My crowdstrike (CRWD) notes

I had started putting this together mostly for myself but we were on vacation so instead I went and did vacation things. I noticed bits and pieces of this have been posted already but I think some of this is new. I won’t go over much of the numbers since that has already been covered.

crowdstrike technology and business model
I invested in crwd at the IPO for the growth and as I have learned more I’m more optomistic about the company because of their base technology which is substantially different than other endpoint solutions that I am aware of. They are a true native cloud based data collection and action agent that can be generalized to many different scenarios. Endpoint protection and response is what they have started with. You can think of crowdstrike’s lightweight agent as half, and their “threat graph” as the other half. Lets cover the agent first.

The agent is able to do two main things. Scan a computer at a very detailed level and upload that data. The other half of the agent is that it is able to ACT on the computer. The agent gets instructions and its intelligence from the Threat graph which is the second part.

The “Threat Graph” gathers all the data from all the endpoints and decides what is a problem and what isn’t. Their database can analyze and correlate over 1 trillion events a week in real time. The cool part about this is if some malware is detected on 1 computer in Singapore then all endpoints covered by crowdstrike are instantly protected. The power of their system is just down right incredible.

The other cool part is once they have the data from an endpoint it can be used not only for next gen antivirus but also for configuration management, IT operations (both are new modules being developed) and anything else someone can think of such as APM , performance management, etc etc. Crowdstrike’s core technology is incredibly versatile and they are leveraging it by offering 3rd party applications developers access to it. Salesforce has done something similar, (crowdstrike has said they want to be the salesforce of security) but honestly crowdstrike’s technology should allow them to expand beyond just security. If an app on their platform does well then they can just buy it and incorporate it into the core product just like salesforce has done.

Crowdstrike grew their Threat Graph on 3rd party cloud providers which was relatively expensive and the reason their subscription gross margin last year was 62%. CRWD is in the process of moving to colocation data centers and away from cloud providers which has resulted in their gross margin increasing to 72% this quarter. Their long term gross margin target is 75-80%.

Business and Selected Financials
Others covered this. I just wanted to point out a few things.

They didn’t post a dollar based net retention rate. In their s-1 they were humming along at a DNRR of about 120% and then jumped to 147%. The scuttlebut on the street is that amazon massively increased their spend with CRWD which caused that quarters DNRR to jump to 147% In the CC their CEO said that large orders can cause fluctuations quarter to quarter. My guess is the DNRR is less than 147% this quarter but as they said above 120%.

Part of crwd’s upsell is to sell additional modules to endpoint customers. These modules are essential free from a margin standpoint as CRWD has already collected the data and spent the computation power analyzing it so each additional module increases their gross margins. Last year 47% of people had 4 modules or more. This quarter the number is higher but they didn’t give it. My guess is barely higher to functional equivalent.

CRWD points out ARR (annual recurring revenue) as a key metric. They calculate it as if everyone with a contract renewed their contract at their previous rate. Personally I think it is kind of a crummy “key metric” because it doesn’t take into account churn or upsell. I’d rather they gave us DNRR every quarter …and my wish upon wish is if they would give us churn. ARR grew 114%.

One of the more incredible numbers is 543 new customers so from 2500 to 3kish. They now cover 400k endpoints!!!

Operating leverage improved alot, opex 93% of revenue compared to 126% of revenue, up from 62 to 72%. CFFO was positive 1.4 million

About 10% of CRWD’s revenue is professional revenue for things like incident response and proactive services. Gross margin is about 50% but each dollar spent in professional services brings in 3 dollars of ARR from new customers

Shares outstanding of 205 million

Conference call
“’…you are guiding way higher than we thought. If I put $103 million or $104 million in revenues, I don’t get minus $0.23, I get deeper loss. So, that means your margin assumptions are better than what we’re expecting. Can you elaborate on gross and OpEx – gross margin and OpEx assumptions for next quarter? Thanks.”

Answer was basically a run around where they hemmed and hawed about being prudent. I.e. maybe sandbagging a bit.

“are you seeing Windows 10 adoption as an opportunity as customers reevaluate endpoint security, and are you seeing more interest for Microsoft Defender APT?”

anytime you have a transition between Windows 7 and Windows 10, an operating system change, there’s always an opportunity for us to get built into the overall going damages……So, in a heterogeneous environment, companies want coverage not only for Microsoft 10 but they also want it for Linux and Mac and other devices.
My take: an enterprise can use crowdstrike and protect EVERYTHING…or use microsoft defender for their windows machines and something else for other things…If I were an enterprise I’d go with one product.

Question about modules and uptake
majority of our new customers are buying more than one, more than two of our modules, actually, the majority are buying three …….So, for us, as we think about bringing more modules to the marketplace, we would expect that to grow

Question about competition and disruption.
Salesforce Siebel analogy that you just can’t take something that started on-premise and try to jam it into a cloud and call it cloud native. So, in our mind it’s a difficult thing to do…….And, more importantly, anyone coming into the space would really have a low margins and has to go through a painful process of margin migration upwards. “

Question about customer adds
hat we’re seeing, again, is the recognition in the marketplace, whether it’s analyst recognition, whether it’s the single agent cloud architecture, the adoption of new cloud module, the adoption of workloads where customers are looking for something that’s simple, give you time to value and just works. I think, we’ve done a good job in the free trials. We continue to see a lot of momentum where customers are coming in and very easily and quickly seeing the value of our technology that we can convert that with a very robust inside sales team. So, we see a lot of momentum in that space. And I think it’s just a recognition that traditional legacy players are not really capable of dealing with advanced threats.

Question about “fossilized vendor solutions “ and symantec (lol poor symantec, getting hosed by crowdstrike in the endpoint market and zscaler in the network security market…plus they couldn’t even sell themselves to broadcom)

Well, any of the legacy vendors we continue to take share from, and again, I think, it’s a recognition of customers that are trying to transition to a true cloud architecture.

Question about splunk and threat graph

This broad relationship is really just for presentation purposes. So, the graph database, the collection everything is all our technology. And threat hunters tend to like to hunting back and search around. So, we use Splunk, which you’re very familiar with as a presentation layer. And that’s the extent of it. So, it’s not really used for anything other than that.

My Take
Excellent quarter with lots of promise. Revenue growth was amazing, operational leverage increase was great. I wish they hadn’t played coy with DNRR and module adoption. I thought the conference call was really good but I must admit to being a little wary of management since they only showed us numbers that were borderline amazing. I’m sure DNRR dropped from last quarters 147%, I’d much rather they tell us that than hide it.

Crowdstrike is expensive, I bought my initial position at an EV/S of 43 at a price of 57.5. They popped up as high as an EV/S of 61 and now after this earnings release they are sitting at an EV/S of 55. If they grow their revenue 90% this year (guiding for 75%) they will be sitting at an EV/S around 29 not counting dilution. I’ll take that as I think crowdstrike can get near 90% growth and they will probably be improving their operational leverage quite a bit in that time. CRWD has a couple of large markets that they can grow into. I think they will be much larger in the future. Would I buy now? Probably, but I have a pretty solid position. I’d definitely buy if the market pulls back.

Best,
Ethan

I wish they hadn’t played coy with DNRR and module adoption. I thought the conference call was really good but I must admit to being a little wary of management since they only showed us numbers that were borderline amazing. I’m sure DNRR dropped from last quarters 147%, I’d much rather they tell us that than hide it.

Great post, Ethan!

DNRR for the April quarter was reported in May in the S-1A to be between 137 and 141. So a slight decline from the January number.

Chris

The agent is able to do two main things. Scan a computer at a very detailed level and upload that data. The other half of the agent is that it is able to ACT on the computer. The agent gets instructions and its intelligence from the Threat graph which is the second part.

The “Threat Graph” gathers all the data from all the endpoints and decides what is a problem and what isn’t. Their database can analyze and correlate over 1 trillion events a week in real time. The cool part about this is if some malware is detected on 1 computer in Singapore then all endpoints covered by crowdstrike are instantly protected. The power of their system is just down right incredible.

Thanks so much Ethan, the cool part about your post is that it’s the first time I’ve seen a coherent explanation of what the agent does and what the Threat Graph does… And what the whole thing does! Wonderful post!
Thanks again,
Saul

Crowdstrike is an excellent example of the new way of building a software business and the power of cloud by allowing massive scalability. Think about the absolute growth numbers seen here. 400k endpoints. Adding 500 customers in a quarter, about 8 per day. The computing power and amount of data flowing must be hard to imagine.

How would that have played out before AWS? The capital required, amortization, depreciation, technical expertise, hiring, real estate, etc. Building of a business the traditional way would have taken a decade to get to this scale.

Now, we see the app economy where Crowdstrike business core is the anti-virus, security. The rest is added as needed and expensed based on usage. They start with AWS for cloud computing and storage, pull in other software as needed. One question on the call was about Splunk, they basically use it for visualization, is what I gathered. The model now being proven they can begin working on margin improvement by collocation as mentioned up thread. To be added in time, other apps using the same model but inserting themselves on Crowdstrike as a platform and using Crowdstrike just as Crowdstrike uses Splunk or AWS. Becoming a platform is the key in the next phase of growth.

I haven’t seen mention of what database they are using. I hope it’s elastic or mongo for my portfolio sake. If they are moving away from AWS, it will likely be one or the other.

It’s incredible the power of an idea in this landscape. If you can create a differentiated core software, there are all these other applications you can pull in as needed and begin scaling with little friction.

What is the next space to be disrupted using cloud-native?

https://www.marketwatch.com/story/crowdstrike-stock-rallies-….

more customers are becoming more frustrated with legacy security platforms, George Kurtz, CrowdStrike co-founder and CEO, told MarketWatch in an interview.
“The legacy technologies are just failing, continuing to fail, and as they talk about new releases coming out, they’re just really not giving anything that even remotely resembles a cloud-native architecture,” Kurtz said.

It looks like security is in the midst of a transformation. Out with the old ,in with the new. Though this does not seem a “winner take all” field, I am confused about the roles of the several companies owned by many here such as OKTa and ZS, how they all fit together for companies ready to ditch legacy security methods.

Though this does not seem a “winner take all” field, I am confused about the roles of the several companies owned by many here such as OKTa and ZS, how they all fit together for companies ready to ditch legacy security methods.

Mauser,
Gauchochris started me on this analogy and I’ll extend it here a little bit. If you think of a country as our thing to secure, ZS is like a border patrol agent, OKTA more similar to a passport issuer. Extending that analogy out then I would say EDR(CRWD) would be your FBI/(some surveillance and enforcement), SIEM (system wide data collection and monitoring) would be the NSA. ESTC is trying to get into the SIEM and EDR world. CRWD is the leader in the EDR world but I’d guess will start encroaching on the SIEM world. You can see there are many different approaches to “Security”. All of which are important. Currently there is no one Security company that addresses the whole market. Mcafee, Symantec try but you can tell by the Crowdstrike, Zscaler, and OKTA’s of the world that the incumbents are losing.

Out of our companies the only ones that are competitors are ESTC and CRWD. Otherwise each are just a piece of the security pie.

best,
Ethan

It may not be a winner take all field, but like Okta, the large customer base allows Crowdstrike to see threats at one customer and adjust instantl to the threat among all the other customers it has. The bigger the customer “crowdsourcing” base, the more superior the product. This is the exact same place bing that OKTa says gives it an advantage at zero trust.

As a security professional who works day in, day out with end point protection vendors, I admire Crowdstrike as both a product and as a business. They have shown themselves to be a good investment up to now, better than I expected actually. But let’s not get carried away by the technology itself or the value of the “cloud native” approach which is not unique to Crowdstrike in any way.

“their base technology … is substantially different than other endpoint solutions”

Uh, no. Bottom line, end point protection is a commodity, a check box in a CISO’s defense in depth playbook that every organization will purchase. Whether it is signature based or heuristic/AI/machine-learning based, it is the same concept as numerous highly capable competitors are providing. I’m not talking about dinosaurs like Symantec, but other leaders like Carbon Black, Cylance, Cisco AMP, etc, etc. At the end of the day, purchase of Crowdstrike (or any other end point protection vendor) is “compliance”; it is in no way going to eliminate non-endpoint protection security costs or otherwise “transform” the security practices of an organization.

“Their database can analyze and correlate over 1 trillion events a week in real time”

For reference, Microsoft Azure processes over 7 trillion security events a day. Crowdstrike’s numbers are impressive but pale before the top tier cloud providers as one would expect.

I don’t want to sound like I’m knocking Crowdstrike. Their product is excellent and their business and marketing is equally excellent as can clearly be seen. I would just make the suggestion to evaluate the company more based on their business prowess than on their supposed technological advantages. So far they have shown that this may be a good bet.

RuMORDeN-

Thanks for your thoughts on Crowdstrike.

What do you think is their competitive advantage? They are growing at 100%, way more than the competition, so they clearly have some competitive advantage.

Thanks,
Jim

Jimb05,

I don’t presume to have done nearly the research on that question as others on this board, so my thoughts constitute mere speculation but they they would be:

-Crowdstrike is still reaping a free marketing bonanza from their forensic work on the 2016 Democratic Party hack. I personally began receiving sales calls from them after that and I can only assume that they astutely recognized that was the time to put the petal to the metal in sales and marketing. This article hints at a 475% subscription gain in the following year which seems to have barely slowed down. https://www.forbes.com/sites/samarmarwan/2017/07/11/crowdstr…

-Since even before that time period there has been a security “gold rush” corresponding to the rise of organized crime and nation state hacking which has lifted all boats. Look at Cisco, Fortinet, Palo Alto, Zscaler and so on for evidence of that.

-Endpoint security has until recently been dominated by ossified dinosaurs (Symantec, McAfee) and political casualties (Kaspersky)so the field is open for disruption.

-Timing of their IPO could obviously not have been more favorable.

I don’t doubt that Crowdstrike’s tech is equal to or marginally better than other leaders in this space, but as far as competitive advantage, this seems to lie on the management and business side. I know that is not much of an answer, but even as a tech guy, I find myself much more interested in the business of Crowdstrike than the tech.

There is a Malcolm Gladwell book called Blink, about how you can intuitively grasp things, before - or even without - knowing why.

Saul saw SHOP posters on the subway in NY, which seemed rather desparate. He blinked (although of course backed up by lots of research, this re-inforced his long held opinion.)

re CRWD,I give you this (try not to blink)

https://www.youtube.com/watch?time_continue=148&v=z-Sqt-…

What kind if narcissistic egomaniac spends his shareholders’ money making a vanity video (of a “sport” which a 350 pound teenager could probably pay better, if only he had the money.)

ZS CEO, by way of contrast, started a bunch of companies, (I think all were successfully sold or acquired), after coming to the US - as I recall - as a relatively destitute immigrant. I may be mis-remembering, but I think from some tiny town in India.

And ZS is the company he finally wants to make big.

That’s a guy I trust (perhaps wrongly picking him as a way of comparison, as in the same general field as ).

I don’t trust a guy who makes vanity videos about race car driving, on his investor’s dime (or $350,000, or whatever he paid for it.)

658 views! Whoo hoo. How much is that a view? (Well, what’s it to Speedy Gonzales, it’s not his money.)

Just my few cents.

Concentrated portfolio, concentrated portfolio, concentrated portfolio…om…

“I find myself much more interested in the business of Crowdstrike than the tech.”

So if there is no tech moat with any of these cloud security names, basing the only difference on marketing and managements ability to promote, spend and sell, is there a clear conclusion that there really is no investable moat? Is this a race to spend the most to sell the most?

Might be a good time to reassess this security sector and the risk reward of holding names like ZS.

Or is the pie so incredibly large that the space can have many big winners.

I would not necessarily extrapolate this discussion to all of cloud security. My thoughts at least are limited to endpoint protection which is what CrowdStrike provides.

That being said, security products do have a stickiness about them mostly proportional to their complexity. Endpoint protection is one of the least complex to provision/deprovision/migrate. However, because of the relationship of security to compliance, inertia tends to be amplified.

I have my thoughts on CRWD’s valuation, but the endpoint protection market does suddenly look competitive given the weakness of large players lately.

I am confused about the roles of the several companies owned by many here such as OKTa and ZS, how they all fit together for companies ready to ditch legacy security methods.

Well, you are in luck. All I can say is… COMING SOON to a board near you.

Also, good insights from you RumorDen as an EPP user, and I appreciate the view. You are right in that the SaaS cloud native benefits and ML capabilities are appearing in all the competition too. One has to watch the numbers, not the tech prowess.

-muji

ZS is like a border patrol agent

I don’t follow. It’s not “border” because ZScaler looks at everything everyone says to one another, even within the company. Remember, there’s no more company intranet - it’s all on the internet. Even if you’re using SSL to communicate, ZScaler is looking at the content (see https://help.zscaler.com/zia/about-ssl-inspection for instance).

ZScaler is like a benign “Big Brother” that looks at everything everyone says to one another and makes sure that they’re not saying anything bad.

I don’t follow. It’s not “border” because ZScaler looks at everything everyone says to one another, even within the company.

Smorgasbord1, I was attempting to give a very very simple framework for people to start thinking about these companies, nothing more. Of course, ZScaler is much more than a border patrol agent since in the Zscaler world there are no real borders but zscaler inserts itself between the movement of information, sort of like a border patrol agent does the movement of people between countries. Like I said, basic at best, same with the other analogies.

@RuMORDeN I read your post with great interest and have begun formulating my reply. Life has just been busy busy but I look forward to picking your brain.

best
-ethan

This is how the CEO answered the competitive advantage question from an analyst in their last quarterly conf. call. The company seems to have some moats around technology, scalability, modularity, and business edge. On the top of that, the company is really a platform company, which intends to grow beyond security and provides additional benefits to easy IT management.

Gur Talpaz
Great. Thanks for taking my questions. And congrats on a strong start here as a public company. I’ll keep it to one for you, George. You alluded to this in prepared remarks, but I was hoping you could extrapolate a little bit. How difficult would it be for someone to effectively replicate your cloud architecture with your single lightweight agent, I mean to come in today and try to do what you do, how much would have to go in to ultimately replicate your strategy and your go to market?

George Kurtz

1. Well, there’s a lot of core IP that we’ve built into the technology. And we started in 2011, as the first cloud native endpoint security vendor. And obviously, there’s a lot of lessons learned between now and then.
2. I think, there’s key elements that we have that we don’t – number one is the single lightweight agent doesn’t require reboots. That really helps time to value and adoption.
3. I think number two is the proprietary graph database that we’ve built with our time dimension to it, very hard to replicate at scale. We didn’t pick an open source technology because it just didn’t scale to what we needed, we didn’t have some of the elements.
4. And then the modular framework, to be able to add modules and use at scale, it’s just really, really hard thing to do. And, you have a lot of folks that talk about cloud, but the reality is, is cloud managed and is cloud native. And you really have to start from a single sheet of paper. I don’t think, it’s any different than the Salesforce Siebel analogy that you just can’t take something that started on-premise and try to jam it into a cloud and call it cloud native. So, in our mind it’s a difficult thing to do.
5. And, more importantly, anyone coming into the space would really have a low margins and has to go through a painful process of margin migration upwards. Obviously, you’ve seen we’ve gone through this, but a lot of it really is based upon the core IP that we’ve built, which is very unique.
6. And the data maybe is the last piece that I’ll say is, once you collect that amount of data, it keeps building on each other – on itself, I should say. And again, that becomes a very hard thing to replicate the sheer amount of trillions of events that we collect each week.

It absolutely could be me, but: I do not see anything in that response that is materially beyond boilerplate cloud architecture CEO speak, or provides any differentiator from ZScaler’s capabilities or architecture.