CrowdStrike IPO | S-1 Breakdown

Alex Clayton
May 20 · 13 min read

Company Overview

CrowdStrike Holdings, or CrowdStrike, filed for a $100M IPO with Goldman Sachs leading the offering. The $100M dollar amount is a placeholder and it’s likely they will raise significantly more. The company plans to trade on the Nasdaq under the symbol “CRWD”. CrowdStrike is a leading cybersecurity company with a mission to protect their customers from breaches. With their Falcon platform, the company says they have created the first cloud-native security solution that can protect workloads across any environment, and is underpinned by two main pillars 1) an intelligent lightweight agent and 2) their cloud-based graph database called Threat Graph. CrowdStrike believes they have created a new category called the “Security Cloud”, with the aim to transform the security industry much like what has happened to other industries like HR, CRM, etc. The company calls out the tectonic shift to the cloud, workforce mobility, growth in connected devices (which in many cases are outside the traditional security perimeter), along with the continuous sophistication of adversaries attacking this ever increasing digital surface area as trends demanding a new, cloud-first approach to cybersecurity, such as their Falcon Platform. CrowdStrike has grown rapidly to date and has 2,516 subscription customers globally (as of Jan-19) which include some of the world’s largest companies. The company was founded in 2011 and launched its first endpoint security product in 2013. CrowdStrike is based in Sunnyvale, California and has 1,455 full-time employees.

Below is a list of company milestones from the S-1:

  • July 2012: We launched our threat intelligence product.
  • June 2013: We launched our EDR capabilities as a single solution.
  • August 2013: We launched our threat hunting cloud module.
  • August 2015: We were named 2015 Technology Pioneer by World Economic Forum.
  • August 2016: We were named to the 2016 Inc. 500–5000 list.
  • February 2017: We launched our full next-generation antivirus cloud module.
  • February 2017: We launched our IT hygiene cloud module and our multi-SKU go-to-market strategy.
  • May 2017: We were named to CNBC’s 2017 Disruptor 50 list.
  • July 2017: We launched our malware search cloud module.
  • November 2017: We launched our sandbox and vulnerability management cloud modules.
  • April 2018: We received the SC Award for Best Security Company for the second year in a row, as well as for Best Enterprise Security Solution, and also launched our Falcon Complete cloud module.
  • August 2018: We launched our device control cloud module.
  • September 2018: We received FedRAMP authorization.
  • September 2018: We were ranked number six in Forbes Cloud 100 List (second consecutive year on list).
  • October 2018: We were named to the Fortune Best Companies To Work For list (second consecutive year on list).
  • February 2019: We launched the first open cloud-based application platform for endpoint security and the industry’s first unified security cloud ecosystem of trusted third-party applications.
  • March 2019: We announced the first enterprise EDR solution for mobile devices, which we expect will be commercially available later this year.

Product Offering

Source: Company S-1

CrowdStrike’s Falcon platform is a security solution capable of protecting workloads irrespective of environment and works across a variety of endpoints such as laptops, desktops, servers, virtual machines, and IoT devices. The two main pillars are a lightweight endpoint agent, which occupies less than 35 megabytes of storage space and supports Windows, Mac and Linux operating systems, and a database called Threat Graph. CrowdStrike processes data from endpoints, which they crowdsource from their entire customer base, and use AI and behavior pattern-matching to stop breaches. In early 2017 the company moved away from a single offering into 10 cloud modules, all subscription-based. CrowdStrike has been successful in upselling modules and as of Jan-2019, 47% of subscription customers have bought 4+ modules. Unfortunately, there is no breakout of revenue or ARR by product but I suspect that most of their revenue is from the endpoint security products. Below are descriptions of the categories and cloud modules:

Endpoint Security

  • Falcon Prevent; Next-Generation Antivirus: Provides next-generation antivirus capabilities, delivering comprehensive protection to defend customers against both malware and fileless attacks. Falcon Prevent replaces legacy antivirus products.
  • Falcon Insight; Endpoint Detection and Response: Provides EDR capabilities to customers to notify them about endpoint activity in real time. The product also records endpoint activity.
  • Falcon Device Control: Provides administrators with visibility and granular control of USB peripheral devices.

Security and IT Operations

  • Falcon OverWatch; Threat Hunting: A threat hunting solution that consists of a team of security experts who utilize the Threat Graph product. This augments customers’ in-house security resources.
  • Falcon Discover; IT Hygiene: Identifies rogue systems and applications in customers’ networks and monitors user accounts. The module also enables use cases outside of security which includes application license management, AWS spend analysis and asset inventory.
  • Falcon Complete; Turnkey Security Solution: Provides monitoring, management, response, and remediation solutions. This is CrowdStrike’s managed security service offering.
  • Falcon Spotlight; Vulnerability Management: Identifies vulnerabilities in real time across customer endpoints. The product uses data already collected by the CrowdStrike agent.

Threat Intelligence

  • Falcon X; Threat Intelligence: Integrates threat intelligence into endpoint protection. CrowdStrike also offers premium options that include global threat research and reporting from their team of analysts.
  • Falcon Search Engine; Malware Search: Enables customers to search in real time across 300 terabytes of malware collected across their products and is enriched with threat intelligence data.
  • Falcon Sandbox; Malware Analysis: Allows customers to analyze files for malicious behavior by detonating them safely in virtual machines.

CrowdStrike also recently launched the CrowdStrike Store, which is the first open platform as a service, or PaaS, for cybersecurity. This allows customers to purchase additional products from CrowdStrike partners and utilize the same CrowdStrike agent. Lastly, the company announced CrowdStrike Falcon for Mobile, which is their EDR solution for mobile devices that will be available later this year.

Summary Metrics and GTM (Go-to-Market)

CrowdStrike has significant scale and is growing incredibly quickly. And while their operating losses are in the red, they’re gaining operating leverage. The company did $249.8M of total revenue in FY’19, up 110% YoY. Almost 90% of their revenue is subscription-based and ended FY’19 at $312.7M of ending ARR, up 121% YoY. With that said, the company still has large losses — non-GAAP operating loss was $(115.8)M in FY’19, a (46)% margin, although that is up from a (100)% non-GAAP operating margin in FY’18. CrowdStrike ended FY’19 with 2,516 subscription customers, up 103% YoY and their implied ACV (annual contract value) was $124.3K in FY’19 (ARR/customers). Their dollar-based net retention rate was very strong in FY’19 at 147%, up from 119% in FY’18. Dollar-based gross retention was 98% in FY’19. Below are other relevant stats from their S-1:

  • CrowdStrike’s Threat Graph processes and analyzes over one trillion endpoint-related events per week in real time. Moreover, their algorithms make over 91 million indicator of attack decisions per minute.
  • As of Jan-2019 CrowdStrike had 2,516 subscription customers globally, including 44 of the Fortune 100, 37 of the top 100 global companies, and 9 of the top 20 major banks. Contracts are typically one year in length.
  • CrowdStrike also sells to SMBs and mid-market companies — as of Jan-2019, ~2/3 of subscription customers were organizations with fewer than 1,000 employees.
  • 23% of revenue was from international customers in FY’19, up from 16% in FY’18.
  • Since 2016 the company has launched 7 new cloud modules. 47% of subscription customers have bought 4+ modules, up from 30% a year ago.
  • According to data from the CrowdStrike customer base, 40% of detections in Q2'18 were not malware-based, but instead leveraged legitimate tools built into modern operating systems, enabling attackers to accomplish their objectives without writing files to the endpoint, making them more difficult for a traditional antivirus product to detect.
  • CrowdStrike calls out a stat from Cyence that estimated that the overall global economic costs incurred from the 2017 WannaCry attack were between $4B and $8B.
  • An enterprise customer recently deployed the Falcon Platform to 100K+ endpoints globally in 24 hours.
  • CrowdStrike recently launched a strategic technology GTM partnership with Dell that would enable Dell customers to add the Falcon Platform into their purchases of Dell hardware.
  • The CrowdStrike Champion Program has over 180 customers participating who have agreed to be references for CrowdStrike products and solutions.
  • As of Jan-2019, the company had 14 issued patents in the United States, eight issued patents in international jurisdictions, and 48 patent applications pending in the United States and 47 patent applications pending internationally.

CrowdStrike primarily sells through a direct sales team that leverages a network of channel partners. The direct sales team is segmented by inside and field sales reps based on the number of customer endpoints. More recently the company launched a free trial of the Falcon Prevent module (next-gen antivirus) available directly from the CrowdStrike website or through the AWS Marketplace. CrowdStrike got their start by just focusing on large enterprises but now sells to any size of company from hundreds of thousands of endpoints to as little as 3. They generally price by endpoint and by module. Unlike most SaaS companies, professional services provide strong lead generation for CrowdStrike — they offer Incident Response Services to companies and disclose that among companies that first became a customer after February 1st, 2017, for each $1.00 spent by those customers on their services engagement, it generated $2.97 in ARR.

Market Opportunity

The cybersecurity market is growing rapidly, and the cloud-based market is growing even faster. And while CrowdStrike believes their market initially began as a replacement market for the legacy AV market, it has expanded to include markets even outside of traditional cybersecurity like IT service management. CrowdStrike believes they serve the following markets;

  • Corporate endpoint (IDC estimates to be $7.6B in 2019 and $8.7B by 2021).
  • Threat intelligence (IDC estimates to be $1.6B in 2019 and $2.0B by 2021).
  • Security and vulnerability management (IDC estimates to be $8.4B in 2019 and $10.4B by 2021).
  • IT Service Management Software (IDC estimates to be $2.6B in 2019 and $3.1B by 2021).
  • Managed security services (IDC estimates to be $24.8B in 2019 but CrowdStrike thinks that they can touch ~$4.4B of that and $5.1B of it by 2021).

Overall, the company thinks their global TAM is $24.6B in 2019 and is expected to reach $29.2B by 2021. For some comparison, Zscaler, another cloud-based cybersecurity company that went public in early 2018 believed their TAM to be $17.7B.

Competition

CrowdStrike is selling into a hard-fought market and says they compete in 3 segments. Incumbents in the antivirus market, which CrowdStrike considers more legacy players with their signature-based approaches, which include McAfee and Symantec. Other modern endpoint security providers such as Cylance (which was acquired by Blackberry in 2018 for $1.4B), Carbon Black which went public in 2018, and Cybereason*. CrowdStrike also thinks they compete with network security vendors such as Palo Alto Networks and FireEye which are supplementing their core perimeter-based offerings with endpoint security solutions.

CrowdStrike and one of their main competitors, Cylance, have a close history. CrowdStrike’s CEO, George Kurtz, was the CEO and co-founder of Foundstone which was acquired by McAfee in 2004. Stuart McClure, who was the CEO/founder of Cylance, was also a founder and CTO at Foundstone. Both left McAfee to build successful very companies.

Investors and Ownership

According to Pitchbook, CrowdStrike has raised $481.2M to date from investors including General Atlantic, Warburg Pincus, Accel, CapitalG (Google Capital), IVP, March Capital Partners, Telstra Ventures and others. 5%+ pre-offering institutional investor shareholders include Warburg Pincus (30.3%), Accel (20.3%) and CapitalG (11.2%). George Kurtz, CrowdStrike’s co-founder, President, and CEO, is at a 10.5% pre-offering stake. Their last round, which was a $200M series E led by General Atlantic, IVP, and Accel in June-2018 was at a $3.15B pre-money valuation, according to Pitchbook.

Financials and Other Metrics Outputs

CrowdStrike is losing a lot of money but is gaining operating leverage — ending ARR grew from $141.3M in FY’18 with a (100)% non-GAAP operating margin to $312.7M in FY’19 with a (46)% non-GAAP operating margin. Their dollar-based net retention rate was quite high in FY’19 at almost 150% and it’s clear their strategy of upselling cloud modules is working. Moreover, their sales efficiency has improved over the past 4 quarters. Their implied months to pay back, which is the inverse of a CAC ratio (net new ARR * gross margin/sales and marketing spend of the prior quarter), has gone from 24 months in Apr-18 to 14 months in the most recent quarter. The median months to pay back in their disclosure period was 16.5. The company does not release customer counts by quarter. CrowdStrike has $191.7M of cash and marketable securities on their balance sheet and raised $481.2M, implying they have burned through almost $300M of cash to get to $312.7M of ARR, which is very impressive. Outputs of other metrics are below.

Historical P&L & Metrics (000's)

Source: Company S-1

Quarterly Subscription Revenue ($M)

Source: Company S-1

Ending ARR ($M)

Unlike almost all other SaaS companies, CrowdStrike actually releases ARR as a metric in their S-1. The company added $59M of net new ARR over the past quarter and $171.3M over the past year.

Source: Company S-1

Dollar-Based Gross and Net Retention Rates

The number of CrowdStrike customers that purchase multiple cloud modules is rising and so are their gross and net retention dollar rates.

Source: Company S-1

Subscription Customers with 4 or More Cloud Module Subscriptions

CrowdStrike’s platform strategy is working — as you can see below almost half of their total subscription customers have 4+ of their products and the number continues to rise quarter-over-quarter.

Source: Company S-1

Quarterly GAAP Gross Margins

Source: Company S-1

Quarterly non-GAAP Operating Expenses as a % of Revenue

CrowdStrike’s expenses as a percent of revenue are coming down.

Source: Company S-1

Quarterly GAAP and Non-GAAP Operating Margins

While operating margins are increasing.

Source: Company S-1.

Revenue Mix Percentage

Source: Company S-1

Sales Efficiency and Payback Periods

As mentioned previously, CrowdStrike’s sales efficiency has been improving over the past 4 quarters. CrowdStrike doesn’t release customer counts by quarter, but the below output plots their implied months to payback using the inverse of a CAC ratio (net new ARR * gross margin/sales and marketing spend of the prior quarter). The magic number is defined as just net new ARR/sales and marketing spend of the prior quarter. Both metrics are improving and the months to pay back are decreasing.

Source: Company S-1

Cash Flows ($M)

Source: Company S-1

Quarterly P&L / Metrics (000's)

Source: Company S-1

Valuation

CrowdStrike, like other high-growth software businesses with losses, will be valued on a multiple of forward revenue. The output below uses NTM (next-twelve-months) revenue as a proxy based on an illustrative range of growth rates with FY’19 as the base (companies don’t release projections in S-1's). The output also includes an ARR multiple range. Given CrowdStrike’s triple-digit year-over-year revenue growth, it’s likely they can grow 70–90% in FY’20. Given the multiples that similar, high-growth software companies are trading at today; Zoom, PagerDuty, Zscaler, Okta, MongoDB, Elastic, Coupa and others trading at 20–30x+ NTM revenue (as of 19-May-2019), I suspect CrowdStrike will trade well above their last reported private valuation of $3.15B. Carbon Black, which operates in CrowdStrike’s market, trades at ~5x NTM revenue but estimates have them growing at only ~15% over the next twelve months.

Note: Enterprise value ranges and growth rates are illustrative.

CrowdStrike is growing ARR in the triple digits and operating in a massive security market where the trends are moving in their favor — legacy antivirus solutions are becoming less effective, the traditional security perimeter is less relevant, the attack surface area is increasing along with the sophistication and the sheer number of breaches. Enterprises of all sizes need a cloud-first security platform that utilizes AI and can protect any workload, regardless of environment. Moreover, while CrowdStrike still has heavy losses, they have strong net dollar retention and sales efficiency. It’s clear they’re getting leverage in their business model — CrowdStrike should be investing to gain market share. There’s also a great story for them to move outside of security and deeper into IT operations where they have already launched a few products. Some public market investors will likely be nervous about the high losses, but CrowdStrike is in a great position to capitalize — they should have a very successful IPO.

Lastly, CrowdStrike’s CEO, George Kurtz, might be the only software CEO that drives race cars. See the disclosure in the S-1 below:

“As part of our sales and marketing activities, we sponsor a CrowdStrike-branded professional racing car, which our President and Chief Executive Officer drives in some races at no incremental cost to us and in lieu of us hiring a professional driver. As we do not pay any amounts to our President and Chief Executive Officer under these arrangements, it is not reflected in the above table.”

To sign up to receive these post by email, click here.

*Spark Capital is an investor in Cybereason.

Alex Clayton

Written by

Software investor at Spark Capital