This week Crowdstrike, which helps prevent security breaches, filed a $100M S-1, with the amount as a placeholder. It is the first American cybersecurity company to file in 2019 and second overall after Israeli Tufin. Crowdstrike offers cloud-delivered endpoint protection for anti-virus and threat monitoring. In 2016, the Democratic National Committee hired Crowdstrike to investigate its Russia-linked hack. At the end of the last fiscal year, Crowdstrike had 2.5K subscription customers generating $313M in Annual Recurring Revenue (ARR). Founded in August 2011, Crowdstrike has ~1.5K employees and is headquartered in Sunnyvale, CA.
Similar to Fastly’s recent S-1 that defined its service as an “edge cloud,” Crowdstrike believes it is creating a new category called the “security cloud.” They argue an effective modern solution should be a data-driven, automated, and open cloud-based platform that process events in real-time and benefits from network effects.
Crowdstrike’s Falcon platform protects endpoints. The platform has two parts: 1) a lightweight agent and 2) a cloud-based, dynamic graph database called Threat Graph. The lightweight agent collects information and streams data to the cloud. It does local endpoint prevention and detection. The Threat Graph processes, correlates, and analyzes endpoint-related events in real time and maintains an index of these events. It continuously analyzes malicious activity by applying graph analytics and AI.
Crowdstrike has 10 cloud modules across three categories: 1) endpoint security, 2) security and IT operations, and 3) threat intelligence. Within endpoint security is next-generation antivirus, endpoint detection and response (EDR), and device control. These modules help defend against malware and malware-free attacks, provide visibly into endpoint activity, and insight into USB peripheral devices. Security and IT operations modules include IT hygiene, scan-less vulnerability management, turnkey response and remediation, and threat hunting. Finally, the threat intelligence category offers threat research, a malware search engine, and a malware analysis tool for suspicious files.
The business contends that its platform has a data moat given the breadth of the customer base and exhibits network affects. Crowdstrike stated that the more data it has to train its AI models the higher efficacy the solution. Additionally, as one threat is identified in a customer, all benefit.
Crowdstrike addresses multiple markets including corporate endpoint security, threat intelligence, security and vulnerability management, IT service management software, and managed security services. In aggregate Crowdstrikes’s Total Addressable Market (TAM) represents $24.6B in 2019 and is expected to grow to $29.2B in 2021, a 9% CAGR.
There are numerous competitors across antivirus, endpoint security, and network security. Direct antivirus competitors include McAfee and Symantec. Endpoint security alternatives include Cylance and Carbon Black. In network security, Crowdstrike duels Palo Alto Networks and FireEye.
Crowdstrike is growing very fast. It achieved $250M in revenue in FY19 compared to $119M in FY18, 110% YoY growth. As a comparison, Carbon Black, a competitor, reached $162M in revenue growing 39% YoY when it IPOed last year. In FY19 Crowdstrike’s subscription revenue represented 88% of revenue while the other 12% was professional services.
It achieved $313M ARR in FY19 compared to $141M in FY18, 121% YoY growth. Crowdstrike’s FY19 ARR is almost twice as large as Carbon Black’s ARR when the company IPOed.
Crowdstrike’s subscription customers grew 103% YoY from 1.2K in FY18 to 2.5K in FY19. Customers including 44 of the Fortune 100, 37 of the top 100 global companies, and nine of the top 20 major banks.
One metric that stood out to us was the business’ impressive dollar-based net retention rate of 147% for FY19. It improved 28 points YoY. The dollar-based net retention rate (NRR) is total current period ARR divided by the total prior period ARR for the customer cohort. Our recent research found that the top decile businesses grow at 140% so Crowdstrike is doing very well. Its dollar-based net retention is above recently IPOed PagerDuty’s 139% and Zoom’s 140% and close to Atlassian’s 148%.
A main expansion driver is customers’ ability to add more modules over time. At the end of FY19, 47% of subscription customers had adopted four or more modules. Crowdstrike uses a single intelligent agent to execute multiple modules, allowing customers to consolidate and remove alternative agents.
Moving on to gross margin, which equals revenue minus the cost of goods sold that includes things like hosting costs and customer support. Crowdstrike achieved an 65% gross margin in FY19, below Carbon Black’s 78% when it filed. Subscription gross margin was 68%.
Of each operating expense item, Crowdstrike spends the most on sales and marketing at 69% of revenue. Crowdstrikes has a sales efficiency coefficient of 0.9. As a reminder, the sales efficiency coefficient measures gross profit increase over a period divided by sales and marketing investment. The company has a strong magic number of 1.2. A magic number of over 1.0 the business paid back its customer acquisition costs in a one-year time frame.
In terms of net income margin, Crowdstrike was -56% in FY18, an improvement from -114% for the equivalent period a year earlier.
The company raised a total of $481M from investors including Accel, IVP, and CapitalG. Its last round was a $200M Series E that valued the business at $3B.
Crowdstrike’s IPO registration touches on a few trends: 1) cyber security threats continue to increase, 2) attackers are more well-trained and possess significant technology compared to before, 3) the proliferation of endpoints expands the attack surface, and 4) legacy on-premise solutions can be constrained. With impressive revenue and customer growth, and very strong net dollar retention, it will be pretty exciting to watch as Crowdstrike goes public.