CrowdStrike Holdings, Inc. (CRWD) Earnings Call Transcript & Summary

Good afternoon, everyone. Before we get started, if you are a member of the press or media, please disconnect at this time. This is a restricted line. Any unauthorized party in this meeting or any unauthorized use of the information communicated in this meeting is subject to prosecution to the fullest extent of the law. Any unauthorized person, including the media that is on the line at this time, please disconnect. Please note, today's call is being recorded.

Good afternoon, everyone. Thank you for joining us at the last fireside chat of the 5th Annual Wells Fargo TMT Summit. So my name is Andy Nowinski, and I'm a software analyst here at Wells Fargo. It's my pleasure to close out this TMT Summit by hosting a chat with Burt Podbere, the CFO of CrowdStrike; and Mike Sentonas, the CTO. So before we get started, if anyone has any questions for Burt or Mike, please don't hesitate to e-mail them to me at [email protected], and I'll certainly weave them into the discussion. With that, let's get started. So Burt, thank you for joining us today. We saved the best for last. Probably been looking forward to this, and it's great to see you.

Great to see, and we're happy to be here.

All right. Let's start by taking a look at the results from last night, the Q3 results. It looks like it's still raining deals at CrowdStrike, but now they're $1 million deals.

Yes. Really excited about the quarter that we were able to post. I think it goes to the fact that we were able to execute across the board. We had excellent coverage through the SMB market all the way up to the enterprise market, and we were excited to see continued great execution by the team.

That's great. I wanted to touch on the CISA win that you announced last night. That seemed really important, and that has to be one of the most security-savvy customers you've ever had a sell to that probably evaluated every solution in the market. So maybe if you could just talk about maybe how long that sales cycle was and what you had to do to demonstrate the effectiveness of the CrowdStrike solution to them.

Yes. No. Great, you're correct. The CISA win was a really important win for us. It was a really big deal for us, one of our biggest deals that we've ever consummated. And we like to say that it was the fastest overnight deal that took 10 years. So whenever you're working with the government, it's never lickety-split. They do a really thorough job in looking at, not only us, but all the other folks that we're trying to compete for that business. And so they turned us upside down and sideways to go figure out if we were the right ones for them. And it turned out we were. So we're really excited about that. It was extremely competitive. Everybody was there. I think, though, that when you take a look at the executive order that came out from the White House, you could see that CrowdStrike Falcon was tailor-made for that executive order. And it's not by chance, right? Our efficacy, the way that the product works, how easy it is to deploy, how easy it is to use, all those things matter. And at the end of the day, this is just the beginning. And so yes, it was a very important win for us from a standpoint of just the deal size itself. But more importantly, I think it's the -- opening the door to many more deals to come.

That's a good -- that's maybe a good follow-up. I thought you already had a pretty sizable presence with the U.S. federal government. Do you think any of those other prior wins with other agencies may have influenced this deal? Or is this just the start of your foray into the Fed?

Yes. No. So we have had other agency wins prior to this. This is our biggest one. We've had a lot of traction in SLED and that's been something that we've been really proud of. In terms of Fed itself, it's early innings for us. It takes time. There's a lot of certifications to go through. We're certified to IL3. We've got IL4 already submitted to the government, and we're already working on the next levels of certification. So it's a long process. But now that we've got our inroad with CISA and they were instrumental in terms of how they thought about our tech and also the people involved from the top of the house in CISA to the top of the house here and Mike and myself, that all matters. And so we're pleased to say that we've got great relationships with CISA and we look forward to doing more business with them. And as I said, it's just the beginning. And as you know, that when you're in the government, especially the federal government, that's an annuity. And the good news for that initial deal is that, that was only in some of the core -- some of our core modules. And so we have an opportunity to sell more into those agencies that were the first step. And then we have obviously all the other agencies that we can go after.

Yes, that's right. I would hope the other agencies don't recreate the wheel and try to go down all the same evaluation that the CISA did. If they can leverage that work that's already been done, hopefully, that gives you another path to more agencies.

Absolutely. And that's the idea, right? Get everybody comfortable at CISA. The agencies that have us obviously continue to delight them, make sure that everything is well taken care of. And we're really good at that. So I have no doubt that it's going to lead to more deals for us.

That's great. Why don't we talk about just at a high level, I think ransomware attacks alone, which seems to be your sweet spot for defending against and stopping, they're up like 10x over last year at this point. Why do you think we're seeing such a significant increase in specifically in ransomware attacks relative to maybe other types of attacks?

Yes. So I'm going to take the first part of this and then turn it over to Mike who's really got his ear to the ground. But from a high level, it's been a very challenging threat environment. The threat actors are more sophisticated. There are more of them. And the reason that's the case is that it's profitable and it's easy. You've got ransomware as a service. Anyone can have it. It can be flighted with dashboards. It's a line item for organized crime. I mean it goes on and on. And I think that some of these high-profile breaches that we've seen, they drive the conversation at the Board and CIO level. I mean companies are definitely rethinking their approach to security. The old ways just simply aren't good enough. They don't work. They need another solution, and that's where we come in. I think it's not certainly a security problem. This is a business resiliency problem. And we are winning customers at a rapid pace because I think the threat landscape proves that the alternative solutions to us are not working. And to be fair, our tech is the best way to fight today's adversary. But it's a good segue for Mike to kind of give his view on it.

Yes. The only thing I'd add to this is that's concerning is the amount of ransom that people are paying, especially in the U.S., is going up year-on-year. It's gone up quite dramatically. And the amount of extortion requests that come following a ransomware incident is also going up. And those are stats that are never good, obviously. And it's something that we talk a lot about because people need to be aware that the traditional approaches to dealing with security are not working, especially in the ransomware environment. And to Burt's comment, we've proven time and time again, we have the best platform to be able to help people. And it's important that people understand that these issues are only getting worse. The amount, as I said, people are paying up is getting larger, and they need to do something about it.

That's very helpful. I suppose if we look at the number of attacks, I mean, there really isn't any sort of repercussions to waging one of these ransomware attacks, whether it's either successful or they don't get paid, but there's no downside to do it. So it seems like there's no reason for these attacks not to continue escalating into 2022, driving your business, unless, of course, everyone deploys CrowdStrike and shuts down ransomware. But is there anything else that would potentially -- any reason that would slow down ransomware attacks next year?

I think Burt said it perfectly, there's so much money being made today that it's just fueling the growth, and we certainly don't see any slowdown there. The other thing that you got to remember is the attacks come from all over the globe. They come from areas where it's going to be hard to have any repercussions. But that said, there are several laws under consideration in the U.S. and in other countries abroad. The idea there is to strengthen government insights into cyber incidents to make it a little bit harder to look at supply chain attacks, to look at ransomware. The growth is obviously driving a lot of these initiatives. But at the end of the day, I would say the organizations -- you own the risk, and it's up to you to make sure that your organization is protected, not waiting for a policy change because I'm not sure that's going to drive a massive difference, certainly not in the short term.

That makes sense. Why don't we kind of shift gears now. Let's talk about the portfolio, the product portfolio. I think when you IPO-ed, you started with about maybe 8 software modules. And over the course of the last 3-plus years, you've increased that to about 21 modules now covering many different market segments. I guess how is the evolution of your platform changed your win rates against the competition?

I'll let Mike take the lion's share of that question. I think that we -- I think at the end of the day, I think big picture for everybody on the call is that we actually have real modules that work. Let's start there. And then after that, the rest takes care of itself, and you can see by things like the quarter we just posted. But let me turn it over to Mike in terms of the win rates and why we are winning specifically.

Yes. Thanks, Burt. And just to echo Burt's comments, they are, as you said, real modules. That means we -- our firewall management module is a module hygiene, which we call discovery as a module, our vulnerability management as a module. And we kind of call that out because there's a lot of talk where people talk about modules using the sort of the terminology that we use. But support is not a module or documentation is not a module. You got to be a little bit careful when you dig into those numbers. But our strategy has been to continue to build on the platform to collect data once and reuse many of the cloud platform and architecture that we have allows us to rapidly innovate and to build new capabilities. And as you pointed out, Andrew, we kind of moved from having less than 10 now to over 20, and we will continue to grow there. And that's the benefit that you see in the platform. I mean customers have the ability to start with EDR or to start with next-gen AV, to add hygiene, to add identity, to manage the firewall and the endpoint, to start to think about forensics. And as we start to build -- continue to build out the capability, our customers have the ability to just turn on a trial. They have the ability to say, okay, this solves a massive problem. I'm just going to keep it. It's a license change. There's no requirement to roll out a new agent or a new management console. So it drives stickiness. Customers love the ability that it doesn't add complexity. If you have a look at the size of our agent, it hasn't really changed dramatically over the years as we've built out modules. And I think that's unique. You've got the basic physics. If you get a customer, an organization that wants to roll out to 300,000 machines, they can't do that if the product is several gig in size. If they're under attack and they need to rapidly respond, they can't do that, again, if you have complex architecture. So that's been really key of what we've done from day 1, and we continue to hold to that. That's part of our design strategy.

Okay. Great. I want to just -- before we dive into products as well, I kind of want to talk about maybe a terminology discussion that comes up a lot in our community. And I don't know if it necessarily matters in the real world, EDR and XDR. Your company started really as an EDR platform. You've migrated now to this XDR platform. I know XDR is essentially just an extension of EDR doing more, but does it really matter to customers whether -- I mean do they come to you because it's an XDR platform? Or do they come to you because you stop breaches? I'd love to know the importance of XDR, what that means and why we should care about it.

Yes. Look, I think if you ask 5 different people to give you a definition of XDR, you're going to get 5 radically different answers. And it's a term that gets thrown around in the industry massively today. You've got network vendors that say we're XDR, and you get the traditional legacy players that say we've got the biggest phone book, deep list of SKUs, so we're XDR. And then you have the same vendors saying we're XDR. People come to us because they want an outcome. They don't come because they want to have a data sheet that's been found and replaced that says EDR and now it says XDR. We've been recognized for having XDR capabilities without actually referencing XDR anywhere on the website. The agent that I talked about that we have, we've been pulling network telemetry off the wire through the endpoint for years now. We bring in identity data, hygiene data, vulnerability data. We're bringing cloud configuration data and more. So by definition, people call us XDR, and we call that CrowdStrike Falcon. More recently, we have talked about Falcon XDR, which is going to be another module. This is where we have the ability to bring in third-party data. And what's unique about our strategy is we're quite unique in that we're talking about having some schematized data from third-party vendors. And basically, what that means is the capabilities that people come to for CrowdStrike or from CrowdStrike, the benefit they get from our AI models, the efficacy rates, the indicators of attack, the way that we do threat hunting, those core fundamental capabilities will extend beyond just CrowdStrike and to third-party vendors. That's XDR. So I would kind of make sure, and I always talk about this a lot in the industry, you've got to look into that. When people talk about XDR, what is it? Did you do the find and replace in your data sheet? Or are you actually doing something fundamentally different?

And you have that capability to ingest the schematized data from third parties right now? Or is that something that's coming?

That's what we've announced that we're working on at our last Falcon event just recently. But like I said, we're being recognized for our XDR use cases already through the integrations that we have already. But we want to extend that core capability that CrowdStrike has on top of third-party data, and that's what is unique.

Okay. So I think looking at the results from last night, we know the Falcon platform is second to none. But so why don't we just dig into more of the individual modules versus the overall platform? Just some of the ones that I think are probably the most interesting that could move the needle going forward. I want to start with Humio was an acquisition. I know George talked about a number of Humio wins last night. Even somewhere, Humio wasn't necessarily used as a security use case. So it looks like you're sort of branching out into even nonsecurity plays with Humio. Can you just talk about why customers would choose Humio maybe over, let's say, Splunk or another vendor when it's for a nonsecurity use case? And how many of those you actually saw?

Yes. The vast majority of use cases, the vast majority of wins that we've had with Humio have actually come outside of security, which has been really encouraging to see. We certainly expected that we're excited about Humio to solve a number of different use cases and problems. A lot of DevOps teams coming to us to get help from Humio. We've had customers that have contacted us, organizations that have contacted us because their UB tools, their user behavior analytics tools were struggling, sitting on top of other platforms that couldn't cope with the amount of traffic. And we've had wins not only replacing the data warehouse, the data storage platform underneath, but actually also replacing the UB tool because we were able to reproduce the use cases within Humio. But then we've also had wins in the traditional segments that you'd expect in terms of replacing same tools, replacing log management tools. So we're really excited about Humio. It's part of the reason as to why we wanted to buy it. And I think there's no single vendor that I can point to, to say we're displacing this vendor more than the other. We're actually getting some pretty significant wins across the board, which is just highlighting what a lot of people told us. They're not happy with the existing solution. They're too expensive. They're too complex. And this is giving them a better offering at a cheaper price point. It's easier to use for them, and that's why there's a lot of satisfaction with Humio.

Okay. That makes sense. Let's talk about cloud workloads now. I think in the past, you guys have talked about cloud workloads maybe even 10x greater than the number of traditional endpoints that you could protect. And last night, George said that 25% of servers that you protect are currently in the cloud. So maybe help us understand what does that metric telling us about your ARR. What kind of contribution are you getting from the cloud as far as ARR? And maybe how big of a -- where is your biggest channel that's pushing or providing a lot of the sales from the -- for those cloud workloads?

Yes. So what I'm saying is that we're gaining momentum in that space, and it's early days. We think that it's greenfield for us. There's nobody there. It's not like when we were going after the AV market 5, 6, 7 years ago when there were some incumbents there and we were displacing them. There's nobody there. And so we feel that at this point, there's this opportunity to go after this market that's really, really underserved. And we gave out that stat to just to give you an idea of what's out there for us. We think that this has a long runway, and that's where the world is going, right? Cloud workloads, that's going to be something bigger and bigger, growing really fast and probably growing faster than anything else. And I think that the idea here is that there are a lot -- there's lots of room for innovation. And this quarter, we extended Falcon Horizon to support even Google Cloud environments. So now we're supporting the 3 largest clouds. And at the same time, you asked where it's coming from, we deepening our partnership with AWS. So I think that you put that all together, and you've got something that we're going to be able to grow on for years to come. And that's exciting for us. And I think that the fact that it's underserved, the fact that it's still early days and the fact that there's a lot of headroom, all 3 of those things are going to, I think, lead to good growth.

Great. We'll keep an eye on it. Another one I want to ask about is a lot of vendors talk about the Zero Trust market. I know every organization needs to adopt that framework. And you recently made an acquisition of SecureCircle, which I think brings you into that Zero Trust discussion. Can you just help us understand, is that going to be sold as another module on your platform? And what's the customer interest in Zero Trust?

Well, we moved into the Zero Trust area some time ago actually with the acquisition of Preempt. And a big part of that strategy and what Preempt brought us was the ability to provide multi-directory visibility into the scope and access of privileges for identities across all clouds, whether it's on-prem -- sorry, I should say, across different directories, Microsoft AD, Azure AD, whether they're on-premise, directory stores, cloud directory stores, segments. We segment accounts into human, service shared accounts and privileged accounts. That's been a big area for us. And George and Burt talked a lot about the benefit that Preempt has brought to customers and obviously to bookings as well. But SecureCircle builds on top of this. SecureCircle is a different approach, an innovative approach to data protection. It helps. There's a number of different use cases. It's making sure that -- whether it's your high-value intellectual property, your customer information, your financial data, doesn't fall into the wrong hands. And if it does, the technology is built in a way that the adversary, the attacker couldn't actually get any value from that data. So if you talk about ransomware, if somebody steals your data, they can't use it against you. They can't sell that. They can't do anything with it because it's not going to mean anything to them. So it's a Zero Trust approach to data protection, and that is going to be another module that we will be selling. There's a lot of excitement since we announced the acquisition of SecureCircle.

That's great. Are there any other sort of maybe key growth drivers or modules you would highlight that we should focus on we haven't brought up today?

Well, we announced FileVantage, which is our new file integrity monitoring module. There's an incredible amount of excitement around that. I touched on Preempt before, which is our Falcon identity product and Zero Trust technology. I mean there's just so much excitement around that, and customers just getting a lot of value. But then we've got to look at the core and the opportunity around the core in terms of what we're doing with our next-gen AV. We've got the highest efficacy rates we've seen in the product in terms of stopping attacks. The capabilities that we're building on, on top of EDR. We've announced some new capabilities with Falcon Spotlight to help organizations prioritize which vulnerability they need to patch first. I mean think of every month, you have zero-day Tuesday, when there's all these vulnerabilities announced, what do you focus on first? And we're helping organizations solve problems with these. So across the board, it's been one of our biggest innovation years. So I'm very happy with the work that the team has done. And our engineering team is pound-for-pound. They're just amazing.

That's great. All right. Maybe shifting gears to the services side. I know your motto is we stop breaches, but you also respond to breaches with your incident response organization. I'd imagine that side of the business is pretty busy with all the attacks we've seen this year. Maybe if you could just talk about how that's doing. I know in the past, you've also said it's typically got a 3:1 ratio in terms of for every dollar of services sold that brings in $3 of product. Is that still accurate? And how is that business doing?

So it's actually gone up. It's more in the 5 50 range. So for every dollar of incident response that we get from services, it turns into 5 51 in terms of products. So continued success in the cross-sell from that business into our product business. So yes, it was an increase in the IR inbounds in Q3. It was a record quarter. We certainly have in the lead team. I think that the folks out there know that it's us and one other group, and that other group has shed their product business. So that synergy is gone. So we're that shop that people come for the synergy. So one is we come in, we clean up somebody else's mess. The product didn't work, and then we clean it up and then we leave ours behind. That is something that's worked for us for years. And although our incident response business and our services business is a small percentage of our overall business, it is a great lead gen for us, and it's worked really well.

Okay. That's a good segue to the next. I've only got 2 left for you guys, but good segue here into -- as it relates to lead gen. Let's talk about the channel. How is -- how have you grown over the last few years with regard to channel partners? And where are you -- are you seeing more deals come to you and brought to you via the channel? Or are you still out there finding a vast majority, though?

No. We're getting more from our channel partners. It's been a great success. We're a channel-first company. Look, the channel, they're looking for vendors like us where customers are asking for it and they can sell it, right? They're going to come in and it's flying off the shelf, so to speak. And they make money off us. So if they make money off us, it means they're going to invest in us. It means they're going to be thinking about us first. It's going to be the first out of their bag. And being a channel-first company, you see what numbers we just posted, right? And we put most of that through the channel. Some of it obviously is us going to the channel and from a fulfillment standpoint or we call it a teaming effort where we might bring the deal, but we need their help in closing it, getting intel around, where we are in the deal, what's the customer looking for, et cetera, et cetera. But a lot of it is the deal rates from the channel side, and that's been ever increasing. And we're really excited about where we are with the channel and all the programs that we have in place with the channel.

Well, that's great. Well, let's close out with a financial question. You're on track to generate over $350 million in free cash flow this year, and it should eclipse about $500 million next year if estimates are correct, which seems to be somewhat underappreciated in the market. And you also accumulated a nice cash balance of over $1 billion now. Like can you give us any insight in terms of potential uses of that war chest of cash?

Yes, close to $2 billion. So we are excited about where we stand from a balance sheet perspective. We're really happy with our free cash flow generation. Our performance this year demonstrates what we can achieve with our model. We talk about it as the power of the model. The model was built to throw off cash, and we've seen that. But we're going to use it, I think, to invest in the business. We see a massive opportunity in our doorstep, and we're going to invest and capitalize on that. And we'll certainly talk more about it in the future. But right now, I constantly talk about, hey, we're going to invest aggressively. We've tried to do that this year. We saw some of our unit economics come down just a tad, and we want to continue to leverage that number and even bring it down a little bit, so to continue to invest in the business. But the real key, which makes Mike really happy, is that we're going to over-index in investing into R&D and more than S&M or DNA. I think that we've got a real opportunity out in front of us. We have a great team in our engineering. We want to boost that team, augment that team globally to go after the market in front of us and to, a, add to our existing offerings and then bring in new offerings that are going to delight the customer even more.

Do you feel like you have the right sales capacity now in place to -- for the -- at least the next 12 months so that you can overinvest in R&D given the shortage of talent out there, and I think it's difficult to hire. Just curious to feel like -- where do you feel like you're at in terms of sales capacity?

Yes. So we finance, and especially myself and my team lead, we have a great relationship with sales, right? And so it's not only, as you know, Andy, not only going out there and doing deals together with the sales team, but it's the back end, looking at their capacity planning. They'll obviously put together their first foray. They put together the quota plans. They put together the geographies, and they'll do all the lion's share of the work. Then we take it and finance it, and we threw it through our models, and we come out with what does the unit economics look like? And as long as it's in band, off you go. So we do feel that we've got the right capacity planning. We've been really good at it for many years, and we've been able to overperform. So that's been fantastic. And we're going to -- we continue to deepen that relationship. And I think it gives us greater visibility to finance and to know where the highest and best of our resources should go. And so right now, I do feel that we're in a great spot to be able to work with sales and get the right capacity planning again for next year. And then overall, just the power of the model, being able to generate the profitability and cash that we would like to -- and continue to aggressively invest in the business.

All right. Well, that's great. It looks like we're out of time. Burt and Mike, thank you so much for being here today and everyone on the call. On behalf of everyone at Wells Fargo, thank you so much for spending the week with us.

Thank you, Andy. Great seeing you, and great talking to you. Talk soon.

Sounds good.