How Crowdstrike fails
Repost of my first ever article on failure modes for cybersecurity companies
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
It’s been a busy start to the year with traveling, performance reviews, and planning, so I didn’t get a chance to write this week. I un-paywalled my first article discussing failure modes for public cybersecurity companies.
I was inspired by recent posts from Benn’s Substack. For those of you who are unfamiliar, he regularly writes about topics in the data world. I’m a fan because 1. I work at a data company, 2. he is a fan of this data company (dbt Labs), and 3. his articles have strong analysis and provide his honest opinions. He recently wrote a few newsletters that run through a thought exercise on how certain prominent data companies, such as dbt Labs, Fivetran, and Snowflake will fail. The most interesting part is that he loves these companies and doesn’t believe they will fail overnight or anytime soon. Rather, he tells a story of how they slowly become irrelevant.
I thought this was an interesting take as it mixes his beliefs on upcoming trends with speculation on why these trends might not work out the way he believes.
Inspired by that, I decided to write one on one of my favorite security companies — Crowdstrike. For context and disclaimer, I currently do not use the Crowdstrike product but might use their services in the future. I do not have a financial position and do not plan to start any in the next 72 hours.
The rise of next-gen security
Crowdstrike started in 2011 with a strong focus on services, namely incident response. Honestly, their initial product was okay, and nothing to write home about. However, their incident response service was the best in the business, with Mandiant as the only viable competitor. I would argue they are still the best in the business.
The giant at the time, Symantec, was a formidable player with a giant cash war chest, and no one imagined anyone challenging them. However, the endpoint protection space took off around 2014 with the breaches of major corporations like Home Depot and Target, which were the result of compromised endpoints and malware. Crowdstrike was called in to deal with many of the high-profile cases and pitched its own product as a way to get Crowdstrike-like coverage around the clock without retaining the service. Crowdstrike’s telemetry-driven analytics easily caught more issues than Symantec’s outdated and noisy signature-based endpoint methodology.
Amazingly, the services became a value-add for the product. Such a playbook is a company’s and an investor’s dream; when it works, it works. In fact, FireEye thought a similar strategy would boost its growth and improve its product when it acquired Mandiant in late 2013, but that met a much different fate, which I will describe later.
I wish the story ended there. Many other companies saw the opportunity given the size of the endpoint security market, which is 100% of all companies! Players, such as Cylance, SentinelOne, CounterTack, Carbon Black, etc. entered the market and caused Crowdstrike some grief. These companies pumped the marketing and sales machines. Crowdstrike also joined the GTM arms race, losing focus on its key differentiator, its superior product.
Realizing it lost its way, Crowdstrike returned to its roots and focused on its Falcon product. It created the best-in-market agent and analytics that were able to catch and respond to potential incidents faster than its competitors. No matter how much its competitors pumped the sales and marketing engine, security teams started to realize in bake-offs that Crowdstrike was definitely the superior product for protecting their endpoints, and the agents were much less intrusive. An added bonus is that during an incident, Crowdstrike’s IR team could get up to speed more quickly by already having access to the agent’s telemetry.
It’s been an upward trend for them ever since. They went public and continue to capture market share from legacy players as many of the other players with inferior products have fizzled away. Now, it has become a formidable player, if not the main one.
Expanding its footprint
Crowdstrike has mostly been immune to the cloud migration movement (the shift of IT to DevOps/engineering) and the rise of the security engineer. The reason is seemingly obvious. Everyone, even in the cloud world, will still use laptops, and IT will continue to manage those laptops. I don’t see a world where engineers own this IT task. Consequently, it makes sense for the software installed on these devices to be managed by IT. It will not suffer the fate of Palo Alto Networks, which needed to re-invent itself from a firewall company into a cloud security company through acquisitions. In fact, Crowdstrike benefits from the cloud: its main platform is SaaS, and it combines telemetry across all of its customers’ agents to provide better detection, rather than relying on the inferior signature-based methods used by a now mostly irrelevant Symantec.
If you look at the numbers that Crowdstrike reports, you wonder: where is the failure mode? The financials are great, but how sustainable are they? It looks like history repeating itself with the likes of FireEye and Symantec. Crowdstrike’s growth will plateau if it’s a one-trick pony. As a result, it has tried to expand into adjacencies through acquisitions, such as PAM and logging, hoping to turn its endpoint protection play into a platform play. This way, it can continue to enjoy its growth and, as a result, its amazing multiple on the public markets.
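To make the signature-versus-analytics contrast above concrete, here is an added illustration (my own code, not Crowdstrike’s, and not from the original post). It runs three detection styles over constructed endpoint telemetry: a hash denylist, a hash-independent behavioural rule on process lineage, and a fleet-wide prevalence check, which is the kind of cross-agent signal a SaaS platform can compute. The event schema, the rules, the sample binaries and the host names are all assumptions made for the example.

```python
"""Signature vs. behaviour vs. fleet-prevalence detection on constructed telemetry.

Illustration added to this post; not CrowdStrike code. Event fields, rules,
sample bytes and hostnames are assumptions for the example.
"""
import hashlib

# Constructed "malicious" payload and a trivially repacked variant. One appended
# byte is enough to change the hash and defeat a pure signature match.
ORIGINAL = b"MZ\x90\x00 constructed dropper v1"
REPACKED = ORIGINAL + b"\x00"
BENIGN = b"MZ\x90\x00 constructed benign notepad"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- 1. Signature-based: a denylist of known-bad hashes (assumed to hold only ORIGINAL).
KNOWN_BAD = {sha256(ORIGINAL)}


def signature_detect(event: dict) -> bool:
    return event["sha256"] in KNOWN_BAD


# --- 2. Behaviour-based: parent/child lineage and launch path, independent of the hash.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def behaviour_detect(event: dict) -> bool:
    parent = event["parent"].lower()
    image = event["image"].lower()
    child = image.rsplit("\\", 1)[-1]          # basename of the launched image
    from_temp = "\\temp\\" in image             # executable launched from a user-writable temp dir
    return parent in OFFICE_APPS and (child in SCRIPT_HOSTS or from_temp)


# --- 3. Prevalence: a hash executed on very few hosts across the fleet is suspicious.
def rare_hashes(events: list, max_hosts: int = 1) -> set:
    hosts_per_hash: dict = {}
    for e in events:
        hosts_per_hash.setdefault(e["sha256"], set()).add(e["host"])
    return {h for h, hosts in hosts_per_hash.items() if len(hosts) <= max_hosts}


def triage(events: list) -> list:
    """Return (host, image, reasons) per event; reasons is empty for clean events."""
    rare = rare_hashes(events)
    results = []
    for e in events:
        reasons = []
        if signature_detect(e):
            reasons.append("signature")
        if behaviour_detect(e):
            reasons.append("behaviour")
        if e["sha256"] in rare:
            reasons.append("rare-in-fleet")
        results.append((e["host"], e["image"], reasons))
    return results


# Constructed fleet: five hosts run the same benign binary; two hosts get the dropper
# (original and repacked) launched by Word from the user's temp directory.
EVENTS = [
    {"host": f"ws-{i:02d}", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "sha256": sha256(BENIGN)}
    for i in range(5)
] + [
    {"host": "ws-07", "parent": "winword.exe",
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\invoice.exe", "sha256": sha256(ORIGINAL)},
    {"host": "ws-09", "parent": "winword.exe",
     "image": "C:\\Users\\b\\AppData\\Local\\Temp\\invoice.exe", "sha256": sha256(REPACKED)},
]

if __name__ == "__main__":
    for host, image, reasons in triage(EVENTS):
        if reasons:
            print(f"{host}: {image} -> {', '.join(reasons)}")
```

The repacked sample on ws-09 slips past the denylist but is still caught by the lineage rule and by its rarity across the fleet; the prevalence check is only possible because telemetry from every agent lands in one place. Note the caveat a practitioner would add: rarity alone is noisy (in-house tools and fresh software updates are also rare), so real products weight it alongside many other signals rather than alerting on it by itself.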
Facing new challenges
Let’s say Crowdstrike continues its current strategy. This is how the future unfolds.
It never enjoys the success that Palo Alto Networks did through its recent cloud security acquisitions. Crowdstrike spends most of the profits from its great products and services on acquisitions rather than re-investing in its core offerings. The services manage to survive, but other companies and startups gain ground and chip away at Crowdstrike’s lead. Crowdstrike acquires companies that are either mediocre or don’t contribute well to the platform.
To make the situation worse, the cloud GTM motion never works out. The Crowdstrike sales team has enjoyed the luxury of selling to IT and IT security, but with the new acquisitions it faces a new GTM challenge: selling to DevOps and security engineers, a muscle it has never built. These challenges are similar to those faced by other legacy players that have watched security engineers and DevOps take increasing ownership of products traditionally owned by IT and security operations. Crowdstrike keeps spending heavily to figure out that motion and to make product modifications, de-emphasizing its core product.
They end up in a situation similar to RSA, Mandiant, or Proofpoint. RSA had many useful independent products but not a strong “better together” platform story. Mandiant’s products, which were the original FireEye products, had a lot of legacy customers and enjoyed great cash flow. Like those three companies, Crowdstrike has saturated its market and faces slowing growth, making it hard to sustain great multiples.
The end
The story of a great tech company ends here, falling into the typical zombie tech story: cash flow is great, but growth is slow. The public market loses interest and doesn’t want the cash flow to be ruined by more acquisitions. Like Mandiant, the product division is sold off to a private equity firm like Thoma Bravo or Vista to bundle with its existing portfolio. The services continue to do well but don’t justify the company staying public, and they are sold off to a large tech company looking to get into security or to a security company like Palo Alto Networks looking to improve its services division.
Crowdstrike remains a strong incident response brand, but the product has been renamed.
Conclusion
Without a doubt, Crowdstrike is an amazing story with amazing products and services. No one can question that. If they do, they are either confused or in denial. However, every tech company faces challenges throughout its journey. The question is whether it will overcome them, namely figuring out cloud GTM, which Palo Alto Networks struggled with but eventually figured out. This post just provides a scenario for how I believe they might not overcome them.
Regardless, here is an indisputable fact: Crowdstrike will be an important part of security history and a name that will be around for most of my lifetime.