which requires a complex list of rules to be maintained by IT organizations. To ease the burden of this workload IT organizations often create special exceptions to the whitelist that attackers can leverage. Whitelisting products are also vulnerable to fileless attacks which can exploit legitimate whitelisted applications.
- Network-centric Security Products - Traditional network security vendors have focused on perimeter-based protection, but this approach is becoming less relevant due to the proliferation of endpoints outside the firewall and the increased use of encrypted traffic.
- Bolt-on Cloud Products – On-premise vendors who have introduced cloud offerings are generally unable to offer the benefits of cloud-native products. Their products continue to be siloed, lack integration and possess limited scalability to identify threats across their customer base in real-time.
Legacy vendors generally deploy multiple agents to the endpoint as they layer on a patchwork of additional point product capabilities which burdens endpoints, thereby degrading the end-user experience without providing effective security. The lifecycle costs of traditional solutions also tend to be higher as integrating and maintaining numerous products, data repositories and infrastructure across a highly distributed enterprise environment is resource-intensive.
The Falcon platform provides broad applicability and functionality across security and IT operations, allowing CrowdStrike’s current services to address the needs of a number of large markets. These markets are expanding as more workloads are run on endpoints like IoT devices, generating and storing increasing amounts of sensitive, mission-critical data. In addition, CrowdStrike plans to continue leveraging their endpoint data sets to rapidly innovate and create new cloud modules for use cases such as IT configuration management and performance monitoring that could significantly expand their market opportunity over time. For example, Palo Alto Networks (PANW), a competing cybersecurity vendor which offers a broader suite of services, estimates their total addressable market will be $72.6 billion by 2022.
Table 2: CrowdStrike Estimated Addressable Markets
CrowdStrike was founded in 2011 on the principle that the future of security would be a scalable cloud-native architecture leveraging AI driven by user data. CrowdStrike offers their Falcon platform to detect threats and stop breaches using modern technologies such as artificial intelligence, cloud computing and graph databases. The Falcon platform is the first multi-tenant, cloud-native, intelligent security solution capable of protecting workloads across on-premise, virtualized, and cloud-based environments running on a variety of endpoints such as laptops, desktops, servers, virtual machines and IoT devices. The Falcon platform utilizes two tightly integrated proprietary technologies (an intelligent lightweight agent and a dynamic graph database) which contribute to CrowdStrike’s superior product and potentially confer a sustainable competitive advantage.
The intelligent agent utilizes artificial intelligence to automatically and accurately detect threats and breaches which is an approach that can be replicated by competitors. CrowdStrike utilizes user data to improve their AI algorithms though, which means the quality of their product should improve with scale. The agent is lightweight, offloading computationally-intensive tasks to the cloud to reduce the burden on endpoints, while retaining local detection and prevention capabilities that are necessary on the endpoint. The agent is also non-intrusive to the end user and protects the endpoint and tracks activity even when offline.
High-fidelity endpoint data is streamed to the cloud where the Threat Graph provides a simple, flexible and scalable way to model highly interconnected data sets. The Threat Graph processes, correlates, and analyzes events in real-time and maintains an index of these events for future use. The Threat Graph continuously searches for malicious activity by applying graph analytics and AI algorithms to the data streamed from the endpoints.
Graph databases are a relatively new form of storing information which unlike traditional relational databases (rows and columns) is able to capture the relationship between data. For example, a relational database may be suitable for storing information about individuals, but a graph database would be preferable for storing information about individuals and the relationships between them.
Figure 3: Graph and Relational Databases
(Source: Created by author)
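The following is an added illustration, not part of the original article and not CrowdStrike's implementation, of why storing endpoint events as a graph helps with the malware-free attacks described earlier: following process relationships flags a chain built only from legitimate tools even though a signature lookup finds nothing. The event names, process names, addresses and the detection rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed telemetry (not real data): (action, source node, target node).
# Process nodes are written "image#pid"; addresses are documentation ranges.
EVENTS = [
    ("proc_spawn", "winword.exe#100", "powershell.exe#200"),
    ("proc_spawn", "powershell.exe#200", "cmd.exe#300"),
    ("cred_read", "cmd.exe#300", "credential-store"),
    ("net_connect", "powershell.exe#200", "203.0.113.10:443"),
    ("proc_spawn", "explorer.exe#50", "powershell.exe#400"),  # admin script
    ("net_connect", "powershell.exe#400", "198.51.100.7:443"),
    ("proc_spawn", "explorer.exe#50", "chrome.exe#500"),
    ("net_connect", "chrome.exe#500", "198.51.100.20:443"),
]

KNOWN_BAD_IMAGES = {"dropper.exe"}            # constructed stand-in for a signature list
DOCUMENT_APPS = {"winword.exe", "excel.exe"}  # assumption: apps that rarely spawn shells
REQUIRED_BEHAVIOURS = {"cred_read", "net_connect"}


def image(node):
    """Return the executable name of an 'image#pid' node."""
    return node.split("#")[0]


def build_graph(events):
    """Adjacency list: node -> [(action, target), ...]."""
    graph = defaultdict(list)
    for action, src, dst in events:
        graph[src].append((action, dst))
    return graph


def signature_hits(events):
    """Signature-style check: flag processes whose image is already catalogued."""
    procs = {n for a, s, d in events
             for n in ((s, d) if a == "proc_spawn" else (s,))}
    return sorted(p for p in procs if image(p) in KNOWN_BAD_IMAGES)


def behaviours_under(graph, root):
    """Follow spawn edges from root; collect the actions of root and all descendants."""
    seen, stack, actions = set(), [root], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for action, dst in graph.get(node, []):
            if action == "proc_spawn":
                stack.append(dst)      # relationship edge: keep walking the tree
            else:
                actions.add(action)    # behaviour observed somewhere in the tree
    return actions


def behavioural_hits(events):
    """Flag document apps whose process tree both reads credentials and calls out."""
    graph = build_graph(events)
    roots = [n for n in list(graph) if image(n) in DOCUMENT_APPS]
    return sorted(r for r in roots
                  if REQUIRED_BEHAVIOURS <= behaviours_under(graph, r))


if __name__ == "__main__":
    print("signature hits:  ", signature_hits(EVENTS))
    print("behavioural hits:", behavioural_hits(EVENTS))
```

No single event row here is suspicious on its own; the detection comes from the relationships between rows, which is the information a graph model keeps directly.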
While data is often believed to confer companies with a sustainable competitive advantage, this is not always necessarily the case. Data generally has diminishing marginal returns, meaning that companies with access to smaller datasets can potentially catch up to competitors over time, unlike if value were to accumulate linearly or exponentially with the volume of data. In addition, the cost of generating unique data which continues to create value generally increases over time as most new data will simply replicate existing data.
Figure 4: Diminishing Returns from Increased Volumes of Data
(Source: Created by author)
In cybersecurity applications, the nature of threats changes over time meaning that past data becomes stale and access to a constant source of new data is imperative. Although the value of data may not scale exponentially, new data is likely to continue to hold significant value making it more likely that access to the largest dataset will confer a strategic advantage. In addition, cybersecurity applications are also likely to have a long tail of critical data and the ability to collect data from this long tail is likely to confer a strategic competitive advantage.
A crowd-sourced business model is advantageous in this environment as a large amount of data can be generated at low cost. It should be noted that CrowdStrike does not have proprietary access to user data and competitors are able to take a similar approach using their own customers' data provided they can access data which may be siloed on-premises. CrowdStrike must therefore continue to scale its customer base and ensure it has best-in-class machine-learning algorithms.
Data directly impacts the quality of the security services CrowdStrike is able to deliver to customers, thereby ensuring the data has significant value. If the Threat Graph discovers something in one customer environment, all customers benefit automatically and in real-time. There is a more direct link between data and service quality than in most businesses that claim some sort of data advantage. For instance, Netflix (NFLX) claims a data advantage which is true to the extent that data can improve the quality of their recommendations and guide content acquisition, but data cannot improve the quality of existing content, the most important factor to users.
The crowdsourced approach to data acquisition, along with the continued value of new data, which has a direct impact on the quality of the service delivered, creates a potentially powerful network effect in the business. This should attract more users over time, resulting in higher gross margins and revenues for CrowdStrike along with lower customer acquisition costs. This also creates the potential for a winner-take-all or winner-take-most market where growth should be pursued at any cost to achieve market leadership.
The Falcon platform integrates 10 cloud modules via a SaaS subscription-based model that spans the following categories:
- Endpoint Security - Next-generation antivirus, endpoint detection and response and device control modules combining machine learning and advanced behavioral techniques to defend against malware and malware-free attacks.
- Security and IT Operations - IT hygiene, scanless vulnerability management, a turnkey response and remediation solution as well as a threat-hunting solution that is powered by a team of elite security experts leveraging the Threat Graph.
- Threat Intelligence - Threat research, malware search engine and malware analysis providing automated assistance to review detected threats, conduct malware research and detonate suspicious files securely.
CrowdStrike has also recently launched Falcon for Mobile which is the first enterprise EDR solution for mobile devices. Falcon for Mobile enables security teams to hunt for advanced threats on mobile devices while providing enhanced visibility into malicious, unwanted or accidental access to sensitive corporate data.
CrowdStrike recently launched the CrowdStrike Store, which is an open cloud-based application PaaS for cybersecurity. The CrowdStrike Store aims to create an ecosystem of trusted partners and applications which will give customers a low-friction method of discovering, trying and purchasing applications. The CrowdStrike Store also benefits partners by giving them access to CrowdStrike’s customer base so they can bring new security applications to market. This is an approach that is also being pursued by cloud infrastructure providers like Amazon (AMZN) and Microsoft (MSFT) who have built marketplaces which allow 3rd party vendors to plug into and extend their infrastructure-as-a-service offerings.
The CrowdStrike Store may be a superior technical solution for customers as 3rd party vendors can implement their solutions using CrowdStrike’s data and lightweight agent. This gives customers access to multiple endpoint protection solutions without burdening their endpoints. If CrowdStrike is able to become a leader in the endpoint protection market, the CrowdStrike Store could potentially be another source of competitive advantage as cybersecurity vendors are drawn to the store for access to a large customer base and customers are attracted to CrowdStrike for access to leading cybersecurity applications. If the CrowdStrike Store were to become truly successful, it could have the potential to make CrowdStrike a platform in the sense that Bill Gates used the term.
A platform is when the economic value of everybody that uses it, exceeds the value of the company that creates it. Then it’s a platform.
(Source: Bill Gates Stratechery)
While it is easy to envisage the strategic advantage of a store for CrowdStrike in the same vein as the app store was an early differentiator for the iPhone, this will be difficult to achieve as CrowdStrike must successfully balance their own interest with those of their customers and 3rd party vendors, while continuing to scale their core platform. It is unlikely that direct competitors will use the store but smaller companies with complementary solutions are likely to find the store an attractive proposition.
Figure 5: CrowdStrike Falcon Platform
CrowdStrike is rapidly gaining traction with customers, including with conservative organizations like banks. Their customer base includes 44 of the Fortune 100 and nine of the top 20 major banks. Although CrowdStrike began as a large enterprise solution, the flexibility and scalability of their platform enables them to protect customers of any size helping to drive rapid growth in their customer base.
Figure 6: CrowdStrike Customers
CrowdStrike employs a low friction land-and-expand sales strategy helping to accelerate the growth of new customers and expand revenue over time. CrowdStrike’s high net retention rate shows that this strategy is successful and indicates customers are impressed by their services. If CrowdStrike can continue to develop new modules for the Falcon platform and upsell existing customers, this will help to support their high revenue growth rate and should lead to improved profit margins.
Figure 7: CrowdStrike Net Retention Rate
Figure 8: Percentage of CrowdStrike Subscribers with 4 or More Modules
CrowdStrike has achieved rapid revenue growth in recent years, as it has scaled its customer base and increased revenue from existing customers. CrowdStrike’s revenue growth is declining but this is not a major concern given their potential to further increase their customer base and introduce new services.
Figure 9: CrowdStrike Revenue
Figure 10: CrowdStrike Revenue Growth
CrowdStrike’s gross profit margins are broadly in line with expectations for an enterprise software company. Gross profit margins have been expanding over time, which possibly indicates increased pricing power or reduced service delivery costs with scale. In addition, revenue is becoming increasingly dominated by higher-margin subscriptions over time.
Figure 11: CrowdStrike Gross Profit Margins
CrowdStrike has exhibited significant operating leverage as a result of higher gross margins and declining operating expenses relative to revenue. As a subscription software business, the burden of sales and marketing expenses is likely to decline significantly as CrowdStrike’s revenue growth declines. CrowdStrike is likely to achieve break-even operating profitability in the next 3-5 years and eventually operating margins of approximately 30% or higher.
Figure 12: CrowdStrike Operating Profit Margins
Figure 13: CrowdStrike Operating Expenses
CrowdStrike operates in a relatively crowded and competitive marketplace but the shift from on-premise to the cloud has allowed them to introduce a market-leading offering. CrowdStrike’s future success is dependent on not only their own ability to continue introducing new market leading services and attracting new customers but the ability of incumbents to pivot to cloud-first offerings. Moving on-premise solutions to the cloud in a patchwork fashion is unlikely to be competitive with truly cloud-native offerings giving CrowdStrike a significant opportunity to disrupt the market. Endpoint security vendors can broadly be grouped into:
- Legacy providers (McAfee, Symantec (NLOK)) who offer traditional anti-virus and signature-based protection
- Alternative providers (Cylance (BB), Carbon Black (VMW)) who offer products based on malware-only or whitelisting techniques
- Network security providers (Palo Alto Networks, FireEye (FEYE)) who are supplementing their core perimeter-based offerings
Figure 14: Gartner Magic Quadrant for Endpoint Protection Platforms
Figure 15: IDC MarketScape U.S. Incident Readiness, Response and Resiliency
CrowdStrike’s competitors are all following a similar strategy and the companies that succeed will need leading technology, effective sales teams which can garner the trust of large clients and the ability to innovate new solutions for the evolving threat landscape. CrowdStrike is rapidly gaining market share although it remains small relative to competitors. Given the large amount of operating leverage inherent in CrowdStrike’s business and the dependence of their product quality on user data, it is imperative that CrowdStrike continues to grow rapidly and take market share from competitors, even if this requires significant investment in R&D and sales and marketing.
Figure 16: Cybersecurity Software Vendor Revenue
(Source: Created by author using data from company reports)
Figure 17: Cybersecurity software vendor revenue growth
(Source: Created by author using data from company reports)
Figure 18: Cybersecurity Software Vendor Operating Profit Margins
(Source: Created by author using data from company reports)
Trend Micro is a traditional leader in cybersecurity and is performing strongly in cloud workload protection. They are, however, in the process of pivoting from an on-premise to a cloud-first business, which creates an opportunity for new entrants. Trend Micro’s current strategy is largely playing catch up to CrowdStrike with a shift to cloud-first and an increased focus on big data, AI and automation.
Figure 19: Trend Micro SaaS Customers
(Source: Created by author using data from Trend Micro)
Check Point Software (CHKP) pioneered the first firewall and has a long track record of leading cybersecurity solutions. Check Point Software is another traditional vendor in the process of adapting to the rise of cloud computing and has made a number of recent acquisitions to strengthen their offerings in security and compliance for the public cloud and machine-learning technology. Check Point offers a range of products and services across areas like network security, threat prevention, cloud security, mobile security and security management.
Palo Alto Networks is a leader in the cybersecurity market which has a broad product portfolio and is growing rapidly. Their strategy has 3 main focuses:
- Enterprise security with the firewall as a platform
- Multi-cloud integrated security solution which protects everything running in the cloud and secures access to the cloud
- Machine learning and automation-driven approach to endpoint protection
The trend towards cloud computing and workforce mobility along with growth in connected devices is causing the corporate perimeter to disappear threatening the business of network security-focused vendors like Palo Alto Networks and FireEye. As a result, they are supplementing their core perimeter-based offerings with endpoint security solutions which makes them a competitive threat to CrowdStrike.
CrowdStrike trades on a high EV/S multiple relative to its peers but this is reflective of the strength of their technology and strategic vision and their high growth rate. While their EV/S ratio will inevitably continue to decline in coming years as their revenue growth slows, I believe CrowdStrike’s large addressable market and potential for high profit margins will lead to a significantly higher share price.
Figure 20: Cybersecurity Vendor EV/S Ratios
(Source: Created by author using data from Yahoo Finance)
Based on a discounted cash flow analysis, I estimate CrowdStrike’s intrinsic value to be approximately 100 USD per share. To justify this price, CrowdStrike must continue to rapidly expand their customer base, upsell existing customers to multiple modules and build an ecosystem around their CrowdStrike Store. Failure to achieve rapid growth will result in continued losses and allow incumbents to improve their cloud offerings reducing CrowdStrike’s competitive advantage.
Analyst’s Disclosure: I am/we are long CRWD. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.
Seeking Alpha's Disclosure: Past performance is no guarantee of future results. No recommendation or advice is being given as to whether any investment is suitable for a particular investor. Any views or opinions expressed above may not reflect those of Seeking Alpha as a whole. Seeking Alpha is not a licensed securities dealer, broker or US investment adviser or investment bank. Our analysts are third party authors that include both professional investors and individual investors who may not be licensed or certified by any institute or regulatory body.