CrowdStrike is a fast-growing, innovative cloud security company in a highly fragmented market with massive tailwinds. The company is fast-growing, but valuation is still a concern. I rate CrowdStrike a hold here. The company was the first mover in the next generation of cloud platforms: After Salesforce (CRM) with CRM software in 1999, ServiceNow (NOW) with service management in 2004 and Workday (WDAY) with HR in 2005, CrowdStrike has introduced the world to the security cloud in 2011.
The cloud-based cyber security market is still highly fragmented, offering lots of opportunities for companies like CrowdStrike to gain market share. In the graphic below you can see that they went from 3.3% in 2018 to 9.2% in 2020 for the corporate endpoint security segment.
In the following article, I’ll go over industry tailwinds and I’ll assess the last earnings based on my Software as a Service (SaaS) checklist.
A Huge And Growing TAM To Support Growth
According to Fortune Business Insights, the global Cyber Security market is expected to grow from $165.8 billion in 2021 to a gigantic $366.1 billion by 2028, representing a stunning 12% compound annual growth rate (CAGR). To more accurately establish CrowdStrike’s TAM, we have to look at their niche: Cloud-based Cyber Security. Fortune Business Insights estimates the Cloud (Cyber) Security market to grow from $29.26 billion in 2021 to $106.02 billion by 2029, representing an 18.1% CAGR, even more impressive than the already fast-growing total Cyber Security market. In the graphic below, you can see that Cloud Security is expected to grow from 17.6% to 25.9% of the total Cyber Security market by 2029. As companies move their operations into the cloud, so does their security.
Ukraine Crisis Brings Cyber Security To The Top Of Mind
With the Russian invasion of Ukraine, a new focus is set upon new forms of warfare. Especially cyber warfare and cyberattacks are on people’s minds. For example, the Biden administration is calling for a new focus on cyber security to secure important organizations.
Furthermore, according to CrowdStrike’s 2021 Thread report, the amount of ransomware-related data leaks increased by 82% year over year. On top of that, we recently saw 2 large exploits and hacks with the Log4Shell exploit (estimated up to $10 billion in damages) and the Okta hack(up to 15000 organizations’ data affected). All of these factors brought Cyber Security onto companies’ minds and will accelerate the increase in Security budgets and thus customer spending for CrowdStrike.
SaaS Checklist Of The Last Earnings Report
I have a checklist of factors to look at for SaaS companies, so let’s take a look at the last earnings report and see how CRWD is performing regarding:
- Retention rates
- Multi-product customers
- Number of modules
- Rule of 40
SaaS businesses need to have high retention rates. We’ll take a look at both the Gross retention and the Net retention. The Gross retention rate says how many existing customers are still with the company, so new customer wins aren’t included here. The inverse of this number is the customer churn. As we can see in the graphic below, CRWD has been able to hold steady gross retention between 97% and 98% for the last 15 quarters. These are outstanding numbers. It means that the churn rate never exceeded 3% during this time. A 2%-3% churn leads us to an expected customer lifetime of 33-50 years with the company.
Next is the Net retention rate. This metric shows us how much an existing customer is paying compared to last year. Net retention should always be above 100%, otherwise you’re in trouble. CrowdStrike has a benchmark of 120%, which they have been able to exceed for 16 consecutive quarters. The current NRR of 123.9% is a very healthy number. Retention rates: Check.
An important way to grow revenues for a SaaS business is to upsell existing customers with more and more products and services. This not only increases the revenue per customer but also increases stickiness. A customer that built his entire cyber security strategy around a handful of CrowdStrike products will be hard to convince to use another service provider for additional needs in the future. In the graphic below we can see that CrowdStrike over the last two and a half years did an excellent job of converting existing customers to more products and services. Customers with 4 or more Modules went from 50% in fiscal Q2 20 to 69% in Q4 22. Customers with 5 or more Modules also had an impressive runway, growing from 30% in Q3 20 to 57% in Q4 22. Finally, customers with 6 or more Modules increased from 22% in Q4 21 to 34% in Q4 22. Everything is going according to plan for CrowdStrike regarding upselling.
Number Of Modules
To upsell existing customers with new modules, of course, CrowdStrike has to continuously develop more modules. In the IPO prospectus in 2019, CrowdStrike had 9 Modules in 4 different sections. In Q4 22 they had 23 Modules in 9 different sections. So we can see that over the years CrowdStrike managed to significantly increase its product offering. A few new additions were announced in Q4:
- The Falcon XDR Module, a Module to extend their leadership in endpoint detection and response capabilities was introduced.
- The Falcon Identity Threat Protection Complete Module was introduced, an extension to the Falcon Complete managed services package.
- Launch of Falcon Zero Trust Assessment on macOS and Linux.
Another check on the checklist.
Rule of 40
The rule of 40 is a metric to see if a SaaS company is growing healthily. The rule is calculated by adding the growth rate to the profit margin. There are different versions of the rule of 40, depending on the type of profit margin used. CrowdStrike uses the Non-GAAP Operating margin, but I prefer to use the Free Cash Flow margin.
In Q4 22 CRWD had a 63% revenue growth and a 29% FCF margin. This leaves CrowdStrike with a mindblowing 92! As the name suggests, the goal of the rule of 40 is to exceed a score of 40. We have to keep in mind though, that on a Net income basis the calculation would look differently. CrowdStrike currently has a net income margin of -16%. Which would leave us with 47, still beating the rule of 40.
CrowdStrike guided with around $2.15 billion of revenue in FY 23, a 48% revenue growth. This continues their trend of deceleration over the last few years. We have to keep in mind that a 48% revenue growth still is massive, but growth rates fell from 110% in 2019 to a projected 48% in 2022. For a fast-growing company like CrowdStrike, I like to look at Enterprise Value(EV)/Sales and EV/Gross profit. Because CrowdStrike is already Free Cash Flow positive, I’ll also look at the EV/FCF yield. During the height of the Covid hyper-growth bubble, CrowdStrike traded at 45 times forward sales and 95 times trailing gross profit. Multiples contracted around 50% to 24 times and 49 times respectively, which is still too expensive for me. I would be interested in initiating a position if we can see the stock around 15 times forward sales or 30 times gross profit. On a Free Cash Flow basis, the stock also isn’t cheap with a 0.87% yield.
CrowdStrike is an excellent business that is establishing a moat and has strong industry tailwinds. The company does an excellent job to retain and grow customer relationships. CrowdStrike is on my watchlist and right now would be a hold if I already owned shares. If we see lower multiples, either through a market selloff or an acceleration in growth, I’d be interested in initiating a position.