CrowdStrike (CRWD) – Earnings Review – Q3 2023

CrowdStrike (CRWD) – Earnings Review – Q3 2023

Exploring the results of this cybersecurity disruptor.

Demand

• Beat revenue estimates by 1.1% & beat guide by 1.2%.
• Beat net new annual recurring revenue (NNARR) estimates by 5.2%. Note that aggregate estimates come from the sell side. I was able to get access to a survey of buy side estimates for NNARR this quarter. CrowdStrike surpassed that number by 1.4%. This is the single most important metric that it reports.
• Based on this, it also beat total ARR estimates.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases.

CrowdStrike incurs nearly all client-related costs when it sells its first module. Up-selling additional modules thereafter comes with extremely high incremental profit. That means the pattern above not only means more revenue, but better margins too. Speaking of margins…

Margins

• Beat EBIT estimates by 12.6% & beat guide by 13.1%.
• Beat $0.74 earnings per share (EPS ) estimates by $0.08 & beat guide by $0.08. EPS rose by 105% Y/Y.
• Beat $0.06 GAAP EPS estimates by $0.05.
• Beat free cash flow (FCF) estimates by 3.5%.
• Subscription gross profit margin (GPM) was about 300 basis points (bps; bps = 0.01%) better than expected.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases.

Source: Brad Freeman – SEC Filings, Company Presentations, and Company Press Releases.

As you can see, gross margin took a brief and modest tumble throughout fiscal year 2023. This was due to up-front investments in server and data center infrastructure to foster better efficiency over time. Those investments were incurred and the margin line resumed expansion starting in FY 2024 — as planned.

A quarter earlier than expected, this was CrowdStrike’s first quarter of positive GAAP EBIT. It had already reached positive GAAP net income thanks to its pristine balance sheet and strong net interest income.

Guidance

For fiscal year Q4 2024, CrowdStrike’s guidance was slightly ahead on revenue. I was able to get access to a J.P. Morgan survey of buy side expectations for next quarter revenue. This likely featured a small sample size of respondents, but CrowdStrike’s guidance was about 1% lighter than that figure. Importantly, the guidance assumes zero Q4 budget flush, which typically benefits CrowdStrike at the end of each fiscal year. It sees this flush as possible, but chose to leave it out of the guide.

Under. Promise. Over. Deliver.

Q4 guidance was 5.1% ahead on EBIT and about 4.5% ahead on net income.

Balance Sheet

• $3.17B in cash & equivalents.
• $740M in debt.
• Share count rose 2.4% Y/Y.

Call & Release Notes

Winning

CrowdStrike’s platform formula continues to work extremely well. This is not just an endpoint security company. It has thriving products in cloud, identity, log management, forensics and several other categories. All of these products create relevant data points for the Falcon Threat Graph to collect. The firm collects this data once, and can use it across its other modules to sharpen AI models and uplift outcomes. AI needs to be trained enough to actually be valuable. What is used to train models? Relevant data. CrowdStrike has a world-class security dataset and an even more world-class ability to leverage it.

This fosters a positive feedback loop in which more data means better products which means more customers which means more data. On and on the cycle churns. Maybe that’s how it became the first to reach 100% coverage across protection, visibility and analytic detections for “MITRE Engenuity’s” latest evaluation.

Not only does this mean better products, but happier customers. Why? Tearing down product siloes means better inter-departmental cohesion. Furthermore, the single user interface is easier to navigate and cost cutting from shedding point solutions is consistently abundant. The platform play means better efficacy, higher retention and lower costs. That’s why CrowdStrike is consistently winning.

During the quarter, competitive win rates rose and 8+ module deals soared 78% Y/Y. It continued to spend aggressively on growth while margins continued to explode higher. Great combination. Macro headwinds did not at all improve, CrowdStrike just continued to overcome them. It wasn’t “we did poorly because of macro.” It was “we did well despite macro.” The firm reiterated its long term targets and called out competition as falling further and further behind. The team is always charismatic, but the results speak for themselves. Those results should stay elite based on its guide and its Q4 demand pipeline “setting new records.”

Log Scale, Security Information and Event Management (SIEM) and Raptor

Definitions

• Log Scale ingests, organizes and stores data logarithmically. This allows for ingestion with more scale and faster time to value.
• SIEM aggregates security data to help organizations uncover and remediate threats. Log Scale is closely related to SIEM as Log Scale is what actually collects data from various sources to be utilized here.

CrowdStrike’s Log Scale business continues to rapidly grow. It crossed $100 million in ARR this quarter and continues to enjoy improving customer traction. Features such as index-free logging mean searching 40+ terabytes of data takes minutes vs. days with others. That’s a key selling point and is clearly working. Log Scale inked multiple 7 figure expansion and new logo wins to replace point solutions and vendors such as Microsoft.

As an important aside, Log Scale is a key ingredient for Falcon Extended Detection and Response (XDR). This is an endpoint product that uses 3rd party data sources to sharpen breach protection. That 3rd party data infusion extends coverage beyond the endpoint. Log Scale is instrumental in onboarding these needed data sources in a scalable and efficient manner.

SIEM got an upgrade this quarter. As announced at the firm’s investor day, SIEM now natively integrates with the rest of Falcon’s modules. This newfound ability is thanks to its latest platform upgrade called Raptor. Not only does Raptor pave the way for this native integration, but allows for more data ingestion from the Log Scale tool. Furthermore, Raptor removes manual dependencies and creates newfound flexibility to innovate even faster. For competing products, when data is collected, it routinely loses needed context as it can’t directly communicate with a firm’s security suite. Because Falcon’s platform provides one interface and one ecosystem for security, data AND IT use cases, that headache disappears. Again, Raptor’s integration layer is the ibuprofen for that headache.

According to Kurtz, CrowdStrike’s SIEM momentum feels eerily similar to when the firm started with endpoint protection in 2011. The eagerness of customers to replace legacy anti-virus software closely rhymes with their present eagerness to upgrade SIEM.

There are a lot of firms going after the SIEM opportunity. As Kurtz reminded us, the vast majority of the data needed for SIEM comes from endpoint events. This is CrowdStrike’s bread and butter. That positions it well to take its fair share of the opportunity.

More on Cloud Security

Definitions

• Cloud Security and Posture Management (CSPM): Tells you about your vulnerabilities and misconfigurations.
• Cloud infrastructure entitlement management (CIEM): Tells you who is entering your software environment. It tells you if these entrants are allowed and exactly what they’re allowed to do.
• Cloud Workload Protection (CWP): Preventative measure to observe if anything bad is being done by entrants. This sounds the alarm bell while preventing and remediating cloud infrastructure attacks. It’s closely related to CSPM and CIEM.
• Cloud Native Application Protection Platform (CNAPP) is the overall suite tying all of these cloud products together.

Cloud security growth continues to accelerate. Public cloud NNARR rose 45% Y/Y as it rapidly displaced point solutions and incumbents. It inked an 8 figure deal to replace Microsoft and several 7 figure deals to displace other competition during the quarter.

Leadership continues to think of itself as one of one in terms of cloud security product breadth. The conjoined products above offer clients a uniquely complete view of a cloud environment. The suite allows for full breach protection of cloud native assets, a data hack shield and real-time ranking of vulnerabilities for remediation, hygiene optimization, permission minimization and more.

Newer Products & Sharpening an Edge

Its data loss prevention (DLP) tool is in its final stages of tweaking. CrowdStrike is beta testing the offering with some of its largest clients to ensure it accounted for all requirements. It will soon go live to unlock yet another large growth opportunity.

Falcon for IT repurposes part of CrowdStrike’s software to help with key IT functions like infrastructure maintenance and software installations. This module not only provides another growth lever, but another consolidation lever as well. It will allow CrowdStrike to be a single platform and source of record for all security and IT workflows. As briefly covered above, that combination will enable better communication, better outcomes and lower cost.

There was not a lot of new information on identity security in the release. Notably, the product earned CrowdStrike a new 8 figure deal with the federal government.

Partner Momentum

• Crossed $160 million in business from Ernst & Young (EY) (global consulting firm) to date. EY is now training a 150 person team on Falcon Log Scale and SIEM.
• 62% of its new clients this year came from partner channels. CrowdStrike continues to destroy the argument that it doesn’t work well with others.
• First in its category to cross $1 billion in AWS Marketplace sales. It just released Falcon Go for small and medium businesses (SMBs) on Amazon Business. It also debuted 1-click installation for Falcon Go which should remove all on-boarding friction. It’s now ready to invest in go-to-market for this subscription tier.

Take

This was a great quarter. Some will point to the small buy-side Q4 revenue miss, but it doesn’t bother me. The forecast assumes no budget flush and the team is always conservative with guidance. The net new ARR result was excellent as was the rest of the quarter. It’s spending like crazy on innovation while taking more market share, successfully pursuing new opportunities and rapidly expanding margins. What else do you want?

Great quarter.