Long Tail Optionality In Cybercrime Will Benefit CrowdStrike And Deliv

Cybersecurity Threats Are Entering A New Era

Cybercrime is the other side of the coin of technological development and is expected to keep advancing at an unknown pace in the future, this makes companies like CrowdStrike well-positioned to help. They predict attackers will continue to target large companies "Big Game Hunting", internet-connected devices (edge devices) and end-of-life products (EOL). Cloud storage like Microsoft 365, SharePoint, and code repositories will be prime hunting grounds for valuable information. AI is also making attackers more sophisticated. For example, AI can create realistic emails and voice conversations that impersonate familiar people or trusted organizations to trick victims into giving up money. This highlights that cybercriminals are increasingly exploiting human vulnerabilities. CrowdStrike emphasizes identity-based attacks, where hackers use social engineering or bypass multi-factor authentication to gain access.

CrowdStrike's global threat analysis paints a concerning picture of rapidly evolving e-crime alongside technological advancements. This mix of advanced tactics by both state-backed actors and profit-driven criminals will drive heightened awareness and spending for digital security.

CrowdStrike: Global Threat Report 2024

The company noted an increase in global cloud, identity e-crime, and a proliferation in novel and traditional cyber-crime, which I break down below:

• State agents: Nation-states like Russia, China, and Iran employ hacktivist groups to steal data, conduct espionage, and disrupt critical infrastructure. These attacks are often sophisticated and targeted. While the West maintains a lead in physical weaponry, the true extent of any digital advantage and the vulnerability of digital infrastructure remain unclear. For example, in what was likely a cyberattack tied to tensions in the Middle East, a South Asian hacktivist group targeted a British military website on October 14, 2023. On October 16, 2023, a hacktivist group calling itself INFINITE INSIGHT, said they leaked personal information of nearly 790,000 U.S. doctors.
• Faketivism: A New Kind of Deception: Faketivism involves groups posing as hacktivists to advance the interests of a particular government. These fake personas can be difficult to identify, making them a dangerous tool for information warfare.
• Cyber-criminals: They may scan for VPN configuration files to compromise corporate networks or use social engineering tactics like LinkedIn catfishing to trick individuals into downloading malware. Cyber-criminals now have the capability to use large-scale automated agents to humanize and carry out a massive number of attacks.
• Supply chain attacks: CrowdStrike has identified two agent types nicknamed “Jackpot” and “Panda” that exploit trusted relationships through actor-on-the-side and actor-in-the-middle attacks. They target victims across the supply chain in order to get credentials and info. The typical attacks originate in branches in China or target Chinese speaking associates.
• AI Attacks: LLMs are already being used to personalize attacks, automate tasks and even generate working agents from the inside. For instance, the SCATTERED SPIDER group used the Azure AD PowerShell to download user IDs at a North American financial services firm. The operating code used to steal the IDs resembled LLM outputs matching the Llama 2 70B model.
• Big Game Hunting: This refers to cybercriminals targeting high-profile organizations. The DLS group exemplifies this trend, having victimized a record number of organizations across various industries in 2023.
• Malvertising: fake ads lure users into clicking and unleashing malware, data theft, or scams – prominent among online gambling ad banners.
• SEO poisoning: malicious websites are manipulated to climb search engine rankings.

The large growth in digital infrastructure over the years has increased the vulnerability area that adversaries can target. This represents a large optionality value for the company, as it is hard to predict to what extent cyber-crime will develop. Further, CrowdStrike has the opportunity to utilize the difficulty of management to correctly assess digital threats and a behavioral quirk of overestimating the potency of negative events. Conversely, corporate incentive structures rely on blame avoidance, and managers would rather allocate a lofty budget for CrowdStrike’s products than have to deal with answering for a digital breach.

CrowdStrike Has Reached A Quality Level That Entices Customers To Switch

CrowdStrike has developed a solution that is slowly taking-on the fragmented competition and integrating itself into a single platform. Their standard annual package is currently priced around $185 annually per device, and is targeting companies with a large number of employees. The company notes that 27% of customers are adopting 7 or more modules and that their number has grown more than double over the last year. This indicates that large companies are switching over to CrowdStrike and are willing to buy the more expensive packages.

CrowdStrike: Q4’24 Investor Presentation

The company’s initial core product was endpoint protection – meaning that they charge a subscription to protect devices (PCs, laptops, smartphones, etc) used by employees. They have since moved to integrate multiple aspects of protection, such as securing cloud environments, logins, network activity, data etc, into their Falcon Platform that integrates all of these solutions.

The company’s product was marked as a leader for endpoint protection by Gartner in 2023, and customer data is confirming an increased uptake.

CrowdStrike: Q4’24 Investor Presentation

Crowdstrike is successfully displacing competitors and taking over their customers. A large financial service company recently switched to CrowdStrike from Palo Alto in a seven figure deal. The company noted that their integrated platform played a major role in the customer’s decision, citing annual cost savings of $5M and a 70% in management time. The company is also going head to head with large competitors such as Microsoft, and has managed to convince customers to adapt their integrated platform.

An important aspect to consider is that CrowdStrike is finding customers in a period where management is rigorous on additional software spend. This indicates that companies want to mitigate potential security threats, and find CrowdStrike’s platform to have higher price to performance vs other peers.

The Sales Cycle Will Increase In Efficiency With Network Effects

CrowdStrike has one of the most valuable sales cycles in the industry. The company offers immediate support in the event of a data breach. Then, a technical team helps contain and recover as much as possible from the attack. After this happens, the business gains a much larger appreciation for security and the company is able to efficiently convert them into a customer.

Given that CrowdStrike is able to enter the sales cycle at a high pain-point, customer conversions are more reliant on the rise of cyber-crime, rather than high marketing spend, which is great for the business.

The company is experiencing a high degree of organic sales and a strong deal flow. CrowdStrike notes that in Q4 they closed more than 250 deals with a value greater than $1M, more than 490 deals greater than $500K, and more than 1,900 deals greater than $100K. Their deal volume increased more than 30% YoY.

SEC: CrowdStrike’s Income Statement In The Last Three Years

CrowdStrike will continue spending a sizable portion of marketing, however, I expect this to go down from the current 37% to 20% of revenues as CrowdStrike scales up and employs more network effects to acquire customers. Besides standard industry practices in marketing spend, the company makes efforts to raise awareness about the potential damage that can be incurred from a breach. In my view, CrowdStrike will gravitate towards the marketing practices of insurance companies when soliciting catastrophic insurance packages.

I believe that the next five years will represent a high growth period for the company, after which it will start optimizing expenses and start converting sales and marketing expenses into profitability margins.

An Uncharted And Growing Addressable Market Allows Expansion On Multiple Fronts

CrowdStrike’s management estimates a total addressable market (TAM) of $100B in 2025 and $225B in 2028, representing a 125% increase. The company expects that this TAM comes from an increased need for digital security products that they are building, including: $19B endpoint security, $18B security and IT operations, $17B managed services, $12B observability, $12B cloud security, $9B identity protection, $6B threat intelligence, $4B data protection, $3B generative AI.

CrowdStrike: Q4’24 Investor Presentation

As discussed before, I believe that the security industry has high-growth potential based on the potential rise in cyber-crime backed by a general increase in compute power, novel AI technologies, an advancement in tech, and a widening in the possible attack vector from more companies embracing digitization. However, I find it hard to justify that CrowdStrike will be equally competitive in all of the proposed fields. For this reason, I think it will be more helpful to estimate the portion of the market that the company may be able to service with their products, as well as their market share in the respective years.

In my view, CrowdStrike will be leader in endpoint protection, and will gradually pull customers to their unified security suite, however this is still some years away, which is why I am discounting their other market opportunities around 60% to arrive at my serviceable market estimate of 135B for 2029 – Note, I move one year forward for the purpose of estimating CrowdStrike’s value in the next 5 years.

The high optionality potential of novel cyber-crime justifies erring on the side of a larger market opportunity for CrowdStrike, as bad actors are privy to advanced technology, and companies are increasingly digitized, giving them a larger vulnerability surface.

In the past, companies implemented CRM, ERP and data systems on digital infrastructure, and managed to increase system productivity. I believe that these systems are still relatively new, and their rush to be competitive and get implemented ASAP has exposed security vulnerabilities as one of their trade-offs. I think that cyber-criminals are catching on to these new systems and we will see increasing waves of attacks in the coming years.

Revenue: Given the competitive landscape, I estimate that the company will capture 13% of the $135B SAM, resulting in $17.6B revenue in 2029. This is a 5.7x improvement over the current $3.1B revenue, and implies a CAGR growth of 41.5% in the next 5 years. In my view, the company will grow around the 30% mark in the next year, but re-accelerate growth as customers become more conscious of security threats and cross-promote their change in culture around security.

Market implied pricing: the estimate is close to what the market is pricing-in for the stock given that CrowdStrike has an EV/Sales of 24.5x, while post product-market fit companies with operating margins larger than 25%, tend to be priced at 5x EV/Sales. This means that we get a factor of 4.9x for the future revenues of CrowdStrike. By multiplying that factor with the current revenues of $3.1B, we get the market implied value of $15.2B – assuming a future EV/Sales multiple of 5x.

Profitability: most of CrowdStrike’s business is a subscriptions service with multiple modules. I expect their main expense to be sales and marketing related as they scale up. Once that phase subsides, I expect research and development to be their key expenses as the company is operating in an uncharted industry.

CrowdStrike has released full year operating estimates, which I use as my basis for my five-year estimates. I expect the company to keep optimizing performance after it scales up, further driving down operating costs.

CrowdStrike: Q4’24 Investor Presentation

As the company scales, I estimate that they will keep gross margins around 85%, reduce sales and marketing to 20%, keep research around 20% and G&A around 5%. This leads to an operating margin of 35% in 2029, well in-line with a highly scalable software business. Given that the company is still young, it will take a longer time before they start optimizing the bottom line, which is why I think that net income will be 40% of operating income, primarily reflecting stock based compensation expenses used to finance operations.

The resulting operating and net profit estimate for CrowdStrike in 2029 is around $6.2B and $2.5B respectively.

Multiple: CrowdStrike will continue growing beyond my 5-year forecast period. This is why it’s fair to assume that the company will keep trading at an elevated multiple of 30x.

Share dilution: I expect the company to continue financing operations with dilution, and estimate an average yearly stock dilution of 2.5% in the next five years. Management has issued guidance for 3% dilution next year, and I think that they will become less aggressive with dilution as the company grows. This will increase the total number of outstanding shares from 241.9M to 273.7M shares.

• The rise in software technology may surprise on the upside, and companies may develop a solution that successfully isolates their digital infrastructure from attacks. While the human factor is a weak-point in security, there is always a low probability of developing a solution that successfully contains the majority of attacks in this era.
• Talent recruitment is difficult in cybersecurity and there is a longer internal training period needed before employees become effective. This means that it will take longer for the company to build up the products aimed at tackling the $135B SAM.
• Should CrowdStrike find it harder to continuously innovate, or peers speed up, then their software products will start resembling a commodity offered by multiple vendors. The single platform approach may become adapted by more peers and even open-source developers may create (1, 2) a viable product at a lower cost. In this case, CrowdStrike will have to rely on specialist services to retain customers, however this will impact the bottom line since it decreases the scalability of the product.
• Competitors will do their best to impose high switching costs to potential customers by offering native cloud and cybersecurity solutions which integrate well with their other offerings. Further, cybersecurity peers may take advantage of complexity in the digital infrastructure to entrench their solutions.