AI's data gravity to consolidate cybersecurity, CrowdStrike as a winner
CrowdStrike vs Palo Alto Networks
CrowdStrike is the clear leader in endpoint security, both in the cloud and in its bread-and-butter end devices business. The cloud exposure is a particularly interesting one, as with the rise of microservices and containerization, there has been an explosion of endpoints in the cloud which have to be protected. This is a topic which we’ll go into in a bit.
Corporations adopt endpoint security to secure all their end devices coming into contact with the internet. These include desktops, notebooks and smartphones, and it basically entails making sure that no malware gets installed, monitoring the devices with behavioral analysis to detect suspicious activity, encryption of sensitive data, and making sure no blacklisted apps or websites get visited. The way this is done is by installing an agent on the end device which also sends data to a central monitoring system.
The endpoint is an interesting field in cybersecurity as this is where by far most of the data gets collected as well as where most of the breaches occur, i.e. a hacker gaining entry. Due to AI, responses to security incidents can increasingly be automated, and this is particularly good as there is a large shortage of cybersecurity engineers. We know that the competitive advantage in AI is gained by access to data, i.e. both quality and quantity of data. And data gravity is the idea that large amounts of data tend to attract other data, applications, and services towards them. So one of the theses which we’ll be exploring here is to what extent CrowdStrike should be able to leverage its strong position in endpoint security and turn that advantage into consolidation of the space.
Cybersecurity is a space within software which remains ripe for consolidation. In each particular field, usually designated with its own unique acronym, it is still common to see 10 to 20 players handling workloads. However, as the field moves from purely manual responses to automated ones driven by AI, the best players with the data and AI know-how can provide a compelling solution to make the switch away from legacy systems. This is especially attractive as cybersecurity remains a high-growth area, one where CIOs are planning to increase most of their spending. So on top of this attractive industry growth, the best companies should be able to compound revenues at higher rates driven by additional market share gains.
Taking a hugely oversimplified view of cybersecurity, the endpoint is CrowdStrike’s original business, and the company has subsequently been moving into adjacent fields such as cloud, incident response, Security Operation Center (SOC), and identity by leveraging their core technology. So CrowdStrike is becoming a diversified player in the industry with plenty of data access.
Looking at revenues of the listed players, CrowdStrike is one of the largest companies in the field:
While Palo Alto remains the gorilla in the field thanks to its next-gen firewall business, CrowdStrike, thanks to its higher growth rate, is adding almost as much revenue this year as the gorilla:
This is CrowdStrike’s CEO George Kurtz commenting on where their platform fits into the landscape:
“So when I started CrowdStrike, it was really to have a single platform, a single agent and a single interface that has the best-of-breed technologies in one platform. That's really what I call best-of-platform today and this is what customers are looking for. We don't do everything in the security space, we do a nice piece of it, but customers look at what we have and connect to a Zscaler or connect to someone else (for networking security). They want to be able to take the best of platforms and plug them together as opposed to be saddled with point products kind of masquerading as a platform.
5 to 10 years ago, endpoint was a McAfee or Symantec anti-virus product, that is not endpoint today. There's a module sure that does prevention, but once the data is collected, it's collected once and reused many times. And this is a much different model than anything that had been done before, we're solving data ingest and correlation, threat intelligence, file integrity monitoring, identity.. The chassis is an agent, a data set, a data store and a cloud architecture with modules. There's so many outcomes you can get aside from 10 years ago.”
Kurtz giving more details on the platform’s architecture:
“So when you actually get to deploy the product, there's a reason why it's so friction-free. Large cloud customers can deploy 25,000 agents in an hour because it just installs, there's no reboot and we're the only technology that doesn't have a reboot. I learned this lesson when I was at McAfee. We bought stuff where we would have to go into a company and say hey, we got a new agent, it's not integrated and you have to reboot 300,000 endpoints. No one wants to do that. So the fact that we've thought about the small details of getting a lightweight agent of less than 100 MB in, being able to manage it at scale — which is really hard for companies to do — and we only have one release of the agent, we don't make special agents for you or for another customer, that allows that manageability to run the platform very efficiently. This gives us the ability to collect data at scale and that then unlocks all of the other modules. And that is what gives you the leverage in the gross margin. Almost every other module we add is pure gross margin.”
It’s clear that a lot of clever software engineering has gone into this product. And while that isn’t necessarily a moat, as there are a lot of gifted coders around the world, the amount of data that CrowdStrike collects, with a trained AI response model running on top of it, could form an effective moat, and one that would make it compelling to buy and stick with the product.
There aren’t that many players which could replicate such a system, potentially a Palo Alto or a Microsoft, but CrowdStrike is already head-and-shoulders above everyone else in endpoint and will have the best scale of data going forward, which should bring in the data advantages.
The company disclosed that they have penetrated 30% of logos within the Global 2000 in endpoint, highlighting their strong position already, with still massive opportunities in both the public sector and small businesses with penetration rates of less than 1%. Looking at the number of customers of other software companies, there is plenty of runway for growth:
The other point Kurtz raised about selling additional modules to their customer base is one of the attractions of software platforms in general. The client is already up and running on your software so any additional revenues you make from launching new features are very high gross margin.
To sum up, there are plenty of attractive growth angles in this name. Let’s go through a number of them in more detail, starting with the cloud and microservices.
The explosion in microservices
Modern software architectures have moved from monolithic code bases to isolated microservices running inside of containers. A container is a lightweight, isolated process environment running on a server or virtual machine: unlike a VM it shares the host’s kernel and carries only its own filesystem, libraries and configuration. Say you have two apps running on one server, one written for Python 3.10 and the other still on Python 3.8: with two containers, each image ships its own interpreter and dependencies, and neither app’s upgrade schedule constrains the other. The same thing can be done on a single host with side-by-side interpreters and virtual environments, but it then has to be done by hand for every library and every machine, so in practice teams end up moving both apps in lockstep as Python versions change. Containers remove that friction, at the price of many more independently built and independently patched units to keep track of.
A large company utilizing a microservices architecture such as Netflix can have hundreds or thousands of services in communication with each other across its servers. Below is an illustration of Uber’s microservices architecture and how a particular request flows through the services it needs. Each bubble on the illustration is a containerized app, its size indicating how frequently it handles requests. A fleet of containers like these is managed by an orchestration platform such as Kubernetes (which originated at Google) or Docker Swarm, and can be monitored with tools such as Datadog or open-source alternatives like Grafana.
Every one of these containers listens on network ports, carries credentials to reach other services and runs an image built largely from third-party code, so each is an endpoint that has to be protected, whether or not its API is reachable from the public internet. This is where the field of cloud security comes in. CEO Kurtz discussing the cloud business:
“We started with the hardest part first, which is cloud workload protection. That's really the preventative technology that runs in these virtual environments, in Kubernetes clusters. There's a lot of different ways that you can consume cloud workload protection and that took the better part of 10 years to build, something as robust as what we've built. We are protecting some of the world's largest clouds and largest SaaS platforms. You can't go to a dev team and say, we're going to put a piece of software on there that's going to interrupt what you're doing. So it is really a high barrier to entry to get a cloud agent in a critical workload. Then you combine the piece of cloud workload protection with CSPM (cloud security posture management), application security, and data security posture management, and we believe we've got the best cloud offering in the market. Not only is it best-of-breed in these areas, but the fact that it all works together and can seamlessly identify threats, identify misconfigurations and the big thing, prevent the breach.”
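To make “identify misconfigurations” concrete, below is a small posture check of the kind a CSPM product runs across a cluster, written here as an added example; it is not CrowdStrike code and not taken from the page. It walks Kubernetes Pod specs (the sample manifests are constructed inline, shaped like trimmed `kubectl get pods -o json` output) and flags the settings that most often turn a compromised container into a compromised node: host networking, `hostPath` mounts, privileged containers, root users, mutable image tags, host ports and automounted default service-account tokens. The rule set and the `check_pod`/`audit` names are this example’s own choices, not a product’s API.

```python
"""Toy Kubernetes posture check (added example, not vendor code).

The sample pods below are constructed for illustration. The rules approximate
checks a CSPM tool would run over every pod in a cluster.
"""
from typing import Dict, List

# Constructed sample: two pods from a hypothetical "prod" namespace.
SAMPLE_PODS = [
    {
        "metadata": {"name": "billing-api", "namespace": "prod"},
        "spec": {
            "hostNetwork": False,
            "serviceAccountName": "billing-sa",
            "automountServiceAccountToken": False,
            "containers": [
                {
                    "name": "api",
                    # Pinned by digest, so the image cannot silently change.
                    "image": "registry.example.com/billing-api@sha256:" + "a" * 64,
                    "ports": [{"containerPort": 8080}],
                    "securityContext": {"runAsNonRoot": True, "privileged": False},
                }
            ],
        },
    },
    {
        "metadata": {"name": "debug-shell", "namespace": "prod"},
        "spec": {
            "hostNetwork": True,
            "serviceAccountName": "default",
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            "containers": [
                {
                    "name": "shell",
                    "image": "ubuntu:latest",
                    "ports": [{"containerPort": 22, "hostPort": 2222}],
                    "securityContext": {"privileged": True},
                }
            ],
        },
    },
]


def _pod_name(pod: Dict) -> str:
    return f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"


def check_pod(pod: Dict) -> List[str]:
    """Return one finding string per risky setting; an empty list means clean."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    name = _pod_name(pod)

    # Pod-level settings that widen the blast radius of a container escape.
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork=true shares the node's network namespace")
    if (spec.get("serviceAccountName", "default") == "default"
            and spec.get("automountServiceAccountToken", True)):
        findings.append(f"{name}: default service account token mounted into the pod")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume {vol['hostPath'].get('path')} mounted")

    # Container-level settings.
    for c in spec.get("containers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot not set (may run as uid 0)")
        image = c.get("image", "")
        if "@sha256:" not in image:
            # Look at the last path component so a registry port is not mistaken for a tag.
            ref = image.rsplit("/", 1)[-1]
            tag = ref.split(":", 1)[1] if ":" in ref else "latest"
            findings.append(f"{cname}: image pinned by tag '{tag}', not by digest")
        for p in c.get("ports", []):
            if "hostPort" in p:
                findings.append(f"{cname}: hostPort {p['hostPort']} exposes the container on the node")
    return findings


def audit(pods: List[Dict]) -> Dict[str, List[str]]:
    """Run check_pod over every pod; map pod name -> findings for pods that have any."""
    report: Dict[str, List[str]] = {}
    for pod in pods:
        found = check_pod(pod)
        if found:
            report[_pod_name(pod)] = found
    return report


if __name__ == "__main__":
    for pod_name, findings in audit(SAMPLE_PODS).items():
        print(pod_name)
        for line in findings:
            print("  -", line)
```

Against the constructed input, `billing-api` comes back clean and `debug-shell` produces seven findings. On a real cluster the input would be the JSON from `kubectl get pods -A -o json`, and the interesting work is what the quote above calls “it all works together”: correlating a finding like a privileged container with runtime telemetry from the agent inside it, rather than reporting the misconfiguration in isolation.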
Kurtz discussing the growth in the TAM of this business, driven by virtualization and containerization:
“If you take a physical server and move it to the cloud, it equates to like ten different workloads, just how everything is split out in Kubernetes environments. I think it massively expands the TAM. If you look at where the growth is in protecting workloads and endpoints today, that isn't going down. The proliferation of agent and non-agent technologies, look at things like enterprise attack surface management, these were things that people didn't even consider 5 years ago.
The technology curve, as it gets more complicated, security has to parallel the slope of that technology curve. So if we just think about 30 years ago, you had a simple website and a firewall, really easy. Today, it's incredibly complex when we think about all of the different cloud environments, and that's only going to get more complicated. Ninety percent of the active incident responses that we're working on right now are all cloud-related exposures. So I think we're only in the early innings of what we're seeing in terms of cloud protection.”
CrowdStrike and Palo Alto are the two strong players in this field according to Forrester (below) and as the business grew at a 90%-plus rate over the last year and is now generating over $400 million in revenues, obviously we have a very interesting asset. Morgan Stanley commented that CrowdStrike is the fastest growing player in this area and at the capital markets day, the company mentioned that 28 out of the Fortune 100 are already customers for this product.
An advantage CrowdStrike has here vs Palo Alto is that the latter is running its endpoint and cloud security products from different platforms, whereas with CrowdStrike, everything is integrated into the single Falcon platform. Kurtz on the recent earnings call:
“A global financial services giant replaced their Palo Alto Prisma Cloud products in a large 7-figure deal. The Palo Alto cloud security products required separate management consoles and separate agents because cloud security is on a separate Palo Alto platform altogether. CrowdStrike was able to deliver an expected 70% time reduction in management as well as more than $5 million in annual staffing cost savings. The patchwork of multi-product, multi-agent and multi-console separate platform technologies resulted in visibility gaps, asynchronous alerts and overall fatigue managing cloud security. Falcon's single platform with its integrated cloud security component was a win for the customer.”
For premium subscribers, we’ll do an in-depth review of:
How AI data advantages can consolidate the cybersecurity industry
How CrowdStrike is building out its Falcon platform
Palo Alto Networks’ declaration of war
How SEC regulation can provide a tailwind for the cybersecurity industry
A financial analysis and thoughts on valuation for CrowdStrike