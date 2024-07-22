da-kuk

CrowdStrike’s (CRWD) recent update failure was one of the most damaging IT incidents in history. While the early consensus appears to have been to buy the dip, this incident will have serious repercussions that aren’t currently reflected in CrowdStrike’s share price. While CrowdStrike could be an attractive short over the next 1-2 years, this is risky due to the strength of the company.

A better way to profit from the market’s under reaction to the incident could be a long position in SentinelOne (NYSE:S). While SentinelOne’s business has performed reasonably well since the company went public in 2021, the stock has struggled due to a combination of a high initial valuation and SentinelOne’s uncertain competitive positioning long term. If SentinelOne can capitalize on the CrowdStrike incident, this could change, as SentinelOne’s growth could accelerate while investor perception of the company’s long-term viability improves.

I previously suggested that CrowdStrike's valuation was stretched, making the stock vulnerable to any weakness. While I didn't foresee this type of stumble, CrowdStrike is now down over 20% and is still valued at a significant premium to peers.

I also suggested that SentinelOne still needed more scale to remain relevant as the cybersecurity market consolidates. CrowdStrike's mistake should be supportive of SentinelOne's growth over the next 12 months and could improve investor perception of the company relative to CrowdStrike, helping to reduce its valuation discount.

The Incident

The outage occurred after CrowdStrike released a sensor configuration update for Windows systems. This update created a logic error, resulting in a system crash and blue screen on impacted devices. Mac and Linux systems were not impacted. While this may not seem like a particularly large issue, it was exacerbated by the fact that it caused the complete failure of all impacted devices at the same time. A resolution also requires devices to be rebooted in safe mode so that the responsible file can be deleted, something that generally must be performed manually. For devices using Bitlocker encryption, users must also have the Bitlocker backup key for every affected machine.

Microsoft (MSFT) has now released a recovery tool to ease the burden of remediating the issue. This tool creates a bootable USB drive, which makes the recovery process less manual and doesn’t require admin rights.

In some ways, the incident could be considered relatively minor for CrowdStrike. It was a bad mistake, but isn’t indicative of a systemic issue. It is also something that can likely be resolved through a process change. The issue was caught fairly quickly and CrowdStrike provided a fix, but this is little consolation for customers left having to manually fix every affected device.

The Impact

The outage has affected an estimated 8.5 million Windows devices, making it one of the largest cyber events ever. In comparison, the WannaCry attack impacted an estimated 300,000 computers and caused around $4 billion in losses. Given that manual interventions have been required, just the direct cost of resolving the issue is likely to be in the hundreds of millions of dollars. Indirect costs for customers are likely to extend into the tens of billions of dollars, due to the widespread service outages caused.

CrowdStrike's liability is currently unclear but is widely expected to be limited as the company's contracts generally appear to limit potential losses to the contract value of the affected service. There is a risk that CrowdStrike’s liability extends beyond this, given the severity of the incident and the fact it should not have happened in the first place though. Even if CrowdStrike doesn’t end up having to make significant payments, it will likely face elevated legal expenses for an extended period of time as impacted parties seek recompense.

Insurance could also come into play but given the nature of the incident, it is not clear whether CrowdStrike or its customers are covered. Beazley, the Lloyd's of London insurer, suffered a significant share price decline on Friday, indicating investors expect at least some insurance coverage. Beazley provides insurance against business interruption and cybersecurity attacks.

Looking beyond the immediate impact of the event, there will likely be downstream consequences for CrowdStrike, and the cybersecurity market more broadly. CrowdStrike will lose customers, and it will likely be a non-negligible number of customers. This is going to be exacerbated by the fact that CrowdStrike's entire customer base has been deeply impacted at the same time. CrowdStrike will be overwhelmed by customer inquiries and will likely only be able to respond to a fraction of these in a timely manner.

While CrowdStrike is a solid company with a strong competitive position, its products aren't overly sticky, meaning customers can quite easily change vendors. This varies across the customer base, though. CrowdStrike now offers a broad portfolio of solutions, and customers that have adopted multiple modules are much less likely to churn.

CrowdStrike will also need to provide a meaningful percentage of its customer base with discounts or credits to prevent them from churning. This could be particularly problematic given that companies like Palo Alto Networks (PANW) have already been creating pricing pressure in the market. These discounts will likely weigh on growth, margins and cash flows in the coming years.

CrowdStrike will also likely face issues with its sales force. CrowdStrike's products have always been best in class, and likely a fairly easy sell for its sales force. Customers will now be demanding discounts and far more favorable deal terms. Deal cycles will also likely lengthen significantly as potential customers scrutinize CrowdStrike more closely. Sales personnel will therefore be left working harder for less compensation. This could result in increased employee turnover, with better performing sales personnel likely to be targeted by competitors.

The immediate impact will be on CrowdStrike’s customer base and net customer additions. Given that the incident occurred late in CrowdStrike's second quarter, the real impact won't be seen until Q3. Revenue growth and margins will likely be incrementally negatively affected as renewals roll through the customer base.

Longer term, there could also be regulatory changes or a shift in buyer behavior. The outage has garnered significant government attention globally, and in time, there will be inquiries. There is probably a desire for there to be less concentration in the endpoint protection market, although this may be hard to implement.

Many investors believe that the incident will halt the shift towards platformization given the risk of relying on a single vendor. While I understand this argument, the response to an incident caused by updating an agent on the endpoint isn’t likely to be introducing a number of agents to provide services currently provided by a single agent.

The Opportunity

CrowdStrike's failure has created an enormous opportunity for competitors due to its dominance of the market. Assuming CrowdStrike loses customers or finds it more difficult to attract new customers, competitors could benefit. Directionally, I believe the initial share price movements of the companies affected were correct, although I think that SentinelOne's stock should probably have moved higher, while CrowdStrike should have dropped more.

It is hard to see Microsoft benefitting given its involvement in the event. Palo Alto will likely be a winner, but its Cortex service will only appeal to a fraction of customers due to its costs. Palo Alto is also a large company, meaning any tailwind will likely be modest. SentinelOne on the other hand is relatively small and has an offering which is comparable to and competitive with CrowdStrike’s. If it gains even a few percentage points of market share, it will materially accelerate the company's growth. This is important as SentinelOne needs scale to drive profitability and improve investor perception of its viability as a standalone company.

Conclusion

There is a tendency to buy the dip, particularly with a high-quality company like CrowdStrike. This has generally worked in recent years and was my first thought when this incident occurred. It should be recognized that this is potentially a different situation, though, due to both the scale of the outage and CrowdStrike’s high valuation. The dip only really takes CrowdStrike’s share price back to early 2024 levels, and it could be argued that the stock is still overvalued, independent of the security incident.

Even with a fairly modest amount of churn and a small decline in win rates, CrowdStrike's revenue growth rate could gravitate towards 20% over the next 1-2 years. If this occurs, the company's revenue multiple will be unsustainably high, meaning the stock could drop back to something like $150-200/share. It is easy to forget that CrowdStrike was at these levels less than 12 months ago, prior to any service quality issues.

If CrowdStrike loses several percentage points of market share, SentinelOne’s revenue growth could accelerate by something like 10-20% over the next few years, making its stock look even more undervalued. If nothing else, CrowdStrike no longer looks invincible, which should be supportive of SentinelOne's valuation.