CrowdStrike and the Bundling of Cybersecurity

CrowdStrike is bundling the cybersecurity ecosystem in a way that's never been done before. This article examines their strategy, its impact on the industry, and their future growth potential.
CrowdStrike and the Bundling of Cybersecurity

CrowdStrike announced Q3 fiscal year earnings last week. They're the final company in my brief series of analyzing strategy for public cybersecurity companies this earnings period.

Among many well-hyped cybersecurity companies, CrowdStrike is one of the four outliers (along with Cloudflare, Zscaler, and Okta). To nobody's surprise, their recent earnings and growth announcement was excellent. From Yahoo:

CrowdStrike Holdings CRWD reported third-quarter fiscal 2022 results, wherein non-GAAP earnings jumped over two fold to 17 cents per share from 8 cents posted in the year-ago quarter. The bottom-line figure surpassed the Zacks Consensus Estimate of 10 cents.

CrowdStrike added $170 million to its net new annual recurring revenue (ARR) in the quarter, reaching total ARR to $1.51 billion, up 67% from the year-ago quarter’s levels.

During the third quarter, CrowdStrike witnessed growing demand for its identity protection and Zero Trust, Humio and cloud security modules.

Earnings aside, the strategic impact of CrowdStrike is much bigger than any single quarterly announcement. CrowdStrike is driving the movement towards bundling large parts of the cybersecurity ecosystem — a massive change for an industry that has seen relatively little bundling compared to tech at large.

Unlike media examples where huge markets were unlocked by unbundling, CrowdStrike didn't reach its current position by doing so. They built a product that was 10x better than existing endpoint protection products. It was a Blue Ocean Strategy — they created and won an uncontested market space hiding in plain sight.

The trick wasn't to build another signature-based endpoint protection platform. It was to follow the trend of increasing sophistication by attackers and build a product that recognized attack patterns. They also took advantage of the cloud mega-trend and re-imagined what an endpoint security product built for the cloud would look like.

This was all made possible by the unique expertise of CEO George Kurtz — a rare individual with both a successful exit and experience leading a legacy endpoint protection platform for several years as the CTO. He knew exactly where legacy products were lacking and where the market was headed. The result was CrowdStrike, the most valuable cybersecurity company today.

This article takes a deeper look into their current strategy and growth potential for the future.

Bundling and Unbundling

There's a punchy saying in business you've probably heard before, just not in the context of cybersecurity. It's from Jim Barksdale, the CEO of Netscape at the time it was coined:

"There’s only two ways I know of to make money: bundling and unbundling."

The classic case study is the consumption of music. People used to buy albums (bundles of songs). Napster and illicit file sharing services made individual songs available for download (unbundling of albums). Apple's iTunes made the behavior legal with purchases of individual songs. Now, Spotify is re-bundling distribution by selling subscriptions to access millions of songs.

Cybersecurity has never been bundled before — certainly not in the same way as media examples like music, newspapers, and TV. There is no dominant or monopolistic company in the ecosystem, despite participation from major tech companies and over 30 public companies.

However, the change is underway. Customers want bundling. Take a look through InfoSec Twitter or LinkedIn on any given day, and you're bound to find someone ranting ad nauseam about topics like vendor fatigue, agent bloat, or the explosion of acronyms in the industry. These are all symptoms of the upstream customer desire for bundling.

The solution to vendor fatigue is bundling. Exactly CrowdStrike's strategy. I briefly talked about a centralized product strategy when covering Qualys. The theme has re-emerged again with CrowdStrike in a much bigger way — one that's achievable given their momentum, growth, and leadership.

While the strategy itself is no secret, a few dots need to be connected between the idea of a bundling strategy and CrowdStrike's specific implementation of it.

No company calls their strategy "bundling," as Jim Barksdale astutely noted in a Harvard Business Review (HBR) interview with Marc Andreessen:

Well, most companies when they’re building strategies don’t ever use the term bundling. They just think of adding strategic advantages to their products. If they can add it to their core, they add it, and try to be as efficient as they can be, because there are efficiencies in bundling.

And there are synergies related to bundling. You don’t have to redo a lot of the core services when you put products together. But, I doubt most strategies were ever built using the term, “Let’s bundle.” Or, “Let’s unbundle.” That’s not a strategic term, really, it’s just an observation I made.

Several terms that CrowdStrike CEO George Kurtz used on the earnings call are indicative of the bundling strategy at CrowdStrike: "consolidation," "platform," and "modules."

Kurtz specifically mentioned consolidation twice on the earnings call. First, when talking about agent fatigue:

A big part of what we're doing is being able to consolidate other vendors. Agent consolidation, agent fatigue is a big issue that's out there. And obviously, we have a broad platform that's differentiated and works, and that's the key aspect of the platform that it actually works.

And second, when talking about a specific example for CrowdStrike's File Integrity Monitoring (FIM) module:

And again, it goes to our strategy of consolidating agents and getting rid of other technologies that are costly and complex and weigh the system down.

When you think about FIM, it's a pure and simple compliance requirement. When you think about things like PCI and in the financial services industry, you have to understand what files change and who changed them and implement controls around that. So we've been able to do a lot of that for a long time.

We've enhanced some features, put it into a module. And it's been extremely well received because it is literally a check box for just about any company that's out there, given the current regulatory frameworks and the various standards that exist.

CrowdStrike's leadership also has a strong level of conviction about their platform strategy. When asked by an analyst about being perceived as an endpoint security company (an un-bundled node in the cybersecurity ecosystem), Kurtz was emphatic about the bigger picture:

I think if folks are looking at us as just an endpoint company, pigeonholed endpoint company, they're really missing the big picture. I mean that's as simple as I could say it.

He also gave an interesting metaphor and touted the company's module count:

We've proven that we are a platform company, as I said before, the Salesforce of security, 21 modules.

Just as Salesforce bundled a large set of sales and marketing tech, CrowdStrike is bundling a large set of cybersecurity tech. Additional data about customer purchasing shows that the strategy is starting to work. From George Kurtz:

Our module adoption rates demonstrate the flywheel effect of our platform in motion with subscription customers that have adopted four or more modules, five or more modules and six or more modules increasing to 68%, 55% and 32%, respectively, in the third quarter. We believe high adoption rates of our modules drive high retention rates and reflect our growing position as the trusted platform of record with the average number of modules per customer also increasing quarter after quarter.

These stats are particularly incredible because CrowdStrike currently has 14,687 total customers. When you have 68% of your customers using 4+ modules, and that number is growing rapidly every quarter, your bundling strategy is definitely working.

So, why is CrowdStrike's bundling strategy working so well? In the HBR interview with Barksdale, Marc Andreessen described underlying technology changes as the primary driver behind bundling within industries:

I think a lot of it is based on the underlying technology change. The way I think about it is — at least in the world that I work in, sort of tech and Internet media — bundles emerge as a consequence of the current technology.

In the case of CrowdStrike and this portion of the cybersecurity ecosystem, there are two underlying technology changes driving the bundling. Cloud computing is driving this change at the macro level, and eXtended Detection and Response (XDR) is driving the change at a micro level. We'll focus on trends in XDR next.

EDR as the Foundation for XDR

Bundling is starting to become possible because XDR is reframing an important part of the product space, both including and adjacent to Endpoint Detection and Response (EDR).

The next stage in the evolution of EDR is XDR. The major innovations of XDR are its focus on endpoints, scoped data collections across multiple security tools, and automated incident detection and response workflows. The focus on endpoints is the starting point for CrowdStrike's potential success in this market.

Forrester analyst Allie Mellen stated in a recent report on XDR, "good XDR lives and dies by the foundation of a good EDR." CrowdStrike definitively has that foundation. From the 2021 Gartner Magic Quadrant for Endpoint Protection:

CrowdStrike has a strong reputation in the market as the single solution for endpoint security for organizations looking to consolidate their EPP and EDR agents/solutions. Falcon X threat intelligence and Threat Graph cloud-based data analytics provide the ability to detect advanced threats and analyze user and device data to spot anomalous activity.

George Kurtz certainly agrees. He added some additional commentary on the evolution from EDR to XDR during the earnings call:

So when we think about XDR, you have to start with the best EDR in the market, which is ours. It's been validated by Gartner and others and IDC, I mean, down the list. And the extension of EDR is XDR, right? And as a company who pretty much pioneered cloud-delivered endpoint security with Threat Graph and the massive data moat that we have by combining that with some of the technology we acquired from Humio and our Threat Graph.

I think we're in a unique position to be able to drive additional threat detection outcomes as well as the declaration of the threat narrative, right, the attack narrative. And that's independent of Humio as a stand-alone log management observability platform.

So we're really driving a lot of innovation in this area. And to your point, if you are just kind of a SIEM vendor now trying to glom on to XDR as an acronym, it's not going to work. You have to start with the best EDR in the world. And in my opinion, that's CrowdStrike.

Building an XDR product from a solid EDR foundation is a distinct advantage over other new entrants to the XDR market. For example, Qualys has an endpoint detection product that isn't yet included in the Gartner Magic Quadrant for Endpoint Protection. Analyst reports aren't everything, but not being included is telling if EDR is truly the foundation of XDR. In the case of Qualys, they're building from the best starting point they have — vulnerability management — but it feels like they're on the outside looking in.

The architecture for XDR fits CrowdStrike's bundling strategy perfectly. Along with Microsoft, CrowdStrike leads the EDR market by a lot. They can use their market-leading position in EDR to reach the next level of bundling with XDR as a major driver.

Falcon XDR and Acquisitions

CrowdStrike is primarily executing its bundling strategy through acquisitions. They've acquired several companies in the past year, including:

The acquisitions were all made for relatively nominal amounts, ranging from $100-400 million. Along with homegrown products like FileVantage for FIM, the Falcon platform now offers 21 total modules for purchase.

Longer term, CrowdStrike's bundling strategy is headed towards even more modules built on top of a combined Threat Graph and Humio data infrastructure. From CrowdStrike's 2021 Investor Product Briefing:

The diagram doesn't include details down to the module level, but the concept is clear: protect every endpoint with a single agent, process and analyze data from the agents in Threat Graph and Humio, and integrate the data with tools across multiple cybersecurity domains.

In addition to the existing Falcon modules, the emerging stars of the platform are the recent acquisitions.

Humio and Falcon XDR

On the earnings call, George Kurtz described Humio as a critical component of Falcon XDR:

Falcon XDR leverages the technology we acquired from Humio and extends CrowdStrike's industry-leading endpoint detection and response capabilities to deliver real-time detection and automated response across the entire security stack.

CrowdStrike's commentary about the acquisition heavily emphasizes the technology aspects of Humio: speed, index-free searching, and high volume data storage. Like many modern observability platforms, Humio wasn't built explicitly for security.

While security makes up a majority of the primary use cases, some confusion occasionally creeps in with a pure security company as the new owner. In response to a question about the fit between Humio and Falcon XDR on the earnings call, George Kurtz described the opportunity like this:

You can connect it to whatever you want to connect it to, and you can drive observability information from things that are outside just core security, things like connecting it to your HR system, to your performance management systems, to all the various workflows in your environment. That's not the use case of XDR. Security use cases XDR and Humio goes way beyond that.

While true, potential buyers may question why they need Humio to connect to areas outside of core security. Given CrowdStrike's focus on security, savvy buyers will be skeptical about the level of commitment to product development outside of security.

Longer term, it seems more likely that Humio's technology platform will be tightly integrated with Threat Graph data and narrowed to focus on cybersecurity use cases.

Preempt and Identity Protection

CrowdStrike's acquisition of Preempt is an interesting opportunity. From an industry perspective, the perplexing part about Preempt is why none of the large companies in the Access Control market either built or acquired a product like this.

CrowdStrike has been lurking around identity and access recently, including an investment in JumpCloud's Series F round from their Falcon Fund. It's unlikely CrowdStrike will ever fully enter the Access Control market and compete head-on. However, it's both possible and encouraging to see them including targeted areas of the ecosystem in their platform.

Preempt was a relatively good deal at a $98m acquisition price (on $27.5 million in funding). It had lots of upside to be gained from piggybacking on Crowdstrike's sales and marketing engine. CrowdStrike identified and seized the opportunity for this nascent market segment before other companies made a serious effort.

Post-acquisition, CrowdStrike categorized the product as "identity protection" and re-branded Preempt to Falcon Identity Protection. Generally speaking, I would call Preempt an identity analytics product. Its primarily focus is on threat detection in authentication platforms like Active Directory and integrated Single Sign-On (SSO) products.

The identity analytics space blurs the line between access control and threat detection. As you'd expect, the product includes detective analysis of events and log data. The preventive analysis features are far more exciting: the product also does analysis of account permissions and enables policy creation to help remediate potential issues before they happen.

The acquisition and strategy appears to be working. Specific numbers weren't provided, but George Kurtz talked about positive momentum on the earnings call:

Demand is broad-based across the board, and it really hit an inflection point. We've seen massive growth in it, as we said, more than all Preempt had as a stand-alone company. And the thing is we took the time and effort to do the integration right. Customers see the value of a single integrated agent. They understand that identity is critical to security.

He's absolutely right in saying identity is critical to security. I previously said this about the big opportunity for identity in both Zero Trust and XDR — two of CrowdStrike's high potential growth areas:

The big opportunity is that identity isn't truly integrated with the rest of security. The systems and data still remain silo'ed in many organizations. CrowdStrike is starting to change that paradigm by adding identity analytics to its platform.

This feels like a smart acquisition for CrowdStrike and a missed opportunity for Okta, SailPoint, and other identity-focused companies. Identity analytics has long been a forgotten feature that no product has truly solved at scale — especially not as a standalone company like Preempt was. The market hasn't been won yet, but a company like CrowdStrike putting its resources into it is a big step forward.

Protecting Cloud Assets

CrowdStrike's biggest area of exposure is in the emerging markets for protecting cloud assets: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP). The combined markets are a strategic growth area where CrowdStrike could struggle if they don't keep pace with product innovations from startup companies.

When asked about growth in this area on the earnings call, the answer given was relatively opaque:

So when we think about our Cloud Workload Protection, so right now, what we can tell you is that it's growing, it's continuing to grow, and we've seen growth in the amount of opportunities that are available to us in the cloud. Right now, we -- what we do talk about is the fact that 25% of our servers that we protect are in the cloud. So that's just giving you an indication of where we're going. Maybe George has a couple of other comments on that.

Endpoint computing isn't going away any time soon. However, the number of assets to protect is growing more quickly in the cloud. Well-funded cloud startups like Wiz and Orca Security are rapidly gaining traction and building great products. The competition in this part of the cybersecurity ecosystem is intense.

CrowdStrike's leadership team feels they are well-positioned and offered some insightful commentary about the product space. From George Kurtz:

I think it's a largely greenfield opportunity. Obviously, you have a lot of early-stage companies out there, but this is so early in the life cycle, and it's a massive opportunity for all the players that are out there.

We think we're in a great position because a lot of the players actually don't have the run time protection, which is important. You have to tie those two together. It just -- it isn't just about connecting, getting information from APIs, right? And although we do that in a differentiated way because we've basically ported some of our indicator of attack technology across that agentless technology, tying them together, I think, is really important for customers.

CrowdStrike is in a unique position because they have runtime (also referred to as containers or workloads) protection and are already established leaders in endpoint security, including servers. The main challenges for CrowdStrike are whether offering both workload protection and CSPM together is valuable enough, and whether their product innovation can keep up with the startups who are exclusively focused on CSPM.

Future Growth Potential

CrowdStrike is already the most valuable pure cybersecurity company. The future is looking bright, too. George Kurtz described his thoughts on growth opportunities like this:

And when you look at the market in its totality, right, you have things like cloud adoption, cloud expansion, massive opportunity, and we've proven that with servers and what we're doing there.

When you look at the legacy players that are out there, the replacements, the Symantecs, the McAfees, Microsofts, et cetera, massive opportunity for us, that's a long tail. You don't do that in one year. So we see that as a big driver for next year.

And as I pointed out, even -- I mean, it's a smaller base, but even the next-gen players, we see those as opportunities as customers get dissatisfied as I pointed out with some of the players that are out there.

So -- and you got to bifurcate a bit into pure endpoint and cloud, and I see both as massive opportunities because, again, if you look at our overall customer count, it's fantastic, but it's still small in the grand scheme of customers that are out there. And there's still a lot of legacy technologies that are out there that are and will be displaced.

CrowdStrike's 2021 Investor Product Briefling provides relevant data about exactly how much market share from legacy technologies is still left to be gained:

Even as the dominant leaders of the EDR market, CrowdStrike and Microsoft combined still only hold 22% of the market share. CrowdStrike's bundling strategy and growth potential look even better when you add in the potential revenue from additional markets beyond EDR.

Their strategy for the future is clear: invest in growth and innovation. From CrowdStrike's CFO:

We want to invest aggressively. We're not going to move away from that strategy.

And then in R&D, I think in investing in innovation is key and core to who we are. So I think that we're going to continue to keep our eye on that and invest in exactly what I talked about to be able to go after that massive opportunity that we see ahead of us. So that's how we think about it.

Bundling large parts of the cybersecurity ecosystem might be possible after all — and if it is, CrowdStrike will be leading the way.

Earnings
You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Strategy of Security.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.