George Kurtz is pumped up — and why not? The chief executive of CrowdStrike Holdings Inc. heads a business that appears to be on a fast track and entering a new phase of growth, despite the difficult macro and elongated sales cycles.

The cybersecurity company’s products are considered best-in-class, its business is growing steadily and an improved profitability and cash flow outlook had investors excited, at least up until this week. A still challenging environment and a rich 13X revenue multiple perhaps led to some profit-taking, but generative artificial intelligence could be the next catalyst for the company. In the race to close the SecOps staffing gap, CrowdStrike has what appears to be a strong play with a natural language-based intelligent assistant known as Charlotte AI.

In this Breaking Analysis, we update our scenario on security leader CrowdStrike. We’ll review the company’s recent progress, share survey data that shows where it is strong and where there may be icebergs ahead. And we’ll preview Fal.Con 2023, which takes place next week in Las Vegas.

2H 2023: Good for cybersecurity platform plays

This year has seen ups and downs for CrowdStrike and the cyber industry in general.

Above is a year-to-date chart of some cyber-related data points showing the performance of Palo Alto Networks Inc., CrowdStrike, Zscaler Inc., the Nasdaq and the BUG cybersecurity ETF. As you can see, the sector is not immune to tech headwinds, as the BUG is performing below the Nasdaq. But there are definitely some bright spots with the likes of Palo, CrowdStrike and ZS, which are outperforming the Nasdaq this year by a decent margin. Those three are playing the consolidation game effectively while many others are losing share.

Generally these platform plays, of which CrowdStrike is one of the more prominent, are winning, and the leaders are expanding their total available markets with new modules and participating at the periphery of certain adjacencies – such as observability.

As we hear at every conference this year, gen AI will be a hot topic at Fal.Con, with the company expected to announce pricing for its Charlotte AI intelligent security operations center assistant. Charlotte is one of the first examples of gen AI specifically for security use cases and was on display at Black Hat this past August. CrowdStrike was one of the few companies actually showing a real demo versus vaporware at Black Hat and we’re eager to see more at the upcoming conference.

CrowdStrike’s journey to become a generational platform

In a Breaking Analysis last year, we put forth our thesis as to how and why CrowdStrike would become an enduring company. Despite a few potholes in the road, generally CrowdStrike is on track and continues to execute as we expected.

Let’s review the recent performance of CrowdStrike.

We consulted with SiliconANGLE’s lead cybersecurity journalist David Strom to get his take on the company. He as well is positive on the company and points out that the Falcon platform has succeeded at both integrating dozens of modules and, importantly, understanding how those modules map to a customer’s skill sets — and, moreover, how the data collected by Falcon’s lightweight agent is shared across teams.

Strom correctly points out that CrowdStrike was early getting into cloud-based security – perhaps a bit late on protecting containers – but catching up fast with a dynamic analysis tool for containers.

As we’ve shared previously, CrowdStrike combines both an agent and agentless approach and is generally considered leading-edge. As a point of comparison, red-hot emerging security company Wiz Inc., which Kurtz called out on the last earnings call, is generally viewed as having a better dashboard and user interface, but its agentless architecture doesn’t have the data richness of CrowdStrike. This is just one example of the many tradeoffs that users face in evaluating platforms, but generally CrowdStrike is seen as being capable of handling many different security situations, a key criterion for today’s cloud-native application protection platform or CNAPP players.

But as Strom points out, “there’s still room for improvement” for all vendors in the market.

Below is a snapshot of CrowdStrike’s financial performance:

Its annualized recurring revenue is up $790 million since last year at this time. That’s a 37% year-on-year growth.

Subscription customers with five plus modules grew 63% versus 59% last year.

We saw a big jump in free cash flow margin, up from single digits a year ago to 26% last quarter.

And then rule of 63, that is, free cash flow margin plus revenue growth. That’s quite impressive, although down from an unsustainable 84% year-over-year.

Year-on-year subscription revenue growth was 36% (not shown) versus 60% last year.

The Street, given this stellar performance and relatively easy compare, wanted more aggressive guidance. But for reasons that we’ll cite in a moment, we think CrowdStrike’s caution is prudent.

There’s no compression algorithm for experience

At the recent Goldman Sachs Communacopia & Technology Conference, Kurtz invoked Amazon.com Inc. CEO Andy Jassy’s famous line, “There’s no compression algorithm for experience.”

With all the AI-washing going on in the market, extracting the signal from the noise becomes even more important for customers. CrowdStrike has a long history in AI and will make its case at Fal.Con 2023.

Above is CrowdStrike’s attempt to underscore its history in AI. Now, you may say, it’s easy to create a slide like this after the AI shot heard ‘round the world last November. But the fact is, CrowdStrike has been deep in AI for a decade-plus. The callout on Charlotte AI is new however and we believe we’re entering a new era where technology will truly begin to attack the No. 1 problem faced by security operations teams: lack of deep talent. Estimates indicate there are 3.5 million unfilled security jobs today and the vision is that AI can begin to close that gap. (Note: There is an error in the video below in which this figure is incorrectly cited at 3,000.)

Unpacking CrowdStrike’s customer spending profile

Let’s get into some of the Enterprise Technology Research data and look at CrowdStrike’s spending performance and the breakdown of ETR’s proprietary Net Score methodology.

Above we show data from the 422 CrowdStrike customers in the survey of 1,700-plus information technology decision makers. Focus on the July 2023 bar. Note that the October survey is in the field, so we have to block it out. We have early results and we’ll talk about that in a moment, but focus on July.

The lime green at 12% is the percentage of customers that are new adds. You can see it has been compressing steadily over the last several quarters. The forest green, at a healthy 41%, is spending that’s increasing by 6% or more. Note it is down from earlier highs. The gray at 48% is flat spending (plus or minus 5%) and you can see the big uptick there. The the pink is spending down 6% or worse and the red is defections or churn. Note that the red is also compressing, which is a healthy sign of retention.

Subtract the reds from the greens and you get Net Score which is shown on that blue line at 48%. It’s on a downward trajectory, but notice the red dotted line at 40%. That indicates a highly elevated spending momentum level and CrowdStrike is well above that.

The yellow line represents presence or pervasiveness in the dataset and it’s calculated by taking that CrowdStrike N of 422 and dividing it by the total N in the survey and then tracking that in a time series. And you can see CrowdStrike is gaining share in the dataset quite strongly.

The one caution is we took a glimpse at the survey that’s in the field now and there’s definitely is some slowing overall and specifically within small and midsized businesses.

Momentum in the Global 2000 powers CrowdStrike

CrowdStrike appears to be performing extremely well in the G2000. Cutting ETR data, we see below the same Net Score granularity in a time series but only for 109 G2000 customers in the survey. The story is impressive.

Look what happens to Net Score: It jumps from 48% in the previous chart to 61% in the G2000. Note the very steady increase in Global 2000 spending velocity since the Oct22 survey. And also note the much rise in the shape of the yellow curve, which is a representation of pervasion inside the dataset.

The latter (yellow line) data point is a strong indication that CrowdStrike is a consolidator and gaining share with larger customers.

Peer performance for cybersecurity companies in the G2000

Let’s test this assertion a bit further. Below we show CrowdStrike’s peer performance within the Global 2000. The survey captures 430 G2000 customers in the security sector. Remember there are 109 CrowdStrike accounts in that cut. So it’s a pretty good representation.

On the vertical axis is Net Score or spending momentum, which we explained earlier. On the horizontal axis is that N in the dataset and the overlap with all these companies. The plot position is determined by the N and Net Score for each firm.

The following key points are noteworthy:

• The squiggly line is CrowdStrike’s performance over the last several quarters. Notice its Net Score on the vertical axis has held steadily, but as we saw in that steep yellow line in the previous chart, a big uptick in pervasiveness in the sector.
• This is another indicator CrowdStrike is gaining share relative to peers and is its consolidation play is working.
• You’d likely see something similar for Palo Alto Networks and Zscaler, but we’ll leave that detail for another Breaking Analysis.

CrowdStrike CEO competitive call-outs

The other call-outs on this chart are Microsoft Corp., SentinelOne Inc. and Wiz. Kurtz mentioned each of these companies on the last earnings call in a competitive context. Citing the high expense and lack of security focus for Microsoft overall, throwing FUD at SentinelOne with regard to the reports of it going to private equity and a competitive win against Wiz. He also called out an Arctic Wolf Networks Inc. takeout (not shown in this cut).

In regard to Microsoft, it’s clearly CrowdStrike’s largest competitor, while the others are independent pure-play cybersecurity firms. Microsoft is ubiquitous and can’t be ignored. The simple takeaway is CrowdStrike must move faster, build better, more comprehensive products, and move faster than Microsoft. As well, it is a horizontal platform that works across clouds and on-premises environments.

The most impressive data points on Microsoft are that it has a huge market presence in security and yet its momentum is, like CrowdStrike, Zscaler and Okta Inc., above that 40% mark. Palo Alto as well is prominent and close to the 40% line. The point is Microsoft is big and has momentum in cyber and can’t be ignored. This is particularly important as it relates to the small and midsized business market, an area that has seen some headwinds for CrowdStrike and one we cited earlier as a sector of concern.

Overlap between Microsoft and CrowdStrike accounts and the importance of Dell as a partner

Next we want to look at the overlap of 422 CrowdStrike accounts with Microsoft. Below we show the same vertical axis that is, Net Score, and the presence in the dataset in the horizontal axis. Microsoft is such a big competitor to CrowdStrike and, notably, Kurtz commented on the last earnings call that there was a big overlap between CrowdStrike customers and Microsoft accounts.

What we show above is 422 CrowdStrike accounts and the overlap with some of its competitors and some of its partners.

Here are the key points:

• In the ETR dataset, 79% of those 422 CrowdStrike accounts are running Microsoft security software. It’s not surprising that Microsoft has such a huge presence inside CrowdStrike accounts but it’s meaningful.
• Zscaler and Okta are partners with CrowdStrike and are sponsors of the Fal.Con Conference, so we placed them for reference.
• Palo Alto Networks has a broad agenda and has grown via acquisition in many areas that overlap with CrowdStrike. It’s a larger company and has a bigger presence. It doesn’t have the spending velocity, but as you saw in the earlier chart, its stock is doing very well this year.
• You can see Wiz, Tanium Inc. and SentinelOne as some of the companies that compete as endpoint players.

CrowdStrike in Microsoft accounts

Notice the insert text. Within the ETR dataset, the CrowdStrike overlap in Microsoft accounts is 25%. We’re not showing the graphic, but if you flipped it — in other words, if you ran across tab on over 1,000 Microsoft security accounts in the dataset — 25% would also have CrowdStrike. Now you might say, “Wow, that’s a lot lower than the overlap on the reverse, 79% Microsoft overlap,” but 25% is pretty high. That 25% of the Microsoft security accounts also have CrowdStrike says that customers are looking for more. Or perhaps it’s a consolidation opportunity for CrowdStrike since its scope transcends Azure.

The point is this data further supports Kurtz’ assertion.

The importance of Dell as a partner

The second bullet above shows the CrowdStrike overlap in Dell Technologies Inc. accounts at 28%, and the Dell overlap in CrowdStrike accounts is around 38%. So in other words, in these 422 CrowdStrike accounts, 38% of them have Dell, and then when you flip that, 28% of Dell accounts have CrowdStrike.

Why do we call that out?

• If there’s some softness in SMB, Dell can help.
• Th0ugh there’s significant overlap, it represents upsell opportunities for Dell and CrowdStrike.
• As well, there’s plenty of greenfield Dell accounts that don’t have CrowdStrike and Dell can package in CrowdStrike as part of larger bundled deals, in its services engagements and also through its channel partners – value-added resellers, system integrators and managed security service providers.

Dell is one of three top-level partners at Fal.Con this year and is a key channel lever for CrowdStrike.

Highlights to watch for at Fal.Con 2023

Fal.Con is a multiday event at Caesar’s Palace, which ironically got hacked last week along with the MGM Grand. TheCUBE is going to be there as we were last week at the SAS Explore event, which didn’t have serious disruptions. The situation at Caesar’s could be more challenging, but we’ll see.

Regardless, we’ll be listening to and analyzing keynotes from Kurtz, the chief information service officers of Intel Corp. and Mattel Inc., and practitioners from Liberty Mutual Insurance Co. and Salesforce Inc.. It looks like the event is going to be significantly larger this year – perhaps 60% bigger.

A main focus will be on Charlotte AI and its pricing. We’re really interested to see how CrowdStrike prices its gen AI tool. Will it be value-based pricing – that is make a case of, “Hey look how much time we’re saving you and what that’s worth in terms of staffing”? But again, it can’t be so expensive that it’s prohibitive to people adopting, especially in the context of Microsoft and OpenAI LP.

So it’s going to have to balance this while still aligning with their margin model. The key will be the degree to which Charlotte will be integrated into the Falcon platform. We expect to see broad integration over time but more narrow out of the gate.

On the fourth bullet above, expanding the Falcon platform: We’re going to hear a lot about its many modules that run in the cloud – that is, Falcon in the cloud. CrowdStrike was a first mover in cloud, as we said at the top. It also protects identity as an endpoint and then LogScale going after all that mess of logs, and that’s another growing business for CrowdStrike. One of the things Kurtz said, which was quite interesting, is that each of these businesses – Cloud, Identify and LogScale — could go public in and of themselves. So put that together in a single platform, inject AI throughout and you’ve got a pretty hot company right now.

The last bullet is that, last year at Falcon 2022, we said one of the things we want to see from CrowdStrike is ecosystem expansion. And we’re starting to see that. Amazon Web Services Inc. was there last year, but other partners are leaning in. We talked about Dell but also Intel, Cloudflare Inc., Mandiant, Zscaler and 70-plus sponsors at the event. That is a nice expansion and we expect significant momentum from that ecosystem.

If you’re going to be a platform play, you got to have ecosystems. The hallmark of a cloud company is ecosystem energy and flywheel from partnerships – we’ll be analyzing that and speaking with joint customers.

If you’re at the Fal.Con conference this week, stop by theCUBE and catch our two days of coverage. We’re covering a simultaneous cybersecurity event at Mandiant, by the way – John Furrier will be in D.C., so if you’re there come see us.

As always we’ll be reporting, analyzing and bringing the best guests and hope to see you there or online.

Keep in touch

Many thanks to Alex Myerson and Ken Shifman on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight, who help us keep our community informed and get the word out, and to Rob Hof, our editor in chief at SiliconANGLE.

Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email david.vellante@siliconangle.com, DM @dvellante on Twitter and comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.

Here’s the full video analysis:

All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.

Image: Postmodern Studio/Adobe Stock