CrowdStrike's Possible Yellow Card or Opportunity?
ARR growth and retention declined for 2 Qs hinted at lasting IT outage impact. Cloud security and Identity also slowed. George Kurtz justified it as a strategic shift. Can we trust him?
Hi sleep-well friends,
CrowdStrike (CRWD) is my first Sleep Well pick and the most tracked business in my Sleep Well Portfolio. Last year's IT outage rattled investors, and Q4 ’25 shows lingering impacts.
So, today, I will dig deep to help you determine if CrowdStrike is still a sleep-well investment after 2 quarters of uncertainty.
CrowdStrike claims to have the most scalable agent architecture. A leader in endpoint security, it reuses all the data collected on the assets (phones, PCs, etc), security telemetry, and users to create new security products. Revenue and free cash flow grew by 71% and 100% in the past seven years, backing up the claim. It has handsomely beaten its direct peer, Sentinel One, and is shoulder-to-shoulder against Microsoft’s Defender. It also counts the best in cloud security (Zscaler), identity (Okta), and network (Fortinet) as partners.
CrowdStrike suffered a setback from last July’s IT outage; its share fell 50% to $200/share from $400/share. Management responded expertly with customer commitment packages and minimized the legal damage. The incident also showed how prevalent CrowdStrike was to the world. We took a position at $205/share, up 70%.
However, eight months have passed, and given the back-to-back decelerating ARR and net dollar-based retention rate, we suspect a lasting impact.
CEO George Kurtz linked it to the strategic shift to FalconFlex, which aimed to extend customers’ contract length and platform adoption (vs. module adoption).
Can we trust him? The stock fell 20% from its recent high but is still 70% above last July's low. Will it continue to fall, or is this an opportunity to add?
For a complete picture, read my extended coverage of CrowdStrike below:
Q3’25 business update - Dec 2024
CrowdStrike + Fortinet partnership - Nov 2024
Deep review of the IT outage damages, purchase note at $205/share, Aug 2024
Initial review of IT outage, bought Fortinet as a hedge, July 2024
Lofty valuation, trimmed Crowdstrike, Jun 2024
Q1’25 review, Mar 2024
Fal.con review, Oct 2023
Deep-dive in 2021 (pre-sleep-well framework).
First note in 2020
Core thesis
If you don’t know CrowdStrike, the following paragraphs explain why it has been a core position in my portfolio since 2020 and the Sleep Well Portfolio since last July.
CrowdStrike is a cloud-native cyber security platform driven by AI. Its modern architecture allows data collection at scale, centrally storing it in the brain, which CrowdStrike calls the Threat Graph. The data then trains the algorithms on these vast amounts of high-fidelity data and develops into the legs and arms to do various services, which CrowdStrike calls the Falcon Platform. It had ten modules at IPO and has grown to 29 today.
The diagram below categorizes the 29 modules into endpoints security (desktops, laptops, servers, mobile, and IoT devices), where it is the category leader. For the last few years, as more customers were onboarded, the data collected in the Threat Graph has enabled the Falcon Platform to expand to cloud security (protects cloud-based infrastructure, workload, applications, and data), identity, SecOps, and others.
Today, CrowdStrike is generating > $4B Annual Recurring Revenue, a 71% 7-year revenue CAGR, and an 88% 7-year free cash flow per share growth! As cybersecurity becomes more and more mission-critical in our digital world, the company has a long road ahead.
I link the S-1 document at IPO here if you want to learn more about the technical side. It delves deeper into the business's architecture and history.
CrowdStrike Q4’25 - slight concern
Crowdstrike ended the year with a $4.2B ARR and reported 48%, 32%, and 21% of customers with 6+, 7+, and 8+ modules. The number has consistently grown since their first disclosure in 2018, proving the Falcon platform remains sticky. These are the core stats that I track. Customers may leave for many reasons but stay for one; CrowdStrike works.
However, I see a slight concern.
The net new ARR dropped for the second time, -22% YoY in Q4’25, after a -40% drop in Q3’25.
Gross retention also dropped to 97% from 98%, and the net dollar-based retention rate dropped to 112% from 119% last year and 115% last quarter.
Moreover, new categories, cloud security, and identity growth have markedly decelerated to 45% and 20%, from 80% and 70%, in previous quarters.
The decelerations above make me question if the IT outage is a long-term problem. Let’s explore.
IT outage impact, a longer-term structural issue?
Don’t miss out on my latest sleep well pick and my two US tariff-resistant businesses.
