A CrowdStrike deep dive

The S-1 in-depth report from Meritech and the latest growth numbers sure got me interested in the upcoming CrowdStrike IPO. It went straight from 2nd Tier to 1st Tier interest after diving in a bit more.

They are pretty akin to Zscaler as a cloud-based security company using crowdsourced data and AI for threat detection, but with a different technical setup and focus (which I dive into in more detail below). ZS is priced into the stratosphere at $9.5B, while CRWD was last privately valued at $3B (sure to be much, much more once public). Hope it isn't all priced in at the start, but I am likely to be an owner regardless after this research. One can only hope Slack's IPO will distract from CrowdStrike's.

  • ZS and CRWD have similar revenue (~250M TTM).
  • ZS has better margins (80% vs 66%) and much lower net losses (almost profitable). CRWD has been improving margins, but Pro Svcs is weighing it down. (Counterpoint: Pro Svcs is a huge sales entry point for Falcon Platform.)
  • CRWD has way higher rev growth (124% vs 66%), nearly double!
  • CRWD has huge cust growth (+103%) that are spending more ($NER 147%). Muted $NER of 118% has been my one disappointment with ZS that I've griped about before; CRWD is showing way better expansion rates with its modular/tiered pricing, plus having a completely managed service at the top tier.

FYI, this company made a name for itself by investigating the Democratic Party breach and helping determine it was Russian intelligence.

So here is a deep dive...

CrowdStrike Overview

Detailed S-1 Review: https://medium.com/@alexfclayton/crowdstrike-ipo-s-1-breakdown-3f00b06f7a3a

Pre-IPO details: https://boards.fool.com/impressive-s-1-137-subscription-growth-yoy-103-34212522.aspx

Website: https://www.crowdstrike.com

FY19:
Rev 249.9M +110% !!
 - Sub Rev 219.4M +137% !!
 - Pro Svcs Rev 30.4M +16%
Gross Margin 65.1% +1100bps
Loss -140.1M  
Adj Loss -115.8M 
FCF -65.6M

Latest Q:
Revenue 72.8M +124% ^^, +26% seq !!
ARR 313M +121% !!
Gross Margins 66%
Cash 192M
Custs 2516 +103% !!
ACV (ARR/custs) 124.3K +9%
$NRR 147% ^^ +2800bps, +2000 bps seq !!

CrowdStrike is a SECaaS providing cloud-native endpoint protection that leverages crowdsourced data and cloud analytics to stop threats.

  • Cloud-based architecture - customers can immediately implement & scale. Modular products can be used depending on need, or their managed service.
  • AI over threat detection. Replaces existing anti-virus & malware detection.
  • Internal teams of experts analyzing threat database, and providing services like assessment, proactive checks, incident response.
  • Marketplace to integrate products from partners that extend the Falcon platform. Ties directly into other SECaaS & analytics providers.

Product Lines

  1. Enterprise endpoint protection
  2. Threat intelligence
  3. Security and vulnerability mgmt
  4. IT Service mgmt
  5. Managed security services

Competitors: Symantec, Cylance (Blackberry), Cybereason, Carbon Black, Palo Alto, FireEye

Customers: ADP, Shutterstock, Pokemon Co, Rackspace, Tribune Media, State of Wyoming, Hubspot, City of San Diego, Hyatt

At a Glance

  • processes data from endpoints across all customer base (crowdsourced security)
  • use AI and behavior pattern-matching to stop breaches
  • started w/ focus on large enterprises, now sells to SMBs
  • in 44% of Fortune 100
  • 2/3 of custs <1k empl
  • 23% int'l (+700bps YoY)
  • recent cust onboarded in 1d to protect >100k endpoints
  • internal data showed 40% of detects were exploits in OS (not malware)
  • global TAM expected to be $29.2B by 2021 (ZS said $17.7B TAM at IPO a year ago)
  • last reported private valuation $3.15B

Accolades

Platform Overview

Falcon Platform

https://www.crowdstrike.com/endpoint-security-products/falcon-platform/

2 software components

  • light-weight endpoint agent: installed on Windows, Mac, Linux systems
  • Threat Graph cloud database: analyzes 1T real-time events/wk
  • 10 cloud modules, all subscription-based
  • 47% of sub custs on >4 modules (+1700bps YoY) !!

Crowdstrike discusses 2 different approaches to protection. https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/

Indicators of Compromise (IOCs) = The unique characteristics of a breach. Reactive approach. Examples: malware, exploits, attack signatures.

Indicators of Attack (IOAs) = A focus on detecting the intent of what an attacker is trying to accomplish. Represents series of actions adversary would take. Proactive approach. Examples: Code execution, persistence, stealth, lateral movements w/in network.

CrowdStrike focuses on both approaches: the more traditional IOC tracking, and the more advanced IOA tracking through ML/AI (machine learning & AI).
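To make the IOC/IOA distinction concrete, here is an added example (not CrowdStrike's code and not the Falcon agent's logic) that runs both styles of detection over a handful of constructed endpoint events. The IOC check is reactive: it matches a process hash already on a known-bad list. The IOA check is behavioral: it looks for an ordered sequence of actions by one process (execution, then an autostart write for persistence, then an outbound connection) within a time window, regardless of whether any artifact is known. The hashes, hostnames, paths, address ranges and the rule itself are all constructed for illustration.

```python
"""IOC matching vs IOA sequence detection over constructed endpoint events.

Added example for the IOC/IOA distinction; not CrowdStrike code.
Every indicator, rule and event record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int      # seconds, constructed clock
    host: str
    pid: int
    kind: str    # process_start | file_write | registry_write | network_connect
    detail: str  # hash for process_start, path/key for writes, dest for connects


# --- IOC approach: reactive, matches artifacts already known to be bad ----------
KNOWN_BAD_HASHES = {
    "sha256:" + "ab" * 32,   # constructed placeholder, not a real sample hash
}


def ioc_detect(events):
    """Return process_start events whose hash is on the known-bad list."""
    return [e for e in events
            if e.kind == "process_start" and e.detail in KNOWN_BAD_HASHES]


# --- IOA approach: proactive, matches a sequence of behaviors -----------------
# Constructed markers for autostart locations (persistence) and internal ranges.
AUTOSTART_MARKERS = ("\\CurrentVersion\\Run\\", "/etc/cron.d/", "/.config/autostart/")
INTERNAL_PREFIXES = ("10.", "192.168.")

# Constructed rule: execution -> persistence -> outbound connection, within WINDOW seconds.
IOA_RULE = ("execution", "persistence", "outbound_connect")
WINDOW = 300


def stage_of(event):
    """Map a raw event to an IOA behavior stage, or None if it is uninteresting alone."""
    if event.kind == "process_start":
        return "execution"
    if event.kind in ("file_write", "registry_write") and any(
            m in event.detail for m in AUTOSTART_MARKERS):
        return "persistence"
    if event.kind == "network_connect" and not event.detail.startswith(INTERNAL_PREFIXES):
        return "outbound_connect"
    return None


def ioa_detect(events, rule=IOA_RULE, window=WINDOW):
    """Return one hit per (host, pid) whose events complete `rule` in order within `window`."""
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_proc[(e.host, e.pid)].append(e)

    hits = []
    for (host, pid), evs in by_proc.items():
        idx, start_ts, matched = 0, None, []
        for e in evs:
            stage = stage_of(e)
            if stage is None:
                continue
            if start_ts is not None and e.ts - start_ts > window:
                # window expired: forget the partial match and start over at this event
                idx, start_ts, matched = 0, None, []
            if stage == rule[idx]:
                if idx == 0:
                    start_ts = e.ts
                matched.append(e)
                idx += 1
                if idx == len(rule):
                    hits.append({"host": host, "pid": pid, "events": matched})
                    idx, start_ts, matched = 0, None, []
    return hits


# Constructed sample telemetry (hostnames, hashes, keys and addresses are all made up).
SAMPLE_EVENTS = [
    # host-a: unknown binary, but its behavior completes the IOA rule inside the window
    Event(0, "host-a", 100, "process_start", "sha256:" + "cd" * 32),
    Event(40, "host-a", 100, "registry_write",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    Event(90, "host-a", 100, "network_connect", "203.0.113.7:443"),
    # host-b: known-bad hash, no further behavior recorded -> IOC hit only
    Event(10, "host-b", 200, "process_start", "sha256:" + "ab" * 32),
    # host-c: benign process, ordinary file write, internal connection -> nothing
    Event(0, "host-c", 300, "process_start", "sha256:" + "ef" * 32),
    Event(5, "host-c", 300, "file_write", "/home/user/notes.txt"),
    Event(20, "host-c", 300, "network_connect", "10.0.0.5:445"),
    # host-d: same stages as host-a but far outside the window -> no IOA hit
    Event(0, "host-d", 400, "process_start", "sha256:" + "01" * 32),
    Event(1000, "host-d", 400, "file_write", "/etc/cron.d/sync"),
    Event(1010, "host-d", 400, "network_connect", "198.51.100.9:80"),
]


if __name__ == "__main__":
    for e in ioc_detect(SAMPLE_EVENTS):
        print(f"IOC hit: {e.host} pid {e.pid} hash {e.detail[:20]}...")
    for h in ioa_detect(SAMPLE_EVENTS):
        stages = [stage_of(e) for e in h["events"]]
        print(f"IOA hit: {h['host']} pid {h['pid']} stages {stages}")
```

The two detectors fire on different processes: the IOC check only catches the process whose hash was already known, while the IOA check catches the never-before-seen binary on host-a because of what it did, and ignores host-d because the same actions were spread beyond the rule's window. Real products tune both the stage definitions and the window far more carefully than this sketch does.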

Product Modules

Endpoint Security:

Falcon Prevent (Next-Gen Antivirus): comprehensive protection against both malware and fileless attacks; replaces legacy antivirus/malware detection products

  • protects against all threat vectors
  • known malware/ransomware prevention
  • prevent fileless and malware-free attacks
  • ML to detect known/unknown threats with Threat Intel
  • proactive threat hunting, with Indicator of Attack (IOA) detection, to identify and stop attacker behavior
  • full attack visibility (process tree graph)
  • exploit mitigation

Falcon Insight EDR (Endpoint Detection and Response): notify customers about endpoint activity in real time

  • real-time monitoring & visibility
  • records all endpoint activities for deeper inspection, historical review
  • immediate response
  • enriched w/ Threat Intel

Falcon Device Control: gives admins visibility and granular control of USB peripheral devices

Security and IT Ops:

Falcon Overwatch (Threat Hunting): elite team of security experts who utilize the Threat Graph to augment customers' in-house security

  • proactive threat hunting
  • investigate breaches
  • pinpoint urgent threats
  • guided response
  • premium: escalated notification, access to threat response analyst, quarterly briefings & recommendations

Falcon Discover (IT Hygiene): network security monitoring & introspection

  • rogue system/app detection within networks
  • monitors user accounts and sysadmin access
  • password policy enforcement
  • app security hygiene
  • app license management
  • AWS visibility & spend analysis
  • asset inventory

Falcon Complete (Turnkey Security): managed service for monitoring, mgmt, response, and remediation

Falcon Spotlight (Vulnerability Mgmt): detect vulnerabilities in real time across customer endpoints

Threat Intelligence:

Falcon X (Threat Intel): AI over endpoint protection

  • automated analysis of all incidents, speeding up breach response
  • uses AI, ML, IOAs tracking
  • learn from the attacks in your environment; custom IOCs generated from threats detected
  • weekly threat reports
  • premium tier w/ global threat research & analyst reports

Falcon Search Engine (Malware Search): search over 300TB of data on 400M malware samples collected across Falcon, overlaid with Threat Intel data

Falcon Sandbox (Malware Analysis): analyze files for malicious behavior in isolated VMs, can integrate into workflows & SIEMs

Services:

  • Cybersecurity assessment
  • Proactive checks
  • Pre/Post incident response
  • Compromise assessment

Other:

  • CrowdStrike Falcon for Mobile: (coming soon) EDR for mobile devices
  • Falcon on GovCloud: FedRAMP approved gov't endpoint security, delivered on AWS GovCloud; includes Prevent, Insight and Discover products, plus IR & Proactive services
  • Falcon for Data Centers: secure physical, virtual or cloud/hybrid infrastructure

CrowdStrike Store: PaaS store for cybersecurity tools, to sell products from CrowdStrike partners that enhance Falcon Platform and/or utilize same agent … example apps/partners:

  • User behavior analytics (eg Exabeam)
  • App behavior analytics (eg TrueFort)
  • Attack analysis (eg AttackIQ)
  • Managed security (eg Expel)
  • Incident response (eg Demisto [Palo Alto])

Falcon Connect: collection of APIs to interface with Falcon Platform

  • Query API - search IOAs, IOCs, devices & indicators
  • Streaming API - real-time streams for detections & alerts; hook into your SIEM
  • Data Replicator API - pull raw event data
  • Intel API - query indicators, adversaries, reports & tailored intel
  • Threat Graph API - query detection and IOC relationships

Pricing

Multiple tiers for 5-250 endpoints. Any tier can:

  • ... add optional services
  • ... add optional product Spotlight
  • ... operate in specialized environs (GovCloud, Data Centers)
  • ... add standalone products: Search Engine, Sandbox

Tiers:

Falcon Pro - endpoint protection & threat intelligence

  • ... includes Prevent & X
  • $7/endpoint/mo

Falcon Enterprise - prevents and detects attacks beyond malware, stop breaches, complete visibility

  • ... adds Insight, Device Control, Overwatch
  • $15/endpoint/mo

Falcon Premium - next level breach protection, real-time rogue detection and user monitoring, health checks and quarterly briefings w/ recommendations.

  • ... adds Discover and premium Overwatch
  • $18/endpoint/mo

Managed Service:

Falcon Complete - fully managed endpoint protection, delivered as a service by a CrowdStrike team of experts. Backed by $1M coverage to address breaches that occur within protected environ.

  • ... includes Prevent, X, Insight, Discover, premium Overwatch

IPO Details

https://news.crunchbase.com/news/crowdstrikes-sets-ipo-terms-targets-valuation-between-3-7b-and-4-5b/

18M shares at $19-$23 = valuation of $3.7B-$4.5B. Expected date around Wed 06/12/19.

They also wrapped up a suit against an independent testing lab, with the lab coming out with an apology retracting its inaccurate test results.

Competitive Landscape

There have been many threat-prevention SECaaS (Security-as-a-service) IPOs over past year: Tufin (TUFN), Zscaler (ZS), Carbon Black (CBLK) and Tenable (TENB), some of which are direct competitors. Another competitor is Cylance, bought by BlackBerry in Feb '19 for $1.4B. Then there are the traditional/big players in Symantec, Cisco, McAfee, Sophos, Palo Alto, FireEye and TrendMicro.

As for TAM, the cloud cybersecurity market is $138B this year, and estimated to be $232B by 2022 (CAGR 19% over 3y). There can be many winners. And many losers. Not only is it a market with huge competition, it's also a risky industry just by being in cybersecurity - one breach can seriously impact customer perception. [But I think the risk is mitigated when we have such fantastic hypergrowth!]

Quick look at last Q of each of those recent SECaaS IPOs:

  • CBLK Q119: Revenue 56.8M +21%, Cloud Rev +80%, GM 78%
  • TUFN LastQ: Revenue 29M +31%, GM 84% (just IPOd)
  • TENB Q119: Revenue 80.3M +36%, GM 85%
  • ZS Q219: Revenue 74.3M +65%^^, GM 80%, NER 118%
  • CRWD: LastQ Revenue 72.8M +124%^^, GM 66%, NER 147%, custs +103% (about to IPO)

Market caps? TUFN 800M, CBLK 1.2B, TENB 2.7B, ZS 8.8B. CRWD expects 4.5B at IPO. Market clearly prefers hypergrowth (as do we). ZS has strong accelerating growth. CRWD has even stronger accelerating growth, albeit at lower margins; however a jaw dropping, TWLO-sized $NER of 147% erases any concerns. So no way that market cap stays at $4.5B once public -- I wouldn't be surprised by a double out of the gate in this overzealous IPO environ (bringing it to ZS market cap). [Reminder: ZS rose 104% on IPO day.]

Fighting viruses & malware, as the traditional competitors (anti-virus and anti-malware) do, is a small part of the problem - in today's environment, endpoint protection providers focus on THREAT DETECTION as well as BREACH PROTECTION, INVESTIGATION, and MITIGATION. It is better to equate CrowdStrike's product lines with Zscaler, Tenable and Carbon Black, not traditional AV apps like Norton, Symantec and McAfee.

The smarter traditional AV companies like McAfee/Symantec long ago moved way beyond the little red/yellow boxes and pre-installed AV software of the days of old - they are now SECaaS companies as well, providing many of the same services; yet these small upstarts are continuing to succeed and disrupt them further [shown in their hypergrowth, from recurring subscription revenue, coming from more and more customers, each spending more and more over time]. Both CrowdStrike and Zscaler are completely disrupting what is traditionally thought of as AV.

Crowdstrike vs Zscaler

Both companies mention protecting against viruses and malware, so it seems as if they are direct competitors.

ZS:

“Zscaler is a global cloud-based information security company that provides Internet security, web security, firewalls, sandboxing, SSL inspection, antivirus, vulnerability management and granular control of user activity in cloud computing, mobile and Internet of things environments. As of 2015, Zscaler provides automated threat forensics and dynamic malware protection against advanced cyber threats, such as advanced persistent threats and spear phishing.”

CRWD:

“CrowdStrike, Inc. is an American cybersecurity technology company based in Sunnyvale, California, and a wholly owned subsidiary of CrowdStrike Holdings, Inc. The company provides endpoint security, threat intelligence, and incident response services to customers in more than 170 countries. ... In 2013, the company launched the Falcon software platform, a technology that stops breaches by combining next-generation antivirus, endpoint detection and response, and proactive hunting.”

They both focus on stopping breaches from malicious actors (hack attempts, viruses, malware). But know that they are protecting two separate pieces of the puzzle. CrowdStrike is focused on protecting the device or system (the endpoint), while Zscaler is focused on protecting the outgoing/incoming traffic (the network).

Zscaler's focus is on being a cloud firewall and Secure Web Gateway (SWG) with a Zero Trust focus. Their network of 100+ data centers has all customer traffic routed through it (somewhat akin to a VPN), and is a huge differentiator for their platform over the others. Zscaler has advanced features enabled by their VPN-esque data center setup, like SSL introspection. They claim a peak of 60B transactions a day. They are in the Gartner "Secure Web Gateway" quadrant, where they are a top Leader.

Gartner defines a Secure Web Gateway (SWG) as:

“Secure Web gateway solutions protect Web-surfing PCs from infection and enforce company policies. A secure Web gateway is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype. Native or integrated data leak prevention is also increasingly included.”

CrowdStrike, and its AI & expert driven threat detection and endpoint protection platform, is clearly doing something right with those revenue & customer growth numbers. They claim 91M blocked events a minute (meaning ~130B/day). They are in the Gartner "Endpoint Protection Platform" quadrant, where they are top Visionary (nearly Leader).

Gartner defines an Endpoint Protection Platform (EPP) as:

An endpoint protection platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts. Detection capabilities will vary, but advanced solutions will use multiple detection techniques, ranging from static IOCs to behavioral analysis. The inclusion of artificial intelligence (AI) and human-driven managed services such as managed threat hunting — lowering the barrier to entry for more advanced capabilities — will increase over the next 18 months. Deception capabilities, intended to trick adversaries into revealing their presence by accessing fake services or planted files, or by using planted credentials, are emerging.
Desirable EPP solutions are primarily cloud-managed, allowing the continuous monitoring and collection of activity data, along with the ability to take remote remediation actions, whether the endpoint is on the corporate network or outside of the office. In addition, these solutions are cloud-data-assisted, meaning the endpoint agent does not have to maintain a local database of all known IOCs, but can check a cloud resource to find the latest verdicts on objects that it is unable to classify. Integration with security orchestration, automation and response (SOAR) tools will become increasingly desirable.

Does that sound like what AVG Antivirus gives you on your laptop behind your traditional firewall? These solutions are a whole new ballgame, with a crowdsourced data pool and advanced AI like IOC and behavioral analysis. I fear that folks really bring their biases from "the way things were back when I was in IT" when they hear terms like "antivirus". There is a whole new world of threats out there beyond that - nation-state hackers, ransomware, digital wallet theft, social engineering.

Regardless, all these SECaaS companies have a core strength over traditional on-premise networking devices or software -- they get a global view into threat detection, not just the on-premise network, and can apply AI and ML analytics over that global view, for the immediate benefit of strengthening their customers' security. There is NO REASON to have your company be its own oasis for security maintenance and knowledge. I love the cross applicability here - EVERY company out there can and should be using these products (hence the huge TAM). Cloud-enabled SECaaS is the NEW REALITY for enterprise security management. Every company needs security, but those that try to DIY ("do-it-themselves") are going to have a huge mountain of knowledge they'll need to become experts in, on a continual basis. Why wouldn't you outsource for that expertise?

So these two companies are protecting different angles - endpoint protection via installed agent, vs a web gateway handled via "VPN-esque" data centers. CrowdStrike added a huge number of products over the past year, so is moving closer to ZS's broad array of features. But they are very alike in their end goals.

Both companies provide these SECaaS services:

  • threat prevention
  • intrusion/breach detection
  • antivirus/malware detection
  • ML/AI-driven threat detection
  • vulnerability scanning
  • continuous monitoring
  • incident response
  • data loss prevention
  • device management
  • sandboxing (separate area for testing new files)

Zscaler goes beyond Crowdstrike with these services:

  • access control (cloud firewall)
  • content introspection

One thing Crowdstrike offers over Zscaler:

I find these services to be very complementary to each other (again, one protecting the devices/servers, and the other the network traffic). These are different services from what Okta provides as an IDaaS (Identity Management side of SECaaS); however, Okta IS moving into some of these other SECaaS areas. And like Okta with Oktane, these two have major customer-focused annual conferences coming up...

  • Zenith Live 2019 - Zscaler Cloud Summit (9/16-18, Las Vegas)
  • Fal.Con 2019 - CrowdStrike Cybersecurity Conf (11/4-6, San Diego)

Ultimately, ZS is likely the (objectively) more secure and better product (again, SSL introspection is huge, and is entirely possible due to their VPN-like global data centers). But CrowdStrike has double the growth right now off the same revenue base. If they can continue that while raising margins (likely, as they've been heavily expanding their product line over the past 2 years), look out.

-muji