CrowdStrike: Cyber SaaS

Sector

TechnologyCybersecurity

Background

Roneal Desai is a public markets investor focused on enterprise software. We cover how CrowdStrike reinvented cybersecurity for the cloud era, why the pandemic-induced shift to remote work drove a paradigm shift in the industry, and how the company helped identify Russian hackers during the 2016 election.

Cover

Date

September 1, 2022

Episode Number

72

Platform vs. Best-Of-Breed. Crowdstrike decided to go down the Platform route.

Key Learnings & Lessons for Investors

1. Evolutionary Product Advantage: CrowdStrike's unique approach of proactive threat identification rather than relying on historical threat databases shows importance of evolutionary product development in achieving market leadership.
2. Anticipating Market Growth (And Not Anchoring on “Market Forecasts”): In investing, it's critical to recognize that market estimates (like TAM) are not static but evolve based on innovations and changing consumer demands. For instance, IDC's estimate for the endpoint market grew by 85% over a few years, suggesting that recognizing areas of underestimated growth can be a significant advantage for investors. One should keep an eye on how value per customer is changing, as evidenced by the endpoint security market's growth driven by the increasing dollars spent per customer rather than an increase in customer numbers.
3. Counterpositioning (one of Helmer’s 7 Powers) vs. Legacy Vendors: The decline of Symantec's market share from 15% to roughly 5% post its acquisition by Broadcom in 2019 and CrowdStrike's growth points to the importance of counterpositioning.
4. Adaptability and Scalability in Business Models: CrowdStrike's transition from the client-server era to the cloud era is a testament to the importance of adaptability in business.
5. Strategic Acquisitions for Growth: The strategic purchases made by CrowdStrike, like the identity product and Humio (product M&A). For investors, identifying businesses that can make such strategic acquisitions and seamlessly integrate them can be indicative of strong management and a clear vision for future growth. Humio took from $6 million ARR to $50 million.
6. Importance of Founding Team's Experience: Kurts' and Alperovitch's previous roles and achievements at McAfee played a crucial role in the direction and vision of CrowdStrike.
7. Platform Transition: In the software space, companies that evolve into platforms usually yield higher returns than those that remain specialized solutions. For example, during the client-server era, choosing a platform yielded a seven out of eight success rate, while selecting a best-of-breed player in the ERP space gave only a one in 40 chance. CrowdStrike's move to become a security platform is a significant growth lever, consolidating spend and acting as an integration point.
8. Customer-Centric Approach: Instead of focusing on just improving their product slightly better than competitors, the company succeeded by truly understanding the "job to be done" that customers were willing to pay for. For instance, instead of just a slightly better EDR machine learning algorithm, they offered an integrated managed services approach. Investment Lesson: When evaluating companies, look for those that deeply understand and cater to their customers' real needs, rather than just incremental product improvements.
9. Patience on Product Architecture (First-Mover Advantage Not Necessary): Despite being the third to market, the company succeeded by having the right product and scalable architecture. This approach allowed them to avoid massive acquisitions that often result in mingling diverse products. The company focused on offering what customers truly wanted: security as a service, instead of just a software product.

Key Takeaways & Business Model

1. CrowdStrike's Differentiation: Founded in 2011 by George Kurtz, CrowdStrike innovatively shifted the cybersecurity paradigm from traditional firewalls and anti-malware solutions that simply block known threats to an active prediction model. This system involves a cloud-native agent placed on each device, monitoring all activities and interactions. Data from these agents feed into a central threat graph, where machine learning identifies anomalous behavior and threats in real-time.
2. Business Metrics and Size: As of the given date, CrowdStrike boasted an impressive $45 billion enterprise value with a 61% YoY growth in ARR reaching $1.9 billion. It currently serves about 18,000 customers globally, translating to an average of around $100K of ARR per customer. To put this growth into perspective, no other SaaS company at this ARR scale has shown such rapid growth apart from Snowflake
3. Evolution of Cybersecurity: Cybersecurity's landscape has shifted from static firewalls exemplified by McAfee (akin to TSA airport security) to behavior-monitoring systems like CrowdStrike (similar to casino surveillance). While a McAfee Firewall might only be 1/100,000 as powerful as the Palo Alto Firewall, the endpoint protection now involves next-gen antivirus and EDR (Endpoint Detection and Response), focusing on real-time threats and unusual user behavior.
4. Market Dynamics: Legacy vendors such as Symantec, McAfee, and Trend Micro currently make up 60% of the $10.3 billion endpoint security market. However, this figure is misleading as IDC's forecast for the endpoint market changed from $10 billion (in June 2020) to $18.5 billion for 2025. CrowdStrike's offering in this space ranges from $16/month for basic endpoint protection to an additional $6 to $22/month for monitoring.
5. Innovative Business Model and Evolution: CrowdStrike's approach is centered on Clay Christensen's theory of interdependence and modularity. Historically, client-server architectures focused on software suites with the likes of Oracle, SAP, PeopleSoft, etc. The shift to cloud architecture has changed this dynamics, focusing on the infrastructure and middleware layers, with the application layer getting commoditized. This change has positioned companies like CrowdStrike at the forefront of new platforms in cybersecurity, especially as they grow from an endpoint company to providing a diverse range of modules and services.
6. Strategic Expansion and Integration: CrowdStrike's ability to identify and capitalize on opportunities is evident. Their growth from having 10 modules in 2019 to 22 modules in the present day showcases their expansion strategy. They have successfully integrated acquisitions such as the identity product and Humio to bolster their offerings. The launch of XDR, extended detection and response, indicates their vision to provide a unified view of the entire security estate, offering a transformative solution in cybersecurity.
7. CrowdStrike's Unique Founding and Strategic Growth: CrowdStrike was founded by George Kurts and Dmitri Alperovitch, both of whom had extensive cybersecurity experience and prior affiliations with McAfee. The company differentiated itself by emphasizing the significance of a lightweight agent and using the incident response team as a proof of concept for their endpoint product. Key milestones include aiding Sony during their 2014 hack and identifying North Korea as the culprit, detecting Chinese hackers targeting US healthcare companies, and identifying Russian involvement in the DNC hack.
8. CrowdStrike's Advantage in the COVID-era: The pandemic emphasized the need for secure remote work. Traditional security models relied on a centralized protection mechanism (firewall at the office) which became ineffective when everyone started working remotely. CrowdStrike's model offers security directly at the device level, ensuring protection for each user's device regardless of their location.
9. Risk from Closed Systems: One potential threat to CrowdStrike is the emergence of closed XDR systems, like those from Microsoft and Palo Alto, which are end-to-end solutions and don't rely on external contributions.
10. Channel Partnerships: CrowdStrike uses a mix of channel partners to sell its products. This includes Value-Add Resellers (VARs) and Managed Security Software Providers (MSSPs). VARs act as cybersecurity experts recommending products to enterprises while MSSPs manage the software's entire lifecycle. CrowdStrike benefits from these channel partners as they push their product to customers, leading to a kind of competitive dynamics among them, where even reduced margins from CrowdStrike can yield more profit due to the high product price and associated benefits.
11. Unit Economics and Growth: CrowdStrike's Customer Acquisition Cost (CAC) has been stable for eight quarters, implying they spend about 90 cents to get a dollar of Annual Recurring Revenue (ARR). With a 30% incremental margin and 2% churn, this results in a 40% incremental ROIC, showcasing effective capital efficiency. CrowdStrike's ASPs are about 20% higher than competitors, making it more profitable for channel partners to push their product even with lower margins.

Transcript