CrowdStrike is finding massive traction in areas outside its core endpoint security products, setting up the company to become a major player in other key security segments such as identity protection as well as in IT categories beyond cybersecurity.
Already one of the biggest names in cybersecurity for the past decade, CrowdStrike now aspires to become a more important player in areas within the wider IT landscape such as data observability and IT operations, CrowdStrike co-founder and CEO George Kurtz told Protocol in a recent interview.
“I would say down the road, we will be known for more than just security. And we’re starting to see that today,” Kurtz said.
CrowdStrike brings plenty of credibility from its work in cybersecurity to its effort to penetrate the broader IT space, according to equity research analysts who spoke with Protocol. The company recently disclosed surpassing $2 billion in annual recurring revenue, just 18 months after reaching $1 billion. And even with CrowdStrike’s scale, it’s continued to generate revenue growth in the vicinity of 60% year-over-year in recent quarters.
In a highly fragmented market like cybersecurity, this type of traction for a vendor is unique, said Joshua Tilton, senior vice president for equity research at Wolfe Research. “They’re sustaining [rapid] growth and profitability, which is very rare in this space.”
At the root of CrowdStrike’s surge in adoption is its cloud-native software platform, which allows security teams to easily introduce new capabilities without needing to install another piece of software on user devices or operate an additional product with a separate interface. Instead, CrowdStrike provides a single interface for all of its services and requires just one software agent to be installed on end-user devices.
As a result, CrowdStrike can tell existing customers who are considering a new capability, “‘You already have our agent — turn it on, try it out,’” Kurtz said. “‘And if you like it, keep it on.’ It’s that easy.”
For years, Kurtz has touted the potential for CrowdStrike to serve as the “Salesforce of security” thanks to this cloud-based platform strategy. But at a time when cybersecurity teams are looking to consolidate on fewer vendors and are short on the staff needed to operate tools, CrowdStrike’s approach is increasingly resonating with customers, analysts told Protocol.
The company has now expanded well beyond endpoint detection and response, a category it pioneered to improve detection of malicious activity and attacks (such as ransomware and other malware) on devices such as PCs. Along with endpoint protection, CrowdStrike now offers security across cloud workloads, identity credentials, and security and IT operations.
The cloud-native platform concept is still early on for cybersecurity, but if CrowdStrike’s momentum continues, it’s poised to potentially become the first “fully integrated, software-based platform” in the security industry, Tilton said. That’s in contrast to other platform security vendors that are hampered by architectures that predated the cloud, or that rely on hardware for some of their functionality.
“CrowdStrike’s DNA is that they’ve come as a cloud-native company with a focus on security from day one,” said Shaul Eyal, managing director at Cowen. “It does provide them with an edge.”
Even with CrowdStrike’s advantages, there are no guarantees it will maintain a leading position in a market as large and competitive as endpoint security. There, the company faces a fierce challenge from Microsoft and its Defender product. It’s a topic on which Kurtz is as outspoken as ever.
With regard to Microsoft, “if you are coming out with zero-day vulnerabilities on a weekly basis, which are being exploited, that doesn’t build trust with customers,” Kurtz said.
“I’m not saying they’re not going to win deals. Because they’re Microsoft, sure, they’re going to win some deals,” he said. “But we do see deals boomerang back our way when someone has an issue. Many of the breaches that we actually respond to [are for customers with] Microsoft endpoint technologies in use.”
Even so, Microsoft brings plenty of advantages of its own in terms of its security approach, analysts told Protocol. Much of the business world counts itself as part of the Microsoft customer base already, and the company has seen major success in bundling its Defender security product into its higher-tier Office 365 productivity suite, known as E5. As of Microsoft’s quarter that ended June 30, seats in Office 365 E5 climbed 60% year-over-year, the company reported.
And for every CISO who thinks it doesn’t make sense to trust Microsoft on security due to vulnerabilities in its software products, there is another CISO who thinks Microsoft’s ubiquity in IT is exactly why the tech giant is worth leveraging for security, Tilton said.
Beyond the successful bundling strategy, Microsoft has overall done “an exceptional job of elevating security within their product portfolio,” said Gregg Moskowitz, managing director and senior enterprise software analyst at Mizuho Securities USA.
Still, “we do typically hear that Microsoft has limitations when it comes to what an enterprise’s requirements are across some of these cybersecurity areas,” including on endpoint, Moskowitz said. At the same time, “we do believe Microsoft’s going to get a lot stronger over time,” he said.
IDC figures have shown CrowdStrike in the lead on endpoint security market share, with 12.6% of the market in 2021, compared to 11.2% for Microsoft. CrowdStrike’s growth of 68% in the market last year, however, was surpassed by Microsoft’s growth of nearly 82%, according to the IDC figures.
Still, Kurtz argued that CrowdStrike has a leg up in endpoint for plenty of reasons beyond not carrying the security baggage that comes with Microsoft’s vulnerability issues.
The chief advantage goes back to CrowdStrike’s single-agent architecture, which he said requires fewer staff to operate and has a lower impact on user devices. That translates to better performance and less use of memory because the product does not rely on analyzing digital patterns, known as signatures, for signs of an attack.
All of these factors need to be considered when doing the math around how much it will cost to implement an endpoint security product into an operation, Kurtz said. Based on that math, “we are significantly cheaper to operationalize than Microsoft,” he said.
CrowdStrike has particularly stood out with customers when it comes to the lower performance impact from its Falcon product line, said John Aplin, an executive security adviser at IT services provider World Wide Technology.
World Wide Technology recently worked with one of the largest U.S. banks to select a new endpoint security product, and the choice came down to CrowdStrike or Microsoft Defender, he said. While the bank was initially tempted to utilize its E5 licensing and go with Defender, Aplin said, extensive testing revealed Falcon’s comparatively lighter-weight impact on devices, prompting the customer to pick CrowdStrike.
Performance impact is not a trivial thing when customers are often running 40 to 70 different security tools, he said. So while being able to provide reliable security is obviously important, the “operational effectiveness” in areas such as performance impact on devices is “where CrowdStrike always wins,” he said.
The reputation for trustworthy security that CrowdStrike has built since its founding in 2011 shouldn’t be minimized as a factor either, according to Wolfe Research’s Tilton.
By and large, CISOs make purchasing decisions “based on the amount of minutes of sleep at night” they expect to get from a product, he said. CrowdStrike’s “first-mover” advantage in endpoint detection and response is a huge one, and its brand awareness is virtually unmatched in security, probably on par only with that of Palo Alto Networks, Tilton said.
While some smaller challengers, chiefly SentinelOne, have made headway in the endpoint security space, they have an uphill battle, he said. In endpoint security, “the CISO has to have a good reason to not buy CrowdStrike.”
Beyond the endpoint
In categories outside of endpoint security, CrowdStrike doesn’t yet enjoy the same stature. But in some areas, such as identity security, it’s on track to get there quickly.
Misuse of credentials has emerged as the biggest source of breaches by far as workers have moved outside of the protections of the office firewall, according to Verizon. While CrowdStrike isn’t trying to compete with identity management vendors such as Okta or Ping Identity, the company does believe it’s found a sweet spot in helping customers to counter identity-based threats, Kurtz said.
Following its fall 2020 acquisition of identity security vendor Preempt Security, CrowdStrike has added identity protection and detection capabilities to its platform, and customer adoption has been “like a rocket ship,” Kurtz said. During CrowdStrike’s fiscal second quarter, ended July 31, customer subscriptions to the company’s identity protection module doubled from the previous quarter.
That’s a “stunning level of adoption from customers,” Mizuho’s Moskowitz said. Given that CrowdStrike paid $96 million for Preempt, “that’s clearly one of the best small to midsize acquisitions that we’ve seen in software in recent years,” he said.
CrowdStrike refers to its various add-on security capabilities as modules, and currently has 22 in total, up from 11 in late 2019. A forthcoming module based on the company’s planned acquisition of startup Reposify will be aimed at spotting exposed internet assets for customers, bringing CrowdStrike into the very buzzy market for “external attack surface management.”
Besides identity protection, the company’s other fastest-growing module at the moment is data observability, based on its early 2021 acquisition of Humio, which was recently rebranded to Falcon LogScale. And while highly applicable to security, observability focuses on tracking and assessing many types of IT data. Observability enables customers to “do things that are not just security-related,” Kurtz said, such as deploying software patches and taking other actions to improve IT hygiene.
In total, CrowdStrike reported that it was generating $2.14 billion in annual recurring revenue as of its latest quarter, with its “emerging products” category contributing $219 million. ARR for those emerging products — which include identity protection and observability, but not more-established areas for CrowdStrike, such as workload protection — surged 129% from the same period a year before.
Looking ahead, “we’ll continue to solve problems that are outside of core endpoint protection and workload protection, but are related, in the IT world,” Kurtz said.
Even within cybersecurity itself, CrowdStrike’s emphasis on observability “shows that the industry is starting to recognize that cybersecurity is a data problem,” said Deepak Jeevankumar, a managing director at Dell Technologies Capital, who had led an investment by the firm into Humio.
CrowdStrike has no ambitions to get into areas such as network or email security, Kurtz noted. But if a certain business challenge involves collecting and evaluating data from endpoints or workloads, whether that’s IT or security data, “we can do that,” he said.
Application security is another future area of interest, Kurtz said. Given the criticality of many business applications, “understanding their security, who’s using them, how they’re being used — that’s important for organizations of many sizes to have that level of visibility and protection.”
Within security, CrowdStrike is also notably embracing an approach that’s come to be known as extended detection and response, or XDR, for correlating data feeds from a variety of different security tools. CrowdStrike’s XDR approach taps into data both from its own products and from third-party tools, including vendors in its CrowdXDR Alliance that have technical integrations with CrowdStrike.
While XDR is no doubt an industry buzzword, it’s the most effective way yet to put the pieces together and understand how a cyberattack occurred, Kurtz said. “Before XDR, we were sort of blind to how [an attacker] got to the endpoint,” he said. “Now we’re able to tell the whole story.”
CrowdStrike offers a number of managed security services as well, which the vendor was quick to recognize as an important option amid the cybersecurity talent shortage, according to Peter Firstbrook, vice president and analyst at Gartner.
“CrowdStrike actually perfected this,” Firstbrook said. “They ran into this roadblock early. Customers said, ‘Look, this [technology] is really cool. But we don’t have anybody that can manage it.’”
Ultimately, CrowdStrike is well positioned at a time when CISOs are fed up with going to dozens of different vendors to meet their security needs, Cowen’s Eyal said. The current refrain from CISOs is, “‘We want to deal with the Costco or the Walmart, the big supermarket, for all of our security needs,’” he said. In that respect, “the platform approach is absolutely going to be benefiting [vendors] like CrowdStrike.”
Over the years, Kurtz said he hasn’t backed away from comparing CrowdStrike with Salesforce for a good reason: It’s a meaningful comparison, which has only gotten more so as time has gone on.
“I’ve said this since I started the company, that we wanted to be that ‘Salesforce of security’ — to have a true cloud platform that would allow customers to do more things with a single-agent architecture,” he said. “We haven’t really deviated from that.”