Crowdstrike protecting a billion containers

At the 12-minute mark in this interview with Crowdstrike CEO George Kurtz, he makes a remarkable statement. Traditionally, when you think of endpoint protection, you think of just PCs and servers. But the endpoints protected by Crowdstrike also include containers and IoT devices. I’ll explain what containers are later in this message. The important point is that Crowdstrike’s Falcon platform already protects 1 billion containers. According to Kurtz, even that number is a small fraction of the total number of endpoints that they could potentially protect, so there’s a huge runway ahead.

The half-hour interview starts at the 5:25 mark at Josh Brown’s podcast at…

In case you don’t have time to listen to it, here are my key takeaways:

  • When Crowdstrike was founded, nobody else was providing security as a cloud-delivered service. Kurtz wanted to build the “Salesforce of Security”.

  • Their ARR (Annual Recurring Revenue) has grown to $900 million, but the TAM is 32 billion. So they’re just getting started on a gigantic addressable market.

  • They have a SWAT team that customers in distress call when they become victims of major hacks or ransomware. Brand new customers generally sign up for the monthly subscription service for on-going protection after the SWAT team remediates the problem. Professional service fees charged for the remediation make up only 10% of CRWD’s revenue, but that SWAT team acts like a lead gen for the annually recurring revenue. Brilliant!

  • Why is Falcon taking so much market share? The security industry was focused on removing malware. Crowdstrike turned this model on its head. They reasoned, why not focus on preventing the malware from getting in in the first place? Nobody was doing that.

  • They built a system that prevents malware using Artificial Intelligence (AI) and Machine Learning (ML). At the center of it is a threat graph that runs in the cloud. Just like LinkedIn has a social graph of who you’re connected to, the threat graph represents various “attack chains” that link together the events in a cyber-attack. This gigantic threat graph database informs the AI / ML model that continuously improves the threat detection and prevention.

  • The beauty of this system is that any new customer who signs up for Falcon automatically gets all the protection benefits of everything the threat graph has already learned from attacks on other customers!

  • The system is easy to get up and running. Whereas, with traditional systems, you may need to install, say, a dozen software agents, with Falcon, you only need to install 2 agents in the same situation. All the complexity of evaluating threats is in the cloud, so the agent is relatively lightweight and fast.

  • They charge customers according to how many modules they sign up for. Each module delivers a separate feature, like anti-virus or IT hygiene (OS patching). The platform sells itself. 61% of their customers have 4 or more modules, 44% have 5 or more, and 22% have 6 or more. They had 10 modules when they went public, they have 16 modules now, and are focused on creating more.

  • They handle 4 trillion attack events per week. Each day they handle more events than Twitter has tweets over an entire year!


For non-technical folks, a container is a software package that contains an environment that makes an application portable across machines that are as different as MacBooks and Linux servers. Use of containers to build apps is growing exponentially. Software developers use them if they need an off-the-shelf package (like a WordPress site) and also if they want to build applications on their laptop, and not have any surprises when it gets deployed to a Linux server on premises or in the cloud.


Excellent takeaways from the interview. I wish I could give you a bunch of recs. The takeaways paint a very convincing story.

CRWD is now my second largest position behind TSLA