Hi, I am Trung. I write 10+K words deep-dives on market leaders. I also write Thesis Trackers updates to follow up on their performance. When the right price comes, I buy them for the Sleep Well Portfolio, which I am building for my 4-year-old daughter to redeem in 2037. I disclose the reasoning of all BUY and SELL (ideally never) transactions (1st, 2nd, and 3rd). Join me in building generational wealth.

Before investing in 100-year-old market leaders, I closely tracked a few ‘unproven’ ones as they possessed the right ingredients to become future leaders. One is CrowdStrike (CRWD - $38B Market Cap), a leading cyber security platform founded in 2011 and IPOed in 2019 (at $20B Market Cap). This is one of the few hyper-growth tech names that continued to perform post-covid.

Thesis Tracker

I first bought CrowdStrike in May 2020, wrote the first note in September 2020, and updated it with more details in May 2021, in a format before the Sleep Well Investments framework was born and refined.

This write-up tracks how CrowdStrike’s moats and market share have moved since.

The following table shows CrowdStrike has consistently taken market share (green box highlighted below). Out of 7 peers I studied, I singled out Microsoft and Sentinel One as the biggest threat and the most similar product architecture, respectively.

The green boxes are the result of findings from:

1. Revenue growth vs. key rivals (seven)

2. Client wins / losses

3. Gartner industry rankings

4. Gartner customer’s reviews

The four points are specific for CrowdStrike. Read my Investment Thesis Tracker to learn more about how I measure market share and moats. For other picks, the criteria are different. Click here for MIPS and FND.

In the second part of the post, you will also see if CrowdStrike can continue gaining market share and whether it can achieve the new 5-7-year financial targets. We will see CrowdStrike’s

1. Product growth

2. Product stickiness

3. Operating leverage

4. Free cash flow per share

Finally, we explain how CrowdStrike earned 12/20 points from the Sleep Well Investments scorecard and consider scenarios in which we would add more shares.

What’s CrowdStrike?

CrowdStrike is a cybersecurity software company that provides cloud-based security solutions and services worldwide. The fundamental difference from its competitors is that CrowdStrike was built as a cloud-native platform driven by AI. The architecture allows data collection at scale, centrally storing it in the brain, which CrowdStrike calls the Threat Graph. The data then trains the algorithms on these vast amounts of high-fidelity data and develops into the legs and arms to do various services, which CrowdStrike calls the Falcon Platform.

The Falcon Platform has ten modules at IPO and has grown to 23 today. Starting on the left, the slide below contains functions such as detecting, preventing, and responding to all kinds of attacks for endpoints (desktops, laptops, servers, mobile, and IoT devices), the bread and butter of CrowdStrike. It’s what it started with and is known for. For the last few years, as more customers were onboarded, the Threat Graph has collected more data and become more intelligent. The data enabled the Falcon Platform to expand its functions to cloud security (protects cloud-based infrastructure, workload, applications, and data).

Today, CrowdStrike is an industry leader in endpoint and cloud workload protection, used by over 23,000 customers worldwide, generating almost $3B Annual Recurring Revenue, which recorded an impressive 77% 5-year revenue CAGR growth and 145% 5-year free cash flow per share growth! As cybersecurity becomes more and more mission-critical in our digital world, the company has a long road ahead.

I link the S-1 document at IPO here if you want to know more about the technical side. It goes deeper into the architecture and the history of the business.

Big Guidance Upgrade

Last week, at Fal.Con 2023, held in Las Vegas, CrowdStrike upgraded its long-term financial targets with

• Gross margin 82-86% (expanding by +4% from the prior target at the midpoint)

• Operating margin 28-32% (+9%)

• Free cash flow margin 34-38% (+5%)

For your reference, below is the long-term financial target set at IPO 2019 and at 2022.

Fal.Con 2023 surprised me because it upgraded massively its 5-7 year targets, aiming to achieve $10B Annual recurring revenue (ARR), a gross margin of 84%, and a free cash flow margin of 36%, higher than other software industry leaders.

The table below shows that CrowdStrike’s financial profile is not far off while recording the second fastest growth (behind Sentinel One - the youngest).

Fortinet (FTNT), the ‘legacy’ provider in cloud security and network security, together with Microsoft (MSFT) and Paolo Alto (PANW), are mature players. They show what’s possible at an optimum scale, enjoying 19%-35% free cash flow margins with above industry growth (10%+). CrowdStrike’s target at the low end is even higher, showing a lot of promises (but we’ll see that it has the track record to back it up).

Sentinel One (S), the most direct peer, labeled as the ‘next-gen,’ also a cloud-native, one-agent platform provider, is still burning cash with a -10% free cash flow margin. Meanwhile, Okta (Identity), Zscaler (ZeroTrust SASE), Cloudflare (‘4th’ Cloud Platform), and Palo Alto (Networks) trail behind Crowdstrike’s profitability and cash generation.

In Q2’23, CrowdStrike’s free cash flow margin was already at 27%, not far from the 36% guided at the mid-point, albeit non-GAAP. And Q3 and Q4 would be even closer, given net new ARR generation is typically greater in the second half of the year as CIOs draw up cloud budgets for the following calendar year. In addition, the operating margin is also typically higher in H2, as costs for payroll taxes, new hires, and annual sales and marketing events are mostly paid in H1.

The rosy outlook shows management’s belief in CrowdStrike’s superior platform products and best-of-class economies of scale. Wall Street loved the update and estimates CrowdStrike will hit $17B revenue in 2033 or 22% CAGR! (I beg to differ, and we’ll see why)

But are the new targets achievable, and how does it translate into value creation?

I think CrowdStrike has a high chance to compete with Microsoft to remain relevant for decades. It could create 15%+ shareholder value over the next ten years, despite assuming CrowdStrike only meets the low end of the target (82% gross margin and 35% free cash flow margin) with double the amount of years, ten instead of 5-7, and with 10% cost of capital, allowing an extra layer of margin of safety.

Moats and Market Share Direction

Gaining or losing market share speaks volumes about the quality of the moats and barriers to entry. This is my go-to KPI to sleep well at night. Keeping things simple and elegantly effective - as

CrowStrike has consistently taken market share from key rivals, illustrated by the green boxes from 2021-Q2’24.

Before I derive my findings from the four aspects mentioned:

1. Revenue growth vs. key rivals (seven),

2. Commentaries from management on client wins / losses,

3. Gartner industry rankings

4. Gartner customer’s reviews

I had a preview of the IDC market share report, but they cost $4500/each for the full report - which I don’t have. Thus, the digging exercise allows me to learn CrowdStrike’s key rivals intricately through reviews and management commentaries - reading IDC reports might not.

Nevertheless, I captured a few data points from the IDC report, which I can present as follows.

CrowdStrike and Microsoft are winning shares rapidly. It’s a fragmented market (48% still uses legacy anti-virus software) and expanding rapidly (from End Point Protection to Data security, industry consolidation, and geographic mix, a >$200B market in 2028). Meanwhile, a few years ago, McAfee and Symantec were the top five players but disappeared from the ‘Rest of Market’ pie.

Let’s review my interpretation of market share movements from IPO to 2023.

1. Revenue growth vs. peers (7)

This is not a perfect measurement, but it shows CrowdStrike as the second fastest grower, with 88% average growth, behind Sentinel One, with 109% in the past 4-6 years. Thus, I can safely say CrowdStrike has been gaining shares, and everyone’s growth has slowed in the last two years.

*No information is available for Cylance, Symantec, and McAfee, legacy competitors.

**For Microsoft, I used the Intelligent Cloud segment as a proxy as it’s the most relatable to cybersecurity. Microsoft Defender is a direct comparison to CrowdStrike Falcon, but only management commentary is available, which we will go into later.

2. Management commentaries on client wins / losses

First, a few lines about George Kurtz, the co-founder, CEO, and, intriguingly, an American racing driver. He was also the founder of Foundstone, chief technology officer of McAfee, and co-author of Hacking Exposed: Network Secrets and Solutions (2003) before CrowdStrike. It's safe to say he has seen things in cyber security. And this is his summary of the industry in the last 30 years.

We are also observing substantial changes in the competitive landscape, uniquely benefiting CrowdStrike...Working in cybersecurity for the past 30 years, I have recognized and created tectonic shifts in this industry, and we are in the midst of one right now. Organizations need better, faster, and more cost-effective protection for a digital society. Organizations need seamless, not stitched-together automation to break down legacy data silos.

The last sentence is a direct jab at the legacy providers. We will focus on just two:

1. the biggest threat is Microsoft, and

2. the most direct competitor in terms of product offering is Sentinel One.

Microsoft is a multi-platform & multi-cloud (Azure, Google Cloud, AWS) that offers 50+ security functions across Cloud Security, Identity and Management, Compliance, and Privacy, stepping on a lot of toes, Okta, Cloudflare, Datadog, Splunk, Elsatic, Sentinel One, not just CrowdStrike.

Microsoft Defender is a direct competitor solution to CrowdStrike’s Falcon Platform. It reported generated about $3B in sales, broken into 2:

i) Defender 365 for endpoints + XDR, which protects endpoints and competes with CrowdStrike directly

ii) Defender for Cloud Security, which provides security for cloud workloads, DevOps, and applications (integrates with GitHub). This business area competes against cloud security like Wiz, Snyk, and Datadog.

I won’t go into other areas, but interested readers can find Francis’s thread here as a starting point to research further.

Microsoft has been a competitor from day one and the biggest threat. The good news is that CrowdStrike considers Microsoft and all other peers as good sources of clients for CrowdStrike.

Today's competitive landscape solidifies CrowdStrike's leadership position and turns what were once competitors into immediate shared donors. CrowdStrike is purpose-built for this market. We have the technology innovation, mission-driven team and sizable scale to lead cybersecurity platform consolidation.

George Kurtz is a straight shooter, as you can see. He is also ‘aggressive’ in confronting his rivals. The corporate website would openly compare its offerings to peers and show why CrowdStrike is superior. This page recently shared a major US retailer experience when using both, and this page directly put the two head-to-head on various tests. Both tests openly concluded a big win for CrowdStrike in terms of costs, ease of use (needed just half a full-time employee vs. four FTE for $MSFT Defender), efficiency, and effectiveness (threat coverage).

In the annual CrowdStrike Threat Report, Microsoft was labeled a burden to clients’ security teams.

The constant disclosure of vulnerabilities affecting legacy infrastructure like Microsoft Active Directory continued to burden security teams and present an open door to attackers…

And George Kurtz might not be too harsh here. Fortinet also comes to a similar conclusion. Fortinet’s Threat report analyzes how likely (or unlikely) threat actors will exploit a specific vulnerability. It found that Microsoft's infrastructure makes it a weak point for attacks with the most Common Vulnerabilities and Exposures (shown as yellow boxes), of which 12.4% of incidents were attacked (red boxes).

Source: Fortinet’s Global Threat Landscape report H1 2023

The following are some quotes from George Kurtz on recent events:

He is not afraid to share bad customer experiences with Microsoft. In the Q2’23 conference call, he shared:

a major auto manufacturer that tried but failed to consolidate their security on Microsoft E5. This company's security team quickly realized Microsoft's complexity, multiple consoles, lack of integration, miss detections and complex deployments hampered their ability to defend themselves and consolidate. This customer is now consolidating on the Falcon platform with Falcon Complete for Endpoint, Identity and Cloud. Now with a single agent, single user interface and single platform, they have complete visibility across their end points, cloud and identities and the ability to stop threats in real time. By moving from expensive Microsoft E5 to CrowdStrike, organizations can save 50% plus per user per year on Microsoft licensing costs, adding up to millions of dollars of savings.

And another bad customer experience with Microsoft and others while he was at it.

Following remediation by CrowdStrike incident responders, this customer consolidated on the Falcon platform, adopting Falcon Complete, Falcon Identity Complete and Falcon Cloud Security Complete, displacing and consolidating four vendors in the process, Microsoft, SentinelOne, Arctic Wolf and Sophos.=

On why CrowdStrike achieved a record number of customer wins

We closed a record number of cloud customer wins in Q2, including multiple seven-figure cloud expansions with Fortune 500 customers, together in excess of $20 million in deal value. An iconic Fortune 50 retailer prioritized a full, not phased, Falcon Cloud Security purchase of $5 million in deal value, choosing CrowdStrike over a point product cloud security scanner and displacing their firewall vendor. Additionally, a major Fortune 500 manufacturer sought product superiority and a single-platform approach replacing Wiz with Falcon Cloud Security.

[…] cloud expansion with a Fortune 1000 retail brand facing increasing costs from their incumbent cloud security vendor and struggling with limited visibility over their cloud assets. This customer launched an initiative to unify their security stack and remove gaps between traditional endpoint, cloud runtime security and posture management. CrowdStrike is the only vendor that met these requirements and a unified platform and helped them drive down their overall operational costs.

When comparing CrowdStrike AI capability with others

when we started the company, we actually have a very well-defined training set that's annotated based upon all the threat hunting that we've done over the last 10 years. So we believe our 10-year head start in terms of having a data set that's actually curated is going to give us a distinct advantage of helping our customers.

This year, CrowdStrike’s Data Layers are collecting and training over 1 trillion data points a day, increasing from 1 trillion a week two years ago. And that these data points are trained to develop workflows and improve the 23 modules

On Sentinel One

SentinelOne ($5B market cap), a direct competitor, IPOed in 2021 and came out with aggressive marketing tactics. If you search for CrowdStrike on Google, Sentinel One would appear as the first paid post.

Lately, things have not been great. It hired investment bank Qatalyst Partners to advise on talks with potential buyers, including private equity shops, according to a Reuters report, which cited people familiar. Reuters said that initial expressions of interest for SentinelOne didn't meet the cybersecurity firm's expectations, and no deal may be reached.

But looking at underlying fundamentals draws a clear line between the two rivals.

SentinelOne's ARR per customer is $56,000. CrowdStrike's is well over $100,000. SentinelOne's dollar-based net retention is 115%, and CrowdStrike's is over 125% ( and over 120% dating back to 2019).

Why the disparity?

You guessed it, George Kutz had a few words about it (not directly, but it’s mostly likely pointing fingers at Sentinel One)

The competitive battlefield of cybersecurity today reflects these realities, separating the wheat from the chaff. Those who have platforms versus those with point products masquerading as platform stories.

What was a market littered with dozens of companies is quickly consolidating to several vendors. Smaller, narrower point product companies are being left behind. These companies are quickly going the way of legacy AV, already in the hands or looking for the safe hands of strategic or private equity buyers.

Point products, single-feature cloud security companies are learning the hard way that platforms built by design win at scale.

Sentinel One’s recent earnings call shows a few cracks

We're seeing customers evaluate usage and rightsize on renewals. Some enterprises are taking a wait-and-see approach by deferring purchase decisions. While not entirely new, the impact from these conditions was more pronounced this quarter. Second, operating in this environment raises the bar for execution. We were disappointed with some late-stage contract execution challenges on large deals that caused a few deals to slip to next quarter.

And we don’t see this in CrowdStrike calls

the selling environment is more difficult

But this is not due to the difficult macro environments. When asked by an analyst, Tomer Weingarten, the CEO of Sentinel One, admitted:

I think deal slippage is something that obviously we witnessed as early as Q3 and Q4 of last year. So some of it was known. And I think that generally, we factored some of that into how we convert pipeline. I think we have -- we've had a couple of execution hiccups where some deals that just were not supposed to slip -- this is not specifically macro related, we just weren't able to execute these contracts in time.

So Microsoft and Sentinel One have been openly ‘attacked’ by CrowdStrike; part is rhetoric, and part is backed up by numbers and external stats (IDC reports, Fortinet Threat reports), but after reading through conference calls of all three, I am leaning towards CrowdStrike winning market shares; if not from these two, then most likely from legacy providers, as past IDC reports already confirmed.

3. Gartner industry rankings

Gartner's industry-leading reports are the next reference point to triangulate the market share movement. (Gartner, Magic Quadrant for Endpoint Protection Platforms, by Peter Firstbrook, Chris Silva, 31 December 2022.)

Gartner Magic Quadrant is a culmination of research in a specific market, giving a wide view of the relative positions of competitors. Using a Gartner Magic Quadrant can be a good way to start understanding technology providers.

Among the 17 other vendors in the Magic Quadrant, CrowdStrike is a leader and furthest for Completeness of Vision. CrowdStrike achieved this position for three years consecutively: 2000, 2021, and 2022.

4. Gartner customer reviews

The Gartner Peer Insights also shows the ‘Voice of the Customer’, demonstrating overall customer experience. CrowdStrike is among the best in the top right corner (sorted alphabetically), with Sentinel One, while Microsoft sits below.

Below is CrowdStrike vs. Microsoft; you can read more here.

The other reference point for comparing CrowdStrike against peers is the MITRE Engenuity ATT&CK® Evaluations. The test release planned unknown and known adversaries to participating members’ platforms and was evaluated on how well they detected and dealt with them.

The results show CrowdStrike beating its peers for two consecutive years, achieving 100% protection, 100% visibility, and 100% analytic detection coverage in the MITRE Round 5 Evaluation.

It also achieved the highest detection coverage in the MITRE Managed Security Services Providers test, covering 75/76 steps.

So, who would you go for if you were a CIO of an enterprise?

There are other external reports, such as Forrester Wave; however, I stick to Gartner as they are the easiest to understand, and the conclusion is similar - CrowdStrike is the leader and gaining market share.

Platform unit economics - profitability at scale

Is CrowdStrike taking market share sustainably? Does it create value or destroy it?

Growth fuels long-term value creation, but it's pointless without turning into free cash flow per share, Jeff Bezos’s ultimate long-term financial measure. He said:

Earnings don’t directly translate into cash flows, and shares are worth only the present value of their future cash flows, not the present value of the future earnings.

Jeff Bezos 2004 Shareholder Letter

Let’s examine what drives CrowdStrike’s free cash flow per share!

It is distilled from a funnel of:

• Product growth: This is measured by the number of Falcon Modules and module adoption. Which trickle down to

• Annual recurring revenue. Combine it with the net dollar-based retention rate (NDBRR), and they tell us how sticky the product is and the durability of the recurring revenue it generated. If they are, the road should lead to

• Operating margin growth shows operating leverage and free cash flow per share growth, which means profits convert into cash and increase shareholder value.

As you can see, CrowdStrike has added new modules to the Falcon Platform every year. And as a higher percentage of subscribed customers adopt more modules, it proves the platform adds value as it grows. In the latest quarter, 41% of customers had more than six modules.

Unsurprisingly, strong platform growth has generated strong annual recurring revenue of $2.9B, compared to just $71M in 2018, representing a 59% CAGR growth in the last six years. Roughly, existing customers love it that they keep spending more each year, about 25% more, as the NDBRR rate indicates above.

And beautifully, it has converted into healthy free cash flow per share despite some dilution (4% per year).

I am satisfied that CrowdStrike is growing sustainably.

At this point, I want to plug in a few graphics from Fal.Con 2023 presentation for your appreciation. As mentioned, you can come back to my semi-deep dive into the business/moat /go-to-market strategy here, which I wrote in May 2021.

First is the Falcon platform. At the core is the lightweight single-agent API, which collects, analyses, and trains data through the three Data Layers (Threat Graph, Intel Graph, and Asset Graph) and AI Native LLMs, which develop into workflows and development of 23 modules that customers can pick and choose depending on their requirements.

This slide is older but lays out the 23 modules, which is easier to see.

And this slide shows what module adoption looks like.

One of the reasons for such growth is CrowdStrike's go-to-market strategy. It takes advantage of all channels from Amazon AWS marketplace to 90+ FedRAM - Government Certification to partnerships to forming a direct sales team.

Thus, I believe CrowdStrike can leverage its largest sale distribution capability/moat to capture the expanding TAM from $98B in 2025 (see below) to $200B+ in 2028 (with the growth of AI).

Sleep Well Investment scorecard.

Corporate slides and optimistic TAM numbers should be taken with a pinch of salt, but it does show the possibility. WallStreet seems to like it and attaches a huge revenue target by 2033 at $17B.

So, let’s return to earth and see how CrowdStrike performs under my Sleep Well Investment checklist before we look at valuation through a more conservative lens.

CrowdStrike - the first column, scores 12 points out of the possible 20. To see the reasoning behind each criterion - read my sleep well framework writeup here.

+1: Product relevance

CrowdStrike scores full points for product relevance. Cybersecurity is not an option for modern enterprises anymore. It’s mission-critical. A few hours of system blackout can wipe out billions of $.

+3: Business model

Then, the Falcon Platform is not easily replicable with 23 unified modules, lightweight agents, and best-of-class customer service. The company spent almost $700M of R&D and over $1B of stock-based compensation to get to a $2.9B ARR business today. At the same time, software developers are as hard to find as renting a two-bedroom apartment in central London.

+5: Financial strength

With 70%+ Revenue and over 100% Free cash flow per share CAGR, a $2B net cash position, consistent gross margin, and ample reinvestment opportunities. It deserves 5 points out of 6.

+2: Management

George Kurtz, the CEO and co-founder, owns 3.3% of shares or about $1.3B. The rest of the management team earns performance-based pay and owns <1% share. Their record of growing revenue by 70% CAGR and 100%+ free cash flow per share CAGR since 2018 while taking clients from Microsoft shows strong execution.

+0: Antifragile

As CrowdStrike still has lots to prove and operates in an ever-changing market, I don’t class it as anti-fragile despite having over $2B of net cash and starting to generate GAAP profit. Nevertheless, this score could change as it overcomes COVID-19 fully and beats legacy competitors.

The rest of the scores are straightforward.

-2: Competition is strong

We looked at Microsft, the biggest threat, in detail previously. It’s important to keep a close eye on what they do. But in a large and expanding market that favors cloud and AI native players with a platform approach, CrowdStrike has a good chance of overcoming competitive pressure.

+5: Moats & barriers to entry

CrowdStrike has points for network effects, high switching costs, scale/cost advantage, widening moat, and high barriers to entry. There is no point in intangible as I don’t feel its brand has lived long enough.

-2: Moderate to strong risks

There are strong operation risks, given that it operates in a highly sensitive industry, which can result in significant financial losses, potentially reaching billions when breaches are not stopped. The recent SolarWinds hack is estimated to cost up to $100 billion to recover from and has affected numerous parties. For smaller companies that have leaked confidential client data, a breach could mean the end of their business. Even if a company like Crowdstrike is brought in to remediate breaches, they, too, may become vulnerable in the future. In these situations, customers will only remember the lost trust, not past awards or accolades.

Finally, is CrowdStrike trading at a fair price? I think it is. Thus, no point is awarded here.

That makes 12/20 points.

I’m comfortable with the business quality, moats, and opportunity to reinvest in growth, but what’s missing is a point from valuation to make it investible today. Additionally, if I see further market share gains, particularly at the expense of Microsoft shares, then, CrowdStrike would get 13 points soon, at which point I would add more shares to my portfolio, provided valuation gives an additional layer of margin of safety. Let’s look at it next.

Valuation

CrowdStrike aims to reach $10B ARR in 5-7 years with 84% gross margin, 30% EBIT margin, and 36% FCF margin at the midpoint.

Growth will come from expansion to different solutions (Identity, Data security, etc.), geography (70% revenue is US based), partnering and expanding client base (23K vs. 150K Salesforce, 680K at Fortinet)

I recognize the untapped opportunity. Wall Street estimates revenue could hit $17B by 2033, or 22% CAGR growth. As I want to sleep well at night. I am only projecting $11B in revenue by 2033, or 16% CAGR growth. This also means CrowdStrike will underdeliver its revenue target by 3-5 years.

My conservative lens also assumes that in 2033, CrowdStrike would have:

• 28% EBIT margin

• 35% free cash flow margin

• 12% CAPEX and 2.5% dilution pa

With 10% WACC and 3% terminal growth. The fair value today is:

$37B or $160/share.

The stock is fairly priced.

Closing thoughts

CrowdStrike is my largest position, so I am not adding it here, but if I didn’t own it, the current level is tempting.

To review the previous write-up, please visit this link.

Links to other writeups are:

• The VAT Group - Vacuum valve monopoly +32% CAGR since IPO

• Shimano - Bike component monopoly +12% CAGR

• Floor and Decor - Future monopoly in hard-surface flooring +30% CAGR

• MIPS - Helmet safety monopoly +45% CAGR

• Thor Industries - RV monopoly +14% CAGR

• 7th SWI - Medical Device Monopoly +17% CAGR

Sleep Well Investments Score (25th Sept 2023)