Crowdstrike: A Generational Company?
The cybersecurity space is positioned to explode over the next decade. Below follows a map to help you understand the industry and capitalize on potential opportunities, in the form of a CRWD deep dive.
Enjoy and happy holidays!
1.0 The Distribution Game
Cybersecurity is now about who can get the most data and then turn it into the best AI model/s possible. The mental model I expose in this section is a powerful tool to identify opportunities in the space and is fundamental to understanding Crowdstrike and its competitors.
Much like many other areas of the economy that I have covered, cybersecurity is turning into an electron management problem. Cybersecurity was previously about making clever software to anticipate and neutralize the moves of the bad guys. It has now evolved to be about gathering the most and highest quality data possible and using it to train AI models, that can then train themselves to offset the increasingly sophisticated and machine driven attacks: this is known as XDR (extended detection and response). I believe the mental model depicted below is a powerful tool to understand where the industry is heading and thus, what to look out for in companies:
The more and better data you have, the more accurately you can train an AI model to navigate reality. To get a richer dataset than anyone else, you have to excel at distribution and retention, which in the case of cybersecurity broadly involves the following:
A lighter agent: cybersecurity itself is delivered by an agent (a piece of software) that sits on the device in question, picks up data and then performs actions to counter attacks. The more devices you get your agent on, the more data you pick up. The lighter the agent is, the less space it takes up and the happier end users are with it, and vice versa.
Quick time to value: customers want to be protected hassle free and in the least amount of time possible after hiring a solution. This of course involves a light agent as described above, but also involves being proficient at protecting the customer's specific type of workloads. If the customer runs on the cloud, the only way to achieve minimal time to value is by deploying a cloud native solution. As I will explore in depth further on in this section, this is a far deeper wormhole than the market believes.
Looking at Crowdstrike and comparing it to its competitors, like Sentinel One and Microsoft, a lot of its current prowess is due to its distribution capabilities, which largely stem from the two sub-components illustrated above. Further, data on its own is valuable, but far more so if pegged to an organization that can translate it into effective AI models. This organizational ability comes down to many qualitative properties that I often explore in my write ups, but can be condensed to the combination of talent and organizational culture, which is what enables the company in question to lucratively serve customers through time.
In the context of the above mental model, a meaningful cultural deviation can in the long term nullify a distribution advantage that would otherwise set a company apart from the competition. Whilst the market sees companies as largely static objects, I see them as dynamic entities that emerge from people and how they work together. To illustrate, see the snapshot below that depicts how the right corporate culture enabled 3M to obliterate Norton (which actively fostered a stagnant culture during the time series) despite being at a vast disadvantage at the outset. Looking at Crowdstrike and its vicinity, I believe I have spotted an arbitrage situation that can be very lucrative and that I will explore in depth in the next section.
The next indispensable addition to the mental model that I am deconstructing in this section is price and one can only truly grasp its relevance by transcending the winner takes all framework, which would otherwise be the norm in this space. The world is only beginning its digitization journey and as such, I believe that multiple pockets of distribution will emerge in the context of next-gen cybersecurity and that naturally, many of them are currently underpriced because they are far removed from the mainstream narrative and in the embryo stage.
As I brushed over above, as a vendor you are more likely to secure a cloud-based customer if your agent and its underlying infrastructure are cloud native, but I find that there are endless ways to categorize workloads and as such, infinite approaches to successfully distributing an agent within them. For instance, serving automobile OEMs is quite different to serving video game companies, perhaps not in the core nature of the workloads, which are just instances of compute, but rather in the specific needs each organization may have. By serving these specific needs, next-gen players can become indispensable and thus gain a distribution advantage.
Whichever your observations of the industry and what pockets of distribution emerge (or not), I argue that the name of the game is capitalizing on underpriced distribution channels with high barriers of entry that are pegged to optimal organizational cultures, which can translate the data advantage into effective AI models. Sufficiently high barriers of entry on the data side are likely to yield platforms, whereby it makes particular economic sense for participants in the pocket´s neighborhood to plug into the system, be it as a data or as a feature provider (AI models, apps built on AI models), because they can leverage the network effects to make more money with less work.
In terms of the economics, the whole next-gen space fits my Electrons and Dollars thesis like a glove. The next-gen players that fit this section´s model are ideally suited to deploy additional cash-rich layers of electron management at a marginal cost. Once you have deployed the infrastructure to collect data once and work with it many times over to create different AI models, you can effectively deploy additional cybersecurity modules that do all sorts of things in a very cost effective way. This is because you do not have to rebuild the entire system per every module you release, but only write some code, in relative terms.
Over the long term, this should translate into very high margins and rich cashflow profiles, coupled with increasingly higher barriers of entry until we see a new paradigm shift, such as AI is to legacy players like Symantec and McAfee. In fact, looking at the financials of Crowdstrike and Sentinel One, the evolution of the financials very much fits this thesis, with gross margins skyrocketing over the past 5 years.
2.0 The (Potential) Arbitrage: Crowdstrike vs Sentinel One
Sentinel One seems to be like Crowdstrike but two years ago and at 1/10th of the market cap, with some caveats. Exploring the potential arbitrage leaves me with a better fundamental understanding of Crowdstrike than otherwise.
Studying younger companies with short track records in the public market, such as Crowdstrike, one usually walks away with a reasonable understanding of the business and that is about it. This time, however, I have found a fairly interesting potential arbitrage situation and fortunately, the mental model outlined in section 1.0 does 90% of the work for you. Further, I am not entirely convinced of the arbitrage, but I do believe that exploring it until a conclusion is reached is likely to reveal an investment opportunity in one form or another.
Essentially, the (technical, time to value) difference between Crowdstrike and Sentinel One is largely imperceptible with the publicly available information and both are on seemingly identical growth curves, with Sentinel One lagging behind Crowdstrike by 2 years, with less than 1/10th the market cap of the latter. If:
there is room for more than one big platform in the space
and multiple distribution pockets do end up crystallizing,
then perhaps Sentinel One has far more upside than Crowdstrike. To be specific, the one thing that I particularly like about Sentinel One is its culture, which I will explore in depth in this section too. It seems far superior to that of Crowdstrike´s and per my view of what companies are and how they work, this greatly increases the odds that at some point in the future the two companies may even come on par.
In what remains of this section, I will dissect the hypothetical arbitrage, which will by itself help you to understand Crowdstrike´s business deeply and hopefully, that of its competitors too. Note that the analysis is by no means skewed towards Sentinel One despite my excellent impressions of it, because the domain we are inspecting evolves non-linearly and so, a 2 year head start is no negligible advantage, regardless of other observations. In aggregate, this delta makes the odds that Crowdstrike ends up being the far larger and more lucrative platform much higher than otherwise and as we move into the bear market, Crowdstrike on its own may be a formidable long term opportunity.
Going back to the mental model in section 1.0, Crowdstrike is its prodigal son. In absolute terms, Crowdstrike leads the industry in terms of the number of endpoints it covers and thus exhibits a scale that no other next-gen player seems to come close to. Per its latest disclosure, the platform collects data on more than 7 trillion events weekly and it has been ramping up the deployment of new modules, with considerable adoption from their customers:
To be clear, no company pulls off this sort of performance without having an excellent organizational culture, so bear in mind that the analysis is presented in relative terms. Further, Crowdstrike's execution seems to have been largely enabled by the following aspects, which stem from quite phenomenal foresight from its CEO and founder George Kurtz:
A very lightweight agent and perhaps the lightest one among next-gen players, that can be deployed on any type of endpoint.
A single data model, which the company calls its “Threat Vector Graph”, which neatly packages all the data they pick up into clever associations between events. The company is continuously adding to this data model as it picks up data and it enables it to create new modules at a marginal cost: it picks up data once and reuses it many times to create new solutions for its customers, by “simply” coding up new features.
A smart filter within its lightweight agent, that enables the company to pick up the right data and not just bulks of useless data.
A single code base that lives in the cloud. According to Crowdstrike's management, its solution was designed for the cloud from scratch, which enables it to serve customers that are moving to the cloud more efficiently than competitors that actually manage two code bases, one on-prem and the other on the cloud, because their solutions were not designed for the cloud from the outset.
The issue is, as I was saying earlier, that Sentinel One management says roughly the same about its solutions and whilst there is no reason to fully believe what either management team says, the following suggests that indeed the two companies are not too different, except for the fact that Crowdstrike was founded 2 years earlier and Sentinel One is valued at a fraction of the latter:
Both agents seem to weigh around the same: 20MB.
Both companies are on an exponential growth curve.
Both have very high retention rates, well above 120%.
Crowdstrike currently has 19.69K customers, but had 8.4K 2 years ago. Sentinel One now has 8.6K customers. Other KPIs like top line revenue and gross margin exhibit a similar ~2 year lag.
Beyond this optical perception, there are a number of datapoints and incongruences which are very much worth exploring:
Culture: as mentioned, the achievements of both companies are largely non attainable without world class cultures. However, a deep dive on the two reveals that Sentinel One´s culture is very cultish, whilst Crowdstrike´s seems to be stained by a sub-optimal middle management and the bitter feeling that it generates among employees.
Essentially, Sentinel One's Glassdoor profile has mostly very positive reviews and even the cons have a cheerful and spirited connotation to them. The main con seems to be that there is a lot of work, but the tone denotes a kind of “maybe this is not for you, but it is for me because I am a sentinel” attitude, which is very typical of the world's top performing organizations of all types throughout history.
People seem to really love working at Sentinel One and the passion is somewhat contagious. Management makes repeated mentions of how important culture is for the company´s long term success and the internet is filled with appraisals of this aspect from employees. The company exhibits balance and harmony at a pace and volume of work that is unusual to see.
“Our employee retention remains better than industry average as a result of a dynamic and inclusive culture that is highly valued by all sentinels” - Sentinel One management, Q3 2022 ER.
Distribution: Crowdstrike started off focused on larger enterprises whilst Sentinel One started off focused on SMBs. SMBs do not have the resources to hire security personnel and so tend to default to hiring MSSPs (managed security service providers) which in turn naturally tend to default to software that empowers them and does not aim to replace them.
Crowdstrike´s software aims to replace MSSPs, whilst Sentinel One´s aims to empower them. As such, MSSPs are flocking to Sentinel One, giving the company an edge in terms of SMB distribution.
One can argue back and forth what is better during a hypothetical (and ever so pre-announced) recession, whether an edge with large enterprises or SMBs. Perhaps the former, if one has sufficiently penetrated the large enterprise space so that more performance is obtained at the margin by giving SMBs the basic tools, but this is largely speculation in my view.
The point is, although both companies are making strides to move to the other side of the distribution spectrum (Crowdstrike towards SMBs and Sentinel One towards large enterprises), each is native to a different distribution channel. Generally, the two types of organizations have different specific needs, which each company, given its distribution advantage, seems uniquely positioned to satisfy.
“Many small and medium-sized businesses are increasingly turning to many security service providers. It helps them address cyber talent shortages, gain cost efficiencies, and offset potential economic challenges. We designed our platform to support multi-tenancy, fully customizable role-based access control, and a full set of open and documented APIs.” - Sentinel One management, Q3 2022 ER.
Cashflow: whilst the metrics near the top line suggest that the companies are similar, Crowdstrike’s cashflow statement is far superior to that of Sentinel One’s and this is particularly visible in terms of free cashflow generation.
I believe that this metric potentially reveals Crowdstrike´s infrastructure to command significantly higher operating leverage than Sentinel One´s, in line with the alleged superiority of Crowdstrike´s architecture. The management of the former is very vocal about its leading time to value in the industry and is comfortable narrating examples of large deployments that take just 5 days, for example. On the other hand, Sentinel One´s management seems rather quiet on this front.
Sentinel One´s Free Cashflow, $:
Crowdstrike´s Free Cashflow, $:
Per Sentinel One´s last quarterly report (Q3 2022), however, it seems that operating leverage is ramping up fast, so perhaps this does not write off the potential arbitrage:
“Looking at the rest of our P&L, we delivered substantial operating margin improvement, expanding 26 percentage points year over year to negative 43%.” - Sentinel One management, Q3 2022 ER.
3.0 On Crowdstrike Becoming a Platform
The probability that Crowdstrike ends up being the dominant XDR platform rises non-linearly as it continues to achieve further scale and efficiently deploy the capital that results from said scale. Sentinel One does not generate positive cashflow yet and that is a particular source of weakness.
As outlined in section 1.0, a further dimension of the analysis to explore is the likelihood of one pick versus another becoming a platform. At any given point in time, a platform with more scale is more likely to become a platform than others with less scale - the obvious pick in this context is Crowdstrike. However, going deeper into the underlying dynamics that enables a company to obtain the superior scale in the first place is a more certain way of grasping the truth and potentially, spotting a worthwhile bet.
The fact that, normalizing for the 2 year lag, Crowdstrike exhibits much healthier cashflows than Sentinel One makes it likely that indeed Crowdstrike's time to value and overall operational leverage is superior. Although both companies started off at different ends of the distribution spectrum (in terms of the size of the organizations that they serve), the differences between serving an SMB and serving a large enterprise are perhaps not insurmountable and so, given enough time and efficient capital allocation, either one of them could eat the other's lunch. With its much healthier cashflows, Crowdstrike seems to have much more capital allocation muscle.
Inverting the problem, scale seems to be leading Sentinel One into very red numbers in its bottom line and cashflow profile and perhaps, it is true that its architecture is inherently flawed relative to Crowdstrike´s. In this light, the odds of Crowdstrike becoming a platform that data and feature providers plug into seem much higher than the odds of Sentinel One doing so. With the dynamic outlined in the paragraph above, unless there really are insurmountable differences between serving SMBs and large enterprises, there is also a chance that Crowdstrike can displace Sentinel One. Of course, I am thinking quite a few years out.
We do not have much data on this yet, but I do expect that through time, we will learn about which company is best at decreasing the cost of deployment/distribution through time. I suspect (again per the cashflow profiles), that Crowdstrike leads here too, but at this stage this is still uncertain and as mentioned in the previous section, whether Sentinel One can catch up in terms of operating leverage cannot be fully written off at this stage. This KPI would shed much light on the thesis and I will track it carefully going forward.
Over the last quarter in Fal.Con 2022, Crowdstrike announced that it is now going to be pulling in data from Palo Alto, Microsoft and others. Crowdstrike also launched its Crowdstrike store in 2019, Salesforce-style. This gives it an additional advantage, as the volume of data on its platform is likely to increase non-linearly per every additional data source that it connects to its system. As I touched on briefly in section 2.0, we are analyzing what is effectively a non-linear plane and even if Sentinel One exhibited similarly healthy cashflows, a 2 year head start likely represents an exponential advantage.
To finish off this section, I would like to briefly discuss the implications of the proliferation of digital twins throughout industry. Palantir and Microsoft, namely, excel at the creation and deployment of digital twins and in case you have not studied the space, the business dynamics are quite similar: it is about lowering the time to value and maximizing distribution per unit of input, to ultimately capture and orderly process the most amount of data possible. In that sense, a company like Palantir also has a future in terms of becoming a data pool for XDR since it essentially turns what are otherwise analogue operations into a set of interactions between digital end points.
To further illustrate the intimacy between digital twins and XDR, consider one of Crowdstrike´s recent acquisitions: data visibility company Humio, which it acquired in 2021 for $352M in cash and $40M in stock. Humio, placed on top of Crowdstrike´s Threat Graph, basically gives customers visibility into their endpoints across the organization which is perhaps the most important function of a digital twin. In short, I expect these two spaces to collide and likely merge in the coming decade and I believe that having this dynamic in mind may yield interesting investment opportunities.
This brings me onto the next section, which is how I think about spotting other undervalued distribution channels in the XDR space.
4.0 Looking Around the Industry
A fundamental understanding of the XDR space reveals Blackberry to be a highly asymmetric opportunity. Blackberry occupies an exceptionally moated distribution channel in the IoT space, which it can use down the line to distribute its maturing XDR offering.
Microsoft seems to have leveraged its distribution advantage to take a leading spot in the industry, but a number of issues stand out:
Microsoft is a large company and thus, capturing the upside of cybersecurity meaningfully is unlikely as a stand alone stock pick.
My impression, having read many reviews of its offerings, is that they do not seem to work too well beyond the Windows ecosystem.
The fact that Microsoft is leading the space together with Crowdstrike, without a versatile infrastructure similar to that of Crowdstrike, suggests to me that a distribution advantage is indeed paramount in this game. One frontier in which distribution is very much a question mark is IoT, which in the words of Jefferies' analyst Joseph Gallos in Sentinel One's Q3 2022 ER call “remains the wild west”.
In this sense, the broad analysis of the space further ratifies my investment in Blackberry, because the company has a highly moated and growing distribution advantage in the IoT space and is simultaneously maturing its XDR offering. This distribution advantage stems from its QNX RT-OS (real time operating system), which has a dominant position in the following segments:
Auto: almost all the top legacy and novel EV OEMs on the planet use QNX as the foundation of their automobiles. Every quarter, the company secures top of the line design wins, such as the BMW win this last quarter:
“BMW entered a multi-year agreement with us to develop new Level 2 and 2 plus autonomous drive system on QNX for makes and models across the entire BMW Group.” - John Chen, Blackberry CEO, Q3 2022 ER.
Quarter over quarter, I see the industry consolidating and moving towards QNX. For example, this last quarter “Google, Qualcomm and BlackBerry, three of the leaders in the autonomous digital cockpit announced a collaboration to build a chipset that allows BlackBerry's Hypervisor to seamlessly integrate with Android automotive”.
Medical and industrial: the company is also making its way into these domains, as the core value proposal remains the same: to enable the operation of devices that cannot fail.
Aviation: the company set its eyes on this domain a quarter or two ago and is now making meaningful progress here too.
Blackberry is currently split into two different business units (IoT and cybersecurity), but management plans to merge the two in 5 years or so. I believe that a fundamental understanding of the XDR space very much clarifies what Blackberry is up to and at a market cap of just $2.1B, I do believe this is the most undervalued tech platform on Earth. I will be dropping a Q3 2022 ER digest in the coming days, so stay tuned for that.
Before moving on to dissect Crowdstrike's financials, some context. Across the board, organizations are tightening their belts and so the duration of sales cycles is increasing. As was the case with other companies like Meta (deep dive), for example, there seemed to be no end in sight to the fast paced growth that we got used to during the pandemic. Now, things are generally cooling off and the market is gifting us far more attractive entry points into companies, with largely intact long term theses. In the case of cybersecurity, the space is likely to explode with or without several recessions along the way and the top companies with it.
“Consistent with many other software companies and even our competitors, we're seeing higher cost consciousness and prudence around IT budgets. That's leading to elongated sales cycles and limited budget availability.” - Tomer Weingarten Sentinel One CEO, Q3 2022 ER
In the graph below you can see how Crowdstrike´s gross margin (green) and revenue (brown) have both maintained pleasing trajectories, but the price to sales ratio (white) has plummeted. Going back to the mental model from section 1.0, so long as the company continues to onboard and retain more endpoints, pick up more data and deploy additional modules that its customers are happy to onboard at a reasonable price, then the company will likely tend to do fine in the long term. There are some important considerations to the company´s financials, but with this brief section I wanted to explain how I am tentatively framing a potential investment here.
Crowdstrike´s income statement is far more appealing. However, two things stand out:
Sentinel One seems to be going through an inflection point similar to the one Crowdstrike went through in Q1 2020, with OPEX as a % of revenue coming down really fast, in line with the CEO's comments during the Q3 2022 ER call about operating leverage going up quickly.
In the next graph you will see that regardless, the bottom line is very much in the red for both companies, despite considerable optimization on the OPEX side and particularly so in the case of Crowdstrike. Also in the case of the latter, this is despite having deployed many modules (more than 20 to date) and so it begs the question, how many further successful modules must the company deploy for the bottom line to turn green?
Admittedly, per Crowdstrike’s free cashflow generation, there seems to be an intentional component to this, but it is still worth noting.
Below, revenue in brown, OPEX as % of revenue in white.
Below, net income in blue and operating income in pink.
Below, gross margin in yellow.
It is also worth noting how most of Crowdstrike's sales, as I believe is the case with Sentinel One, come from channel partners. This seems to be the norm throughout the industry, but I believe that this is inherently a non-desirable property in a business. Excessive reliance on one particular channel, be it for sales or procurement of raw materials and so forth, is a fragile situation to be in. Of course, I imagine that management is smart and diversifies within the channel and actively manages the relationships with the different partners, but the point is that I have no visibility into this.
Just as Sentinel One seems to be experiencing an inflection point in terms of revenue growth and OPEX as a % of revenue coming down quickly, the same can be argued on the cashflow side of things, with cash from operations and free cashflow starting to point upwards in tandem. It is still very early to tell, but I do get the sense that the company is heading in the right direction and going back to the idea of both businesses existing in a non-linear plane, my intuition is that Sentinel One is just about to ramp up its cashflow production.
Crowdstrike´s cashflow profile stands in stark contrast, with both cash from operations and free cashflow rising steadily together for quite some time and looking back to Q3 2018, it seems to have not exhibited such erratic behavior. Whilst I do get the sense that Sentinel One is progressing adequately, I think that Crowdstrike´s cashflow evolution does indicate better foresight and technical architecture somehow.
Crowdstrike’s management story about the company planning for the cloud and investing heavily in its lightweight / very easily deployable agent relative to its competitors shows through the numbers. As outlined, the company is far ahead of Sentinel One, but I sense that a meaningful part of the financial delta is not due to the time lag only, but to fundamentally better operations too.
Below, Cash from Operations in white and Free Cashflow in green.
Both Crowdstrike and Sentinel One have meaningful net cash positions, but again, Crowdstrike’s superior operating leverage, be it due to the time lag, the superior architecture or a combination of the two, comes across in the steadily widening gap between cash and debt.
Below, Cash and ST Investments in light blue and Short and Long Term Debt in light blue.
As the cost of distribution tends to 0, I believe the XDR space will end up looking like the search engine space, with the perimeters of companies only truly delineated by distribution moats.
I believe XDR companies have a very long runway ahead of them, as cybercrime becomes a problem that affects everyone daily. Crowdstrike is very well positioned in the industry to continue acquiring more endpoints, gather more data and train the best AI models out there. As it gains critical mass, it will likely attract enough data and feature/module providers to act as a platform, enabling its customers to satisfy a growing part of their security needs in one single place.
Comparing the company to Sentinel One reveals that indeed Crowdstrike seems to have a better performing architecture, that enables it to command a higher operating leverage than otherwise. Meanwhile, nonetheless, Sentinel One is making strides to catch up and exhibits a seemingly far more potent corporate culture, that in the long term can be a very powerful asset, despite its initial disadvantage.
As we go further into the bear market, both companies are coming down to attractive valuations and so two potential plays arise:
Buying the leader, Crowdstrike, at a very reasonable price.
Buying a contender, Sentinel One, if the conditions for it to catch up or co-exist with Crowdstrike do occur. The conditions are the following:
a. That Crowdstrike is unable to extend its prowess to the SMB space, with Sentinel One remaining dominant in the distribution channel via MSSPs.
b. That the difference in cashflow profiles is due mostly to the explored ~2 year time lag between the two companies and not to insurmountable inherent architectural flaws in Sentinel One vs Crowdstrike.
c. That, in accordance with condition b, Sentinel One is therefore able to ramp up its free cashflow production as it moves forward through time and is thus able to deploy incremental capital on its infrastructure as it continues to achieve scale, like Crowdstrike is currently doing.
Additionally if for instance condition a does not occur, but b and c do, then a hypothetical Sentinel One investment is likely to do well if the market is indeed large enough for a number of big platforms to co-exist in the same distribution channel/s. I believe that as the cost of distribution/deployment decreases, the probability of the future panning out in this way tends to 0.
To illustrate the above hypothesis, consider the following mental experiment. Reasoning to the limit, if the cost of deployment of Crowdstrike´s solution was 0, there would be no reason for any customer to pick Sentinel One´s, so long as Crowdstrike has superior acceptance in the marketplace, which it currently does. In other words, as the cost of distribution tends to 0 (if it ever can do, which remains unknown but likely given the increasingly virtual nature of endpoints) the XDR space will tend to look more like the search engine space, with the perimeters of companies only truly delineated by distribution moats.
To encapsulate the importance of “superior acceptance”, consider what I term the SAP Paradox. Most folks in most companies despise SAP´s offerings, but they continue to hire them because they cannot get fired for doing so if something goes wrong. I see the same sort of dynamic unfolding in this space and I believe it will drive a lot of the outcomes as distribution becomes increasingly seamless. Anyways, just my thoughts for now.
Both Crowdstrike and Sentinel One are now on my watch list.
Until next time!