CrowdStrike: Leading Cybersecurity Platform (NASDAQ:CRWD)

CrowdStrike (NASDAQ:CRWD) is a leader in the endpoint security market and the financials of the business are compelling. The key questions for investors are how growth will be impacted by a recession and what a fair discount rate is. CrowdStrike could face headwinds in coming months as customers have already invested heavily in cybersecurity over the past few years. Endpoint vendors may also face a decline in revenue growth if there is a recession and a large number of white-collar worker redundancies. Long-term, the cybersecurity market will continue to grow and next-gen vendors will take market share from legacy solutions, putting CrowdStrike in a strong position.

Market

Endpoint protection platforms utilize an agent installed on endpoints (servers, laptops, devices) to monitor for and detect malicious activities. The endpoint protection market has changed rapidly over the past decade, driven by a proliferation of widely distributed endpoints and increasingly advanced attacks. Legacy solutions are static and complicated, and as a result struggle to deliver value to customers. Next-gen solutions rely on data and machine learning to identify malicious behavior and improve endpoint protection.

Cybersecurity has been a focus area for many organizations in recent years due to the rise of remote work and an evolving threat landscape. Despite this, hiring data indicates that demand for endpoint protection is moderating and may face further pressure if there is a reduction in remote work or layoffs.

Figure 1: Job Openings Mentioning Cyber Security in the Requirements (source: Revealera.com)

Figure 2: Job Openings Mentioning Endpoint Security in the Requirements (source: Revealera.com)

Within the next-gen endpoint market, the basis for competition is rapidly evolving. In 2021, 62% of attacks CrowdStrike observed were malware-less, with most of these involving compromised identities. This indicates that companies need to employ a holistic breach prevention strategy rather than relying on malware prevention. This trend is behind the shift to Zero Trust technologies, including CrowdStrike Falcon.

Cloud workloads are increasingly targeted by adversaries and are largely under-protected, representing a significant growth opportunity. Cloud workload protection refers to the runtime protection of VMs, containers, and Kubernetes clusters that are running in the cloud.

These requirements are driving an evolution towards Endpoint Detection and Response, which refers to cloud-based platforms that monitor endpoints for advanced threats and broader attacks, and help automate remediation. Not all devices can be protected by an EPP agent though; IoT devices are one example. EPP/EDR platforms have therefore been adding network scanning capabilities to monitor the traffic generated by these types of devices.

EDR platforms also offer in-house threat intel (CrowdStrike Falcon X, SentinelOne Singularity Signals, and Palo Alto Cortex Autofocus) to provide insights, and allow customers to ingest third-party threat intel feeds from partners.

Extended Detection & Response adds to EDR by pulling in complementary data (network traffic, application logs, etc.) that provides greater context. This data may come from either a centralized SIEM, or directly from other integrated partnering services. CrowdStrike believes that XDR will subsume SIEM from a category perspective. CrowdStrike’s acquisition of Humio was focused on SIEM and building out their XDR capabilities.

Modern cybersecurity is largely a data problem, and the more data the better the insights. This is leading vendors to invest in technology that helps them ingest data and manage analytics at scale. SIEMs are essentially security-focused data lakes with analytics. They need to be able to ingest and analyze large amounts of data in real-time. Data lakes in public clouds allow organizations to store longer-term historical data and more easily manage the amount of data retained and the associated cost. This is part of the reason that Snowflake (SNOW) is focused on the security vertical. Snowflake’s ability to separate storage and compute also helps to control costs.

XDR platforms may take a closed, open or hybrid approach. Palo Alto (PANW) is taking a closed approach, attempting to provide the EDR capabilities and all other detection services used to provide context. Open XDR attempts to use the XDR platform as a common layer across existing security tools. CrowdStrike and SentinelOne (S) are taking a hybrid approach where they provide EDR capabilities and some detection services, but also support a tightly integrated ecosystem of partners.

Within cloud protection, vendors are offering workload protection and Cloud Security Posture Management. CSPM is a scanning service that monitors cloud environments for the security posture of a customer’s cloud infrastructure. It evaluates configurations against a set policy and allows enterprises to identify issues and close loopholes before an attacker attempts to exploit them.

Many organizations lack the expertise or resources to manage their own cybersecurity, and hence there are a range of outsourcing options with varying service levels. Managed Security Services Providers offer an automated service that aggregates customer logs to discover threats and provide alerts. Managed Detection and Response is an outsourced service used to discover and remediate threats. MDR provides deeper inspection than MSSP, and typically involves human monitoring as well as EDR. CrowdStrike, SentinelOne and Palo Alto all offer managed threat hunting services over their platforms. CrowdStrike and SentinelOne also have in-house MDR capabilities.

The endpoint security market is estimated to be worth approximately 10.3 billion USD, with the majority of this still spent on legacy solutions. This estimate may be low though as the cloud is increasing the number of endpoints/workloads that need to be protected. The revenue per endpoint/workload may also increase over time as solutions become more advanced, particularly if managed solutions are utilized. There are also a number of adjacent security verticals which endpoint vendors are able to address, which significantly increases the market opportunity. CrowdStrike is targeting a TAM of 126 billion USD in 2025.

Table 1: CrowdStrike Total Addressable Market (source: Created by author using data from CrowdStrike)

CrowdStrike

CrowdStrike believes that endpoints/workloads, identity and data are the three most important risk areas for enterprises. They are able to leverage their single agent to address multiple use cases, enabling the development of an integrated security platform. CIOs and CISOs want a platform that can consolidate agents, reduce complexity, and reduce operational costs. This includes replacing legacy log management and SIEM products, and a weak macro environment may accelerate this process.

CrowdStrike’s platform now has 21 modules, which is helping to maintain robust revenue growth and strengthen CrowdStrike’s competitive position. In Q4 FY22 CrowdStrike surpassed 150 million ARR outside of traditional endpoint security (IT hygiene, vulnerability management, identity protection and log management modules), while growing in excess of 100% YoY. CrowdStrike appears to be pushing for increased adoption of its modules, expanding the number of modules available in their trial program from 4 to 12 in Q4 FY22.

Figure 3: CrowdStrike Falcon Platform (source: Created by author)

Identity protection is one of CrowdStrike’s most important product introductions. Close to 80% of cyber-attacks leverage identity-based tactics to compromise legitimate credentials and use techniques like lateral movement to quickly evade detection. Identity protection currently has an estimated $3.7 billion TAM and provides a sizable uplift to ASP (can be upwards of 30%).

CrowdStrike’s identity protection modules give customers the ability to prevent the spread of ransomware and stop lateral movement when credentials are stolen. This is a greenfield market where comparable solutions have not previously existed.

The number of customers subscribing to CrowdStrike’s Identity Protection modules grew more than 30% QoQ in Q1 FY2023 and over 100% QoQ in Q2 FY2023. The Identity Protection lineup is now the largest contributor to ARR within CrowdStrike’s emerging category and is contributing to higher win rates.

Data protection is another growth area for CrowdStrike, and their recent acquisition of SecureCircle will allow them to enforce Zero Trust at the data layer. CrowdStrike believes the market for DLP and related technologies is approximately $3 billion in 2022.

Despite billions of dollars invested in legacy DLP tools, organizations continue to experience data breaches from accidental leaks, ransomware, etc. Legacy solutions generally only block or encrypt data when it is leaving the endpoint and only when triggered by pre-configured rules and behavioral parameters. This allows attackers to build malware and ransomware which evades the DLP solution. Legacy point products like DLP are also prone to false positives and have a high reliance on human intervention.

CrowdStrike is in the process of integrating SecureCircle’s technology and when this is complete, customers will gain more fine-grained visibility and control as well as continuous risk monitoring to detect and respond to threats. Customers will be able to protect data on, and in transit to and from, the endpoint. They will also be able to control data access and usage policies for each user based on their Zero Trust score, enabling dynamic risk mitigation.

Log management is another important area for CrowdStrike, which has been enabled by their acquisition of Humio. The acquisition has exceeded CrowdStrike’s expectations, with Humio gaining traction in observability as well as security use cases. CrowdStrike recently announced a Humio Community Edition to accelerate adoption. This gives users 16 gigabytes of streaming data ingestion per day with seven-day retention for free and is expected to be a strong lead generator.

CrowdStrike has stated that they see frustration with incumbent vendors across the SIEM and observability space. They believe that Humio’s log management platform is unmatched in speed, performance and storage capabilities. Humio does not require an index and is able to take data from anywhere, and it can do that ingestion free which is efficient from a cost perspective. In addition, CrowdStrike’s agent was designed with smart filtering capabilities, which allows CrowdStrike to control the stream of telemetry to the cloud in real-time. In comparison, competitors operate in batch mode and struggle with storing data on the endpoint.

CrowdStrike’s cloud security solutions involve workload protection and cloud security posture management. The CSPM solution is an agentless technology that ties into many APIs. Falcon Horizon enables customers to scan configurations and workloads across multiple cloud environments. It provides continuous control plane threat detection and indicator of attack detection as well as guided remediation.

CrowdStrike’s cloud solutions involve both agent-based and agentless technologies delivered in a single user interface with the Threat Graph as a shared data back end. The combination of agent-based and agentless capabilities in the cloud enables pre-runtime and runtime protection, whereas agentless-only solutions can only offer partial visibility and lack remediation capabilities.

CrowdStrike also recently introduced new Cloud Native Application Protection Platform capabilities to accelerate threat hunting for cloud environments and workloads and reduce the mean time to respond. CrowdStrike’s cloud footprint continues to grow faster than their overall server endpoint growth. Over 25% of the servers CrowdStrike protects are now in the public cloud.

CrowdStrike is also acquiring Reposify to reduce risk across the external attack surface and fortify customer security postures. Every asset that is connected to the internet represents risk and threat actors use advanced tools like automation to discover and exploit these assets. 69% of organizations admit that they have experienced at least one cyber-attack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset. Reposify is an External Attack Surface Management vendor that helps customers identify and eliminate risk from vulnerable and unknown assets. CrowdStrike will combine insights on endpoints and IT environments with internet-scanning capabilities to provide a view of risks across both internal and external attack surfaces.

Channel partners are an important part of the cybersecurity business, and CrowdStrike’s partnerships are maturing. CrowdStrike’s MSSP business grew more than 200% in FY22. There have been questions raised about CrowdStrike’s services competing against channel partners though. Falcon Complete is an MDR solution that combines CrowdStrike’s technology and services. Falcon Complete is gaining momentum in the market as companies look to improve their cybersecurity and address the cybersecurity skills gap. Q1 FY23 was a record-breaking quarter for Falcon Complete, with net new ARR reaching an all-time high. The rapid growth of CrowdStrike’s partner business suggests that this is not currently an issue, and this may speak to the strength of CrowdStrike’s products.

Figure 4: CrowdStrike Sales Channels (source: Created by author using data from CrowdStrike)

CrowdStrike’s competitive position remains strong, with management stating that the competitive environment remains favorable. There is still a multi-year runway to displace legacy endpoint vendors and CrowdStrike’s win rate against both legacy and next-gen vendors is strong.

Financial Analysis

CrowdStrike has stated that demand has remained relatively robust so far, although some deals have required increased levels of approvals and taken longer to close. Cybersecurity is not a discretionary line item, but it is reasonable to expect CrowdStrike’s revenue growth to decelerate in the current environment. A recession appears highly likely at this point and many organizations overhired over the past few years, making a reduction in endpoints a distinct possibility.

Longer-term, next-gen security is underpenetrated and there remains a large growth opportunity. CrowdStrike believes their endpoint market share was approximately 6.3% in 2019 and is now 12.6%.

Figure 5: CrowdStrike Revenue Growth (source: Created by author using data from company reports)

Growth is being driven by an expanding customer base and increased adoption of modules by existing customers. The adoption of new modules appears to be reaching a plateau though, which could pressure expansion rates going forward.

Table 2: Module Adoption by CrowdStrike Customers (source: Created by author using data from CrowdStrike)

Gross retention remains high and has improved as CrowdStrike has expanded their platform. Customers who have adopted a number of modules appear less likely to churn.

Figure 6: CrowdStrike Gross Retention Rate (source: Created by author using data from CrowdStrike)

CrowdStrike’s customer base continues to expand, and there is likely significant room left for further growth. CrowdStrike still has under 20,000 customers in comparison to Symantec’s peak of over 300,000 customers.

Figure 7: CrowdStrike Customers (source: Created by author using data from CrowdStrike)

The number of job openings mentioning CrowdStrike in the job requirements continues to increase. This could indicate that demand for CrowdStrike’s platform amongst customers remains robust.

Figure 8: Job Openings Mentioning CrowdStrike in the Requirements (source: Revealera.com)

CrowdStrike’s gross margins have been fairly stable in recent quarters. Management has stated that the competitive and pricing environment remain favorable as their lead over legacy and next-gen vendors is expanding.

Service margins have deteriorated somewhat, as the professional services organization is a source of leads as well as revenue. This could indicate rising competition and an increased willingness by CrowdStrike to discount services in order to gain customers.

Figure 9: CrowdStrike Gross Profit Margins (source: Created by author using data from CrowdStrike)

CrowdStrike’s operating margins continue to improve as the business scales, although the burden of sales and marketing expenses has risen somewhat in recent quarters. If growth disappoints to the downside going forward, margins are likely to deteriorate as software companies must hire ahead of expected growth.

Figure 10: CrowdStrike Operating Profit Margins (source: Created by author using data from company reports)

Figure 11: CrowdStrike Operating Expenses (source: Created by author using data from CrowdStrike)

CrowdStrike’s hiring has moderated somewhat over the past 12 months, but there is no real indication so far of a significant decline that would indicate problems with the business.

Figure 12: CrowdStrike Job Openings (source: Revealera.com)

CrowdStrike continues to target operating profit margins of around 20% and free cash flow margins of around 30%. The feasibility of these targets will ultimately depend largely on the competitive environment and CrowdStrike’s ability to maintain pricing power. Based on CrowdStrike’s current performance, these figures appear quite conservative. CrowdStrike’s free cash flow margins have already been hovering around 30% for several years, and it is likely that they will improve as CrowdStrike’s revenues grow and growth declines.

Table 3: CrowdStrike Target Margins (source: Created by author using data from CrowdStrike)

By capitalizing a portion of CrowdStrike’s operating expenses to account for investments in intangible assets and adjusting margins for scale to account for operating leverage, a clearer picture of CrowdStrike’s profitability can be ascertained. Depending on how large CrowdStrike ultimately becomes, and whether they can maintain their low churn and high expansion, it would not be unreasonable to expect operating profit margins of around 30% at scale with normalized growth.

Figure 13: CrowdStrike Growth and Scale Adjusted Operating Profit Margins (source: Created by author using data from CrowdStrike)

Valuation

CrowdStrike’s share price has pulled back significantly over the past 12 months, but could still be considered expensive from a revenue/earnings multiple perspective. The size of the security opportunity and CrowdStrike’s strong competitive position and financial performance warrant a premium valuation though. Based on a discounted cash flow analysis I estimate that CrowdStrike is worth approximately $275 per share. CrowdStrike’s recent acquisition of SecureCircle was funded entirely with cash, which may indicate that CrowdStrike believes their stock is currently undervalued.

Figure 14: CrowdStrike Relative Valuation (source: Created by author using data from Seeking Alpha)

In the short-term, CrowdStrike’s stock could face further pressure from rising interest rates and/or a decline in growth. The impact of rising rates is likely to be somewhat muted going forward, but it is not clear that a substantial deterioration in growth has been priced into the stock at this point.

Figure 15: Dependence of CrowdStrike’s Share Price on Interest Rates (source: Created by author using data from Yahoo Finance and The Federal Reserve)

Conclusion

CrowdStrike remains a best-of-breed security vendor with top-tier financial performance. The company is likely to face macro headwinds going forward, which could further pressure the stock price. Longer-term, the stock appears attractively priced, particularly if inflation abates and interest rates decline from current levels.
