CrowdStrike: My Highest Conviction Investment Right Now (NASDAQ:CRWD)


Investment Thesis

Cybersecurity threats have increased throughout the past decade, and as the world becomes even more digital, the threat of cyberattacks is only going to keep increasing. Companies know the risks posed if their cybersecurity provider is not up to scratch, and so cybersecurity is an industry where you want to be the very best – enter, CrowdStrike Holdings, Inc. (NASDAQ:CRWD).

Not only is CrowdStrike the best performing company in its industry, but its business model is based on a virtuous cycle that enables CrowdStrike to get stronger, smarter, and increase the gap on its competition with every second that passes.

An added bonus is that cybersecurity will be fairly immune to the pressures of a recession, as businesses know that they cannot take the risk of becoming more vulnerable to cyberattacks.

But does that make CrowdStrike a good investment right now? I put it through my framework to find out.

Business Overview

Founded in 2011, CrowdStrike is a cloud-native cybersecurity business operating a SaaS (software-as-a-service) business model. Due to this cloud-native approach, the CrowdStrike Falcon platform has been able to scale rapidly whilst delivering impressive results that legacy players struggle to compete with.

The Falcon platform specializes in endpoint and cloud workload protection, meaning that it can protect endpoint devices (laptops, desktops, mobile phones, IoT devices, etc.) operating in both on-premise and cloud-based environments. Whilst it may have started out specializing in endpoint devices, the Falcon platform has rapidly expanded its services, and now offers 22 different cloud modules across additional areas such as managed security services, identity protection, corporate workload security, and more.

There are a lot of rivals in the space, and CrowdStrike’s place in this competitive environment has left CEO George Kurtz smiling through every earnings call:

Moving to the competitive environment. We continue to believe we have a significant technology lead with no competitor matching our scalability, performance, ease of use and commitment to customers. I could not be more excited by our opportunity, which has continued to grow. This quarter, our win rates increased across the board, and we saw a record number of wins against both legacy and next-gen vendors with SMB, mid-market and large enterprise customers.

We also landed a record number of wins and displacements over a recently public next-gen vendor, SentinelOne. To be clear, we define a displacement as removing an incumbent’s product and replacing it with Falcon.

Now you wouldn’t expect a CEO to say anything else, but the latest Forrester Wave for Endpoint Detection and Response Providers paints the same picture. CrowdStrike remains in a league of its own, with Microsoft (MSFT) the only competitor that is managing to keep pace, and when it comes to Cybersecurity, companies will almost always opt for the best protection possible.

CrowdStrike is the leader in its industry

CrowdStrike April’22 Investor Briefing

CrowdStrike has an industry-leading product, but that’s not always enough to make for a successful investment – just look at Uber (UBER) or Spotify (SPOT). Thankfully, CrowdStrike has one of the most powerful business models I have ever seen.

Economic Moats

With every business, I look to see if there are any durable competitive advantages (aka economic moats) that will help the company continue to thrive whilst protecting itself from competition. CrowdStrike truly has economic moats in abundance.

One of their most powerful economic moats relates to network effects, but in order to truly appreciate this, we must first detail how their Falcon platform works. The platform has two main components: an “agent” which is installed on the endpoint device such as a laptop, and CrowdStrike’s Threat Graph.

CrowdStrike collects data from the endpoint device via its agent and sends this data to the Threat Graph. The Threat Graph then uses analytics and artificial intelligence to see if there is any abnormal or threatening activity within the data. If the Threat Graph picks up on any potentially threatening activity, then CrowdStrike can detect and prevent the cyber-attack.

Simple overview of how crowdstrike's technology works

Powerpoint – I know…

So, where does the network effect come in? CrowdStrike’s Security Cloud enriches and correlates trillions of cybersecurity events every single week to create actionable data, identify shifts in adversary tactics, and automatically prevent threats in real-time. Every time there is an attempted cyberattack on any of CrowdStrike’s endpoint devices, the Threat Graph is able to recognize this attack, learn from it, and then protect all other endpoint devices on CrowdStrike’s network from similar attacks – and this is happening trillions of times a week.

So, the network effect is this: CrowdStrike is a leader in the industry offering the best protection, so more companies join CrowdStrike’s network, which leads to more endpoint devices being installed, which gives CrowdStrike more data to learn from, which improves CrowdStrike’s ability to prevent cyberattacks, which increases CrowdStrike’s lead against its competitors, which in turn leads to more customers. This is an extremely powerful network effect.

To digress slightly, I read the book Antifragile: Things That Gain From Disorder by Nassim Nicholas Taleb whilst on holiday this year. In short, it states that everything falls into three categories:

  • Fragile – gets negatively impacted by stressors (e.g., a teacup)
  • Robust – withstands the impact of stressors (e.g., a stone)
  • Antifragile – actually benefits when impacted by stressors (e.g., muscles after weightlifting)

The ultimate aim is to become antifragile; stressors and shocks will always occur, so wouldn’t it be amazing if we could benefit from them?

For example, suppose a cybersecurity company could benefit every single time there’s an attempted cyberattack on its platform, learning from the data and therefore getting better at protecting its clients from future attacks. This is exactly what CrowdStrike does, and why I am so enamored by its business model and network effect.

Let’s also highlight another clear economic moat that CrowdStrike possesses – switching costs. Clearly the decision for any company to change their cybersecurity provider is a big one, as it would likely involve a huge overhaul of the company’s systems. So CrowdStrike is in the business of switching costs by the nature of being a cybersecurity firm, but it has taken this one step further. The company has seen the number of CrowdStrike modules (aka cybersecurity solutions) adopted by its customers continue to grow rapidly.

Crowdstrike's customers are taking up more and more modules

CrowdStrike April’22 Investor Briefing

In fact, for FY22, the average number of modules adopted by customers with more than $1 million in annual recurring revenue was just over 7!

Customers are taking up more crowdstrike modules

CrowdStrike April’22 Investor Briefing

With every additional CrowdStrike module adopted, CrowdStrike becomes more and more engrained in these businesses – and, importantly for investors, each additional module makes it even tougher for these companies to switch away from CrowdStrike.

A quick look at CrowdStrike’s net and gross retention rates confirms that switching costs are at play here. Not only does it consistently have an impressive dollar based net revenue retention above 120%, but its latest gross retention in Q4’22 was 98.1% – meaning that less than 2% of customers churned in the past 12 months. Invert that calculation, and this implies that the average CrowdStrike customer would stay with the company for more than 50 years!

Crowdstrike strong customer retention & expansion

Crowdstrike Q1’23 Investor Presentation

Outlook

CrowdStrike has consistently rolled out new solutions for its customers, and in doing so it has continued to expand its market opportunity – which now sits at $126 billion, having increased by 5x since its IPO in 2019.

Crowdstrike TAM evolution

Crowdstrike Q1’23 Investor Presentation

Whilst this is a company that has grown rapidly, the opportunity ahead is still huge. According to Statista, the global cybersecurity market is projected to reach $212 billion in 2026, growing at a CAGR of ~10% from 2022-2026.

Given that CrowdStrike already counts 65 of the Fortune 100 & over half of the Fortune 500 as clients, investors may wonder how much future growth there is. CFO Burt Podbere spoke on CrowdStrike’s Q1’23 earnings call about this, and put some minds at rest.

It’s a question I often get and I love, because at this point, we’re still seeing net new ARR coming from both, new logo and cross-sell and upsell. And we feel we have a lot of runway in both. We’ve got a — we have a tremendous amount of headway in terms of new logos. We’ve had just number — we have just under 18,000. You look at one of our competitors like Symantec that had over 300,000 at one point, and we’ve got a long way to go.

Management

When it comes to fast-paced, disruptive companies, I always aim to find founder-led businesses where insider ownership is high, and I’m happy to find that this is the case with CrowdStrike. CEO George Kurtz co-founded CrowdStrike in 2011 alongside former CTO Dmitri Alperovitch and now retired CFO Gregg Marston.

Prior to co-founding CrowdStrike, Kurtz was the Chief Technology Officer of McAfee and founder of security consulting, training, and vulnerability management software company Foundstone (acquired by McAfee in 2004).

George Kurtz

CEO George Kurtz (CrowdStrike)

I want to invest in companies where leadership has skin-in-the-game, and CrowdStrike also ticks this box, as Kurtz owns just under 6% of all shares in CrowdStrike.

George Kurtz crowdstrike ownership shareholding

Crowdstrike 2022 Proxy Statement / Excel

I also like to take a quick look on Glassdoor to get an idea about the culture of a company, and CrowdStrike gets some great scores from its 413 reviews. Generally, any score over 4.0 is impressive, and CrowdStrike gets this across the board – with an incredibly high score on Diversity & Inclusion, as well as strong scores on Work / Life Balance, Compensation and Benefits, and Career Opportunities. Normally companies don’t score as well in these categories, but CrowdStrike are able to charge premium prices to customers for their high-quality products, and it looks as though employees are rewarded accordingly. I am, however, surprised at the 70% CEO approval score, although this is only from 21 ratings (unlike the rest) so appears to be quite skewed.

Crowdstrike reviews on glassdoor

Glassdoor

Financials

Taking a look at CrowdStrike’s financials it’s clear to see that this business has been growing rapidly, accelerating revenues from ~$250m in 2019 to ~$1,500m in 2022, representing a 3-year CAGR of 80%! Gross profit margins are also strong and improving, with gross margins for their subscription business sitting at 79%.

Note that currently 6% of revenues come from professional services, which includes incident response and proactive services, forensic and malware analysis, and attribution analysis – these are generally sold separately from CrowdStrike’s subscriptions for the Falcon platform.

Key financial metrics for crowdstrike

Crowdstrike SEC Filings / Excel

CrowdStrike tracks annual recurring revenue, or ARR, as a measure for its revenue growth for subscriptions to the Falcon platform. And, a quick look at a slide from their Q1’23 presentation shows that this ARR is growing exponentially.

Rapid growth of crowdstrike ARR

CrowdStrike Q1’23 Investor Presentation

The company also has a strong net cash position above $1 billion, and despite still having negative EBIT margins, it is raking in the cash. This, as with a lot of technology companies, is due to the substantial stock-based compensation received by employees. Total SBC as a percentage of gross profit is rising, which will in part be driven by the rising share price, but there is the risk of both further shareholder dilution & a shift in employee morale if the share price takes a turn for the worse.

Trend in crowdstrike stock-based compensation

Crowdstrike SEC Filings / Excel

Valuation

As with all high growth, disruptive companies, valuation is tough. I believe that my approach will give me an idea about whether CrowdStrike is insanely overvalued or undervalued, but valuation is the final thing I look at – the quality of the business itself is far more important in the long run.

Before I go on to my model, I’d like to highlight CrowdStrike’s targeted operating model for 2025, as this will be the basis of certain areas for my forecast – note that the figures used from CrowdStrike are non-GAAP.

Crowdstrike target operating model for 2025

CrowdStrike April’22 Investor Briefing

With that caveat, onto the model itself:

Valuation model for crowdstrike's share price

CrowdStrike SEC Filings / Excel

I have based my outlook on an EV / FCF multiple, with the final 2026E multiple for my MED scenario of 49.2x – given that I expect CrowdStrike to still be growing revenue above 20% beyond 2026, whilst continuing to expand its FCF margin, I believe this to be an appropriate EV / FCF multiple for my mid-range scenario.

The revenue growth for 2022 is based on a slight beat of management’s Q1’23 guidance, since CrowdStrike has always exceeded the guidance laid out by Kurtz. From then onwards, I have assumed a slowdown in revenue growth in order to be conservative. I have also assumed FCF margins to remain fairly stable over the next 5 years.

I also assumed an increase of shares outstanding of 5% annually over the next 5 years; again I feel like this is a prudent assumption, and I think that the actual increase will be lower.

Put it all together, and I believe that CrowdStrike’s shares are capable of achieving a 22% CAGR from here through to 2026 in my mid-range scenario.

Risks

The primary risk for CrowdStrike, as with any cybersecurity firm, is the risk of a customer being badly impacted by a cyberattack that CrowdStrike failed to prevent. We have already seen how this company is best in class, but even so this is very much a possibility. Yet investors can take comfort in the fact that CrowdStrike is recognized as the leader within its industry, so even if it does fail to stop a large cyberattack, customers are still unlikely to find an alternative cybersecurity provider that does a better job.

Crowdstrike offers best in class protection from cyberattacks

CrowdStrike April’22 Investor Briefing

There is also the risk of competition, as there always is, but once again I refer to the current position of CrowdStrike in its industry – as demonstrated by a different source, the Gartner Magic Quadrant for Endpoint Protection Platforms:

2021 Gartner Magic Quadrant for Endpoint Protection Platforms. Quadrants include Leaders, Challengers, Niche Players, and Visionaries.

Gartner

Any company runs the risk of failing if it cannot keep up with competition and innovation, and CrowdStrike is no different. It’s always a risk to keep an eye on with any company, but this is not an issue that I can see impacting CrowdStrike anytime soon.

Summary

CrowdStrike is the very definition of a high-quality business. It’s the leader in a growing industry, and has a business model that is intelligently designed to keep extending CrowdStrike’s lead against the competition.

This company is, without a doubt, my highest conviction holding by a long, long way.
