News of the Week (April 3 - 7)

1. CrowdStrike (CRWD) -- Investor Briefing

Legacy Endpoint Security:

The first antivirus (AV) product debuted in 1987. This signature-based approach was leaned on heavily to effectively block malware. Today, 36 years later, Symantec, McAfee and Microsoft Defender all still use a modernized, signature-based approach. This works somewhat well with stopping malware, but 71% of breaches no longer use any malware. This renders the signature-based mindset antiquated and is why Microsoft breaches and vulnerabilities continue to be a source of CrowdStrike lead generation.

Conversely, CrowdStrike’s platform operates on a single, light-weight agent that has proven to be extensible to multiple other ancillary use cases and environments. All this utility is centralized in one threat graph with consolidated reporting for an overarching view of security posture. This vendor and agent consolidation inherently fosters easier use, higher efficacy, quicker onboarding with no downtime and lower cost. This combination is a winning one, facilitating CrowdStrike’s rapid market share gains.

Its North Star is to “stop breaches” from the endpoint rather than stop malware; that’s what’s required to keep customers safe in an increasingly chaotic and sophisticated threat landscape. The buzzword for this approach is endpoint detection and response (EDR) which is considered next-generation AV. The threat graph constantly hunts down deviations in typical activity to flag and prioritize vulnerabilities and breaches for quicker, cheaper remediation.

With extended detection and response (XDR) now in the fold, this EDR base can add countless 3rd party data sources like Okta, Zscaler, ServiceNow and Salesforce to augment reach beyond the endpoint to cloud workload environments and beyond. It easily allows for web hook integrations to ensure data sources and apps are working cohesively. Furthermore, CrowdStrike’s log management module affordably devours and organizes all of this disparate data to unify, leverage and permanently store.

“McAfee, Symantec and Microsoft haven’t been able to make the jump from identifying malware to stopping breaches.” -- Founder/CEO George Kurtz

While CrowdStrike is briskly entering other fields like cloud and identity security, all of these expansions are being executed from the endpoint core. That’s CrowdStrike’s bread and butter and always will be. Why does this matter? Because 80% of vulnerable data comes from the endpoint; it’s “where work happens” and where attackers focus. 90% of successful cyberattacks start at the endpoint as the “tip of the spear” for breaches.

“Endpoint is not just about the endpoint. It is a jumping point that opens us up to all of these other adjacencies in the platform like observability, threat intelligence and more.” -- Founder/CEO George Kurtz

More on Microsoft Competition & Market Share:

80% of the time that a customer tests Microsoft Defender and CrowdStrike Falcon, they go with CrowdStrike. That’s despite the compelling product bundling opportunities for Microsoft vs. CrowdStrike’s standalone security suite. Kurtz explained this as follows:

  • Microsoft runs its security stack through 9 consoles and several agents vs. 1 of each for CrowdStrike. That makes Microsoft’s product workflows more fragmented and its total cost of ownership higher.
  • 95% of compromised endpoints that CrowdStrike remediates for new customers within its incident response arm come from Microsoft. 75% of these instances are via Microsoft Defender customers.
  • Defender’s AV signature-based tech must be updated 6-7 times per day with the operating system and security stack fully tied together. That means these updates foster downtime and that Microsoft’s product will not even work properly unless the customer is on the latest update.

“Every CrowdStrike customer is always up to date with the latest protection thanks to the singular agent cloud architecture… we don’t blue screen endpoints with failed updates which constantly happens in the industry.” -- President Adam Sentonas

This is why CrowdStrike has overtaken Microsoft as the largest endpoint vendor since its 2018 IPO. Specifically, CrowdStrike’s share grew from 12.6% to 17.7% YoY in 2022 for its best year of market share-taking ever. Encouragingly, 47% of endpoint market share still remains with legacy vendors that are rapidly ceding share to CrowdStrike. The runway remains miles long even for its most mature endpoint offerings. In terms of the opportunity, its emerging modules are helping to expand its total addressable market (TAM) to $158 billion by calendar year 2026. It was $25 billion in 2019.

Case Studies:

  • Large school district switched from Microsoft Defender to Falcon:
    • Before CrowdStrike, it was unable to stop malware attacks despite Defender being up to date. 6,000 machines had to be wiped/reimaged due to a missed attack, which halted student work.
    • Defender produced 10x the number of false positives vs. Falcon.
    • Incident response took several weeks with Defender vs. hours with CrowdStrike.
  • U.S. State switched from Microsoft Defender to Falcon:
    • With Defender, 30% of its ecosystem was not on the latest operating system and so received virtually no Defender protection. It was spending “more time figuring out licensing and system updates than protecting the organization.”
    • With Falcon, 100% of its ecosystem is on its latest protections with updates rendered in real-time.
    • The client will save $6.4 million over its first 3 years with CrowdStrike.
  • Global Services Firm switched from Microsoft Defender to Falcon:
    • With Defender, endpoint and identity alerts were siloed. This meant “no actionable insight for a managed detection and response firm to help it clean up constant vulnerabilities and breaches.” This led to false positive inundation and alert fatigue.
    • Falcon was deployed in 36 hours with a “unified XDR product to query data into 1 console for more rapid, unified response.”
    • CrowdStrike rapidly cleansed the ecosystem of adversaries that had been lurking for a full year.

On Identity Security as an Emerging Star Module:

  • Scaled to $100 million in 2022 ARR. Identity modules stem from the Preempt acquisition. Preempt was worth $90 million as of 2020.
  • This is NOT an Okta competitor. Okta is an identity broker which controls ID access and permissions. CrowdStrike identity prevents attackers who gained impermissible access to legitimate IDs from abusing those privileges. It prevents threat actors from breaching the most vulnerable piece of an enterprise’s ecosystem and then freely, horizontally moving throughout the rest of it. CrowdStrike does so by flagging deviations from typical behavior and network requests.

Agent vs. Agentless Approach:

Agent vs. agentless is a hot topic of debate in the world of endpoint efficacy. Leadership spent some time on the topic so I thought it would be valuable to explain what this actually is and the pros and cons of each approach.

Agent-based means software is directly installed on an endpoint like a car, robot, cloud workload or smart watch. The agent helps to collect and query data, ensures proper permissions and offers strong security posture to respond to breaches expeditiously. Agentless means the software is not installed on the device. It remotely protects endpoints based on desired client workflows and network scanners.

Agent-based offers more complete coverage of a client’s ecosystem and is greatly preferred for some of the more stringently regulated industries like banks. Agentless involves a more seamless onboarding process thanks to eliminating the installation need. On their own, however, agentless solutions from some vendors (not CrowdStrike) have led to less than complete coverage and false positive inundation.

Agentless is usually preferred for a base of endpoints where physical installation is just not feasible. Think about massive cloud environments and data lakes. This approach generally scales more easily and is cheaper. Data collection, however, is more challenging and less organized, and environments are left more vulnerable to attacks stemming from the network because the approach innately relies more on the network. Puts and takes.

CrowdStrike offers both. Agent-based -- per CrowdStrike -- offers full runtime protection to stop breaches while agentless “extends the agent-based approach” to automate the prevention of human error. Other vendors like SentinelOne only offer agentless as they think it offers sufficient protection.

“You have to be on the device or workload to stop a breach or you’ll detect it too slowly without an ability to remediate.” -- CrowdStrike President Adam Sentonas

Customer Accolades:

CrowdStrike is ranked first for endpoint protection and EDR on several independent customer review sites including G2, PeerSpot and TrustRadius.

Incident Response Lead Generation:

CrowdStrike now enjoys $6.07 of added subscription annual recurring revenue (ARR) for every $1 its new clients spend with it on incident response and remediation. This was $5.51 two years ago and around $3 at the time of its IPO. This continues to be an increasingly strong top-of-the-funnel product for easy cross-selling. It’s a “small but extremely strategic portion of the business” per CFO Burt Podbere.

Long Term Demand Guidance:

CFO Burt Podbere reiterated CrowdStrike’s aim to reach or eclipse $5 billion in ARR in calendar year 2025. This assumption includes a 10% YoY headwind to net new ARR growth in the first half of this year. Next year, it assumes macro headwinds “remain consistent” with this year when those headwinds are expected to be challenging. So? This guide doesn’t rely on any macro improvements and if they come there could be upside.

This calendar year 2025 guidance also only requires that CrowdStrike see flat net new ARR growth vs. 2022 through the entire period. It assumes its net retention rate falls more sharply than the company assumes it will. CrowdStrike expects to do much better than this and I expect it to obliterate this revenue target by a mile.

“We intend to continue to take market share across all aspects of the business and to expand wallet share with more modules as we enter new adjacencies.” -- CFO Burt Podbere

Long Term Margin Guidance:

Gross margin fluctuation has nothing to do with pricing pressures. There are no pricing pressures in the business currently. They are about infrastructure investments and M&A integration. The infrastructure investments are set to deliver 100 bps of gross margin expansion YoY next quarter as “fruits of labor pay off.” It is fully confident in its long-term margin target here of 82%.

It sees FCF margin of 30% this year, 30%-32% next year and 32%+ for calendar 2025. This represents an update to its margin model from 30%-32% previously.

It will get to its EBIT margin target of 20%-22%+ “some time in” calendar year 2024.

“We could reach these margin targets now. We don’t think this would be the best course of action given the massive market opportunity and our strategic position within the ecosystem.” -- CFO Burt Podbere

Module Adoption:

  • Average Module count:
    • 8 on average for its $1 million+ ARR customers vs. 3.7 five years ago.
    • 6.3 on average for its $100,000-$1 million ARR customers vs. 2.9 five years ago.
    • 4.7 on average for its sub-$100,000 ARR clients vs. 2.6 five years ago.
  • New customers are landing with 4.8 modules vs. 2.8 in calendar 2017.
  • 4,500 customers have adopted 2+ emerging modules with emerging module ARR rising 116% YoY last quarter to $339 million. This is now very needle moving.
  • Identity modules are the largest emerging module ARR contributor growing 200% YoY.
  • The largest private global tech services provider (Cognizant or Accenture probably) has helped it close $200 million worth of deals in 18 months as it becomes a better ecosystem partner.
  • CrowdStrike has $9.6 billion in possible cross-selling opportunities within its current customer base vs. $7 billion YoY as it adds more use cases.

2. Airbnb (ABNB) -- Short Report Response

As an independent investment analyst, I naturally feel somewhat connected to the author of the Bear Cave and root for his success. Still, his Airbnb short report published this past week was substance-lacking. I needed to address it bluntly and explain why I added to my stake following it.

Professional Landlord Competition:

Here is the premise: The report argued that individual landlords are somehow going to build their own competitors. They’re going to match Airbnb’s massive network effect while relying on 3rd parties for a sub-3% Airbnb host take rate. They’re somehow going to get all of the same, complementary insurance coverage and will match all of the ancillary utility building services that Airbnb continues to add. This will somehow make hosts more profitable than they are on Airbnb. Somehow.

Superhosts with several mortgages and maintenance fees are going to forego the steady stream of demand that Airbnb provides. They’re going to maintain their entire fixed cost base, add new fixed costs and take a chance on if they’ll still be able to find demand alone. Really? This is not remotely realistic. Airbnb’s superhost model only propagated because Airbnb made it work with its massive customer cohort.

The vast majority of drivers succeed more on Uber than alone. The vast majority of businesses succeed more with Shopify than building custom solutions on their own. The vast majority of hosts do better with Airbnb than alone. There are obviously exceptions to this rule… but not many. Network effects matter a lot and this report irrationally discounted the value of that perk to 0.

Regulation:

Airbnb is in a better position to comply with regulation vs. smaller, less deep-pocketed competition. Furthermore, lawmakers are mostly focused on ID verification and tax collection -- two issues where Airbnb has proactively led in its industry. It is better equipped to handle new rules than anyone else in the space based on size, balance sheet, and global relationships that it has painstakingly built. Tighter regulation often provides relative value for the richest and biggest in the space.

I love to use New York City as a case study. This has been the strictest city in the states for shorter term rentals and has boasted a wildly fluid regulatory backdrop. Airbnb has gracefully endured all of these changes and has continued to find success in that market. Regulation will continue to change. I expect Airbnb will continue to fruitfully adapt.

Property Damage and Bad Actors:

Sometimes guests damage host properties. Sometimes guests are not happy about an aspect of their stay and take to Twitter to vent. This apparently is a key bear case. Apparently, hotels never, ever deal with anything like this as all of their guests behave perfectly 100% of the time. I’m sure you can hear the sarcasm oozing out of these words. I found this argument not only irrelevant but also ironic. If it were actually a crippling risk for the business, it would mean hosts are even more reliant on Airbnb’s cash collection and insurance coverage. So which is it? Hosts deciding to take all of the risk to compete on their own? Or bad actors making it infeasible to do so? It can’t be both… and I think it’s neither.