Sundry Photography
CrowdStrike: A less emotional reaction to a “messy” quarter
CrowdStrike (NASDAQ:CRWD) reported its earnings a little more than a week ago. While the earnings themselves were more than satisfactory, the guidance was judged wanting, the company’s calculated bookings were below expectations, and net new ARR was less than expected. The result of all of that was that the shares plunged 14% on the day after the earnings release. Was the guidance that bad? Objectively, and in context, not really. Does the current outlook mean that estimates of the company’s likely 3-year CAGR should be reduced? No, not at all. Is CrowdStrike losing its competitive position? The opposite is true. Is the company’s sales execution machine sputtering and in need of retooling? There is no evidence of that. And is endpoint security no longer a priority amongst IT users? Hard to imagine.
CrowdStrike shares have been viewed as a safe haven investment by investors. Prior to the earnings release, the shares, while still down more than 30% over the past year, had outperformed most other IT equities. Now with the shares having fallen by 41% in the last 12 months, the relative share price performance advantage is gone. While it is always difficult to explain share price movements, even in retrospect, I believe that the shock of seeing the company reduce its revenue forecast, for whatever reason, and by however much, and within whatever context, obviously caused traders, as opposed to investors, to sell the shares, somewhat indiscriminately. And that is where I come in. Just in terms of context, I own a fairly sizeable position in CRWD shares and have done so for some time now-almost 4 years. I sold some shares a couple of years ago when they spiked and will now be buying back the shares I sold.
There will be many readers and some commentators at this point who will be thinking and writing that CrowdStrike’s outlook and its valuation is simply approaching “normal” levels and that it is no bargain at this point. And there will be other readers who focus on the company’s share-based compensation (SBC) expense which was 23% of revenue through 9 months, compared to 21% of revenues in the year earlier period. In the quarter SBC expense was $140 million, up by 7% sequentially while revenues rose by 8% sequentially, so just a glimmering of relief in terms of the SBC expense ratio so far.
I have stated on many occasions that the SBC percentage has never been and is currently not correlated with valuation. In the years in which I worked as essentially a consultant to institutional investors, after the FASB mandated the release of GAAP earnings, not a single client ever expressed to me any specific concern about SBC. I don’t pretend I know all or even a preponderance of institutions who invest in high growth IT names, and how they regard SBC at this point; I have and will continue to look at SBC only as it creates dilution. In the case of CrowdStrike specifically, weighted average shares increased by 1.1 million sequentially to 233.8 million, or 0.5% as reported. To account for the potential conversion of CrowdStrike’s convertible debt, I use 245 million weighted shares, 2% above company guidance to account for dilution over the next 12 months in all of the valuation calculations I make.
That said, if SBC is a focus of a reader, then it is unlikely that my poor words will persuade those focused on that metric to consider the shares, either now or the future.
Should investors buy CrowdStrike shares now? One of the best informed analysts in the space, Alex Henderson of Needham, says the shares are in the penalty box through the end of the year. That is probably not the bravest call in the world with the end of the year just 25 days away, and encompass the dead period from just before Christmas to New Years. One analyst was a little braver; the analyst at Daiwa Capital Markets raised his rating to Buy from Outperform. On the other hand, the analyst at Wolfe Research, chose to recently lower his rating from Outperform to Peer Perform, while the analyst at Stifel also lowered his rating on the shares.
CrowdStrike shares, in my opinion represent an excellent value to investors who are able to look through the current turbulence both in the investing environment and in through the macro headwinds. The shares are not going to have the kind of appreciation I think warranted until the risk-off focus of the market wanes. The shares, as I write this on 12/6, are still reacting to the rating changes indicated above and are close to their 52-week low, providing an even greater opportunity to investors. I will discuss valuation specifically later in this article; suffice to say at this point, that from a level that in hindsight looks lofty, the shares are now at a significant discount to average IT shares, particularly when considering the combination of growth and free cash flow.
This is not the place to comment about last week’s jobs report or the spike in monthly hourly compensation expense, or the outlier report of ISM Services. The new record for yield inversion seen as I write this suggests that investors in Treasuries do not believe that the ISM Services number is real, or representative of demand trends. Interestingly, there is another Services Index developed by S&P and called Markit, which purportedly measures the same kinds of data as that of the ISM Index. It is showing a reading indicating contraction. The ISM services index itself, did show the growth of new orders decreasing.
Personally, having listened to 8 or 9 conference calls in the last several days, I find it difficult to accept that economic activity is not contracting. It is what almost all software companies of any size or shape are telling listeners-specifically that their customers are telling them that they see demand for their own products and services contracting. Of course, even within the ISM Services, information technology demand showed a contraction trend. A friend of mine shared the linked article from the WSJ. CrowdStrike shares, in my mind, are one of those opportunities that are outlined in the linked article.
I usually don’t write an article on SA focusing on 1 quarter and on just a revised outlook. To reiterate, in my view, CrowdStrike shares, or shares of many other IT names I have recommended, are unlikely to sustain a material rally until markets become less toxic to what are deemed risk-on trades. I have recognized that for some months now, and have, perhaps bemoaned that tendency more than some, although, perhaps with less fervor than Cathy Wood.
But in this case, I think a focus on the immediate is warranted. I think investors who ignore context, regardless of what that context is, are ignoring how companies really operate. CrowdStrike lives in the real world, along with Snowflake (SNOW), Elastic (ESTC), Okta (OKTA), Zscaler (ZS) and just about all other IT vendors. The perceptions that have now arisen regarding its outlook have presented a specific buying opportunity that has perhaps been lacking as investors had been concerned about the valuation of CrowdStrike specifically-along with many other high growth IT equities. I am taking advantage of it.
I confess to being somewhat surprised to hear that larger organizations are currently ignoring the threat environment and are escalating decision making approvals and delaying needed contract sign-offs. It is probably not the most logical response to macro headwinds given the existential risks both in terms of actual losses and compliance issues that a cyber breach can create. I wonder just how long it might be before some well publicized breaches reverse this trend and cause boards to instruct operating executives to spare cyber security in terms of budget cutting. And as I will explain, CrowdStrike’s solutions can allow large organizations to do more with less through vendor consolidation.
While the quarter reported at a headline level was not disappointing, there is no getting around that two of the company’s sales performance metrics were weaker than expected and caused the company to adjust forward expectations with regards to revenue growth. On the other hand, these conditions are based on macro headwinds and not long-term sales execution or competitive challenges. Further, I don’t think it is reasonable or logical to use the current demand picture as a reason to believe that the growth prospects for end-point security has waned or will wane. In addition, these negative sales metrics come in the midst of strong gains in margins and free cash flow generation. I think CrowdStrike shares will turn out to be one of the better performers of 2023.
Just what did CrowdStrike report and what was the guidance that upset investors?
The quarter that CrowdStrike actually reported was a strong one albeit with a couple of caveats. Revenues rose by 53% to $581 million. The company had forecast that revenues would be about $572 million. That 1.5% beat is about half or less the average beat the company has reported going back several years. The company’s non-GAAP operating margin was 17.5% which compares to a forecast level of 13%. The company’s non-GAAP gross margins fell slightly year on year, as the proportion of revenue coming from the company’s largest customers, who get better deals, continued to increase. The net result of the revenue beat and the higher margins was that EPS for the quarter reached $0.40, more than double the level in the year earlier level and a beat of 25% compared to the prior consensus level of $0.32.
The company’s free cash flow margin in the quarter was 30%. I usually prefer to look at cashflow for a longer period than just a single quarter; through 9 months the operating cash flow rose by 61%. The 9-month free cash flow margin was 30%, constrained a bit by a substantial increase in capex which more than doubled year on year.
The companies DBE ratio, i.e. its net expansion rate, was above the company’s benchmark and churn was also at record low levels. There were some other positives that were overlooked or not considered in the rush to judgement regarding the valuation of the shares. One new product that is apparently gaining substantial traction is the company’s Identity Protection solution. Net new ARR for Identity Protection grew to a new all-time high and it is being attached at increasing rates to net new logos.
A couple of weeks ago, I wrote an article on SentinelOne (S). At that time, I observed that one likely factor in that company’s hyper-growth was its #1 ranking on several MITRE cyber security testing reports. That appears to have changed to some extent; in the latest MITRE cyber-security testing result, CRWD was said to deliver the highest coverage.
The significant advantages of CrowdStrike’s Falcon Complete offering were showcased in the first MITRE ATT&CK evaluation for security service providers. Out of 16 participants evaluating, the Falcon platform’s integration of industry-leading technology and human expertise enable us to deliver the highest coverage. This was MITRE’s first closed door test, which means the participants did not have prior knowledge of the adversary, and retesting was not allowed.
We believe this evaluation demonstrates why CrowdStrike is the clear leader in EDR and XDR, whether our capabilities are delivered as a fully managed service from CrowdStrike or through our network of MSSP partners or operated independently by our customers.
The Falcon platform also won the SE Labs EDR ransomware detection and protection test. This well-regarded third-party testing firm involved 270 ransomware variations and deep attack tactics. Falcon achieved 100% ransomware prevention with zero false positives.
I am certainly not purporting to be an expert in either evaluating or procuring endpoint solution technology. I do think that these two studies certainly suggest that CrowdStrike has a reasonable case to make in being a technology leader as well as a market leader. Endpoint security is a large market that is expected to double over the next 7-8 years; much of CrowdStrike’s growth, and that of SentinelOne comes from replacing legacy solutions from vendors such as Symantec/Broadcom (AVGO), FireEye, Cisco (CSCO) and other point solutions. Much of CrowdStrike’s growth is coming as the company moves into adjacencies such as Identity Management, Spotlight and LogScale modules.
So, what’s the dark side?
CrowdStrike runs its business based on net new ARR/Annual recurring revenue. It is, in my opinion, the best way the subscription companies have to measure their sales performance. Obviously, net new ARR gets translated into revenue, although of course the correlation is not one for one and usually lags by about 1 quarter. Last quarter, net new ARR was $197 million. While that is up by 16% from the level in the year earlier period, it was about 11%, or $25 million below the company’s target. The shortfall was a product of two trends. The company’s SMB customer cohort, as has been the case for many IT vendors, delayed purchases, and the company CEO, George Kurtz, said that the company’s days to close metric for SMB customers increased by 11% sequentially. This caused net new ARR to fall by $15 million from the prior quarter. The lengthening sales cycles for SMB customers resulted in a noticeable drop in new customers from 1741 last quarter to 1460 this quarter.
The other factor that led to about $10 million in diminished ARR growth last quarter related to the timing of new contract commitments from enterprise customers. Apparently, some enterprises, while signing contractual commitments with CrowdStrike, have delayed their subscription start dates, and thus the recognition of net new ARR, and of course CrowdStrike revenues into future periods. That said, CrowdStrike indicated that the cadence of enterprise deal closures remained consistent, more or less between Q2 and Q3.
Will this pattern of purchasing continue? The company’s guidance is predicated on continued issues in the timing of deals with SMBs and the start dates of large deals with enterprises. One might, I think, pardonably question the logic of those choices on the part of customers; it takes just a single intrusion/hack to pay for thousands of endpoint security bundles from CrowdStrike which these days cost $59.99/user/year.
Obviously, CrowdStrike for enterprise customers can be a significant commitment. Indeed most of the company’s revenue comes from enterprise users who spend more than $1 million/year on CrowdStrike services and software. But with the cost of breaches often running into millions and tens of millions, delaying cyber security implementation seems hard to justify. Just the unquantifiable risks of being hacked would seemingly be worth prioritizing endpoint security spend.
But clearly, that just hasn’t been the case, and that is true for analog companies in the space such as Zscaler and even companies such as Palo Alto (PANW) which reported relatively strong results. The company is now expecting an absence of any or most budget flush despite entering the quarter with a record pipeline. It is expecting elongated sales cycles due to macro concerns to persist, at least for its SMB customers. At this point, the company is projecting that net new ARR will decline by as much as 10% sequentially, which would put it at about $180 million, or as much as 17% below the year earlier level of net new ARR.
With that level of net new ARR, the company is projecting that revenue growth this current quarter will be around $626 million, or growth of about 45%. The prior revenue growth expectation had been around $634 million. Should a 2% reduction in revenue growth expectations caused a 14%+ share price implosion? Given just how much the shares were already reflecting such an expectation, this further leg down seems…well less than logical.
At this point, and perhaps in abundance of caution, the company forecast that the net new ARR would continue to fall in the first half of the coming fiscal year, before starting to improve in 2H and winding up either flat or up modestly year over year. Net new ARR at that level would, in turn, lead to revenue growth for all of FY’2024 in the low mid-30% range next year. Prior to the earnings release, the published consensus revenue growth forecast had been 37%, although it seems likely that many investors/analysts were actually looking for growth of more than that.
The other side of the company’s forecast is that it now expects non-GAAP EPS of around $.43 for the current quarter, up by 1/3rd from prior expectations. Almost all analysts have also raised their EPS expectations for FY 2024 earnings; given management commentary with regards to growth and margin expansion, the FY 2024 EPS consensus of $1.99 is less than the conservative guidance actually provided by CrowdStrike during the course of its conference call. The company is talking about a substantial reduction in new hiring, as well as some other cost remediation steps; it seems likely, therefore that operating margins will rise by at least 200 bps which should therefore drive EPS growth to levels greater than the new consensus. Further, the company is forecasting that its free cashflow margin will continue to rise to 30% or more, above previously forecast levels.
Some thoughts about competition
I am not going to do the kind of deep dive I frequently do for articles I publish on SA. When I reviewed SentinelOne a few weeks ago, I commented that for the most part, modern endpoint security solutions were a 2 horse race between that company and CrowdStrike. There are numerous other companies in the space; it has been around a long time, but the technology now used to detect anomalies is radically different compared to what had previously been available. In terms of market share, Microsoft’s (MSFT) Defender product is actually a close second to CrowdStrike, but Defender has had its share of technology challenges. Defender is cheap, and is popular in the SMB space, but it doesn’t seem to do well when it comes to enterprise customers or for customers outside of the Microsoft ecosystem.
During this latest conference call, CrowdStrike’s CEO said the company had seen improving win rates. Of course I have yet to hear of a company saying that their win rates were deteriorating no matter what the evidence might be. In this case, however, my own anecdotal checks suggest that win rates, particularly at the enterprise level, are probably increasing within a difficult environment. The basic reason for CrowdStrike’s increasing win rates, at least so far as I can determine, is cost. Not first cost, per se, as CrowdStrike tends to be more expensive than its competitors. But the ability of CrowdStrike to eliminate point products, and in particular to eliminate personnel who are typically required in monitoring and analyzing anomalies when they are detected in a network is a major selling point in this environment. Further, the ability of the CrowdStrike algorithms to eliminate false positives is part of the story of total cost of ownership story.
I am not going to make, or try to make the case that CrowdStrike has “better” solutions than SentinelOne however better might be defined. I do think, nonetheless, that its competitive position is a strength and not a weakness, and its ability to grow is not being hampered by competitive problems with S or with the many other smaller and larger vendors in the space. The link above with regards to a comparison between Defender and CrowdStrike provides a pretty straightforward commentary that CrowdStrike is offering better functionality, and is a preferred vendor, at least for users who do not have a Microsoft heavy tech stack.
Valuation/Conclusion
No, CrowdStrike shares are not the deep value that some readers of SA seek. After revising my outlook to take account of the new company forecast for revenue growth, my calculation of the forward EV/S is a bit more than 9X. That is above average for the company’s growth cohort. But with the company forecast for rising free cash flow margin, the combination of free cash flow + growth shows the shares at about a 25% discount from average valuation. And my calculation of the company’s DCF valuation is 93% greater than the current share price, using the company’s free cash flow projection for its FY ’24 year, with fairly consistent growth thereafter and a 8.5% weighted average cost of capital which is based on the Finbox metric. While that 93% appreciation potential may seem hard to believe at this point, it really shows how divergent valuations have become from valuations based on growth and growth of free cash flow. Sentiment is still exceptionally negative when it comes to IT shares, and the end of the “safe haven” thesis in terms of CrowdStrike’s outlook has clearly upended the short-term supply/demand balance for the shares.
Will there be a second shoe for CrowdStrike in terms of its guidance, or is its guidance what has been called, a kitchen sink model for that metric? I don’t have second sight-I think that is fairly obvious to readers at this point. But, as the CEO observed, it is difficult, if not impossible to reduce cyber security spending. And it also appears that cyber security spending is still a priority as compared to the other various categories of IT. I personally think it is a highly risky strategy for enterprises to defer spending on this category, if for no other reason than the risks and financial consequences of a breach are so significant relative to the costs of cyber security software.
CrowdStrike’s emerging products, outside of the end point security space are achieving very rapid growth, albeit from a small base. Most recently, about 11% of the revenues for the company have been coming from its emerging products area. In that area, the company has what appears to be a major opportunity in identity management which even in this environment continues to show triple digit growth. And with the recent acquisition of Humio, it now has an entry in the observability space.
At the end of the day, despite the reduced growth guidance the company provided, there is no evidence that end point security is less of a priority or has less total potential than heretofore. And what evidence there is suggests that the company’s win rates, and overall competitive positioning are actually improving. The company can demonstrate that despite having higher first costs, its total cost of ownership in most cases is lower than that of its rivals, even Microsoft which often bundles its Defender offering in with its many other solutions.
I obviously have no special insight in determining when the extreme risk off sentiment that is prevalent in investing these days will wane. It will wane, presumably when inflation expectations diminish, and in turn that is a function of how poorly the economy is performing. Trying to forecast those metrics is not something on which I want to focus, or on which I bring some special insight. With a DPV for CrowdStrike shares 93% greater than its current share price, it is obvious that investors are not focusing on either free cash flow or free cash flow growth in their current evaluations.
CrowdStrike shares are currently suffering from two recent downgrades, and are probably a target of tax loss selling as well. For investors working with a different time scale, this presents a significant opportunity – one that I am taking advantage. It isn’t that often that high quality growth assets are on sale to the extent that this one is at this point. I think there is lots of positive alpha ahead, although patience will be required.
Be the first to comment