Well, that S-1 in-depth report and the latest growth numbers sure got me interested in the upcoming CRWD IPO. It went straight from 2nd Tier to 1st Tier interest after diving in a bit more.
Very akin to Zscaler as a cloud-based security company using crowdsourced data and AI for threat detection, but a different technical setup. ZS is priced into stratosphere at 9.5B, while CRWD last privately valued at 3B (sure to be much much more once public). Hope it isn’t all priced in at the start, but I am likely to be an owner regardless after this research. One can only hope Slack’s IPO will distract from CrowdStrike’s.
- ZS and CRWD have similar revenue (~250M TTM).
- ZS has better margins (80% vs 66%) and much lower net losses (almost profitable). CRWD has been improving margins, but Pro Svcs is weighing it down. (Counterpoint: Pro Svcs is a huge sales entry point for Falcon Platform.)
- CRWD has higher rev growth (124% vs 66%).
- CRWD has huge cust growth (+103%) that are spending more ($NER 147%). Muted $NER of 118% has been my one disappointment with ZS that I’ve griped about before; CRWD is showing way better expansion rates with its modular/tiered pricing, plus having a completely managed service at the top tier.
FYI this company made a name for itself by investigating the Democratic Party cyberattack breach and helped determine it was Russian intelligence.
So here is a deep dive…
CRWD - CrowdStrike
Detailed S-1 Review: https://medium.com/@alexfclayton/crowdstrike-ipo-s-1-breakdo…
Pre-IPO details: https://discussion.fool.com/impressive-s-1-137-subscription-grow…
Website: https://www.crowdstrike.com
FY19:
Rev 249.9M 110% !!
Sub Rev 219.4M +137% !!
Pro Svcs Rev 30.4M +16%
Gross Margin 65.1% +1100bps
Loss -140.1M
Adj Loss -115.8M
FCF -65.6M
Latest Q:
Revenue 72.8M +124%, +26% seq !!
ARR 313M +121% !!
Gross Margins 66%
Cash 192M
Custs 2516 +103% !!
ACV (ARR/custs) 124.3K +9%
$NRR 147% ^^ +2800bps (vs 127% last Q)
OVERVIEW
CrowdStrike is a SECaaS providing cloud-native endpoint protection, that leverages crowdsourced data and cloud analytics to stop threats.
- Cloud-based architecture - customers can immediately implement & scale. Modular products can be used depending on need, or their managed service.
- AI over threat detection. Replaces existing anti-virus & malware detection.
- Internal teams of experts analyzing threat database, and providing services like assessment, proactive checks, incident response.
- Marketplace to integrate products from partners that extend Falcon platform. Ties directly into other SECaaS & analytics providers.
Areas:
- Enterprise endpoint protection
- Threat intelligence
- Security and vulnerability mgmt
- IT Service mgmt
- Managed security services
- processes data from endpoints across all customer base (crowdsourced security)
- use AI and behavior pattern-matching to stop breaches
- started w/ focus on large enterprises, now sells to SMBs
- in 44% of Fortune 100
- 2/3 of custs <1k empl
- 23% int’l (+700bps)
- recent cust onboarded in 1d to protect >100k endpoints
- internal data showed 40% of detects were exploits in OS (not malware)
- global TAM expected to be $29.2B by 2021 (ZS said $17.7B TAM at IPO a year ago)
- last reported private valuation $3.15B
Competitors:
Symantec, Cylance (Blackberry), Cybereason, Carbon Black, Palo Alto, FireEye
Customers:
ADP, Shutterstock, Pokemon Co, Rackspace, Tribune Media, State of Wyoming, Hubspot, City of San Diego, Hyatt,
Accolades:
- SC Magazine Awards 2017: Best Behavior Analytics/Enterprise Threat Detection (cybersecurity magazine)
  https://www.crowdstrike.com/blog/crowdstrike-wins-sc-magazin…
- Gartner Magic Quadrant 2018 Top “Visionary” for Endpoint Protection
  https://crowdstrike.lookbookhq.com/gartner-mq-epp-2018-cs/ga…
PLATFORM
Falcon Platform
https://www.crowdstrike.com/endpoint-security-products/falco…
2 software components:
- light-weight endpoint agent: installed on Windows, Mac, Linux systems
- Threat Graph cloud database: analyzes 1T real-time events/wk
- 10 cloud modules, all subscription-based
- 47% of sub custs on >4 modules (+1700bps) !!
Terms:
https://www.crowdstrike.com/blog/indicators-attack-vs-indica…
- Indicators of Compromise (IOCs) = The unique characteristics of a breach. Reactive approach. Examples: malware, exploits, attack signatures.
- Indicators of Attack (IOAs) = A focus on detecting the intent of what an attacker is trying to accomplish. Represents series of actions adversary would take. Proactive approach. Examples: Code execution, persistence, stealth, lateral movements w/in network.
PRODUCT MODULES
Endpoint Security:
- Falcon Prevent (Next-Gen Antivirus): comprehensive protection against both malware and fileless attacks; replaces legacy antivirus/malware detection products
  - protects against all threat vectors
  - known malware/ransomware prevention
  - prevent fileless and malware-free attacks
  - ML to detect known/unknown threats with Threat Intel
  - proactive threat hunting, with Indicator of Attack (IOA) detection, to identify and stop attacker behavior
  - full attack visibility (process tree graph)
  - exploit mitigation
- Falcon Insight EDR (Endpoint Detection and Response): notify customers about endpoint activity in real time
  - real-time monitoring & visibility
  - records all endpoint activities for deeper inspection, historical review
  - immediate response
  - enriched w/ Threat Intel
- Falcon Device Control: gives admins visibility and granular control of USB peripheral devices
Security and IT Ops:
- Falcon Overwatch (Threat Hunting): elite team of security experts who utilize the Threat Graph to augment customer’s in-house security
  - proactive threat hunting
  - investigate breaches
  - pinpoint urgent threats
  - guided response
  - premium: escalated notification, access to threat response analyst, quarterly briefings & recommendations
- Falcon Discover (IT Hygiene): network security monitoring & introspection
  - rogue system/app detection within networks
  - monitors user accounts and sysadmin access
  - password policy enforcement
  - app security hygiene
  - app license management
  - AWS visibility & spend analysis
  - asset inventory
- Falcon Complete (Turnkey Security): managed service for monitoring, mgmt, response, and remediation
- Falcon Spotlight (Vulnerability Mgmt): detect vulnerabilities in real time across customer endpoints
Threat Intelligence:
- Falcon X (Threat Intel): AI over endpoint protection
  - automated analysis of all incidents, speeding up breach response
  - uses AI, ML, IOAs tracking
  - learn from the attacks in your environment; custom IOCs generated from threats detected
  - weekly threat reports
  - premium tier w/ global threat research & analyst reports
- Falcon Search Engine (Malware Search): search over 300Tb of 400M malwares collected across Falcon, overlaid with Threat Intel data
- Falcon Sandbox (Malware Analysis): analyze files for malicious behavior in isolated VMs, can integrate into workflows & SIEMs
Services:
- Cybersecurity assessment
- Proactive checks
- Pre/Post incident response
- Compromise assessment
Other:
- CrowdStrike Falcon for Mobile - (coming soon) EDR for mobile devices
- Falcon on GovCloud - FedRAMP approved gov’t endpoint security, delivered on AWS GovCloud; includes Prevent, Insight and Discover products, plus IR & Proactive services
- Falcon for Data Centers - secure physical, virtual or cloud/hybrid infrastructure
- CrowdStrike Store - PaaS store for cybersecurity tools, to sell products from CrowdStrike partners that enhance Falcon Platform and/or utilize same agent
  Example apps/partners:
  - User behavior analytics (eg Exabeam)
  - App behavior analytics (eg TrueFort)
  - Attack analysis (eg AttackIQ)
  - Managed security (eg Expel)
  - Incident response (eg Demisto [Palo Alto])
- Falcon Connect: collection of APIs to interface with Falcon Platform
  - Query API - search IOAs, IOCs, devices & indicators
  - Streaming API - real-time streams for detections & alerts; hook into your SIEM
  - Data Replicator API - pull raw event data
  - Intel API - query indicators, adversaries, reports & tailored intel
  - Threat Graph API - query detection and IOC relationships
PRICING
Multiple tiers for 5-250 endpoints. Any tier can:
… add optional services
… add optional product Spotlight
… operate in specialized environs (GovCloud, Data Centers)
… add standalone products: Search Engine, Sandbox
Tiers:
Falcon Pro - endpoint protection & threat intelligence.
… includes Prevent & X
$7/endpoint/mo
Falcon Enterprise - prevents and detects attacks beyond malware, stop breaches, complete visibility.
… adds Insight, Device Control, Overwatch
$15/endpoint/mo
Falcon Premium - next level breach protection, real-time rogue detection and user monitoring, health checks and quarterly briefings w/ recommendations.
… adds Discover and premium Overwatch
$18/endpoint/mo
Managed Service:
Falcon Complete - fully managed endpoint protection, delivered as a service by a CrowdStrike team of experts. Backed by $1M coverage to address breaches that occur within protected environ.
… includes Prevent, X, Insight, Discover, premium Overwatch
- muji
long ZS
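
The IOC versus IOA distinction from the Terms section above, as an added example that is not part of the original post and not CrowdStrike's implementation: a hash-based IOC check and a behavioral IOA check run over the same constructed process events. The event fields, hashes and the `IOA_CHAIN` rule are hypothetical.

```python
# Constructed endpoint process events (sample data, not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "winword.exe", "cmd": "winword.exe invoice.docx", "sha256": "aa" * 32},
    {"pid": 101, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe -enc <blob>", "sha256": "bb" * 32},
    {"pid": 102, "ppid": 101, "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn updater", "sha256": "cc" * 32},
    {"pid": 200, "ppid": 1, "image": "dropper.exe", "cmd": "dropper.exe", "sha256": "dd" * 32},
    {"pid": 300, "ppid": 1, "image": "powershell.exe", "cmd": "powershell.exe Get-Service", "sha256": "bb" * 32},
]

KNOWN_BAD_HASHES = {"dd" * 32}  # constructed IOC feed: hashes of known malware

# Hypothetical IOA rule: a series of actions expressed as parent -> child -> grandchild.
IOA_CHAIN = [
    {"winword.exe", "excel.exe"},       # document application
    {"powershell.exe", "wscript.exe"},  # script interpreter (code execution)
    {"schtasks.exe", "reg.exe"},        # persistence tooling
]

def match_iocs(events, bad_hashes):
    """Reactive check: flag a process only if its file hash is already known bad."""
    return [e["pid"] for e in events if e["sha256"] in bad_hashes]

def lineage(event, by_pid):
    """Return image names from the oldest recorded ancestor down to the event."""
    chain, seen = [], set()
    while event is not None and event["pid"] not in seen:  # guard against pid loops
        seen.add(event["pid"])
        chain.append(event["image"])
        event = by_pid.get(event["ppid"])
    return chain[::-1]

def match_ioas(events, stages):
    """Behavioral check: flag a process whose ancestry ends with the staged chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        tail = lineage(e, by_pid)[-len(stages):]
        if len(tail) == len(stages) and all(img in s for img, s in zip(tail, stages)):
            hits.append(e["pid"])
    return hits

if __name__ == "__main__":
    print("IOC hits:", match_iocs(EVENTS, KNOWN_BAD_HASHES))
    print("IOA hits:", match_ioas(EVENTS, IOA_CHAIN))
```

The IOC check only sees the known-bad binary (pid 200); the chain of legitimate OS tools (pids 100 to 102) carries no bad hash and is caught only by the behavioral rule, while the standalone PowerShell session (pid 300) is not flagged.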