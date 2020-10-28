CrowdStrike (CRWD) recently held a product session for its cloud workload offerings. CrowdStrike defines a workload as:

a work function (application or service) processed by a remote server or instance at any given time; it generally has users or applications interacting with it through the Internet. Cloud workloads can range from a web server to a database to a container.

During the session, CrowdStrike estimated the market opportunity. It also broke down its unique approach to cloud security. A new Falcon module was introduced. CrowdStrike also shared some of its DevSecOps strategies. While CrowdStrike did not provide financial updates, the market opportunity argument provides some insights into CrowdStrike's future growth forecasts. The monetization and pricing dynamics of cloud workloads also give insights into the margin expansion opportunity. This article breaks down the new insights from the session.

Market Opportunity

So just to put it in perspective, over 1 billion PCs shipped worldwide in the last 4 years. CrowdStrike protects a fraction of those. We've been very successful in this area, but it's still a fraction. And to juxtapose that, we see days where we protect over 1 billion containers daily, which is incredible. - Source - CrowdStrike

Year to date, CrowdStrike has been one of the best-performing stocks in the tech sector. Its innovative approach to endpoint security plays into multiple tailwinds propelling cloud stocks. These tailwinds were further assisted by the effect of the coronavirus on normal business activities. The need to protect remote endpoints and cloud workloads was accelerated as enterprises sought best-of-breed platforms to accelerate their digital transformation projects. CrowdStrike has observed a 14x growth in protections for containers since March 2020. Docker defines a container as:

a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

CrowdStrike also shared a stat of the percent of endpoints residing in public cloud platforms it currently protects. This figure was pegged at over 20%. The speed of app development, fostered by the adoption of DevOps models, means security teams play catch up when incorporating cybersecurity best practices into apps released in production environments. CrowdStrike defines DevOps as:

a combination of tools, practices that together increase an organization's ability to deliver applications and services at high velocity.

The need for a balancing act led to the creation of DevSecOps practices for security and DevOps teams to collaborate to ensure adequate visibility, protection, and adherence to compliance standards.

As we adjust to a new normal with more distributed teams, team collaboration and project execution across enterprises will leverage more cloud-based apps. This inevitable reality has driven the adoption of cloud apps and networks.

Most people think of a cloud network as AWS, GCP, or Microsoft Azure. In reality, these are public cloud networks. Enterprises also have private cloud networks mostly in regulated sectors. These cloud networks consist of multiple workstations and servers with varying compute resources, network configuration, and storage capacity. Breakthroughs in virtualization innovation have made it possible to aggregate compute and storage resources into virtual networks to be consumed at scale. The aggregation of these resources forms data centers that also need to be protected. This makes the role of network security players as valid as ever. Each of these workstations and servers is also classed as endpoints. This means they can be protected with endpoint security solutions.

You can't control Amazon Web Services (AWS), Azure, or Google Cloud Platform (GCP) using old school, on-premises CMDB tools. - Forrester

Previously, setting up a network required physical firewalls, databases, servers, and storage devices. Today, most enterprises can get all those resources by leveraging PaaS/IaaS resources from GCP, AWS, and Azure. Most of these cloud providers take care of security at the lower layers of the networking model. As we approach the application layer, where network administrators have more control over system configuration, network configuration, app deployment, and the discretion to apply security best practices, a market opportunity is effectively created. This market opportunity is what is called cloud security. CrowdStrike specifically addresses the cloud workload subsegment of the cloud security market. Other segments include cloud access security and the network security market.

Cloud workload security includes the provision of security services for the efficient configuration of cloud resources. It includes the active monitoring and scanning of activities, identities, and access requests. It includes the incorporation of cybersecurity best practices at the app development level and during runtime. It also consists of the application of security to extensible APIs. In short, it includes the protection of everything that can put developers and network administrators in trouble. While cloud platforms include security tools and services in their offerings, leveraging those tools leads to vendor lock-in, in which a company's full suite of tech facilities is tied to a single company. This is dangerous.

In estimating the size of the cloud security market, IDC provided an estimate, which I shared in my last thesis. Having worked with some of the top cloud platforms, I can acknowledge the depth of thought and investment plowed into providing security tools and ensuring security best practices.

IDC predicted that "innovation, opportunity, and market demand collide to place hyperscale cloud providers directly and permanently in the security business; by 2025, 9% of their revenue will be attributed to security." IDC's experience at AWS re:Invent reaffirms our belief in the prediction. - Source - IDC

Given their investments in security, public cloud platforms are expected to command some share of the cybersecurity space. This is a given as some enterprises are comfortable acquiring all their tech resources from a single vendor. Others don't feel the need to spend money on extra security features. I expect these enterprises to be mostly concentrated in verticals with weak regulations.

The next section explores some of the cloud security capabilities of the major public cloud platforms.

Alphabet (BeyondCorp and BackStory)

Google (NASDAQ:GOOG)(NASDAQ:GOOGL) has been a big innovator in security. It introduced BeyondCorp, which birthed the Zero Trust trend. BeyondCorp has been adopted internally by Google for almost a decade. It became even more popular with the rise of distributed teams driving the waning popularity of VPNs for accessing enterprise networks and resources from remote locations. BeyondCorp was designed to eliminate the need for VPNs. As the chart above demonstrates, access is granted based on the user's identity and context.

The chart above outlines Google's cloud security offerings. It offers most of the security capabilities that are complemented by cybersecurity solution providers. We have Cloud IAM for identity and access management, Assured Workloads, which is akin to CrowdStrike's workload offering, multiple offerings for data encryption, and more. Google's data security offerings are so robust that it was ranked as a leader in Forrester's analysis of data security platforms.

Google also has strong capabilities in security analytics and threat intelligence. Chronicle, a security project at Alphabet's Google X division, recently merged with Google Cloud to help protect against malware. Chronicle also benefits from the rich database from the acquisition of VirusTotal. VirusTotal is a large malware database that aggregates data from over 70 antivirus solutions.

Microsoft

Microsoft (MSFT) has broad security capabilities that cut across all facets of the cybersecurity space. Microsoft recently announced new updates to its cloud security solutions under a new brand called Azure Defender. Azure Defender also includes its XDR capabilities from multi-cloud platforms and hybrid workloads. Azure Defender integrates with Microsoft Sentinel, highlighting the reason for its XDR announcement. XDR is about correlating threats from multiple systems to help security operations teams prioritize alerts. Azure Sentinel also connects to Microsoft Defender. The sheer volume of threat telemetry and insights that will be derived from this integration is huge for Microsoft's cloud security posture. Azure Defender also includes support for databases, servers, and IoT platforms via the acquisition of CyberX.

Microsoft also has cloud access security capabilities called Microsoft Cloud App Security. This protects access to cloud apps. It also has a cloud security posture management offering called Azure Security Center for visibility, configuration management, and compliance across cloud workloads.

VMware

VMware (VMW) has expanded its cloud security capabilities over the years. This largely derives from the strategic acquisition of Carbon Black and Octarine. Carbon Black is an endpoint security platform. Beyond endpoint protection, Carbon Black also gave VMware capabilities in workload security and endpoint management. These add to cloud security capabilities acquired from CloudCoreo. Octarine provides security for Kubernetes systems. Most of these offerings now form a part of what is known today as CloudHealth. CloudHealth supports multiple cloud environments. It provides visibility into cloud workloads, identifies misconfiguration, and helps with compliance.

AWS

Amazon (AMZN) offers tons of security solutions that cover all facets of cybersecurity. The table below gives a summary of its offerings.

Here are some of the cloud security offerings available on AWS.

Amazon GuardDuty: identifies threats by continuously monitoring the network activity, data access patterns, and account behavior within the AWS environment. GuardDuty is integrated with up-to-date threat intelligence feeds from AWS, CrowdStrike, and Proofpoint.

AWS IoT Device Defender continuously audits IoT configurations to ensure that they aren't deviating from security best practices.

AWS Security Hub gives a comprehensive view of security alerts and security posture across AWS accounts.

AWS Identity and Access Management (IAM) enables the management of access to AWS services and resources.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of AWS accounts.

The cloud workload protection platform market is expected to grow from an estimated $1.03 billion dollars in 2018 to $2.44 billion by 2023, becoming another major demand area for security solutions supporting emerging cloud workloads. - Gartner

During the session, CrowdStrike tried to estimate the size of the cloud workload market.

CrowdStrike made a compelling case for updating the size of the cloud security market. Firstly, CrowdStrike shared a data point in which Gartner estimated that more than 85% of global organizations would be running some containerized applications in production in the near future. IDC pegged the cloud IT spend for IaaS and PaaS vendors at $106 billion, going to $217 billion in 2023. This means cloud workload security only represents 1.1% of the total estimate. CrowdStrike thinks the real security opportunity represents a 5% to 10% share of the total cloud market. CrowdStrike then used a Gartner estimate of 5.7%, which represents $6.1b today, growing to $12.4b by 2023. This argument is right because it comes from one of the fastest innovators in the cybersecurity space. If anyone is going to make that market get to $12b, CrowdStrike is one of the candidates that will immediately jump to your mind. In short, this is CrowdStrike telling us that we should forget what we think because it can push its sales team to make enterprises open their wallets to the tune of $12b. Typical CrowdStrike, I'll say.

If we actually break down the total cloud security market, I believe it includes the purchase of firewalls to protect data centers housing IaaS and PaaS resources. It also includes the deployment of endpoint security solutions on these cloud platforms. It also includes the purchase of cloud access security solutions and secure web gateway offerings. These markets represent a significant and sizable chunk of the $12b opportunity estimated by CrowdStrike. Palo Alto Networks (PANW), the leading cybersecurity platform with capabilities across all cloud security segments, pegged the market opportunity at $6b in 2020, growing to $7b-8b in 2022. Not to sound like a pessimist, I believe most public cloud platforms have actually baked solid security policies and protections into their offerings. This reduces the incentives for enterprises to splurge a lot of money on cloud workload offerings. Therefore, while CrowdStrike's conviction in its ability to drive demand for cloud workload security solutions is commendable, I believe the monetizable opportunity that the workload subsegment will take is less. A fair estimate is a third of the new market size, with a third going to cloud access security and web gateways for cloud platforms and another third going to the network and endpoint security protection of data centers. This means workload security is currently worth $2b, growing to $4b by 2023.

In summary, I believe the estimate provided by CrowdStrike is bloated because CrowdStrike doesn't offer cloud access security solutions. Also, it doesn't offer network security solutions that protect data centers that house cloud resources. It does provide endpoint security solutions for cloud networks and endpoints.

Business

Product Strategy

A key element of CrowdStrike's product strategy is the company's attention to detail. A lot of cybersecurity players have glossed over opportunities that CrowdStrike has now popularized. The rise of DevSecOps and the opportunity it provides is a trend that has been closely tracked by CrowdStrike. CrowdStrike highlighted the pain that developers face when adopting security best practices during development. Given the rapid pace of product release, it has been a big pain for developers to stay compliant with security regulations.

CrowdStrike offered its solutions, which include:

Providing best-in-class runtime security protection for all workloads and all workload environments, including containers and protection of the underlying hosts powering the container environment

Providing attack surface monitoring

Providing visibility and alerting into common misconfiguration. Also providing automation of cloud security management via a new module called Falcon Horizon

The pricing model for cloud services is different from more traditional perpetual or annual subscription-based licensing. With cloud services, you'll often find a pricing model that charges by services used or compute consumption, which helps prevent wasteful spending. This model is often referred to as pay-as-you-go - Source - CrowdStrike

Analysts tried to quiz CrowdStrike about its pricing strategy for workloads. This is important for forecasting margin trends and the incremental ARR opportunity. CrowdStrike highlighted its server-based pricing model. While millions of containers can be deployed in a network, the compute and storage requirements of a virtual server determine how much CrowdStrike will charge. This is akin to the pricing strategy deployed by public cloud platforms, which is usage-based. CrowdStrike explained that the pricing for workloads and containers is not one-to-one as it is with endpoints. Since there are more workloads than endpoints, this means the pricing is significantly less.

Competitors

Differentials

Platform business model

I expect CrowdStrike to continue to add new modules due to its cloud-native design. CrowdStrike also highlighted its support for multiple cloud platforms, which I believe is one of its key differentiating factors. Other factors include its lightweight agent, which doesn't affect performance, and its protection approach, which is automated and scalable.

Threat Intelligence/Threat Hunting

I believe CrowdStrike's threat intelligence capabilities remain a key differentiator. This will assist operations teams when performing security audits, breach examination, and security configuration. This will also be supported by its threat hunting capabilities. The capabilities are important for protecting against threats in cloud networks.

Question Callout

The question posed by the analyst from USB helped cut through the technical intricacies of its new capabilities:

I believe the essence of the question above is to understand CrowdStrike's differentiating capabilities as it evolves its Horizon module. The security posture management capability complements its vulnerability management module called Spotlight. CrowdStrike talked about its ability to provide runtime security for ephemeral workloads. CrowdStrike talked about how its innovative deployment of its agents doesn't impede performance. This is enabled and improved by its deep visibility into cloud resources and its ability to leverage insights after these workloads stop running. This made me sit back to think about its runtime security offering. With runtime security, CrowdStrike is challenging vulnerability management players. Most of the leading vulnerability management players have studied this trend long before now, and they've acquired capabilities to achieve competitive parity. These include the likes of Qualys (QLYS) and Rapid7 (RPD).

CrowdStrike reiterated its multi-cloud support and its DevSecOps strategy as the question was initially directed at the CTO. It then delivered the Blitzkrieg when the CEO followed to provide a strong conviction in its strategy. Below is CrowdStrike's answer:

And what we find with existing cloud VM products or endpoint products that are delivered from the cloud, from the VM folks, is that just scanning. They're just looking for things and it takes forever, and it kills the performance of the machine, that just about all the customers that we talk to that have those legacy VM agent technologies, you want to get rid of it because it just destroys the machine

This is what CrowdStrike does best. Identify a new market opportunity, double down on its capabilities while creating more visibility for its product. The answer above draws out the limitations of the techniques deployed by providers of vulnerability scanners while highlighting why CrowdStrike will come out top. While the response is great, I believe competitors are aware of the present situation. Like I asserted earlier, they've also upgraded their tools. Here is CrowdStrike on the impact of its agents on computing resources:

The Falcon sensor's design makes it extremely lightweight (consuming 1% or less of CPU) and unobtrusive: there's no UI, no pop-ups, no reboots, and all updates are performed silently and automatically. - Source - CrowdStrike

Here is Qualys:

The agent is designed to have minimal impact on the system and the network, normally consuming less than 2% of CPU resources with peaks in the range of 5% during normal operation. - Source - Qualys

Rapid7 limits the impact of its agents on disk to 50-100MB. This works out to about 2-3% of disk usage for a cheap 4GB laptop.

Given the current situation, I believe a technical battle is inevitable.

Threats

CrowdStrike isn't the only vendor with cloud security capabilities. The chart above highlights the competitive landscape. Network and endpoint security competitors are moving into the cloud security space. I also expect big tech companies and cloud platforms to actively participate in the cloud security market. Regardless of the level of competition, I expect CrowdStrike's gravitas to drive its market share expansion in the cloud security space.

Valuation

Having reiterated its conviction in capturing more value in the workload security segment, CrowdStrike has improved the market's belief in its monetizable market. By volume, the opportunity to protect ephemeral containers and workloads is huge. However, CrowdStrike did not produce compelling insights into its pricing strategy for the workload market. I don't expect workloads to be priced at the same cadence as endpoints, given their fickle nature.

Going forward, I am more convinced of CrowdStrike's growth story. I am also convinced of its ability to fight for market share. I see the workload market as a big contributor to its net expansion rate as customers shift more workloads to the cloud. The chart below highlights some of the customer consumption trends observed by CrowdStrike.

The ARR expansion opportunity in each scenario highlights the benefit of selling both endpoint and workload security to the same customer. Readers will observe that the web content company and the SaaS company both have 100% of their workloads protected by CrowdStrike. This points to the growing trend in which new startups and businesses leverage cloud platforms to store all their cloud resources. I believe this opportunity is a significant boost to CrowdStrike's growth story. With dollar expansion decelerating to 120% largely due to the law of large numbers, I'll still keep faith in the forward revenue growth forecasts of 30+% in 2021 and 2022. As the chart below depicts, CrowdStrike still fields some of the best SaaS metrics.

The forward growth guidance suggests ARR is going from average to great over the next four quarters. Revenue growth is also impressive despite CrowdStrike's growing size. Dollar retention is also being impacted by the law of large numbers. The CAC payback period is the best in class. This derives from the impressive Magic number shared by CrowdStrike in its last conference call. Lastly, CrowdStrike's impressive revenue growth and significantly improved cash flow power its outstanding Rule-of-40 metric.

With these impressive numbers, it is tough to bet against CrowdStrike. CrowdStrike has rewritten the narrative in the endpoint security space despite the level of competition. There doesn't appear to be any serious stumbling block in the short term. For CrowdStrike, it is steady as she goes.

