Edited by Brian Birnbaum. This is an update of my original Crowdstrike deep dive.
And now, onto the Crowdstrike update.
Section 1.0 is an overview of the cybersecurity sector and why Crowdstrike has a meaningful competitive advantage.
In Section 2.0, I analyze the company's progress since my original deep dive, which supports the idea that Crowdstrike indeed has an edge.
In Section 3.0, I share my conclusion on whether I should invest in the company or not.
1.0 A Recap of Cybersecurity, in the Age of AI
The cybersecurity industry is now about getting more and better data than anyone else. Crowdstrike understood this long ago and it shows.
As is the case with semiconductors, analyzing a cybersecurity company is often more fruitful when you first understand what is fundamentally happening in the industry. Otherwise, it is easy to get lost in the details, whereupon spotting investments just becomes too hard.
In this section, you will gain an understanding of what is happening in cybersecurity and why Crowdstrike has a structural advantage over its peers.
With the emergence of AI, data is the price of admission, as AI models power all of the best modern security. Thus cybersecurity has revealed itself as a game of accruing greater and higher quality data than competitors. The foremost reasons are:
1. The models learn from what is happening in real time and thus program themselves, a far more cost effective approach than having humans program new logic.
2. Attacks are increasingly machine driven, meaning that they are not performed by humans. Attempting to defeat these machines with humans is futile.
Therefore whoever has the most prominent data harvesting infrastructure will likely win because more data begets more data, ad infinitum. The best way to harvest data is to excel at distribution and retention, i.e. being great at deploying your cybersecurity solution and keeping customers happy.

To turn data into superior models, the company in question must have not only an excellent talent pool, but also an organizational structure that optimizes said talent. The talent and structure must also enable and optimize distribution and retention capabilities, which yield the data in the first place.
Cybersecurity itself is delivered via an agent: a piece of software that takes actions to protect the device it sits on. The lighter the agent (the less memory and computing resources it takes up), the easier it is to distribute. In aggregate and over time, marginal differences in the lightness of an agent amount to an exponential advantage in distribution.
A company with dominant distribution and critical data mass takes the shape of a platform through which other vendors can distribute their own cybersecurity offerings and plug in their own data harvesting infrastructures. As a platform emerges, data volume growth hits an inflection point, whereupon competitors can no longer keep up.
The cybersecurity industry is likely to create a singular power. People and organizations do not want hundreds of different security providers for one hundred different use cases. Naturally, they prefer to operate a single solution for all of them.
Platforms at critical data mass can release and deploy new modules (features, essentially) at marginal cost for each new case that arises. For every new module deployed and successfully embraced by customers, operating leverage increases exponentially.
If the mental model outlined above is an accurate depiction of reality, the way to spot winners in the space is to look for companies with this structural advantage. Such advantage may be condensed to the following two aspects:
1. A lighter agent and signs of superior deployment and retention capabilities.
2. A demonstrated ability to deploy new modules and therefore, a clear track record of leveraging the data pool to continuously add more value to customers.
If you read through the public filings of Crowdstrike and its closest competitor, Sentinel One, both management teams say the same things and claim to excel in the above two aspects. However, a detailed comparison of the two (e.g. my deep dive) likely points to structural differences.
Ultimately, the difference in their respective free cash flow figures separated the wheat from the chaff. FCF is the quintessential measure of operating leverage (factoring out stock based compensation, for a moment).
Note: SBC is an issue in all of these fast growing tech companies. Free cash flow on its own is nonetheless a measure of operating leverage. If the management team is capable and ethical, over time they will rein in the dilution caused by SBC to protect shareholder returns.
When I wrote my deep dive, Crowdstrike's free cash flow was impressive and, quite frankly, Sentinel One's was not. The former's management team was entirely transparent on module adoption rates, while the latter's was optimistic but somewhat opaque. A coincidence? I think not.
Consistently deploying one module after another that delights customers requires having a single source of truth in the first place. By this I refer to a data model, which aggregates all the data generated throughout the network. In the ideal case, this data model allows you to neatly feed the AI models that enable each new module with the appropriate data.
Without this intermediate architecture, successfully deploying new models, which in turn power modules, becomes a much more arduous task. It is very similar to the idea of abstracting hardware that I discussed in my Rivian deep dive - pace of iteration is vital and having an architecture that lets you try new things quickly is paramount to being competitive.
As with the lightness of the agent, both Crowdstrike and Sentinel One claim that they have the best data model on the market.
Again, it’s quite hard to get a read on this without being inside one of these companies, but in the last two quarters the delta between Crowdstrike and Sentinel One has been just as pronounced.