CrowdStrike: Eating Microsoft's Lunch

Summary

• CrowdStrike dominates the Endpoint Security market with several key competitive advantages.
• CrowdStrike outperforms its largest rival, Microsoft, on a host of metrics.
• The company’s expansion down-market and into new verticals should continue to propel growth for the next decade.
• Industry leadership, exploding growth, significant operating leverage, and a hefty balance sheet help justify CRWD’s premium valuation.

Sundry Photography

Investment Thesis

Cybersecurity is arguably one of the most attractive markets for investment over the next decade, driven by massive tailwinds in data and cloud computing. CrowdStrike (NASDAQ:CRWD) redefined the market with its innovative Falcon platform in the 2010's and now holds a leading share of 17.7%. When stacked up against its largest rival, Microsoft (NASDAQ:MSFT), CrowdStrike outperforms in virtually every category. Continued product development and the leveraging of existing competitive advantages solidifies CRWD as the best play within cybersecurity. Huge growth and improving operating performance make the stock's premium price worth it in my view.

CrowdStrike's Competitive Advantages

The crux of CrowdStrike's competitive edge is its product innovation. The company's core cybersecurity offering is CrowdStrike Falcon, which more narrowly is focused on Endpoint protection (physical devices connected to a network). Falcon disrupted traditional cybersecurity norms in two key areas: use of AI-based (Artificial Intelligence) technology and cloud-native architecture, as highlighted in their S-1 filing. Previously leading firms like McAfee, Symantec, and even Microsoft were outpaced by CrowdStrike as they continued to rely on signature-based and on-premise solutions. CrowdStrike's focus on endpoint and the cloud has paid off. According to the company's threat report, 80% of breaches start at the endpoint and cloud exploitation has increased 95%. This makes sense given 94% of businesses utilize cloud services in some capacity and the persistence of remote work in many organizations.

Many of the legacy cybersecurity players still heavily rely on signature-based methods, which focus on identifying patterns or 'signatures' of malware viruses. The problem is, 71% of attacks are now malware free. Not only has Falcon's AI-based tech been shown to be more efficacious, as we will see, but it has enabled CrowdStrike to build up a massive store of unique data. The company's AI or Machine Learning ('ML') model trains itself on first- and third-party data of all breaches, attacks, or instances. Each occurrence learned results in an improved model, able to better predict and defend against future attacks. Falcon has a 99% detection coverage, able to report 75 out of 76 adversarial techniques measured in the MITRE ATT&CK evaluation. This ever-growing store of data and strong product quality gives CRWD an edge.

CrowdStrike has led the market for several years with a 2022 share of 17.7%. The company's customer retention numbers clearly exhibit a product and scale advantage. Here is some evidence to prove it:

• Exceeded 120% dollar-based net revenue retention rate every quarter since 2018
• Total subscriptions customer base (94% of revenues) has grown at a 5-yr CAGR of 79%
• 5 years ago, had only 400 customers with greater than $60k ARR, now a customer needs to spend more than $1M in ARR to be considered top 400
• 556 of the global 2000, 271 of the Fortune 500, and 15 of the top 20 U.S. Banks are customers

Another interesting fact is that in 2023, two executives from SentinelOne (S) left to join CrowdStrike's team, further highlighting their strategic edge against not only legacy firms Next-gen players as well.

CrowdStrike vs Microsoft

Microsoft Security does near $20B in revenue (10% of MSFT's total revenue) but only part of that encompasses Endpoint protection, Microsoft Defender for Endpoint. Microsoft comes in second with a 16.4% share in Endpoint Protection. Microsoft is CrowdStrike's largest threat, clearly exhibited by management's rhetoric this year. The executive team has made it a point to cite several customer case studies of converts switching from Microsoft to CrowdStrike. They've also released statistics alluding to their superior product and customer satisfaction. Here are a few that were mentioned:

• 8/10 times when an enterprise customer tests, they choose CWRD over MSFT
• CRWD has less complexity with only 1 agent and console, MSFT having up to 9 with multiple agents
• CRWD has a lower 'TCO' or total cost of ownership
• Microsoft Windows represents 95% of the compromised endpoints CRWD remediates
• When CRWD's incident response team investigates a MSFT customer that has been breached, 75% of the time MSFT Defender has been bypassed

Claims from management should be taken with a grain of salt as they are biased against competitors. Though I cannot prove the claims made, when looking at third-party comparisons, CrowdStrike's claims may carry some water.

I specifically looked at 3 independent comparisons from two highly reputable companies: Gartner and G2. The first study is Gartner's Magic Quadrant for Endpoint Protection Platforms. This study highlights the strengths and cautions of each company and showcases a scatterplot of the industry based on completeness of vision and ability to execute. As you can see, CRWD and MSFT are fairly neck and neck:

Gartner

Microsoft had strengths in market understanding, overall viability, surface management, log storage, and others with cautions in having numerous packaging and licensing permutations (more complexity), needing more experienced security staff, and lack of support for older OS's. CrowdStrike had strengths in market understanding, innovation, customer experience, overall viability, and product expansion with cautions in higher pricing, though they've been more aggressive with smaller customers, less coverage in a few areas, and a more immature XDR (Extended detection and response) approach than others.

Next, I looked at G2's direct comparison of CRWD Falcon and MSFT Defender. Here is a quick summary:

• CRWD rated higher overall with 4.7 stars (212 reviews), MSFT 4.4 stars (180 reviews)
• 56% CRWD reviews being Enterprises and 38% of MSFT reviews Mid-Market customers
• Users preferred CRWD, saying it met their needs better, had better quality of ongoing support, and featured more updates and product roadmaps
• CRWD beat MSFT in every single ratings category measured
• MSFT beat CRWD in a more features categories but both were comparable

Lastly, I reviewed Gartner's Peer Insights comparison. CrowdStrike handily outperforms Microsoft in this comparison with 4.8 stars (900 ratings) vs 4.4 stars (1351 ratings) and 97% willing to recommend CRWD vs only 78% willing to recommend MSFT. Additionally, CrowdStrike beats Microsoft in every category measured including overall capability, evaluation & contracting, integration & deployment, and service & support.

Each of these comparisons further support my view of CrowdStrike taking the cake within Endpoint protection. I believe Microsoft has advantages in other areas of security like log and surface management. They also will continue to be a threat just given the company's sheer size and resources. $20B in revenue, a large customer base, tons of cash for research & development, and being one of the frontrunners in the AI race are all reasons to respect Microsoft as a competitor. They even recently committed to a 250k headcount in Microsoft Security by 2025. Nonetheless, CrowdStrike's innovation and customer leadership, combined with their ability to navigate the industry and retain market share, makes them the clear winner in my view.

Growth Potential

Not only has CrowdStrike defended its market leadership, it also grew its share 3.8% in 2022. The company is not slowing down when it comes to driving growth. Firstly, the top 10 legacy (largely signature-based) vendors control 46.7% of the market, a healthy chunk for CrowdStrike to chew away at. In 2022, they added 6,694 customers representing growth of 41%. What's even more compelling is both existing and new customers are showing rapid module adoption within CrowdStrike's platform. CrowdStrike Falcon started with 1 module and has grown to 23 as the company innovated. In 2018, the average module count of new customers was 2. Now in FY 2023, the average was 4.8, proving the company's ability to cross-sell. Cross-selling to existing customers alone is a huge opportunity:

April 2023 Investor Briefing

A few new verticals also look to contribute to CRWD's continued growth. The company has a strategic focus on small-to-medium ('SMB') companies, international expansion, and other product segments. Customers under $100k in ARR grew 82% in FY23 with an average of 4.7 modules adopted. Strategic partnerships with Dell, AWS, and others should help propel lead generation in this segment. International revenue grew 57% YoY in Q4. And Emerging products via product development and acquisitions revenue grew 116% in Q4 FY23.

Operating Performance, Risks, & Valuation

The past few years have been characterized by growth and investment for CrowdStrike. But recently, management has shifted its focus to growth and profitability at scale. Gross margins have always been strong in the upper 70s but were weighed down slightly by lower margins of acquired companies last quarter. Operating expenses remain elevated at 81% of revenues (down from 83%) mainly due to a 46% increase in headcount. This is in contrast to many tech firms cutting headcount and is indicative of a healthy demand outlook. Operating margins are still negative but improving with potential operating leverage ahead.

The company reports a strong free cash flow margin upwards of 30% or $676M but this includes stock-based compensation of $526M. Though high 'SBC' makes sense given CrowdStrike's success, this doesn't represent free cash flow and presents dilution risk to shareholders. Additional operating and business risks are dilution risks with recent share issuances and the broader macroeconomy. Management touched on macro in the Q4 earnings call, highlighting the 'mission-critical' nature of cybersecurity and the durability they've seen against price increases and budget cuts. The company's massive cash position of $2.7B and low debt-to-capital near 30% allows for greater resistance against macro and operational risks.

The biggest risk for shareholders in my view relates to valuation. CRWD has historically traded at a premium. Its 3-year average forward EV/Rev is an astonishing 26x. Currently, that multiple sits at about 11x. Comparing forward EV/Rev and forward revenue growth to peers, CRWD looks a bit more reasonable.

Author, data from Seeking Alpha

Looking at a reverse DCF, the current stock price has high expectations baked in for CrowdStrike. To justify the current price, CrowdStrike would need to grow revenues at 38% annually for 10 years, achieve an average EBIT margin of 22%, and grow free cash flow at a terminal rate of 5%. Additional assumptions are shown below:

Author

I view CRWD as a long-term Buy given the tremendous business quality & competitive moat, huge growth potential, and improving fundamentals but caution investors regarding the stock's premium price.

Analyst’s Disclosure: I/we have a beneficial long position in the shares of CRWD either through stock ownership, options, or other derivatives. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Comments

[combatcorpsmanVN]

Why do Marketing majors always feel compelled to include "finance" in their resume? LOL - come on guys -- have some confidence.

[techdood]

Written by a Crowdstrike business dev rep on their lunch break. Looking at IT as a silo, sure this boat floats but it's no more buoyant than MSFT's Defender (which happens to be a destroyer in a larger fleet); look at how MSFT tackles business problems and crowdstrike's value is paltry.

[combatcorpsmanVN]

@techdood amen -- MSFT more like an Aircraft Carrier.

[combatcorpsmanVN]

Ai is the poison pill for CRWD -- not so with MSFT. The answer as to why requires some Research -- no free lunch -- do some work and see why MSFT knows.

[Tippsology]

@combatcorpsmanVN please explain? Because companies like CRWD and SentinelOne have integrated AI for several years to help their hunting efforts. People are acting like AI is a new thing all of the sudden. It has been utilized and improving for years.

[combatcorpsmanVN]

@Tippsology LOL - a little work doesn't kill a person. Agree, Ai has been around for decades.

[StateStreetBoston]

Can CRWD and MSFT run side by side for greater endpoint protection? I own a lot of shares in CRWD and have been very happy but if MFST bundles their offer it will concern me.

[Tippsology]

@StateStreetBoston you could run Falcon and Defender in the same enviro but I don’t know why a business would want to do that. CRWD wins on the MDR front. MSFT isn’t close to that level yet, nor am I sure they want to be. Defender and Azure Sentinel while looping in a SOC to manage the environment. CRWD brings it all together under one roof. But again, for those business that already pay for M365 E3 or higher…bye bye CRWD.

There is room for both companies to thrive. The other players should worry.

[StateStreetBoston]

@Tippsology thank you

[DChemistruck]

@Tippsology Microsoft's Defender Experts for XDR covers EDR, ITDR, Email/Teams/SaaS attacks. While Microsoft doesn't offer MDR, MXDR is more comprehensive at detecting multi-stage attacks that extend beyond just the endpoint.

Furthermore, you can shift your end-user SOAR to Microsoft's XDR platform without needing a SIEM. This means Indicators of Compromise can lockout devices/users before an attacker even finishes running a script. Whereas CrowdStrike uses Humio/Splunk for a traditional SOAR built on top of a SIEM because CRWD doesn't own a first-party Identity Provider and needs to rely on telemetry from other vendors, which introduces delays into event correlation.

Compared to Microsoft's solution, which runs entirely on Azure and benefits from the increased performance being able to use Microsoft's fiber-optic network to transmit logs for correlation without having to traverse the (slower) open internet, CrowdStrike will always experience network delays due to their multi-vendor XDR approach.

[JCC2015]

But $CRWD is nowhere in the very import EPP security aka $BB

[podniem]

Looking at 2 year charts, stock is recovering but it’s still in the lower beakers, even though evaluation is high
Why is that? PANW had much better recovery, it pulled back but shares continue to go up
Does anyone know why?
Potentially expenses….

[birder]

I very recently began a position in CRWD. It is already up 32%. I wish I had bought 5x as much.

[Tippsology]

You info is not exactly accurate. You aren’t factoring in how MSFT includes Defender in with their M365 E3 and higher plans. TCO easily surpasses the very expensive CRWD. Also, more business already integrated or close to pivoting to M356 level licensing are dropping their EDR incumbents and moving to Defender. The space is crowded, but rapidly shifting.

[Taylor Irwin]

@Tippsology I was quoting management’s claims here, not attributing them as true or false

[Comic123]

@Tippsology at the risk of being off topic, is there a realistic chance Microsoft acquires Tanium? Any thoughts greatly appreciated.

[Tippsology]

@Comic123 I think there is a real risk MSFT scoops up any up and coming MDR player in the market. They see security as a key future. And MSFT likes to bolt on rather than creat ;-)

[Seeburto]

Confirmation bias accepted.

[Erick The Tech Bull]

Outstanding corp. will surpass PANW as the Premier Cloud Security service. Currently holding calls with a strike price on $165. Have owned since Jan 2021

[hurricane85]

It seems very highly priced at the moment at ~12x sales, doesn’t it?

[bluescorpion0]

at $160 I see only return-free risk for the next decade for crwd

[PDXGuy]

Wish the ER would be jaw dropping one and lead to $200 next week 🤞. Hope they shall give a excellent forward guidance and forecast.

[motto5448]

If Mr Softy wanted that end market it would and could squash crowdstrike like a cockaroach

[brf69]

@motto5448 The customer service from Crowdstrike wins the space.

[Think Forward]

@motto5448 it's odd that you used that analogy since cochroaches have been on earth since before dinosaurs. Perhaps CRWD will also thrive...the corporate landscape is full of failed giants that have tried to be good at too may things all at the same time.

[TomKahlschlag]

@Think Forward Microsoft did fail in the past, and revived itself. In my opinion, the company has learnt from it.