CrowdStrike (NASDAQ: CRWD): Breaches Stop Here

Updated: Sep 3



Key Points

  • CRWD is the pioneer of cloud-delivered endpoint protection

  • Signature Falcon Platform is lightweight, integrated and powered by a proprietary Threat Graph

  • Lucrative subscription revenues grew at an impressive 4-year CAGR of 102% till FY21

  • New subscribers grew 30% YOY in FY21 due to its first-mover advantage and aggressive marketing

  • Low churn rates of 2% are underpinned by network effects and its modular-based ecosystem

  • Expanding TAM in adjacent industries and international markets sustains long-term growth

Company Overview

CrowdStrike ($CRWD) is the pioneer of cloud-delivered endpoint protection for client devices like laptops, desktops, and mobile devices. Founded in 2011 and listed in 2019, it has been riding on the rapidly expanding threat of cybercrime, which is expected to cost the world a massive $10.5T by 2025. It spans 176 territories and has acquired more than 9,986 subscribers globally.


CRWD’s signature solution, the Falcon Platform, is underpinned by 3 propositions:

  1. Cloud delivered, making it single and lightweight

  2. Threat Graph, which analyses, correlates and provides real-time visibility over more than 30B events daily

  3. Integration of next generation anti-virus (NGAV), endpoint detection & response (EDR), and 24/7 hunting service into a single ecosystem, which provides stronger endpoint protection


Historically speaking, CRWD has also constantly evolved its products to stay on top of heightened competition and the growing sophistication of cyber attacks. It branched out into threat intelligence in 2012, EDR in 2013, IT hygiene in 2017, and branded itself as the first cloud platform for endpoint security in 2019.


As of FY21, the Falcon Platform offers 4 endpoint protection bundles and 19 individual, modular-based solutions. Both are delivered through the Software-as-a-Service (SaaS) model, which broadly secures:

  1. Endpoint Devices

  2. Central Enterprise Networks


Endpoint Protection Industry

What?

An endpoint is a client device, such as a laptop, desktop or mobile device, that is remotely connected to a network. A network, on the other hand, refers to the connections between linked devices that enable digital communication.



Why?

Both client endpoints and central networks need to be secured against cyber attacks, which have increased by 600% since the pandemic and are broadly underpinned by 2 technologies:

1) Ransomware - software that blocks computer access until money is paid

2) Malware - software intentionally designed to cause damage, which comes in a variety of forms such as worms, viruses, trojans, exploits and fileless malware (view table below)



Why pay attention?

To summarise the troves of articles online, the rise of endpoint protection (instead of networks) has been broadly driven by 2 factors: the evolution of 1) cybersecurity targets and 2) malicious software itself.


1) Targets - more security breaches are coming in through endpoints instead of networks due to:

  • More endpoint vulnerabilities - accelerated by the advent of bring-your-own device (BYOD) policies, where employees connect their personal devices to organisational networks to enhance workplace flexibility

  • Widening network security perimeters - facilitated by work-from-home (WFH) or work-on-the-go trends

2) Malware - becoming more sophisticated due to the proliferation of unknown threats like fileless attacks, which soared by nearly 900% YoY during the pandemic and comprised 30% of all malware attacks in 2020. This has made previous malware security solutions like legacy AV (anti-virus), which detects threats through known signatures, increasingly obsolete, giving rise to newer signature-less solutions like next-generation antivirus (NGAV).


For key differences between the 2 types of software:



Key Products

Overview of Falcon

Broadly speaking, CRWD sells 4 endpoint protection (EP) bundles that cluster groups of cloud-based solutions. All solutions are made available on the Falcon platform, which is built on a modular-based architecture. This enables customers to conveniently choose between 19 cloud-based solutions, organised into 4 pillars, in order to extend their existing EP bundles.


Among its network of solutions, the foundational module that is packaged in all bundles is Falcon Prevent, CrowdStrike’s signature NGAV technology.


Falcon’s Endpoint Protection Bundles

Falcon’s bundles are priced per endpoint and per month, and broadly comprise:

  • Falcon Pro ($8.99) - integrates next generation anti-virus (NGAV) with threat intelligence, an alert triage platform which determines the severity of alerts.

  • Falcon Enterprise ($15.99) - same as Falcon Pro, but with the integration of endpoint detection & response (EDR) and threat hunting

  • Falcon Premium ($18.99) - same as Falcon Enterprise, but with the addition of IT hygiene

  • Falcon Complete (no fixed price) - comprises all modules provided through a delivery-as-a-service model, where CRWD oversees the entire onboarding, maintenance and remediation process for clients


Notably, even for the cheapest option, Falcon Pro, the annual price is over $100 per endpoint, which is significantly higher than most SaaS competitors, who charge half that amount for introductory products, according to Gartner. This signals CRWD’s pricing power in the competitive cybersecurity space, undergirded by an extensive network of individual modular solutions.



Falcon’s Modules

Falcon’s 4 most penetrated modules are the NGAV, EDR, threat hunting and IT hygiene solutions, which are explained in the table below:


Cybersecurity Industry

Industry Growth

CRWD exists in the growing cybersecurity market, which was valued at USD$163.7B in FY20 by Grandview Research and is expected to expand at an 8-year CAGR of 10.9%.


Industry growth has been broadly driven by:

1) Digitisation - due to the emergence of the Internet of Things (IoT), which has enhanced connectivity and heightened the world’s reliance on data

2) Cyberattacks - due to growing frequency, intensity & sophistication of cybercrimes to monetise the above data growth, with cybercrime expected to cost $6T globally in FY21.

3) Gross underpreparedness of organisations, with over 50% of firms lacking appropriate security management systems according to Accenture’s FY21 report.


Together, this has prompted both enterprises & governments alike to fortify their in-house security infrastructures and reform cybersecurity policies, creating significant monetisation opportunities for cybersecurity providers.





Competitive landscape

The endpoint security market is highly crowded, with CRWD having to compete on 3 fronts:

1) Incumbents in anti-virus market - legacy players with signature-based legacy AV

2) Next-generation endpoint security providers - newer entrants with signature-less NGAV

3) Platform plays - network security providers who supplement core perimeter-based products with additional endpoint security solutions


Zooming into competitive dynamics,

1) Legacy incumbents (17%) - using the top 3 giants as a proxy, the incumbents’ endpoint security market share has more than halved since FY18 (view graph below), with Symantec experiencing the steepest decline at 5.5 percentage points. This has been driven by the rise of next generation players, which offer signature-less NGAV to drive more advanced, contextually-driven protection against unknown threats.



2) Next Generation and Platform Plays - using the 5 largest modern providers as measurements, the revenue growth of endpoint providers was double that of the endpoint security market since FY18 (specifically for VMware Carbon Black, BlackBerry Cylance, and Palo Alto Networks). This growth has been led by CRWD, which jumped to second place in the rankings and gained 3.4 percentage points of market share in FY20 (view graph above).


However, despite this segment growth, the market is highly concentrated with similar cloud-based, AI-driven business models.


Key Differentiators

In the table below, I pitted CRWD against competitors based on its customers, outlining the entire user journey from deployment and protection to scalability of its clients’ security infrastructure platform.





First, CRWD’s key differentiators are in:


1) Deployment & Scalability - CRWD is the first cloud-native application, enabling more seamless deployment (higher speed & time to value) & expansion (scalability with minimal endpoint performance impact). This eclipses traditional on-site appliances that adopt hardware-driven models, namely hybrid providers (Cylance, SentinelOne, Cybereason) and platform plays, which deploy legacy applications onto cloud (view table below for details).


2) Additional features - CRWD offers more advanced features at a premium, compared to:

  • Platform plays - Palo Alto’s Prisma & Cortex are mere cloud-based extensions of its key firewall product, making them less endpoint-comprehensive than Falcon’s cloud-native suite of solutions

  • VMware Carbon Black - lacks advanced threat hunting features compared to Falcon’s 24/7 hunting platform (view picture below for details)


1) SentinelOne - business model is most similar to CRWD in terms of integrating detection (EDR) and threat hunting onto cloud, with the key difference lying in its wholly automated solution.


While CRWD has substantially higher revenue & cost margins all across the board, SentinelOne’s rapid sales growth may be a potential disruptor to CRWD. For instance, SentinelOne’s revenue growth surged by 100% in FY21, exceeding even CRWD’s high YOY increase of 75%. Its subscriber base of 4,700 was also just slightly less than half of CRWD’s 11,420 subscribers.


2) Microsoft - within the NGAV space, its market share (7.5% in FY20) was second only to CRWD. It also has the widest client access, given that Defender is built into Windows 10 and Microsoft expanded access to macOS, Android and Linux in 2020.


However, despite its behemoth status, Microsoft has substantially lower security protection than CRWD, with a ranking of 13 in the MITRE Adversary Emulation, an annual cybersecurity assessment test that measures EDR detection capabilities against simulated threats (view table below). This is corroborated by its high susceptibility to breaches, as evident from the recent SolarWinds attacks and Microsoft Exchange breaches.


However, CRWD underperforms in the domains of:

1) Customer satisfaction - Comparing net promoter scores, a common SaaS metric for customer satisfaction and revenue potential, CRWD comes in at 3rd place and lags behind SentinelOne and Cybereason.


Yet, on a broader level, CRWD’s promoter score of 83 is still intrinsically healthy, highlighting the overall stickiness of its modular-based ecosystem.


2) Infrastructure protection - Based on MITRE Adversary Emulation, CRWD came in at 10th place, as compared to Palo Alto, which has consistently stayed on top of the pack for the last 3 years (view table below). Compared to CRWD, which specialises in cloud-native solutions, Palo Alto’s strong security results were driven by its triple support ecosystem, which comprises network (Strata), cloud-native (Prisma) and AI-powered threat detection platforms (Cortex).




While network plays have consistently topped third-party independent tests, CRWD’s annual churn rates of 2% in FY21 are still intrinsically low. This implies that, barring any major breaches of the Falcon Platform, existing subscribers are still likely to stick with CRWD even if rival providers theoretically offer better endpoint protection.



Financials

Lucrative Subscription Revenues

CRWD grew its overall revenues by 74% YOY to $264.9M in FY21. This was driven by its:


1) Subscriptions (92% of revenue) - split into 4 bundles, namely Falcon Pro, Falcon Enterprise, Falcon Premium & Falcon Complete

2) Professional services (8% of revenue) - niche services responding to imminent threats, such as malware analysis, forensic analysis, and strategic advisory. As CRWD’s subscriber base increased, services mix has been steadily declining from 28.2% (as % of revenue) in FY17 to 8% in FY21.




CRWD is enjoying hyper-growth within its subscription-based model, with levers measured by:

  • Annual recurring revenue - increased by 75% YOY to $1,050M in FY21

  • Annual subscribers - increased by 82% YOY to 9,986 customers in FY21


This was driven by thematic plays, namely:

  • Increased demand for endpoint security during WFH in COVID-19

  • Higher prevalence and sophistication of cybersecurity attacks during COVID-19. For instance, the FBI reported a 300% increase in US cybercrimes since the pandemic began.





Subscriber Acquisition & Net Dollar Retention

To ensure that the subscription spike during COVID-19 was not an anomaly, I further measured annual recurring revenue using 1) acquisition and 2) retention levels.


Overall, subscription revenues are evenly distributed between new subscribers (33% of revenue), existing subscribers (36% of revenue), and additional purchases of endpoint modules (31% of revenue).





While CRWD rapidly acquired subscribers at an impressive 4-year CAGR of 116.5% (as of FY21), the revenue mix from new subscribers steadily shrank from 74% in FY17 to 30% in FY21, suggesting a slowdown in subscriber growth.


However, slowing customer acquisition has been offset by the expanding pool of revenue from existing subscribers’ renewals, with the existing revenue mix increasing from 14% in FY17 to 36% in FY21.


This has been underpinned by high retention rates:

1) Gross retention rates - 98% in FY21, with low churn rates of 2% a testament to the stickiness of CRWD’s modular-based solution and higher pricing power among endpoint providers.

2) Net dollar retention rates - 125% in FY21, highlighting CRWD’s effectiveness in extracting value from subscribers by cross-selling additional endpoint modules and increasing ARPU (average revenue per user).




This is corroborated by the steadily increasing revenue from additional endpoints/modules since FY18, with YOY growth consistently above 100%, reaching $249M in FY21. Furthermore, the percentage of subscribers with >4 modules also doubled from 30% in FY18 to 63% in FY21.




In my opinion, the strong correlation between modules and subscribers with multiple purchases is possibly driven by the ease of deployment of CRWD’s cloud-native platform and the convenience of total cost of ownership, which consequently enhances platform usage and retains more customers.


Hence, given the lucrativeness of subscription-based models and CRWD’s high retention rates, its organic growth is highly driven by 1) customer acquisition and 2) additional endpoint modules to expand ARPU.



High Gross Margins

Notably, CRWD’s gross margins also doubled from 35.5% in FY17 to 74% in FY21. CRWD’s subscription cost of revenues is mainly driven by:

1) Hosting costs of the Falcon platform in data centers & software amortisation

2) Stock-based compensation expense (SBC), as a tool to incentivise employees


Including SBC, COGS as % of subscription revenue has been steadily decreasing from 64.3% in FY17 to 23.0% in FY21, suggesting:


1) Scalability of the Falcon Platform in supporting new subscribers and more endpoints from existing subscribers, while ensuring that incremental costs from powering new cloud modules and storing additional data are kept to a minimum


2) Lucrativeness of Falcon’s ARPU strategy in selling additional cloud modules to drive subscriber value, which carry higher gross margins


In contrast, SentinelOne’s gross margins declined from 61% in FY20 to 58% in FY21 due to the expansion of its Singularity Platform. Since both CRWD and SentinelOne account for costs similarly, the latter’s lower margins are likely due to SentinelOne’s new entrant status, meaning it has significantly less pricing power than CRWD.



In the long run, we think CRWD’s margins are likely to increase even further, with management raising its 2025 target for gross margins from 80% to 82% in June’s earnings call.



Increasing Net Margins

Despite CRWD’s net losses, its EBIT and net margins have been steadily increasing, with EBIT margins improving tremendously from -171.7% in FY17 to -10.6% in FY21.

These expenses have mainly originated from sales & marketing (54.4% in FY21), with research and development costs trailing far behind at 29.1%. Notably, employee-related expenses (salaries, bonuses, commissions) are the most significant cost drivers according to management.



High Sales Efficiency

Given CRWD’s heavy reliance on customer acquisition, I thought it worthwhile to dive into its marketing strategy, which mostly involves a direct sales team selling subscriptions to its channel partners (75% of revenues). Promotions have mainly manifested through:


1) 15-day free trial access to Falcon Prevent (FY17). This enables customers to install all Falcon modules, which reduces friction for customers and increases the likelihood that they would eventually purchase additional modules.


2) Expansion of free trial to AWS Marketplace (FY18)


3) CrowdStrike Store (FY19) - PaaS-based platform for cybersecurity, where CRWD leveraged its network of channel vendors to create a win-win solution for its ecosystem of stakeholders. The platform gives customers purchase access to third-party applications to extend the Falcon platform, and lets them leverage Falcon’s application programming interface (API) to develop their own software on the Developer Portal.


4) Expansion of alliances with identity providers, business consulting firms, and AWS Marketplace, where CRWD tapped their customers to cross-sell the Falcon Platform (FY20)


Despite increased marketing expenses, CRWD’s GTM (go-to-market) strategy has been extremely successful, as shown by its LTV:CAC ratio*, which had been steadily increasing till FY20. Even with the slight dip in FY21 due to higher marketing costs, CRWD still maintained a high ratio of 19.7.


Overall, this high ROI on marketing points to a strong focus on unit economics. As CRWD ramps up expansion, it is possible that it would benefit from economies of scale and increase operating leverage to become profitable soon.