CrowdStrike deep dive

CrowdStrike Deep Dive, PART 2


Today brought the announcement of the IPO terms.…

18M shares at $19-$23 = valuation of $3.7B-$4.5B. Expected date around Wed 06/12/19.

They also wrapped up a suit against an independent testing lab, with the lab coming out with an apology retracting its inaccurate test results. More here:…


There have been many threat-prevention SECaaS (Security-as-a-Service) IPOs over the past year: Tufin (TUFN), Zscaler (ZS), Carbon Black (CBLK) and Tenable (TENB). All of these are competitors with mostly overlapping product lines. Another direct competitor is Cylance, bought by BlackBerry in Feb '19 for $1.4B. Then there are the traditional/big players: Symantec, Cisco, McAfee, Sophos, Palo Alto, FireEye and TrendMicro.

As for TAM, the cloud cybersecurity market is $138B this year, and estimated to be $232B by 2022 (CAGR 19% over 3y). There can be many winners. And many losers. [Looking at you, FEYE!] Not only is this a market with huge competition, cybersecurity is a risky industry in itself - one breach can seriously impact customer perception. [But I think the risk is mitigated with Saul's approach: Follow the hypergrowth!]

Quick look at last Q of each of those recent SECaaS IPOs:

  • CBLK Q119 Revenue 56.8M +21%, Cloud Rev +80%, GM 78%
  • TUFN LastQ Revenue 29M +31%, GM 84% (just IPO'd)
  • TENB Q119 Revenue 80.3M +36%, GM 85%
  • ZS Q219 Revenue 74.3M +65%^^, GM 80%, NER 118%
  • CRWD LastQ Revenue 72.8M +124%^^, GM 66%, NER 147%, custs +103% (about to IPO)

Market caps? TUFN 800M, CBLK 1.2B, TENB 2.7B, ZS 8.8B. CRWD expects 4.5B at IPO. The market clearly prefers hypergrowth (as do we). ZS has strong accelerating growth. CRWD has even stronger accelerating growth, albeit at lower margins; however, a jaw-dropping, TWLO-sized NER of 147% erases any concerns. So there is no way that market cap stays at $4.5B once public – I wouldn't be surprised by a double out of the gate in this overzealous IPO environment (bringing it to ZS's market cap). [Reminder: ZS rose 104% on IPO day.]

Some prior comments:

Would it be fair to say that Zscaler focuses on hacking and Crowdstrike on viruses?

I have worked with AV in the past and a lot depends on the customer and how much money they have to spend on a product. … There is no way this company will touch the SMB space with their price per endpoint. Also they are not the only ones doing crowd sourcing out there. First there are smaller companies like AVG, VirusTotal, PolySwarm… then you have the larger companies like Symantec, Kaspersky, McAfee…

There seems to be some confusion about CrowdStrike's focus on "next-gen AV". The IT guy upthread compared it to traditional anti-virus software and said it cannot compete in SMB. Sorry, but WRONG. Antivirus & malware are a small part of the problem - these companies focus on THREAT DETECTION and BREACH PROTECTION, INVESTIGATION and MITIGATION. You need to equate CrowdStrike's product lines with Zscaler, Tenable and Carbon Black, not traditional AV apps. Zscaler's ZIA directly mentions antivirus and malware detection features.…

The Wikipedia descriptions of both companies mention it:

Zscaler is a global cloud-based information security company that provides Internet security, web security, firewalls, sandboxing, SSL inspection, antivirus, vulnerability management and granular control of user activity in cloud computing, mobile and Internet of things environments. As of 2015, Zscaler provides automated threat forensics and dynamic malware protection against advanced cyber threats, such as advanced persistent threats and spear phishing.

CrowdStrike, Inc. is an American cybersecurity technology company based in Sunnyvale, California, and a wholly owned subsidiary of CrowdStrike Holdings, Inc. The company provides endpoint security, threat intelligence, and incident response services to customers in more than 170 countries. … In 2013, the company launched the Falcon software platform, a technology that stops breaches by combining next-generation antivirus, endpoint detection and response, and proactive hunting.

Would you ever say Zscaler can't get into the SMB market against all that AVG, Avast and Norton Antivirus competition? CrowdStrike heavily markets itself as "next-gen AV" front-and-center, while Zscaler sells itself as a "Zero Trust cloud firewall". Don't let the marketing angles fool you - CrowdStrike directly competes with Zscaler. Both are completely disrupting what is traditionally thought of as AV. So much so that the smarter traditional AV companies like McAfee/Symantec long ago moved way beyond the little red/yellow boxes and pre-installed AV software of the days of old - they are now SECaaS companies as well, providing many of the same services; yet these small upstarts continue to succeed and disrupt them further (shown in their hypergrowth, from recurring subscription revenue, coming from more and more customers, each spending more and more over time).


So it’s all about stopping breaches from malicious actors (hack attempts, viruses, malware). The difference is how they go about it.

Zscaler's focus is being a cloud firewall and secure web gateway with a Zero Trust focus. Their network of 100+ data centers has all customer traffic routed through it (somewhat akin to a VPN), and that is a huge differentiator for their platform over the others. In general, I'd say Zscaler is a more advanced product line, with features like SSL inspection being made possible entirely by their VPN-esque data center setup (traffic can only be decrypted and inspected because it passes through their proxies). They claim a peak of 60B transactions a day. They are in the Gartner "Secure Web Gateway" quadrant, where they are a top Leader.…

Gartner defines this as: Secure Web gateway solutions protect Web-surfing PCs from infection and enforce company policies. A secure Web gateway is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype. Native or integrated data leak prevention is also increasingly included.

But even with a simpler product line, CrowdStrike, with its AI- and expert-driven threat detection and endpoint protection platform, is doing SOMETHING right with those revenue & customer growth numbers. They claim 91M events a minute (meaning ~130B/day). They are in the Gartner "Endpoint Protection Platform" quadrant, where they are the top Visionary (nearly a Leader).…

Gartner defines that as: An endpoint protection platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts. Detection capabilities will vary, but advanced solutions will use multiple detection techniques, ranging from static IOCs to behavioral analysis. The inclusion of artificial intelligence (AI) and human-driven managed services such as managed threat hunting — lowering the barrier to entry for more advanced capabilities — will increase over the next 18 months. Deception capabilities, intended to trick adversaries into revealing their presence by accessing fake services or planted files, or by using planted credentials, are emerging.

Desirable EPP solutions are primarily cloud-managed, allowing the continuous monitoring and collection of activity data, along with the ability to take remote remediation actions, whether the endpoint is on the corporate network or outside of the office. In addition, these solutions are cloud-data-assisted, meaning the endpoint agent does not have to maintain a local database of all known IOCs, but can check a cloud resource to find the latest verdicts on objects that it is unable to classify. Integration with security orchestration, automation and response (SOAR) tools will become increasingly desirable.…

So what’s the difference between those 2 quadrants? EPP is “deployed on endpoint devices” yet is still cloud-driven, while Secure Web Gateway is entirely in the cloud (centralized).

Does that sound like what AVG Antivirus gives you on your laptop behind your traditional firewall? These solutions are a whole new ballgame, with a crowd-sourced data pool and analytics that go beyond signature matching: static IOC matching plus ML-assisted behavioral analysis. [See my prior post if you forgot what IOC means.] I fear that folks really bring their biases from "the way things were back when I was in IT" when they hear terms like "antivirus". There is a whole new world of threats out there beyond that - nation-state hackers, ransomware, digital wallet theft, social engineering.
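To make the EPP model from the Gartner definition concrete (static IOCs, behavioral analysis, and a cloud-assisted verdict for objects the agent cannot classify), here is an added toy agent in Python. It is constructed for this post, not CrowdStrike's or any vendor's code; the hashes, the behavioral rule and the cloud verdict service are all stand-ins.

```python
"""Toy cloud-data-assisted EPP agent (constructed example, not vendor code).
Verdict order follows the Gartner EPP description quoted above: static IOC match
from a small local cache, then a behavioral rule, then a (simulated) cloud verdict
lookup whose answer is cached so the agent never holds the full IOC database."""
import hashlib
from dataclasses import dataclass, field
def fake_hash(label):
    """Constructed sample hash: SHA-256 of a label, not a real indicator."""
    return hashlib.sha256(label.encode()).hexdigest()

@dataclass
class ProcessEvent:
    parent: str     # parent process image name
    image: str      # process image name
    cmdline: str    # command line as seen by the sensor
    file_hash: str  # SHA-256 of the executable on disk

# Small IOC cache shipped to the endpoint, and a stand-in for the vendor's cloud (both constructed).
LOCAL_IOC_HASHES = {fake_hash("known-bad-sample"): "malicious"}
CLOUD_VERDICTS = {
    fake_hash("known-bad-sample"): "malicious",
    fake_hash("obscure-bad"): "malicious",
    fake_hash("vendor-tool"): "benign",
}

@dataclass
class Agent:
    local_cache: dict = field(default_factory=lambda: dict(LOCAL_IOC_HASHES))
    cloud_lookups: int = 0

    def behavioral_rule(self, ev):
        """Hypothetical behavioral indicator: Office process launching an encoded shell command."""
        office = ev.parent.lower() in {"winword.exe", "excel.exe"}
        shell = ev.image.lower() in {"powershell.exe", "cmd.exe"}
        return "suspicious" if office and shell and "-enc" in ev.cmdline.lower() else None

    def cloud_lookup(self, file_hash):
        self.cloud_lookups += 1  # counted so a test can show the cache working
        return CLOUD_VERDICTS.get(file_hash, "unknown")

    def classify(self, ev):  # returns (verdict, stage that decided)
        if ev.file_hash in self.local_cache:
            return self.local_cache[ev.file_hash], "static-ioc"
        verdict = self.behavioral_rule(ev)
        if verdict:
            return verdict, "behavioral"
        verdict = self.cloud_lookup(ev.file_hash)
        self.local_cache[ev.file_hash] = verdict  # remember the cloud verdict locally
        return verdict, "cloud"
```

The second sighting of an unknown hash is answered from the local cache, which is the "cloud-data-assisted" property Gartner describes: the endpoint only consults the cloud for objects it has never seen.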

Regardless, all these SECaaS companies have a core strength over traditional on-premises networking devices or software – they get a global view into threat detection, not just the on-premises network, and can apply AI and ML analytics over that global view, for the immediate benefit of strengthening their customers' security. There is NO REASON for your company to be its own oasis of security maintenance and knowledge. I love the cross-applicability here - EVERY company out there can and should be using these products (hence the huge TAM). Cloud-enabled SECaaS is the NEW REALITY for enterprise security management. Every company needs security, but those that try to DIY ("do-it-themselves") face a huge mountain of knowledge they'll need to master, on a continual basis. Why wouldn't you outsource for that expertise?

So these two companies are starting from different angles - endpoint protection via an installed agent, vs a web gateway handled via "VPN-esque" data centers. CrowdStrike added a huge number of products over the past year, so it is moving closer to ZS's broad array of features. But they are very alike in their end goals.

Both companies provide these SECaaS services:

  • threat prevention
  • intrusion/breach detection
  • antivirus/malware detection
  • ML/AI-driven threat detection
  • vulnerability scanning
  • continuous monitoring
  • incident response
  • data loss prevention
  • device management
  • sandboxing (separate area for testing new files)

Zscaler goes beyond Crowdstrike with these services:

  • access control (cloud firewall)
  • content inspection (including SSL-inspected traffic)

One thing Crowdstrike offers over Zscaler:

These are different services from what Okta provides as a IDaaS (Identity Management side of SECaaS), however Okta IS moving into some of these other SECaaS areas. And like Okta with Oktane, these two have major customer-focused annual conferences coming up…

  • Zenith Live 2019 - Zscaler Cloud Summit (9/16-18, Las Vegas)
  • Fal.Con 2019 - CrowdStrike Cybersecurity Conf (11/4-6, San Diego)

Ultimately, ZS is likely the (objectively) more secure and better product (again, SSL inspection is huge, and is only possible because of their VPN-like global data centers). But CrowdStrike has double the growth right now off the same revenue base. If they can continue that while raising margins (likely, as they have been heavily expanding their product line over the past 2 years), look out.

long ZS 12%, OKTA 12%