CrowdStrike: Eating Microsoft’s Lunch

Summary:

• CrowdStrike dominates the Endpoint Security market with several key competitive advantages.
• CrowdStrike outperforms its largest rival, Microsoft, on a host of metrics.
• The company’s expansion down-market and into new verticals should continue to propel growth for the next decade.
• Industry leadership, exploding growth, significant operating leverage, and a hefty balance sheet help justify CRWD’s premium valuation.

Investment Thesis

Cybersecurity is arguably one of the most attractive markets for investment over the next decade, driven by massive tailwinds in data and cloud computing. CrowdStrike (NASDAQ:CRWD) redefined the market with its innovative Falcon platform in the 2010’s and now holds a leading share of 17.7%. When stacked up against its largest rival, Microsoft (NASDAQ:MSFT), CrowdStrike outperforms in virtually every category. Continued product development and the leveraging of existing competitive advantages solidifies CRWD as the best play within cybersecurity. Huge growth and improving operating performance make the stock’s premium price worth it in my view.

CrowdStrike’s Competitive Advantages

The crux of CrowdStrike’s competitive edge is its product innovation. The company’s core cybersecurity offering is CrowdStrike Falcon, which more narrowly is focused on Endpoint protection (physical devices connected to a network). Falcon disrupted traditional cybersecurity norms in two key areas: use of AI-based (Artificial Intelligence) technology and cloud-native architecture, as highlighted in their S-1 filing. Previously leading firms like McAfee, Symantec, and even Microsoft were outpaced by CrowdStrike as they continued to rely on signature-based and on-premise solutions. CrowdStrike’s focus on endpoint and the cloud has paid off. According to the company’s threat report, 80% of breaches start at the endpoint and cloud exploitation has increased 95%. This makes sense given 94% of businesses utilize cloud services in some capacity and the persistence of remote work in many organizations.

Many of the legacy cybersecurity players still heavily rely on signature-based methods, which focus on identifying patterns or ‘signatures’ of malware viruses. The problem is, 71% of attacks are now malware free. Not only has Falcon’s AI-based tech been shown to be more efficacious, as we will see, but it has enabled CrowdStrike to build up a massive store of unique data. The company’s AI or Machine Learning (‘ML’) model trains itself on first- and third-party data of all breaches, attacks, or instances. Each occurrence learned results in an improved model, able to better predict and defend against future attacks. Falcon has a 99% detection coverage, able to report 75 out of 76 adversarial techniques measured in the MITRE ATT&CK evaluation. This ever-growing store of data and strong product quality gives CRWD an edge.

CrowdStrike has led the market for several years with a 2022 share of 17.7%. The company’s customer retention numbers clearly exhibit a product and scale advantage. Here is some evidence to prove it:

• Exceeded 120% dollar-based net revenue retention rate every quarter since 2018
• Total subscriptions customer base (94% of revenues) has grown at a 5-yr CAGR of 79%
• 5 years ago, had only 400 customers with greater than $60k ARR, now a customer needs to spend more than $1M in ARR to be considered top 400
• 556 of the global 2000, 271 of the Fortune 500, and 15 of the top 20 U.S. Banks are customers

Another interesting fact is that in 2023, two executives from SentinelOne (S) left to join CrowdStrike’s team, further highlighting their strategic edge against not only legacy firms Next-gen players as well.

CrowdStrike vs Microsoft

Microsoft Security does near $20B in revenue (10% of MSFT’s total revenue) but only part of that encompasses Endpoint protection, Microsoft Defender, Sentinel, and Entra. Microsoft comes in second with a 16.4% share in Endpoint Protection. Microsoft is CrowdStrike’s largest threat, clearly exhibited by management’s rhetoric this year. The executive team has made it a point to cite several customer case studies of converts switching from Microsoft to CrowdStrike. They’ve also released statistics alluding to their superior product and customer satisfaction. Here are a few that were mentioned:

• 8/10 times when an enterprise customer tests, they choose CWRD over MSFT
• CRWD has less complexity with only 1 agent and console, MSFT having up to 9 with multiple agents
• CRWD has a lower ‘TCO’ or total cost of ownership
• Microsoft Windows represents 95% of the compromised endpoints CRWD remediates
• When CRWD’s incident response team investigates a MSFT customer that has been breached, 75% of the time MSFT Defender has been bypassed

Claims from management should be taken with a grain of salt as they are biased against competitors. Though I cannot prove the claims made, when looking at third-party comparisons, CrowdStrike’s claims may carry some water.

I specifically looked at 3 independent comparisons from two highly reputable companies: Gartner and G2. The first study is Gartner’s Magic Quadrant for Endpoint Protection Platforms. This study highlights the strengths and cautions of each company and showcases a scatterplot of the industry based on completeness of vision and ability to execute. As you can see, CRWD and MSFT are fairly neck and neck:

Microsoft had strengths in market understanding, overall viability, surface management, log storage, and others with cautions in having numerous packaging and licensing permutations (more complexity), needing more experienced security staff, and lack of support for older OS’s. CrowdStrike had strengths in market understanding, innovation, customer experience, overall viability, and product expansion with cautions in higher pricing, though they’ve been more aggressive with smaller customers, less coverage in a few areas, and a more immature XDR (Extended detection and response) approach than others.

Next, I looked at G2’s direct comparison of CRWD Falcon and MSFT Defender. Here is a quick summary:

• CRWD rated higher overall with 4.7 stars (212 reviews), MSFT 4.4 stars (180 reviews)
• 56% CRWD reviews being Enterprises and 38% of MSFT reviews Mid-Market customers
• Users preferred CRWD, saying it met their needs better, had better quality of ongoing support, and featured more updates and product roadmaps
• CRWD beat MSFT in every single ratings category measured
• MSFT beat CRWD in a more features categories but both were comparable

Lastly, I reviewed Gartner’s Peer Insights comparison. CrowdStrike handily outperforms Microsoft in this comparison with 4.8 stars (900 ratings) vs 4.4 stars (1351 ratings) and 97% willing to recommend CRWD vs only 78% willing to recommend MSFT. Additionally, CrowdStrike beats Microsoft in every category measured including overall capability, evaluation & contracting, integration & deployment, and service & support.

Each of these comparisons further support my view of CrowdStrike taking the cake within Endpoint protection. I believe Microsoft has advantages in other areas of security like log and surface management. They also will continue to be a threat just given the company’s sheer size and resources. $20B in revenue, a large customer base, tons of cash for research & development, and being one of the frontrunners in the AI race are all reasons to respect Microsoft as a competitor. They even recently committed to a 250k headcount in Microsoft Security by 2025. Nonetheless, CrowdStrike’s innovation and customer leadership, combined with their ability to navigate the industry and retain market share, makes them the clear winner in my view.

Growth Potential

Not only has CrowdStrike defended its market leadership, it also grew its share 3.8% in 2022. The company is not slowing down when it comes to driving growth. Firstly, the top 10 legacy (largely signature-based) vendors control 46.7% of the market, a healthy chunk for CrowdStrike to chew away at. In 2022, they added 6,694 customers representing growth of 41%. What’s even more compelling is both existing and new customers are showing rapid module adoption within CrowdStrike’s platform. CrowdStrike Falcon started with 1 module and has grown to 23 as the company innovated. In 2018, the average module count of new customers was 2. Now in FY 2023, the average was 4.8, proving the company’s ability to cross-sell. Cross-selling to existing customers alone is a huge opportunity:

A few new verticals also look to contribute to CRWD’s continued growth. The company has a strategic focus on small-to-medium (‘SMB’) companies, international expansion, and other product segments. Customers under $100k in ARR grew 82% in FY23 with an average of 4.7 modules adopted. Strategic partnerships with Dell, AWS, and others should help propel lead generation in this segment. International revenue grew 57% YoY in Q4. And Emerging products via product development and acquisitions revenue grew 116% in Q4 FY23.

Operating Performance, Risks, & Valuation

The past few years have been characterized by growth and investment for CrowdStrike. But recently, management has shifted its focus to growth and profitability at scale. Gross margins have always been strong in the upper 70s but were weighed down slightly by lower margins of acquired companies last quarter. Operating expenses remain elevated at 81% of revenues (down from 83%) mainly due to a 46% increase in headcount. This is in contrast to many tech firms cutting headcount and is indicative of a healthy demand outlook. Operating margins are still negative but improving with potential operating leverage ahead.

The company reports a strong free cash flow margin upwards of 30% or $676M but this includes stock-based compensation of $526M. Though high ‘SBC’ makes sense given CrowdStrike’s success, this doesn’t represent free cash flow and presents dilution risk to shareholders. Additional operating and business risks are dilution risks with recent share issuances and the broader macroeconomy. Management touched on macro in the Q4 earnings call, highlighting the ‘mission-critical’ nature of cybersecurity and the durability they’ve seen against price increases and budget cuts. The company’s massive cash position of $2.7B and low debt-to-capital near 30% allows for greater resistance against macro and operational risks.

The biggest risk for shareholders in my view relates to valuation. CRWD has historically traded at a premium. Its 3-year average forward EV/Rev is an astonishing 26x. Currently, that multiple sits at about 11x. Comparing forward EV/Rev and forward revenue growth to peers, CRWD looks a bit more reasonable.

Looking at a reverse DCF, the current stock price has high expectations baked in for CrowdStrike. To justify the current price, CrowdStrike would need to grow revenues at 38% annually for 10 years, achieve an average EBIT margin of 22%, and grow free cash flow at a terminal rate of 5%. Additional assumptions are shown below:

I view CRWD as a long-term Buy given the tremendous business quality & competitive moat, huge growth potential, and improving fundamentals but caution investors regarding the stock’s premium price.

---

Analyst’s Disclosure: I/we have a beneficial long position in the shares of CRWD either through stock ownership, options, or other derivatives. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Seeking Alpha’s Disclosure: Past performance is no guarantee of future results. No recommendation or advice is being given as to whether any investment is suitable for a particular investor. Any views or opinions expressed above may not reflect those of Seeking Alpha as a whole. Seeking Alpha is not a licensed securities dealer, broker or US investment adviser or investment bank. Our analysts are third party authors that include both professional investors and individual investors who may not be licensed or certified by any institute or regulatory body.

---