CrowdStrike Holdings, Inc. (CRWD) Earnings Call Transcript & Summary

Welcome, everyone, and thank you for joining CrowdStrike's Investor Product Briefing on Cloud Workload Protection. During the era of social distancing, our goal is to hold additional informational-based sessions for investors. Your feedback is welcome, and please send comments to [email protected]. We have a great lineup for you. Today, you will hear brief presentations from George Kurtz, our Founder and CEO; and Mike Sentonas, our Chief Technology Officer. Then we will open up the session for Q&A. [Operator Instructions] Before we get started, I would like to note that we will not be providing any financial updates today and we ask that you would be mindful of this during the Q&A session. Today's presentations may contain forward-looking statements, including CrowdStrike's current view of its industries, opportunities in select markets, performance, products and business outlook and other statements that are not historical facts. These statements are subject to risks and uncertainties that could cause actual results to differ materially from those expressed or implied by such statements and are not guarantees of future performance. Information concerning these risks and uncertainties is contained in CrowdStrike's most recent Form 10-K and other filings with the SEC. All forward-looking statements are based on management's estimates, projections and assumptions as of today, October 15, 2020, and CrowdStrike assumes no obligation to update them. Without further ado, I would like to hand it over to George.

Thank you, Maria, and welcome, everyone, to our investor briefing on cloud workload security. I think it's going to be a great and informative event. I'm doing this with Mike Sentonas, who is our worldwide Chief Technology Officer. So you're going to hear from him in just a bit. And there's really 3 key takeaways that I want to make sure that we leave you with. Number one, CrowdStrike is focused on protecting more than just endpoints. It's also about protecting workloads. We've done a lot of work in this area over the last couple of years, made tremendous strides in our capabilities and a lot of customers that are using our technology. And we believe this represents a 10x opportunity over the current TAM estimates, and we'll go through why we believe that. Number two is cloud workloads represent a 10x increase of multiplier factor for every endpoint that we see in the enterprise. So said another way, for every endpoint we see in the enterprise, we think there's 10 cloud workloads in the future. And number three, Mike Sentonas will talk about specific capabilities that we built, why our technology is superior to others and the success we've seen in the field. So before I get into the meat of the presentation, I really want to talk about endpoint security versus workload protection. And thinking about us just as an endpoint security company is really an outdated way to look at us. And the reason why I believe that is in 2009, '10, '11, you had workstations and servers. And that's where you get the term "endpoint." But in today's environment, in 2020 and beyond, it's really about workload protection, and workstations and servers are really a subset of a workload. So what's a workload? A workload is network, compute and storage. It could be something in the data center, it could be a public cloud, a private cloud, ephemeral virtual instance, container or mobile and IoT. So these are all workloads that can be protected by CrowdStrike. So that's why when we kind of frame up who we are, it goes well beyond just endpoints. And I think that's really why we're different than all the companies that came before us. Yes, we're a platform company, but this isn't a McAfee or a Symantec 2.0. This is a platform company that has a much broader market opportunity because of all the various workloads that are out there. So just to put it in perspective, over 1 billion PCs shipped worldwide in the last 4 years. CrowdStrike protects a fraction of those. We've been very successful in this area, but it's still a fraction. And just to juxtapose that, we see days where we protect over 1 billion containers on a daily basis, which is incredible. So just reframing it, I want you to think about workload protection, and it's one of the reasons why we spend so much time and so much money investing in this area. And Mike Sentonas is going to go through a lot more detail on what we do and how we do it. So let's talk a little bit about containers and why they're going mainstream. You can see from the Gartner stat that more than 85% of global organizations will be running some containerized application and production. Most of the companies we talk to today have something in a container or have a plan to go to a container. And with COVID and digital transformation, it really has accelerated the move to the cloud and containers. So you can see the use of Kubernetes in production massively up since 2018. And obviously, we can see just the level of use that Docker gets. So as companies begin their digital transformation, as I said before, a security transformation has to take place at the same time, and CrowdStrike is a perfect vendor. So we think about CrowdStrike as a cloud protection leader. You can just see the stats in terms of the sheer volume of data we handle. And we handle this amount of data because as a cloud-native company, we were born in the cloud, we deliver our technology for the cloud, and it's the perfect solution to protect cloud environments, whether they're virtual or containerized. And on a weekly basis, we handle 4 trillion high-fidelity signals per week. We've got 14 petabytes of data, protect over 1 billion containers. These are ephemeral containers that go up and down on a daily basis. We've seen a 14x growth in protection for containers since March of 2020. And greater than 20% of all the servers we protect across our entire fleet of customers are in the public cloud. So as a company that basically grew up in the cloud, we believe we are in the best position to protect our customers. They're looking for a single pane of glass that can not only protect their on-premise servers and endpoints, but also all of their cloud workloads. And with this cloud environment, we also think there's a lot more complexity, probably 10x because customers don't control the infrastructure. So when we think about running in the public cloud, yes, it's a little bit easier, but we think the security is actually harder simply because you don't have all the instrumentation that you normally would have by being able to control the entire stack from the hardware, all the way up through the operating system. So what's the balancing act? Obviously, the leading companies have moved to a DevOps model which is focused on speed, agility, number of releases per day and continuous integration and continuous deployment. So what that means is that security needs to actually keep up with DevOps. So we've seen SecOps be created. And that's really groups of folks that are focused on visibility, security and compliance. And it's much more difficult in the cloud because, again, you don't have your traditional tools in place, you don't control the infrastructure. There's a little bit of a paradox because you want to be as fast as you can in getting all of your bills out, but at the same time, you have the security team wanting to slow things down a bit because they need visibility, security and compliance. And that friction leads to dissatisfaction. So the way we built our technology, it makes it seamless to deploy. It doesn't get in the way of the DevOps team and the Secure Ops team, actually gets the visibility and security that they're looking for. Let's go through cloud workloads and what we see being protected and not. And today, we believe cloud workloads are massively underprotected. When we show up to an organization, it's almost like many, many years ago, showing up to a company and AV wasn't installed, 25, 30 years ago. People were just trying to figure out what AV was and to get it -- and how they would get it deployed. And we see the same dynamic in the cloud. Most cloud workloads have no protection. And it really does represent a greenfield opportunity. So if you look at the numbers, I think that bears out what we see in the field. So the current cloud IT spend for IaaS and PaaS vendors, according to IDC, is $106 billion going to $217 billion in 2023. The cloud security spend is $1.2 billion going to $2 billion. And that just seems really low to us. If you just do the quick math, you've got 1.1% of the overall cloud IT spend on security, going to 0.9%. In the current environment, given all the sophisticated attacks, given all the regulation, to me, that makes no sense. It's insufficient security, it's insufficient in terms of investment. And we think it's underrepresented. So let's go through what we believe the real opportunity is. If you took those same numbers, $106 billion going to $217 billion, and you said most organizations should spend between 5% to 10%, according to IDC, Gartner as well, they're in that 5.7% range, if you just applied that to the overall cloud IT spend, you would get a cloud security opportunity of $6.1 billion going to $12.4 billion. We think that's more representative. I think most people in the audience would believe 1.1% going to 0.9% for cloud security is just not realistic. And it's going to have to be higher than that. So when you put that all together, where we are today and why we believe it's a 10x opportunity, current spend, $1.2 billion, we believe the real opportunity in 2023 is $12.4 billion. Again, 10x opportunity, underrepresented, and CrowdStrike is the perfect company to take advantage of this wide-open market. I'm going to turn this over to Mike Sentonas, who is our CTO. Mike, he worked extensively with me when I was at McAfee. He's one of the smartest guys I know, and he's going to talk you through more about what we've built, our technology, our philosophy, and where we are today and where we're going in the future. So Mike, take it away.

Thank you, George, and thank you all for joining us on the call today. When I joined CrowdStrike 4.5 years ago, one of the unique technologies that was really compelling to me was the CrowdStrike platform, built in the cloud, for the cloud, and of course, the problems then we could solve with that technology. I'm thrilled today to share the evolution of the technology to continue the vision for cloud security and to talk about the massive opportunity we have ahead. Let's first discuss some of the key challenges in cloud workload protection, and then we'll outline the approach we've taken to protect workloads as well as the capabilities around cloud security that we unveiled earlier today. There are specific requirements to effectively secure the cloud, and we'll tell you why we think we're uniquely positioned to win in this market. Firstly, it is necessary to understand DevOps before we talk about the potential friction and some of the challenges between DevOps and SecOps. DevOps is a combination of tools, practices, that together increase an organization's ability to deliver applications and services at high velocity. The key aim is to shorten the software development life cycle and to provide continuous delivery. In the past, to bring a new application to market, we would see operations build infrastructure. We would see the team start to code that would take an incredible amount of time to take something to an infrastructure to the team to allow you to build an application and take it to market. With DevOps, the entire process is automated, allowing apps to be developed and deployed at a rapid rate. The reality is that DevOps and security teams do often struggle to align. It's not to say that DevOps doesn't understand security, absolutely, they do, but it's this constant balancing act of ensuring services and apps are secure, but ensuring security does not get in the way. What we see in organizations is that DevOps and security teams often don't work together. Security gets left out of the equation, and we see applications and services in use that have very, too little security included. In many cases, we actually find, when we talk to end users, that security teams didn't know what cloud or container environments are in use, and this is ultimately where security incidents take place. This is where CrowdStrike can come in. When enabled by proper security solutions, like what CrowdStrike can deliver, that friction goes away. We avoid security becoming left out of the CI/CD pipeline. Security teams can begin to define security configurations that allow development teams to deploy continuously whilst meeting security and compliance needs. And this is critical for both teams. The new way of working means that DevOps teams can secure environments at every step in the CI/CD pipeline. Our security teams can comprehensively ensure security and compliance is carried through the entire development process. When talking about agile development and security, you'll hear the phrase "organizations should shift left." What this refers to is that you should integrate deployment and in this context, security, right from the start. They have SecOps environments to ensure that the velocity of new development isn't slowed down, and the quality of new developments is maintained at a high level whilst ensuring security is included in every step of the way. This is increasingly critical as cloud is more rapidly adopted, and it's critical to ensure that security is included from the get-go. When we start to talk about cloud-native technologies like containers that run in multi-cloud environments, that are build on DevOps principles, you can't use traditional security technologies. That's one of the core reasons as to why we see security left behind. You can't have agile technology, you can't have the ability to push out applications and services rapidly whilst using legacy technologies. You can't have one without the other. Traditional on-premise security tools and methodologies are ill-suited to protect cloud-native, developer-driven and infrastructure-agile and agnostic multi-cloud environments. They don't scale. They are very difficult to deploy. And the reality is, is that the Dev experience is very poor, and this is when we start to see Dev moving faster than security. What's commonly seen today is hosted versions of on-prem and legacy solution approaches. It's this halfway point that still requires additional infrastructure to be deployed; at a minimum, a different agent to the core functionality that's offered by a traditional security capability. And this adds complexity, both during deployment and also during management, when you try to operationalize the technology. The other challenge is when you have multiple solutions specific to environments and features, how do you know which one to use and how do you build this technology in a way that doesn't introduce additional friction to the environment? As mentioned, this doesn't work when you have agile development and when you're hunting for agent-specific to certain environments to try to download them, to try to deploy, to integrate multiple solutions into CI/CD pipelines. And again, the reality is that security will ultimately get left behind. If an organization doesn't put security first and doesn't have the ability to integrate, this is when operational complexity becomes the next problem that you'll deal with, especially in a time of need, which solution do you go to when you are coming under attack, and that's, again, when you see a lot of these issues and incidents start to happen. Cloud-native technologies need cloud-native solutions like what CrowdStrike supplies. This means cloud-native security requires a solution that has been designed in the cloud, for the cloud. A cloud-native architecture is needed that can deal with ephemeral workloads, the machines that are nonpersistent. Storing telemetry data at the endpoint and querying where needed does not work. It needs to be kept off-site and needs to be part of a graph-based architecture. You need scalability. What this means is you need to be able to deal with billions of workloads and trillions of events. You need to be able to scale up and scale down, but you don't have to be the one worrying about it, let the vendor deal with that, like what we offer at CrowdStrike. It means an extremely lightweight presence. Organizations don't want to pay for a vendor's workload and inefficiencies in technology design. This means a cloud-neutral approach, a truly multi-cloud support ecosystem. And finally, this means a unified view, not a view from multiple systems, not a view that requires you to integrate and then try to unify and try to get any workload from anywhere working. So let's take a deep dive into our approach. As mentioned previously, CrowdStrike Falcon was built in the cloud, for the cloud. We have and we protect one of the largest security clouds in the world. We run thousands of micro services across multiple hybrid clouds. And we correlate today over 4 trillion signals from workloads spread around the world every single week. That ultimately means we are processing petabytes of data that require best-in-class security. Our strategy for cloud security is to build and bring to market the best capabilities to provide protection at runtime, attack surface monitoring, reduction in risk exposure and a focus on the adversary. And I want to step through a couple of those and provide examples as to what this means. So firstly, protecting at runtime. Our solution today provides best-in-class runtime security protection for all workloads and all workload environments, including containers and protection of the underlying hosts powering the container environment, which is critical. We provide attack surface monitoring. So we monitor the attack surface and provide attack surface reduction, and that's a key element to improve security posture. We've got a number of capabilities to provide visibility and alerting into common misconfigurations. And we will continue to develop Falcon Spotlight, our vulnerability management features and technology, to further expand the attack surface reduction offerings. Reducing risk of exposure is critical, especially when we talk about cloud technology. Misconfigurations remain one of the biggest challenges with cloud environments. A key focus of our approach is to reduce risk of exposure, and this happens through cloud resource detail discovery and remediation, unified visibility across multi-cloud environments, misconfiguration management and remediation, through to a reduction in alert fatigue and improved SOC productivity. The last point that I'll make is a focus on the adversary. Everything that we do is underpinned by the industry's best threat-hunting team, OverWatch and our CrowdStrike intelligence team. But we're here today to talk about our new announcements. So let's get to it and go through a couple of those. This week, we announced the new Falcon Horizon module to protect multi-cloud environments. I'm incredibly thrilled to talk about this new offering that automates cloud security management across the application development life cycle for any cloud. This enables customers to securely deploy applications in the cloud with greater speed and efficiency. It provides visibility into your private, public, hybrid and multi-cloud environments. And enables security teams to proactively minimize threats and ensure continuous compliance and governance against organizational security policies. Doing so reduces complexity, it minimizes the impact of security incidents, and it accelerates business performance. So let me go through the key deliverables and benefits of the Falcon Horizon module. Now to be clear, the Falcon Horizon cloud security posture management capability automates security management across the application development life cycle, as mentioned, for any cloud, to allow you to securely deploy applications in the cloud with greater speed and efficiency as covered. So the technology provides visibility and control into all cloud environments, as mentioned, public, private, hybrid and multi-cloud environments; continuous discovery and visibility of cloud-native assets, providing context and insights into the overall security posture and the actions required to prevent potential security incidents; prevention of cloud misconfigurations, again, one of the biggest reasons why we see issues happening, and we provide that via real-time monitoring of cloud resources to detect and to provide guided remediation for misconfigurations and vulnerabilities before they impact the business; we provide continuous monitoring for anomalies and suspicious activity across all cloud infrastructure, and we correlate these insights with misconfigurations to accelerate response and optimize business performance; and finally, I talked about this earlier, a reduction in alert fatigue with targeted threat prevention, the solution integrates with same solutions, enabling security teams to gain visibility, allowing them to prioritize threats, reduce alert fatigue by eliminating noise, enabling them to take immediate action. So if I summarize the unique value and what makes us unique, we provide unified visibility across all workloads. We provide the ability to perform forensics and threat-hunting on ephemeral workloads. You can see and investigate attacks that span multiple workload types and locations. We provide a true managed threat-hunting capability in the cloud. We have integrated threat intelligence as part of this capability. And we provide a single lightweight agent that is incredibly well-suited for cloud workloads. I've talked about this a number of times. This is a really important point to keep making, the CrowdStrike Falcon platform being built in the cloud, for the cloud. Our customers benefit from runtime security, from workload security, cloud security posture management, cloud threat-hunting and forensics. And to further eliminate blind spots and maintain compliance, we offer specialist services for the cloud, built on the capability that we've created inside CrowdStrike for many years now. We took the approach of providing cloud security using a single agent deployed on the host server, the worker node in container pilots that executes any number of containers as well as on the master nodes that coordinate the cluster. This effectively means that runtime security is enabled and enforced at scale in production, and it's a core requirement. It's a core ingredient of any container security solution. There's a lot of benefits to this approach. We secure the host and all containers executing on the host via a single agent, the same agent we use for traditional workloads as well as cloud workloads. It means that there's no deployment necessary per container, which reduces the complexity, reduces the footprint size and the performance overhead, again, critical in cloud. It makes for frictionless deployment. Our security teams gain visibility into container environments without requiring cloud teams to adopt additional technologies and to deploy them and try to manage across multiple technologies. We think of this as container security at DevOps scale, which is critically important. The Falcon technology provides full visibility into containers, to contain the runtime versions, spin-up and spin-down activity. We provide information about container images and registries used and so on due to the rich visibility, which is consolidated and correlated in the Threat Graph. We provide easy-to-view dashboards, showing all of this information that's being collected, registry information, container runtimes used. We provide the ability to search containers by container ID, search containers by host, find detailed container image information, understand container configuration and common misconfigurations, as mentioned previously. Customers can take action on all of that information. That's critically important to provide that capability, so people can do network containment. They can do that right from the alert or detection. It's a unified workflow built into the platform. They can blacklist the container image in their container registry based on the container image that's been identified or through the alerts and the tools that we provide. One of the things that I really want to highlight is the Threat Graph, the fact that we track the signals and the banner data, the activity for each container instance. And we don't lose any of that fidelity or applicability, including in ephemeral workloads, environments that spin up and spin down within minutes and then are destroyed. We track all of the environments. We store all of this telemetry in a persistent manner. We make it searchable, irrespective of whether the container instance is long-running or it's been spun up and spun down and destroyed, sometimes within seconds. So we uniquely track information and activity happening in the environment. And we track all of this information all throughout any iteration that, that environment may have. So it means that together with the customer, we have the ability to hunt and provide forensic capabilities for these environments. And finally, CrowdStrike also provides a cloud security assessment service to help customers quickly perform a comprehensive security analysis of their cloud environment. We bring the power of the Falcon Horizon module and the expertise of our consultants to help identify misconfiguration issues and provide detailed guidance on the best methods to mitigate and resolve these issues. The benefits of that assessment module include thorough analysis of individual cloud-based systems and the assessment of your entire environment to determine the full scope of potential attack. It provides a comprehensive analysis of internal and external components of all of your hosted infrastructure. We provide identification of potential issues, and we'll provide detailed guidance and specific recommendations to improve your overall cloud security posture to help prevent, detect and rapidly recover from breaches. I'm incredibly excited about bringing Preempt Security, the acquisition we just closed, and the huge benefit that Preempt technologies bring into this ecosystem and architecture. I talked about this earlier. Misconfiguration is a huge issue. We have the huge opportunity ahead of us to bring identity and workload security on-premise and importantly, to bring identity to the cloud to ensure that when any user tries to access a new application and new service, we can ensure they are approved and we can unify identity and workload security and bring this capability into the cloud security architecture that we now have and I've just taken you through. And no one else has what we have. I'm incredibly excited about the opportunity to be able to do this on-premise, in the cloud and across all environments. George shared with you a TAM view of the massive opportunity cloud workloads present. I would like to supplement that with a few anecdotal case studies to illustrate what a cloud customer looks like and what the opportunity ultimately means. I'll go through a retail company, a web content company and a SaaS company. They're all a little bit different. The retail company. We've got an example of a company that we work with, a large employee base with around 75,000 employees, which means a large traditional footprint. However, they also operate a large and very ephemeral cloud footprint, with around 2/3 of their environment being ephemeral, which we're defining here as cloud workloads that are up for less than 10 hours. A company like this may launch a product and see a surge in website traffic and purchasing activity that normalizes quickly after a few hours or days. Similarly, they could need to scale up for major shopping holidays, and these ephemeral workloads can be up for a very short period of time. They will scale up and scale down as needed. Previously, this customer was using a competitor's AV product to meet PCI Compliance, but this was frustrating for the DevOps teams as a build would take an hour or more. As a result, it was that legacy approach to security for the cloud, and security, effectively, was removed. So they were taking applications and services to market, in many cases, without any security technology. In contrast, a build with CrowdStrike and the CrowdStrike agent takes simply a few minutes without the complexity and with the back-end architecture coming along with that. We're protecting about 10% of the cloud workloads today compared to 100% of the traditional endpoints, which gives us a ratio of less than one cloud workload per endpoint, but it also means an incredibly large expansion opportunity, particularly as we hear demand from customers around offerings like Falcon Horizon. Because of that large footprint, just expanding into 10% of their cloud workloads, it represents an approximate 50% expansion of ARR on the account compared to if we just protected their traditional endpoints. If we are to expand to 100% of their workloads, we're talking about a cloud opportunity that could be as high as 10x what we're seeing today in the account. I'll pivot now to a web content company. Slightly different. In this example here, smaller employee base, but a very large cloud footprint that we're covering 100% of. In this case, approximately 4x the size of their traditional endpoint deployment and a similar uplift in ARR compared to if we were just protecting their traditional endpoints. Similar to the retail company, this organization sees a lot of peaks and valleys in website traffic and purchases. So they stay very ephemeral. Regardless of whether the workload is spun up for a minute or for an hour, this customer finds the visibility that CrowdStrike provides unmatched and extremely valuable for their organization. In fact, they do not spin up any workload that does not have CrowdStrike deployed, providing security and visibility into their environment. Now let me talk about the SaaS company. When looking at a SaaS company, you'll see a very different set of dynamics. As we know with SaaS, you often have a lot of automation and leverage in the platform. Employee count can be relatively small compared to the size of their customer base that they're serving. This leads to a company with a relatively small number of traditional endpoints but a huge cloud footprint, as you can see in the 36:1 ratio. The difference that, while they may be growing the size of the overall cloud environment to meet their needs, the cloud instances themselves are long-lived and working constantly. It's not economical, in their case, to be spinning environments up and down constantly. In this example here, you can see the cloud ARR opportunity could be significantly above that of the traditional endpoints. So what do these examples tell you? The expansion opportunity presented by cloud is apparent, but it varies quite a lot by industry size and application. There are big cloud footprints out there that remain unprotected, and we largely see this as a significantly greenfield opportunity. Customers don't want to pay for the security vendor's workloads. Performance and scalability are key as environments can be highly ephemeral, which I've talked about. This is why traditional security tools and cloud retrofit approaches to cloud security do not work and are at odds with DevOps teams, and we see security being left behind. The same attributes that have made CrowdStrike successful in traditional endpoint security and workload security position us well to unify DevOps and SecOps into DevSecOps, to fortify customers, cloud security posture and to stop breaches. Let me summarize the key takeaways. CrowdStrike operates one of the world's largest security clouds. When we started building the security cloud, there were little to no security solutions available. We've built to protect our cloud, and we are now bringing battle-tested and cloud-scale security solutions to our customers. Building cloud security for the past decade, this is a huge advantage over other security companies. Cloud security represents unique challenges that we are in a unique position to solve, and we have real-world experience protecting cloud workloads. The opportunity is tangible. It's extremely large and growing exponentially. Back to you, George, for the final wrap-up.

All right. Thanks, Mike. I think it was a fantastic presentation, and we'll get wrapped up here. So just to summarize, cloud security does represent a unique challenge, and CrowdStrike is in a unique position to solve it. We've got the real-world experience and the technology. We've been doing this for many years, to be able to protect these workloads, and we do it for many, many customers around the globe. And when we think about our 10x opportunity, what I want to leave you with is we believe that for every endpoint within an organization, there's at least 10x the cloud workloads that need to be protected. That's today and into the future. We also believe that there's a lot more complexity in the environment when you talk about securing cloud workloads, right? This isn't traditional infrastructure that many companies are familiar with, right? There's a lot of policies, and there's a lot of infrastructure they don't control. So they have to go about it in a different way to actually solve it, which is one of the reasons why we've launched Falcon Horizon. And the last point here is really on the opportunity. If you look at the current market opportunity, $1.2 billion, again, we believe that's underrepresented. We believe that's going to go to at least $12 billion, 10x because it's a greenfield opportunity and the current investment is so low in terms of overall spend. So with that, let's take some questions, and we can go into more detail about our technology, about our success in this area or about our philosophy on where we are today and where we're going in the future.

Thank you, George. Let's get into some Q&A. As a reminder, we will not be providing any financial updates today. Please keep that in mind when asking your questions. [Operator Instructions] Our first question will be from Sterling Auty of JPMorgan, followed by Saket Kalia with Barclays.

Just wondering, when you look at your customer base, is there any sense, and it might be tough, but what portion of your customer base do you think Horizon and even Forensics would be applicable? So what kind of penetration do you think these new solutions can get within your existing customer base?

Yes. I'll start, and Mike, feel free to jump in. I think when you look at those 2 areas, there really aren't many customers that don't have something in the cloud. You could be a small SMB and maybe you don't have a bunch of cloud workloads. But when you look at enterprise and mid-sized companies, they all have a presence somewhere in the cloud. So we think it's a fantastic opportunity as they continue to move their infrastructure off. Even small companies, they don't have IT teams anymore. They just basically put their service in the cloud, they do all their backups and things of that nature. So I think through something like an AWS Marketplace, it's a perfect opportunity even in a smaller company. When we think about Forensics, this has been something that has been asked for, for a long time. And for many years, we actually have built our own technology. We've used it in other parts of our business. And we've now commercialized that. So this is not something that we just came up with overnight and are -- what really came out of customers every time we use it, they said, "Hey, that's better than anything we've ever seen. When can we get it in Falcon?" So we're here now. And I think, in terms of that market segment, it can go all the way down to a small SMB, particularly when you combine it with some of the managed offerings we have, right? If it's a Falcon Complete, it's not a problem. We can do the Forensics for them using that technology. They can use it. They can log in. So I think it's technology that's applicable across the board, and we're really excited about both of those modules.

Great. Our next question is from Saket Kalia with Barclays. [Technical Difficulty]

I think we lost Saket.

Looks that way. Right. Well, our next question will be from Alex Henderson with Needham until we get Saket. It looks like Saket's back. You have to unmute your line, Saket.

Okay. Sorry, can you hear me now?

Yes.

Okay. Sorry about that. Sorry about that. George, maybe for you. You mentioned that the cloud security market kind of reminds you of the AV market 25-plus years ago. And clearly, there were -- there was a catalyst or a series of catalysts that drove that adoption to probably near 100%. The question for you is, having seen that, what are going to be those catalysts now that are going to drive increased penetration of this cloud security spending market, which is clearly higher than what Gartner and IDC kind of predict? Does it make sense?

Yes, it does. It's a good question. I think there's a supply and demand. So when you look many years ago, look, I remember downloading McAfee from bulletin boards. It was freeware, and you would get your signature updates and things of that nature, right? And that's sort of how people started using AV. And the supply became available as it became commercialized. And then the demand is there because of all the viruses that had come out 30 years ago. People were getting crushed with Michelangelo and things of that nature. So when you look at today's environment, the technologies haven't been there. I mean we're lucky in a position that our technology has been able to work across multiple clouds on-prem, off-prem. Obviously, we've added capabilities since we started the company. And I think that's been a big barrier to companies deploying it. In fact, I've talked to company CIOs where they said, "Hey, look, we want to go to the cloud in a digital transformation, but we were held back because we had no way to check the compliance box on security." So I think you have a compliance need from a cloud perspective, you have technologies like ours that are available, and the threats are ever increasing in the cloud environment. And when we talk about Falcon Horizon, a lot of the breaches that you've seen are just misconfigurations. So those need to be addressed. So I think we're still in the early innings, but if you can actually have technology that works at scale that doesn't impact the performance like ours does, you're going to have a lot of adoption.

Next question is from Alex Henderson of Needham, and that will be followed by a question from Brian Essex at Goldman Sachs.

George, and I appreciate how much you've helped me move down the learning curve on this technology. You guys were more than generous with your time on it. It seems pretty clear to me that the adoption of Kubernetes is a key piece of this puzzle. It's our understanding that roughly 15% of workloads were new workloads, were going out as Kubernetes in 2019. And we would be interested in what your estimate of what that would look like out 3 to 5 years. I'm hearing numbers as much as 50%. And in an environment where there's 1 billion applications and according to IDC, growing in 40% clip, that's an enormous growth rate. And so does that tapping into this 10x-size market with that 100%-type growth rate result in an ability to sustain your current growth rate? Is that how we should be thinking about this? Because that's an enormous opportunity. And then the second piece of it is I get that your position in runtime is really powerful. But it seems like that position is unique in the sense that you're the only company that I'm aware of that's really doing that at the kernel level on the server. Can you expand those projects beyond the AWS to some of the other key clouds so that you can get that kind of penetration across the multi-cloud?

Sure. I'll handle a few of them, then I'm going to turn it over to Mike. I mean I think, in general, when you look at how we operate at the kernel level and how we're able to protect all these containers at scale without getting in the way of the DevOps team, I think it's very effective. And that will work across really almost any cloud provider. So the overall -- and one of your big questions is in terms of growth rates and opportunity, I'll focus on opportunity, not growth rates. But I don't know of any modern sort of cloud projects that aren't containerized, right? So that's really where the world is going. And even our -- second generation of our cloud was all containerized. So I think it does bode well for us, as we said before, one of our other calls in here, we protect 1 billion ephemeral cloud containers on a daily basis, and that's only going to continue to grow. So I don't know, Mike, if you had some thoughts on Kubernetes and just our place in how we operate, just quickly.

Yes, sure. Hey, Alex. Yes. Look, I think we're certainly seeing that growth in Kubernetes as well. All the customers that we speak to are really aggressively going down that path. So -- and we expect that to continue. What I would say to your question is we look at the environment, I guess, we break it down into 2 ways. We look at runtime security and also the attack surface reduction. We focused on runtime security because ultimately, that's where we're starting to see the activity. So where we see attacks target, living off the land techniques, when they use admin tools, and it's not so much the vulnerabilities, for example, in the container images. So that's where we're focused. But our -- what we're announcing today is a coverage across both runtime and reducing that attack surface because we are starting to see the demand move across. We're uniquely placed to be able to look at that CI/CD pipeline, starting to think about how we can integrate there and provide coverage across both areas.

Just to follow on that, and then we can go to our next question. I would say we're probably a little like Google, in that we've built a lot of these things already. So when we're coming out with products like Forensics or we're coming out with our Horizon product, we built it our own tech -- for our own cloud, right? So now we've basically packaged it up for our customers. We'll make it easy to use. But we have many years of actually using this technology in-house.

Our next question is from Brian Essex of Goldman Sachs. Brian, unmute yourself, yes, thank you.

Yes. Are we good?

Yes.

Great. Great. I just wanted to follow up to the last question and just kind of if we can differentiate between runtime and test and development, how much of an opportunity do you see potentially going into the test and development versus runtime? It seems like you're kind of very focused on the latter. I just want to kind of clarify how you think about that.

Well, we look at runtime. A lot of the runtime is either in the configuration or it's in vulnerability. So as an example, on your runtime build, do you have a bunch of old libraries, you have vulnerabilities in the open source code. And I think Spotlight is the perfect technology to be able to look at those sort of runtime configurations as well as vulnerabilities. So I do think we have a great future opportunity there. But in terms of runtime, with people, it's runtime and visibility, right? People want to understand is there an issue in my container. And because the containers are ephemeral, they actually want to be able to track what happened there. And it's very difficult to do that in other technologies, and when you combine our Insight with our AV technology and anti-malware technology, we give you good visibility on what happened. Even when the container is destroyed, we can tell you exactly what happened in it and we can give you the protection. So we thought that was the best place to start, and there are plenty of other opportunities in the areas that you talked about and we've got technologies in those areas already.

Thank you, Brian. Our next question is from Gregg Moskowitz of Mizuho. Gregg, upon entry, please unmute your line.

The cloud workload TAM analysis was very interesting. But the reality today, George, is that customers are spending about 6x less on cloud security today than you think they should. So from a go-to-market standpoint, how is CrowdStrike going to educate customers about the importance of securing cloud workloads? And more importantly, how long do you think it takes before this gap starts to significantly close?

Yes. It's a good question, and there's only so much education we can do. I think the market continues to get educated. I think the compliance drivers, if you look at the financial services as an example, they can't put anything up without some level of protection. So I think you're going to have a natural kind of pull just with compliance and the fact that people are going through digital transformation. Somebody's got to check the box on compliance. I think then working with any of the number of marketplaces that we work with on the cloud side is a good way to help educate people, right? "Hey, I want to spin up a container, what am I going to use? Well, CrowdStrike is sitting right there in AWS Marketplace. Fantastic. I can put it in, I can get exposed to it, and we can do our education there." And I think that's probably the most scalable way to do it. But just like cloud, when I started the company in 2011, nobody was doing endpoint-delivered cloud security, where cloud security delivered at the endpoint. So the idea for us is to look for the market to actually move in our direction. And we've always been a little bit early, but it's always worked out to our advantage.

Our next question will be from Andrew Nowinski with D.A. Davidson, followed by Fatima Boolani of UBS.

Just one question on the cloud spend. So I know you said the opportunity is about 10x the size of endpoint spend in terms of the opportunity. I'm wondering, based on some of your existing customers, I would imagine you have customers where you are protecting both cloud workloads and endpoints. Can you give us an idea on the revenue ratio of cloud spend versus endpoint spend at your existing customers now? And then as a follow-up to that, I was just wondering, you said in the past, when you introduce new modules, they're high, typically high margin because it's a software introduction. Is it fair to expect margin expansion going forward given you introduced about 3 new modules today?

Yes. So let me try to hit that. So just to kind of clarify what we talked about in the example is a 10x of the existing cloud security spend. Right? So when you look at what we see as a security spend, we think it's just underrepresented, just with the simple math and it should be 10x that. So that's different than the ratio of endpoint revenue to cloud. What we do see, and we're trying to put some sizing on this, is that for every endpoint, we see about 10 cloud workloads. That's just pure numbers. In terms of our opportunity there, we think it's because they're servers, we do think there is a great opportunity. Now ephemeral workloads come and go. You can't always build them at the same rate. But from the standpoint of our ability to actually capture that in the future in meaningful revenue trends, I think it's absolutely there. We're seeing it now. So I do believe it represents a huge opportunity for us going forward. In terms of the margin, obviously, whenever we come out with a new module, I would say, for the most part, it does represent new margin opportunity for us. And we would certainly see that with the modules that we introduced today. We've already basically collected the data. We know it's there. So when we add a new module, most modules are pure margin on top of it because we're just pulling the data right out of Threat Graph, and we created a workflow route.

Our next question is from Fatima Boolani of UBS, followed by Erik Suppiger of JMP.

A question on Horizon and a question on Spotlight. I look at that product with some love because we didn't get a chance to really talk about that too much. But just with Horizon, I appreciate this makes your cloud security pillar more fulsome. But can you help drill into some of the technical differentiation and maybe some of the engineering nuances between your approach to CSPM and how some of your peers in the vulnerability management arena, in the network security arena and even web security arena, are tackling this problem? And then a follow-up on Spotlight.

Sure. I think, Mike, that's a great question for you.

Yes. Absolutely. So thanks for the question, Fatima. Look, it's part of, as I mentioned in the session, it's part of that overall strategy of leveraging the traditional technology that we have and extending that capability to allow us to cover these additional areas. As mentioned, one of the big challenges that we see today is the fact that Dev is running a lot faster than security, and a lot of the technology gets left behind. Part of that is because we're using a lot of -- a lot of the vendors use traditional approaches to security. They're not multi-cloud. And it's just cumbersome. So if I think of our unique value proposition, it's visibility first. It's looking at our indicators of attack and looking at indicators of misconfiguration. It's having the ability to be multi-cloud, doing artificial intelligence off that Threat Graph, covering the traditional cloud infrastructure as well as newer containers and ephemeral workloads, where we can start to do things like threat-hunting and leverage those IOAs and IOMs even after these environments have spun down. But it's also being able to do that security load across on-prem, hybrid, in the cloud and multi-cloud environments. So I think we're extremely well-placed, as we've mentioned, to cover all environments.

Fair enough. And just on Spotlight, with some of the enhancements and the increased breadth of operating system support that you guys announced during the conference, I get the sense there's more of an emphasis on cornering vulnerability-based exploits. And so at a high level, how should this change the technical in marketplace and even mindshare aspirations that you have within the vulnerability management arena against some of the more traditionally -- traditional household names in that space?

Well, I'm sure George will have comments there, being a topic that's near and dear to his heart, but this is an area that, obviously, we want to continue to focus on. It's part of being able to understand every workload that's in an environment, being able to defend against anyone trying to exploit it. And part of that is hygiene, and part of that is vulnerability management. It's understanding across all of those workloads, and that's part of the strategy that we have, to make sure that over time, we are able to give our customers the ability to see where they're vulnerable, to allow them to isolate machines, to allow them through our store partners, to roll out patches. But most importantly, if somebody does try to attack these environments, that we can provide prevention very, very quickly and ensure that an organization isn't breached. So it's a key part of that strategy, especially as we start to think about the cloud, and we've talked about CI/CD and being able to move further to the left in that pipeline. Spotlight again becomes a critical component in this architecture.

Yes. And just to follow on that, I think there's an easy way to look at this, and that is real-time versus scanning. And what we find with existing cloud VM products or endpoint products that are delivered from the cloud, from the VM folks, is that just scanning. They're just looking for things and it takes forever, and it kills the performance of the machine, that just about all the customers that we talk to that have those legacy VM agent technologies, you want to get rid of it because it just destroys the machine. So again, it's really hard to build what we've built at scale to work in real-time. And because we're pulling all the data off the Threat Graph, we don't have to really impact the performance of the cloud. It becomes a big data exercise. So that's a huge differentiation -- differentiating factor between us and others. And then on the network side, we feel it's commoditized. I mean there will be plenty of network scanners that will find things out there. But the reality is, our customers see a lot of value in the workloads and the endpoints. You get that real-time vulnerability information.

Thank you, Fatima. Our next question is from Erik Suppiger of JPMorgan -- sorry, of JMP, and that will be followed by Gray Powell of BTIG.

I would be interested to know what the pricing dynamics are for securing containers and workloads in the cloud. If there's a 10x expansion of workloads versus on-premise, are each of those equivalent in terms of an opportunity for you? Or how should we think of the price per workload?

It's not necessarily one-to-one because you have so many ephemeral workloads. So you have to look at the size of the machine, the number of workloads that are running. And then you also have to look at some metered billing-type options, right? Because the way people run their containers, they want to be able to flex and be elastic. So it's not necessarily a one-to-one, but it does represent, I think, a large incremental opportunity just because they're not protected. So we would like to provide some more color on that, I think, in the future. But at this point, the way we roll out and the way we charge has been more server-based. We have introduced metered billing. And it's really coming out with flexible models of billing that meet our customer demand and also gives us the value that we believe the customers are getting because we're protecting so many ephemeral workloads per server.

So are you currently still evaluating the pricing strategy for containers?

Well, we have a pricing strategy, but again, a lot of it is server-based. And we're always looking to see what's the best way to price it because we don't necessarily price it on every container, we price it on every server, but every server is different. And we have some servers that run 142 cores and some that run like 2. So I think there is an opportunity to look at that. But I think, in general, where people are going is really into the metered billing-type model and how many containers are running, how long are they running, things of that nature. And that's, I think, a pretty emerging area for everyone. So it's matching up how customers want to use their containers, but also the way they want to pay for their security. I think there's more work to be done in that area.

Okay. Then just expanding on the last question. In on-premise, the vulnerability scanning can identify and scan devices that wouldn't have an endpoint agent. In the cloud, do you have that same dynamic? Or can CrowdStrike cover most of the devices that would be -- need vulnerability management in the cloud?

It's a good question. In general, if you have a device that's spun up and it's connected to your account, you kind of know what it is. And we integrate with things like CloudTrail from AWS, so we know what's there. So we have an inventory. So it's a lot easier for us to cover everything that's there because you're not running an IoT device as an example in the cloud. You kind of know what it is. Could there be some cases where you want to do external scanning? Sure. And people are still able to do that. But I think they're -- by and large, anything that comes up in the cloud, you would be able to cover with an agent-based VM-type technology.

Thank you, Erik. Our next question is from Gray Powell of BTIG, and that will be followed by a question from Shaul Eyal of Oppenheimer.

Can you guys hear me?

Go ahead.

Okay. Great. Yes. So I think the math that you did on the addressable market was pretty straightforward. I understand how you get to $12.4 billion. So I guess my question is, do you feel like you have the product set in place today to address that full market? Or is there something else that you guys need to introduce? And then I just had a quick follow-up.

Well, there's multiple pieces to it. So I think we have a pretty good start in terms of runtime, in terms of configuration. I think we talked a little bit about having visibility into some of the vulnerabilities in containers, our ability to block vulnerable containers before they get deployed, things of that nature. So it's ever evolving. Your -- it's really a journey, it's never a destination. But I think we've got a great suite of cloud technologies that can capture what people are looking for in terms of our customers. And Mike, if you have any other thoughts of areas of focus for us.

Yes. I was just going to add that we have a very rich road map in terms of additional capabilities that we want to focus on in this area. I think I'll go back to the comments that I made earlier around covering runtime protection and then attack surface reduction. Obviously, the runtime protection is our natural core, our sweet spot. And we want to keep building out into that attack surface reduction area, so security for the build pipeline, doing more vulnerability scans and conflict management. So we're certainly excited about where we are today, and we sit really well in terms of customer requirements. But as this area grows, we will continue to leverage that technology and keep building into that suite.

Okay. Great. And then just one quick follow-up. I think Fatima touched on this earlier, but how does Falcon Horizon -- how is that different from sort of the cloud posture management solutions from folks like Palo Alto's Prisma Cloud?

So I can take that one. I mean the first thing that I would say, there's obviously a lot of technologies being announced in this area. When you look into them, some are focused on public cloud, some are naturally leaning towards a certain -- they're stronger in Kubernetes or they're stronger in other areas. Some are really good with AWS, less so with Azure or GCP, as an example, when you dig in their road map items. If I go back to those comments that I made earlier, for us, it's about covering that multi-cloud, covering AI with the Threat Graph, having the ability to cover across runtime as well as the attack surface reduction. And the most important thing for me is making sure that we use it with the same infrastructure that we have for our traditional workloads. And a lot of customers are -- actually, Dev are pulling our technology into their process because we're helping them with fault-finding. We're helping them through the Dev process. So we're finding actually Dev teams wanting to add. And as I mentioned in my SaaS example, we got customers that won't publish any service without CrowdStrike, and that's because it's a lot easier to use.

Thank you, Gray. Our next question is from -- looks -- is from Shaul Eyal with Oppenheimer, but let's make sure he didn't drop off. I see him in -- on the queue. Thank you, Shaul, you're up.

George, thanks for the Security DevOps discussion and in the direction that CrowdStrike is taking towards this upcoming cycle time. Given that SecDevOp is addressing a different OEM, not your typical IT SecOp buyer, do you see CrowdStrike going deeper into the SecDevOp through partnerships with some of the emerging players in the space? Will it be more homegrown, maybe even an opportunity to look at it inorganically?

Well, there are different buyers, and I think that's part of your question, right? You have the security buyer. You have a DevOps manager. You have sort of the security architect/CTO. So you have to be able to target each one of those. And the way we're focused on going to market with them, I think, will be effective, right, some specialization in that area because it is a specialized element. So that's first. And in terms of our partnership-type strategy, like anything else, I mean, we don't do everything. What we do, we do really well. And we'll look to build-buy a partner. We have obviously the CrowdStrike Store, things that we've built. And I think Horizon is a great one. We looked at things like RedLock and Evident.io, which was part of the former question, and they just didn't meet our needs for what we wanted. So that's why we built our own. So -- and there's potential acquisitions down the road in the space. I mean there are a lot of companies that are focused on kind of solving small pieces of it. And for us, I think, having a one-platform strategy with things that are totally integrated has been our focus. So we'll just evaluate it, but I do think there's some great opportunities for us as we look to buy a partner in this area. And certainly, we've shown that we are more than capable of building.

Thank you, Shaul. And our last question is Walter Pritchard from Citi. Walter, you'll need to unmute your line.

Can you hear me okay?

Yes. Hey, Walter.

2 questions. One, just around -- I think you highlighted the math is pretty clear around the cloud opportunity. I guess the only pushback there may be that you do have substantial deployments already in the cloud market with Capital One, lots of big companies putting mission-critical workloads in there. Do you think, at this point, they're just -- they're sort of using bespoke security or other things just in this early stage of the market development? And do you expect the market to switch over? I'm just trying to get a sense as to why we're not maybe seeing more deployments as a percentage of the cloud spend, given the fairly robust volume of revenue in IaaS and PaaS? And then I just had a quick follow-up.

I think a lot of the players have used just traditional existing sort of networking, where you can create your own VPC and try to network things off because that's all that was there, right? So they're getting that from the IaaS, PaaS players, the hyperscalers. I think where we are now, again, it's a maturing market. It's still early innings, but it's a maturing market with us and others that are out there. And I think a lot of the players are looking real hard into what they can deploy. So if you think about just their viewpoint, right, assuming they can get by the compliance piece, it's been like we can't deploy stuff because we can't take existing technologies because they just break everything and they're not meant to work in that cloud environment. They impact performance. They don't really work. They're hard to manage. And when you give them an alternative, I think people start taking a hard look at it. So just as I said, it's like the early innings of AV, where I remember the days. I mean it's hard to believe. You probably remember it as well, Walter, where people didn't have AV on their computers, right? There were days like that. And you would look back today and say, how can that possibly be? And it's the same thing in the cloud. People just roll it out. They put some firewalls around it. I remember, Cisco routers were your firewall, right? And people called it good until they had something better, and we think we're that better.

And then just I know Burt's not here. We're not doing much on the financial side. But should we just think about disclosure here as being you're going to talk about percent of customers with certain number of modules and this is another module? Or given the 10x opportunity, do you expect to focus more on the sort of revenue as this product becomes more material?

Well, this -- it is another module. So certainly, as we've done before, we continue to talk about the attach rates for the number of models that we have, similar to what we've done. I certainly don't see that changing. And it's just another module. Again, our strategy is we've got the data in the Threat Graph. We create new modules and workflows around it, and then we monetize. All right. Maria, are we -- we're probably out of time or…

Yes. We're actually a little over, and so we should wrap up.

Okay. So I will wrap up here. Thanks for a fantastic session here. I hope you enjoyed the earlier keynotes. I think there's a lot that's exciting about what we announced today, again just execution on our strategy of creating new modules and taking advantage of the footprint we have. We haven't talked so much about Preempt, and we'll reserve that for a future meeting that I know Maria will help organize for us. But we're really excited about Zero Trust and what Preempt actually brings to the cloud. Identity is critical in cloud environments, not only accessing those resources, but also machine-to-machine identity, and we're really excited about that. So when you look at kind of the full picture, the threats continue to get worse. People are looking for cloud-based solutions in a work-from-anywhere environment and as they go through their digital transformation with the security transformation, and we certainly believe we're the right company to take advantage of that. So with that, I'll get it wrapped up. And I want to thank everyone. Stay safe, and we'll talk soon. Thank you.