CrowdStrike Holdings, Inc. (CRWD) Earnings Call Transcript & Summary

Okay. Good day, everybody. I'm Gur Talpaz, and I run the cybersecurity research team here at Stifel. I have the very good pleasure of virtually welcoming the CrowdStrike leadership team. With me is CEO, George Kurtz; and CFO, Burt Podbere. [Operator Instructions] I'll do my best to get your questions. George and Burt, first off, just many, many thanks for joining me today. It's much appreciated.

Thanks, Gur. Great to be here.

Of course. Yes. So the way I like to kick these things off typically is just, honestly, with a high-level overview. But here, I want to do things a little bit differently. When you look at the story today, George, you've defined the story as the security cloud. And what I'd love to kind of dig into is for you to sort of explain what that ultimately means, how you view the CrowdStrike story today and how do you view it in relation to other technology stories out there?

Sure, absolutely. So again, thanks for having us. I think if I just back up a little bit to get to the security cloud, it's probably worth 30-second explanation of what I was thinking when starting the company. So I spent some time, I started a company called Foundstone. I built that and sold that to McAfee and then spent 7 years there. And part of my journey there, I think it was clear to me, 2 things. People were paying money for security, not getting the outcome they were hoping for, which was not be breached. And the second one was really focused on the architectural issues, everything looked like Siebel, and I thought it should look more like Salesforce. So when we think about the security cloud, I looked around the environment, and there was a Salesforce and a ServiceNow and Workday, but there wasn't a security cloud. And in 2011, I thought there should be a company that really redefined security from the ground up as a foundational platform company. And we started focusing on endpoint, and we called it more workload today. But the general idea was how do we get a better outcome to prevent breaches, but also reduce a lot of the agent fatigue and create an architecture with a single agent, a data store, we call it Threat Graph and modules that can really do what Salesforce and ServiceNow did for the security market.

So there's a lot to cover here, and I still want to stay a little bit high level here. But if you look back, you've been public for just about a year now, just a few days short. It's funny. When I look out at the names out there, I think you've been among the most tested names as far as recent IPOs and you've been immensely successful. When you think about just the ingredient and the recipe for that success, what do you attribute it to? What do you think has been kind of the key components despite all the challenges that have kind of been out there whether macro or otherwise?

Well, when you -- I mean, there's a couple of tailwinds that we have, I would say. One is the cloud architecture, right? In 2011, when we started the company, it certainly wasn't fashionable to be an endpoint cloud company, right? Now everybody claims to do that. And we just saw things maybe a little sooner than everybody else who knew the cloud was going to be a massive tailwind. You combine that with the fact that we're replacing a lot of agents in the overall environment and I think that's probably an area that's underappreciated, just how much pain is involved for it. Large and small companies with all these agents they have, collecting the same information multiple times and bogging down the system. I haven't talked to too many people who hug their computers and say, "I love the performance." Normally, it's overworked with too many agents and they want to get rid of it. So we can do that. Many times, we replace up to 4, 5, 6 different agents out there. And then when you look at the competitive environment, it's a real change over the last number of years. We've seen a lot of the big players fall away. We've seen a lot of the next-gen players get bought. And to me, again, it feels a lot like the Siebel-Salesforce days where a lot of the on-premise legacy players try and play catch up but couldn't get there just because of the architectural challenges and the classic innovator's dilemma. So I think when you look at all those, combine that with digital transformation in the COVID-19 world, it's a sustainable tailwind trend that we see.

Let's dwell on that point a little bit here, right? If you go back a year, endpoint or broader workload protection would have been called one of the most competitive markets out there. Many players, you go back to Black Hat 3 years ago, and I think 1/3 of the vendors on the floor could be classified as endpoint vendors. You look at it today, it's vastly different. A lot of players have bowed out, a lot have been acquired. And we don't see their names as prevalent as they once were. Why do you think that's the case? What has ultimately changed here over the past few quarters?

Well, I think it became clear from a customer perspective what they were choosing, right? They were choosing cloud over on-prem, they were choosing AI over signatures, and they were choosing a technology that was focused on stopping breaches rather than stopping malware. And now that last point may seem like a simple statement, but I want to make sure that I double-click on that. A lot of the technologies, for many years, were focused on just stopping malware. And malware is a subset of stopping breaches. So again, at the end of the day, if you're a customer, one would think that you're paying for an outcome of -- I don't want to have a breach. And if you're only focused on malware, you're looking at half of the equation of how companies get breached, and a lot of breach is happening without malware. So that's one piece. And you're going to be behind the curve because you're probably dealing with signature instead of being able to predict whether something is good or bad. So when you look at the delivery mechanism of cloud, it's super easy to install up and running. And we've had customers that basically have installed over 25,000 agents per hour, and we're talking about hundreds and hundreds and hundreds of thousands of agents very quickly to get up and running for one customer. When you look at the time to value, you're up and running, no reboots, not a lot of configuration, it's a classic SaaS play. And they see the value, and they see the consolidation. And then a lot of time, it's spent on selling the value. What is the ROI that we can basically present to a customer? Typically 3 to 5x return very quickly. It could be a 3 to 6 months payback. And in today's challenging financial environment, it's very compelling.

That's interesting. I want to double-click on that point a little bit further. I think one of the most [ interesting ] concepts around the story is defensibility. A lot of people still look out there and say it's still a competitive space. I don't understand why this is so hard to replicate. When you think about the combination of the cloud back-end and the agent, how difficult is it for, let's say, another player to come in there and do what you do?

Well, if you look at -- a, it's really hard to do, and there's a variety of reasons. But if you look at a lot of our competition, they started the on-prem and they try to package up what they had and put it in the cloud. And that's -- that doesn't work. You really have to have the architecture from the ground up, again, like some of the large cloud providers or players that I mentioned earlier. And they haven't been able to do that. It's hard to -- typically, what people try to do with their agents is just kind of collect data and throw it up to the cloud and deal with it. And we took a different approach, which is we have a smart intelligent agent that essentially has a mini graph on the endpoint, which keeps track of a lot of things and also interacts with the cloud. So it's kind of a seamless end-to-end system as opposed to a data collection and then distribution model where you collect data and move it somewhere. We never lose the context. So we have that 20 megapixel view of what's happening, and we never lose it as it moves to the cloud. And we don't have to try to reassemble it. So a lot of our competitors keep all the data resting on the endpoint, where we're able to dynamically adjust our aperture and get the right amount of data at the right amount of -- at the right time up to our cloud. And that -- again, that's good for performance on the endpoint, good for network performance. And it's also good for margin. A lot of our competitors, this is -- I mean, I cannot underscore this enough that it is a barrier to entry to keep your margins up if you're trying to move a lot of data around. And you have to do that very efficiently and intelligently, and that's where we spend a lot of time and have a lot of IP and patents around. So I think that's -- it's just one of those things that's not easy to recreate. A lot of things sound similar, but when you actually use them and deploy them, it's much different. Even if you look at video conferencing, I'm sure everybody has their video conference of choice. They all sound the same. It should be a video conference. But there's some out there, you just turn it on, it all works. That's kind of like CrowdStrike.

So it's interesting. I want to drill in a bit further into that, both in terms of just scale and in terms of margin. When you look at the underlying back-end, you've grown the amount of data ingested and the amount of events ingested by a significant amount every single year -- [ you sort of ] go from less than 1 trillion events per week to over 3 trillion per week right now. At the same time, the gross margin has always scaled. When you look out there, do you see an upward threshold to what you can ingest from an event workload type of perspective? And then secondarily for you, Burt, when you think about that, how have you been able to also scale the gross margin as you've been able to ingest all that data at the same time?

So I'll take the first piece, and then I'll kick it over to Burt. When we look at the scalability, we don't anticipate any issues. I mean, we're always building out and maturing our technologies. But from the ground up, it was built to be horizontally scalable. So we spent a lot of time in the architecture, both our public cloud elements as well as our private cloud elements to make it a very scalable architecture. And I think, again, because it's a micro service, API-driven architecture, it's very contemporary, and it allows us that scalability. It looks a lot like a Google or a Facebook or a highly scalable cloud company behind the scenes because that's the way we built it. And I'll let Burt talk a little bit about the margin for a while.

Sure, George. And Gur, as you know, it's the topic nearest and dearest to my heart, think about where we came from to where we are today and seeing [ 78% ] on a non-GAAP basis on the subscription side. So I think that for gross margin, there are 2 really strong levers with respect to how to keep them up and even increase them over time. One, of course, is more modules. As we add more modules, every single module after the first one becomes virtually pure profit. So as more modules are ingested by the customers and we're able to continue to consolidate and continue to save them money, it actually makes us more money. So that's one area where we see continued leverage in the gross margin story. The second one is the efficiency within what George had talked about, the -- our efficiency within both our public and private clouds. We do use AWS. We started out on AWS, and then we've gotten to our own private clouds, where we've been able to not only optimize and fiddling with the dials to get the best performance at the best cost. But that and also to optimize between both AWS and our private cloud. So I think both of those 2 elements have contributed to the success story that we've seen in gross margins.

That's helpful. And just speaking to module adoption, I think one of the most interesting metrics that you gave on the last call was the adopting of the Falcon Discover module, traditionally an IP-based tool. It seems like you're having a lot of success selling outside of the security realm. And it seems like that's coming at a time when people are perhaps reevaluating a lot of their strategy, given the concerns and just the nature of everything that's happening as far as more remote workers, et cetera. When you look out there, where have you been able to kind of break down barriers and find success in pushing to other areas of the market like IT with a Discover module? And where do you sort of see that going on a go-forward basis?

Well, we got pulled into that market by our customers who basically said, "Okay, you have the right architecture. You know what our assets are. You provide prevention. You've got -- you keep the data in the cloud, or you collect data at scale rather than try to keep it on the endpoint and have this query model, which -- that's not a contemporary model today. It's much more effective to have everything in the cloud and then gain those insights." So they came to us and said, "Hey, we want things like asset inventory. We want application inventory. We want to understand what privileged users are doing. We want to find rogue systems. We want the ability to actually use things like PowerShell and other scripting languages to drive automation into all these workloads and endpoints." What -- the ability to touch these workloads or endpoints, wherever they are, on the network, off the network, in the cloud. And that was, I think, a big turning point for us as we continue to expand the TAM because the architecture is so effective, we can gather data that's outside of just security and we can take actions that are part of IT. And some of the things that I just went through in understanding your assets and the inventory, that's part and parcel to being secure. If you don't understand your assets, what systems are protected, what are your [ pass ] levels, it's hard to really protect against those. So that level of visibility, while it's in the IT group, it actually does dovetail into security. And that's been very well received. And when you look at something like COVID and remote work from home, I think it really accelerated people, I mean it's FAGA war, at the end of March, people were just trying to get up and running, looking at anything available that would help them and their traditional IT systems that were legacy depending on the network or peer-to-peer, we're just not going to work across the network and touch your home computer, Gur, as you were sitting behind your router. So Falcon became a very valuable tool for IT very quickly. And it had been gaining steam over the years, but I think it really was an eye-opening event for many people to realize, "Wow, I can make a configuration change. I can do an emergency patch, I can do a password reset." And it's so much easier than the existing tools that don't work across those boundaries. So that's where we just saw like an immediate catalyst and people in the IT group, they knew we were there and people used us and a lot of customers for that. But I think it was -- because it was all hands on deck, it really accelerated the view of what we can do.

It makes sense. And maybe just exploring it a little bit further. It's funny, when you look out there, a lot of stories throw the term platform around pretty loosely, yet I think in your case, it's actually -- it's very applicable and very relevant. When you look at the reasons for success around multiproduct adoption, how important is being frictionless in that dynamic? And when you look at appetite for multiproduct dynamic -- for multiproduct adoption, has it shifted in the environment that we're in today?

Well, multiproduct is important because it's replacing other technologies that are out there, right? It's all about cost efficiency, what can we replace. Our goal is 1 in and 3 or 4 out, and we've been successfully been able to do that many times with a very robust return. And module adoption, I think, again, is really the future. We are a true platform. You can look at the modules we have. You can look at the fact that we don't have anything on-premise where our competitors do. And that adoption, obviously, has been robust. We put those numbers out. Burt can comment on some of the adoption rates. But I think more importantly, it's sort of the mindset, right? And there's a shift that we've seen a couple of years ago, and it's really accelerating it. Again, it's almost like Salesforce. We use that and if our sales team came in with something and wanted a new widget, if it didn't integrate with Salesforce, we would basically say, "Go find something that did." And we're seeing that buying behavior from our customers saying, "Hey, if it doesn't integrate with CrowdStrike or they don't have it, it's not part of their story. They don't have it, we don't want it" because it became really a foundational platform, one of the most valuable pieces of security technology and now IT technology in their stack. So that's -- when you reach that status of people changing their buying behavior, unless it's like part of our stack, I think that's really a crossover point where you can go, "Okay. That really is a platform company."

Yes, and it's Burt. So just to add on to that, I think the percentage of customers [ with more modules ] in and of itself, there are many companies that, just to get that 10% of 1 additional module would be a win. And we're putting up numbers that are multiples of that. And when you think about where we came from in Q1 of last year on 4-plus modules, we were in the 40s, right? So now we're in the mid-50s, and so that's a significant progression from where we've been.

And Burt, just to elaborate on that, are you finding that you're able to actually land bigger as well as customers buying more modules at initial sale?

Yes. So in general, as we've added more modules and as we show more and more value, over time, over the last year, we've certainly seen more larger deals land. And so that's obviously good for us. But we also have that opportunity to upsell our existing installed base. And so for us, we have this great opportunity to really increase our net new ARR, which is the metric that we focus on most in both areas, both in the new logos as well as in the expansion of our installed base.

It makes sense. And I want to touch on TAM a little bit, but I want to drill into a concept, and you touched on this in the beginning, which is the idea of workload protection, not just endpoint security. And what I want to sort of better understand is how you can ultimately serve customers, whether it's in the cloud and IoT, on mobile, et cetera, and like we have to think about the workload protection approach as opposed to just thinking about institutional EPP in our sense?

Yes. I think that's an important point because when we can look in the endpoint bucket, which was a category, I get it. And that's how people look at it. But the reality is I think it's pretty limiting because when you look at the opportunity in front of us, it's more than desktops and servers. That's the way I view an endpoint, desktops and servers. And that's a subset of a workload, right? A workload to me is anything with compute network and storage, and it's really just a subset. So you have all the cloud workloads -- sorry, all the various cloud vendors out there. You got all the virtual workloads, containerized workloads, serverless workloads, IoT, mobile. And that's a massive opportunity. So even if you look at just kind of core security TAM and we expand well beyond just kind of the core "endpoint security", I think it's been limiting because I really think they're just counting endpoints and servers. And a lot of the cloud workloads don't have -- they're underprotected, right? And they're looking for technologies like CrowdStrike to be able to protect them. And as digital transformation accelerates, there is a compliance mandate. You have a lot of companies that can't move to the cloud because, I mean, if they're going to move there, they have to have security. And CrowdStrike is a great technology to protect all those cloud workloads at run time. So we see it as underrepresented in the TAM, and we see it as a fast-growing opportunity as digital transformation gets accelerated. And we spoke to a CIO who basically said, "Hey, I had a 2-year digital transformation road map that I executed one night in March." So that's what we're seeing, is that acceleration because of what happened.

So let's explore that part a little bit further, right? You're talking -- I think when investors think about digital transformation, they think about long disruptive multiyear projects that have a high initial cost and essentially a long tail to boost ROI, but something that will pay off in the long term. You guys have been able to [ work on ] transformational projects at a pretty rapid time frame. One, I think can you explain how that's the case? And then two, how do you think about the appetite for projects like that in the current environment that we're in?

Well, I do think it has accelerated very quickly because customers are looking around basically saying, "Hey, this is not going to happen again, right?" We're going to be prepared. I mean, I talked to one CIO of a huge company and said, "We will never buy a desktop ever again. It will never happen in our shop." And that's a broad statement, right? Because they had to ship everybody home, and they needed laptops, right? And part of that sort of thinking of this will not happen again is, okay, we're going to move a bunch of stuff to the cloud. We were going to do that, but we're going to do it even faster because we don't know what's going to happen. And as they accelerate those road maps, you're not going to move anything to the cloud unless you have the checkbox for security. It's just not going to happen. And there are various ways to do that, but these massive compliance mandates for runtime security and visibility with Discover and how we integrate with many of the cloud APIs, not only to provide runtime protection but also visibility in hygiene. And that became a blocker if you don't have security. So they have to check off the security, and then they can migrate over a period of time. So it's almost a foundational piece, the shelter, as I call it, in the corporate hierarchy of needs. You have to have it before you can go up and migrate those applications. And that's what we've seen. And people are still buying. They have not stopped buying because of this. And in certain areas, it certainly has accelerated the buying.

So it's interesting, right? I want to touch on another point, another metric you gave on the last quarterly call was the growth in deals sourced from AWS. That's been growing at a really rapid rate, I believe [ 75% ] sequentially. When you look out there, I think there's a pretty broad debate about what the right architecture for securing AWS is. I think you've found a lot success with host-based security and host-based approach. Why is that the case? Why are you finding success right now in cloud environments like AWS versus others that I think are still pretty heavily in the [ financial outcome ] mode still?

Well, I believe workload security and endpoint security is really the new firewall. In a 0 trust environment where workloads can be run anywhere, they have to be able to protect themselves, right? So they really have become the new firewall. And when we think about it, AWS has been a fantastic partner for us. As they continue to grow, we continue to grow and have a need to protect those workloads. And there's various ways to do it. There's certainly a network element, which they supply, which is fantastic. But as these workloads have to be exposed to the Internet, you still need protection, you still need visibility, and you still have to check the compliance box, right? You can't -- there's a lot of regulations across the globe, including finance services that say you have to have security on these workloads. So I think that's -- the technology works. It's easy to deploy. You don't have to reboot, integrates with their billing system. And it allows them to -- the customers get up and running very quickly.

It makes a lot of sense. And Burt, I wanted to include you in the conversation. There's this topic that I want to touch on with you. One is net retention. When you look out there and you held that above 120% for a very long time, what's the confidence threshold in sustaining that even as you land larger? That's part 1. I'll continue with part 2 in a bit.

Sure, Gur. So first, let me just start off by saying that, as you know, we don't manage our business with net retention. It's a noisy metric. And what do I mean by that? It means by -- just because it goes down, it's not necessarily a bad thing or vice versa. And as we've talked about, it could go down because we're just having larger lands that are -- that hit in the quarter. I think that over time, over the long period, you're going to see more shift, I think, to the expansion business as we drop more and more logos, but that's far out to the future. Today, again, and in the midterm time horizon, we still have this incredible opportunity to do both the lands and expands. The 120% was a metric that when we went public, we thought that was probably an appropriate metric and a good metric. And of course, we -- and that's obviously in a normalized environment. It remained above the 120% benchmark last quarter, and we'll continue to monitor it. But that's a metric that can clearly fluctuate on a quarter-to-quarter basis. And today, we're happy with both large lands and large expands, and we've seen both.

It makes sense, and then I think a common question I get right on the story, just think about the inputs that have gone into your updated thoughts around your FY '21 guide.

Yes. For the -- with respect to net new ARR, we have -- we delivered a very strong Q1 and continued to win new logos, and our momentum continued in May. And we generally don't give out any types of information within quarter, but we thought it would be appropriate given where we are today. But given that macro uncertainty, we are maintaining our appropriately prudent outlook for the year in terms of guide. I think that we gave the additional color on the earnings call with respect to the adjustments that we made to guidance. We talked about Q1, which has historically been the lowest Q in a particular year for net new ARR. And we said that, that might not be the case this year. And that's because of the overperformance. It's a couple of things, but mainly it's because of the overperformance in Q1. Generally, we see a fairly large dip between Q4 and Q1 today. What we saw this year was less pronounced. So we start there, and then we continued the momentum into Q2. I think because of we have less visibility in the second half of the year, obviously, we're more prudent in our approach. And clearly, Q3 has less visibility, more uncertainty. Q4 is generally a big quarter for us. So that's how we saw the landscape when we gave guidance. And then the other main impactful thing that we gave with respect to adjustments to guidance was churn and contraction. We haven't seen any variance, really, from what we saw pre COVID. But due to an abundance of caution, we increased the churn and contraction in our models. And so that's how we came out with our guidance the way we did.

That's super helpful. I know we're bumping up against time here. But I wanted to get one more in front of you. I think one thing we think a lot about is the potential to push into relevant adjacencies. When you look out there, it seems like there's a lot of places you can take in the platform as far as potential new workload that you can address, either directly or through the CrowdStrike store. When you think about where you want to take things, you're pushing to things like host-based firewall management. When we look forward, what areas look relevant to you, and what could be interesting for you guys as we kind of think about the evolution of the story?

Yes. Well, there's a lot of areas that we can go into. Obviously, there's a focus. But I think, again, expanding out our IT use cases will be an important element. There's many things in IT that they just struggle with that can be handled with an intelligent agent that we have. So we'll continue to build out those capabilities there and look for some of the pain points. And then specifically on the security side, providing more insights into what insiders are doing and just being able to expand out beyond just kind of the core security use cases, including asset visibility, I think, is important. So there's a lot of areas that we can go into and a lot of adjacencies. And I think for us, it's always -- we don't want to stray too far from our knitting, but there are core IT pieces that are absolutely interlocked with security that can be helpful. And we spend a lot of time nowadays selling to the CIO, which is great, not just the CISO, and that's really that intersection of IT and IT hygiene and security. So that's what we're going to continue to focus on.

Awesome. And I think with that, we're just at about time. So I want to thank both of you for joining me today. Thanks very much. Appreciate it and looking forward to catching up in the near future.

Okay. Thanks so much. We'll see you soon.

Thank you. Take care. Bye for now.