Crowd Struck - Q4 2020 Transcript Summary

Another solid quarter - Crowdstrike reminds us why they are the best investment out there. YoY growth was 74%, and QoQ revenue growth was 14%, which is a bit below average for them, but generally better than most other growth stocks.

–Customer count ticked up 18% QoQ (82% YoY), threat graph processes 5 TRILLION security related events per week, and we got some detail on Humio as well as Preempt, both of which look like will be solid additions to the Crowdstrike arsenal.

–DBNER clocked in at 125%, N Gaap margins at 77%

–George Kurtz goes after Microsoft a few times.

–There is a theme that we’ve seen from Cloudflare to Zscaler and now Crowdstrike about Zerotrust and Sunburst. Effectively Sunburst has amplified the need for Zerotrust solutions, and this will be a long term tail wind for all 3 companies, but all 3 admit the tail wind hasn’t struck yet.

–You might look at guidance and say, 64% YoY is a big step down for a company that typically guides in the 70’s and 80’s. But then, if you look back at Q4 2019, they grew revenues 22% YoY, which was their best quarter as a public company EVER. A very tough compare. So, for sure, percent YoY revenue growth would go down when Q4 2019 is no longer a part of the equation.

CEO/founder George Kurtz Opening Remarks:
Second, as recent events such as the SUNBURST software supply chain attack highlight, stopping a breach is no longer just about protecting endpoints. It also encompasses cloud workload security, and identity protection.

Together, we are building what we believe will be the fastest, most cost efficient, and extensible cloud data platform that will deliver best-in-class visibility for security, as well as observability for IT operations.

We reached a significant new milestone, with ARR surpassing $1 billion, up 75% over last year. We believe this makes us the third fastest cloud-native SaaS company reported to reach $1 billion in ARR following fellow pioneers Salesforce and Zoom. We already talked about Zoom being a CrowdStrike customer, and we are pleased to also add Salesforce to the roster in Q4.

During the quarter, net new subscription customer growth accelerated to 70% year-over-year. We added a record $143 million in net new ARR and achieved 77% subscription revenue growth. We also continued to see rapid module adoption. CrowdStrike subscription customers that have adopted 4 or more modules, 5 or more modules, and 6 or more modules increased to 63%, 47% and 24% respectively.

we added a record 1,480 net new subscription customers in the quarter, and now proudly serve 9,896 subscription customers worldwide

In total for the year, 4,465 net new customers chose Falcon.

Big time customer wins - Pfizer bought 7 modules

Procter & Gamble was attracted to CrowdStrike’s tightly integrated, cloud-native single-agent architecture. Our strategic partnerships with EY and AWS were instrumental in Procter & Gamble choosing CrowdStrike.

I’d also like to highlight a win with a large technology company, where we are replacing SentinelOne. This customer was eager to find a true security partner to protect its endpoints as well as its cloud workloads across both its development and production environments. In addition to efficacy issues, SentinelOne was not a scalable solution, and dramatically degraded performance on the endpoint, causing instability and impacting developer productivity. CrowdStrike was selected given our proven efficacy breadth and depth of the Falcon platform; performance and scalability across operating systems, including Mac and Windows workstations and Linux servers.
ExponentialDave: I like George Kurtz. But I want to point out, the guy is pretty aggressive! It’s uncommon for c-suiters to attack other companies like George does. You should have heard what he said about Microsoft in front of the U.S. senate - George does not hold back and speaks his mind. He also has some choice words for MSFT later in this call which I will not spoil.

After leveraging the Falcon for home use program earlier this year as a new customer, Bank Leumi, a leading bank in Israel, selected CrowdStrike to protect their endpoints and implement a zero trust model to future-proof their security architecture. CrowdStrike was chosen over the competition after determining their solution was unable to adequately protect multiple versions of Windows or match the performance and speed of the Falcon platform. As one of the most respected security organizations operating in both an industry and country that have long been targets for nation-state actors and e-crime, they focused on selecting a new security partner with a modern solution capable of preventing targeted attacks, protecting their active directory, and supporting their remote workers with the scale and performance of the cloud.
ExponentialDave: In case you didn’t read the Zscaler or Cloudflare transcripts, Zero Trust is a common theme between the three of them and a key part of the investment thesis for any modern IT security company.

In fiscal 2021, we gained significant leverage from our partners, growing our partnership count by 85% worldwide and doubling our partner-sourced transactions. Our partnership with AWS is a standout with both partner-influenced deals and transactions fulfilled through the AWS Marketplace growing significantly throughout the year. In fiscal 2021, ending ARR transacted through the AWS Marketplace grew 650% over the last year, and transaction volume grew over 300%.We are also seeing positive momentum from our new alliance with EY , which is already influencing multiple deals as their clients look for modern cloud-native security to enable their digital transformation plans.

Building on the cloud workload module we announced last year, we recently expanded the capabilities to provide customers greater control and visibility from build to run time.The Falcon Cloud Workload Protection module now has the ability to secure applications with the new Falcon container sensor that is uniquely designed to run as an unprivileged container in a pod.

While it is challenging to measure specific pipeline effects events like SUNBURST may have, we do not believe it was a significant contributor to our strong Q4 results. We do believe it has raised awareness at the Board level and will serve as an additional tailwind to the industry over the long term.
ExponentialDave: This is pretty much exactly what we heard from Zscaler and Cloudflare.

Furthermore, we are seeing a crisis of trust within the Microsoft customer base driven by SUNBURST and their more recent zero-day vulnerabilities in Exchange that has been reported to affect 250,000 customers worldwide. Customers are looking to derisk their security architecture by choosing an alternative vendor to Microsoft. Additionally, following the SUNBURST campaign, we have seen customers become increasingly concerned about protecting their cloud directories such as Azure AD.
ExponentialDave: ^^ George going after Microsoft again :slight_smile:

As I communicated to the Senate Intelligence Committee last month, SUNBURST further highlights the importance of a zero trust posture.

With Preempt Security, CrowdStrike is leading the charge in delivering a zero trust solution focused on endpoints and workloads. We believe combining workload security with identity protection is foundational for establishing true zero trust environments. Preempt expands CrowdStrike’s zero trust capabilities and incorporates critical identity behavior data and analysis to help customers fortify their defenses and prevent identity-based attacks and insider threats. Our initial phase of integration of Preempt is on track and targeted for the end of Q1, and we are very encouraged by initial customer response engagement.

All the data we collect is stored in one place, the Threat Graph, where it’s analyzed across our entire customer base, providing real-time protection and community immunity. Today, Threat Graph processes over 5 trillion security-related events per week.

We believe that combining Humio’s data ingestion and analysis engine with the CrowdStrike’s agent technology which provides OS and application process-level telemetry, introspection capabilities and smart filtering, will create a powerful data platform with a new level of speed and efficiency. This can be transformative and provide a fundamental advantage that has the potential to disrupt the log management and observability markets.
ExponentialDave: Do we know any one who does observability? Oh, DataDog. Right

Humio builds on the momentum we have already achieved with Falcon Spotlight and Falcon Discover to grow our total addressable market by solving broader use cases outside of traditional security. On day 1, Humio broadens our reach into the log management market. This market alone is forecasted to be $4.9 billion in 2023 based upon IDC estimates, and that does not include any potential adjacencies, such as the massive observability market.

Looking forward, we have even greater plans for this new CrowdStrike business unit. While it will take some time and investment to deliver this powerful combination to the market, we believe it has the potential to open up massive new TAM for CrowdStrike, provide a runway for growth well into the future, and ultimately create another line of business on par with our security business.

In fiscal year 2021, we delivered 82% revenue growth, 7% operating margin, and $293 million in free cash flow or 33% of revenue. We are exiting the year with a record fourth quarter, which includes record subscription gross margin at the high end of our target model and record free cash flow of $97 million.

In the fourth quarter, we delivered 75% ARR growth year-over-year to reach $1.05 billion. Rapid new customer acquisition as well as expansion business within existing customers drove substantial growth in the quarter, once again resulting in another quarter of record net new ARR, which came in at $142.7 million. Excluding the acquired net new ARR reported in Q3, net new ARR grew approximately 30% quarter-over-quarter, which is an increase from the trend we saw last year.

Our gross retention rate remains high and best in class at 98% at year-end. Our dollar-based net retention rate exceeded the 120% benchmark throughout the year. Net retention increased to 125% as of the end of FY '21, up from 124% at the end of FY '20. For the interim FY '21 quarters, net retention was 128% in Q3, 131% in Q2, and 126% in Q1. Moving to the P&L. Total revenue grew 74% over Q4 of last year to reach $264.9 million. Subscription revenue grew 77% over Q4 of last year to reach $244.7 million.

In terms of our geographic performance in Q4, we continue to see strong growth in the U.S. as well as international markets. Approximately 71% of fourth quarter revenue was derived from customers in the U.S.; 14% from Europe, Middle East and Africa markets; 10% from Asia Pacific; and 5% from other markets

Growing our international business is a key component to our plan to sustain growth over the long term. We were pleased to see our investments in these markets deliver in fiscal 2021, with EMEA posting 84% growth and APAC revenue more than doubling at 113% over last year.

Fourth quarter non-GAAP gross margin improved to a record 77%, a 380 basis point increase from Q4 of last year. Our non-GAAP subscription gross margin increased to 80% compared with 77% in Q4 of last year.

Total non-GAAP operating expenses in the fourth quarter were $170.3 million or 64% of revenue versus $118.4 million last year or 78% of revenue.
ExponentialDave: Excellent scaling!

Scaling our business efficiently remains a top priority, which is why we intensely focus on our unit economics, including Magic Number. In Q4, we ended with a Magic Number of 1.3, which remains very high

Fourth quarter non-GAAP operating income was a record $34.4 million, and operating margin improved 17 percentage points over Q4 of last year to reach 13%. Q4 represents our ninth consecutive quarter of improving non-GAAP operating performance on both a dollar and margin basis.

Non-GAAP net income in Q4 was $31.2 million or $0.13 on a diluted per share basis

Cash and cash equivalents totaled approximately $1.9 billion. Our cash balance reflects approximately $740 million in net proceeds from the $750 million senior unsecured notes issued in January.

Cash flow from operations in the fourth quarter grew to $114.5 million**, and free cash flow increased to $97.4 million**, setting new records for both measures.

With respect to net new ARR, as is typical for software companies and similar to last year, we expect to see seasonality as we move from Q4 to Q1.

Our guidance includes the impact of our recent acquisition of Humio, which closed on March 5, 2021. We currently expect the acquired net new ARR contribution from Humio to be approximately $2 million in the first quarter.

We funded the cash portion of the Humio acquisition with cash on hand. The $352 million cash payment, net of cash acquired, will be reflected in our Q1 FY '22 cash balance.

For the first quarter of FY '22, we expect total revenue to be in the range of $287.8 million to $292.1 million, reflecting a year-over-year growth rate of 62% to 64%, with subscription revenue being the dominant driver of growth. We expect non-GAAP income from operations to be in the range of $18.5 million to $21.7 million and non-GAAP net income to be in the range of $10.8 million to $13.9 million.

For the full fiscal year 2022, we currently expect total revenue to be in the range of $1,310.4 million to $1,320.7 million, reflecting a growth rate of 50% to 51% over the prior fiscal year. Non-GAAP income from operations is expected to be between $94.8 million and $102.5 million. We expect fiscal 2022 non-GAAP net income to be between $63.8 million and $71.4 million.

Analyst Q & A

Saket Kalia

Got it. That’s really helpful. Burt, maybe for you for my follow-up, understanding we don’t guide to ARR for next year, maybe one component of that, that I wanted to zero in on is that ARR per customer. Obviously, a tough metric to forecast because there are just so many different drivers inside of it. But as you look forward just broad brush, how do you think about that ARR per customer sort of trending in fiscal '22? And what are going to be some of the puts and takes to that?

Burt Podbere

Saket, great question, great to hear your voice. So when we think about ARR per customer, you can see that there’s a mix shift that is happening. I mean that’s evidenced by the accelerated growth we saw in net new logos, and that was really driven by the mid-market and SMB space. And as a reminder, when you think about our ARR per customer across the board, accounts are expanding, and that’s evidenced by our 125% net retention rate. And then finally when you think about the overall success of our net new logos and the velocity that we’re seeing with respect to our net new logos, you’re seeing that we’re able to sell to customers large and small. And getting great satisfaction from our customers…

Sterling Auty

Appreciate the disclosure on the sales through AWS, but I’m just wondering if you can, either quantitatively or qualitatively, give us a sense of what percent of the net new ARR in the quarter or even the year actually came from protecting cloud workloads? Just so we can get a sense of that use case for end point versus traditional ones.

Burt Podbere

Sterling, it’s Burt, still – very, very good question. So remember I think that first of all, we feel that it was a strong quarter through AWS marketplace. I think it’s growing into a really meaningful number. I think that one of the things you want to really put into perspective is that we’re probably one of the most transactioned ISVs on the marketplace. And I think the key is that we’re seeing good pull for our new cloud modules. George talked about how many containers we secure, and it’s a big number. And I think that when you combine that with almost more than 20% of our servers we protect are in the cloud, I think that you’re starting to put the picture together.
ExponentialDave: Analyst asks a good question but Burt sort of dodges it.

The better news is that we still have the greenfield opportunity with respect to protecting cloud workloads. And we’re really, really ahead of anybody else that’s out there in the marketplace. The marketplace is really a great vehicle for transacting business with both large and small customers. And George often talks about the speed in terms of how we close the process with AWS. I think that with respect to their governing contracts or their global contracts, I think that this has been a real advantage for us. If both the buyer and seller agree to this standard contract, that just speeds up the process by 80%. At the end of the day, companies want our tech, and they’re buying it through the Marketplace as one avenue. So we see this as, again I want to highlight, we see this as a greenfield opportunity for us.
ExponentialDave:Greenfield opportunity is the best opportunity. We see it with Datadog. Separately, he goes on to tell us that, not only does AWS help them land the deal, but it also cuts down substantially on time spent on contracts.

Sterling Auty

And then just the other question on Humio, George, when you think about XDR, how would you kind of characterize any differences between XDR and [SIM]? Is this kind of the first step? Or do you see those as the same opportunity? So in other words, are you going to become more of a full-blown SIM provider over time?

George Kurtz

Well, I think you have to look at the outcome. The outcome is to find advanced threats. And you don’t want to create just bigger needle stacks, right? You want to be able to find those nuggets that are out there. You want to leverage the vast artificial intelligence technologies that we’ve built. And we’ve been, even prior to Humio, I mean we’ve built a lot of technology, which would be XDR-like in terms of looking at different network flows and connectivities. So we feel really good about the technology. We’ve looked at just about everything else that’s out there, and we were just blown away about how fast the technology works, index-free ingestion and what it’s going to bring.

ExponentialDave: Pretty sure the transcript says “SIM” but means “SIEM”, security information and event management. Anyway, it does seem like they may become a full blown SIEM over time. Good question.

Burt: (with respect to humio on gross margin)…Yes, it’s a good question, Fatima. I think that to George’s point, I mean we’re already in a good spot with respect to our subscription gross margin. There’s going to be a little help with respect to Humio. And so we do anticipate an opportunity for increased margin expansion due to that, but also due to other things like more modules that we’re going to add to our platform and more optimization.

Fatima Boolani

Fair enough. And Burt, since I have you, just with respect to the remarks George made around ARR in the script where there might be some spillover into the first fiscal quarter. Can you just reconcile that and some of the large deal momentum you saw in this quarter, versus some of the seasonality expectations that you pointed us towards for fiscal '22? That would be really helpful.

Burt Podbere

Sure. First, let me comment on seasonality. So I think that we typically see seasonality in our business in ARR. And we saw last year, or similar to last year, we saw a dip from Q4 to Q1. And I think that’s going to be the case again. The good news is again, there were no outsized deals in the quarter. We had a lot of large deals. And so that was beneficial for us when we think about our ability to continue to land many large deals.

Brian Essex

Got it. That’s super helpful. And maybe as a follow-up, you mentioned in your prepared remarks a crisis of trust within the Microsoft customer base. Could you provide a little bit of context around that? I mean is it strictly with regard to endpoint? Or do you see that across identity management, e-mail with the recent Exchange server? I mean how pervasive do you think it is? And how might that affect not just your business, but others across the ecosystem?

George Kurtz

I think it’s across the board. We’re seeing it. We’re hearing it from CISOs. We’re hearing it from CIOs. Boards are concerned. When you look at the latest breaches around Sunburts and you look at the Exchange zero-day vulnerabilities, just about every incident response we do involves Microsoft technology. So obviously we’re focused on being able to protect it, but there’s a lot of customers that are looking at this and saying, “Hey, we need to derisk our environment, and we need another provider.” The proverbial, “I don’t want the fox guarding the henhouse.” And I think just over the last couple of months has really highlighted the risk in using sort of a monoculture for both security and operating systems.
ExponentialDave: George skewers Microsoft - the new guard comes for the old guard.

Andrew Nowinski

Congrats on the consistently strong execution, which is not easy in this environment. So I wanted to start with a question on a win you mentioned in your prepared remarks at Salesforce. Was the incumbent vendor that you displaced a legacy or a next-gen provider? And why did they select CrowdStrike?

George Kurtz

So thanks, Andy. It was a next-gen vendor. One has been making a lot of noise in the investment community. And they chose us because of the scalable platform, low impact, and efficacy. And I think that’s across the board, that’s what we’re seeing, whether it’s a next-gen vendor or whether it’s an incumbent vendor, is the ease of use, time to value is incredible. We’ve done some massive financial services companies, and it’s been the smoothest rollout that they’ve seen. It just works, and the amount of visibility that we have is it’s unbelievable compared to our competitors. So a lot of things may sound and seem the same, but when you actually get into the technology and platform, this was built to scale. And we’ve pioneered a lot of these technologies over time. Others have tried to copy us, but a bad copy is still a copy.

Andrew Nowinski

Okay. And then maybe just a follow-up as it relates to the legacy vendors that you compete against, I’d imagine the sale of the McAfee enterprise business is a potential churn event for their customers. So just wondering if you could comment on that? And then what inning do you think you’re in with regard to taking share from Symantec?

George Kurtz

Well, yes, maybe I’ll start with the later one – the latter one. We still are taking share. Just how the sales tactics work and how the renewals work, it’s really a great opportunity for us to continue to take share from Symantec. And I think that sort of play is again we’ll continue with McAfee in the enterprise business. Whenever you see a disruption between owners, and particularly if it’s a financial sponsor, we believe and I think that’s been proven over time, you’re not going to see a lot of innovation on the R&D side. And again, you’re starting with an architecture that’s just legacy. So there’s a lot of work that would have to be done, and we think it’s a great opportunity for us to continue to take share in that area.

Alex Henderson

I wanted to talk a little bit about the metrics around the pipeline. You stated that you saw a record pipeline. I think you’re clearly seeing record deal sizes. Can you talk a little bit about some of the metrics around time to close deals? Are you seeing any change in that time line? And what does the time to first upsell look like? And then in that context, as you are now at the end of the year and looking into the new year, can you give us some sense of what your expectations are around the sales staff build to drive that pipeline over the course of the new fiscal year?

George Kurtz

Yes. It’s George. Thanks for the question. So we don’t normally give the stats out, and candidly it’s difficult to give you something that’s consistent. You look at an incident response engagement, it could be a week for a massive enterprise deal. You look at some of the other big financial services, it could be 6 months, and everything in between. So I think what’s consistent is that when we get into a proof of value, we’re winning it. People are seeing the ease of use. It’s super easy to deploy. So we can get it out there very quickly, and that does accelerate the sales cycle. I talked about the threat environment being the worst that I’ve ever seen. And certainly the heightened awareness around that from Boards wanted to make sure they had things locked down. So overall, it’s very variable, but I think we’ve done a good job of consistently proving value to our customers, consolidating agents, proving a real ROI. Sometimes, it’s a 30 to 6-month payback on our technology as we rip out other technologies that are there.

And in terms of module expansion, as we talked about in the past, we’ve got in-app trials. We’ve got a lot of customers trying new modules even if they didn’t buy them and then self-selecting, saying, “Hey, I want that.” And that obviously makes for very efficient sales model.

Gray Powell

Congratulations on the quarter. So I think in the prepared remarks, you mentioned that you did not see SolarWinds as a material driver to ARR in Q4. But I do think that everyone probably agrees that there should be a tailwind of growth in the EDR space from the breach in 2021. So I guess how should we think about that this year? And then beyond just EDR, what modules do you see the SolarWinds breach driving the most incremental demand for?

George Kurtz

Sure. So we certainly see it as a sustainable tailwind. When you look at what happened, I mean this particular event was probably the most significant I’ve seen in almost 30 years in my security career. So that’s going to drive a long-term trend in terms of customers that want better technologies that want greater visibility that drive EDR and XDR. So that’s all good, and we see that. When you look at the modules that we think could really benefit something like our zero trust and really our Preempt technology, we talked about identity being incredibly important. Obviously, you have EDR and there’s a lot of technologies that find bad things. But identity is a big element of protecting organizations, both on-prem and in the cloud. And I couldn’t think of a more well-timed acquisition than Preempt because of what’s happening right now. So we’ve got – there’s in a conversation we’re having with a large enterprise. It doesn’t involve identity, specifically, again, where we operate on the endpoints and workloads, and zero trust again on the endpoints and the workloads.


Today, Threat Graph processes over 5 trillion security-related events per week.

That works out to a little over 8 million events processed per second. I wonder how much computing power it takes to process an event.