Crowdstrike Q2'FY2021 Earnings - Teardown

Crowdstrike (CRWD) Earnings Summary

Historical Financials | Press Release | Earnings Transcript | Earnings Presentation

I separate this teardown into three parts: 1) company overview; 2) earnings highlights; 3) updated thesis on CRWD and outlook

Q2 FY21 Highlights

Summary: Crowdstrike is $790 ARR growing 87% YoY and 15% QoQ, which makes it the 2nd fastest growing SaaS company among all B2B SaaS companies (behind Zoom). Crowdstrike posted 16% FCF margins in the most recent quarter with $1B+ cash on its balance sheet. CRWD has good net retention with 120+% NDR and ~98% Gross Retention. Business trades for 32-34x ARR and what we estimate to be roughly 20-22x NTM ARR. The business is benefiting from COVID-19 as companies are scrambling to secure endpoints for WFH and legacy providers are being disrupted by Crowdstrike's superior product.

I. Company Overview:

Crowdstrike's platform protects customers from breaches.

Their Falcon Platform is a SaaS based security offering for next-generation endpoint protection that detects, prevents, and responds to attacks. The company's cloud & AI approach is in contrast to on-prem endpoint security solutions or primarily rules-based and signature-based anti-virus companies like Symantec and McAfee.

Falcon is a single lightweight agent that installs on the customer's endpoint that feeds data into Crowdstrike's cloud-based database called Threat Graph. By leveraging the cloud, Falcon is able to continually collect, process, and analyze threats across all customer's endpoints in real-time. As there's more data that's fed into Falcon, there is more data to train Crowdstrike's AI models with, increasing the overall efficacy of Falcon.

Why Crowdstrike wins:

  • Cloud-based: offload compute to the cloud with easy access to data and their lightweight agent (deployed in seconds) does not require reboot unlike most competitors.
  • Scale: an enterprise customer recently deployed the Falcon Platform to 100K+ endpoints globally in 24 hours (from S-1).
  • Speed: customers can easily and remotely deploy, manage, and protect workloads at scale. Speed of deployment and time to value were critical factors for customers' purchasing decision as having to reboot their complex network of systems have kept organizations from moving to a modern architecture sooner.
  • Security effectiveness: is directly related to the quantity and quality of data collected, and the ability to analyze it in real time.
  • Cloud is eating software: Crowdstrike (and SentinelOne) are replacing a lot of legacy on-prem solutions.
  • Moat: Crowdstrike's threat graph creates a data moat, if malware is detected on any endpoint, then all endpoints are protected in real-time because the Falcon platform improves and trains on each event. Endpoint security also generally has high switching costs and the improved product helps increase barriers to entry.

Business model & strategy

How CRWD stacks up vs. other B2B SaaS
  • Pricing: Crowdstrike typically sells 1 year subscriptions to Falcon platform and cloud-modules are priced per-endpoint and per-module.
  • GTM: Crowdstrike has a low-friction GTM strategy that involves both a direct sales team and channel partners. Starting December 2017, Crowdstrike started to offer a low-touch/low-sales solution in the form of a 15-day free trial access to their next-generation anti-virus module and also making it easy to download Crowdstrike from AWS's marketplace. The goal was to expand outside of just enterprises and to also capture the small and medium business market which is a growth opportunity for the company.
  • Customers: ended Q2 with 7230, growing 91% yoy and 15.5% qoq. Crowdstrike has a well-diversified customer base primarily selling to larger enterprises.

Competitive Landscape

Crowdstrike's competitive landscape & customers
CRWD vs. Public Comps' top 10 SaaS 

II. Earnings Highlights:

Accomplishments & notes this quarter

  • Set a record for net new ARR with over $100M added in the quarter
  • Subscription revenue grew 89% yoy.
  • Added record net new subscription customers of 969 (qoq growth rate accelerated)
  • Closed the second-largest deal in the company history, which was sourced, trialed, and closed remotely
  • Won Zoom's business (maybe the same as above?)
  • Generated positive non-GAAP operating income for the 2nd consecutive quarter.
  • R&D expense (25% of revenues) accelerated, adding 10M qoq and was previously 23% of revenues.
  • Percentage of all subscription customers with 4+ modules increased to 57% and those with 5+ modules increased to 39% (55% and 35% in Q1 respectively).
  • Magic number increased to 1.3, the highest ever in company history!
  • FCF margin (16.3%) is increasing yoy but declined from the past two quarters due to the past two quarters (33% and 49%) being inflated by deferred change in net working capital.

III. Updated Thesis

1. Mission-critical product will allow investors to demand a lower free cash flow yield, and thus higher FCF multiple.

Amidst COVID-19, Crowdstrike continues to demonstrate the narrative that its mission-critical:  this leads to highly predictable revenues and cash flows, because of low churn on its recurring revenue base, which gives investors greater confidence in its cash flows, allowing them to demand a lower free cash flow yield, and thus higher FCF multiples. In this interest rate environment, I estimate investors demand ~2.5% FCF yield, translating to a 40x FCF multiple.

a. Revolving window of threats as work environments adjust are proving end-point security's mission-criticality:

  • In Q4FY20: Management touched on how "adversaries were preying on enterprises with phishing campaigns as more and more works began working from home."
  • In Q2FY21: Management mentioned that they saw a "154% increase in distinct and sophisticated intrusions, stopped 41,000 potential breaches, which is more than all of last year, and we have seen a sharp increase in e-crime with 27 different industry verticals falling victim to criminally motivated intrusions, which is more than double in the same period last year."
  • WFH trends: WFH entails access to sensitive data from unsecure WiFi networks, more devices (personal) accessing company data — personal devices will need to have the same level of security as a company-owned device, and companies will also need to consider the privacy implications of employee-owned devices connecting to a business network. CRWD charges customers additional revenue per-endpoint.
  • Exceptionally consistently low churn:

b. Market consolidation:

  • Fundamentally, businesses prefer fewer software offerings: Crowdstrike’s breadth of offerings represent a single security vendor choice for large enterprise companies. In offering different editions, CrowdStrike is attempting to compete with the different threat protection strategies implemented by various competitors. This allows them to sell to a larger audience & expands optionality for customers who want various services. There are 255 endpoint security vendors listed in the directory portion of Security Yearbook 2020 that comprises, but Crowdstrike's breadth of offerings through their modules separate them from the rest of the pack.
  • Superior product drives market consolidation: cybersecurity is driven by innovation, channel development, and customer growth. Crowdstrike builds and feeds off their own positive feedback loop better than anyone else. The Falcon AI platform needs to accumulate more and more training data to improve its logic and deliver the most accurate predictions and fewest false-positives. Whereas, most companies have already built-in flaws from their historic positioning in on-premise or designs around their database or designs of the endpoint agents.
  • Broadcom's acquisition of Symantec left customers under-serviced and Crowdstrike was the largest beneficiary. Symantec is abandoning all but its most profitable 2000 customers, leaving over 100,000 Symantec customers looking for alternatives. When given the choice, many customers are choosing Crowdstrike.
  • Disruption from acquisitions in the endpoint space: Symantec (bought by Broadcom), Carbon Black (bought by VMWare), Endgame (bought by Elastic), and others. I see this disruption from both larger struggling endpoint providers being bought and smaller players being pushed out, and there’s a massive opportunity for CrowdStrike to continue to steal market share and further penetrate TAM.

c. Accelerated removal of barriers to adoption have increased TAM:

  • CRWD is winning customers traditionally averse to offloading data to the cloud: Management mentioned they won major customers in the financial services and healthcare industry this past quarter. In order to adapt to the new realities of a work-from-anywhere model, they embraced cloud, accelerated their digital transformation plans, and in the process realized they also needed to transform their security architecture and gain visibility into their endpoints. looking to free themselves from their hodgepodge of legacy solutions and move on to a single platform that could be easily and rapidly deployed globally.
  • CRWD is winning budget-constrained customers in severely impacted industries: Management mentioned adding an airline business that was under immense budget constraint this past quarter. They were frequently being attacked by adversaries and the security team was frustrated and fed up with the inability of their patchwork of legacy and next-gen vendors to keep up. As a result, they were spending a lot of money on services to supplement their fragile security tools.
  • On-prem legacy providers are being displaced and losing market share: FireEye (FEYE) still relies on its hardware appliances, which require heavy human presence and involvement to manufacture, ship, sell, and deploy. Products like Nexpose from Rapid7 (RPD), Nessus from Tenable, (TENB) and Qualys Guard from Qualys (QLYS) are not all-encompassing and will have to revamp their go-to-market branding to compete as they are largely vulnerability assessment tools. CRWD has developed a new technology, partially based on AI and statistical analysis that is both more effective and much easier to deploy than most of the end-point security alternatives. The companies against which CrowdStrike competes most often (Symantec and McAfee) have simply under-invested in this technology and are being displaced.

2. Management's heightened focus on sales efficiency and self-service product proves successful and continues to demonstrate CRWD's path to profitability.

a. Management is sales efficiency-focused and executes well.

  • Management uses Magic Number as a key performance indicator: CRWD is one of the few SaaS companies I've seen that include this metric in their earnings presentations.
  • Sales cycles are incredibly short contrary to other enterprise software offerings: one of the biggest pain points for customers migrating to the cloud is disruption of business activity, Crowdstrike's ability to close $100k+ deals within weeks is astounding and a testament of great marketing and execution.
  • Crowdstrike has consistently lowered its payback period:

b. Land and expand strategy & Marketplace Integrations have less friction

  • Trial-to-pay and in-app module are effective: CrowdStrike highlighted trial-to-pay and in-app module trialing as two areas where they have made adoption increasingly frictionless for new and existing customers. The frictionless ability to test out new modules has been a crucial contributor to customer conversion.
  • Upsell/cross-sell of existing customers is effective: Crowdstrike often acquires customers with one module and customers will purchase additional modules over time. Management's benchmark of 120% net dollar retention is a good indicator of how strong of a runway they anticipate cross-selling of additional modules. This also helps improve gross margins (as we've seen consistently over the last few years) because additional modules leverage the same endpoint data and contribute near 100% margin, while also lowering the portion of total revenue contributed from overwatch (manual searching and detection of threats).
CRWD began reporting numbers for 5+ modules in Q3 FY20, but has noted its acceleration since 2018. Management didn't report exact numbers of % of customers using 4+ modules in the Q2, Q3, Q4 FY20 earnings but noted it was above 50%.
  • Marketplace integrations are efficient: CRWD integrates with AWS marketplace in Store. Crowdstrike has metered billing, so it makes it super easy for customers to be able to implement and use it and get billed appropriately. In Q4FY20, the AWS marketplace integration cut sales cycles down by almost 50% and from an ARR perspective, CRWD grew 32% qoq with their AWS marketplace deal.

3. Crowdstrike is still an under-monetized platform, and has significant market opportunity from its existing customer base, and serviceable obtainable market.

I believe that Crowdstrike has enormous pricing power over its customers, and over-time, its customers will be less sensitive to price changes given 1) the strong, immediate ROI CRWD delivers; 2) the consolidation of this market; 3) IT budgets expanding

  • IT budget expansion – customers are more willing to pay more: CIOs are looking forward, not backwards. They want cloud platforms that are agile, easy to deploy, easy to manage even if their security teams are working remotely. As such, today's refresh is all about digital transformation and eliminating their reliance on complex and fragile legacy technologies. Digitalization trends have prompted IT budgets to expand, and cybersecurity is a major beneficiary. Great quote from CEO George Kurtz: "regardless of the spending environment cybersecurity is not a discretionary purchase for organizations. Cybersecurity is mission critical to both the public and private sector. Endpoint or workload security is also essential to protecting a remote workforce".
  • ACVs have been on a decline recently, because of customer growth acceleration:
  • Crowdstrike's core product improves over time: the Falcon platform improves with the volume of data it has. All the data it collects is stored in one place, the threat graph, where it's analyzed almost instantaneously across the entire customer base, providing real-time protection and community immunity. This allows them to continuously improve their accuracy and build upon the positive feedback loop.
  • Crowdstrike has a clear and definable market: I like that Crowdstrike notes the Fortune 100, top 20 banks, and global 100 in its earnings presentation.

Outlook: updated valuation & thoughts on next quarter

5-yr valuation projection for CRWD using EV/ARR and FCF multiples, sanity checked by LT EV/FCF valuation assuming business is in "steady state" at that given point in time. I believe there's compelling variant perception in my estimates of revenue relative to sell-side consensus.

I tried to be as reasonably accurate in my projections. Since service revenue is fairly unpredictable given COVID-19 and the uncertainty around WFH, I'm using an EV/ARR projection and sanity checking ARR by looking at ARPA and net dollar retention.

Projecting Revenues

  • I project out revenue two different ways and aimed to get a delta of 0 between the two methods to confirm their accuracy using the KPIs (ARPA, customer growth, and net dollar retention).
  • In method 1, I grow customer net adds (growing about 14% qoq and tapers to 5% qoq) and ARPA (which goes from 109k -> 127k during my projection period).
  • In method 2, I estimate net dollar retention, starting from 121% in Q3FY21 and taper down to 115% in 2025. The difference between Total ARR and revenue from the cohort that existed a year ago times the net dollar retention makes the "new ARR" from customers obtained in the past year. Dividing this amount by the number of customers obtained in the past year gives new customer ARPA, which grows from ~$73k to ~$90k in the last projection quarter.

Since I converged the two methods of projecting revenue with reasonable assumptions to zero delta, it gives me confidence in the accuracy of my projections.

Valuation

  • I look at three cases for valuation: EV/ARR multiple (which I use for the price targets), EV/FCF based on a target FCF yield in that given year, and LT EV/FCF.
  • For LT EV/FCF I estimated Crowdstrike's target FCF margin using the guide management provided:
Long-term margins for Crowdstrike
  • As explained in thesis #1: based on the mission-criticality of CRWD, combined with the high predictability given the exceptionally low churn, and this interest rate environment, I believe investors will demand ~2.5% FCF yield, translating to a 40x FCF multiple which I used in the LT target.
  • Based on the LT target, for the EV/FCF case, I chose a slightly lower target FCF yield in 2025 for CRWD, since FCF is still growing very fast ~77% yoy.
  • I hoped to use FCF multiples to provide greater insight on appropriate EV/ARR multiples to use, but also sanity checked EV/ARR multiples with peers growing ARR at similar rates.

Outlook for Q3:

Looking ahead at next quarter, I still believe Q3 will be a signficant market-share grabbing opportunity for Crowdstrike as on-prem solutions continue to get displaced by next-gen cloud providers. Category leaders are benefiting disproportionately from having better unit economics as markets were more fragmented in the past -- and as we saw in this quarter, net customer adds accelerated. I estimate CRWD adds ~1100 customers, ARPA remains relatively flat, and net dollar retention remains above the 120% benchmark.

Historical guidance and beat % for every public quarter, my guess for Q3 in red.

Looking at some of their historical guides and beats, I estimate CRWD's revenue to be ~225M in Q3.