Flavors of Security - CrowdStrike

CrowdStrike (CRWD) = Endpoint Protection (Device)

Platform: Falcon Platform https://www.crowdstrike.com/endpoint-security-products/falco…
Ecosystem: CrowdStrike Store https://www.crowdstrike.com/endpoint-security-products/crowd…
Partners: https://www.crowdstrike.com/partners/technology-partners/

Flavors of Security:

  • Current: EPP/EDR, MDR
  • Next wave: ?

Massive Tailwinds:
^ Mobile workforce
^ Growth of mobile devices and BYOD policies
^ IoT devices
^ ML/AI-driven Security

Differentiators:

  • Cloud-based – no appliance or infrastructure needed. Infinite scale, unlimited capacity.
  • Platform w/ incremental add-ons, and a partner ecosystem accessed through an app store.
  • Strong adoption of ML/AI internally, labeling themselves as “AI Powered”. Heavy focus on “crowdsourcing” of threat detection, which means they run their ML/AI driven threat detection over the entirety of their customer base.
  • Ease of install and use. Multiple layers of product & engagement levels available. Ancillary services like DF/IR available as needed.

Platform capabilities:

Protection: EPP, MDR, Sandbox, NGAV
Prevention: EDR, UEBA, NTA, IDS
Response: DF/IR

Products:
== Endpoint Security

Other Environments:

  • Falcon on GovCloud - FedRAMP approved cloud offering
  • Falcon for Data Centers - bring Falcon platform on-premise

Subscription Levels:

  • Falcon Pro - base level with Prevent (EPP) and X (ML/AI)
  • Falcon Enterprise - … plus Insight (EDR), Device Control, Overwatch (MDR)
  • Falcon Premium - … plus Discover (network & usage tracking for admins)
  • Falcon Complete - all-in-one package with a dedicated team of MDR experts called “Complete Team” available 24x7x365 https://www.crowdstrike.com/endpoint-security-products/falco… an EPPaaS for those who don’t want to manage devices themselves

Services:

Partner program: CrowdStrike Elevate https://www.crowdstrike.com/crowdstrike-elevate-partner-prog…

  • Falcon Connect API = enables partner integration https://www.crowdstrike.com/endpoint-security-products/falco…
  • Falcon Orchestrator = open-source tool built on Connect API to automate workflows and SOAR integrations into actions for DF/IR, forensics, monitoring and alerts
  • Falcon Streaming API = enables SIEM integration

Partners:

Magic Quadrants:
EPP - https://www.gartner.com/doc/reprints?id=1-1OCBC1P5&ct=19…

Competitors:
EPP - Symantec, Sophos, Trend Micro, Microsoft, Kaspersky, Blackberry/Cylance, VMWare/Carbon Black, Elastic/Endgame, McAfee, Cisco, Palo Alto, Fortinet, FireEye
EDR - VMWare/Carbon Black, Cisco, Check Point, Blackberry/Cylance, Microsoft, McAfee, Sophos, Elastic/Endgame
MDR - FireEye, Rapid7, Cisco

Gardner customer reviews:
EPP - https://www.gartner.com/reviews/market/endpoint-protection-p…
EDR - https://www.gartner.com/reviews/market/endpoint-detection-an…
MDR - https://www.gartner.com/reviews/market/managed-detection-and…
Security consulting - https://www.gartner.com/reviews/market/security-consulting-s…

Background:

My CrowdStrike Deep Dive, May 2019
https://discussion.fool.com/crowdstrike-deep-dive-34213712.aspx
https://discussion.fool.com/crowdstrike-deep-dive-part-2-ipo-det…

Thoughts:

CrowdStrike hit the market with a bang, IPOing to a massive valuation right out of the gate, then rose quickly. The share price definitely got ahead of itself, which is why I only owned a nibble from the IPO. But those heady times have ended, as over last 2 months it has been halved from its top, as the SaaS bloodbath took a big toll and as political winds are swirling around it again.

As a reminder, EPP is the endpoint protection (device), and EDR is the continual monitoring of those endpoints, typically with NTA (network) and UEBA (user behavior) analysis to detect threats. Being cloud-based is the massive trend in EPP, as that allows maximum visibility across devices (whether it is located on-premise, cloud or mobile); Gartner predicts that cloud EPP will grow from 20% of new deals to 95% by 2025.

Crowdstrike is very hands on. It starts with their installed agent, whose simplicity gets high marks in reviews. But this isn’t set and forget – their services are very proactive. You don’t use their wide array of services piecemeal - you buy a certain subscription level (Pro, Enterprise, Premium, Complete), which encircles a widening pool of ancillary services and engagement levels. For the most turnkey package, a customer can sign up for Falcon Complete, which provides it all as a complete “EPPaaS” service that they will manage for you. As an example of how proactive their services can get, you can get Falcon Overwatch as a network traffic analysis service over the entirety of your endpoints. At Enterprise pricing tier, you get the standard level of Overwatch, which just gives you a limited MDR service with email alerts. At Premium pricing tier, it gives you a full MDR service, with escalated notices, access to a response analyst, and quarterly briefings. https://www.crowdstrike.com/wp-content/brochures/OverWatch_T…

Unlike Zscaler, their marketing is crystal clear about what services engage at what pricing tier, and link to detailed pages per feature. Their pricing is clear, and is per-endpoint. It’s very easy to get started using their service, and you can try it for free for 15 days to evaluate their service. After I signed up, a sales rep contacted me, and was very engaged.

As another reminder, DF/IR means forensics and response consulting services. Outside of their SaaS platform, you can engage their DF/IR services at any time for researching and handling a breach, or investigating your current security posture.

CEO on Q220 Earnings Q&A: “If you look at network data, I think the value of endpoint data is much higher than network data. Network data you’ve got to shift through, you’ve got to look at flows and at a high level. You have to understand what’s happening with encrypted traffic and a lot of the attacks - it’s very difficult to piece together what happened just with network flows. And that’s why customers are demanding visibility on the endpoint. With our system, they can tell them that the process exactly what is happening across a fleet of hundreds or thousands of computers, which you would never be able to do with a network products and network data. So again, network data can be valuable in certain areas, but we believe there is an exponential difference in the value of endpoint data.”

Fast forward a month, however, and Crowdstrike has subsequently partnered with Zscaler – so they are providing the endpoint protection of the device itself, and letting Zscaler protect the traffic. Their threat detection systems will integrate together. Sounds like a potent one-two punch.

On a different angle, CEO on the last earnings call mentioned that AWS is contributing a heavy influx of new endpoints. It seems AWS has put a focus on Crowdstrike as their recommended provider for Endpoint Detection on their AWS Marketplace “Solution” pages. https://aws.amazon.com/marketplace/solutions/migration/endpo…

Going forward, it is difficult for me to envision other ancillary angles from here. So I am not sure what will drive growth here beyond EPP. We’ll have to watch and see if Crowdstrike is a one-trick pony that we can ride until the hypergrowth soon stops, or if they will have other waves of revenue from future ancillary services (like Okta and Zscaler are doing quite adeptly). The Zscaler partnership is a good sign that they will not pursue security over the network traffic, only the device itself.

But, oh my… there are a LOT of endpoints out there… and growing.

Gartner just put out a new report comparing EPP platforms across different customer profiles. CrowdStrike did very well in their ratings, being in the top 3 regardless. But it was the clear winner for cutting-edge companies (Type A), second place for stay-current (Type B), and third place for cost-conscious ones.

Strengths:

  • A leader in Endpoint Protection Magic Quadrant. Their ML/AI driven cloud-based platform seems clearly above the rest. Forester just made them “Top Ranked”. https://www.crowdstrike.com/blog/crowdstrike-named-leader-fo…

  • Fully managed service with Incident Response and MDR. The notoriety from their investigations of high profile breaches has lead to new customers.

  • Lots of competitors that are trying to buy their way into this market. Competition is even getting bought out by VMWare, Blackberry, and Elastic. Crowdstrike has the benefit of being SOLELY focused on endpoint security.

  • Customer growth is INSANE. +24% customers in ONE QUARTER. Companies are flocking to Crowdstrike’s solution. Easy to get started; the simplicity of their installed endpoint agent gets very high marks from customers.

  • Heavy CARTA focus. The entire premise of their platform is using ML/AI to detect patterns on endpoints across the entirety of their customer base, and using behavior-based analysis to detect malicious activity (instead of being signature-based).

  • Has a very rich partner connectivity platform called Falcon Connect. Very strong on partner integration, with a wide set of APIs to integrate various aspects - in particular orchestration, monitoring & alerting. Not that many partners yet, but the new partnership with Zscaler shows that they are focused on being a part of a more complete solution.

Concerns:

  • EPP is nowhere near as embedded a service as Okta or Zscaler, and can typically be swapped out easily for a competing solution. The hypergrowth and high $NER points to it being sticky, even after factoring in the competitiveness of EPP market. However, it makes me have a more critical eye on them than Okta and Zscaler, which are way more deeply embedded in IT workflows.

  • Not ideal for non-internet connected devices. But that is pretty much the only down-side to being cloud-based.

  • I don’t see what is going to power their next wave of growth, but it seems of little consequence… EPP/EDR is the hottest topic in cybersecurity (see all the acquisitions in this space), and they are at the top with ~100% sub rev growth. The current wave is going very strong.

  • AWS and Google are cloud partners, but not Azure. Falcon supports Azure endpoints, but Microsoft isn’t a partner like the other 2. Perhaps it is due to Microsoft being a EPP competitor (though only on Windows systems).

ADD’L READING:

DarkReading - Consolidation in crowded EPP market
https://www.darkreading.com/endpoint/in-a-crowded-endpoint-s…

Gardner - Critical Capabilities for Endpoint Protection Platforms
https://www.gartner.com/doc/reprints?id=1-1X9L7P3G&ct=19…

  • muji
    long CRWD
72 Likes

Great evaluation muji. I for one am not a buyer of this stock. I just retired from FireEye where I worked for the last 7 years on network and email malware detection. Even though the endpoint was not in my bally-wig, I have a working knowledge and am familiar with the FireEye endpoint solution (a top 10 MQ provider). The problem with the endpoint market segment is not slow growth, but how to win the customer. There are over 200 vendors selling endpoint agents around the world. Dislodging customers from their agents that reside on thousands of machines is a logistical challenge for any salesman and IT person to overcome. So customers do not easily walk away from their vendor especially with technologies that most of them do not understand and cannot distinguish. Consolidation of endpoint vendors is sure to happen big time with the next economic contraction. CRWD has been making good gains truly. But at the end of the day, there is always a new malware attack trick and new solution. It is an arms race. I do not see the CRWD cloud based management console as any big advantage. It is easy to move on premise management software into the cloud, it just is harder to optimize it to be profitable (multi-tenant) in the cloud.

I am not shorting CRWD but have seriously considered it when it was higher. I just cannot estimate when their growth will hit the wall so I do not want to bet on it. Perhaps CRWD can be one of the consolidators with their big bank account of IPO cash. So maybe they can continue to grow. But I will not bet on it.

-zane

34 Likes

Iamnzane -

The problem with the endpoint market segment is not slow growth, but how to win the customer. There are over 200 vendors selling endpoint agents around the world. Dislodging customers from their agents that reside on thousands of machines is a logistical challenge for any salesman and IT person to overcome.

Great to have someone w your background speak re: CRWD. But the numbers are speaking loudly and differently from what you state ---- stats like CRWDs 4561 customers, 772 net new subscription customers this quarter, 730 last quarter, 97% increase YoY in ARR, 120% Net Retention rate, etc.,

As far as vendors pitching endpoint. Customers are doing these implementations on their own. And are increasing scope w CRWD. Related datapoint from the latest earnings transcript:

During the sales process, this customer deployed Falcon on over 15,000 endpoints over a weekend, where it had taken one of the incumbent vendors one year to reach a similar level. After seeing how quick and easy it was deploying scale with [ph] the Falcon platform across their environment, they increased the scope of the deployments to include servers, significantly increasing the overall deployment to well over 100,000 endpoints and workloads. The CISO at this new CrowdStrike customer estimated that by replacing the software, hardware and labor costs associated with these other vendors, they will attain a compelling ROI in less than eight months.

CRWD is different than other EPP solutions. Yes it has competition ---- but not as much as you think. And the numbers are speaking very loudly…

What am I missing?

Thank you.

Jay

18 Likes

Jay,

I’m with you on this one - the fact that FireEye is having a hard time w/ new customer acquisition (1,095 new customers over the last 4 quarters, page 7 https://investors.fireeye.com/static-files/3637ff35-36d5-477…) and CrowdStrike is seeing them roll in alongside increased operating leverage is a clear sign of strength for CRWD.

Zane’s info FireEye’s MQ position is inaccurate as the most recent Gartner report had FireEye outside of the top 10 providers: they were the 15th ranked endpoint company (https://www.gartner.com/doc/reprints?id=1-1OCAOB9I&ct=19…), below 5 others in the “Niche Player” category, noting that “FireEye has yet to offer a cloud-native multitenant SaaS offering, lagging some key competitors in the EPP market.” This was actually an improvement over their prior year ranking (https://news.sophos.com/nl-nl/2018/02/06/45899/), where they were 2nd to last of all companies rated by Gartner.

Last quarter FireEye reported $550M in ARR (less than half of which was cloud subscription revenue), up just 5% YOY from $522M. CrowdStrike reported $501.7M in ARR, up 97% YOY from $255M. Even if CrowdStrike’s growth were to slow significantly over the next year or two, it would still be in an entirely different league than FireEye.

With CRWD, there seems to be much consternation over the number of vendors with endpoint solutions and the supposed lack of any discernible competitive moats / differentiation. However in my view this runs contrary to the reality that Symantec, McAfee, and Trend Micro have all been dominant endpoint players & maintained significant worldwide market share for the past 8-12 years or so - their successes would seem to indicate it is possible to build a sustainable business in the endpoint space once you reach a certain size & scale. Based on CRWD’s revenue growth, they seem to be taking market share from other vendors quite quickly, and based on their march towards profitability, quite efficiently as well.

To Zane’s other point - it appears that consolidation of endpoint vendors is already happening, and based on the conference call this is contributing to the impressive growth. In the last year Cylance (previously viewed as a major competitor, last Q 13% rev growth and 99% net retention rate - https://www.fool.com/investing/2019/12/24/why-blackberry-fis…), Endgame (acquired by Elastic), Carbon Black (also viewed as a major next gen player, acquired by VMWare), and Symantec (previous legacy market leader acquired by Broadcom) have all been scooped up - I view these changes as a sign of CrowdStrike’s strength and success in the marketplace, not of impending doom :slight_smile:

respectfully,
amy

36 Likes

Amy, thanks for the thought provoking post. I respectfully ask your opinion on the following issue:
You wrote: “Endgame (acquired by Elastic), Carbon Black (also viewed as a major next gen player, acquired by VMWare), and Symantec (previous legacy market leader acquired by Broadcom) have all been scooped up - I view these changes as a sign of CrowdStrike’s strength and success in the marketplace, not of impending doom :)”

If these potential competitors are being bought by larger, better financed players then would it not stand to reason they would not dissolve them rather they would use their resources to improve, market better, and use their existing sales force to get them into their existing base of loyal customers?

Does the geo political issues facing Crowdstrike potentially limit their future ability to sell into the government market?

Symantec was purchased by Broadcom. Broadcom is a hardware company with a reputation for not investing in R&D but bleeding companies dry. The only reason they acquired Symantec was the price and the fact they can no longer acquire hardware companies due to the Chinese government blocking their acquisitions.

Carbon black is a weak competitor in comparison to CRWD and Them getting acquired does not make them better. The only issue is dell possibly ending their partnership with CRWD due to VMW owning carbon black. But the dell partnership is not a significant portion of their sales.

Endgame is not a concern as a competitor due to their small size. And Elastic acquiring them does not strengthen them. Crowdstrike spends more on R&D on security than does ESTC as a whole. The gap will continue to widen.

A focused company dedicated to its main line will beat a division of a much larger unfocused company a good portion of the time. It’s why Eric Yuan started Zoom because Cisco would not devote resources to WebEx.

As far as geopolitical risks all I’m going to say is it does not concern me. Nobody is investigating them for corruption other than a certain high ranking official going off the inaccurate idea that a rich Ukrainian owns them. I’ll leave it at that.

18 Likes

Jay,
I can’t argue with the CRWD numbers as they are unbelievable. And numbers speak louder than words. Sorry I just do not see the moat around the castle. So I’ll sit this one out. But best luck to all the other fools and I’ll watch CRWD with interest, just not as an investor. There are plenty of other fool stocks that compel me. best!

-zane

4 Likes

“I can’t argue with the CRWD numbers as they are unbelievable. And numbers speak louder than words. Sorry I just do not see the moat around the castle. So I’ll sit this one out. But best luck to all the other fools and I’ll watch CRWD with interest, just not as an investor.”

I always thought that in general that a moat existed in security and that it was the number of threats known and how soon they are known from when they are 0-days. Plenty of great companies with great tech, but matching data against the same generic IOC feeds. I thought that the Mandiant acquisition was strong from that perspective (as well as getting the reverse engineering team), as was iSIGHT. I liked Rapid7 for similar reasons but could never get away from thinking they were really just some bells and whistles on metasploit.

Mandia has done pretty well with the hand he was dealt. I think of DeWalt when people talk about CEOs of Saul-stocks going on CNBC and showing a bunch of confidence.

What do you think of Splunk, if you don’t mind me asking? As far as I can tell they have miles of lead on ESTC/Endgame and Datadog on their SIEM products.

1 Like