Crowdstrike $CRWD Q2 FY22 Earnings Teardown
- $337.7M revenue (+70% YoY)
- $150.6M net new ARR
- $1.34B ending ARR (+70% YoY)
- $35.3M Non-GAAP operating income (10.4% margin)
- $73.6M FCF (21% margin)
- 13,080 subscription customers (+81% YoY, +14.5% QoQ)
- 1.4 Magic Number
Q3 FY22 Financial Guidance:
- $358.0M - $365.3M revenue
- $29.4M - $34.7M Non-GAAP operating income
FY22 Financial Guidance
- $1.39B - $1.409B revenue
- $138.5M - $152.1M Non-GAAP operating income
Crowdstrike is a $1.34B ARR company growing 70% YoY, making it one of the fastest-growing SaaS companies among all B2B SaaS companies. The company reports 21% FCF margins in the most recent quarter with $1.6B+ cash on its balance sheet. Crowdstike continues to have great net retention with 120%+ NDR showcasing its ability to further expand within its enterprise customer base. CRWD currently trades at 39.6x EV/Run rate and what we estimate to be roughly 33.7x NTM revenue. Crowdstrike’s business continues to massively benefit from COVID-19 as ongoing digital transformations and cybersecurity threats have left companies scrambling to secure endpoints for various business operations. Additionally, legacy providers continue to be disrupted by CRWD’s superior and industry-defining product offerings that continually improve with scale. Crowdstrike has capitalized substantially during this period of increased focus on IT security services and is clearly becoming the go-to provider in this space through rapid product development, strategic partnerships, and acquisitions.
Company Overview: Crowdstrike's platform protects customers from breaches.
Crowdstrike's Falcon Platform is a SaaS-based security offering for next-generation endpoint protection that detects, prevents, and responds to attacks. The company's cloud & AI approach is in contrast to on-prem endpoint security solutions or primarily rules-based and signature-based anti-virus companies like Symantec and McAfee.
Falcon, Crowdstrike's platform, is a single lightweight agent that installs on the customer's endpoint that feeds data into Crowdstrike's cloud-based database called Threat Graph. By leveraging the cloud, Falcon is able to continually collect, process, and analyze threats across all customer endpoints in real-time. As there's more data that's fed into Falcon, there is more data to train Crowdstrike's AI models with, increasing the overall efficacy of Falcon and ensuring protection for all Crowdstrike customers.
Why CRWD wins:
1. Best-in-class and category-defining product. CRWD’s product is light-weight, scalable, and cloud-first.
Customers can easily and remotely deploy, manage, and protect workloads at scale. Speed of deployment and time to value were critical factors for customers' purchasing decisions as having to reboot their complex network of systems have kept organizations from moving to a modern architecture sooner. Crowdstrike's threat graph creates a data moat, if malware is detected on any endpoint, then all endpoints are protected in real-time because the Falcon platform improves and trains on each event. Endpoint security also generally has high switching costs and the improved product helps increase barriers to entry.
- Once again Crowdstrike’s platform takes the leader position in the 2021 Magic Quadrant for Endpoint Protection platforms and also leads the pack in the completeness of vision. Crowdstrike is definitely the category-defining product and it will continue to grow market share as it increases its security stack.
- Customer testimonials highlight that they chose the Falcon platform because of their digital transformation initiative to increase efficiency, enhance visibility, improve performance at scale, and consolidate agents across their environment.
- As a pioneer in EDR, Crowdstrike has spent the last decade building upon rich endpoint data by adding more network visibility and telemetry from all workloads, regardless if they are on-premise, in the cloud, or deployed in containers. All the data they collect is stored in one place, the Threat Graph, where it's analyzed across the entire customer base, providing network effects that promote real-time protection and community immunity.
- By streaming the telemetry to the cloud with their proprietary smart filtering, Crowdstrike has a fundamental time and performance advantage over most vendors. Today, Threat Graph processes approximately 1 trillion security-related events per day.
"The lessons learned from recent attacks emphasized that a breach involves more than just malware, which is why companies need to employ a holistic breach prevention strategy rather than overly relying on malware prevention, regardless if it's legacy or next-gen. As I've said before, nearly every breach you have ever heard of had two things in common, the victims had both a firewall and an antivirus solution, which is why we built the Falcon platform from the ground up to stop breaches and not just prevent malware."
2. Frictionless GTM strategy
In addition to CRWD’s best-in-class sales team, a key pillar of their strategy to efficiently grow market share and leadership is to expand routes to market through their partner ecosystem, trial-to-pay platform, and CRWD store.
- Crowdstrike has gained significant leverage from partners, citing that partner-sourced ending ARR nearly doubled year over year. Management cites Telefonica Tech as a new key partner that will bring the Falcon platform to Telefonica's NextDefense MDR customers across Europe as well as North and South America. Another key partner is Horizon whose embracing Crowdstrike's Falcon platform in its business security portfolio for manage, detection, response, and CRM services.
- Management noted that Crowdstrike is probably one of the most transaction-ed ISVs on the marketplace. Kurtz cites that they're extremely good pull for the new cloud modules with Falcon Complete and Spotlight leading the way.
3. Consolidating the market to become the "Gorilla" in security:
- Crowdstrike aims to become a category-defining cloud company, joining the likes of Salesforce, ServiceNow, Workday as one of the dominant end-to-end SaaS vendors. They've done this by focusing and planting a ubiquitous presence with endpoint security and then moving further up the stack from there.
"I think when customers are looking for, you know, that Salesforce of security, they're coming to CrowdStrike fully integrated, covering multiple operating systems, and, you know, again, focusing on stopping breaches." - Chief Executive Officer and Co-Founder George Kurtz
- The Preempt and Humio acquisitions demonstrate Crowdstrike's opportunism and aggressiveness with offering a complete vertically integrated solution. With the Preempt acquisition, CRWD now delivers a modern approach to securing identity. With the Humio acquisition, Crowdstrike has a log management tool focused on SIEM. CRWD can now dump all the data they collect into Humio and no longer rely on Splunk for log management services. Management has indicated that network scanning is another massive avenue to further monetize their existing customer base and land new customers.
- Crowdstrike has shown the ability to standalone against the major cloud providers and they've shown incredible ability to both build organically and buy growth inorganically. This allows their already incredible unit economics to expand as they continue to run up the score on other security vendors. Crowdstrike’s cloud-first platform improves unit economics relative to competitors like SentinelOne that offer hybrid and on-prem solutions that eat into margins.
Market Opportunity: Crowdstrike has shown amazing ability to increase their TAM over time as they expanded into other verticals of security.
CRWD’s current market alone is forecasted to be $4.9 billion in 2023 based upon IDC estimates. Management continues to indicate that there is still a massive customer base to tap into with legacy competitors having over 100,000 customers compared to Crowdstrike's 13,080 customers. And that does not include any potential adjacencies, such as the massive observability market. Looking forward, management cited greater plans for new CrowdStrike business units. While it will take some time and investment to deliver this powerful combination to the market, we believe it has the potential to open up massive new TAM for CrowdStrike, provide a runway for growth well into the future, and ultimately create another line of business on par with the security business.
Q2 FY22 Earnings Takeaways
1. Continued execution in upselling/cross-selling new modules driven by rapid product development and platform completeness
- Crowdstrike notes that subscription customers that have adopted 4 or more modules, 5 or more modules, and 6 or more modules have increased to 66%, 53%, and 29% respectively. As the number of modules adopted increases, CRWD continues to expand its moat from a product and total cost perspective. Within the next year or so, it's reasonable to expect they will again change the KPIs to subscription customers that have adopted 5 or more modules, 6 or more modules, and 7 or modules.
- Management highlights a few newer modules that have had phenomenal adoption including Falcon Complete, CRWD's turnkey manage, detection, and response subscription as well as Flacon Spotlight which provides real-time vulnerability assessment. Kurtz notes that the Falcon Complete customer base has grown approximately 2.5 times year over year while the Falcon Spotlight offering has become a strategic module during the sales process with over 150% growth year over year.
The Fal.Con cybersecurity conference is next week so look out for the introduction of even more modules with a particular focus on XDR capabilities.
But what we can tell you is that, you know, we're landing with more modules, you know, in the SMB all the way up to enterprise. You know, you can refer to George's comments about that one deal that had 11 modules. And so, we're seeing more and more of that. And that's also evidence and as you look at the adoption rates of our modules. You know, every quarter that we talk about adoption rates, they keep going up. You know, and I think that's a testament to the strength of the platform. It talks to the fact that more and more customers want to buy our platform as opposed to point solutions. - CFO Burt Podbere
One of our largest enterprise customers is a Falcon Complete customer because the economics are so good for them. You know, when you look at -- again, getting back to automation. The automation we've built in is second to none in how we operate the service. When you look at that, we can really drive the cost down for our customers and provide a very high touch engagement with them, which is what they were looking for. - CEO Geroge Kurtz
2. CRWD is increasingly becoming the de-facto platform in the security space as it continues to consolidate market share through SMB penetration and ongoing cybersecurity secular tailwinds
- CRWD remains the industry disruptor and on the right side of change through its cloud-first model that is focused on zero-trust solutions for endpoints and workloads. Management continues to indicate the greenfield opportunity left in the security space by highlighting the international expansion opportunity. Kurtz notes that Crowdstrike will continue to expand its partner network internationally which will lead to effective TAM penetration and reduced customer acquistion costs.
- SMB adoption is accelerating led by Falcon Complete as well the frictionless onboarding process where customers can transition from trial customers to paying customers easily. Falcon Complete has really resonated with downmarket customers with small cybersecurity teams as CRWD fills the skills gap and does all the heavy lifting.
- Management continues to emphasize that the number of cybersecurity attacks continues to increase with vulnerabilities like Microsoft PrintNightmare and the Kaseya breach being catastrophic for customers. The Spotlight product was able to provide real-time visibility into PrintNightmare exposure without deploying new agents or scanning, showcasing the power of the Falcon platform.
And again, remember, we don't do the network scanning piece. We think that's big to monetize. And what customers are looking for, and we highlighted this with the PrintNightmare vulnerability that Microsoft had, they want push button results instantly, which we give them. And now, using AI, we can actually prioritize what vulnerabilities are most likely to be exploited, which really helps the IT ops team. - CEO George Kurtz
I still think we're in the early innings. Again, if you look at our customer count versus McAfee or Symantec or Trend, you know, it's, again, impressive for a younger company but still pales in comparison to all the customers that they have. So, it's an ongoing effort. It's a multiyear effort. You know, lots of tailwinds there for us. And that's -- you know, that's in the enterprise. And when you get down to the SMBs, the mid-market, you got a ton of other players that are out there. Too many to mention here. So, that's always going to be an ongoing opportunity for us. And in my opinion, it's still very early innings. And I know that from the big deals that we're doing, and, you know, the McAfee, the Symantec replacements. - CEO George Kurtz
3. Competition concerns with Microsoft and SentinelOne are overdrawn and Humio acquisition provides additional product differentiation
- CRWD is becoming the "Salesforce of security" by offering the best-in-class integrated services that cover multiple operating systems and various IT infrastructure designs.
- CTOs continue to be vocal against monocultures and putting all their eggs in one basket which should provide an advantage to CRWD given that Microsoft services are used by most corporations already. A customer win with a Fortune 500 company demonstrates this as it highlights the immediate ROI and overall cost-effectiveness of the Falcon platform in comparison to Microsoft's offering. Microsoft will continue to get customer wins due to its world-beating distribution engine, but in the security space, the best-in-class offerings will win long-term.
And Humio is -- you know, again, it's just been a shining star for us. There hasn't been a customer or prospect that I talk to that haven't been, you know, extremely impressed with the capabilities there. So, we'll be leveraging that as, you know, part of integrations for the store, and I think, you know, we're still in the early innings there. - George Kurtz
But if you look under the covers, we have more automation by far than any other competitor, including S-One. I mean, that's how we get the scale. That's why the product is easily deployed. That's why, you know, we can drive cost out of the customer base because it does it automatically. When you look at the totality of all the services, again, we're focused on stopping breaches, not just -- you know, we didn't come from a malware product that we tried to bolt on other pieces. We built this from the ground up. - CEO George Kurtz
Read more about Crowdstrike vs SentinelOne in Jon Ma's from July!
CRWD started off in endpoint security but has shown its ability to enter ancillary markets and grow market share through organic and inorganic growth. I still strongly believe in Crowdstrike’s ability to increase market share from incumbent legacy on-prem providers through its best-in-class product offering, effective GTM strategy, and effective acquisition strategy. Microsoft poses the largest threat to Crowdstrike with its massive distribution channel and its massive $20B 5-year commitment to security, but with such a massive addressable market Crowdstrike and differentiated offering with Humio, it will still enjoy a massive growth runaway. With an estimated 2025 ARR of $4B+ and a 40% long-term free cash flow margin, Crowdstrike is poised to be a $100B company very soon and build off its outperformance the last few years. However, CRWD is currently pricy trading at an almost 40x EV/Run Rate multiple.
That's it for this week. As always, don’t hesitate to shoot over a message for any feedback or if you’d just like to chat!