UPDATED 11:14 EDT / MARCH 09 2024

Why CrowdStrike is separating from the cybersecurity pack

It has been an interesting month in the cybersecurity space. The sector has been somewhat less affected by budget tightening these past 24 months and at the same time has benefitted from AI tailwinds.

But in the past several weeks we’ve seen some separation in key highflying cybersecurity names. Specifically, Palo Alto Networks Inc. shocked the Street last month with a $600 million billings forecast surprise and sounded the alarm that there were cracks in its consolidation execution. This dragged down other consolidation players in sympathy, namely CrowdStrike Holdings Inc. and Zscaler Inc.

But our research shows that the dynamics facing these three companies are quite different. Of particular note, CrowdStrike’s earnings print highlights the company’s impressive momentum, while recent negativity around Zscaler is a bit of a head-scratcher for us, which we’ll try to explain.

In this Breaking Analysis, we take a more narrow look at the information security business and dig deeper into the continued success of CrowdStrike. With recent survey data from Enterprise Technology Research, we continue to advance our premise that platforms beat products and we identify several levers that are powering CrowdStrike’s path to $5 billion in annual recurring revenue by fiscal year 2026 and to $10 billion by the end of the decade.

Four months of divergence

Since early 2022 and into most of 2023, CrowdStrike, Zscaler and Palo Alto Networks all exhibited fairly high-quality performance, trading in a similar pattern (notwithstanding a couple of speed bumps early last year for Zscaler). As well, through the second half of 2023 they significantly outperformed the Nasdaq, as shown in the orange line above. In fact, on Feb. 15, the week before Palo Alto’s earnings, CrowdStrike was trading at 157% above its March 8, 2022, level. Zscaler was up 120% and Palo was up 95%, while the Nasdaq was up only 37%.

Palo Alto’s reduced outlook shocks the Street

On Feb. 20, after the close, Palo Alto announced its earnings. Although it beat expectations, investors, normally used to Palo’s consistent and predictable performance, heard about a delayed or perhaps lost government contract that took down FY ’24 billings guidance by $600 million at both ends of the previous guide range. This will directly hit the income statement going forward and, not surprisingly, took the stock down more than 100 points.

You can see in the corrected tweet above, the day after the earnings print, this billings shortfall was part of the guide and not the current quarter. Thunderdome is the zero-trust network architecture project of the Defense Information Systems Agency, or DISA. Palo Alto had reallocated significant resources to the project given the likely event that it would get the deal. But as we’ve seen with other large government contracts such as JEDI, things can change quickly.

So we wanted to understand what the spending data was telling us. The chart above from ETR shows Net Score or spending momentum on the vertical axis and Pervasion or account penetration in more than 1,700 respondent accounts on the horizontal axis. This is the cybersecurity sector and we’ve cherry-picked some of our favorite names and several that compete with CrowdStrike, Palo Alto Networks and Zscaler.

Broader security market feeling the macro pinch

What’s interesting is that if you look at a basket of cybersecurity stocks such as those in the BUG ETF, you’ll see that, unlike CrowdStrike, Zscaler and Palo Alto, the broader group has traded much more closely with the Nasdaq and fell behind after the Palo Alto earnings announcement. And you can see by the squiggly lines on the chart above, the entire group, including our three consolidators, has been pushed down since January 2022, the beginning of the time series shown.

The one exception is Microsoft Corp., which continues to be ubiquitous as the “good enough” security company. Many will say good enough is not good enough in cybersecurity and the Russian hack that infiltrated Microsoft’s own internal systems should cause concern for its external customers.

The point is, in looking at this data, we thought maybe the combination of AI sucking up budget and continued macro headwinds would have an impact on the entire sector, including highfliers like CrowdStrike and Zscaler. But we wanted to keep digging.

Spending ‘fatigue’ sends a shock to the system

The other major topic on the Palo Alto call, and in subsequent discussions at various financial conferences, was the comments from Palo Alto’s CEO, Nikesh Arora.

The part that is new, despite the many demand drivers we’re seeing, we’re beginning to notice customers are facing spending fatigue in cybersecurity. – Nikesh Arora, CEO Palo Alto Networks; 2/20/24

Now we have some other data that we’re showing above that tells the story in a bit more detail from the customer angle – a chief information security officer at a midsized services company speaking on an ETR roundtable hosted by Erik Bradley.

The pain points that I’ve had with Palo have always been, once they figure out what to sell you, they’ll try to figure out how to sell you more…. And what you buy from Palo for two or three years is fine, and then all of a sudden now you got to spend more to get kind of where you were. They’ve done that over and over again, and I think people are quite honestly just tired of that. – VP IT and CISO midsized firm 2/16/24

The other bombshell from Palo Alto’s earnings was that spending fatigue was making it difficult for it to convert customers to its full platform. The problem they cited is that customers have existing licenses for legacy point products that haven’t expired and/or they’re not willing to risk taking on all the modules in a consolidation play at once. So Palo Alto began offering free trials to bridge customers as these licenses expire and to give time for the customer to absorb the budget hit.

This introduces an entirely new dynamic for Palo Alto where the timing of consolidation revenue is a function of existing license expiry, customer absorption capacity for new modules, the complexity of onboarding those modules and the overall impact all this has on conversion from free to paid.

Consolidation is waning across IT: What does it mean for cyber?

Of course, free trials are not a new tactic, but this is a recent dynamic that we wanted to investigate more deeply.

The graphic above shows the percent of more than 300 customers actively cutting budget that said consolidating redundant vendors was the primary means of cutting costs. Note the steep decline from 36% of customers in January 2023, down to 12% one year later.

You can see in the Tweet that this doesn’t necessarily mean CrowdStrike and Zscaler will be hit in a similar way because their history is much different from Palo Alto. Palo started as a hardware company, pivoted to software and has entered many new markets by stitching together numerous acquisitions. Very successfully, by the way, but definitely a heavier transformation challenge than CrowdStrike and Zscaler. Those two companies are also very acquisitive but they had a much less complicated path to the cloud than did Palo Alto, which struggled with its cloud transformation, as we reported earlier this decade.

Zscaler beats, raises, and the stock drops

We were watching these trends closely and waiting for ZS and CrowdStrike to announce earnings. Zscaler announced earnings on the last day of February and despite a strong print the stock has been under pressure. Was it spending fatigue? Evidently not, as CEO Jay Chaudhry explained:

We really do not see any cyber spending fatigue among our customers. In fact, many of the CIOs that told me that cyber is a priority for spend. But they do have ELA fatigue because a lot of stuff has been becoming shelfware and it’s being scrutinized. Regarding free stuff, many vendors have been trying to give it away for a while and we have been successfully winning against this strategy for a long time. – Jay Chaudhry, CEO, Zscaler

So why was the stock under pressure? Analysts cited concerns about billings being below the high end of the range, back-loaded guidance and difficult compares in the back half. As well, Zscaler is really the only pure-play vendor in the SASE segment. SASE stands for secure access service edge and is a capability that converges network and security as a service. It includes software-defined wide-area network and cloud-native security functions such as gateways, brokers and firewalls as-a-service and is part of a comprehensive zero-trust network access framework.

Zscaler signaled that it is spending aggressively on go-to-market to secure a moat as a pure play in the field. Although the company is increasingly relying on larger deals to hit its targets, generally, we like this type of capital allocation because it will pay dividends down the road. But Wall Street is cutting estimates as a result of these factors and that is what we think is pressuring the stock.

At least that’s the explanation that makes sense to us. But we always like when a company has conviction and invests in research-and-development and go-to-market expansion.

Then CrowdStrike announced

The analyst community was eagerly anticipating CrowdStrike’s earnings and wow, did they get a gift:

$3.44 billion ARR, 34% year-over-year growth.

Improved operating margins and free cash flow margins and an impressive 66 in the “Rule of 40” calculation – that is, FCF margin plus growth.

True platform expansion beyond endpoint

The metric that is getting investors excited about CrowdStrike is its expansion beyond core endpoint.

Twenty-five percent of its $850 million Q4 ending ARR came from modules outside endpoint. That’s double the non-endpoint ARR year-over-year. Specifically cloud, identity and next-gen security information and event management were the areas the company cited contributing the most to this growth. The company’s goal is that by the end of the decade, the non-endpoint parts of CrowdStrike’s business will comprise half of a $10 billion ARR.

This is the power of a platform. CrowdStrike’s chief financial officer said that new customers are averaging almost five modules when they come on the platform, with the number of customers deploying five, six, seven and eight or more modules growing consistently.

CEO George Kurtz is fond of saying these three businesses, cloud, identity and next gen SIEM are each, in and of themselves, IPO-able. Impressive.

George Kurtz seizes the moment

Now if you know George Kurtz, and we’ve gotten to know him a bit over the last few years, he doesn’t miss a chance to cross the finish line first. Here’s what he said on the earnings call.

… What organizations inevitably realize is that vendor lock-in leads to deployment difficulties, skyrocketing costs, and subpar cybersecurity.

The outcome is shelfware and sunk costs. ELA and bundling addiction become the only way to coax customers into purchasing non-integrated point products. It’s the organizations trapped in these fragmented pseudo platforms riddled with bolt-on point products that are the ones suffering from fatigue. – George Kurtz, CrowdStrike CEO, 3/5/24

Dell deal starting to produce results for SMB

One other nugget from CrowdStrike’s quarter is the deal with Dell Technologies Inc. targeting small and midsized businesses. CrowdStrike said that its Dell partnership has produced $50 million of total deal value. Though that’s not a lot, this is early days. Dell is standardizing on CrowdStrike Falcon to build its managed detection and response, or MDR, services for small and midsized customers.

There’s a neat capability in the ETR data set that allows us to investigate the overlap in Dell accounts with CrowdStrike.

The chart above shows 314 Dell accounts, and you can see we’ve selected its PC products (this deal was done between Daniel Bernard, CrowdStrike’s chief business officer, and Sam Burd, Dell’s president of CSG, that is, the PC group). It shows Net Score or spending momentum on the vertical axis and CrowdStrike’s Overlap in those 314 Dell accounts on the horizontal plane. This is only SMB accounts.

You can see we’ve plotted the trajectory over the past two years. And it tells an interesting story. Specifically CrowdStrike back in 2022 had 30 Dell SMB accounts or a 15% overlap in the data set with a very robust Net Score of 67%. Remember anything over 40% is considered highly elevated. But two things happened over the course of two years:

  • CrowdStrike’s Net Score in these accounts plummeted, signaling to us a problem. The metric bottomed late last year. Perhaps SMBs found it too complicated to deploy and manage their own CrowdStrike instances. Or maybe they felt the price was too high. But clearly something needed to change. These two companies got together last year.
  • The second change is that CrowdStrike’s penetration went from 30 Dell SMB accounts to 73 with 23% overlap, up from 15%. And while CrowdStrike’s Net Score in Dell SMB accounts went from 67%, or 11 points above the CrowdStrike survey average, to 38%, or 10 points below CrowdStrike’s average, it tells us that the company took action to solve whatever problem it was facing and is now in a much stronger position to compete in the SMB space.

We see significant upside here.

Why CrowdStrike is thriving

Let’s wrap by looking at some of the critical success factors that are powering CrowdStrike’s outstanding execution.

First of all, it’s a true platform company. We’ve said many times, platforms beat products. CrowdStrike’s platform comprises a single lightweight agent, and it’s the same agent for all the modules. It also has agentless capabilities.

This enables it to create a unified data model and a single platform, not a collection of modules that have been bolted together. For years, CrowdStrike has leveraged advanced knowledge graphs and purpose-built data stores, which apply very nicely in security.

This high-quality data supports the company’s artificial intelligence strategy and will affect its entire business. Many companies today are “AI washing.” CrowdStrike is not one of them. It has been in AI for over a decade. We reported on this a couple of quarters ago, showing its AI journey since 2011 – and we think it’s legit.

CrowdStrike is founder-led, and very much mission-driven. We’ve talked about the importance of founder-led companies before. You think about Dell Technologies, you think about Oracle Corp., these are mission-driven companies. Of course, CrowdStrike’s mission is to stop the breach, which is aspirational and virtually impossible. But that’s the mindset – move faster because the adversary is compressing the time to get in, take valuable assets and get out.

CrowdStrike is cloud-native. It really pivoted heavily to the cloud at a point where that was not as much of a heavy lift as it was for Palo Alto, for example. Of course, Zscaler has always been in the cloud, but CrowdStrike made those investments early on because it saw the opportunity in cloud.

As well, as we pointed out with the ETR data, we see significant upside in SMB with the Dell relationship. This is important because SMBs need help and don’t have the resources to defend themselves adequately. And Dell knows how to help SMBs at value price points.

CrowdStrike saw the clear opportunity to bring security to the cloud. We haven’t talked in-depth about AI, but CrowdStrike is a true AI practitioner – as are many cyber firms by the way – but CrowdStrike has real AI chops and has begun shipping its Charlotte Gen AI, which we believe will transform the security analyst experience.

CrowdStrike is executing on a true platform play better than any firm in the cyber market in our view. Its main competitor is Microsoft, and by all accounts CrowdStrike has a superior offering.

That said, some customers tell us they’re priced out of CrowdStrike and they are forced to go with good enough. But in cyber, more than any other market, the return on investment is much less a function of the capital expenditure and operational expenditure costs. While those costs are vital to any ROI calculation, the value of cybersecurity is a reduction in risk and the corollary expected loss in revenue, cost and reputation. If a company can also lower the cost of cybersecurity through consolidation, as CrowdStrike (and Zscaler) are effectively doing, then that is an added bonus and frees up more investment dollars.

Cyberthreats continue to escalate and the probability of a breach is now near 100%. Reducing the impact of a breach, by either stopping the breach (CrowdStrike’s stated mission) or responding as fast as possible, is the key driver of ROI, and generally organizations will find it’s worth every penny.

Keep in touch

Thanks to Alex Myerson and Ken Shifman on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight, who help us keep our community informed and get the word out, and to Rob Hof, our editor in chief at SiliconANGLE.

Remember we publish each week on theCUBE Research and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email david.vellante@siliconangle.com, DM @dvellante on Twitter and comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from theCUBE Research and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai or research@siliconangle.com.


All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of theCUBE Research. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.
