News of the Week (April 4-8)

News of the Week (April 4-8)

17 min read

Today's Piece is Presented by FTX.US:

1. CrowdStrike -- Investor Briefing and Forrester

a) Investor Briefing Notes from Co-Founder/CEO George Kurtz:

Impact Level 4 (IL-4) Defense Agency Authorization:

CrowdStrike was issued “Provisional Authorization to Operate” at Impact Level 4 (IL-4) by the federal government this week. CrowdStrike’s Cybersecurity and Infrastructure Security Agency (CISA) and FedRAMP wins announced in previous months came as a bi-product of IL-3 clearance for CrowdStrike which freed it to serve civilian agencies. To serve defense agencies, vendors need level 4 clearance -- which CrowdStrike now has. Translation? This paves the way for Falcon Platform deployment within defense-based agencies of the federal government so CrowdStrike can now protect “Controlled Unclassified Information” (CUI).

The firm is already well on its way to a dominant market share within large enterprise endpoint security and now the public sector is looking ripe with low hanging fruit for CrowdStrike to pick. These clearances also work to build commercial client confidence in the firm's technology -- federal approval processes like this one are intense.

Subscribe now

Endpoint market share gains -- per IDC:

  • Calendar 2019: 7.9% share (4th vendor overall)
  • Calendar 2020: 12.2% share (1st vendor overall)
  • First 6 months of 2021: 14.2% share (1st vendor overall)

Long Runway:

  • CrowdStrike is 35% penetrated in its original enterprise niche (over 7,500 employees)
    • 65% of the Fortune 100
    • 51% of the Fortune 500
    • 26% of the Global 2000
  • CrowdStrike is 3% penetrated within the mid-market segment (251-7,499 employees)
  • CrowdStrike is under 1% penetrated within the SMB segment (5-250 employees)
  • CrowdStrike is under 1% penetrated within the Public Sector

Even within CrowdStrike’s existing base of customers, there’s an opportunity to more than triple its ARR solely via module cross-selling.

Market Growth:

CrowdStrike’s Total Addressable Market (TAM) at its 2019 IPO was $25 billion. At that time, it expected its market to reach $44 billion by 2023. Now -- through a series of organic product launches and acquisitions -- it estimates its market size this year to be $58 billion: 32% and 12 months ahead of its previous projection. Leadership now sees a clear pathway to a TAM of $126 billion by calendar 2025.

Random notes:

  • CrowdStrike is the only software company with over $1 billion in trailing 12-month revenue, trailing 12-month revenue growth over 60% YoY and a free cash flow margin over 30% -- no other company with these credentials has a free cash flow margin over 25%.
  • Time to remediate and reboot continues to differentiate CrowdStrike as its exclusive cloud presence allows for real-time data collection while other vendors -- with cloud and legacy on-premise operations -- use a Batch Mode approach with far heavier data requirements.
  • Managed Security Service Provider (MSSP) growth continues to outpace expectations and so does the free trial programs it now offers. These are 2 lead-generating keys for aggregating SMB business to make CrowdStrike more successful and efficient within that niche.
  • MITRE (a non-profit organization supporting federal research) named CrowdStrike #1 with a 100% score for “prevention and stopping breaches” as well as “the XDR leader.”
    • Another MITRE study on “detection and protection” depicted SentinelOne as ranking ahead of CrowdStrike. This study does not penalize vendors as heavily for inundation with false positives. CrowdStrike's lack of this false positives issue (which takes up a security team's time and attention) has been key to its enterprise market share gains.
  • Kurtz also highlighted the e-commerce platform that CrowdStrike has built to seamlessly offer all of its modules. This shop fosters zero-friction module purchasing and on-boarding to raise conversion and up-sell activity.

“While the competitive landscape has been cluttered, today CrowdStrike stands in a class of its own in driving superior outcomes. And we are still in the early innings and taking share. We believe CrowdStrike is a generational platform company with a fundamental advantage over others in the market today.” — CrowdStrike Co-Founder/CEO George Kurtz

b) Investor Briefing Notes from CTO Michael Sentonas:

MITRE:

“Our perfect MITRE score is a great story about our capabilities. Our identity protection capabilities (thank you Preempt acquisition) stopped the attack in its tracks. CrowdStrike had to be asked to turn off its identity protection service just so MITRE could run the rest of its test. And we still got a perfect score.” — CrowdStrike CTO Michael Sentonas

Humio:

“We’ve re-engineered log management from the ground up with index-less management to collect structured and unstructured data to make exploring anything blazing fast at massive scale.” — CrowdStrike CTO Michael Sentonas

CrowdStrike talks about this log management opportunity as perhaps more greenfield than it actually is. Datadog is surely an elite, seasoned competitor and there are many others doing great work in the observability space. Still, it’s hard (impossible really) to ignore the fantastic success Humio has had under CrowdStrike to date. Revenues for the segment quadrupled year over year in 2021 (small base but still impressive).

Mandiant partnership announced:

Mandiant will now readily offer CrowdStrike’s threat detection and response tools in tandem with its security consulting services. There is some redundancy within the two product suites, but the companies still see a lot of benefits from working together. A key hurdle for optimizing hack remediation is what Washington Post describes as “splintered responders and reluctance to share intelligence within vendors.” This relationship will help ease that friction.

c) Investor Briefing Notes from CFO Burt Podbere:

New targets:

At CrowdStrike’s previous investor briefing, it had “illustrated” (they’re careful to not call this formal guidance) a path to over $3 billion in annual recurring revenue (ARR) by calendar 2024. Now, it expects to get there in calendar 2023. Furthermore, the company offered a calendar 2025 rough outline of over $5 billion in ARR. Considering the company’s track record of uniform under promise and overdeliver, this should be a somewhat safe assumption. The result would represent a minimum 4-year CAGR of 31% which is quite strong given its scale. Note that this estimate considers no M&A and CrowdStrike’s fortress balance sheet certainly affords it the opportunity to add more inorganic growth to its future operations.

From a profitability perspective, CrowdStrike has already eclipsed its long term gross margin, G&A and free cash flow margin goals -- it expects to remain above these targets. Some people rightfully point out that deferred revenue will contribute less to free cash flow for CrowdStrike as growth inevitably slows over the long term. While that is accurate, unit economics, and so net income margin, will continue to briskly improve which should more than offset that headwind. The company is confident that it already has the operational leverage to reach its operating and net income margin targets today but is instead choosing to invest in more growth. Podbere added that the firm now sees more “upside” to its long term margin targets beyond calendar 2025.

On customer traction:

  • It now takes $4.6 million and $2.2 million in ARR to be a top 25 and top 100 CrowdStrike customer respectively. Both of these metrics have more than 10Xed over the last 5 years.
  • New customers are landing with an average of 4.7 modules vs. 4.3 YoY and 2.0 in calendar 2016.
  • The firm expects its dollar-based net retention rate (DBNRR) to stay above its target of 120% going forward. DBNRR = YoY revenue growth from the same base of clients.

d) Forrester

A week after Forrester named CrowdStrike as one of four incident response leaders within the cybersecurity industry, it received another, perhaps more notable accolade -- this time within Endpoint Detection and Response (EDR). The company scored perfectly on 75% of the criteria metrics and placed furthest up and to the right (so best) on Forrester’s chart. The report ranked CrowdStrike 1st in all three of its categories: Current offering, strategy and market presence. Microsoft and Trend Micro ranked 2nd and 3rd in all three categories with SentinelOne ranked 4th.

This accolade is not only important for reiterating CrowdStrike’s ability to prevent and manage breaches at the endpoint, but for a new, exciting growth vector as well: Extended Detection and Response (XDR). XDR leverages EDR as a base while injecting more 3rd party data sources from other pieces of the security and software chains to allow endpoint coverage to extend beyond the endpoint. Data-sharing partners in CrowdStrike's "XDR Alliance" like Zscaler, ServiceNow and many more help make this a reality.

Considering all of this, a strong XDR offering relies on a strong EDR core to best augment and extend the utility and reach. Think of EDR as chicken tenders and XDR as your favorite dipping sauce -- the better the chicken tender (EDR), the better the sauce (XDR) is going to be on it. CrowdStrike has the best EDR base in the world according to this report.

Share

“Falcon is the most tested platform in the space and our results speak for themselves.” — CrowdStrike Co-Founder/CEO George Kurtz

All of this incremental XDR data ingestion and telemetry requires seamless scalability and data compression to effectively pull off. According to George Kurtz, Humio’s “compression algorithms exceed all competitors on the market which means it’s also more affordable.” Customers had been asking CrowdStrike for a better, more affordable solution for years and the Humio acquisition was the result. There’s a reason CrowdStrike paid 50X sales for it.

2. SoFi Technologies -- Student Loan Update, Board of Directors Right-Sizing & an APY Boost

a) Student Loans

The Biden administration extended the student loan moratorium through the end of August. As refinancing federal student debt is SoFi’s largest and most cash generative segment, this will weigh on 2022 results. To get ahead of this, management updated its 2022 guidance which is now:

  • $1.47 billion in sales vs. previous guidance of $1.57 billion.
  • $100 million in EBITDA vs. previous guidance of $180 million.
  • Q1 2022 guidance is unchanged as SoFi had assumed the moratorium would be in place through May.

The team is now assuming that this moratorium will be extended through the end of 2022 and that is reflected in the updated estimates. While this is surely frustrating, there are a few notes on this that I want to highlight:

  • Despite SoFi’s largest segment operating at 50% of normal volumes for 2022, it still expects 45% revenue growth and a tripling in its EBITDA generation (with doubling margins).
  • I’m encouraged to see that the team assumed the extension through the end of 2022 rather than the updated end of August timeframe.
    • With midterms around the corner -- which SoFi cited as a reason for the extension -- it’s likely that political theater will lead to this extension to foster goodwill from voters.
    • Good job ripping the Band-Aid off rather than peeling it off one extension at a time.
  • This demand headwind is entirely independent of the utility that SoFi’s federal re-fi product creates. This is not a matter of diminishing market share or eroding demand, it’s an industry-wide pause that will be lifted at some point in the future.
    • When this demand channel turns back on, the YoY growth comp headwind we are currently dealing with will morph into a lucrative tailwind.