CrowdStrike Earnings Review – March 05, 2024

CrowdStrike Earnings Review – March 05, 2024

CrowdStrike is a next-generation, cloud-native endpoint cybersecurity company. Its bread-and-butter is called endpoint detection and response (EDR), which replaces legacy anti-virus. Beyond EDR, it offers applications in cloud security, log management, forensics, identity security, data protection and more to round out its “Falcon Platform.” Falcon’s edge is in its ability to digest near-endless amounts of data to automate and uplift breach protection. CrowdStrike uses the diverse dataset from its scale and powerful cross-selling to constantly improve Falcon’s efficacy and use cases. It can recycle this same data over and over again to efficiently develop new products for the single, lightweight interface. More utility without adding complexity.

Important Endpoint Security Acronyms:

• Endpoint detection and response (EDR) provides end-to-end visibility and protection with automated remediation and detection services.
• Managed detection and response (MDR) encompasses CrowdStrike’s team of threat hunters to augment EDR with human touch when needed.
• Extended detection and response (XDR) is EDR with 3rd party, non-endpoint data sources infused. The incremental data uplifts breach protection and extends it beyond the endpoint.

Important Log Management Acronyms:

• Log Scale ingests, organizes and stores data logarithmically. This allows for ingestion with more scale and faster time to value. As an important aside, Log Scale is a key ingredient for Falcon Extended Detection and Response (XDR). It is instrumental in XDR’s onboarding of needed data sources in a scalable and efficient manner.
• Security Information and Event Management (SIEM) aggregates security logs/data to help organizations uncover and remediate threats. Log Scale is closely related to SIEM as Log Scale is what actually collects data from various sources to be utilized here.

Important Cloud Security Acronyms:

• Cloud Security & Posture Management (CSPM) tells you about your vulnerabilities and misconfigurations.
• Cloud Infrastructure Entitlement Management (CIEM) tells you who is entering a software environment. It tells you if these entrants are allowed and exactly what they’re allowed to do.
• Cloud Workload Protection (CWP) is a preventative measure to observe if anything bad is being done by entrants. This sounds the alarm bell while preventing and remediating cloud infrastructure attacks. It’s closely related to CSPM and CIEM.
• Cloud Native Application Protection Platform (CNAPP) is the overall suite tying all of these cloud products together.
• Application Security Posture Management (ASPM) locates and facilitates the safe control of cloud apps.

Demand

• Beat revenue estimates by 0.6% & beat guidance by 0.7%.
  • 47.2% 3-yr revenue compounded annual growth rate (CAGR) vs. 50.0% Q/Q & 54.3% 2 quarters ago.
  • Subscription revenue rose 33% Y/Y.
• Beat annual recurring revenue (ARR) estimates by 1.2%.
  • This is its 2nd straight quarter of accelerating net new ARR (NNARR) growth. That’s the most important demand number to track.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases

Profitability

• Beat EBIT estimates by 14.5% & Beat guidance by 14.5%.
• Beat $0.12 GAAP earnings per share (EPS) estimates by $0.10.
• Beat $0.82 EPS estimates by $0.13.
• Beat free cash flow (FCF) estimates by 7.0%.
• The company’s GAAP profitability now makes it eligible for S&P 500 inclusion and the coinciding potential boost to passive share demand.

CrowdStrike earned $3.09 per share vs. $1.54 Y/Y for about 100% Y/Y growth. FCF rose 39% Y/Y to reach $938 million for calendar 2023.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases

Balance Sheet

• $3.5 billion cash & equivalents.
• $740 million debt.
• Basic shares +2.5% Y/Y; diluted shares +5.5% Y/Y.

Annual Guidance & Valuation

Annual guidance was 0.3% ahead on revenue, 1.1% on EBIT and $0.11 better than $3.76 earnings per share (EPS) estimates. Encouragingly, this guidance assumes no macro improvements. It bakes in continued budget scrutiny and sales cycle elongation just like it saw in 2023. Under-promise… over-deliver.

In other news, it’s accelerating hiring and growth spend amid robust demand. This will lead to most of its fiscal year 2025 operating leverage coming later in the year. More spend won’t, however, lead to worsening margins. It raised its annual FCF margin target from 31% to 32% to pair nicely with the EBIT and new income beats. Finally, it sees net revenue retention (NRR) hovering around 120% for the year.

Net new ARR (NNARR) growth for Q1 is supposed to be about $198 million if we assume double-digit to low teens growth guidance means 13% Y/Y. This was exactly in line with Q1 2024 ending ARR guidance comfortably ahead (thanks to the Q4 beat). It expects (NNARR) growth to accelerate throughout the year. Q1 deal pipeline size is strong.

Finally, it reiterated its path and schedule for reaching $10 billion in ARR.

Based on CrowdStrike’s guidance, it trades for about 70x FCF and 95x earnings per share (EPS). FCF is expected to grow by 30% Y/Y and EPS by 25.2% Y/Y. This is a very expensive name, but it always sets guidance that it can consistently raise. Regardless, I plan to trim another 11% of my position tomorrow morning.

Call & Release Highlights 

The Real Platform:

CrowdStrike’s team aimed all competitive criticism at Palo Alto this quarter. Founder/CEO George Kurtz threw shade at its “stitched together” suite of improperly integrated tools and how they lead to complexity, false positives, poor outcomes and higher costs. He doesn’t think of Palo Alto as a true platform, but a set of point solutions. Conversely, CrowdStrike’s cloud native, single agent, single console architecture slickly ties together powerful microservices and 20+ modules into one cohesive platform and interface. That’s means lower user friction, better inter-departmental communication and broader efficiency.

For evidence, CrowdStrike’s gross revenue retention (GRR) sits at an elite 98% and is stable. Its net revenue retention rate of 119% is also stable. It’s actually slightly below its 120% target, but that’s because ARR growth is so much better than it’s supposed to be. Good problem to have.

You’ll notice that its margins are all exploding higher. That’s the cross-selling engine working its magic; CRWD incurs virtually zero added OpEx to sell any module but the first to a client. Clients can turn on more CrowdStrike products in real-time and with delightful ease.

Cost vs. Value:

There’s a large difference between perceived cost and true cost in the world of cybersecurity. Perceived is based solely on price per product. True cost accounts for time and expenses saved, breaches prevented and efficiencies gained from shedding remediation needs. CrowdStrike does not compete in terms of perceived costs. It does not aggressively discount to win deals and will not do so in response to PANW’s bundling, free product and price cutting-plans.

How can it avoid doing so? Because of the true cost benefits it delivers to customers. It competes on value. Per IDC, $1 spent on CrowdStrike Falcon yields a 6x return on investment. When you provide superior value, you enjoy pricing power. I’d rather pay $50 for $300 in value than $10 for $10 in value. This is concrete evidence of delivering compelling value, while its sky-high gross margin is evidence of the coinciding pricing power. Kurtz explicitly used Palo Alto’s “budget fatigue” language from its last call. CrowdStrike is not seeing any of that budget fatigue… and that’s not random.

Result of Being the True Platform:

CrowdStrike celebrated several large wins during the quarter. The two themes of these displacements were. It displaced Palo Alto in a 7 figure deal due to its disparate and clunky consoles and agents. With CrowdStrike, the client cut management time by 70% and saved $5 million in annual OpEx. Palo Alto’s “patch work with multiple products led to visibility gaps, false positives and fatigue.” It also beat Microsoft and Splunk in several log management and SIEM deals. It won another SIEM deal in Europe (thanks to its Deloitte relationship) to add a 16th module to an existing client’s ecosystem. SIEM and Log Management are showing clear signs of accelerating momentum. Overall, it enjoyed 30% growth in Y/Y deal count and “rising competitive win rates” across all sizes of customers. 8 module deals doubled Y/Y while million dollar deals rose 30% Y/Y. Kind of a good quarter… I guess.

To be a true platform, CrowdStrike cannot be solely an endpoint company. It’s been trying to prove that it’s much more than that for years. I don’t think there’s any proving left to do. Its three emerging product buckets are identity, log management and cloud security. They’re all growing like crazy with material scale:

• Cloud crossed $400 million in ARR up over 100% Y/Y.
  • Record quarter for identity customer additions.
• Identity crossed $300 million in ARR up over 100% Y/Y.
• Log management/SIEM crossed $150 million in ARR up 170% Y/Y.
  • It crossed $100 million just last quarter.
  • The log management pipeline is now in the hundreds of millions.

More notes:

• New customers are now landing with 4.9 modules to begin. This continues to steadily rise.
• Its total addressable market will compound at a 22% Y/Y clip through 2028.

Ease of Use & Go-to-Market:

Having great products is key, but not the only key. Pairing better tools with broader ease-of-use, seamless onboarding and powerful go-to-market is also highly important. CrowdStrike does all of these things. The aforementioned single agent set-up means customers can add additional CrowdStrike products with a few clicks. There’s no downtime, no manual integrations, zero custom/heavy APIs to build and no drama. Just wildly easier product purchasing to diminish user friction and augment module cross-selling.

As an example of strong go-to-market, consider its Falcon Flex bundle. This enables à la carte module purchasing and seamlessly expedient adding of new modules. It doesn’t try to force customers into bundles with random products that they don’t need. CrowdStrike sells you exactly what you want and gives it to you rapidly.

From a partner perspective, momentum is quite strong. It deepened its Dell partnership this week as that hardware giant will use CrowdStrike to run its managed detection and response (MDR) business. This new channel partner has already delivered $50 million in deal volume early in the relationship. AWS sales continue to represent one of its fastest growing revenue channels overall. CrowdStrike’s managed security service provider (MSSP) channel partners delivered 100%+ Y/Y growth within smaller and medium-sized businesses (SMBs). Business is boomin’.

More on Cloud Security and Buying Flow Security:

Cloud net new ARR (NNARR) rose 200% Y/Y to make CrowdStrike one of the largest in the market. It won an encouraging 8 figure deal to serve a hyper-growth AI firm with only a handful of physical endpoints. CrowdStrike’s ability to entirely protect their end-to-end cloud environment made them the clear choice. That’s evidence of Cloud not just being a powerful vendor consolidator, but a lead generator too. The client purchased CSPM, CIEM, CWP and ASPM (all defined above).

A “leading hyper-scaler” (so either Google or Amazon) significantly expanded their CRWD relationship to add its suite of cloud security tools. CrowdStrike is now protecting every device and large chunks of this client’s complex cloud ecosystem.

To widen its cloud and data security presence, CrowdStrike will acquire Flow Security. To Kurtz, this “stood out as the most unique tech amid a sea of start-ups.” In his mind, this is the only cloud data runtime security product on the market. It allows for both data classification and discovery for broad, real-time data risk visibility. Most products can do either classification or discovery, but not both.

This diverse set of services can be enjoyed with data at rest and in motion, including for large language models (LLMs). It also has data leakage prevention tools that should be a very compelling complement to CrowdStrike’s data loss protection (DLP) module. Flow will enhance that module and give CrowdStrike another standalone module post-integration. CRWD will call Flow’s product “Data Security Posture Management” (DSPM). Woo-hoo… another acronym. This will be paid for mostly in cash and should close in a few weeks. The price tag is not yet public, but Flow is very small.

Final Notes:

• The GenAI security analyst assistant (Charlotte AI) went into general availability this week.
• Early demand for Falcon for IT is “off the charts.”
• Completed assessments in Australia and Germany to pave the way for potential public sector growth in those nations.

Take

This would be a very good quarter in any environment. It was an especially good quarter after what we heard from Palo Alto and even data kings like Snowflake. The annual guidance left us with no negative surprises and a slew of positives to celebrate. ARR and other forward looking demand hints are rock-solid while it baked the same conservatism into guidance that it always does. This should mean it’s gearing up for more over-delivering.

No other software company in the world combines its growth, product superiority, elite go-to-market, cross-selling engine, margin trends, market share gains and TAM. I’ll keep saying it; not a single one. That is why it’s so expensive… it’s special. One out of one in a crowd full of pretenders.