It seems like we are currently in an AI arms race, with companies across all industries racing to embed AI functionalities within their products and services. Fortune recently reported that AI mentions on earnings calls increased by 77%. I’m excited by the future products and investment opportunities that will emerge from this wave of development.

However, despite the recent thrust of AI into the spotlight, many companies have been using AI within their products for several years. One of those companies is CrowdStrike, which has a long history of utilizing AI to protect its customers against cyber threats.

CrowdStrike: AI, Cloud, and the Crowd

CrowdStrike (CRWD) is a market leading cybersecurity company that has modernized the industry. CrowdStrike was one of the pioneers in leveraging the power of the cloud and AI to deliver a next-generation cybersecurity suite.

A key differentiator of CRWD has been its ability to leverage insights from billions of daily cybersecurity events, learning from these events in real-time, and use AI to provide advanced endpoint protection across all its clients.

CrowdStrike does this by crowdsourcing billions of daily cybersecurity events (i.e., attacks, patterns, adversary tactics) across all its customers’ endpoints via a lightweight agent. It uploads this data into its centralized Threat Graph database, uses AI to conduct machine learning and pattern recognition, and utilizes those learnings to automatically detect and prevent threats in real-time.

CrowdStrike has combined the benefits of various cutting-edge technologies, such as the cloud for scalability and AI/ML for learning and speed, to deliver a next-generation product. This market-leading approach has driven CRWD's strong growth, with its annualized recurring revenue (ARR) growing at a 78% compound annual growth rate (CAGR) over the last five years.

Prior to expanding further on CRWD’s position and financial profile, I would like to provide an overview of the cybersecurity landscape and why it will remain a significant area of investment for all businesses.

Big Picture: Cybersecurity is non-negotiable

1) Cyberattacks can lead to business failures

Cybersecurity is a critical piece of infrastructure for all businesses in the digital world. Cyberattacks and breaches can create going-concern risks as it can result in an inability to conduct business or a disclosure of their IP, which can have serious financial, regulatory and reputational ramifications. Here are some recent examples:

• In 2022, global logistics company Expeditors International lost $40m in sales and incurred $20m in remediation costs after ransomware prevented it from conducting full operations for 3 weeks.

• Optus - Australia’s second largest telecom - recently set aside $140m of remediation charges after their customers’ information was breached. The damage to Optus’ goodwill and brand is hard to quantify.

Smaller companies are particularly vulnerable since they face the same risks as enterprises but lack the IT resources of enterprises. The SEC previously stated that 60% of SMBs go out of business within 6-months of a cyberattack.

2) Digital transformation has increased the attack surface

The perimeters of businesses (aka attack surface) have grown significantly as they moved to the cloud, adopted various SaaS products, adopted more connected devices, and became more distributed (WFH). This means there are more endpoints or potential vulnerabilities for bad actors to exploit and enter an organisations network. According to the FBI, the total losses from cybercrime complaints had increased 4x over the last 4 years.

3) Private Sector needs to defend itself against Foreign Governments

According to Microsoft, over 85% of enterprise focused attacks by nation states were targeted at non-government sectors. Cyberwarfare is one of the only domains of war where a foreign nation can directly attack businesses, and those businesses are largely left to defend themselves. Given the rise in state-sponsored cyberattacks, businesses need to invest in next-gen cyber solutions to protect themselves against military-grade, nation state adversaries.

4) Physical infrastructure is not immune from cyberattacks

It isn’t just the digital domain that is at risk: physical infrastructure such as pipelines and utilities are at risk from cyberattacks. These assets are now at play for bad actors as many of the operational technologies that ran these assets became digitised (i.e., connect to the internet/ethernet). Nation states are particularly focused on attacking critical infrastructure.

Therefore, due to the significant business risk that companies face and the enhanced capabilities of bad actors, cybersecurity is regularly highlighted as one of the leading areas of investments by CIOs. This will continue to be a tailwind for cybersecurity providers.

What is CrowdStrike?

CrowdStrike is the market leading cybersecurity software provider in the endpoint protection market. An endpoint is any device that connects to a network, such as laptops, mobiles, cloud servers and IoT devices. The endpoint is probably the most important digital real estate for businesses as this is where all their data is created. This is why 90% of all cyberattacks start at the endpoint and 70% of all successful breaches occur at the endpoint, as compromising an endpoint would likely enable bad actors to gain access to a network. This is why endpoint security is one of the most important lines of defence.

In addition to being a leader in endpoint protection, CRWD has expanded into other cyber verticals, and now offers a platform of solutions.

Product: Why CrowdStrike wins?

Market leading product

CrowdStrike has a market leading product in the endpoint protection space as highlighted by Forrester and Gartner reports. CrowdStrike’s product leadership is due to their superior efficacy rates in threat detection and prevention; ease of adoption; lower total cost of ownership; lightweight endpoint agent; and ease of implementation.

User ratings on review sites such as Gartner and G2 (G2: CRWD 4.7/5 vs MSFT 4.4/5) also highlight CRWD as a leading endpoint product. Further evidence of CRWD’s leading product has been their ability to take market share and grow the overall market.

Next-gen approach to cybersecurity

CrowdStrike disrupted the endpoint cybersecurity market by leveraging AI and the cloud. A traditional endpoint product is locally hosted and uses signature-based malware detection models. A signature-based model just means that they have a list of signatures / patterns of known malware and use that list to prevent known malware. This has obvious limitations, mainly that they won’t be able to prevent non-malware attacks (which are the majority of modern attacks) or prevent zero-day threats (i.e., unknown/new).

CrowdStrike changed this approach by using a lightweight agent at the endpoint (doesn’t burden CPU/memory) and cloud-based AI to prevent non-malware and zero-day threats using behavioural analytics and machine learning. CrowdStrike also leverages crowdsourced data across all its endpoints in order to identify new attack patterns, using these learnings across its product suites in real-time.

Network Effects - Data has gravity

AI based models are only as good as the quality and quantity of the data that is fed into them. CrowdStrike’s scale is a significant advantage as their market leading share of endpoints enable them to ingest billions of daily security events into their cloud platform. The more data that is fed into the platform, the more intelligent it becomes, which creates attractive network effects and increases the value of CRWD’s solution.

Product-led company: Platform approach

The cybersecurity industry has always been highly fragmented. While CRWD maintained a strong lead in the critical endpoint security market, they are taking the platform approach with regards to their product investments and have expanded into other verticals such as cloud security, identity protection and observability.

CrowdStrike’s new products are fully integrated into their platform and run on their single agent, which has allowed their customers to try/buy new products in real-time, as opposed to having to go through lengthy implementation cycles or deploy multiple agents. CrowdStrike is in a great position to consolidate parts of the security market.

Financials: Why CrowdStrike is an attractive investment

Large and growing addressable market

CrowdStrike’s end-market growth is driven by the organic growth in the cybersecurity industry, as well as CRWD’s product expansions into new verticals. CrowdStrike’s current addressable market is $71b, indicating significant room for growth (~4% penetration).

Rule of 40

Rule of 40 (Revenue Growth + Free Cash Flow Margin) is one of my favourite SaaS metrics as it balances growth and efficiency. CrowdStrike delivered a Rule of 85 in FY23, and I expect them to operate on a Rule of 70 in FY24.

Product-led growth = Land and Expand

I previously highlighted CRWD’s product leadership driving their module expansion. This product leadership has provided financial benefits as 62% of CRWD’s customers use 5 or more of CRWD’s modules, which is up from 2% in 2018.

This dynamic powers CRWD’s land-and-expand motion, which is evident by their 125% net retention rate (i.e., existing customer increase spend by 25%, net of churn). In addition to strong land-and-expand dynamics, CrowdStrike also has low churn rates (2% in FY23) which is further evidence of their product leadership.

Strong Go-To-Market with world class unit economics

It is critical for market leading software companies to have an effective go-to-market strategy, whether it be a viral DTC model (Slack or Atlassian) or a powerful channel motion (Microsoft). CrowdStrike has continued to invest in its channel program, and the channel now drives the bulk of its revenue.

CrowdStrike’s strong channel program enables them to have world-class unit economics, as shown below (lower the number, the better). Furthermore, given their low churn, CRWD’s LTV / CAC has averaged 38x over the last 3 years.

Valuation - 80% return in three years

• I expect CRWD to generate +$6b in ARR by FY27 (~2026) with a 35% FCF margin. Given CRWD is already generating a 30% FCF margin at this point in its lifecycle (i.e., still in landgrab mode), it could comfortably generate a 40% FCF margin on a normalized basis.

• Based on that framework, I believe CRWD’s equity should increase by at least 80% over the next three years, delivering a 22% IRR. It is also worth noting that CRWD should have $6.5b of net cash in 3 years, which would equate to ~20% of the current market cap. If CRWD can generate anything close to my / consensus’ revenue forecasts I believe the businesses value should be significantly higher and they will be in a prime position to conduct accretive buybacks and acquisitions.

The peer set below has a 2.3% median FCF yield with 19% revenue growth. This gives some comfort in the target 4.0% FCF yield used above given CRWD has one of the strongest financial profiles out of its peers, with top-quartile growth, free cash flow and efficiency.

Other considerations and risks

Forecasts too bullish

The key risk for the investment case is that my ARR forecasts could be too high. The main driver of CRWD’s revenue is net revenue retention, which I have falling from 125% in FY23 to 117%/118% in FY26/FY27. To test a downside scenario, I modelled NRR to fall by 5 points each year across FY23-FY27. Assuming a 5% FCF yield, I still get a positive return (S&P 500 averaged a 4.3% FCF yield over the last 5 years). Furthermore, in a lower growth scenario I expect CRWD’s dilution would be lower than I have modelled (2.3% pa).

Dilution

While CRWD is FCF positive, it is unprofitable largely due to share-based payments which accounted for 23% of sales in FY23. I am not advocating to ignore stock-based compensation, however I think investors need to evaluate SBC on a case-by-case basis (i.e., dilution relative to growth, unit economics, company/industry lifecycle, LT guidance). CrowdStrike have already provided guidance for SBC to fall to the mid-teens (as % of revenue) over the next two years, or 2-3% annual dilution over the next few years.

Competition - Microsoft Risks

The big risk for CRWD is Microsoft as they are their largest competitor and are also doing well in the cybersecurity market. Industry feedback and customer reviews continue to point to CRWD as the overall best solution, but MSFT Defender is no slouch. CRWD will need to continue to invest in product and the channel to remain competitive. One advantage that CRWD has is the channel. Microsoft’s products have low margins for channel partners and some of their recent channel changes make it even more difficult for channel partners to make money. In my view this only further incentivises MSPs/SIs to bundle in non-MSFT products like CRWD in order to improve their margins and diversify vendor risk.

Enterprise IT spend is under pressure

Recent results from the hyperscale cloud vendors as well as other SaaS companies indicate continued pressure on IT budgets due to macroeconomic weakness. CrowdStrike have called this out as well, which should weigh on their growth.

These views are my own and is not intended to be financial advice.

Share