CrowdStrike deep dive

Well, that S-1 in-depth report and the latest growth numbers sure got me interested in the upcoming CRWD IPO. It went straight from 2nd Tier to 1st Tier interest after diving in a bit more.

Very akin to Zscaler as a cloud-based security company using crowdsourced data and AI for threat detection, but a different technical setup. ZS is priced into stratosphere at 9.5B, while CRWD last privately valued at 3B (sure to be much much more once public). Hope it isn’t all priced in at the start, but I am likely to be an owner regardless after this research. One can only hope Slack’s IPO will distract from CrowdStrike’s.

  • ZS and CRWD have similar revenue (~250M TTM).
  • ZS has better margins (80% vs 66%) and much lower net losses (almost profitable). CRWD has been improving margins, but Pro Svcs is weighing it down. (Counterpoint: Pro Svcs is a huge sales entry point for Falcon Platform.)
  • CRWD has higher rev growth (124% vs 66%).
  • CRWD has huge cust growth (+103%) that are spending more ($NER 147%). Muted $NER of 118% has been my one disappointment with ZS that I’ve griped about before; CRWD is showing way better expansion rates with its modular/tiered pricing, plus having a completely managed service at the top tier.

FYI this company made a name for itself by investigating the Democratic Party cyberattack breach and helped determine it was Russian intelligence.

So here is a deep dive…

CRWD - Crowdstrike

Detailed S-1 Review:…

Pre-IPO details:…


Rev 249.9M 110% !!
Sub Rev 219.4M +137% !!
Pro Svcs Rev 30.4M +16%
Gross Margin 65.1% +1100bps
Loss -140.1M
Adj Loss -115.8M
FCF -65.6M

Latest Q:
Revenue 72.8M +124%, +26% seq !!
ARR 313M +121% !!
Gross Margins 66%
Cash 192M

Custs 2516 +103% !!
ACV (ARR/custs) 124.3K +9%
$NRR 147% ^^ +2800bps (vs 127% last Q)


CrowdStrike is a SECaaS providing cloud-native endpoint protection, that leverages crowdsourced data and cloud analytics to stop threats.

  • Cloud-based architecture - customers can immediately implement & scale. Modular products can be used depending on need, or their managed service.
  • AI over threat detection. Replaces existing anti-virus & malware detection.
  • Internal teams of experts analyzing threat database, and providing services like assessment, proactive checks, incident response.
  • Marketplace to integrate products from partners that extend Falcon platform. Ties directly into to other SECaaS & analytics providers.


  • Enterprise endpoint protection
  • Threat intelligence
  • Security and vulnerability mgmt
  • IT Service mgmt
  • Managed security services
  • processes data from endpoints across all customer base (crowdsourced security)
  • use AI and behavior pattern-matching to stop breaches
  • started w/ focus on large enterprises, now sells to SMBs
  • in 44% of Fortune 100
  • 2/3 of custs <1k empl
  • 23% int’l (+700bps)
  • recent cust onboarded in 1d to protect >100k endpoints
  • internal data showed 40% of detects were exploits in OS (not malware)
  • global TAM expected to be $29.2B by 2021 (ZS said $17.7B TAM at IPO a year ago)
  • last reported private valuation $3.15B

Symantec, Cylance (Blackberry), Cybereason, Carbon Black, Palo Alto, FireEye

ADP, Shutterstock, Pokemon Co, Rackspace, Tribune Media, State of Wyoming, Hubspot, City of San Diego, Hyatt,



Falcon Platform…

2 software components:

  • light-weight endpoint agent: installed on Windows, Mac, Linux systems
  • Threat Graph cloud database: analyzes 1T real-time events/wk
  • 10 cloud modules, all subscription-based
  • 47% of sub custs on >4 modules (+1700bps) !!


  • Indicators of Compromise (IOCs) = The unique characteristics of a breach. Reactive approach. Examples: malware, exploits, attack signatures.

  • Indicators of Attack (IOAs) = A focus on detecting the intent of what an attacker is trying to accomplish. Represents series of actions adversary would take. Proactive approach. Examples: Code execution, persistence, stealth, lateral movements w/in network.


Endpoint Security:

  • Falcon Prevent (Next-Gen Antivirus): comprehensive protection against both malware and fileless attacks; replaces legacy antivirus/malware detection products
  • protects against all threat vectors
  • known malware/ransomware prevention
  • prevent fileless and malware-free attacks
  • ML to detect known/unknown threats with Threat Intel
  • proactive threat hunting, with Indicator of Attack (IOA) detection, to identify and stop attacker behavior
  • full attack visibility (process tree graph)
  • exploit mitigation
  • Falcon Insight EDR (Endpoint Detection and Response): notify customers about endpoint activity in real time
  • real-time monitoring & visibility
  • records all endpoint activities for deeper inspection, historical review
  • immediate response
  • enriched w/ Threat Intel
  • Falcon Device Control: gives admins visibility and granular control of USB peripheral devices

Security and IT Ops:

  • Falcon Overwatch (Threat Hunting): elite team of security experts who utilize the Threat Graph to augment customer’s in-house security
  • proactive threat hunting
  • investigate breaches
  • pinpoint urgent threats
  • guided response
  • premium: escalated notification, access to threat response analyst, quarterly briefings & recommendations
  • Falcon Discover (IT Hygiene): network security monitoring & introspection
  • rogue system/app detection within networks
  • monitors user accounts and sysadmin access
  • password policy enforcement
  • app security hygiene
  • app license management
  • AWS visibility & spend analysis
  • asset inventory
  • Falcon Complete (Turnkey Security): managed service for monitoring, mgmt, response, and remediation

  • Falcon Spotlight (Vulnerability Mgmt): detect vulnerabilities in real time across customer endpoints

Threat Intelligence:

  • Falcon X (Threat Intel): AI over endpoint protection
  • automated analysis of all incidents, speeding up breach response
  • uses AI, ML, IOAs tracking
  • learn from the attacks in your environment; custom IOCs generated from threats detected
  • weekly threat reports
  • premium tier w/ global threat research & analyst reports
  • Falcon Search Engine (Malware Search): search over 300Tb of 400M malwares collected across Falcon, overlaid with Threat Intel data

  • Falcon Sandbox (Malware Analysis): analyze files for malicious behavior in isolated VMs, can integrate into workflows & SIEMs


  • Cybersecurity assessment
  • Proactive checks
  • Pre/Post incident response
  • Compromise assessment


  • CrowdStrike Falcon for Mobile - (coming soon) EDR for mobile devices

  • Falcon on GovCloud - FedRAMP approved gov’t endpoint security, delivered on AWS GovCloud; includes Prevent, Insight and Discover products, plus IR & Proactive services

  • Falcon for Data Centers - secure physical, virtual or cloud/hybrid infrastructure

  • CrowdStrike Store - PaaS store for cybersecurity tools, to sell products from CrowdStrike partners that enhance Falcon Platform and/or utilize same agent

Example apps/partners:

  • User behavior analytics (eg Exabeam)
  • App behavior analytics (eg TrueFort)
  • Attack analysis (eg AttackIQ)
  • Managed security (eg Expel)
  • Incident response (eg Demisto [Palo Alto])
  • Falcon Connect: collection of APIs to interface with Falcon Platform
  • Query API - search IOAs, IOCs, devices & indicators
  • Streaming API - real-time streams for detections & alerts; hook into your SEIM
  • Data Replicator API - pull raw event data
  • Intel API - query indicators, adversaries, reports & tailored intel
  • Threat Graph API - query detection and IOC relationships


Multiple tiers for 5-250 endpoints. Any tier can:
… add optional services
… add optional product Spotlight
… operate in specialized environs (GovCloud, Data Centers)
… add standalone products: Search Engine, Sandbox


Falcon Pro - endpoint protection & threat intelligence.
… includes Prevent & X

Falcon Enterprise - prevents and detects attacks beyond malware, stop breaches, complete visibility.
… adds Insight, Device Control, Overwatch

Falcon Premium - next level breach protection, real-time rogue detection and user monitoring, health checks and quarterly briefings w/ recommendations.
… adds Discover and premium Overwatch

Managed Service:

Falcon Complete - fully managed endpoint protection, delivered as a service by a CrowdStrike team of experts. Backed by $1M coverage to address breaches that occur within protected environ.
… includes Prevent, X, Insight, Discover, premium Overwatch

  • muji
    long ZS

Thank muji,

Date is not set for IPO, but I’m interested. I sold SQ about 3 weeks ago so I’m looking to invest that.

Link from Seeking Alpha:…



Thank you for a wonderful breakdown. The fundamental numbers and growth are very appealing, and I’m curious to what the opening price will be for IPO.

Forgive my ignorance when it comes to this area of technology, but how does Crowdstrike and ZScaler differ? Would it be fair to say that ZScaler focuses on hacking and Crowdstrike on viruses?

Thank you!

1 Like

As an IT guy for almost 20 yrs I have worked in big and small companies doing anything from help desk to being a Systems engineer. I worked through the hard years and the good years. I have worked with AV in the past and a lot depends on the customer and how much money do they have to spend on a product. For larger companies they need easy deployment of the agent, easy updates, lots of custom rules, instant notifications, along with creating a ticket and sending it to your help desk. For smaller companies they are looking for easy install and updates, keeps them safe and is cheap or free.

There is no way this company will touch the SMB space with their price per end point. Also they are not the only ones doing crowd source out there. First there are smaller companies like AVG, VirusTotal, PolySwarm… then you have the larger companies like Symantec, Kaspersky, McAfee… These large Enterprise companies that work with the large AV providers all have dedicated contacts to a Engineer when a virus outbreak occurs and the companies AV admins have ways of submitting what they think might be maleware or virus related files to their AV provider, in turn it is crowdsourced as well.

Pricing per end point and is based on 7,15,30 days of event storage.…
FYI: These events are stored on the local PC by default along with a wealth of other knowledge.

IMHO I just don’t think this AV company is going to come out and disrupt any of the other large AV providers out there. I am not interested in this one but thank you for bringing it to the board.

~ CrazieKids


CrowdStrike Deep Dive, PART 2


Today was announcement on IPO terms.…

18M shares at $19-$23 = valuation of $3.7B-$4.5B. Expected date around Wed 06/12/19.

They also wrapped up a suit against an independent testing lab, with the lab coming out with an apology retracting its inaccurate test results. More here:…


There have been many threat-prevention SECaaS (Security-as-a-service) IPOs over past year: Tufin (TUFN), Zscaler (ZS), Carbon Black (CBLK) and Tenable (TENB). All of these are competitors w/ mostly overlapping product lines. Another direct competitor is Cylance, bought by BlackBerry in Feb '19 for $1.4B. Then there are the traditional/big players in Symantec, Cisco, McAfee, Sophos, Palo Alto, FireEye and TrendMicro.

As for TAM, the cloud cybersecurity market is $138B this year, and estimated to be $232B by 2022 (CAGR 19% over 3y). There can be many winners. And many losers. [Looking at you, FEYE!] Not only a market with huge competition, it’s an overly risky industry just being in cybersecurity - one breach can seriously impact customer perception. [But I think the risk is mitigated with Saul’s approach: Follow the hypergrowth!]

Quick look at last Q of each of those recent SECaaS IPOs:

  • CBLK Q119 Revenue 56.8M +21%, Cloud Rev +80%, GM 78%
  • TUFN LastQ Revenue 29M +31%, GM 84% (just IPOd)
  • TENB Q119 Revenue 80.3M +36%, GM 85%
  • ZS Q219 Revenue 74.3M +65%^^, GM 80%, NER 118%
  • CRWD LastQ Revenue 72.8M +124%^^, GM 66%, NER 147%, custs +103% (about to IPO)

Market caps? TUFN 800M, CBLK 1.2B, TENB 2.7B, ZS 8.8B. CRWD expects 4.5B at IPO. Market clearly prefers hypergrowth (as do we). ZS has strong accelerating growth. CRWD has even stronger accelerating growth, albeit at lower margins; however a jaw dropping, TWLO-sized $NER of 147% erases any concerns. So no way that market cap stays at $4.5B once public – I wouldn’t be surprised by a double out of the gate in this overzealous IPO environ (bringing it to ZS market cap). [Reminder: ZS rose 104% on IPO day.]

Some prior comments:

Would it be fair to say that Zscaler focuses on hacking and Crowdstrike on viruses?

I have worked with AV in the past and a lot depends on the customer and how much money do they have to spend on a product. … There is no way this company will touch the SMB space with their price per end point. Also they are not the only ones doing crowd source out there. First there are smaller companies like AVG, VirusTotal, PolySwarm… then you have the larger companies like Symantec, Kaspersky, McAfee…

There seems to be some confusion with CrowdStrike’s focus on “next-gen AV”. The IT guy upthread compared it to traditional anti-virus softwares and said it cannot compete in SMB. Sorry, but WRONG. Antivirus & malware is a small part of the problem - these companies focus on THREAT DETECTION and BREACH PROTECTION, INVESTIGATION and MITIGATION. You need to equate CrowdStrike’s product lines with Zscaler, Tenable and Carbon Black, not traditional AV apps. Zscaler’s ZIA directly mentions antivirus and malware detection features.…

The Wikipedia descriptions of both companies mention it:

Zscaler is a global cloud-based information security company that provides Internet security, web security, firewalls, sandboxing, SSL inspection, antivirus, vulnerability management and granular control of user activity in cloud computing, mobile and Internet of things environments. As of 2015, Zscaler provides automated threat forensics and dynamic malware protection against advanced cyber threats, such as advanced persistent threats and spear phishing.

CrowdStrike, Inc. is an American cybersecurity technology company based in Sunnyvale, California, and a wholly owned subsidiary of CrowdStrike Holdings, Inc. The company provides endpoint security, threat intelligence, and incident response services to customers in more than 170 countries. … In 2013, the company launched the Falcon software platform, a technology that stops breaches by combining next-generation antivirus, endpoint detection and response, and proactive hunting.

Would you ever say Zscaler can’t get into SMB market against all that AVG, Avast and Norton Antivirus competition? CrowdStrike heavily markets as “next-gen AV” front-and-center, while Zscaler sells themselves as a “Zero Trust cloud firewall”. Don’t let the marketing angles fool you - Crowdstrike directly competes with Zscaler. Both are completely disrupting what is traditionally thought of as AV. So much so that the smarter traditional AV companies like McAfee/Symantec have long ago moved way beyond the little red/yellow boxes and pre-installed AV softwares of the days of old - they are now SECaaS companies as well, providing many of the same services; yet these small upstarts are continuing to succeed and disrupt them further (shown in their hypergrowth, from recurring subscription revenue, coming from more and more customers, each spending more and more over time).


So it’s all about stopping breaches from malicious actors (hack attempts, viruses, malware). The difference is how they go about it.

Zscaler’s focus is being a cloud firewall and secure web gateway with a Zero Trust focus. Their network of 100+ data centers have all customer traffic routed through them (somewhat akin to a VPN), and is a huge differentiator to their platform over the others. In general, I’d say Zscaler is a more advanced product line, with features like SSL introspection being entirely enabled by their VPN-esque data center setup. They claim a peak of 60B transactions a day. They are in the Gartner “Secure Web Gateway” quadrant, where they are a top Leader.…

Gartner defines this as: Secure Web gateway solutions protect Web-surfing PCs from infection and enforce company policies. A secure Web gateway is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype. Native or integrated data leak prevention is also increasingly included.

But even with a simpler product line, CrowdStrike, and its AI & expert driven threat detection and endpoint protection platform, is doing SOMETHING right with those revenue & customer growth numbers. They claim 91M a minute (meaning ~130B/day). They are in the Gartner “Endpoint Protection Platform” quadrant, where they are top Visionary (nearly Leader).…

Gartner defines that as: An endpoint protection platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts. Detection capabilities will vary, but advanced solutions will use multiple detection techniques, ranging from static IOCs to behavioral analysis. The inclusion of artificial intelligence (AI) and human-driven managed services such as managed threat hunting — lowering the barrier to entry for more advanced capabilities — will increase over the next 18 months. Deception capabilities, intended to trick adversaries into revealing their presence by accessing fake services or planted files, or by using planted credentials, are emerging.

Desirable EPP solutions are primarily cloud-managed, allowing the continuous monitoring and collection of activity data, along with the ability to take remote remediation actions, whether the endpoint is on the corporate network or outside of the office. In addition, these solutions are cloud-data-assisted, meaning the endpoint agent does not have to maintain a local database of all known IOCs, but can check a cloud resource to find the latest verdicts on objects that it is unable to classify. Integration with security orchestration, automation and response (SOAR) tools will become increasingly desirable.…

So what’s the difference between those 2 quadrants? EPP is “deployed on endpoint devices” yet is still cloud-driven, while Secure Web Gateway is entirely in the cloud (centralized).

Does that sound like what AVG Antivirus gives you on your laptop behind your traditional firewall? These solutions are a whole new ballgame, with a crowd sourced data pool and advanced AI like IOC and behavioral analysis. [See my prior post if you forgot what IOC means.] I fear that folks really bring their biases from “the way things were back when I was in IT” when they hear terms like “antivirus”. There is a whole new world of threats out there beyond that - nation-state hackers, ransomware, digital wallet theft, social engineering.

Regardless, all these SECaaS companies have a core strength over traditional on-premise networking devices or software – they get a global view into threat detection, not just the on-premise network, and can apply AI and ML analytics over that global view, for the immediate benefit of strengthening their customers’ security. There is NO REASON to have your company be its own oasis for security maintenance and knowledge. I love the cross applicability here - EVERY company out there can and should be using these products (hence the huge TAM). Cloud-enabled SECaaS is the NEW REALITY for enterprise security management. Every company needs security, but those that try to DIY (“do-it-themselves”) are going to have a huge mountain of knowledge they’ll need to become experts in, on a continual basis. Why wouldn’t you outsource for that expertise?

So these two companies are starting with different angles - endpoint protection via installed agent, vs a web gateway handled via “VPN-esque” data centers. CrowdStrike added a huge number of products over the past year, so is moving closer to ZS’s broad array of features. But they are very alike in their end goals.

Both companies provide these SECaaS services:

  • threat prevention
  • intrusion/breach detection
  • antivirus/malware detection
  • ML/AI-driven threat detection
  • vulnerability scanning
  • continuous monitoring
  • incident response
  • data loss prevention
  • device management
  • sandboxing (separate area for testing new files)

Zscaler goes beyond Crowdstrike with these services:

  • access control (cloud firewall)
  • content introspection

One thing Crowdstrike offers over Zscaler:

These are different services from what Okta provides as a IDaaS (Identity Management side of SECaaS), however Okta IS moving into some of these other SECaaS areas. And like Okta with Oktane, these two have major customer-focused annual conferences coming up…

  • Zenith Live 2019 - Zscaler Cloud Summit (9/16-18, Las Vegas)
  • Fal.Con 2019 - CrowdStrike Cybersecurity Conf (11/4-6, San Diego)

Ultimately, ZS is likely the (objectively) more secure and better product (again, SSL introspection is huge, and is entirely possible due to their VPN-like global data centers). But CrowdStrike has double the growth right now off the same revenue base. If they can continue that while raising margins (likely, as they been heavily expanding product line over past 2 years), look out.

long ZS 12%, OKTA 12%


Thanks, muji! Great post!

So these two companies are starting with different angles - endpoint protection via installed agent, vs a web gateway handled via “VPN-esque” data centers.

One would think that if the installed agent gets compromised there could be a breach. With millions of installed agents, it seems that it would be be more difficult to defend using a CrowdStrike approach than a Zscaler approacher. I’m by no means an expert and I’m just applying common sense. Is this what you meant when you wrote the following?

Ultimately, ZS is likely the (objectively) more secure and better product (again, SSL introspection is huge, and is entirely possible due to their VPN-like global data centers).