Summary
- Cybersecurity is one of the most important aspects in the digital world, gaining more and more significance with weekly new breaches.
- CrowdStrike says goodbye to reactive antivirus and offers only a pro-active Indicator of Attack Solution. I explain in detail what this means.
- CrowdStrike is the most mature new-gen cybersecurity company leaving its competition far behind in maturity and reputation in the new-age world.
- CrowdStrike is expensive, but investors can profit if they maintain a long-term view.
mdegrood/iStock via Getty Images
One of my readers asked me to take a deeper look into CrowdStrike (CRWD), and luckily I've been reading a lot about them lately.
Cybersecurity is one if not the most important aspects for IT departments these days. Every month or even week, we hear stories about hackers infecting companies.
Here is a list of the largest hacks of 2021 (with sources):
- Kia Motors- Hacked with Ransomware - Demand ~$20m
- CD Project- Hacked with Ransomware - Refuse to pay the ransom - financial damage due to workers inability to access internal documents and resources -> High
- AXA- Hacked with Ransomware (after stopping to reimburse clients for ransomware attacks :D) - 3TB of data Stolen
- JBS Foods- Hacked with Ransomware - Hacker group REvil - JBS paid $11m in Bitcoin - Largest paid ransom to that date. Shutdown damage not included.
These are just a few of the hacks that happened in 2021. The list for 2021 is long and ongoing. YoY growth in monetary damage, meaning the amount of money paid by companies and individuals to receive access to their data, is extremely high.
Chart by author, Data fromStatista
Monetary damage doesn't include the economic damage by not having access to data or data being leaked to other countries or competitors.
According to Cybersecurity Ventures, cybercrime is expected to induce $6 trillion in damage annually by 2021. There is a huge monetary incentive for hackers globally to continue with their ransom and malware attacks. The risk-reward balance tilts strongly towards the reward side for hackers.
Thesis
CrowdStrike provides security measures to stop a virus before initiating the processes required to infect the host computer and network.
CrowdStrike's total addressable market - TAM - is expanding YoY with new product offerings, new breaches and hacks, home office expansion, IoT, and much more.
I'm bullish on CrowdStrike over the next 5 years as its next-generation antivirus (NGAV) technology is an effective way to stop viruses from breaching networks and companies' IT infrastructures. CrowdStrike has the first-mover advantage, a mature platform, and an excellent and strong reputation throughout the industry.
CrowdStrike is cloud-native, which means that it is scalable, adaptable, and gains through a network effect. Each new node and potential breach within a node helps strengthen the network by sharing information about the virus, strengthening its first-mover advantage in the market.
How does CrowdStrike work?
When investing in a high-growth company, I make sure to understand how its offerings differentiate from existing technologies within the industry and why they solve their customers' problems better than their competitors.
First, we must understand the difference between the Indicator of Compromise - IoC - and the Indicator of Attack - IoA.
An IoC is a post-infection indicator. That means that after a virus has been installed, the antivirus program scans files and documents for known virus signatures (like we do with the PCR tests and Covid-19) and then quarantines the files and deletes them.
That's not what CrowdStrike specializes in.CrowdStrike focuses on IoA.
IoA scans for suspicious processes that are started in the background by malicious files. Let's understand what this means.
There are many types of viruses - malware, ransomware, phishing, spear-phishing... There are also endless versions of these viruses. An antivirus program will have a hard time finding each new iteration because manipulating the virus in some sort changes the file's hash (signature of the virus), making it impossible for IoCs to find the virus. But all viruses have things in common.
IoC vs. IoA - reactive vs. proactive - Source:CrowdStrike
Any virus must execute processes, which results in patterns. The virus can change its face, color, size, but it must execute and run code in some distinguishable way. For example, many viruses alter Window registry keys, create new users, or start encryption processes on the host.
CrowdStrike stops the virus in its tracks. Below is an example of how the Falcon Sensor executes.
CrowdStrike Falcon in Action malware prevention based on behavior.YouTube
The host, in this case, a virtual machine - VM - by CrowdStrike. The user clicked on a malicious file, and the virus begins to "install" itself. The Falcon sensor detects if something in the background is initiating processes that indicate suspicious activity and stops those processes from executing.
That's the distinguishing factor for CrowdStrike.
CrowdStrike's EPP is cloud-native and gains from the network effect. The more nodes connect to its platform, the more secure it becomes by training the AI model with process signatures of new viruses.
CrowdStrike combines AI with its Indicator of Attack approach and scales it up in its cloud. The cloud helps train the virus-threat model from endless endpoints.
Based on statements from CrowdStrike, none of its customers has yet experienced a breach while using its sensors, and CrowdStrike is confident enough in its NGAV that it provides a $1 million warranty if a breach happens.
Competition
CrowdStrike's largest market is the endpoint protection platform - EPP. Within this segment, CrowdStrike is competing with many companies like Microsoft (MSFT), Trend Micro(OTCPK:TMICF)(OTCPK:TMICY), SentinelOne(NYSE:S), or McAfee(NASDAQ:MCFE).
Source:Gartner Magic Quadrant for Endpoint Protection Platforms
In terms of EPP, CrowdStrike is pretty much in a league of itself.
The only negative 'real' negative with CrowdStrike is that they are very secretive about their detection logic. There is no way for IT personnel to look into the Falcon sensor and the logic behind it.
Other EPPs like TrendMicro or SentinelOne score highly in the quadrant but lack against CrowdStrike in scale and maturity.
SentinelOne is one of CrowdStrike's closest competitors and boasts a much better technology than CrowdStrike. This is two-sided as CrowdStrike pushes back against SentinelOne, calling them 'outdated.'
SentinelOne is focused on a completely AI-driven security approach. Removing the human aspect from resolving breaches to a larger extent than CrowdStrike.
Nevertheless, the difference between the platforms is small.
CrowdStrike is more mature than SentinelOne, and its offerings are more scalable SentinelOne's. CrowdStrike's platform is easier to use, deploy, and has a solid reputation (source1,source2,source3).
IT personnel deciding on either one of these AVs wouldn't harm their company.
Valuation
CrowdStrike is expensive, no question about it. It's definitely not the value investment I usually cover, like KLAC,SWKS, or QRVO.
Data by YCharts
CrowdStrike is trading at a 53 price to sales ratio and a forward EV to sales of 38. CrowdStrike is a fast-growing company in an expanding market.
Chart by author, Data from CrowdStrike Quarterly reports
The scale and maturity of CrowdStrike are clearly visible as it's the first choice among the largest companies in the world. That translates into revenue growth and customer retention rates above 100%.
Source: CrowdStrike Corporate OverviewPresentation
That means that CrowdStrike is not only acquiring more customers but that existing customers pay more for more of CrowdStrike's services. That's a really, really good situation for an as-a-Service company.
CrowdStrike's TAM is expanding YoY from multiple sources like Cloud, IoT, home office.
Source: CrowdStrike Corporate OverviewPresentation
I find CrowdStrike's own TAM projections rather conservative. Believing the statements from large research companies like Gartner or IDC, cybersecurity expenditures of companies are likely to increase significantly (source1,source2,source).
Gartner estimates the size of the cybersecurity market to be $150bn in 2021 with a 12.4% CAGR over the next 5 years. The breakdown is below.
Gartner ForecastWorldwide Security
CrowdStrike is not only profiting from an expanding market, but it's also pulling customers from competitors within the antivirus market.
More and more companies switch towards IoA next-gen antivirus companies.
CrowdStrike is the top choice among its competitors.
Is the valuation justified?
Comparing CrowdStrike with other high-growth IT companies like SentinelOne, Cloudflare (NET), or ZScaler (ZS), we find CrowdStrike between those. CrowdStrike's Gross Margin is 74%, just below ZS's 77.5% and NET's 76.78%, and well above Sentinel's 55%.
CrowdStrike has strong pricing power, which translates into the best GAAP net margins. CrowdStrike is the only company that operates profitably when looking at its non-GAAP numbers.
SentinelOne has to push its prices down to remain competitive and balance the immaturity of its platform.
CrowdStrike has the largest market cap with $53bn and boasts a sales growth of 77% against ZS's and NET's 54% and 52%. SentinelOne has a higher sales growth rate of 100% but only 1/10th of CrowdStrike's revenue.
Investor's Takeaway
CrowdStrike is not just any antivirus company in a crowded cybersecurity market. It'sthecybersecurity company in the market.
CrowdStrike built a strong reputation with excellent reviews among IT experts, calling it the top-choice in cybersecurity. Gartner positions CrowdStrike above any other EPP in its magic quadrant.
CrowdStrike is definitely not a value-play and requires conviction to buy and hold at these prices for the next 3-5 years.
On the other hand, it wouldn't surprise me a bit if CrowdStrike can double, triple, or even quadruple its revenue over the next 3-5 years. As it's very common for high-growth companies, the share price is largely determined by the companies' sales growth in these early stages.
Many sources are depicting a high correlation between sales growth and share price increase.Aswath Damodarandiscussed this topic in detail for Amazon in 2000 in thispaper.
One of my Seeking Alpha colleagues,From Growth To Value, discussed this topic in his latest article aboutFiverr, including this chart.
BCG showed that valuation correlates the strongest with revenue growth in the long term, especially for high-growth companies.
CrowdStrike will likely experience a multiples contraction, but its revenue expansion will more than outperform that contraction, providing investors with a return on their investment.
Comments