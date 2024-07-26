

Investment thesis

I'm upgrading CrowdStrike Holdings, Inc. (NASDAQ:CRWD) from a buy to a strong buy in light of last Friday's events and the pullback that followed. The stock was down over 14% on Friday and has been down around 17% since. I last wrote on CrowdStrike early this month with a positive thesis, arguing that "CrowdStrike stock will see more upside due to its strategic position in the cybersecurity space amid the AI moment through its AI-native Falcon Flex subscription model" and increased eight or more module deals. The stock has underperformed the S&P 500 by ~32% since I initiated with a buy. I stand behind my positive thesis on CrowdStrike, despite the investor panic that caused the stock to trade off.

I continue to see more upside for CrowdStrike as a leader in endpoint security going into 2025. In my opinion, the stock presents a very attractive buying opportunity after the massive pullback since Friday that deflated some AI-led positives priced into the stock. CrowdStrike is down over 31% over the last month versus the S&P 500, down 0.39%. The company has a firm footing in the cybersecurity space, and I see more upside after the events of Friday, which I'll get to shortly, subside.

What Happened: Technical Lens

Based on CrowdStrike's Preliminary Post Incident Review, the following is what happened on July 19th.

Part of the company's regular operations is to release a "content configuration update for Windows sensor" for the Falcon platform.

The Rapid Response Content uses a highly optimized engine and is stored in a "proprietary file that contains configuration data," meaning it is neither code nor a "kernel driver."

The problematic Rapid Response Content configuration update contained an "undetected error" and crashed over 8.5 million Windows-run devices.

Three rounds of testing were performed starting February 28th, 2024, and all the IPC Templates "performed as expected in production."

On July 19th, two IPC Template Instances were added, and a bug in the content validator for one of them caused the BSOD (Windows operating system crash), resulting in a worldwide outage.

The aftermath

The entire world awoke to a bitter taste in its mouth called the "Blue Screen of Death," and CrowdStrike is to blame. Through a post on X, CrowdStrike CEO George Kurtz said the outage was not a "cyberattack" but a "defect found in a single content update for Windows hosts," affecting over 8.5 million Windows devices. From what we know now, the issue was because of CrowdStrike's Falcon, where a "bug" in the Content Validator didn't get flagged despite "containing problematic content data," causing a worldwide disruption in several key sectors (airlines, healthcare, banking). The issue was resolved for the most part later on Friday, but numerous companies required manual work to reboot their systems, and others dealt with backlogs after the fact. The incident had such a wide scale that, on Monday, the U.S. House of Representatives Homeland Security Committee wrote to CEO Kurtz and asked him to testify; the letter read that while the congressional panel is appreciative of CrowdStrike's response, "some have claimed [this] is the largest IT outage in history." For me, this showcases how embedded CrowdStrike's products are in the global community.

This was less of a positive for others, as the insured losses from the event are expected to be around $540 million-$1.08 billion for Fortune 500 companies. Parametrix CEO Jonatan Hatzor said the crash was the biggest "accumulation event we ever saw in cyber insurance" and that it "traveled very fast and was very global." As for the global financial losses, Hatzor said they are estimated to be around $15 billion.

Elon Musk posted on X that CrowdStrike has been "deleted from all our systems, so no rollouts," but according to trusted sources, numerous employees in a couple of states were sent home early on Friday, and staff received notice that systems were impacted. I believe this is just another add-fuel-to-the-fire situation; Musk didn't go into specifics regarding what part of his operations doesn't use CrowdStrike anymore and hence inflated investor panic.

But the glass is half-full on this side. In my opinion, CrowdStrike's response and the steps it took after the fact, through supporting partners and customers and implementing new software resiliency and testing procedures, show that the company is ready to face unexpected and unprecedented errors. I know it was no joke, and the extent of the damage is significant, but management's disciplined execution after the fact reflects how well-equipped CrowdStrike is to be at the center of a worldwide outage. The company already came up with a post-incident strategy to ensure this is the first and last time:

The company is improving the Rapid Response Content testing by using five more testing types: local developer testing; content update and rollback testing; stress testing, fuzzing and fault injection; stability testing; and content interface testing.

CrowdStrike will also add validation checks to "guard against this type of problematic content from being deployed in the future" and improve its error handling.

The company will also implement a "staggered deployment strategy for Rapid Response Content," improve monitoring, give customers more control, and provide update details through release notes.

Lastly, CrowdStrike will allow independent third-party validations.

Seeing as this was a "bug" and not a cyberattack, I think everyone was worried about the wrong incident; with that being said, I believe Okta's October breach last year warranted a bigger reaction. The world is on edge with increased cybercrime over the last few years, and I wrote about this in my Okta, Inc. (OKTA) article. I think this awoke a fear we all share amid a fast-changing industry; all this should be less about CrowdStrike and more about how "disruptive and malicious and widespread cyberattack could be."

What's next?

But then again, a company with such operational excellence and healthy fundamentals should recover; I see this as merely market chatter, and I expect CrowdStrike to have minimal downside in the long term. The panic will be over before we know it, and I advise investors to buy the dip.

I stick with my thesis and expect to see "net retention rates growth and top-line beating expectations for FY25, driven by new customers and multiple module deals combining eight or more modules." CrowdStrike is instrumental to many businesses globally. SentinelOne, Inc. (S) stock soared in reaction to the outage, and people assumed it would be the next CrowdStrike; I'm not too worried about that happening. On the contrary, I see this as another marker of CrowdStrike's global and vital position in the cybersecurity sector. With Falcon, I don't see anyone dethroning CrowdStrike as a leader in endpoint security.