CrowdStrike ($CRWD): the Archimedean Lever in Cyber Defense
In search of the one standout company that will outperform industry growth
The cybersecurity industry stands at the forefront of the digital age, safeguarding our increasingly interconnected world from the pervasive and evolving threat of cyber attacks. As industries continue to undergo digital transformation—embracing cloud technologies, supporting hybrid and remote workforces, and relying more on IoT devices—the digital attack surface expands. Cybersecurity measures ensure these transformations do not become liabilities, protecting data integrity, privacy, and operational continuity across various sectors including finance, healthcare, and infrastructure. Additionally, rising geopolitical tensions have heightened the need for nations to protect strategic infrastructure from hostile external threats at all costs.
Index
Cybersecurity gold mine
A platform built by Archimedes
The crowd-powered AI
Conclusion
Cybersecurity gold mine
The global cybersecurity market is witnessing robust growth, driven by the increasing frequency and sophistication of cyber threats. Recent analyses suggest the market was valued at approximately USD 200 billion in 2023, with projections estimating it could reach up to USD 600+ billion by 2032, growing at a compound annual growth rate (CAGR) of around 13-14%.
Furthermore, I expect the cybersecurity market to remain in expansion territory during economic downturns. While organizations will slow the pace of investments, they cannot afford to neglect their cybersecurity infrastructure or reduce protection levels, as doing so would expose them to disruptions with potentially catastrophic consequences for their business and finances.
With its resilience and strong growth potential, this is certainly an industry I want represented in my investment portfolio. My goal is to be invested in the one standout company that will outperform the projected industry growth.
Looking at Canalys Cybersecurity Market Pulse: Q2 2024, several companies stand out:
Palo Alto Networks ($PANW): An industry leader with its CTO as a co-founder, with a broad portfolio ranging from endpoint security to SASE.
Fortinet ($FTNT): Founder-led and a recognized industry leader.
Microsoft ($MSFT): Leveraging its ecosystem power, it's rapidly expanding its already dominant market share.
CrowdStrike ($CRWD): Founder-led and also quickly expanding its market presence.
Zscaler ($ZS): Founder-led and gaining market share at a fast pace.
In addition, two smaller companies also seem promising:
SentinelOne ($S): Founder-led and rapidly gaining market share.
Cloudflare ($NET): Another founder-led company with strong market momentum.
In this analysis, I will focus on CrowdStrike, comparing it with key competitors like Microsoft, Palo Alto, and SentinelOne. I will leave companies primarily focused on SASE, such as Zscaler and Cloudflare, for a separate analysis.
Here is how CrowdStrike itself describes the competitive landscape.
A platform built by Archimedes
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world," said Archimedes.
Think of CrowdStrike's lightweight agent as the fulcrum, its broad product portfolio and marketplace as the levers, and the vast range of cybersecurity use cases as the world to be moved.
Let me break down the metaphor, starting with the agent.
After the recent incident that led to a massive global IT outage, CrowdStrike's approach of using kernel-level access and cloud dependency has been criticized, now more than ever, for introducing unnecessary risks and potential instability, and for not adhering to practices that could offer similar security with less invasive or risky methodologies.
However, the advantages of this unique and innovative architecture may outweigh the disadvantages.
From the company's latest 10-K annual report:
Our single, lightweight-agent approach has changed how organizations experience cybersecurity, delivering protection without impacting the user, resources or productivity. With the lightweight agent installed on each endpoint and cloud workload, our Falcon platform automates detection and prevention capabilities in real time across our entire global customer base. This also enables our Falcon platform to intelligently ingest data once and stream high fidelity data back into the Security Cloud to be re-used for multiple use cases, …
George Kurtz, CEO of CrowdStrike, at the 2024 investor briefing:
We've integrated the agent. People get benefits. They simply just turn on that module and continue their business. It's allowed us to cement our leadership position in this space. It makes it easier for our sellers. It makes it easier for us to demo. If a customer has a requirement, we can simply turn it on and within minutes, they get access to the platform. It's the same as you get from any other module within CrowdStrike, which is very different to other multi-agent products, other competitive solutions. These solutions work on domain controllers. If you have to roll out an agent on a domain controller, it could take months to years to get the ability to do that. We don't have that friction in our selling motion.
Here’s how the lightweight agent functions as a fulcrum: it is easy to deploy and acts as a unique gateway to stream endpoint data to the CrowdStrike Security Cloud, where CrowdStrike modules are based. This seamless integration enables all platform modules and functionalities quickly and without friction. If a customer wishes to enable an additional CrowdStrike module, there is no need for any disruption to the endpoint. In short, the lightweight agent is what enables the platform.
If this architecture truly leads to superior platform scalability and easier cross-selling of additional modules and functionalities compared to competitors, I expect to see it reflected in the financial metrics. Since revenue growth becomes more significant as market share increases, I’ve compared CrowdStrike to its competitors by plotting each company's revenue growth against their absolute revenue figures over the past 10 years.
The results clearly confirm CrowdStrike’s superiority in growing its market share compared to SentinelOne, Palo Alto Networks and Fortinet, though Microsoft stands out as a remarkable outlier, achieving 30% growth despite having the largest market share.
Microsoft’s advantages over CrowdStrike are evident and mostly about distribution and ecosystem:
Integrated Solutions and Platform Approach: Microsoft leverages its extensive ecosystem (Windows, Office 365, Azure) to offer integrated security solutions that seamlessly work across its products, providing a convenient option for businesses already using Microsoft software.
Product Diversification: Microsoft offers a broad range of security services beyond just endpoint security, including identity management and cloud security, appealing to organizations looking for comprehensive security solutions from a single vendor.
Global Infrastructure and Support: With a worldwide presence, Microsoft provides robust support and service availability, which is especially beneficial for global enterprises requiring consistent support across multiple regions.
Returning to the Archimedes metaphor, CrowdStrike’s ever-broader product portfolio, along with its recently launched marketplace, serves as the lever that capitalizes on its frictionless architecture to quickly sell and deploy additional modules for each customer.
Over the past few years, CrowdStrike has solidified its leadership in endpoint security and significantly expanded into cloud security, aligning with the industry's shift toward cloud environments by providing specialized solutions that now contribute meaningfully to its revenue growth. By continuing to invest in expanding its portfolio, the company expects its total addressable market (TAM) to grow from $100 billion in 2024 to $225 billion by 2028.
Moreover, in 2023, CrowdStrike adopted an ecosystem approach with the launch of the CrowdStrike Marketplace, which now features over 260 listings from 140 technology partners, enhancing integration and interoperability with other security and IT tools.
Burt Podbere, CFO of CrowdStrike, highlighted the success of the company’s extensive product portfolio during the last Q2 earnings call:
Subscription customers with five, six, and seven or more modules represented 65%, 45%, and 29% of subscription customers respectively.
Notably, deals with eight or more modules grew by 66% over the prior year…
The evolution of CrowdStrike's solutions portfolio reflects a broader industry trend towards integrated, cloud-native security platforms that offer comprehensive protection across different vectors of cyber threats. Their focus has been on expanding capabilities, enhancing user experience through a unified platform, and ensuring scalability and adaptability to new threats, aligning with the growing complexity of cyber threats and the digital transformation of businesses.
In other words, CrowdStrike is positioning its cybersecurity platform to reduce customers’ complexity by consolidating redundant and legacy point products.
During this year’s Q1 earnings call, George Kurtz, CEO of CrowdStrike, highlighted how they are replacing competitors and helping customers save money:
A recent IDC report quantifies CrowdStrike's extreme cost savings. For every $1 invested in Falcon Solutions, our customers recognized $6 of cost savings.
He further explained:
Applying IDC's analysis would imply Falcon Flex has assisted customers in saving more than $3 billion that would have been spent on other products. Now that's extreme cost savings and indicative of the platform momentum we are seeing with new and existing customers.
Kurtz also shared a specific example:
A seven figure deal in a Fortune-100 healthcare company who was using Microsoft and experienced a breach. Our industry leading IR team deployed more than 46,000 sensors in days stopping the adversary, restarting business, and importantly keeping this business out of promotional vendor fanfare.
This customer immediately adopted Falcon Complete, Identity, Falcon Cloud Security, LogScale next-gen SIEM, and Charlotte AI. In addition to removing Microsoft security products, they were able to move off their vulnerability management vendor and their legacy SIEM too.
The consolidation outcome, 75% reduction in agent footprint by consolidating to our single agent and a 700% improvement in mean time to detect and respond, taking average alert triage times from four-plus hours down to minutes. We stopped the breach, displacing more than three vendors along the way and now this customer experiences not only lower TCO but also cybersecurity outcomes they hadn't thought possible.
To further enhance the effectiveness of its cross-selling efforts, CrowdStrike recently introduced Falcon Flex, which, in the Archimedes metaphor, can be seen as the lubricant for the lever. It is a flexible licensing model, designed to provide customers with adaptable access to the company's comprehensive suite of cybersecurity modules:
Flexible Access: Customers can choose which modules they need and deploy them as required, allowing for a tailored approach to cybersecurity based on specific organizational needs.
Cost Efficiency: The model enables businesses to commit to a set dollar amount, providing pre-negotiated discounts across the platform, ultimately optimizing their total cost of ownership (TCO) while enhancing security outcomes.
Immediate Utilization: Organizations can immediately access and use the modules they require, with the option to add more as their needs evolve.
Having more customers using multiple modules should also improve retention rates: the more use cases a vendor covers, the less likely a customer is to switch providers. With a best-in-class 98% gross retention rate and over 119% annual dollar net retention, it’s hard to imagine CrowdStrike improving much further in this regard. However, I expect these strong retention metrics to remain solid for the foreseeable future.
When I think of a platform, I envision a system with significant economies of scale, capable of sustained growth and increasing efficiency over time. To assess how CrowdStrike is performing against its competitors, I chose to analyze revenue per employee. Comparing cash flow or earnings could be misleading, as companies may be at different stages of their investment cycles, prioritizing growth over profit, or vice versa.
What interests me most here are the trend lines, as they reveal which companies are gaining efficiency and which are falling behind. It’s clear that CrowdStrike and SentinelOne are the winners, steadily closing the initial gaps with Fortinet and Palo Alto.
The crowd-powered AI
From the company's latest 10-K annual report:
The expansive amount of high fidelity data crowdsourced and captured in our Security Cloud enables the continuous training of our algorithms. We call this cloud-scale AI. Our technology is uniquely effective because we not only have a massive amount of high fidelity data to continuously train our AI models but also because we couple that data with deep human cybersecurity expertise, which supports our industry-leading efficacy and low false positives.
By analyzing and correlating information across our massive, crowdsourced dataset, we are able to deploy our AI algorithms at cloud-scale and build a more intelligent, effective solution to detect threats and stop breaches that on-premise, cloud-hosted and hybrid products cannot match due to the inherent architectural limitations those products have with respect to data storage and analysis. The more data that is fed into our Falcon platform, the more intelligent the Security Cloud becomes, and the more our customers benefit, creating a powerful network effect that increases the overall value we provide.
Non cloud-native solutions cannot compete
If confirmed, this represents a highly powerful AI flywheel, especially considering that the effectiveness in stopping cyber threats should be the top priority when choosing a cybersecurity tool. A successful attack on a company can completely outweigh the total cost of ownership of the chosen cybersecurity platform.
MITRE Engenuity is a nonprofit independent organization that collaborates with government and industry to accelerate innovation and solve complex challenges. The findings of MITRE Engenuity from the MITRE ATT&CK Evaluations released on June 11, 2024, seem to confirm CrowdStrike's superiority.
“In collaboration with the 11 providers who participated in this round of ATT&CK Evaluations Managed Services, we rigorously and transparently tested services against two well-known and prolific adversaries,” said William Booth, general manager, ATT&CK Evals, MITRE Engenuity.
Here is a summary of the results:
CrowdStrike generally detected more threats in less time than Microsoft, Palo Alto and SentinelOne.
CrowdStrike’s superior effectiveness, as we've seen, stems from its single, lightweight-agent architecture, which relies heavily on endpoint data combined with crowdsourced data processed in the cloud to stop cyber threats.
This foundational competitive advantage has allowed the company to aggressively gain market share in recent years. If competitors were to adopt a similar approach, it wouldn’t be straightforward. It represents a paradigm shift that requires significant investment to overhaul products and education of the customer base—something that doesn’t happen overnight.
While CrowdStrike’s competitors are certainly using AI to enhance threat detection and response, their approach is different and more limited in terms of data sources. For example, SentinelOne primarily relies on behavioral AI to analyze user and application behavior, detecting anomalies that may indicate threats. In contrast, CrowdStrike leverages AI and machine learning across its entire customer base, enabling real-time analysis and sharing of threat intelligence across multiple endpoints and customers. This suggests that CrowdStrike uses aggregated data from its customer base to continuously improve threat detection and response capabilities.
Even if competitors were to shift to a similar approach, CrowdStrike would still have the advantage of years of AI model training.
Conclusion
With zero net debt, CrowdStrike's free cash flow per share is the ultimate proof that its competitive advantage has translated into strong financial results. Over the past three years, this metric has increased by 151.29%, representing an impressive 36% compound annual growth rate (CAGR).
For comparison, the second best is Palo Alto with a 96.72% increase, or a 25% CAGR.
CrowdStrike has a strong competitive moat, primarily driven by its superior use of AI to detect and stop cyber threats.
Last July, the company experienced a significant incident when it distributed a faulty configuration update for its Falcon sensor software, which operates on Windows PCs and servers. This update led to a massive global IT outage, causing approximately 8.5 million systems to crash worldwide.
CrowdStrike's response to the July 2024 incident highlights a focus on rapid recovery, strengthened testing protocols, independent reviews, and long-term improvements to prevent similar issues in the future. These actions demonstrate a commitment to maintaining customer trust and enhancing the operational resilience of their cybersecurity solutions.
Additionally, the company introduced a Customer Commitment Package to address concerns and reinforce relationships. By offering financial credits, extended subscriptions, and improved engagement strategies, CrowdStrike aims to reassure its clients while positioning itself for long-term growth despite short-term challenges.
Although management’s guidance in the Q2 earnings release remained strong, more clarity will come with the Q3 earnings report, when the financials may start reflecting the incident's impact, and management will have a clearer understanding of its consequences.
While I anticipate short-term pressure on revenue growth and margins, I do not expect the incident to have long-term consequences on CrowdStrike's growth story. If the foundational competitive advantage described here is genuine, an incident like this—though severe—does not undermine the overall thesis. CrowdStrike's solution remains highly effective, and the weaknesses will be adequately addressed by the remedial actions taken.
For now, CrowdStrike remains one of my largest positions, as I wait to reassess the thesis after the upcoming earnings report.