CrowdStrike is becoming a strong candidate for the I/O Fund portfolio for the following reasons:
- Larger revenue base than its peers at about $3 billion per year, yet often stronger growth than peers that have half the revenue
- Stronger bottom line than the majority of the 5-year cohort of IPOs that went public around 2018-2020. CrowdStrike is stronger on GAAP earnings and free cash flow.
- CrowdStrike is GAAP profitable for two quarters, although we prefer the company be GAAP profitable from operations. If GAAP operating margin continues on the same trajectory, this could happen soon.
Below, we go into a brief overview of CrowdStrike’s core business, plus a few ways the Falcon Platform has expanded since we last covered the stock. The analysis also discusses the impact AI will have on cybersecurity companies.
CrowdStrike’s Falcon Platform:
CrowdStrike’s Falcon platform delivers comprehensive breach protection against sophisticated attacks on endpoints. Due to the sheer number of endpoints in a corporate network, this is where the majority of attacks are made. Compromised credentials across desktops, laptops, and mobile devices are often the hardest points of access to secure.
Endpoint security refers to protecting the endpoints or entry points of the end-user devices such as desktop PCs, laptops, mobile devices, and servers from being exploited. Originally, CrowdStrike was a EDR platform (endpoint detection and response) until it expanded and adopted the XDR acronym in 2022, which stands for extended, as it includes more data points than a EDR platform. As part of moving from EDR to XDR, CrowdStrike added cloud security to its platform.
Extended detection and response (XDR) is cross-layered detection and response. XDR collects and automatically correlates data across multiple security layers – email, server, cloud workloads, and network – so threats are detected faster and security analysts improve investigation and response times.
CrowdStrike’s AI based security model is focused on collecting large amounts of data, centrally storing it in a single model, and continuously training its algorithms with vast amounts of data. The more data that the Falcon Platform collects, the more intelligent the platform becomes in detecting and stopping breaches.
The company’s cloud-native Falcon platform was built to provide automated protection to stop sophisticated cyber-attacks. It is capable of protecting workloads across servers, laptops, virtual machines, mobile, cloud, and the Internet of Things (IoT). With hybrid deployments, and the internet of things, the risk of cyber-attacks has increased, and the need to protect digital assets has increased.
The Falcon platform has 22 modules offered via a subscription-based model under various categories like cloud security, endpoint security, Crowd XDR, Security & IT Operations, Managed Services, Threat Intelligence, Identity Protection, and Log Management. These modules can be easily deployed on the customer’s endpoints and workloads and can be easily scaled depending on the needs of each customer.
One of the most popular upgrades is Falcon Complete, CrowdStrike’s fully managed detection and response solution that offers Fusion no-code security automation to proactively remediate issues. This helps less technical employees work alongside Falcon Complete throughout IT and security departments. This is important due to a cybersecurity training gap between the small talent pool and the dire need for larger security teams.
The upgrade process for modules within the Falcon Complete tier is driving CrowdStrike’s ongoing growth. For example, the company has been accelerating its growth in subscription customers that adopt five or more modules, six or more modules and seven or more modules. We discuss this more in the Financials Overview below.
This includes modules such as Discover, Spotlight, Identity Protection and Log Management. At one point, the company reported on four or more modules, yet retired this key metric as it became commonplace to upgrade to four. Users download a lightweight agent on each endpoint and cloud workload with only a single agent required to upgrade to more modules.
The agent also protects workloads when offline and sends data to the Falcon platform. The data from workloads are analyzed by machine learning models and are capable of preventing future attacks. The events are sent to the Threat Graph in real-time to be further analyzed.
The Threat Graph is a proprietary and a dynamic graph database. It continuously looks for malicious activity by using Artificial Intelligence. The data needs to be collected only once and can be used to analyze how to prevent future attacks. It also enables the company to introduce new products by using the same data and this is one of the reasons that CrowdStrike was able to rapidly introduce new modules.
The company has a smart filtering system that helps filter enormous amounts of data. The company estimates that a typical endpoint generates 100 GB of unfiltered system event data daily. A typical corporation will have several endpoints. The company’s smart filtering helps reduce the noise, and the Falcon agent only sends the crucial data required for detecting, preventing, and investigating attacks. It thereby improves the performance and allows for efficiently analyzing large volumes of data.
The Threat Graph is a powerful product in preventing breaches as it predicts and prevents modern threats in real-time through endpoint telemetry, threat intelligence and AI-powered analytics. This works alongside the modules to offer a best-of-breed endpoint security solution that offers a combination of agent-based and agentless solutions on one dashboard across public cloud, multi-cloud, and hybrid deployments.
The company feels that agent-based is still essential to offer pre-runtime and runtime protection, whereas according to CrowdStrike, agentless-only solutions offer partial visibility and lack remediation capabilities (i.e., the company is referring to SentinelOne which we’ve covered here and also here). With that said, CrowdStrike has recently enhanced it’s agentless offering with a virtual analyst with generative AI features.
The company has three graphs: Threat Graph, Intel Graph and the Asset Graph.
Threat Graph: As discussed, takes trillions of data points from millions of sensors and enriches the threat intelligence from third-party sources (hence “crowd” strike). This offers full visibility and provides automated threat prevention.
Intel Graph: Offers threat intelligence by correlating massive amounts of data and provides insights into any shifts in tactics or techniques
Asset Graph: Launched last year to increase protection across attack vectors such as cloud, on-premise systems, mobile, IoT and connects them into a unified, visual graph rather than a list.
CrowdStrike’s Land and Expand Strategy:
One of the company’s primary strategies is to use its strong, defensible position on endpoints and expand to other layers in the security stack. As enterprises look to lower budgets, the goal is to have them tap CrowdStrike as a replacement for the fragmented list of security vendors that enterprises currently use. This is a normal cycle for tech innovation to where it can become vertical and fragmented before more horizontal, consolidated platforms emerge.
Endpoints are arguably the most difficult to protect, therefore, it stands that an endpoint security company could expand into other turf by combining endpoint with other products. The company’s most recent expansion includes: cloud security, identity protection and LogScale SIEM.
The most important point for investors to take away from the section below is that the company’s total addressable market (TAM) is growing. It was $25 billion during the company’s IPO in 2019 and is expected to reach $126 billion in 2025 with planned new offerings. expected to reach $126 billion in 2025 with planned new offerings. The TAM is expected to be $71 billion in 2024 with the current portfolio offering.
Of CrowdStrike’s $2.9 billion in ending ARR, nearly $600 million came from cloud security, identity protection and SIEM. We want to highlight these three because they are the fastest growing components within the Falcon platform. As you’ll see, they will also help contribute to an inflection point in net new ARR.
Cloud Security:
According to Checkpoint, cloud-based environments are the second most popular targets for hackers, following corporate and internal networks as the number one. According to Frost & Sullivan, the global cloud workload protection platform market (CWPP) recorded revenue of $3.05 billion, representing growth of 47.9%. The market is expected to grow at a CAGR of 26.3% through 2027 due to “the increasing demand for runtime protection and automated threat response.” The forecast below predicts cloud security will grow at a CAGR of 22.5% through 2032.

Source: GlobeNewsWire
Cloud is a growth lever for CrowdStrike as the company leverages a microservices architecture for rapid and frequent updates. The company offers support for Kubernetes workloads with additional runtime protection and simplified deployment. Kubernetes is automation orchestration for containers and allows for scaling of a container rather than an entire application. Kubernetes was created by Google and is used by 78% of companies managing containers with this open-source system.
Agentless is important for cloud security in order to reduce friction for developers. Instead of requiring an agent for workloads, developers can adopt agentless workload protection that is built into cloud-native applications for total coverage including runtime, plus full automation, including features such as zero trust.
CNAPP, or cloud native application protection platform, is a term coined by Gartner in 2021. Due to Zero Trust being an important component for CNAPP, CrowdStrike competes with Zscaler and Cloudflare in Cloud Security.
Management was recently asked on the earnings call what the benefit is to offering CNAAP from an endpoint security company instead of a Zero Trust company. This is a good question to ask because Zero Trust manages perimeter-less security architectures, and cloud is certainly perimeter-less. Workloads that include both containers and serverless also spin up and down based on demand, and this could also be best served by a Zero Trust company as permissions are more complex given the dynamic quality of cloud workloads.
The primary difference is that Zscaler and Cloudflare will protect the environment by controlling access, whereas CrowdStrike is trained in detecting and responding to threats. Another primary difference is that CrowdStrike only recently began to offer cloud security as it’s traditionally an endpoint company that launched cloud security in 2020, whereas Zscaler and Cloudflare are predominately cloud security companies that grew in prominence by helping companies migrate to the cloud by replacing their traditional VPNs and networking solutions. In contrast, about 10% of endpoints secured by a typical endpoint security company are cloud related. However, over time, cloud security could surpass the endpoint market, and thus, you can expect CrowdStrike to make an outsized effort here.
As to why CrowdStrike would be used for cloud security over ZS and NET, management answered with this: “It's not just around the cloud workload protection, but it's also around the cloud security posture management and everything really from code to cloud.”
Cloud security posture management refers to a comprehensive view of a security landscape to help identify misconfiguration issues or compliance risks. An example of “code to cloud,” is to secure the development pipeline as applications are built from open-source code, libraries, and APIs. CrowdStrike’s management is also stating that workload protection is also important, which refers to real-time threat detection and vulnerability management.
Another interpretation is this – Zscaler and Cloudflare may have been first, but CrowdStrike is better because it consolidates what other best-of-breed companies do while offering more comprehensive coverage. That’s CrowdStrike’s perspective although I’m sure ZS and NET would argue that an endpoint company with $300 million in cloud security revenue does not compare to a company that specializes in cloud migrations and has $1 to $2 billion in revenue.
Notably, in July, it was rumored that CrowdStrike was in negotiations to acquire a startup called Bionic.AI for about $300 million. If this acquisition is officially announced, it would grow CrowdStrike’s cloud security footprint to become more specialized in application visibility. The company uses an AI domain because the solution is agentless.
Identity Protection:
This quarter, identity protection reported $200 million in ending annual recurring revenue, which is up 194% year-over-year. The identity protection adoption rate for new customers grew over 100% year-over-year and the total number of deals tied to identity increased 200%.
According to management, “identity-based attacks represented 62% of all interactive intrusions we observed in the last 12 months.” Also, according to CrowdStrike, 80% of breaches are identity-driven. These attacks are particularly difficult to identify because they mimic typical user behavior. Examples include stolen credentials that are used on other systems, accessing user data stored in Microsoft Active Directory, or man-in-the-middle attack where an attacker intercepts passwords or banking details.
The Falcon Identity Platform offers threat detection and threat protection (that’s a tongue twister!) through behavioral analysis and looks for anomalies across accounts and users, while also tracking authentications for elevated risk. The platform offers authentication protection end-to-end.
LogScale SIEM:
“The number of customers using LogScale grew more than 3x year-over-year. LogScale ending ARR grew over 200% year-over-year and is quickly approaching the $100 million ARR milestone, which we expect to achieve in Q3.” –Q2 2023 Earnings Call
SIEM combines security information and security events into one management tool. SIEM systems log data from many sources to identify deviations and alert the security team. The system is either rules-based or correlates to event log entries. The goal is to find the priorities within a large volume of security data through incident detection.
For example, a user that attempts to login 10 times but fails would be a lower priority event, whereas a user that attempts to login 100 times would be a high priority event as it’s likely a brute-force attack.
SOAR is another acronym used in advanced SIEM, and it stands for security orchestration, automation and response. SOAR platforms ingest alert data, and then automate response workflows. Overall, SOARs are more efficient than SIEM systems by adding in automation through automated playbooks and by using AI to learn pattern behaviors with the goal of predicting threats before they happen. Human analysts are needed to sort through events to determine which ones require prioritizing, while AI learns pattern behaviors to help flag which anomalies are most urgent.
Splunk is a heavyweight in SIEM with $3.7 billion in revenue last year. About two years ago, CrowdStrike acquired a leading SIEM provider called Humio. As stated above, the $100 million does not compare to Splunk, but CrowdStrike’s goal is that those looking to consolidate endpoint protection with SIEM will choose CrowdStrike to drive down costs compared to stringing together many vendors.
Cybersecurity and AI:
Combining cybersecurity with AI has a natural affinity as cyberattacks are computer generated, and in turn, computers are uniquely capable of finding computer-generated threats. For example, Chat-GPT heightens security risks as generative AI is capable of writing malicious code or acting as a sidekick to the human hacker writing malicious code. To level the playing field, the best defense will also be self-learning, generative AI tools.
This is early days, so I don’t want to get too far ahead of ourselves, yet the point is that CrowdStrike already has a strong foundation. Now, we may be layering in a new trend that can drive further growth, which is to protect against the risks that large language models pose. By offering agentless, theoretically, fewer human agents will be needed.
Charlotte AI uses generative artificial intelligence as an agent, or a security analyst. Security professionals can ask the AI assistant questions about threat vectors and receive responses, such as “Which threat actors target us?” It also reduces repetitive tasks by automating them. Rather than relying on existing data sets, generative AI is able to create net-new outputs that are based on patterns and structures inherent to the training data. According to management, a virtual analyst that automates tasks can complete eight hours of work in 10 minutes.to management, a virtual analyst that automates tasks can complete eight hours of work in 10 minutes. Pricing information will become available later this month at the Fal.Con conference.
There will be competitors with generative AI agentless solutions. However, CrowdStrike’s contention is that their data is more valuable, and this is the most important element to AI-related outcomes. The statement that CrowdStrike’s data is more valuable is based on the vast number of threats their platform has already detected. Essentially, the argument is that their XDR platform is better than competitors, and therefore, their data is better than competitors, which results in smarter and more accurate AI output. Here is how management spoke about it: “we actually have a very well-defined training set that's annotated based upon all the threat hunting that we've done over the last 10 years.”
Automation reduces the number of false positives. Instead of getting every piece of telemetry that requires the security team to investigate, AI-assisted endpoint detection and response solutions eliminates the noise so that the security team is only responding to those that have the potential to be critical. Fundamentally, cybersecurity is a data problem. CrowdStrike’s Falcon platform ingests, correlates, and queries petabytes of structured and unstructured data from ever-expanding disparate external and internal sources in real-time. It builds rich context and delivers greater visibility by constructing a dynamic representation of data across an organization. As a result, the company’s AI models are often highly accurate in triggering a response.
What matters to customers is that every threat is detected very quickly, and CrowdStrike proposes a solution that is able to do both because automation and AI is best done at the data level rather than by only managing thousands of user endpoints to mitigate attacks.
Financials:
CrowdStrike’s revenue growth was in the 60% range this time last year, and will exit the year at a 30% growth rate over the span of 18 months. For our purposes, this deceleration is not ideal. However, we are willing to overlook this for two reasons:
- The bottom line has been growing, and this is what separates a cloud company from the long list of cloud companies that are years away from becoming GAAP profitable. In our opinion, to own companies that are not GAAP profitable is to gamble the Fed is done raising rates, which is a complicated gamble as it’s entirely outside of a company’s control.
- CrowdStrike’s key metrics may be pointing toward an acceleration, or at least, an improvement in the growth profile.
In the most recent quarter, CrowdStrike reported revenue of $731.6 million, for growth of 36.7%. For the next quarter, CrowdStrike is guiding for revenue of $775.4M to $778M, for growth of 33.7% at the midpoint.
The company reported adjusted EPS of $0.74 and GAAP EPS of $0.03. This beat estimates of $0.56 and ($0.06). Next quarter, CrowdStrike is expected to report adjusted EPS of $0.74.
This quarter, CrowdStrike earned $36.6 million in interest income, which offset losses from operations at (-$15.4) million. The outcome was a net profit of $8.5 million. Operating losses have improved from (-$48.3) million in the year ago quarter. Ideally, this time next year, CrowdStrike reports GAAP operating profits. The company is certainly on that trajectory.
Margins:
In the most recent quarter, CrowdStrike reported a gross margin of 75%, which has improved one to two basis points over the past few quarters. The adjusted gross margin has also improved one or two basis points to 78%.
The GAAP operating margin reported quite a bit of improvement at (-2%) up from (-9%) in the year ago quarter.
In Q2, there was a sizable beat on adjusted operating profit at $155.7 million, compared to management’s guidance of $120.1M, at the midpoint. Adjusted operating profits have nearly doubled YoY from $87.4M in the year ago quarter. There was also strong growth QoQ of 34.2%. The last time CrowdStrike grew its adjusted operating margin by four basis points QoQ was in CY 2021. Management has guided flat for fiscal Q3 for $155.4M at the midpoint. The same is true for the adjusted net margin at 25%, which added five basis points QoQ.
As discussed, the GAAP net profits were $8.5 million for a margin of 1%.
Stock based compensation weighs on CrowdStrike’s GAAP operating margin, although less so compared to other cloud companies. In the current quarter, SBC was 22.5% of revenue. This is higher than last quarter at 18.9% of revenue. An analyst asked about this in the call, with management replying with this:
“So, number one, we are going to continue to invest as aggressively as we can while keeping to our commitment to our profitability metrics. And for us, I think that the key here, you had mentioned on the stock-based compensation, a lot of that is based on timing of grants and I think that for us, we're going to continue to use grants to attract and retain. Having said that, we think that we are going to continue to show low dilution, less than 2% this year and strive to keep it under 3% for next year.”
In Q1, the company had stated the following: "Third evolution is GAAP profit which we will continue to focus on and drive towards achieving sustainability. Of course, SBC is the biggest piece of that. We continued to manage SBC and we are going to be mindful balanced with retaining the best and the brightest talent that's paramount for us."

Key Metrics:
There were two key metrics that are worth pointing out. The first was management’s comments about an inflection in net new ARR in the second half of the year. We had highlighted the importance of this key metric going into the call: “We are interested in this earnings report to see if Crowdstrike bottoms soon in this regard, which would indicate new business is recovering and upgrades are resuming.”
This statement was quite important in terms of confirming what we wanted to see.
“Heading into the second half of the year, we see increased momentum in the business, driven by record levels of new logo and upsell pipeline, record deal registrations from our market-leading partner ecosystem and record levels of customers proudly trusting CrowdStrike to be their long-term security platform consolidator of choice. We are also observing substantial changes in the competitive landscape, uniquely benefiting CrowdStrike. With the business momentum we see and competitive market dynamics, we believe our second half performance will yield double-digit net new ARR growth.”
In the current quarter, net new ARR growth hopefully bottomed at (-10%) decline YoY for $196.2 million. This compares to 44.8% growth in the year ago quarter. The steep difference, and the risk of going double-digit negative, is ultimately why we stepped aside from this company. If we take the current quarter’s results coupled with management’s comments at face value, it appears net new ARR is at an inflection point.

Pictured Above: Net new ARR is showing signs of bottoming in this quarter, and when coupled with CrowdStrike’s guide that net new ARR will “yield double-digit net new ARR growth”
When providing full year guidance, the company’s CFO, Burt Podbere stated: “We are raising our revenue guidance for the fiscal year and maintaining our net new ARR assumptions for the second half and fiscal year, which call for in line to modestly up net new ARR for the full year.” Using this guidance, we calculate that net new ARR in the 2H 2023 will be around $460 million, representing about 10% YoY growth. The ending ARR is expected to grow 32% YoY to $3.4 billion.
ARR in the current quarter was $2.93 billion for growth of 37% YoY, compared to 42% YoY last quarter. This is a deceleration from the 59% growth in the year ago quarter.
One thing to note is that the company used to report number of subscription customers, and has dropped this key metric from its coverage. Typically, this means the growth rate was undesirable.
However, the number of modules per customer is increasing, and the company has seen a steady acceleration of one basis points or more per quarter in customers adopting 7 or more modules, 6 or more modules, and 5 or more modules.

The second highlight in key metrics was remaining performance obligation (RPO) of $3.6 billion, which was up 43% year-over-year and up 8% QoQ. This accelerated from Q1, which was up 41% YoY and flat QoQ. In the year ago quarter, RPO decelerated in growth from Q1-Q2 from 60% growth in Q1 to 49% growth in Q2. In an effort to find an inflection point, RPO could also be signaling that this quarter might be the bottom.
Per our write-up going into the earnings report, this was a key metric we were watching closely: “It will also be interesting to see if RPO bottoms over the next few quarters. It was at 41.2% growth last quarter.”
Dollar based net retention rate of 120% was lower than last year by five to seven basis points.
Cash Flow:
Operating cash flow of $244.8 million is up from $210 million in the year ago quarter. This represents an op cash flow margin of 33%.
Free cash flow of $188.7 million is up from $2.32M in the year ago quarter. This represents a free cash flow margin of 26%. The company has $3.2 billion in cash and $742M in debt.
After the first two quarters in FY2024, the free cash flow margin is at 29% of revenue, representing 42% YoY growth. As stated in the earnings call, management is on track to reach its goal of a 30% free cash flow margin in FY2024.

A Note on Microsoft:
Big Tech is formidable when it comes to AI because it has the cash reserves coupled with a strong motivation to not only succeed, but rather to “rule them all.” We are talking about companies that have been cash flow positive for decades up against a company that is a fraction of its size. As enamored as we may be with a smaller company taking on Big Tech, Microsoft’s cybersecurity revenue stands 6X-7X larger than CrowdStrike’s revenue today, and there is plenty of cash reserves and adjacent products that can fuel Microsoft’s growth. The reason customers choose Microsoft is because it drives down costs to consolidate cybersecurity with their suite of enterprise software. As a lead investor in OpenAI and ChatGPT, Microsoft is likely years ahead of CrowdStrike when it comes to AI capabilities – especially generative AI.
Conclusion:
We’d like to add cybersecurity to our portfolio on the next pullback. This is one strong candidate and we will cover another strong candidate over the next week or so. Advanced Market Signals members receive real-time trade alerts when we enter a position, along with a 1 hour webinar every week with the I/O Fund Portfolio Manager who discusses what positions he is looking to trim, add, buy or sell. Learn more here.
Recommended Reading: