Updated CrowdStrike Thoughts
I took the weekend to contemplate the CrowdStrike news and potential fallout. After much consideration, I’ve evolved my thinking on how best to handle the news. While I had already taken off a large chunk of my position in normal trimming in June, I’ve decided to take more profits. The specific changes were sent to Max subs a few minutes ago. This name has treated me extremely well since the IPO, and I want to harvest more profit in the wake of significantly more uncertainty. In connection with this decision, I will be allocating that chunk of funds to a new name highlighted in section 2 (investment case included). These transactions will take place Monday morning.
1. Why the CrowdStrike Trim
There’s a great deal of uncertainty over the implications of Friday’s news. I’ve spoken with several industry contacts and “we have no idea what to expect” is the common theme. When a company is responsible for shutting down global transportation, hospitals and emergency systems, litigation is all but inevitable and that cloud will likely hang over this firm for quarters — not days or weeks. This is routinely being called the largest IT failure event of our lifetimes, and I don’t think that’s overly dramatic. Okta is still citing hesitancy among some prospective clients due to its own security failure nearly a year ago.
CrowdStrike is arguably the best endpoint security company on the planet. It thrives under 3rd party testing, boasts elite customer retention rates and routinely cleans up the messes of other vendors to win more business. This was not a security breach or a vulnerability in CRWD’s core infrastructure. It was an erroneous software update that needed more scrutiny and had a bug. Regardless of this, the development comes with awful press. To an unknown degree, it stains CrowdStrike’s reputation of invincibility that it has built over more than a decade. This company was viewed as the perfect software vendor you never needed to worry about. That changed on Friday.
It is true that Microsoft Defender causes far more issues than CrowdStrike or any other vendor. Still, the world has accepted that. They’ve conceded inferior security for the world-class, highly convenient software bundle that Microsoft delivers alongside it. CrowdStrike doesn’t have that, and they need to be clearly, objectively better than Defender (like they have been and are) to keep winning. This doesn’t change the reality that Falcon has higher efficacy than Defender. But it will create noise, negative sentiment, bad press and litigation that could create issues in the near term. I do see that giving Defender, SentinelOne and Palo Alto a small leg up in competitive bids for new clients. That, to me, is what to worry about more so than a likely large, one-off fine. This could easily be a tiebreaker for some customers and a near term headwind to net new annual recurring revenue (NNARR). The key word is could, and that’s the real issue here. We truly don’t know what the actual ramifications of this will be. And? In the wake of extreme uncertainty, I like to be cautious.
None of this is to say that CrowdStrike can’t recover. I fully expect that to happen in the coming years. Still, I like the idea of broader diversification within what I view as the most compelling part of enterprise software (cybersecurity). That’s why my recent SentinelOne stake has actually become a larger position than CrowdStrike in the portfolio. It’s also why I will be reallocating CRWD profits into a new Zscaler position:
2. Why Zscaler
CrowdStrike and SentinelOne are the best-in-breed endpoint platforms. Zscaler and Cloudflare are the best-in-breed network platforms. The two endpoint vendors routinely pull the network vendors into large deals and vice versa. This decision is my way of maintaining cybersecurity exposure while diversifying my allocation within the sector. It’s my way of enjoying all of the upside I see from long term, structural growth while diminishing the headline risk associated with owning one specific company. If Friday can happen to CrowdStrike, it can happen to anyone.
This will function as a brief(ish) investment case that pulls from all of my previous research on the name to work through Zscaler’s business & prospects.
a. What Does Zscaler Do?
Zscaler’s Zero Trust Exchange (ZTE) is its latest and greatest, cloud-native network security platform. It’s the firm’s consolidated product suite for driving vendor consolidation, superior protection and lower cost. ZTE connects users, data, apps and devices across eligible networks. Zero trust is exactly what it sounds like: never trusting a device or user. The exchange vets and verifies all traffic as it moves within a company’s perimeter. A bad actor who breaches the most vulnerable piece of infrastructure cannot then move freely through the rest of it without any subsequent verification. Zscaler ranks the risk tied to each request for access or usage to decide what level of security that request needs. That makes sure it’s only creating user friction when there’s an actual security concern.
This zero trust approach routinely cuts infrastructure costs for customers. How? By shrinking the protection surface down to grant permission to one app, one user and one piece of traffic at a time. This vastly raises the precision bar for a successful attack from hackers. They can’t just pick on the weakest link. Permissions are based on client policy. This replaces an antiquated firewall and virtual private network (VPN) based philosophy in which every device & user within a perimeter gets perpetual and unconditional access. So? Zero trust is safer, cheaper AND allows remote employees to responsibly work from anywhere. Zero trust is rapidly replacing firewalls and VPNs for these reasons.
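The contrast described above, as an added sketch (not from the original post and not Zscaler's implementation): a perimeter check that trusts network location, next to a per-request check against client policy plus a risk score. The user and app names, score weights and thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed client policy: which user may reach which app (hypothetical names).
POLICY = {("alice", "crm"), ("alice", "wiki"), ("bob", "payroll")}
STEP_UP_AT = 40   # assumed threshold: require re-authentication
DENY_AT = 70      # assumed threshold: block outright

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    inside_perimeter: bool
    device_managed: bool
    new_location: bool
    recent_malware_alert: bool

def risk_score(req):
    """Toy additive score; the weights are assumptions."""
    return (30 * (not req.device_managed) + 20 * req.new_location
            + 80 * req.recent_malware_alert)

def perimeter_decision(req):
    """Firewall/VPN model: being on the network is the only check."""
    return "allow" if req.inside_perimeter else "deny"

def zero_trust_decision(req):
    """Evaluate each request on its own: policy first, then risk.
    Network location is deliberately not consulted."""
    if (req.user, req.app) not in POLICY:
        return "deny"
    score = risk_score(req)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"   # friction only when risk is elevated
    return "allow"

# Constructed requests: routine use, lateral movement, remote BYOD, infected host.
SAMPLES = {
    "routine": Request("alice", "crm", True, True, False, False),
    "lateral": Request("alice", "payroll", True, True, False, False),
    "remote_byod": Request("alice", "wiki", False, False, True, False),
    "infected": Request("bob", "payroll", True, True, False, True),
}

def compare():
    return {n: (perimeter_decision(r), zero_trust_decision(r)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    print(compare())
```

The "lateral" and "infected" rows are the ones the perimeter model waves through because the request originates inside the network; the "remote_byod" row is the one it blocks even though policy permits the access.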
Zscaler Core Product Definitions:
- Zscaler Internet Access (ZIA) protects internet connections. It’s the middleman between a user and a network that ensures proper authorization & access.
- Zscaler Private Access (ZPA) offers remote, secure access to internal apps. This is an upgraded VPN by “connecting directly to the required resources without public exposure” — per Zscaler filings.
- Zscaler Digital Experience (ZDX) ensures the high quality and always-on performance of cloud apps. It sifts through networks to identify sources holding back performance so they can be remediated. It also tracks user experience levels to guide any needed changes.
More Sector Definitions:
- Security Service Edge (SSE) provides access to software for users regardless of where they’re working. Legacy vendors do this via firewalls while Zscaler (and others like Cloudflare) do so through the zero trust architecture to shrink the attack surface and bolster protection.
- Virtual Private Cloud (VPC): These are subsections of public cloud environments. They offer users more autonomy with their network and apps. They also allow for secure connections between cloud and self-hosted (on-premise) environments with no public network exposure. This is especially key for highly regulated industries.
- Virtual Desktop Infrastructure (VDI): Allows software to be accessed on remote devices. Zscaler’s Zero Trust Exchange (ZTE) ensures this is done safely and securely.
- Firewall is a legacy form of network security that uses a fixed set of rules to authorize outbound and inbound traffic.
A True Platform Overcoming Continued Macro Headwinds:
Zscaler’s high-quality, cohesive network security platform has provided strong growth and profitability through a chaotic macro environment. Specifically, Zscaler’s suite offers a unique ability to consolidate point solutions across internet connectivity, cloud and app entitlement and security, user experience tracking, data loss prevention, workload protection, vulnerability management and remediation, risk scoring and (much) more. It can end the never-ending process of just spinning up more legacy firewalls and thinking that actually secures a network.
The desire to displace firewall-based systems has never been stronger… Zscaler provides the upgrade. Ongoing zero-day (previously unknown) exploits against competitors’ products continue to bolster the appetite for displacing ineffective, costly systems with something that actually works. Phishing attempt activity is rapidly rising Y/Y, incumbents are failing to prevent lateral threat movement and Zscaler is taking full advantage. For some evidence, $1 million+ annual recurring revenue (ARR) customers last quarter rose 31% Y/Y and it expects demand to “stay strong.”
Despite continued recent budget scrutiny and macro anxiety, its approach is allowing customers to do more with less and turn operating expenses into efficiency gains and profit drivers. It’s worth noting: ZTE does routinely cost more than archaic firewalls. Still, the cost-to-value dynamic is far more compelling as Zscaler drives better coverage, better automation, easier usage, better interoperability and superior outcomes. Customers may pay more today… but they save more tomorrow. That’s how companies are bucking weak trends so far in 2024. Winning today requires that capability. And again, all of this success is despite macro difficulties. Specifically, its sales cycle has elongated from about 10.5 months to 12 months as of a few months ago.
Not Seeing The “Budget Fatigue” or Pricing Pressure Cited by Palo Alto:
On Zscaler’s last two earnings calls, it has been asked several times about pricing pressure and the competitive environment. This is likely due to Palo Alto’s pivot to “platformization” and its push towards free trials and product bundling. Zscaler sees no pricing pressures or the “budget fatigue” that Palo Alto cited. Why? Because of its superior zero trust architecture. Superior value breeds price elasticity of demand.
Another recent concern has been the rise of smaller, specialized network security providers, but Zscaler doesn’t see these players in competitive bids. And if they got large or real enough, Zscaler could simply use its strong balance sheet to buy them.
Its win rates remain stable and “very high.” It continues to command premium pricing thanks to superior outcomes justifying paying more than cheaper alternatives.
3rd party product recognition and happy customers are great evidence for gauging how valuable a product suite actually is. It’s one thing for Zscaler to say “we’re the best.” Talk is cheap. Independent confirmation is less cheap.
Gartner has named it a leader in SSE (already defined) for three straight years and Forrester routinely ranks it a leader in SSE, with Zscaler getting top scores on 11 different categories as of Q1 2024. CRN named Zscaler’s data protection suite as the “product of the year” in 2023. Its website contains a large library of happy customers boasting their success stories and its net promoter score (NPS) sits at 70+ vs. a software industry average of 30. NPS is wonky as it’s subjective and internally derived… but it’s not irrelevant. Most companies with awful customer service don’t talk about NPS. Not a coincidence. You can only fudge the number so much.
Whether it’s a sub 1 year payback period for a Global 2000 Telecom firm, a 5x ROI for a Fortune 100 Financial Services firm, a 3x ROI for a Fortune 100 Logistics firm or countless other examples, Zscaler provides tangible value even with premium pricing. Generally speaking, retention rates have also been quite resilient and stayed above 115% as of last quarter. This is despite a recent new business mix shift to new customer wins.
A Bit More on Competition and the Opportunity:
Competition is fierce. Palo Alto, Netskope, Cloudflare and maybe Fortinet are all strong competitors. The market is large, quickly growing, relatively insulated from macrocycles and so highly compelling. For context, network security is expected to grow well in excess of 10% for the foreseeable future, with the broad zero trust category compounding at a clip above 15% regardless of which vendor we look at. The regulatory climate is also favorable for nurturing that strong growth. The SEC is now forcing companies to openly disclose cybersecurity risk management. This should motivate more firms to embrace best practices like zero trust. The federal government’s mandate to embrace zero trust, paired with Zscaler’s Impact Level 5 (IL5) Department of Defense authorization merely adds public sector fuel to this fire. The broad array of firewall and VPN-based vulnerabilities now must be more openly disclosed (per SEC mandates). This is highlighting poor outcomes and product offerings from other vendors and is accelerating demand for Zscaler.
Phishing attempts are up 60% Y/Y, more than half of Zscaler-surveyed respondents are struggling to prevent lateral threat movement (which zero trust accomplishes) and more than half are experiencing attacks. GenAI is merely removing friction associated with conducting large scale attacks, and there’s likely no slowdown in sight for this trend playing out. Security is highly important and the least discretionary bucket in enterprise software. Zscaler will need to continue to rev the innovation engine and successfully execute this go-to-market pivot.