CrowdStrike: Black Swan Swallowing Bright Prospects For 2024 (NASDAQ:CRWD)

Introduction and investment thesis

I had recently begun to write an article on CrowdStrike Holdings, Inc. (NASDAQ:CRWD), where I concluded, that the company shows exceptional fundamental resilience amid emerging uncertainty in the cybersecurity space. However, a defect in a software update on CrowdStrike’s Falcon platform that caused global IT outages has rewritten the whole story before the ink dried on my monitor.

Before the news came out that CrowdStrike’s faulty update caused global IT outages taking out airlines, TV shows, banks and several other businesses globally, the picture for 2024 looked quite encouraging. Recent earnings releases of major independent cybersecurity players have been met with disappointment from investors, but CrowdStrike has been an exception with its beat-and-raise quarter.

Although shares have been priced aggressively by the market, I believed that strong fundamentals could fuel further upside. However, after recent negative headlines came to light, I think shares could stay in the penalty box for a while. Besides negative publicity, I think CrowdStrike could potentially face negative financial consequences from businesses worldwide, which had to suspend their operations for hours. Until these issues settle, and the market gets a precise update on what to expect, uncertainty will prevail, which is the worst enemy of investors.

Faulty CrowdStrike software update takes Microsoft with it

One of the most widespread IT operation disruptions has emerged this morning, when several businesses including airlines, retailers, banks, brokerage houses using Windows began to report the “blue screen of death.” It has turned out that a faulty software update on CrowdStrike’s Falcon sensor can be linked to the outages. These sensors must be installed on customer’s endpoints to make the company’s software running. According to CrowdStrike, updates to the sensor are performed silently and automatically. This hasn’t been the case this time.

Although the story is still developing, it is already obvious that several businesses have been impacted globally in the current incident to a serious extent, making it a so-called “black swan” event. The U.S. federal airspace announced a nationwide ground stop of air traffic, while there have been several other interruptions in air travel worldwide. Radiotherapy services and surgeries had to be temporarily canceled or delayed in the U.K., Sky News had to interrupt its broadcast, and these are just a few examples.

Since the onset of the issue, CrowdStrike has managed to come up with a workaround to fix it and tried to revert the update where possible. According to a post by CEO George Kurtz on X:

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. This is not a security incident or a cyberattack. The issue has been identified, isolated and a fix has been deployed.

I think it’s especially disappointing in the current situation that CrowdStrike used to emphasize its advantage in total cost of operation of its Falcon platform. This means that even if customers pay a higher cybersecurity bill for the company than for many other competing products, its better efficiency in stopping breaches saves more for them than the additional operating costs of the platform.

Now, several customers who run Windows had to suspend their businesses temporarily due to the faulty update, so they suffered significant losses. After recent events, it will be difficult to sell new clients on the lower total cost of operation of the platform.

Furthermore, the fact that the incident impacted only Windows endpoints is also a major blow for CrowdStrike. Management regularly emphasizes the superiority of its security offering compared to the services of Microsoft (MSFT) and criticizes Microsoft Defender for its inefficiency in stopping breaches. After this incident, I believe they’ve lost some credibility in that regard as well, even if several independent surveys support the superiority of CrowdStrike’s platform.

Beside several negatives, it’s a relief that the issue doesn’t concern a security breach, which could have been the worst-case scenario. Still, the issue is a major blow for CrowdStrike, and the potential risk factors stemming from the incident are difficult to quantify now. As more and more incidents come to light on how the failed software update impacted the business operations of large companies, it could pressure shares for a while.

I don’t envy CrowdStrike’s salespeople in the current situation, and I’ll be curious about how this incident will impact the company’s fundamentals going forward. The company’s earnings call following the release of its Q2 FY25 results at the end of August will be quite interesting from this perspective. Until then, I think it could be wise not to buy into current weakness if it doesn’t get more pronounced.

Bright fundamental picture preceding the incident

Although fundamentals come to the background under these circumstances at the end, they determine in what direction shares are heading in the long run. CrowdStrike managed to positively surprise investors with another beat-and-raise quarters with Q1 FY25 earnings release bucking the negative trend of other cybersecurity competitors.

Among others, SentinelOne (S) slightly adjusted its full-year revenue guidance downward. Cloudflare (NET) management talked about increasing economic uncertainty compared to Q1, while Fortinet (FTNT) provided a soft billings guidance for its upcoming quarter. Palo Alto Networks (PANW) continued to struggle with the short-term impacts of its platformization efforts.

Meanwhile, CrowdStrike had managed to print another beat-and-raise quarter with continued acceleration in its Rule of 40 metric. Looking at the market reaction to these recent events shows that CrowdStrike’s performance stood out recently until the news of the faulty software update (which isn’t included on the chart below) came to daylight:

Palo Alto Networks has been an exception to this, as the damage in this case has been already done at the beginning of the year when the company first talked about its strategic shift.

Based on these trends, I believe that risk factors for cybersecurity stocks falling short of their estimates have increased recently, which is bad news for CrowdStrike as well. However, the fact that the company’s fundamentals continued to stay resilient when competitors began to struggle cements their market leading position, which suffered a setback due to recent events in the short term.

As several competitors witnessed continued top-line growth deceleration, the YOY ARR growth rate of CrowdStrike remained constant compared to the previous quarters at ~33-34%:

The closing ARR of $3.65 billion resulted in net new ARR of $212 million compared to the previous quarter, which has been a decrease compared to Q4, but in line with seasonal tendencies:

The YOY growth rate decreased to 22% after the exceptionally strong 27% last quarter, and management is guiding for at least double-digit YOY growth for the next quarter. As these guides turned out to be overly conservative over recent quarters, I believe a similar print to Q1 could be possible if recent events do not impact fundamentals to a greater extent.

Margins remained strong, with FCF margin coming in at 35%. This made CrowdStrike a Rule of 68 company. This quarter has marked the 3^rd quarter in a row when the company managed to increase its Rule of 40 metric:

As Q2 is seasonally the weakest quarter from an FCF margin perspective, I think there should be a short-term break in this trend. However, if the company manages to control the damage effectively from recent events, it could continue to go up in the back half of the year.

Finally, looking at remaining performance obligations, which are a good indicator of future revenue growth, we can see an encouraging trend as well:

Remaining performance obligations reached ~$4.7 billion at the end of the Q1 quarter (CrowdStrike only provides rounded numbers since Q2 FY24) showing a small increase compared to Q4 previous year. Looking at the seasonality of previous years, this could be regarded as a positive print. The YOY growth rate increased to somewhere around 42% from 30%+ levels in the previous quarters, which is also encouraging.

The main driver behind these positive trends have been the company’s successful consolidation efforts, which are evidenced in the fact that they are landing with more modules than ever before. Deals with 8 or modules increased 95% YOY in Q1 and customers who adopted already 7 or more make up 28% of total customers.

The most promising emerging modules include Cloud Security, Identity Security and Log-Scale Next-Gen SIEM, which I’ve summarized in the following table in my previous article on the company:

Beside these strong growth opportunities, there is Falcon for IT, which extends the company’s scope beyond cybersecurity to IT operations in general and could emerge as another leg of emerging products soon.

So, positive fundamentals at the company have remained on track, but the big question is how they can contain the damages from their recent PR nightmare. Looking at a recent example of Snowflake (SNOW), where hackers managed to steal Snowflake login details from companies via malware (not the direct responsibility of Snowflake) it took a few weeks until shares began to recover. I think it could be the same in this case, but investors should prepare for increased volatility as more news comes out.

Before this incident, I was an advocate for buying CRWD shares on any weakness. However, under current circumstances, I suggest taking a wait-and-see approach until it turns out whether CrowdStrike Holdings, Inc. has to take financial responsibility for operational disruptions at its customers. It is best to wait and see how they react to recent events regarding their buying behavior. I believe the current forward Price/Sales ratio of ~19, which is still above the lows of 17 in 2024, is not attractive enough to take these risks.