CrowdStrike Is Hard To Beat; Buy Shares Opportunistically
Summary
- CrowdStrike remains one of our favorite next-gen endpoint security players in the industry. It is disrupting multiple segments such as vulnerability management, next-gen antivirus, and incident response.
- The company continues to use its platform to move into adjacent areas such as Cloud protection. Cloud workload protection should become a significant growth driver in 2021 and beyond.
- CrowdStrike continues to erect significant barriers to entry for competitors by displacing incumbents and foreclosing opportunities to others. We expect CrowdStrike to be a dominant player for many years.
- CRWD is usurping the leadership from FireEye in the incident response business. The incident response business should see robust growth in 2021 driven by the Solarwinds hack.
- We expect the valuation to remain lofty for the foreseeable future, and we would be buying shares opportunistically on dips and over time.
CrowdStrike (NASDAQ:CRWD) remains one of our favorite mid-cap technology stocks and is a buy. CrowdStrike has one of the most sophisticated and robust next-generation security platforms in the industry today. CrowdStrike's Falcon cloud platform detects threats and stops breaches by applying modern technologies such as AI, Machine Learning, and Graph databases to crowdsourced data. Endpoints (laptops, desktops, servers, containers, and virtual machines (VMS)) are the most attacked vectors in an enterprise, given that they contain highly valuable corporate data. CrowdStrike is frequently called to remediate breaches and is the vendor of last resort. Following the Solarwinds hack, the company has been hired by Solarwinds to remediate the breach, and CrowdStrike is also on a retainer for several affected companies. Given CrowdStrike's compelling technology and first-mover advantage, we expect the company to post robust growth for many years to come. Therefore, we would be looking to stay invested in CrowdStrike.
Following the SolarWinds (SWI) hack, the National Security Agency (NSA) recommended companies that use SolarWinds Orion product to harden and secure their endpoints and keep systems patched and software updated. Given this recommendation, we believe many enterprises that use Orion Software will move Vulnerability Management solutions, Endpoint Detection and Response (EDR) solutions, Next-gen antivirus solutions to the top of their IT budgets in 2021. To prevent breaches and to take steps to protect themselves proactively, many companies will also want to deploy solutions that monitor threat intel and forensics. We expect CrowdStrike to benefit from this increased spending on security solutions, given its platform is one of the most effective in the industry (according to Gartner). Despite being one of the most expensive names in our coverage universe, we recommend investors take a position opportunistically. We would be buying shares opportunistically, given our belief, CrowdStrike is the best name to own for endpoints.
What is likely to drive revenue growth in 2021 and beyond
We believe CrowdStrike's growth will be driven in 2021 and beyond by the following:
- Rapidly expanding customer base and maintaining high retention rates
- Higher levels of security spending due to SolarWinds hack, digital transformation, and movement of applications to the cloud
- Displacement of incumbents such as Symantec (AVGO), McAfee (MCFE), Trend Micro (OTCPK:TMICY), and Sophos (SOPH)
- Upselling more modules to existing customers (Currently 17 modules in all)
- International expansion
Rapidly expanding customer base
CrowdStrike mainly services large enterprises and governments worldwide. The company has 8,416 customers, including 11 of the top 20 banks, 40 of the leading global 100 companies, and over 49% of fortune 100 firms and government agencies. At the end of 3Q21, the company grew customers 85% Y/Y. We expect CrowdStrike to rapidly expand its install base by displacing incumbents such as Symantec, McAfee, Trend Micro, and a host of other traditional antivirus vendors. The following chart illustrates the rapidly expanding customer base of CrowdStrike
Source: CrowdStrike presentation
Cloud workloads to drive growth
According to the company, CrowdStrike is expanding from traditional endpoints to protecting cloud workloads. The company believes that its kernel-based lightweight agent is a competitive advantage that is hard to overcome by any new vendors. To address cloud-based endpoints, the company has three modules – Cloud Runtime Protection, Cloud Discovery, and Cloud Security Posture Management. At the Goldman Sachs conference, CEO George Kurtz noted that protecting cloud workloads is a greenfield opportunity. He also stated that only 0.9% of the security budget is used in protecting cloud workloads. However, he believes that it could increase 10x over the next few years, given the rash of workloads moving to the cloud. More importantly, CrowdStrike believes it has one of the best products in the industry to address cloud workloads. The following chart illustrates Cloud workload TAM.
Source: CrowdStrike presentation
Competitive advantage is hard to beat
We believe CrowdStrike has a deep and compelling moat that will be very hard for any new entrant or existing on-premises legacy players such as McAfee, Symantec, Kaspersky, and Trend Micro to upend. To begin with, CrowdStrike's graph database and its lightweight agent underpin all products. Lightweight agents gather threat data from the endpoints and beam it up to the cloud to be stored in a graph database. The graph database correlates some 4 trillion security events per week from millions of sensors that are deployed worldwide. New entrants starting from scratch would need years of R&D effort to build a comparable graph database that is super fast and can handle the real-time analysis of data at scale. New entrants would need to create a software stack that is deployable in a distributed and multi-tenant architecture to rival CrowdStrike's offerings. Deploying a globally distributed cloud solution requires experience and expertise to make the solution work optimally. Therefore, we believe any new entrant will face serious challenges building solutions that rival CrowdStrike's offerings in the near-term (for at least five years). More importantly, CrowdStrike has patented its threat graph and lightweight agent technologies, preventing any copycats from getting to market quickly. The following chart illustrates the Falcon Platform Architecture depicting the cloud modules, lightweight agent, and the threat graph database.
Source: CrowdStrike presentation
More importantly, CrowdStrike's integrated product offering, which extends beyond endpoint into Vulnerability Management and other adjacencies, makes the products sticky and difficult to replace for any entrant. The company has an impressive 98% gross annual renewal rates with impressive 120%+ net dollar retention rates.
Source: CrowdStrike presentation
On the other hand, signature-based antivirus software offerings are almost entirely ineffective against next-generation threats and zero-day attacks. Therefore, we believe incumbents with signature-based solutions will face an uphill task to retrofit their solutions for the cloud age. CrowdStrike continues to execute well with its technology roadmap and remains the defacto next-generation leader in the space. The following images illustrate the changing dynamics within the endpoint security landscape.

Source: IDC/Gartner data
Highly predictable revenue model
CrowdStrike uses a 100% subscription model for its software that is billed annually in advance. Typically contract lengths are in the 1-to-3 years range. Given that 100% of revenue is ratable (subscription revenue), according to our estimate, we believe CrowdStrike effectively locks in more than 90%+ of its revenue at the beginning of the quarter. Combined with the best in class revenue retention (132% average dollar-based retention rate over last four quarters), low churn (lower than 2% range according to our estimate), revenue visibility is high, reducing the risk for negative revenue and earnings surprises.
The company also continues to upsell more modules as well as selling agents to new IPs within a customer. The company sells 17 different modules in total spanning Cloud Security (Runtime protection, discovery and posture management), Endpoint Security (Next Gen Antivirus, Endpoint Detection and Response (EDR), Device Control, Firewall Management), Security & IT Operations (Threat Hunting, IT Hygiene, Turnkey Security, Vulnerability Management), and Threat Intelligence (Threat Intel, Malware Search and Malware Analysis).
High predictability of revenue also means that positive surprises should be capped. Therefore, a highly predictable revenue model provides support for the stock, but outperformance from current levels is very difficult. The following chart illustrates module adoption within CrowdStrike's install base.

Source: CrowdStrike presentation
Valuation
When valuing CrowdStrike, we use EV/Sales as the primary valuation metric. Given that many of the companies in the peer group are currently in transition to a SaaS/Subscription revenue model or not sufficiently profitable, EV/Sales makes the comparisons meaningful. During acquisitions, one of the primary metrics used to evaluate takeout price remains EV/Sales. EV/Sales makes it easier to compare with historical takeout multiples.
CRWD is currently trading at 30.9x EV/C2022 sales, well above our SaaS/Subscription peer group average of 15.9x. CRWD is growing significantly faster than the peer group. CRWD is expected to grow at 31%, while the peer group is expected to grow at 18%. The following charts illustrate the valuation of the SaaS and the Security peer groups.
Source: Author based on Refinitiv data
Risks to owning CrowdStrike
- CrowdStrike is one of the most expensive stocks in our coverage universe. In the event of a market sell-off, we believe CrowdStrike will likely decline more than the market.
- Given CrowdStrike's lofty valuation, one of the main risks quarter-to-quarter is the high expectations the company faces. Every time the company beats estimates, investors expect even better results in the next quarter. This expectations game could get very challenging eventually, and the company will be unable to meet investor expectations, leading to a sell-off.
- CrowdStrike is a volatile stock in our coverage universe. CrowdStrike price movements can be fairly dramatic both on the upside as well as on the downside.
- CrowdStrike faces intense competition from both traditional players and from newer emerging players such as SentinelOne, Tanium, etc. CrowdStrike competes mainly with Broadcom (AVGO) owned Symantec, Microsoft (MSFT), McAfee, Palo Alto Networks (PANW), VMware (VMW), and BlackBerry (BB) in the traditional EDR markets. However, CrowdStrike also competes with Tenable, Qualys, and Rapid7 in the traditional vulnerability management space. In the workload/application protection space, the competition is emerging and is evolving rapidly as players such as Zscaler, PaloAlto Networks, VMware, and a host of other players vying for the same market.
- VMware, PaloAlto Networks, Microsoft, and Broadcom have deep pockets and could use their balance sheets to buy the business, which could be troublesome for CrowdStrike over the longer term.
- Over the last few years, CrowdStrike and other security companies benefited from an elevated level of spending due to DX and WFH. If spending focus by customers wanes, we believe CrowdStrike's share performance could be negatively impacted.
- Finally, there may be other risks that are less likely to occur, in our view, or which we may not be able to anticipate currently.
What to do with the stock
We are bullish on CrowdStrike's fundamentals and believe CrowdStrike is very hard to beat for any legacy players such as Symantec (Broadcom) and McAfee and next-generation players such as SentinelOne. Per Refinitiv data, out of the 19 analysts covering the stock, 16 are a buy, and the remaining are hold rated. The sentiment continues to improve for the stock since its IPO in 2019. The average PT now is $214, and the median is $205. CrowdStrike is currently trading at around $224. Since the company reported results in early December, the stock is up 58%, while Nasdaq is up only about 10%, and S&P is up about 5%.

Following the SolarWinds hack, we expect CrowdStrike to report a solid quarter in 4Q as many enterprises impacted by the hack purchased the company's offerings. We expect the demand for CrowdStrike's products to remain robust throughout 2021.
We expect CrowdStrike to continue to grow for the next several years, given that DX and Zero Trust Security is still in the early innings. On top of it, CrowdStrike is one of the two vendors, along with FireEye, on retainer to mitigate security breaches. CrowdStrike remains the go-to player in the Solarwinds hack remediation, as FireEye itself has been breached. Given our belief that CrowdStrike will remain a core technology to secure endpoints and applications, we will be buying shares opportunistically and in small increments while accumulating a decent position over time. We believe this is one of those companies in the tech universe that will remain the industry leader for the foreseeable future. Hence we recommend investors stick to the name through thick and thin.
This article was written by
Analyst’s Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.
Seeking Alpha's Disclosure: Past performance is no guarantee of future results. No recommendation or advice is being given as to whether any investment is suitable for a particular investor. Any views or opinions expressed above may not reflect those of Seeking Alpha as a whole. Seeking Alpha is not a licensed securities dealer, broker or US investment adviser or investment bank. Our analysts are third party authors that include both professional investors and individual investors who may not be licensed or certified by any institute or regulatory body.



