CrowdStrike: The Future of Cybersecurity
Investment Thesis: The World Economic Forum (WEF) 2020 Global Risk Report reported cyber attacks as a top 10 risk in terms of likelihood and impact. With an expected, 75 billion connected devices by 2025 and 6 billion connected people by 2022 cybercrime will become increasingly more prevalent. CrowdStrike's Falcon platform provides a strong competitive advantage and allows the company to easily expand into markets outside of endpoint/workload protection. These factors fuel an increasing TAM and provide CrowdStrike with significant upside potential.
Cloud Adoption
As a result of the pandemic, we live in a world where societal norms have seen years worth of advancement in a few months. For example, 42% of the US labor force was working from home full time due to the pandemic according to a Stanford study. The U.S. Bureau of Labor Statistics reported that only 7% of civilian workers in the U.S. had the flexibility to "telework" in 2019. This dramatic shift to remote work has resulted in a sudden increase in demand for cloud solutions as organizations look to enhance workforce mobility.
As companies realize the benefits of using cloud solutions it's unlikely they revert to legacy on-premise solutions. According to Salesforce, 94% of businesses claimed to see an improvement in security and 53% saw faster revenue growth than their competitors after switching to the cloud. Cloud solutions also tend to be more cost-effective and improve the scalability of businesses. Proliferating cloud adoption has created gaps in the advancements in cloud solutions and cloud security leaving companies exposed to devastating cyberattacks.
Growing Cyberattack Surface
A report from Cisco states there will be 3x more networked devices on Earth than humans by 2023 and Internet of Things (IoT) devices, any device with the ability to connect to a wireless network and transmit data, will represent 50% of total global devices. Cisco reported 31 billion IoT devices in 2020 and expects the number to increase to 75 billion by 2025. Additionally, 6 billion people are expected to be connected to the internet by 2022 compared to 5 billion people in 2020.
This growing trend in the number of networked devices and people has led to massive amounts of data being generated. Total data stored globally is expected to exceed 200 zettabytes by 2025. Approximately 100 zettabytes of this data are expected to be stored in the cloud. (To put this into perspective, 1 zettabyte = 1 billion terabytes.) An expanding cyber attack surface provides more opportunities for cybercriminals to attempt to access this data and launch cyberattacks. The downside is that as the number of IoT devices increases, so does the number of endpoints cybercriminals can use to access private data and launch cyberattacks.
Source: Cybersecurity Ventures
Cybercrime
Cybercrime is the fastest growing crime in the U.S., and attacks are becoming increasingly more sophisticated and costly for victims. Cybercrime is expected to cost the world $6 trillion annually by 2021 and $10.5 trillion annually by 2025 compared to $3 trillion annually in 2015. This makes cybercrime more costly than natural disasters ($306 billion), more profitable than all global drug trades combined, and the 3rd largest economy behind the U.S. and China.
According to Mastercard, 60% of cyberattacks are directed at small-medium businesses (SMBs), and the average cost of cyberattacks to SMBs was over $2 million. In fact, 60% of small businesses who experience a cyber-attack go out of business within 6 months.
The fastest-growing cybercrime is ransomware, a malware that restricts access to data until a ransom has been paid. It's expected that a business will experience a ransomware attack every 5 seconds by 2021 compared to every 40 seconds in 2016. The cost of ransomware attacks is expected to reach $20 billion by 2021 or 57x more costly than 2015. The cost of ransomware attacks will continue to rise as data continues to become more valuable to organizations and individuals.
Ransomware is only one of the many types of cyber-attacks. Going into detail about each kind isn't the purpose of this article but these statistics should provide insight into how cybercrime will become an increasingly more prevalent issue in the future for individuals, businesses, and governments.
Source: Cybersecurity Ventures
Artificial Intelligence
Cybercriminals and cybersecurity firms are in an arms race to implement artificial intelligence (AI)/machine learning (ML). The implementation of AI/ML allows cybercriminals to create self-learning automated malware attacks that don't require much human oversight and can be launched at scale.
Jack Blount, president, and CEO at Intrusion, Inc. gives a high-level description of how AI/ML-powered cyber-attacks work:
The enemy is now using AI (artificial intelligence) against us. It’s critical for business and government to understand the average cyberattack is not coming from a person at a keyboard — instead it’s coming from an AI algorithm running on a supercomputer and it’s going night and day attacking every IP address it can find on the internet. It doesn’t care if you’re small or big.
As cyber adversaries increase the sophistication of cyber-attacks with the use of AI it's important that companies leverage AI themselves to defend against these attacks.
CrowdStrike
CrowdStrike (CRWD) is a cybersecurity company that leverages AI to proactively search for threats and shut them down before attackers can launch destructive attacks. CrowdStrike prides itself on being the first cloud-native endpoint security platform on the market. However, the company has branched out from securing just endpoints (devices and servers) to securing workloads (virtual, containerized, IoT, mobile, cloud, and data centers). As mentioned above cloud adoption, IoT devices, and the number of people connected to the internet have continued to increase exponentially. This means a greater cyberattack surface for CrowdStrike to protect and therefore an increasing TAM.
Falcon Platform
CrowdStrike's Falcon Platform provides a powerful network effect by leveraging 2 distinct proprietary technologies. Here's how the Falcon Platform works:
Falcon Agent: This single intelligent lightweight agent sits on the endpoint and streams data to Threat Graph to offload computationally intensive tasks to the cloud. The agent provides local detection and prevention capabilities but remains nonintrusive and continues to protect the endpoint even when offline. This means the agent delivers powerful endpoint protection without burdening endpoints with multiple agents and improves end-user productivity. Additionally, the agent can be installed in 30 seconds and doesn't require a reboot. This allows for companies to implement CrowdStrike's services at scale with ease.
Threat Graph: Threat Graph uses AI algorithms to continuously look for malicious activity in the data streamed from the agent. Threat Graph processes and analyzes over 4 trillion events per week (up from 1 trillion per week in 2019) and maintains an index of these events for future use. Threat Graph's AI capabilities allow it to learn from potential attacks and benign behavior. This means as more events are processed by Threat Graph, the AI algorithm's efficacy increases, and the number of false positives decreases. Essentially if one customer experiences an attempted breach Threat Graph will recognize the attempt, learn from it, and protect all other customers using CrowdStrike's services from a similar attack all in real-time. This creates very powerful network effects.
Modules: Crowdstrike currently offers 16 modules that can be added to the Falcon platform that extend the functionality of the platform. These modules span across the following areas: Security & IT Operations, Endpoint Security, Managed Services, Threat Intel, and Identity Protection (through the acquisition of Preempt Security). These modules will be critical for the company to expand outside of strictly endpoint protection.
CrowdStrike Store: Recently, Crowdstrike added the CrowdStrike Store. This is the first open cloud-based application platform for endpoint security. The store provides an ecosystem of trusted third-party applications where developers can utilize data collected by CrowdStrike to write their own programs and expand the functionality of their existing security systems. Customers have the option to purchase products developed by third-party developers within the store.
Source: CrowdStrike Investor Presentation
Professional Services
In addition to the Falcon Platform, CrowdStrike provides its customers with incident response (IR) services and proactive services to organizations experiencing a breach or looking to review their security infrastructure. This a significantly smaller portion of the business representing only 9% of total revenue in FY20.
In 2019, every $1 earned through professional services was converted into $3 of subscription revenue, that number increased to $5 in Q3 FY21. While professional services may be a smaller portion of total revenue it is an important driver to subscription revenue..
Business Model
CrowdStrike's pricing structure is based on per module per endpoint per year. This pricing structure has resulted in strong revenue growth since IPO with 93% YoY growth in FY20 and the CAGR for revenue from FY17 to FY20 is 109%. The company's key growth drivers in the future will be the following:
Expanding the customer base: Penetrating new markets and expanding the customer base will lead to sustained growth in the future. CrowdStrike's go-to-market ((GTM)) strategy involves a direct sales team that focuses on selling subscriptions to the Falcon platform by leveraging a network of sales channels. In the most recent earnings call, Kurtz announced a partnership with EY that has already led to multiple deals and will continue to help facilitate deals with large enterprises.
CrowdStrike reported a record pipeline for Q4 which included large enterprises, mid-market, and commercial accounts.
Currently, CrowdStrike only sells to enterprises. I would like to see them offer a next-gen antivirus (NGAV) solution to individuals in the future.
CrowdStrike also sells its services on the AWS marketplace. This allows customers to purchase and deploy CrowdStrike's solutions through AWS. This has been an important driver for subscription revenue. Partnering with Azure and GCP would be a very effective way to continue expanding its customer base.
Expanding spending among existing customers: CrowdStrike's cloud-native architecture gives it the ability to quickly build and deploy new modules with the data Threat Graph collects and allows for an efficient way to increase existing customer spending. Deploying these cloud modules requires no reboot, no new agent, and can be done in real-time which saves time and money for customers. This allows CrowdStrike to employ a low friction land-and-expand sales strategy to sell modules.
Tap into new markets: CrowdStrike doesn't utilize the full potential of the data collected by Threat Graph. This was one reason for the CrowdStrike Store, it allows third-party developers to leverage CrowdStrike's data in ways they haven't thought of before. When developing the Discovery module for IT operations, it was the customers who told CrowdStrike they had the ability to provide more value to its customers with the data collected from endpoints. CrowdStrike added features by listening to their customers and this resulted in Discovery becoming one of the more popular modules with 45% of the customer base utilizing it as of Q2 FY21.
CrowdStrike began as a cloud-native endpoint protection provider that leveraged AI to create the NGAV. Since its inception in 2011, CrowdStrike has expanded to protecting workloads and has added modules that expand outside of strictly endpoint protection (IT Ops, Threat Intel, Managed Services, and Identity Protection). CrowdStrike's innovation and ability to rapidly bring new modules to the market will continue to increase the TAM.
International Expansion: As of FY20, CrowdStrike reported that the United States represented 74% of total revenue compared to 84% in FY18. CrowdStrike's platform is used by organizations across 176 countries. This indicates CrowdStrike has substantial room to grow abroad.
Only 26% of EU enterprises used cloud computing in 2018. As benefits of cloud computing are realized this number is expected to increase. This will contribute to the attack surface CrowdStrike can protect and the TAM.
CrowdStrike does have a physical presence abroad with support centers for IR services in the UK, France, Germany, Australia, Japan, and India.
Cloud Adoption: Perhaps the most important factor for sustainable growth will be the adoption of cloud computing among all organizations in the future. As discussed above, cloud adoption has increased rapidly due to the pandemic and it's very unlikely organizations revert to on-premise solutions once the pandemic is over.
Rapid cloud adoption has resulted in a gap between the advancement in the cloud infrastructure and IT/Security infrastructure of companies. Gartner expects IT spending to reach $1.3 trillion by 2022.
The global Cloud Security market is expected to reach $68.5bln by 2025 compared to $34.5bln in 2020 (CAGR of 14.7%)
Execution in these areas will be important for the company's future growth. CrowdStrike's strong competitive advantage among its competitors will provide an edge over its competitors as it continues executing its growth strategy.
Moats
Network Effects
Threat Graph provides powerful network effects because it becomes smarter as more data from endpoints is processed. As the customer base increases, the platform will provide more value to each user. This was discussed above.
Counter-Positioning
CrowdStrike was the first to build a cloud-native solution for endpoint/workload protection. This allows CrowdStrike to store high fidelity data in the cloud with Threat Graph, lessening the burden on customers' endpoints. CrowdStrike's intelligent agent automatically filters which data is stored locally and which data is streamed to Threat Graph and does so in a cost-effective manner. This is an important distinction from competitors who typically store data on endpoints and have to manually clear data from endpoints through queries.
The reason a cloud-native environment provides moat for CrowdStrike is that it is difficult for legacy competitors to replicate their solution. CrowdStrike has spent years creating their cloud architecture, their intelligent agent, Threat Graph, collecting data, and building their workflow. This would be very difficult to replicate for companies that still provide legacy on-premise solutions. Even if an incumbent decided to take on the challenge CrowdStrike will only continue to collect more data, improve their solutions, and realize economies of scale through their cloud-scale AI in the time it takes to build a similar competing solution. This approach wouldn't make economic sense for an incumbent.
The durability of this moat will deteriorate over time as new competitors begin to offer similar cloud-native solutions. However, the moat provided by the powerful network effects of Threat Graph will continue to strengthen CrowdStrike's competitive advantage as more data is processed and analyzed. I expect CrowdStrike to leverage its competitive advantages and expand into other areas of cybersecurity outside of endpoint/workload protection.
Financial Performance
CrowdStrike has reported phenomenal growth since its IPO. Revenue growth for FY20 was 93% YoY and 86% YoY in the most recent quarter ((MRQ)). Subscription revenue from the Falcon platform continues to drive revenue representing 91% of total revenue in FY20. Subscription revenue growth was 99% YoY in FY20 and 87% YoY MRQ. Professional Services revenue only represented 9% of total revenue in FY20 but growth has been growing with 48% YoY growth in FY20 and 74% YoY growth MRQ.
Gross margins have continued to improve for the company. CrowdStrike reported a gross margin of 71% in FY20 and 74% MRQ compared to 65% in FY19. The company has yet to report an operating profit on a GAAP-basis. Operating loss for FY20 was -$146.1m representing a -30% EBIT margin. Operating Loss for the MRQ was -$24.2m representing a -10% EBIT margin. These losses aren't concerning as the company continues investment in sales and marketing and R&D to grow the business. Operating margins have also continued to improve as the has the company grown.
The company does report positive operating income on a non-GAAP basis which is primarily driven by the add-back of stock-based compensation (SBC).
CrowdStrike reported its first FCF positive year in FY20 with $12.5m in FCF representing a 2.6% FCF margin. However, FCF excluding SBC was -$67.5m in FY20 representing a -14% FCF margin. MRQ FCF was $76.1m representing a 32.7% FCF margin and excluding SBC FCF was $35.5m representing a 15.3% FCF margin. FCF has continued to improve since FY18 however SBC has been a large component of it. I'd like to see more organic growth in FCF in future periods.
Company-Specific Metrics
CrowdStrike reported 5,431 subscription customers in FY20 representing a 116% YoY increase and reported 8,416 customers in Q3 FY21 representing an 85% YoY increase.
CrowdStrike reports an annual recurring revenue ((ARR)) metric which measures the amount of recurring subscription revenue annually. ARR in FY20 was $600.5m representing a 92% YoY increase and $907.4m MRQ representing an 81% YoY increase.
CrowdStrike reports a dollar-based net retention rate (DBNRR) metric which measures how much each cohort of customers spend year-over-year. DBNRR for FY19 was 147% and for FY20 was 124%. This means existing customers spent 47% more in FY19 than the prior year and 24% more in FY20 than the prior year. Expanding the number of modules offered on the platform will be crucial for maintaining a DBNRR greater than the 120% benchmark set by the company. Gross retention of customers has consistently been 98% since FY19 showing low churn among subscription customers.
Clearly CrowdStrike has seen tremendous growth over the past couple of years. These high levels of growth aren't sustainable for the long-run but if CrowdStrike manages to continue expanding into markets outside of strictly endpoint protection it will increase their TAM and allow CrowdStrike to maintain growth well above its competitors.
Competitive Landscape
The closest competitor to the Falcon platform would be Vmware's, Carbon Black. Carbon Black is a developer of cloud-native endpoint protection and was acquired by VMware (VMW) in October 2019. Carbon Black offers a similar solution to the Falcon platform that involves AI/ML and a proactive approach to endpoint security. However, Carbon Black is only one of the numerous solutions VMware provides. In addition to endpoint security, VMware provides solutions for network and cloud security. VMware is also a much larger company than CrowdStrike with $10.8bln in revenue for the most recent fiscal year.
Palo Alto Networks (PANW) is similar to VMW with solutions for endpoint protection, network security, and cloud security. PANW is a larger competitor as well with $3.4bln in revenue in the most recent fiscal year. PANW offers a similar endpoint protection solution as CrowdStrike as well.
It will be difficult for CrowdStrike to compete against these larger players who already offer similar endpoint protection solutions and solutions outside the realm of endpoint protection. Nevertheless, I think CrowdStrike's ability to extend the functionality of the Falcon platform with the addition of modules is an important differentiator among its competitors. This will allow customers to manage endpoint security, network security, cloud security, and other solutions CrowdStrike develops in a single platform. The modular architecture of the Falcon platform combined with the ease of deploying new agents provides a user experience competitors don't offer.
Valuation
The cybersecurity market has quite a few players that are spread out over different areas of cybersecurity. Zscaler (ZS) and Okta (OKTA) are two cybersecurity companies that have seen similar growth to CrowdStrike in 2020.
Zscaler and Okta provide services related to network security and identity management. Zscaler focuses on providing solutions for workers to securely access private applications and networks which has been crucial in the current work-from-anywhere environment. Okta focuses on identity management by allowing users to access all their applications by signing into the Okta platform as opposed to individually signing in to each application with two-factor authentication. Both companies have partnered with CrowdStrike to enhance their solutions for customers. However, CrowdStrike may be looking to enter into the identity protection market with the recent acquisition of Preempt Security. These companies aren't direct competitors yet as they have long runways ahead of themselves in their respective markets but I think there will eventually be some consolidation among the many players in the market.
Financial performance among all three players has been excellent with strong tailwinds from the pandemic. The key difference is CrowdStrike's annual revenue growth of 93% YoY which is 2x the growth of both Okta and Zscaler. Additionally, Crowdstrike's TTM revenue is similar to Okta and 2x that of Zscaler.
CrowdStrike has struggled to maintain similar gross and operating margins relative to Okta and Zscaler in the past but has seen substantial improvement in margins since FY18.
At first glance, Crowdstrike seems expensive trading at a TEV/Revenue multiple of 36x and at 29x next-twelve months ((NTM)) TEV/Revenue. Given CrowdStrike's growth, strong competitive advantage, and the ability to expand outside of endpoint protection which will increase the TAM, I think CrowdStrike is fairly valued. CrowdStrike is a best-of-breed platform with a high-quality, high-growth business model and that shouldn't be cheap.
Additionally, CrowdStrike is trading at similar valuations to Zscaler and Okta while maintaining 2x the growth of both companies and improving margins. This comparison seems to show either Zscaler and Okta being quite overvalued relative to CrowdStrike or CrowdStrike being significantly undervalued.
Risks
Failure to enter new markets: CrowdStrike's future growth depends heavily on its ability to penetrate markets outside strictly endpoint/workload protection. Expanding to different markets within the overcrowded cybersecurity market will increase competition among CrowdStrike and current players in the market which may adversely affect financial performance.
Failure to expand customer base: CrowdStrike has plenty of room to grow its customer base both globally and within the U.S. This involves continuing to penetrate enterprises of all sizes and possibly offering a solution for individual consumers.
If the company can't successfully enter new markets it will limit the potential to expand its customer base. This would significantly stunt the growth potential of the company and invalidate my thesis.
Breach of or impairment to Falcon platform: If in any situation CrowdStrike's Falcon platform were to be compromised, it would be detrimental to the reputation of the company and its intellectual property.
Governments and enterprises may store highly personal or confidential data and trade secrets that need to be protected at all costs. Any breach under CrowdStrike's guard would likely have many existing customers rethink their relationship with the company. This would invalidate any bull thesis for me because CrowdStrike operates in a highly fragmented market where mistakes like these won't be easy to recover from.
Conclusion
With cybercrime officially being recognized as a major global risk by the WEF, it clearly is not something to be taken lightly. As cloud adoption, IoT devices, and the number of people connected to the internet continues to accelerate so does the cyberattack surface. Cybercriminals are continuing to increase the sophistication of their attacks with the use of AI/ML which makes it difficult for legacy cybersecurity solutions to defend against these attacks. As a result, companies and individuals need an equally sophisticated and powerful cybersecurity solution to protect themselves from these attacks.
CrowdStrike provides exactly this and is in a position to expand further from purely endpoint/workload protection with its ability to rapidly build and deploy modules that extend the functionality of the Falcon platform. If CrowdStrike manages to clear the obstacles it faces as it pursues its growth strategy I think there is room for substantial upside in the future. Currently trading at a $37bln market cap, I expect $60bln+ by 2023 as the cyberattack surface continues to rise exponentially.