Weekly Dashboard 3/19/2021: CRWD Q4 FY21 Earnings Teardown

Crowdstrike (CRWD) Q4FY21 Earnings Teardown.

Weekly Dashboard 3/19/2021: CRWD Q4 FY21 Earnings Teardown

Crowdstrike (CRWD) Q4FY21 Earnings

Historical Financials | Press Release | Earnings Transcript | Earnings Presentation


Crowdstrike is $1.05B ARR growing 75% YoY and 16% QoQ, which makes it the 2nd fastest growing SaaS company among all B2B SaaS companies (behind Zoom). Crowdstrike posted 37% FCF margins in the most recent quarter with $1B+ cash on its balance sheet. CRWD has good net retention with 125% NDR and 98% Gross Retention. CRWD trades for 39x ARR and what we estimate to be roughly 25-27x NTM ARR. The business has benefited dramatically from COVID-19 as companies are scrambling to secure endpoints for WFH and legacy providers are being disrupted by Crowdstrike's superior product. Crowdstrike has shown to be incredibly opportunistic during this period, amidst notable security attacks, and is becoming the clear dominant platform in this space through product execution and acquisition.

From Q4FY21 earnings call presentation

Company Overview:

Crowdstrike's platform protects customers from breaches.

Their Falcon Platform is a SaaS based security offering for next-generation endpoint protection that detects, prevents, and responds to attacks. The company's cloud & AI approach is in contrast to on-prem endpoint security solutions or primarily rules-based and signature-based anti-virus companies like Symantec and McAfee.

Falcon, Crowdstrike's platform, is a single lightweight agent that installs on the customer's endpoint that feeds data into Crowdstrike's cloud-based database called Threat Graph. By leveraging the cloud, Falcon is able to continually collect, process, and analyze threats across all customer's endpoints in real-time. As there's more data that's fed into Falcon, there is more data to train Crowdstrike's AI models with, increasing the overall efficacy of Falcon.

Why CRWD wins:

1. Best-in-class product:

CRWD's product is light-weight, scalable, and cloud-first. Customers can easily and remotely deploy, manage, and protect workloads at scale. Speed of deployment and time to value were critical factors for customers' purchasing decision as having to reboot their complex network of systems have kept organizations from moving to a modern architecture sooner. Crowdstrike's threat graph creates a data moat, if malware is detected on any endpoint, then all endpoints are protected in real-time because the Falcon platform improves and trains on each event. Endpoint security also generally has high switching costs and the improved product helps increase barriers to entry.

  • Customer testimonials highlight that they chose the Falcon platform because for their digital transformation initiative to increase efficiency, enhance visibility, improve performance at scale, and consolidate agents across their environment.
From Q4FY21 earnings call presentation.
  • As a pioneer in EDR, Crowdstrike has spent the last decade building upon rich endpoint data by adding more network visibility and telemetry from all workloads, regardless if they are on-premise, in the cloud, or deployed in container. All the data they collect is stored in one place, the Threat Graph, where it's analyzed across the entire customer base, providing real-time protection and community immunity.
  • By streaming the telemetry to the cloud with their proprietary smart filtering, Crowdstrike has a fundamental time and performance advantage over most vendors. Today, Threat Graph processes over 5 trillion security-related events per week.

2. Frictionless GTM strategy

In addition to CRWD's best-in-class sales team, a key pillar of their strategy to efficiently grow market share and leadership is to expand routes to market through their partner ecosystem, trial-to-pay platform, and Crowdstrike store.

  • Crowdstrike has gained significant leverage from partners, growing partnership count by 85% worldwide and doubling their partner-sourced transactions. The partnership with AWS is a standout with both partner-influenced deals and transactions fulfilled through the AWS Marketplace growing significantly throughout the year. In fiscal 2021, ending ARR transacted through the AWS Marketplace grew 650% over the last year, and transaction volume grew over 300%.
  • Management noted that Crowdstrike is probably one of the most transaction-ed ISVs on the marketplace. Kurtz cited that they're seeing good pull for the new cloud modules.
  • Management believes they still have vast greenfield opportunity with respect to protecting cloud workloads. And that Crowdstrike is "really, really ahead of anybody else that's out there in the marketplace".

Crowdstrike's dominance of the marketplace is a key reason they boast one of the most sales-efficient growth strategies among all B2B SaaS.

CRWD LTM Payback Period benchmarked vs. other high growth SaaS

3. Consolidating the market to become the "Gorilla" in security:

  • Crowdstrike aims to become a category-defining cloud company, joining the likes of Salesforce, ServiceNow, Workday as one of the dominant end-to-end SaaS vendors. They've done this by focusing and planting a ubiquitous presence with endpoint security and then moving further up the stack from there.
  • The Preempt and Humio acquisitions demonstrate Crowdstrike's opportunism and aggressiveness with offering a complete solution. With the preempt acquisition, CRWD now delivers modern approach to securing identity. With the Humio acquisition, Crowdstrike now has a log management tool focused on SIEM. CRWD can now dump all the data they collect into Humio and no longer rely on Splunk (which they had a deep partnership with before).
  • Crowdstrike has shown the ability to standalone against the major cloud providers and they've shown incredible ability to both build organically and buy growth inorganically. This allows their already incredible unit economics to expand as they continue to run up the score on other security vendors.

Market Opportunity

This market alone is forecasted to be $4.9 billion in 2023 based upon IDC estimates. And that does not include any potential adjacencies, such as the massive observability market. Looking forward, management cited greater plans new CrowdStrike business units. While it will take some time and investment to deliver this powerful combination to the market, we believe it has the potential to open up massive new TAM for CrowdStrike, provide a runway for growth well into the future, and ultimately create another line of business on par with the security business.

Cloud IT and Security spend from Q4FY21 earnings call slides
TAM estimates for Crowdstrike from Q4FY21 earnings call slides

Crowdstrike has shown amazing ability to increase their TAM over time as they expanded into other verticals of security.

CRWD benchmarked vs. top 10 SaaS via Public Comps as of market close 3/19/2021

Q4 Highlights

  • Short term catalysts: recent events such as the SUNBURST software supply chain attack demonstrated that stopping the breach is no longer just about protecting endpoints. It also encompasses cloud workload security and identity protection.
  • Acquisitions: CRWD made key acquisitions in Preempt and Humio, a key part of CRWD strategy to consolidate all pillars of security onto its platform and continue to drive long term growth.
  • ARR milestone: surpassed $1B, and growing +75% YoY!
  • Accelerated adoption: Crowdstrike added a record 1,480 net new subscription customers in the quarter and now 9,896 subscription customers worldwide. Net new subscription customer growth accelerated to 70% YoY. Over the past year, Crowdstrike added 4,465 net new customers.
  • Added marque customers: Salesforce, Pfizer, Procter & Gamble.

Takeaways from Q4FY21

1. SUNBURST attacks represented an additional tailwind to the industry over the long-term.

  • The SUNBURST attacks raised awareness at the board level and serve as an additional tailwind to the industry over the long term. Following the SUNBURST campaign, Crowdstrike's management highlighted the fact that customers were becoming increasingly concerned about protecting their cloud directories such as Azure AD. This is driving interest for identity protection technologies such as CRWD's zero trust offerings derived from their acquisition of Preempt. SUNBURST further highlights the importance of a zero-trust posture. Organizations need to incorporate new security protections focused on authentication in order to significantly reduce or prevent lateral movement and privilege escalation during a compromise.
  • This also catalyzed a crisis of trust within the Microsoft customer base driven by SUNBURST and their more recent zero-day vulnerabilities in Exchange that has been reported to affect 250,000 customers worldwide. Customers are looking to derisk their security architecture by choosing an alternative vendor to Microsoft.
  • In response to this, Crowdstrike released one of the new capabilities in Falcon Horizon, their Cloud Security Posture Management solution, which now provides end-to-end visibility to Azure AD. This is an important tool to quickly identify privileged permissions and misconfigurations in Azure AD, which is notoriously difficult to administer and protect. Securing this threat vector can help limit attacks like SUNBURST. SUNBURST highlights the urgent need for organizations to modernize and transform their security. It should serve as a wake-up call to organizations that rely on legacy technology because legacy tech is no match for today's adversaries.
"You know, I think it's across the board. We're seeing it. We're hearing it from CISOs. We're hearing it from CIOs. Boards are concerned. When you look at the latest breaches around SUNBURST and you look at the Exchange zero-day vulnerabilities, just about every incident response we do involves Microsoft technology. So obviously we're focused on being able to protect it, but there's a lot of customers that are looking at this and saying, "Hey, we need to derisk our environment, and we need another provider." The proverbial, "I don't want the fox guarding the henhouse." And I think just over the last couple of months has really highlighted the risk in using sort of a monoculture for both security and operating systems." - George Kurtz -- President, Chief Executive Officer, Co-Founder.

2. Upselling/cross selling of existing modules has executed efficiently.

  • Management has done a great job of being able to cross-sell Crowdstrike's products. The introduction of Horizon is a perfect opportunity for Crowdstrike to cross-sell into those cloud workloads, which, as management pointed out in the past, has become increasingly important for all companies as they digitally transform. Management mentioned that it's been very well received so far by customers, and they've gotten some nice traction with it.
  • Crowdstrike posted 125% net retention in this quarter (improvement from 124% a year ago).
  • Crowdstrike subscription customers that have adopted four or more modules, five or more modules, and six or more modules increased to 63%, 47%, and 24%, respectively.

Interesting to note that management only recently broke out the % of customers using 6+ modules last quarter, and % of customers using 5+ models a little over a year ago.

From Q4FY21 earnings call presentation

Crowdstrike continues to boast incredible unit economics and sales efficiency.

3. Crowdstrike continues to displace and gain market share from legacy vendors.

  • Organizations around the world are shedding legacy and inferior next-gen security technologies and accelerating their move to modern cloud-native technologies to meet the demands of today's threat landscape, future-proof their security architecture and adopt a zero-trust security model. Crowdstrike's go-to-market strategy is executing on all fronts to capitalize on the strong secular tailwinds and opportunities in the market.
  • Its been a year since management first spoke of the opportunity they had from Symantec's acquisition by Broadcom. Management noted that customers felt unserviced and were left unsatisfactory. Management touched that they continue to take share from Symantec and still believe its an opportunity ahead. This quarter, management noted something similar highlighting the McAfee enterprise business as a potential churn event for their customers.
"Just how the sales tactics work and how the renewals work, it's really a great opportunity for us to continue to take share from Symantec. And I think that sort of play is again we'll continue with McAfee in the enterprise business. And whenever you see a disruption between owners, and particularly if it's a financial sponsor, we believe and I think that's been proven over time, you're not going to see a lot of innovation on the R&D side. And again, you're starting with an architecture that's just legacy. So there's a lot of work that would have to be done, and we think it's a great opportunity for us to continue to take share in that area."

4. Crowdstrike continues to consolidate the security market and will likely end up being the dominant player for years to come.

  • With Preempt Security, CrowdStrike is leading the charge in delivering a zero-trust solution focused on endpoints and workloads. Combining workload security with identity protection is foundational for establishing true zero-trust environments. Preempt expands CrowdStrike's zero-trust capabilities and incorporates critical identity behavior data and analysis to help customers fortify their defenses and prevent identity-based attacks and insider threats.

5. Humio acquisition is underappreciated and represents a critical inflection point as CRWD consolidates SIEM and log management onto its platform.

  • Whether customers are looking to secure traditional endpoints or cloud workloads, visibility and data are vital. Security efficacy is directly related to the quantity and quality of data collected and the ability to analyze it in real time. CrowdStrike has the opportunity to be a key beneficiary as companies look to transform and bolster their security defenses in order to stay ahead of adversary advancements. Their pole position in the market is further strengthened with Humio, a leading provider of high-performance cloud log management and observability technology acquired in February.
  • With Humio, Crowdstrike enters the SIEM space and is now redefining next-gen XDR through a platform that spans endpoints, identities, applications, the network edge, and the cloud. CrowdStrike is building a unified data layer to power the next generation of enterprise security and IT. Humio provides the ability to expand the data lake and solve more security and non-security use cases in real time. Introducing index-free data ingestion when applied to security use cases is incredibly powerful as it allows users to query the data in real time as it's being ingested. Additionally, Humio's capabilities will be built into the fabric of Falcon OverWatch, complete and threat intelligence modules, as well as their professional services offerings, providing CrowdStrike with a greater time advantage over competitors.
  • Combining Humio's data ingestion and analysis engine with the CrowdStrike agent technology provides OS- and application process-level telemetry, introspection capabilities, and smart filtering. This creates a powerful data platform with a new level of speed and efficiency. The product is differentiated because of its ability to compress data is without actually having to rehydrate it (in-memory). So users can search all the information even in a very compressed format, which is very unique in the industry.
  • Humio's strength is in its flexible architecture and data models – it's different than others where you can operate it from the cloud. As the location of data becomes increasingly agnostic, Humio becomes more relevant because when you combine it with Crowdstrike's agent, the agent is more than just a forwarder of data. It's a very intelligent agent that does introspection, the system call analysis, provides information, observability information that can be extremely valuable to IT departments, again outside of security.