CrowdStrike Holdings, Inc. (NASDAQ:CRWD) Q3 2022 Results Conference Call December 1, 2021 5:00 PM ET
Maria Riley - Senior Director of Investor Relations
George Kurtz - Co-Founder, President, Chief Executive Officer & Director
Burt Podbere - Chief Financial Officer
Conference Call Participants
Saket Kalia - Barclays Capital
Sterling Auty - JPMorgan
Alexander Henderson - Needham
Joe Gallo - Jeffries
Matt Hedberg - RBC Capital Markets
Roger Boyd - UBS
Brian Essex - Goldman Sachs
Justin Roach - Rob Owens
Jonathan Ruykhaver - Baird
Patrick Colville - Deutsche Bank
Strecker Backe - Wolfe Research
Shaul Eyal - Cowen Company
Gray Powell - BTIG
Thank you for standing by, and welcome to the CrowdStrike Holdings, Inc. Q3 2022 Financial Results Conference Call. At this time, all participants are in a listen-only mode. After the speakers' presentation, there will be a question-and-answer session. [Operator Instructions] As a reminder, today's conference call is being recorded.
I would now like to turn the conference to your host, Ms. Maria Riley, Vice President of Investor Relations. Please go ahead.
Good afternoon and thank you for your participation today. With me on the call are George Kurtz, President and Chief Executive Officer and Co-Founder of CrowdStrike; and Burt Podbere, Chief Financial Officer.
Before we get started, I would like to note that certain statements made during this conference call that are not historical facts, including those regarding our future plans, objectives, growth and expected performance, including our outlook for the fourth quarter and fiscal year 2022 are forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995.
These forward-looking statements represent our outlook only as of the date of this call. While we believe any forward-looking statements we make are reasonable, actual results could differ materially because the statements are based on current expectations and are subject to risks and uncertainties. We do not undertake and expressly disclaim any obligation to update or alter our forward-looking statements, whether as a result of new information, future events or otherwise.
Further information on these and other factors that could affect the Company's financial results is included in filings we make with the SEC from time to time, including the section titled Risk Factors in the Company's quarterly and annual reports that we file with the SEC.
Additionally, unless otherwise stated, excluding revenue, all financial measures included on this call will be non-GAAP. A discussion of why we use non-GAAP financial measures and a reconciliation schedule showing GAAP versus non-GAAP results is currently available in our press release, which may be found on our Investor Relations website at ir.crowdstrike.com or on our Form 8-K filed with the SEC today.
With that, I will turn the call over to George to begin.
Thank you, Maria, and thank you all for joining us. I will start today's call by summarizing three key points. First, we delivered an outstanding third quarter headlined by an acceleration in net new ARR growth, strong execution across the market, from large enterprises to small businesses and expansion within the U.S. federal government. Second, we are seeing an inflection in new products with growing demand for our identity protection and Zero Trust, Humio and cloud security modules. And third, the competitive and pricing environment remains favorable to CrowdStrike. We continue to expand our lead over legacy and next-gen vendors because of our scalability, efficacy and differentiated offerings such as Falcon Complete.
Now let's discuss our results and get into the topics in more detail. We delivered a robust third quarter with net new ARR growth accelerating and ending ARR growing 67% to surpass the $1.5 billion milestone. We added $170 million in net new ARR, which was ahead of our expectations and gained over 1,600 net new subscription customers for the second consecutive quarter. We proudly serve 14,687 subscription customers. In addition to accelerating net new ARR growth, we delivered record bottom line results and free cash flow reaching a new high watermark of $124 million.
In the third quarter, we saw broad-based strength in multiple areas of the business and among SMB mid-market and large enterprises. Our outstanding results this quarter reflect continued strong customer adoption of our core products, growing success with our newer product initiatives, including identity protection, log management and cloud and our growing leadership in the market with a continued groundswell of customers turning to CrowdStrike as their trusted platform of record with our 21 modules.
We also gained significant momentum and delivered a record quarter in the public sector, including wins with educational institutions, states and local governments and the U.S. federal government. Our performance on this front is highlighted by a large win with CISA, the Cybersecurity and Infrastructure Security Agency, to secure a significant portion of endpoints and workloads for multiple federal agencies as they operationalize the White House executive order to improve the nation's cyber resiliency.
This win represents the culmination of our dedication and hard work over the course of several years on our public sector strategy and government certifications. We believe this significant win will create new opportunities and unlock additional business within the massive U.S. federal government. For additional information, please visit my new post to the CrowdStrike blog.
Moving to the competitive environment. We continue to believe we have a significant technology lead with no competitor matching our scalability, performance, ease of use and commitment to customers. I could not be more excited by our opportunity, which has continued to grow. This quarter, our win rates increased across the board, and we saw a record number of wins against both legacy and next-gen vendors with SMB, mid-market and large enterprise customers.
We also landed a record number of wins and displacements over a recently public next-gen vendor, SentinelOne. To be clear, we define a displacement as removing an incumbent's product and replacing it with Falcon.
Let me share a recent example with one of the largest nonprofit hospital systems in the U.S. which had initially chosen the recently public next-gen vendor based on price and promised features that were never delivered. Just a few months into their multiyear contract with the other vendor, this organization realized the product fail to scale, cause major performance issues, prohibited critical processes from functioning properly and drove significant friction within the organization and its subsidiaries.
That is when they turned to CrowdStrike, purchased multiple modules in a multimillion dollar ARR deal and realized immediate improvement, gaining up to 30% performance increase on their servers alone and greater efficacy without intrusive false positive.
Another marquee win this quarter included Qualtrics, a leader in experience management. Customer focus and trust are key parts of Qualtrics' DNA. Therefore, it was critical for them to adopt best-of-breed security capable of fortifying their entire estate of traditional endpoints and cloud workloads without sacrificing end-user experience. Qualtrics moved off the next-gen endpoint security provider to Falcon in order to have a single solution that can be easily deployed and scaled along with their fast-growing business. We look forward to continuing our relationship with Qualtrics as their trusted security partner.
We continue to see success winning new customers among our larger competitors as well. Take for example a leading health care system that was using a combination of two legacy vendors, Microsoft and Symantec when it was hit with a massive ransomware attack that disrupted their business. This organization turned to CrowdStrike's renowned incident response services team to remediate the breach. They also came to realize that while Microsoft attempts to check most of the boxes on paper and appeal to the CFO office, in reality, when every second counts, they needed CrowdStrike and standardized on Falcon Complete.
With our leading technology, unmatched platform and adversary-focused approach to stopping breaches, we continue to eclipse our competitors and extend our leadership, which was once again recognized by industry analysts and third-party testing agencies, including IDC which named CrowdStrike, a leader in IDC Marketscape worldwide modern endpoint security for enterprise 2021 vendor assessment. Enterprise Management Associates, EMA granted Humio their top three award in log management and observability. Humio was recognized for its index research and its ability to ingest structured and unstructured data at real time and at scale.
Last month, SE Labs recognized CrowdStrike as the best endpoint detection and response product for the second year in a row. And just this week, CrowdStrike earned the highest rating in the October 2021 Gartner Pure Insights Voice of the Customer for endpoint protection platforms.
Cyber adversaries are increasingly attempting to accomplish their objectives without using malware. As we cited in our 2021 Threat Hunting report, based on recent customer data indexed by Threat Graph, 68% of detections analyzed were not malware-based. This is why companies need to employ a holistic breach provision strategy rather than overly relying on malware prevention regardless if it's legacy or next gen. This increasing trend in the adversary landscape is driving a generational shift to Zero Trust technologies, including CrowdStrike Falcon.
We are seeing this trend play out in our modular adoption metrics which have continued to increase. Our module adoption rates demonstrate the flywheel effect of our platform in motion with subscription customers that have adopted four or more modules, five or more modules and six or more modules increasing to 68%, 55% and 32%, respectively, in the third quarter. We believe high adoption rates of our modules drive high retention rates and reflect our growing position as the trusted platform of record with the average number of modules per customer also increasing quarter after quarter.
Our results have proven quarter after quarter that transformational differentiation built into the Falcon platform continues its technology dominance over legacy and next-gen vendors alike, delivering strong results in the field. On the cloud front, our footprint continues to grow even faster than our overall server endpoint growth with over 25% of the servers we protect now in the public cloud.
CrowdStrike has redefined the approach to cloud security. With Falcon Horizon, we are selling into and enabling DevOps teams to improve decision-making and innovate faster. Falcon Horizon is API-driven and agentless, enabling customers to scan configurations and workloads across multiple cloud environments. Falcon Horizon provides continuous control plane threat detection and machine learning and indicator of attack detection as well as guided remediation for all cloud accounts, services and users across the cloud estate.
During the quarter, we extended Falcon Horizon to support Google Cloud environments now supporting the three largest clouds. We also deepened our partnership with AWS with new features that work hand-in-hand with services from AWS to further protect customers from growing ransomware threats and increasingly complex cyber attacks.
Moving to the partner front. As our leadership in the market increases, our partnerships grow and deepen with large name brand system integrators, VARs and MSSPs alike, building revenue streams for their businesses with Falcon. The third quarter was a breakout quarter for our MSSP ecosystem with our MSSP business growing more than 30% quarter-over-quarter and triple digits year-over-year.
We also expanded our relationship with Google by joining their Work Safer program, which is designed to protect organizations, including small businesses, enterprises and public sector institutions against modern cyber attacks.
Just as we usher the industry into a new era when we launched EDR and pioneered Zero Trust for the endpoint with deep visibility, we are leading the industry forward and once again, redefining security by focusing on the greatest source of enterprise risk and friction.
Unlike any other competitor in the market today, our identity protection modules give customers the ability to prevent the spread of ransomware and stop lateral movement when credentials are stolen. This is a major advantage to winning deals in the field and increasing deal size. The third quarter marks the one-year anniversary of our acquisition of Preempt. And in this one quarter alone, we generated quarter included AIA Insurance, one of the largest public insurers in the Asia Pacific region; multiple major airlines; and a Fortune 100 manufacturer.
CrowdStrike already natively enforces Zero Trust protection at the device layer and the identity layer. By harnessing technology from our recent acquisition of SecureCircle, we plan to take data protection to a new level by enforcing Zero Trust at the data layer. Legacy point products like DLP are aging, brittle, prone to false positives and require a high reliance on human intervention. Based on IDC estimates, we believe the market for DLP and related technologies to be approximately $3 billion in calendar year 2022. Our innovative approach to data protection will put power back into the hands of customers without changing the way users work.
Moreover, after we combine SecureCircle's technology with CrowdStrike Zero Trust modules, customers will gain even more fine grain visibility and control as well as continuous risk monitoring to detect and respond to threats, whether they manifest as a device, identity or data layer. While the acquisition just closed and it will take some time to integrate into the Falcon platform, we have already received a tremendous response from customers that would like to replace their legacy DLP products from the likes of Symantec with Falcon's data protection module delivered through our single lightweight agent.
CrowdStrike is the only platform in the market to connect the machine to identity and to data. It has been an unparalleled year of innovation at CrowdStrike. At this year's Falcon User Conference, we showcased our thought leadership, newest innovations and continued commitment to providing customers gold standard protection to stay ahead of adversaries today and in the future.
Our new Falcon XDR module headlined the event. Falcon XDR leverages the technology we acquired from Humio and extends CrowdStrike's industry-leading endpoint detection and response capabilities to deliver real-time detection and automated response across the entire security stack.
We also launched the Crowd XDR Alliance, which is a groundbreaking partnership with industry leaders including Google Cloud, Okta, ServiceNow, Zscaler, Proofpoint and Mimecast, among others. We invite you to learn more about XDR and our other new capabilities as well as here discussions with our partners, AWS and Accenture, and our customer Zoom by tuning into our Falcon Investor Briefing, which is accessible on our Investor Relations website.
Turning to Humio. Q3 was a record quarter, and we see increasing momentum in the log management space that has exceeded our expectations. In addition to the seven-figure new customer land with the DevOps team of a financial services company, we mentioned on our last call, Humio wins in the third quarter included a Fortune 150 food brand, a leading European cloud-based e-commerce platform company and Mimecast, a leader in cloud-based e-mail management and security and a CrowdStrike technology partner.
We are also seeing strong uptake for our recently announced Humio Community Edition, which gives users 16 gigabytes of streaming data ingestion per day with seven-day retention for free. In less than six weeks since our launch, we have already reached 100% of our six-month customer registration goal. Humio's log management platform is unmatched in speed, performance and storage ability. Humio Community Edition offers customers unprecedented access to best-in-class log management that they won't see anywhere else. We expect this program to be a strong avenue for lead generation as customers experience the power of Humio.
Before closing, I would like to announce that we are promoting Jim Seidel to Chief Sales Officer, and he will be responsible for global sales. Jim has been with CrowdStrike for over eight years. And for the past five years, he has done an outstanding job leading our Americas sales team, our largest region and contributor to United States revenue, which accounts for 73% of our total revenue.
During Jim's tenure, Americas revenue has grown significantly and exceeded my expectations quarter after quarter. And for the past four months, while Mike Carpenter was on leave to welcome the arrival of his child, Jim has served as acting Head of Global Sales and Field Operations. And true to form, as you can see from the results we published today, Jim delivered an exceptional third quarter on a global basis.
Mike is transitioning to an advisory role until his departure from the Company to spend more time with his family. We are very grateful to Mike for his years of service and contributions to building a world-class sales organization. Mike, it has been a great partnership, and I can't thank you enough. We wish you all the best.
In closing, we delivered an outstanding third quarter that can be characterized by phenomenal execution across the board and accelerated net new ARR growth. We continue to see a very favorable competitive environment today and into the future. We continue to expand our leadership and rapidly innovate as we once again redefine security.
Looking forward, I could not be more excited about our future opportunities for growth. We have built a best in SaaS platform that not only significantly expands our reach beyond the core endpoint market, but also unifies the opportunity across cloud security, log management and identity protection.
We see a long runway ahead in displacing legacy and next-gen point product vendors. And the fourth quarter is off to a great start, it already includes a notable land with one of the world's largest financial institutions.
With that, I will turn the call over to Burt to discuss our financial results in more detail.
Thank you, George, and good afternoon, everyone. As a quick reminder, unless otherwise noted, all numbers, except revenue mentioned during my remarks today, are non-GAAP.
We once again delivered exceptional results. In addition to strong growth at scale with accelerated net new ARR growth, we continue to maintain very high unit economics, drive leverage and generate strong operating and free cash flow. We also continued to perform at a high level well in excess of the SaaS industry's Rule of 40 benchmark, achieving a Rule of 77 and when calculated on a free cash flow basis, a Rule of 96 at scale with over $1.5 billion in ARR.
We believe our continued outstanding execution speaks to our ability to rapidly and efficiently scale across the business, our customer first and mission-driven culture and our highly differentiated platform, all of which we believe set us apart from others in the market and are difficult to replicate.
Demand in the quarter was broad-based and well balanced fueled by strength in multiple areas of the business as we expanded our leadership across the market from large enterprises to small businesses. We once again ended the quarter with our strongest pipeline to date, which we believe indicates a strong foundation for future growth.
In the quarter, we delivered 67% ARR growth year-over-year to exceed $1.51 billion, a new milestone. Rapid new customer acquisition as well as expansion business within existing customers fueled an acceleration in net new ARR growth on both an organic and as-reported basis. Net new ARR grew 55% on an organic basis and 46% on a reported basis to reach a new all-time high of $170.0 million, with no outsized contribution from any one deal.
It was a standout quarter for large deals as we derived a record amount of net new ARR from million-dollar deals. We believe this reflects our continued leadership in the enterprise segment, expanding deal sizes and the pricing leverage attributable to our distinct product differentiation.
As George mentioned, we signed a large deal with CISA in the quarter, which will make the U.S. federal government one of our top customers. However, given this win covers multiple agencies, each with their own deployment schedules, the contribution to net new ARR was not notable in Q3, and we will see it steadily fold into ARR over the coming quarters.
Our dollar-based net retention rate was once again above our benchmark. Our gross retention rate remained consistently high with prior quarters, and contraction and churn decreased on both a dollar basis and percent of ARR.
Moving to the P&L. Total revenue grew 63% over Q3 of last year to reach $380.1 million. Subscription revenue grew 67% over Q3 of last year to reach $357.0 million. Professional services revenue was $23.0 million, setting a new record for the fifth consecutive quarter and representing 22% year-over-year growth. The geographic mix of third quarter revenue consisted of approximately 73% from the U.S.; 13% from Europe, Middle East and Africa; 10% from the Asia Pacific region; and approximately 4% from other markets.
Third quarter non-GAAP gross margin was 76%, consistent with Q3 of last year. Our non-GAAP subscription gross margin was 79% and in line with Q3 of last year. We continue to be pleased with our strong subscription gross margin performance as we continue to invest for growing demand.
As planned, we continued investing aggressively in our business during the quarter, including increasing investments in new technologies, international geographies and marketing programs while driving increased operating profit.
Total non-GAAP operating expenses in the third quarter were approximately $239.0 million or 63% of revenue versus $157.0 million last year or 68% of revenue. We believe the investments we are making today will lead to sustained growth over the long term and maintain our pole position as the trusted security partner of choice.
In Q3, we ended with a magic number of 1.3 as we continue to ramp investments to capture more of the market opportunity at hand and expand globally. Our continued exceptional unit economics speaks to the efficiency of our go-to-market engine and our ability to rapidly onboard and support customers of all sizes. We also believe that a magic number of 1.3 continues to indicate that we should increase investments even more given the massive market opportunity.
Third quarter non-GAAP operating income grew 168% year-over-year to reach a record $50.7 million, and operating margin improved five percentage points over Q3 of last year to exceed 13%. Non-GAAP net income attributable to CrowdStrike in Q3 was $41.1 million or $0.17 on a diluted per share basis. Our weighted average common shares used to calculate third quarter non-GAAP EPS attributable to CrowdStrike was on a diluted basis and totaled approximately 239 million shares.
We ended the third quarter with a strong balance sheet. Cash and cash equivalents increased to approximately $1.91 billion. Cash flow from operations in the third quarter was $159.1 million, and free cash flow grew to a new record of $123.5 million or 32% of revenue.
Before we move to guidance, I'd like to cover a few modeling notes. First, while we do not specifically guide to ending or net new ARR, we continue to expect seasonality in net new ARR to be less pronounced relative to prior years as we move from Q3 into Q4, given our steady climb at a much higher scale in recent quarters and outstanding performance throughout this fiscal year.
Our guidance includes the impact of our recent acquisition of SecureCircle, which closed on Monday. We currently expect the acquired net new ARR contribution from SecureCircle to be less than $1 million in the fourth quarter. Additionally, the $70 million IP transfer tax expenses related to the Humio acquisition will be reflected in the fourth quarter, which will impact operating and free cash flow results. Lastly, we funded the acquisition of SecureCircle, with cash. The approximately $61 million cash payment, net of cash acquired, will be reflected in our Q4 cash balance.
Moving to our guidance. We remain optimistic about the demand for our offerings, record pipeline and the powerful secular trends fueling our growth. Given the growth drivers of our business as well as our exceptional third quarter performance and momentum into the fourth quarter, we are once again raising our guidance for the fiscal year 2022.
For the fourth quarter of FY '22, we expect total revenue to be in the range of $406.5 million to $412.3 million, reflecting a year-over-year growth rate of 53% to 56%, with subscription revenue being the dominant driver of growth. We expect non-GAAP income from operations to be in the range of $55.2 million to $59.5 million and non-GAAP net income attributable to CrowdStrike to be in the range of $45.2 million to $49.4 million. We expect diluted non-GAAP net income per share attributable to CrowdStrike to be in the range of $0.19 to $0.21, utilizing a weighted average share count of 241 million shares on a diluted basis.
For the full fiscal year 2022, we currently expect total revenue to be in the range of $1,427.1 million to $1,432.9 million, reflecting a growth rate of 63% to 64% over the prior fiscal year. Non-GAAP income from operations is expected to be between $171.0 million and $175.3 million. We expect fiscal 2022 non-GAAP net income attributable to CrowdStrike to be between $135.4 million and $139.7 million. Utilizing 238 million weighted average shares on a diluted basis, we expect non-GAAP net income per share attributable to CrowdStrike to be in the range of $0.57 to $0.59.
George and I will now take your questions.
[Operator Instructions] Our first question comes from Saket Kalia of Barclays Capital. Your line is open.
Yes. Burt, maybe I'll start with you, just to sort of knock this out first. I was wondering if you could speak to the pricing environment a little bit and whether you feel like competitors are having an impact here with potentially lower price strategies. Does that make sense?
It's a good question. But in regards to pricing and it's been the same way for quite some time, discounting has remained consistent with prior quarters. And I think it highlights the differentiation of our platform and the value we bring to customers.
We talk about value selling for quite some time. So it's allowing customers to center on us and take off other vendors, and that allows us to offer our customers lower total cost of ownership. And that really matters. In terms of the platform, I'll turn it over to George to talk a little bit about that.
As Burt said, a big part of what we're doing is being able to consolidate other vendors. Agent consolidation, agent fatigue is a big issue that's out there. And obviously, we have a broad platform that's differentiated and works, and that's the key aspect of the platform that it actually works.
And you've seen in the transcript that there was a large nonprofit hospital that went with a next-gen vendor on price and two months later was back with us and deploying because it didn't work. And I think that's a big part of it.
You also have to look at things like identity, look at things like Falcon Complete. These are truly differentiated services. And when you look at the breadth of what we're doing, obviously, we're way more than just an endpoint company when you look at what we're focused on and the value we're delivering, and that's how we continue to win and drive the right pricing for us and obviously, good value for our customers.
That makes a lot of sense. George, maybe just a follow-up for you. Congrats on the CISA contract. I was wondering if you could just dig into that just one level deeper and maybe talk a little bit more broadly, but how much opportunity you feel like CrowdStrike has within the federal government on the whole?
Sure. Well, we're really proud of that win. And I think it really is a signature win given the directives that came out of the U.S. government. We're certainly proud to protect the U.S. government. When you look at Falcon as a whole in the platform, it was tailor-made to help protect the government an adversary focused approach using next-gen technologies, AI powered, very broad in what we're doing.
And again, at the end of the day, our goal is to stop breaches. Again, a truly differentiated offering that we have is our intelligence. Most vendors don't have what we have, certainly not the next-gen vendors, and that's a key aspect of what we do and part of the whole data element to CrowdStrike.
So we're excited about this win. We believe it is a big opportunity for us. Obviously, we've got this win, but there's more expansion capabilities and can protect the U.S. government as well as many governments around the world.
Thank you. Our next question comes from Sterling Auty of JPMorgan. Your line is open.
Just one question from my side. Can you give us a sense of what percentage of the net new ARR that you added in the quarter really came from protecting cloud workloads? And how does that compare to what it looked like maybe a year ago?
I'll start. Sterling, so when we think about our Cloud Workload Protection, so right now, what we can tell you is that it's growing, it's continuing to grow, and we've seen growth in the amount of opportunities that are available to us in the cloud. Right now, we -- what we do talk about is the fact that 25% of our servers that we protect are in the cloud. So that's just giving you an indication of where we're going. Maybe George has a couple of other comments on that.
Yes. And the 25% is up as we've talked about in prior calls. So when we think about Cloud Workload Protection or cloud security has two pieces to it, and we have both. One is workload protection, and that is really runtime protection visibility across virtual environments, containers, et cetera.
The second one is Cloud Security Posture Management, if you will, Falcon Horizon, which we continue to really drive innovation through, and that's an agentless technology that ties into many of the APIs as a cloud provider.
So now we cover all three cloud providers. It drives a lot of value very quickly. And again, we have a unique offering because it combines the visibility from an API perspective with runtime protection with a lot -- which is differentiated from a lot of the other competitors, including the private companies that are out there.
So we feel really good about it, and we continue to drive and sell into the DevOps space. And I think we've really honed our skills in being able to sell value into that space and get people up to speed without a lot of friction.
[Operator Instructions] Our next question comes from Alexander Henderson, Needham. Your line is open.
Spectacular results again. I wanted to get a little bit clearer on the concept of XDR. It seems to me that you guys have been pigeonholed by many people as an endpoint company, but you're really a platform. And to the extent that, that platform allows you to then extend into other niches that have historically been seen as separate end markets, a lot of the companies that are in those end markets have turned around and redefined themselves as XDR realizing that they needed to be a platform. But taking the term XDR and plugged in front of the, say, SIEM companies product does not make it a platform.
So can you talk a little bit about that flood that's out there and whether that confusion is spreading to any of your customers or whether they see through that issue and understand the importance of the expense of the platform and the breadth of your product line?
Well, thanks, Alex. It's a great question. And I think if folks are looking at us as just an endpoint company, pigeonholed endpoint company, they're really missing the big picture. I mean that's as simple as I could say it.
We've proven that we are a platform company, as I said before, the sales force of Security 21 modules. You can look at the attach rates. And when you talk to customers and if folks really do their homework, and they talk to customers, they will see the value, and they see how we're consolidating there.
So when we think about XDR, you have to start with the best EDR in the market, which is ours. It's been validated by Gartner and others and IDC, I mean, down the list. And the extension of EDR is XDR, right? And as a company who pretty much pioneered cloud-delivered endpoint security with Threat Graph and the massive data moat that we have by combining that with some of the technology we acquired from Humio and our Threat Graph.
I think we're in a unique position to be able to drive additional threat detection outcomes as well as the declaration of the threat narrative, right, the attack narrative. And that's independent of Humio as a stand-alone log management observability platform.
So we're really driving a lot of innovation in this area. And to your point, if you are just kind of a SIEM vendor now trying to glom on to XDR as an acronym, it's not going to work. You have to start with the best EDR in the world. And in my opinion, that's CrowdStrike.
Thank you. Our next question is from Brent Thiel of Jeffries. Your line is open.
You have Joe on for Brent. I really appreciate the question. Burt, can you just walk through the puts and takes of margin? I think guidance implied 150 points of contraction in that 4Q. Is that acquisition-related travel investment? And then, maybe just how we should think about leverage going forward on an annual basis?
Yes. So first, let me start with operating margin in total. So we're really proud of where we came in this quarter, over 13%. And a lot of that is attributable, obviously, to the unit economics that we were able to garner certainly on the sales side. So whether you pick magic number or you pick Rule of 40 that we talked about in the prepared remarks, that's driving a lot of that operating margin.
When we think about the future, I think about a few things. One is that we have opportunity starting at the gross margin level. I think that we -- not long ago, I raised the long-term range of our gross margin expansion capabilities and opportunities, and I think that we have an opportunity to do that, and we're investing to do that.
And then as you go down the rest of the P&L, I think that as we continue to grow in scale, we're looking for opportunities to continue to leverage our strong model. But at the same time, we want to invest aggressively. We're not going to move away from that strategy.
And then in R&D, I think in investing in innovation is key and core to who we are. So I think that we're going to continue to keep our eye on that and invest in exactly what I talked about to be able to go after that massive opportunity that we see ahead of us. So that's how we think about it.
Thank you. Our next question comes from Matt Hedberg of RBC Capital Markets. Your line is open.
George, FileVantage for file integrity monitoring, it looks like a great addition to the platform. Can you talk about sort of what customers are saying? I know it was just launched, but sort of why is that such an important piece of a CISO sort of like data security fabric in sort of this new post-COVID world?
Yes. Thanks, Matt. It's a good question, and we're excited about this technology. And again, it goes to our strategy of consolidating agents and getting rid of other technologies that are costly and complex and weigh the system down.
When you think about FIM, it's pure and simple compliance requirement. When you think about things like PCI and in the financial services industry, you have to understand what files change and who changed them and implement controls around that. So we've been able to do a lot of that for a long time.
We've enhanced some features, put it into a module. And it's been extremely well received because it is literally a check box for just about any company that's out there, given the current regulatory frameworks and the various standards that exist.
Thank you. Our next question comes from Roger Boyd of UBS. Your line is open.
A follow-up on the CISA contract. Can you talk a little more about the selection process here, how competitive it was? And really, the role -- you mentioned threat intelligence, but the role that that an incident response played in helping achieve this, especially if the federal government gets more collaborative through programs like JCDC.
Yes. Anything in the federal government is competitive, as you know. Just -- that's by design, that's the way to do it and certainly believe in great partnership with them, and we believe it's a great technology choice and a proven technology choice and something that I've been saying for a long time that the government needs. So we're excited about the early partnership here.
And when you think about threat intelligence, again, having a very unique group, there's maybe one other company that has an intelligence capability as robust as ours. And they're not in the endpoint security space anymore. So from my perspective, it drives value, not only for the U.S. government, but it really is a differentiator across all of our customers, right?
We understand what the adversary is doing. We understand how to identify these sort of attacks. We program that into our AI technologies. And again, taking an adversary-focused approach is important to stopping breaches. And then you combine that with other services that we have and some of the managed services, again, very differentiated and I think going to be a great outcome for the government.
Thank you. Our next question comes from Brian Essex of Goldman Sachs. Your line is open.
Maybe George, if I could just have us unpack the new logo adds a little bit, it looks like a nice increase in new ARR. It looks like the landed cost of the logos that you added were a bit higher. Was it better strength from upmarket a little bit? Was it better, I guess, breadth of sale into the pipeline? Maybe if you could help us understand a little bit behind the drivers and what drove kind of the larger average customer ARR in the quarter.
Brian, it's Burt. I'll take that one. So first, we're really pleased with the Yes, no problem. We are very pleased with the net new logo adds in the quarter. It's also, I think, the fact that we were able to show acceleration in net new ARR was a big deal for us. Over 1,600 new logos, that's the second time we hit that high watermark, again, really excited about the performance on the net logos.
In terms of where they came in on, I think that we had exceptional performance across the board. If I was to kind of highlight anything in particular, we saw some strength in the enterprise and the mid-market as well as MSSP. And so when you put that all together, along with some of the prepared remarks on the increase in the $1 million deals, you were able to see the performance that we were able to put on the board.
And remember, I talked about the fact that we had no outside or no oversized or outside deals that contributed to this quarter. And that's the -- that, again, talks to the strength of the platform and the broad-based success that we had this quarter.
Thank you. Our next question comes from Rob Owens of Piper Sandler. Your line is open.
This is Justin Roach on for Rob. Just wanted to follow up around the cloud security solutions like your CSPM and CWP. Have you guys seen any increase in competitive pressures in this area, given the number of players coming out it from both the network and the endpoint side? Or do you guys still view this as a largely greenfield opportunity?
I think it's a largely greenfield opportunity. Obviously, you have a lot of early-stage companies out there, but this is so early in the life cycle, and it's a massive opportunity for all the players that are out there.
We think we're in a great position because a lot of the players actually don't have the run time protection, which is important. You have to tie those two together. It just -- it isn't just about connecting, getting information from APIs, right? And although we do that in a differentiated way because we've basically ported some of our indicator of attack technology across that agentless technology, tying them together, I think, is really important for customers.
A lot of these big wins involve cloud wins. Burt talked about the number of servers that we have. So tying together CSPM with Cloud Workload Protection and things even like vulnerability management, we have that technology. Yes, it works against desktops, but we can be inserted in the CICD pipeline. We can look for vulnerabilities that are in images, we can prevent them from being deployed. So these are all key elements of creating a technology that's widely adopted by DevOps.
Thank you. Our next question comes from Jonathan Ruykhaver of Baird. Your line is open.
Congrats on that strong execution. You've talked about the benefits of Humio as it relates to data ingestion and just the additive nature to Threat Graph and obviously, the push into a broader XDR use case. And George, you touched on this in your comments, but just wondered if you could talk a little bit more what you see around the log management observability use case and how you see that contributing to the overall platform near term and longer term?
Well, we've had some big wins this past quarter with Humio, even outside security. Certainly, security is a use case, but observability and telemetry, it really is a telemetry platform. And if you think about today's environment, all the various technologies out there, all the information they're gathering, you have to have a telemetry platform like Humio to make sense of it all at scale.
So, it's been an amazing opportunity for us since acquiring the Company. I think we underappreciated what a huge opportunity is out there, particularly a lot of dissatisfaction with current vendors, and how open people are to wanting to switch into a technology like Humio. We've got a lot of customers that we're working with right now. And I see that, as I said before, really as a shining star, as a massive business opportunity and revenue driver for us in the future.
When you say that, is that including Falcon XDR? Is that more on the log management and observability use case?
Well, it's a good question. Falcon XDR is going to give you essentially a threat detection outcome and some visibility into an attack scenario that starts beyond the endpoint. When you think about a Humio, you can log everything. You can store it pretty much forever. You can connect it to whatever you want to connect it to, and you can drive observability information from things that are outside just core security, things like connecting it to your HR system, to your performance management systems, to all the various workflows in your environment. That's not the use case of XDR. Security use cases XDR and Humio goes way beyond that.
Thank you. Our next question comes from Patrick Colville of Deutsche Bank. Your line is open.
Can you just talk about partnerships? I mean, you hopefully shared a statistic in the kind of opening remarks around, if I'm not mistaken, 30% sequential growth in partner-sourced deals. I guess, is that right? I'm just hoping to understand that the kind of partnership dynamic. And I guess the reason I ask because I know that some of the investors have a concern that other next-gen EDR vendors are more partner-friendly. So kind of any color you can give around CrowdStrike and partnerships and kind of try to quantify the trend you're seeing there would be very helpful.
Sure. Sure. Let me just clarify to be very specific. It was 30% quarter-over-quarter on MSSP growth and triple digits year-over-year. So we're extremely partner-friendly. I think there's a lot of noise in the system, and people probably should talk to some of the larger partners that are out there because that's where we are sourcing our business from.
Our partner opportunities are up. Our partners are making a lot of money jointly with us. And our goal is to be a partner-first company. So -- and that's what we've done. We've been very consistent with that. And as you said, it's -- and you rightly point out a lot of FUD that's in the environment.
Thank you. Our next question comes from Josh Tilton of Wolfe Research. Your line is open.
This is Strecker on for Josh. I just have one for Burt. So you mentioned the net new seasonality -- net new ARR seasonality will be less pronounced, and that makes sense. But as we start to model next year and the net new ARR seasonality, I'm not looking for guidance, but is there any -- is there a year we should look to as framework? This year, we had a sequential increase from 4Q to 1Q. We're not expecting that again. But just any color or goalpost you provide looking out to next year will be very helpful.
Sure. So first, let me start with that Q4 is off to a great start. We've got the record pipeline, record momentum, and we already landed a notable financial large financial -- global financial institution, so off to a great start in Q4.
But again, we're coming off of a record Q3 at $170 million net new ARR super proud of that record and obviously really strong throughout this year. So when you -- when we look at comps, obviously, my comments are more to the fact that when we guide and we're guiding to revenue, we don't guide to running the tables.
We guide to what we know, not to what we don't know. And so that comment just wanted to put everything into perspective for us. The numbers are getting bigger and bigger, and that's great for us. But as you know, when you think about the law of large numbers, then you're going to have -- and you don't guide to running the tables, that's why I put that comment in there.
Thank you. Our next question comes from Mike Walkley of Canaccord Genuity. Your line is open.
This is Daniel on for Mike. So the prepared remarks, you noted that your identity modules generated more net new ARR than Preempt did previously while they were stand-alone. Are there any notable customer segments you're seeing the strength in? Or was the demand pretty broad-based across the board?
Demand is broad-based across the board, and it really hit an inflection point. We've seen massive growth in it, as we said, more than all Preempt that they had as a stand-alone company. And the thing is we took the time and effort to do the integration right. Customers see the value of a single integrated agent. They understand that identity is critical to security. And we're the Company that's putting together runtime protection visibility with identity. And now with data protection, it's that triumvirate, that three-legged stool, and customers love it.
So we've seen some massive wins in retail, in financial services, in manufacturing. It is a massive problem across the board for any company. And as we pointed out, over 60% of the breaches don't even use malware. They're using things like identity, which when you look at the Sunburst attack from last year, obviously, that was a key contributor. So people are looking to shore that up. And it's actually a key element to stopping ransomware, above and beyond any malware prevention that's out there. So customers understand the value of it, and they understand that we have another stone, and it's been a big driver for us.
Thank you. Our next question comes from Shaul Eyal of Cowen Company. Your line is open.
Congrats on the quarterly results and guidance. George, I know there was a prior question about partnerships. My question is actually about the alliances that CrowdStrike has been leading and joining over the course of the past, I think 12 to 18 months, give or take. Is that beginning to have some impact on revenue and on net new customer additions, specifically in light of the fact that you have been adding 1,600 customers two quarters in your row now?
It's Burt. Can you just repeat the main bulk of your question because it got garbled a little bit? Your line is open.
Sure. Sure. Apologies. A question about alliances that you've been leading joining over the past 12, 18 months, is that, Burt, beginning to have some impact on revenue and net new customer additions. I'm asking, specifically given the 1,600 customers additions over the course of the past two quarters, now acting in a row.
Well, it has. And when you look at some of the companies that we've talked about in the past, I mean, there's a lot. I'm sure I can't single everyone out, but I think Zscaler is a good example. You look at that partnership, you look at what we're doing, what they're doing on the network side, the integrations that we're able to share data, what we're doing with -- from an XDR perspective, and it makes sense.
We're pulling them into deals. They're pulling us into deals, and we're meeting in the field and adding value to the customers and obviously gaining a lot of traction with those customers. And that's just one example. We're doing that across the board in our technology alliance partnerships.
Thank you. And our last question comes from Gray Powell with BTIG. Your line is open.
Great. So yes, I know you've talked about how you're more of a platform company than just an endpoint provider, but I'm going to ask an endpoint question, if that's okay. So just high level, the last two years in the endpoint space, it's just been really strong. I'd call it almost like a near perfect storm. How do you feel about the demand environment for the market as a whole, looking into next year just on a relative basis? Like do you think 2022 would be the same, better or worse than 2021 for the market?
I see it extremely strong. And when you look at the market in its totality, right, you have things like cloud adoption, cloud expansion, massive opportunity, and we've proven that with servers and what we're doing there.
When you look at the legacy players that are out there, the replacements, the Symantecs, the McAfees, Microsofts, et cetera, massive opportunity for us, that's a long tail. You don't do that in one year. So we see that as a big driver for next year.
And as I pointed out, even -- I mean, it's a smaller base, but even the next-gen players, we see those as opportunities as customers get dissatisfied as I pointed out with some of the players that are out there.
So -- and you got to bifurcate a bit into pure endpoint and cloud, and I see both as massive opportunities because, again, if you look at our overall customer count, it's fantastic, but it's still small in the grand scheme of customers that are out there. And there's still a lot of legacy technologies that are out there that are and will be displaced.
Thank you. I'm showing no further questions at this time. I'd like to turn the call back over to George Kurtz for any closing remarks.
I want to thank all of you for your time today, and we certainly appreciate your interest and look forward to seeing you virtually at our upcoming investor events.
Thanks again. Be safe, and we'll see you soon.
Ladies and gentlemen, this does conclude today's conference. Thank you all for participating. You may now disconnect. Have a great day.