CrowdStrike Holdings, Inc. (CRWD) Earnings Call Transcript & Summary

All right. We'll go ahead and kick it off. Thanks, everyone, for joining us at the Goldman Sachs Communacopia & Technology Conference. I'm Gabriela Borges. I lead the emerging software vertical here at GS. It's a real pleasure to have on stage with me George Kurtz, CEO and Founder of CrowdStrike. Thank you for your time.

Great to be here.

So I wanted to start this conversation talking about the strategic importance of the real estate that you have on the endpoint. I remember with the founding of the company, with the core focus being on having a lightweight agent. There is a lot that you can do longer term with the types of data and the access that you have on the endpoint. I wanted to ask -- start off by asking, how do you think about the strategic importance of the endpoint evolving? And where do you think you can lean in over the longer term, not just on the security side, but perhaps even more broadly on the IT infrastructure and operations side?

Sure. So when I started the company, I knew the endpoint was important. I didn't quite know how important it was going to be in 2023, and that's a good thing. So if we think about today versus just 10, 12, 15 years ago, and we look at the form factors and where endpoints and what I'll call workloads run, the proliferation of the cloud has just exploded the ability to actually have different endpoints and agents and the ability to actually prevent and collect data. So in today's environment, just think, say from 10 years earlier, like do we think network equipment and hardware is going to be used more? Or less? And in my view, it's being used less because of all of this infrastructure has now moved out into the cloud. And when we think about even the core endpoints, they're outside the firewall, and that happened with COVID. So the real estate that we have, I call beachfront real estate. I always get asked, "What do you do?" I say, "I'm real estate investor." They go, "But like, you're a tech guy, aren't you?" I go, "Yes, I am. But I have beachfront real estate on many, many different endpoints and workloads." And that accrues value to CrowdStrike because, as you said, not only security use cases, but nonsecurity use cases become available to us.

I would love to hear a little more about how you're thinking about some of those nonsecurity use cases longer term.

Sure. If you think about how our agent works today, it has the ability to obviously collect data. And today, even in what we have -- and we'll talk about this a little bit later, our asset graph, we know the assets. We know the state they're in. We know how they're running. We know the performance of them. We know what software is installed. We have all of this very relevant information which is really hard to come by in most large companies. So we have that information. And at least from an observability standpoint, and there's like 5 levels of observability, we can deal with 1 and 2 of them. The first 1 and 2 is more around infrastructure. We have customers today that absolutely use our technology and our platform, including things like LogScale to instrument their environment outside of just security. The second piece, the agent actually has the ability to take action. And the creation of -- and automation around workflow is super important, certainly from a security perspective, but also from an IT perspective. So all of the functionality that we've built becomes available not only to the security team but also to the IT operations teams.

So it leads into a little bit of a discussion on the proprietary nature of the data set that you have. And you made an interesting comment on the earnings call about how the data set for AI use cases isn't about simply having the most data. So give us a little more detail there. How do we think about the differentiation of the data set that you have relative to perhaps some of your endpoint peers or some of your security peers?

Sure. So I think it starts with you're going to hear a lot of companies say, "Oh, we have the most data." Having data is good. We have a lot of data. I would hazard a guess that we have one of the biggest data sets around. But it isn't really about the data set itself and the size. It really is about the data and how you collected it, and what we talk about, this annotated data. So when we think about generative AI, a big part of generative AI is the human training around it, right? If you think about ChatGPT, there's an army of people trying to train it so that you don't have these hallucinations, which is really kind of an error in the algorithm. I always like to say I'd rather be probably lucky than good. And I'd say over the last 10 years, we got lucky in that, through Falcon Complete, through OverWatch, which is our managed detection and response services, we've been able to annotate a lot of these threat pairing in this data. So we just did it because we had to do it. So now when we train the algorithms, we already have a lot of the data. Not only the threat data, but we have how it works and is it real, is it not real, et cetera. So when it goes into the algorithm, it comes out with better efficacy out the other side. And that we took -- that took 10 years to build up. So we look at that as a data moat. And that, again, you could have a lot of data, but you still have to train it the right way. That's number one. Number two is we've been doing AI since the beginning of the company. Generative AI obviously has come later as a technology. But when I started the company, we held pioneer, using AI to detect and prevent these sort of attacks. So we do have the muscle memory there, and I think the data has always been an important element to our story.

So let's talk a little bit about the application within Charlotte. How do you take all of that training, that 10 years of data that you've built up, and then commercialize it into a product that customers find easily accessible and can actually move the needle for them in a way that they can trust?

Sure. So when we think about Charlotte and why we're so excited about Charlotte is it's not just a -- it's not like a side chatbot feature, it's actually a foundational platform service. What I mean by that is everything on the platform is consumed as a service the way it runs technologically. So Charlotte becomes available to every other module that's out there, and that makes it super powerful. And how do we make money or provide value to a customer? Well, let's look at what a Tier 1 analyst does today, right? A Tier 1 analyst in their 8-hour day basically logs in, goes through alert triage, tries to figure out, okay, what do we have to work on? What's the priority? Takes action. Maybe writes a report at the end of the day. I mean, there's a lot of work that goes into it, even though we have automation in the product. In today's environment, people log in and they kind of click around and triage. That's the way a Tier 1 analyst works. Really, where we see this going is to create what we call generative workflows, which is more of a conversation with Charlotte. So in the morning, you would come in and you'd say, "Okay, well, Charlotte, what are the latest threats that CrowdStrike knows about in the last 24 hours? What are the adversaries doing in my particular industry?" "Okay, how does that apply to the assets in my company? Which ones might be exposed? Can I take a mitigating action? Can I roll out a patch?" "Oh, I want to roll out a patch, so create a PowerShell script on the fly and then use Falcon Fusion," which is our automated workflow. We have a whole workflow built in. It's pure automation that's already part of the platform. Every service can use it. "And then roll out that patch. And then when you're done, write a report." So if you think about that 8-hour day, that's 10 minutes' worth of work. And that's where the value comes in. A, you can't find enough security people; B, they're too expensive and hard to keep. And real value is in the automation and taking the cumulative knowledge of CrowdStrike and all of our threat hunters and basically distilling that into something that Charlotte knows and then making that level of intelligence available, but also a level of automation available to our customers. And that, we believe, is incredibly valuable for our customer base.

How much of what you're describing is part of the longer-term road map versus available that's part of what you're trialing today in Charlotte?

Well, I think you should come to Fal.Con and we can show you what it all looks like because we've been working on it. And what I talked about is part of Charlotte, right? So obviously, over time, it's going to have more capabilities and tie it to more services and those sort of things. But so far, the response has been phenomenal from customers, and in particular, the level of automation that we've built in. And again, from an AI perspective, I think it's just like the early days of when we came out with our technology. It was like, okay, just tell us it's bad, and then when we're convinced you really know what you're doing, then prevent it all. And I think it's going to be the same with this generative AI. Just tell us what we need to do, and then we'll hit the button if we want to do it. But we'll have it all staged and ready to go. And I see that level of adoption paralleling what we saw in the early days of using AI to prevent attacks.

So it leads nicely to a pricing strategy question. As an analyst, we can do math on time saved going to 10 minutes, automation, et cetera. What are some of the pricing philosophies or the pricing principles that you all are thinking of as you think about setting a price point for Charlotte at Fal.Con?

Yes. And as we mentioned, we talked about the pricing being exposed at Fal.Con. When we think about what we're doing, again, it comes down to value pricing. What would it cost for a team of analysts? What would it cost for this sort of automation and how much value can we provide? And for us, we want to strike a balance of making sure that customers leverage it and use it and are exposed to it versus just so overpriced. We've seen other pricing out there that I think is just way overpriced from competitors. And when we kind of come out with it, focus is let's get everyone using it because we know there's going to be a level of pull. We know, when you actually see it, it's sort of like one of those iPhone moments, right? Even first time you probably play with ChatGPT, like, wow, this is pretty cool, right? So I think when that's applied to security, people are going to be really excited and hooked on it and use it in ways that we hadn't even thought about. So we want to make some level of it certainly affordable and exposed. And then how we'd premium-price some of the other elements, we'll talk about that at Fal.Con. But in general, I'm just trying to give you my philosophy. Let's make sure we can get the masses using it because the pull will be there to be able to monetize.

So the broader question I have on pricing is we see this across different areas of the technology stack, where technologies that have been around for longer see price compression, and then you move the needle forward on innovation and you're able to capture more value from next-generation technologies. So as you think about CrowdStrike selling a platform, how do you think about the value you're capturing holistically across the Falcon Complete bundle? Are you seeing or do you think about pricing compression at technologies that have been around for a while and then offsetting that with TAM expansion at the high end? How do you think about pricing of the platform holistically?

I think you said it well. Obviously, when new technologies come out, there's different price points that are available. And then as technology evolves, new technologies come out and you kind of go through that cycle. I think the philosophy has always been how do we come up with pricing which is fair and good? And we've never been one that just wins on price. I mean, we can if we need to, but we generally don't have to. And how do we provide the value and demonstrate that to our customer? And we spend a lot of time on value selling. So in the early days of a module, it could be 2 things. One is if the module is really early in its development, it might be priced to just get out and exposed to our customers. And then over time, as we add new capabilities into Rev 2 and Rev 3, I mean, there's always new -- every week, there's new releases that go out. But as we add new capabilities, do we have the ability to then increase the price? Do we have the ability to put it into a bundle? Can we wrap and roll it into a broader category in how we sell it? So from our perspective, if we can see the value there and we can demonstrate it to the customer, that's what we want to be able to capture. And certain modules are, if you look at our USB control, right, it's good, it works really well, but is at the same price point as LogScale? No, it's not. It just does different things. So we have to look at the market. We have to look at what we're providing, how mature it is and the overall value to the customer. And then we look at that equation, kind of individually price, and then think about bundled pricing and go to market with that.

So I think at any given time of CrowdStrike's history, you could have taken a snapshot on the pricing environment and the competitive environment, and endpoint has been competitive for a long time. Are there any observations that you would call out about the pricing environment and the competitive environment today versus 5 years ago or 10 years ago? And then maybe it allows me to directly ask the question about Microsoft as a competitor.

Sure. Well, I think you have to look at it, and I know we talk about endpoint. Like 5 years ago, 10 years ago, endpoint was, I'd buy something from McAfee and Symantec, and I -- that was my AV product. That is not endpoint today. We talk about platform and endpoint is just the delivery mechanism. So when you think about what people -- what we're selling, what people are buying, they're buying a platform, they're not buying the endpoint. There's a module, sure, that does prevention, there's a module that does EDR, yes. But once the data is collected, it's collect once, reuse many. And this is a much different model than anything that had been done before. When I started the company, used to be all disconnected ePO servers and those sort of things. So when we think about the environment today and the ability to extract more dollars, you have to look at the outcomes and what you're actually solving for customers, right? We're solving data ingest and correlation. We're solving threat intelligence. We're solving the ability to actually do file integrity monitoring. Obviously, all of the core endpoint security pieces of it. It goes on and on. Identity, which is one of our huge growth drivers for us. So all of that is the form factor. The chassis is an agent, a data set and a data store and a cloud architecture with modules. But there's so many outcomes you can get aside from 10 years ago, where some of them was just buying an endpoint for pure AV.

And the way that you're thinking about the evolution of the platform, how do you think about Microsoft as a competitor evolving alongside you?

Sure. Microsoft is always going to be a competitor that's out there. I think over time, you've seen it come and go in certain industries. I know they're putting a lot of effort into it. But at the end of the day, you have to look at the company itself, and you can never discount Microsoft and their capabilities. But fundamentally, they create applications. Fundamentally, they're 1 of the 3 large cloud providers, if you will. That's where they're spending their time and effort. Every day, we wake up thinking about how do we protect our customers? How do we actually make sure they've got the right security outcomes? And that's what we do. And customers are looking for someone who is independent. We've seen, just over the last quarter, a huge inflection point in customers going, "Wait a minute. If Microsoft has a security issue which leads to a security issue in the government, what does that mean for us as a customer?" And that's what's swirling around in customer circles. And you have a lot of customers saying, "Okay, we have to use Microsoft because they're a big player, people use Microsoft technologies, fine." But they don't want the fox guarding the hen house, and they're looking for other technologies to be able to provide a more broader platform, particularly in security, and something that's independently focused on stopping breaches. The other thing that I will say, which is, again, just making sure everybody level sets. Even if someone is a Microsoft customer, they E5, they bought everything from Microsoft, they still can be a CrowdStrike and still are a CrowdStrike customer. We have plenty of Microsoft E5 customers. So it isn't mutually exclusive, which is I think important as people think about their models and market share. It doesn't mean, if Microsoft has something on an endpoint with an E5, that they're not going to have CrowdStrike.

That's a fair comment. Okay. So I want to connect the dots between the strategic importance of the endpoint and identity and cloud and some of the other modules that you offer with customer willingness to invest today. Companies talked about deal cycles elongating, more budget scrutiny. Would love to hear a little bit about what you're hearing on the ground with regards to customer willingness to invest in the products that you sell.

I think customers are willing to invest in platforms and consolidation. And if you're a point product or you don't have as much value, that's going to wane over time. The conversations that we're having with customers are really around how can they do more with CrowdStrike? How can they do more? They have too many vendors. Some customers have 60 different security vendors. They've looked at a lot of the controls. Interesting story. I was talking to a CISO a number of months back where they -- I'll just tell you a quick story and then we'll get into the consolidation piece, to just give you an idea, though. They called me on a Friday at 5 because nothing good happens before 5 on a Friday. And they said, "Hey, we've got this issue and we want to have your response guys come in. They were a customer, we found something." And long story short, we roll up there on a Saturday and we say, "Okay, well, we actually think it's a pentest." And they said, "No, no, no, it's not. We would know if it's a pentest." Long story short, the internal audit team had a pentest, which we caught. And they had -- it was kind of -- there's more to the story, it was really funny. But at the end of the day, my point is they had 60 different products, 60 different controls, and we were the only product and technology that caught what was happening. It was actually a Mandiant pentest. So what does that mean? It gets to the conversation that we're having. They have too much stuff. They're actually looking at the controls, what's working, what isn't working, and saying, "Hey, we're getting no value out of these other technologies," will want to consolidate on CrowdStrike across the stack and get the outcomes that they're looking for.

So you've got, and you very consistently have talked about the pipeline into the second half of the fiscal year, and your ability to ramp momentum with partnerships, consolidate spend, ramp sales reps. There are a number of internal factors that you have control over in the context of the macro. And so with all that said, help us get more comfortable, from the outside in, on the visibility that you have that lead the company to consistently talk about net new ARR growth in the back half.

Sure. It's a good question. I spent some time on that, obviously, in the earnings call. So if you kind of zoom out at the macro level, and then we'll talk about CrowdStrike, it's really around the 3 Cs. The comps in the back half of the year, obviously, we're rolling over macro impacted comps. Second one is competition. There's a lot of movement now in the competitive market space. There's a lot of noise that's out there and a lot of customers concerned. So we think that the competitive environment gets better in the back half of the year. And then consolidation, right? We're seeing the consolidation play. So that's sort of the kind of the macro view. When we think about CrowdStrike, it really then is the 3 Ps. The first one is around product. The product portfolio is in the best shape it's ever been in. And I can't wait for Fal.Con because there's just some amazing stuff that we're going to be announcing. So the product is in great shape. We've got partnerships, which is a second P. We've got things like Dell and Pax8 and others, all the way from the high end to the low end. We spent a lot of time. Daniel Bernard is our Chief Business Officer, really working on the partner and go-to-market motions. And we put a lot of that in place 6 months ago and we're starting to see the fruit of that. And then when we think about the pipeline, the product and the partners generate pipeline for us, and we're going into the back half of the year with the strongest pipeline we see in Q3. So that's the way we look at it. Is it going to be easy? No. Is it still a tough environment with elongated sales cycles? Yes. It's a matter of having visibility and line of sight to where we need to be for the back half of the year. And I think, again, coming out of Fal.Con, there will be a lot of excitement, and that's part of what we're looking at as well for the back half.

So you made an interesting comment on competition that crystallized your earlier comments, which is the competitive environment will be getting better in the back half. Would love to hear, is that a function of what you're seeing in the pipeline, some of the examples you have on the customer side of consolidation of spend? Why do you think the competitive environment is getting better?

I think the competitive -- it's always going to be competitive. I think we're going to be the beneficiaries of some of the movement and noise in the market that we see today. And I think when you look at what we're doing from a consolidation perspective, the consolidators are going to win. And I think that's going to allow us to compete even more effectively in the back half of the year. Again, I'm not going to take anything away from the macro or that it's a tough environment or you've got to put a lot of work in, right? Because you really do have to put a lot of work in to manage all these deals in the pipeline. But from a pure competition perspective, we're already starting to see the wins in -- given the noise in the environment today. Customers don't like uncertainty, and they're looking for the kind of the bedrock brands that are going to be here today and into the future.

Is that a way of saying that win rates are going up? Can I frame it that directly?

You can say whatever you want. What I'm saying is I got line of sight to the back of the year, and I'm excited about our products in the market.

Fair enough. Okay. So I want to ask about your cloud business and the new statistics that you've disclosed, $300 million in ARR as defined by modules deployed in the public cloud. So there are a number of ways that you can think about security in the cloud. Your cloud business, how do we think about the mix between something like Cloud Workload Protection, where you're running an agent in a container, versus XDR modules deployed in the cloud? Help us understand the mix of that $300 million.

Well, you have to look at the core pieces of the cloud business, which is really Falcon Cloud Security, which is composed of CSPM and Cloud Workload Protection and sort of everything in between, including cloud detection and response. So it really is the ability to help make sure that code is secure, that it's deployed and that it's run in a secure environment. And those are the big drivers. One of the things that I talked about in the earnings call is that we've made it easier for customers to consume Falcon Cloud Security. So you can buy that and you can basically use our CSPM as well as our Cloud Workload Protection. And I think that has been a huge game changer because people are looking at it, going, "Wow, I have price certainty. I've got flexibility. And the product -- all the products are amazing and extremely competitive in their own world." So from that standpoint, I think going to a customer and saying, "It's easy to buy. You've got both the integration of agent and agentless together, that work together, and a control plane that instruments all that with our cloud. And then if you really want the extra eyes, Cloud -- Falcon Complete for Cloud has been a game changer." And what we're seeing right now in terms of breaches, I'm going to hazard a guess. 90% of the active incident response that we're working on right now are all cloud-related exposures, right? So I think we're only in the early innings of what we're seeing in terms of cloud protection, visibility, as well as the cloud detection and response market.

Is there a piece of that cloud business that is lift and shift? Meaning, business that CrowdStrike previously wouldn't have classified in cloud where a customer is supporting workloads or supporting security functionality?

Well, there's always some level of modernization that's taking place in an enterprise. And we did a kind of back of the napkin math, I guess, on this on one of our webinars a number of years ago, which was, if you took a physical server and you moved it to the cloud, it equates to like 10 different workloads, just how everything is split out. And that's what we're seeing. So certainly, there's some lift and shift, but I think there's a multiplication factor of, when it gets to the cloud and different Kubernetes environments, it kind of multiplies. It doesn't go down that you just -- it's not a one-to-one lift and shift is what I'm saying.

Yes, that makes sense. And so if there is a multiplication impact, I imagine at the same time, it's not 1:1 in terms of TAM. Meaning, if you move an endpoint to the cloud, that doesn't mean you're paying CrowdStrike 10x more. And so how do we think about those 2 factors offsetting each other? In other words, how much does the cloud expand the CrowdStrike TAM, or how do you think about that?

I think it massively expands the TAM for us, right? Because if you look at where the growth is in just protecting workloads today, certainly, endpoints and the ability to protect them, that isn't going down. But the proliferation of agent and non-agent and other technologies, look at things like enterprise attack surface management. And these were -- that's not even an agent, right? So these were things that people didn't even consider 5 years ago, but they're all now part of our cloud story and our cloud TAM. And the fact that you have to have or not have an agent is going to be almost irrelevant in the cloud because when you think about all of the various form factors and what needs to be protected today and have instrumentation and visibility and compliance, it's only getting bigger and bigger. And what I talk a lot about is that, the technology curve, as it gets more complicated, security has to parallel the slope of that technology curve. So if we just think about 30 years ago, you had a simple website and a firewall, really easy. And today, it's incredibly complex when we think about all of the different cloud environments, how to build, how to deploy, how to protect. And that's only going to get more complicated. And it only is going to allow us to create and sell more and differentiated technologies into those environments.

I want to pause for a moment and go to the audience. Any questions from the audience? Please.

Do we have a mic? Coming.

So it was interesting to hear about nonsecurity because you do have a lot of data and you've done this observability as a very common or a gradual adjacency. How are you thinking about it? I'm sure you've got this question quite a bit. Like how are you thinking? Because observability is very competitive, I don't believe you're looking at it that way. You're looking at it in a different way. Big picture, how are you looking at that?

Yes, it's a good question. So you have observability companies here. You have security companies here, right, which we are. And then you have the observability companies wanting to do a little bit more security and us doing a little bit more observability, right? I think those companies will always be sort of best-in-breed in pure observability. We're always going to be best-of-breed of pure security. But there is overlap in terms of collecting data. And I think we're in a good position to do that. A, we have an agent that already collects data, and we already have it in our cloud. It's already accurate, it's already kernel-based. And a lot of the performance data that you're looking for needs to be kind of in line in the kernel so that you can actually see what's going on in real time. So we have a lot of the underpinnings there. Then you have to create workflows around that. And with something like LogScale, it actually has the ability to create very unique workflows. And customers now, I think for the first time, are saying, "Okay. Well, we're already getting all this data from you. You now have LogScale. We can get a subset of the data we need. We can save a whole bunch of money because the real estate is already there." If the agent is already there, why do you want to put another one? So we can carve out a really nice niche in that area. And again, I'm not saying we're going to be a full-fledged observability company. I'm not saying that. But there definitely is overlap in the space. And the ability to collect data at scale and create usable workflows for customers is something that we can and we do, do today.

Any other questions from the audience? Please, in the back.

With the introduction of Charlotte AI and the shift from a dashboard user interface to a conversational user interface, with respect to the overlap of observability and security, like why doesn't that create a bigger jump ball in terms of your opportunities out there?

Yes. It certainly may. It certainly may. I think there's a lot of really interesting things that you can do with Charlotte. So we'll save some of that for Fal.Con.

So I'll end with 2 questions. The first is on the financial model and the company achieving its financial goals faster than I think you originally expected. What happens next? What is the ceiling on where EBIT margins can go over the long term?

Well, I appreciate the question. And Burt, our CFO, isn't here, so I know I'd have him whisper in my ear because he's always focused on flighting the business and making sure, operationally, that we're really focused on executing and delivering the right financial profile. We spend a lot of time on things like gross margin. You've seen the gross margin move over time. There isn't a day that goes by that we're not thinking about how to move gross margin, how to be more efficient, how do we collect data, how do we use it, how do you construct the cloud? There is a lot of DNA that is involved in making sure that you can run a very efficient cloud business. And I will say that is a barrier to entry because, if you do it for 10, 12 years, there's no compression algorithm for experience. So you have a lot of these smaller companies come up and their margin profile is terrible because they haven't figured it all out. So we think that having a view on gross margin, as well as operational efficiencies in sales and marketing, is a key way to deliver more leverage for the business. And again, Burt talked about getting to our long-term -- some of our long-term operating windows. And that's true, but it doesn't mean that we're going to stop looking and trying to figure out every way we could be more efficient, particularly around gross margin.

The second question I wanted to ask you is you have an amazing corporate development team that talks to a lot of start-ups. Help us separate some of the signal from the noise. When you meet with founders, what are the 1 or 2 questions that are top of mind for you to figure out whether they're building something real, and then whether they're a good fit for CrowdStrike?

Sure. It's a really good question and we're really active in talking to companies that are out there. We talk to a lot of them, and we really want to make sure we have our pulse on it. In fact, we have our own Falcon Fund, which invests in a lot of the companies. But what's important, and it doesn't take long and it takes me about a 5-minute conversation with a company is, A, who the founders are, what's their background? And B, what are they building? And a lot of what's being built today is, hey, we're going to connect to somebody else's API. We're going to get the data, put it in a data store, and create some workflows around it. Super easy to -- it's like 0 barrier to entry for that, right? The harder part is building real IP around things. I mean, yes, it took us 10, 12 years to get to where we're at, right? But the agent is really hard to replicate. If you're just connecting into somebody's APIs, anybody can connect into it. In fact, you can do like 5 of them at a time and still connect into them. There's no limit to that. And those sort of companies, they could be good acquisition candidates, they could be good features. The ones that really stand out are like core IP, great founding team, and then sort of a huge TAM and they're committed to seeing it through. The rest, the majority of what we see are just features that are going to either be bought or go away or be commoditized. And that's -- you just got to separate the wheat from the chaff there.

Thank you for your time. We appreciate all the insight.

Yes. Thanks so much.