Edited by Brian Birnbaum and an update of my original Crowdstrike deep dive.
New! You can now listen to my write ups on Spotify. They go live some days after I post them on Substack. The latest podcast is on the AMD deep dive:
And now, onto the Crowdstrike update.
Section 1.0 is an overview of the cybersecurity sector and why Crowdstrike has a meaningful competitive advantage.
In Section 2.0, I analyze the company´s progress since my original deep dive, which supports the idea that Crowdstrike indeed has an edge.
In Section 3.0, I share my conclusion on whether I should invest in the company or not.
1.0 A Recap of Cybersecurity, in the Age of AI
The cybersecurity industry is now about getting more and better data than anyone else. Crowdstrike understood this long ago and it shows.
As is the case with semiconductors, analyzing a cybersecurity company is often more fruitful by first understanding what is fundamentally happening in the industry. Otherwise, it is easy to get lost in the details, whereupon spotting investments just becomes too hard.
In this section, you will gain an understanding of what is happening in cybersecurity and why Crowdstrike has a structural advantage over its peers.
With the emergence of AI, data is the price of admission, as AI models power all of the best modern security. Thus cybersecurity has revealed itself as a game of accruing greater and higher quality data than competitors. The foremost reasons for such are:
The models learn from what is happening in real time and thus program themselves, a far more cost effective approach than having humans program new logic.
Attacks are increasingly machine driven, meaning that they are not performed by humans. Attempting to defeat these machines with humans is futile.
Therefore whoever has the most prominent data harvesting infrastructure will likely win because more data begets more data, ad infinitum. The best way to harvest data is to excel at distribution and retention–i.e. being great at deploying your cybersecurity solution and keeping customers happy.
To turn data into superior models, the company in question must have not only an excellent talent pool, but also an organizational structure that optimizes said talent. The talent and structure must also enable and optimize distribution and retention capabilities, which yield the data in the first place.
Cybersecurity itself is delivered via an agent: a piece of software that takes actions to protect the device it sits on. The lighter the agent (the less memory and computing resources it takes up), the easier it is to distribute. In aggregate and over time, marginal differences in the lightness of an agent amount to an exponential advantage in distribution.
A company with dominant distribution and critical data mass takes the shape of a platform through which other vendors can distribute their own cybersecurity offerings and plug their own data harvesting infrastructures. As a platform emerges, data volume growth hits an inflection point, whereupon competitors can no longer keep up.
The cybersecurity industry is likely to create a singular power. People and organizations do not want hundreds of different security providers for one hundred different use cases. Naturally, they prefer to operate a single solution for all of them.
Platforms at critical data mass can release and deploy new modules (features, essentially) at marginal cost for each new case that arises. For every new module deployed and successfully embraced by customers, operating leverage increases exponentially.
If the mental model outlined above is an accurate depiction of reality, the way to spot winners in the space is to look for companies with this structural advantage. Such advantage may be condensed to the following two aspects:
A lighter agent and signs of superior deployment and retention capabilities.
A demonstrated ability to deploy new modules and therefore, a clear track record of leveraging the data pool to continuously add more value to customers.
If you read through the public filings of Crowdstrike and its closest competitor, Sentinel One, both management teams say the same things and claim to excel in the above two aspects. However, a detailed comparison of the two (e.g. my deep dive) likely points to structural differences.
Ultimately, the difference in their respective free cash flow figures separated the wheat from the chaff. FCF is the quintessential measure of operating leverage (factoring out stock based compensation, for a moment).
Note: SBC is an issue in all of these fast growing tech companies. Free cash flow on its own is nonetheless a measure of operating leverage. If the management team is capable and ethical, over time they will reign in the dilution caused by SBC to protect shareholder returns.
When I wrote my deep dive, Crowdstrike´s free cash flow was impressive and, quite frankly, Sentinel One´s was not. The former´s management team was entirely transparent on module adoption rates, while the latter´s was optimistic but somewhat opaque. A coincidence? I think not.
Consistently deploying one module after another that delights customers requires having a single source of truth in the first place. By this I refer to a data model, which aggregates all the data generated throughout the network. In the ideal case, this data model allows you to neatly feed the AI models that enable each new module with the appropriate data.
Without this intermediate architecture, successfully deploying new models, which in turn power modules, becomes a much more arduous task. It is very similar to the idea of abstracting hardware that I discussed in my Rivian deep dive - pace of iteration is vital and having an architecture that lets you try new things quickly is paramount to being competitive.
Much like is the case regarding the lightness of the agent, both Crowdstrike and Sentinel One claim that they have the best data model on the market.
Again, it’s quite hard to get a read on this without being inside one of these companies, but in the last two quarters the delta between Crowdstrike and Sentinel One has been just as pronounced.
2.0 Crowdstrike´s Progress is Impressive
Crowdstrike is deploying more modules per customer, which is translating into very fast improving financials. Meanwhile, Sentinel One is also progressing very well.
Crowdstrike discloses what percentage of its customers have adopted more than n models. YoY (as of Q2 2023), the metric has evolved as follows:
4+ modules: 66% => % not reported.
5+ modules: 53% => 63%.
6+ modules: 29% to 41%.
7+ modules: % not reported => 29%.
As a result, ARR (annual recurring revenue) came in at $2.9B in Q2 2023, up 37% YoY. Also, the net retention rate came in “above the 120% mark”.
Apart from the net retention rate, which has been trending down for some time, this is phenomenal progress. It came as little surprise when Q2 earnings revealed a record free cash flow of $188.7M, accounting for an impressive 25% total revenue in the period. However, what is unfortunate is that, if you remove stock based compensation ($164.8M in Q2 2023), you are left with just $23.9M in free cash flow.
To further illustrate how the module metrics fit in with the mental model outlined in Section 1.0, here is a quote from CFO Burt Podbere during the Q2 2023 conference call:
The way our technology works, it's single-agent architecture, a common data store and then modules and then we've been able to obviously monetize that across different areas. Protection is just one area. But when you look at cloud, you look at agentless, you look at some of the other offerings, LogScale and Identity, it's really about the platform sale, not an individual area and getting the right outcome.
Regarding how to factor SBC issuance into our analysis, the concern is always present in these high-growth, high-quality tech companies. The topic is far from black and white. We will only truly know how to analyze SBC in hindsight. For now, I suggest concentrating on management’s ethical composition.
[…] we think that we are going to continue to show low dilution, less than 2% this year and strive to keep it under 3% for next year. - Burt Podbere, CFO, during the Q2 2023 conference call.
In my deep dive I outlined how, initially, I thought that Sentinel One was like a Crowdstrike but two years younger. Per the deltas in free cash flow and other datapoints discussed in the deep dive, I walked away with a sense that this was not really the case, with there being some notable structural differences.
Although I still believe this to be true, I am quite impressed by Sentinel One´s progress YoY too. ARR grew 47% YoY to $612 million (just over a fifth of Crowdstrike´s ARR) and margins are clearly increasing rapidly. In the last two years since its IPO, Sentinel One has:
delivered more than 20 percentage points of non-GAAP gross margin expansion,
GAAP and non-GAAP operating margin have expanded by 39 and 34 percentage points year-over-year and,
free cash flow margin came in at (10)% in Q2 2023, 55 percentage points higher than in Q2 2023, when it came in at (65)%.
Note: Sentinel One´s fiscal calendar is one year ahead of that of the natural cycle. Their FY2024 is everyone else´s FY2023 and so forth.
Compared to Crowdstrike, these are quite pedestrian numbers, but the convergence is striking. Sentinel One owes improved numbers to an increasing customer base and more modules deployed per customer. However, I remain frustrated that management does not issue exact metrics on the latter component.
Net retention rate came in at 115%, which is still excellent, but seemingly below that of Crowdstrike´s. Digging deeper into the Q2 earnings results, however, according to CFO David Bernhardt, the net retention rate would have been 120% on an organic basis, excluding the legacy products Sentinel One onboarded with the acquisition of Attivo. So actually, quite close to Crowdstrike.
The retention rates of both companies have been trending down for the past few years, which according to both management teams is largely due to macro-driven budgetary constraints. Therein lies my main problem: that, with respect to cybersecurity, I’m burdened with too many unknown unknowns. I have not studied the space in enough depth to discern my true sentiments.
3.0 Conclusion
I lack knowledge to comfortably invest in Crowdstrike, for now.
If indeed cybersecurity does evolve into a winner takes all scenario, Crowdstrike is the only logical pick. However, the Sentinel One is evolving rather impressively and is valued at an eighth of Crowdstrike’s market cap. If the space does accommodate two winners, Sentinel One has considerable upside.
Having said that, the digital economy is only going to continue flourishing in the coming decades, and all of it will require protection. In this sense, the number one in the space can turn into a successful long term compounder. Acquiring more and better data will lead Crowdstrike to the next computing platform–one beyond the data/AI model symbiosis.
While I work everyday to expand my circle of competence, I still feel a slightly eerie sensation when dipping my toes in the waters of cybersecurity. Although Crowdstrike is right up my alley in terms of AI, and though it seems like a formidable organization, I do not have a complete understanding of:
who their customers are and what they want exactly,
what alternatives they are tempted to hire instead of Crowdstrike, and
what ways this company can be disrupted over the coming five years.
I do hold considerable appreciation for this company, however, and I will continue monitoring it going forward.
Until next time!
⚡ If you enjoyed the post, please feel free to share with friends, drop a like and leave me a comment.
You can also reach me at:
Twitter: @alc2022
LinkedIn: antoniolinaresc
As someone new to the cybersecurity space, could you explain what are the differences between blackberry and crowdstrike? Are they in direct competition with each other? Cheers mate!
Antonio on the magic quadrant review Microsoft scores higher than Crowdstrike. Yet Cylance who score much lower has been shown to be far more effective than Microsoft.
Cylance has been AI long before any other vendor yet BlackBerry decided not to go after the same market and concentrate on the long term goal of convergence between QNX and Cylance.
Do you think Cylance if marketed more towards Crowdstrike's customers could compete? Why are Governments and regulated industries choosing Cylance ?