CrowdStrike Stock Breakdown

Get smarter on investing, business, and personal finance in 5 minutes.

Stock Breakdown

Only July 19th, 2024 planes were grounded, hospitals delayed procedures, and retailers couldn’t process transactions.

It is known as one of the largest IT outages ever with damages of over $10 billion.

And pissed off customers everywhere.

The cause?

A simple faulty software update from CrowdStrike.

While this certainly cost CrowdStrike some good will (and a negligible amount in monetary relief)…

It proved two things

1) how much of the enterprise world depends on CrowdStrike

2) How enterprises can’t escape CrowdStrike

Because despite the stock market lobbing 28% off CrowdStrike’s stock price, customers kept coming back.

As you can see, their revenues hardly registered an impact.

CrowdStrike is a cloud-native cybersecurity platform.

Whereas in the past companies relied heavily on firewalls to protect their networks, today's world looks very different.

Employees work remotely.

Applications live in the cloud.

Data moves across dozens of systems.

And attackers no longer need to break through the front door.

Instead, they steal credentials, compromise laptops, exploit cloud misconfigurations, and move laterally throughout an organization's infrastructure.

The old "castle and moat" approach to security no longer works.

CrowdStrike was built for this new reality.

Their flagship product, Falcon, is installed everywhere.

It lives directly on endpoints—the laptops, servers, cloud workloads, and devices employees use every day.

Instead of waiting for a known virus signature, Falcon continuously monitors activity across those devices.

If suspicious behavior is detected, CrowdStrike can alert security teams, isolate compromised machines, investigate the root cause, and help stop an attack before it spreads.

Think of it less like a wall protecting a castle and more like a network of security cameras, motion detectors, and guards monitoring every room inside the building.

The more devices protected by CrowdStrike, the more data it collects.

The more data it collects, the better it becomes at identifying threats.

This data advantage has become one of the company's greatest competitive strengths.

Today, CrowdStrike protects some of the world's largest enterprises and processes trillions of security events every week.

But endpoint protection is only where the story begins.

They are moving into identity protection, cloud security, security operations, threat intelligence, manages security services, and of course—AI.

We cover all of this and more in this weeks Five Minute Money.

Business.

CrowdStrike popularized EDR—End Point Detection and Response security.

What that means is they help companies:

1. Detect malware and ransomware

2. Stop suspicious activity on employee devices

3. Investigate cyber incidents

4. Isolate compromised machines

5. Monitor threats in real-time

6. Prevent attacks from spreading across the organization

Historically, cybersecurity was built around firewalls.

But in a cloud native work with employees having multiple devices, applications moving to the browser, and work from home, that no longer was effective.

So instead of just protecting the outside walls of the company, CrowdStrike protects the devices, identities, cloud workloads, and systems inside the company.

Their core product is Falcon and they generated $5.1 billion in revenue over the last 12 months.

Their ARR is still growing 24% and last disclosed net dollar retention was 115%. That means for every dollar of revenue they had from existing customers in the prior period, they spent 15% more.

While they have continued to grow revenues strongly, they are loss generating on a GAAP basis to the tune of -$220mn LTM.

They have two reportable revenue segments: 1) Subscription and 2) Professional Services.

Subscriptions.

This is basically the Falcon platform and is about 95% of revenues.

They sell their core products on a per device basis with Falcon Go at the low end costing $59.99/ year per device and Enterprise at $184.99/ year.

However, more modules can run the price up more. Some modules can be charged on a per active account basis and Charlotte AI is priced with monthly credits.

There are eight functions that are housed in here:

1) Endpoint Security – this is the classic CrowdStrike use case we mentioned earlier. It protects laptops, desktops, servers, and cloud workloads from malware, ransomware, and suspicious activity.

2) Identity Protection – this protects user accounts and credentials. Increasingly, hackers don’t need to break into a network. They just steal an employee’s password and log in like they belong there.

3) Cloud Security – this protects workloads running in AWS, Azure, Google Cloud, containers, and other cloud environments. As companies moved infrastructure to the cloud, attackers followed them there.

4) Exposure Management – this helps companies understand where they are vulnerable before an attacker exploits it. Think misconfigured cloud resources, unpatched software, exposed assets, or weak points in the security stack.

5) Next-Gen SIEM – SIEM stands for Security Information and Event Management. This is where security teams collect alerts and logs from across the business so they can figure out what is actually happening.

6) Threat Intelligence – this tracks hackers, ransomware groups, nation-state actors, and attack campaigns so customers can understand who is attacking them and how.

7) Data Protection – this helps companies protect sensitive data from being stolen, leaked, or misused.

8) Charlotte AI – this is CrowdStrike’s AI assistant that helps security analysts investigate incidents, summarize alerts, and recommend next steps.

While these are major product categories, they broadly trace to most of CrowdStrike most important modules. In total they have over 30 modules and the best customers subscribe to multiple.

Instead of needing multiple point solutions, customers can just rely on the Falcon Platform and add the security products they need.

Their best customers have over 8 modules and over half of their customers use at least 6.

Underpinning all of this are three key data graphs.

Threat Graph analyzes trillions of security events across CrowdStrike’s customer base.

· If a new attack shows up at one customer, CrowdStrike can use that data to identify similar behavior elsewhere.

Intel Graph connects information on attackers, tactics, malware, and campaigns.

· This helps customers understand not just that they were attacked, but who may be behind the attack and how that group operates.

Asset Graph maps a company’s environment across devices, users, applications, cloud workloads, and other assets.

· This helps customers understand what they own, how everything is connected, and where risks exist.

This is important because cybersecurity is increasingly a data problem.

By bringing all of this into one platform, customers can detect, investigate, and respond to threats faster than they could with a bunch of disconnected security tools.

Professional Services.

This is much smaller at about 5% of revenues.

Professional Services includes things like:

Incident response – helping customers after a cyberattack has already happened.

Proactive services – helping customers test their security before an attack occurs.

Managed security services – where CrowdStrike’s own experts monitor customer environments and hunt for threats.

Strategic advisory – helping companies design and improve their cybersecurity programs.

This part of the business is much lower margin than subscription software at just 18% gross margins versus subscriptions at 78%, but it is very strategically important.

When a company has a breach, CrowdStrike can come in, fix the problem, and then sell the Falcon platform to prevent the next one.

They famously were brought in to identify the hackers of Sony Pictures and the DNC (Democratic National Committee), but have helped a lot of other business with lower profiles too.

Once they helped them figure out how they got hacked, they can advise them on how the Falcon Platform can prevent future issues.

So essentially, Professional Services acts like a customer acquisition channel rather than a stand-alone profit center.

So with strong customer retention and a stellar reputation for best-in-class cyber security, who is competing against them?

Competitive Landscape.

CrowdStrike’s competitive vectors have moved because it no longer competes in just one market.

With Falcon now having 33 modules they also cover identity protection, cloud security, SIEM, data protection, threat intelligence, managed services, IT operations, and AI workflows.

This means their primary competition is on the platform level, not on a product by product basis.

You move to CrowdStrike to avoid having to patch together a bunch of point solutions. But they are not the only ones who have figured out that customers prefer a holistic solution.

We categorize competition into 3 buckets:

1. Platform competition

2. Point-solution competitors

3. Legacy players


1) Platform Rivals.

The most important competitors are the companies trying to become the broader cybersecurity platform.

This includes Microsoft, Palo Alto Networks, and SentinelOne.

Microsoft.

Microsoft is probably the scariest competitor.

Not because Defender is always the best product.

But because Microsoft has distribution.

Microsoft Defender for Endpoint is included in Microsoft 365 E5, and Microsoft also has Sentinel for SIEM, Defender for Cloud for cloud security, Entra for identity, and Defender XDR to bring security signals together.

Microsoft wins for lower TOC (total cost of ownership) and has a clear distribution advantage.

Microsoft Defender becomes just an add on item to an already large Microsoft bill—but is still cheaper than offloading Cyber security to Crowdstrike.

CrowdStrike is known as the best of breed platform with one lightweight agent, one platform, one data model, and that shows up in speed time it takes to run on various devices.

CrowdStrike wins because any bad cyber incident can be far more costly than any amount saved, but for many companies Microsoft is good enough.

Palo Alto Networks

Palo Alto Networks is the most credible cybersecurity platform rival.

They have a $235bn market cap, $10.6bn in revenues and are profitable with $1bn in EBIT.

But unlike CrowdStrike, Palo Alto did not start with endpoint security.

They started in network security and next-generation firewalls.

What that means is they helped companies control the traffic moving across their networks.

A firewall is basically a security checkpoint.

It decides what traffic is allowed in, what traffic is allowed out, and what should be blocked.

Old firewalls mostly looked at simple information like IP addresses and ports.

Palo Alto helped popularize the next-generation firewall, which goes deeper by understanding the application being used, the user behind the traffic, the content moving across the network, and whether that activity looks malicious.

This is still Palo Alto’s home turf—and it includes physical hardware and custom-built chips to scan the network traffic.

If CrowdStrike’s original strength was protecting the laptop, Palo Alto’s original strength was protecting the network.

But the two companies are now converging.

CrowdStrike is moving from endpoint into identity, cloud security, SIEM, and AI.

Palo Alto is moving from network security into endpoint, cloud security, SOC automation, SIEM, and managed security.

Their main competing products are the Cortex family and Prisma Cloud.

Cortex XDR competes in endpoint detection and response.

Cortex XSIAM competes in security operations, SIEM, and automation.

Prisma Cloud competes in cloud security.

Unit 42 competes in threat intelligence and incident response services.

Palo Alto is pushing the same “platformization” story as CrowdStrike:

Buy fewer tools and consolidate onto one platform because it is cheaper, simpler, and works better.

They have $8.1bn in Next-Generation Security ARR, including $1.6bn from recent acquisitions, which is larger than CrowdStrike.

CrowdStrike is stronger in endpoint.

Palo Alto is stronger in network security.

Cloud security is a dogfight.

And security operations (the AI-driven control center for IT teams) is becoming the new battle grounds.

CrowdStrike intentionally does not offer a firewall product because their entire architecture is built on the belief that the endpoint (like a remote employee's laptop) is the new perimeter.

Meanwhile, Palo Alto is quietly validating that exact thesis. Their aggressive Wall Street shift toward highlighting "Next-Gen ARR"—a metric specifically designed to exclude their traditional hardware-based networking sales—is a glaring acknowledgement from the legacy king of firewalls that physical firewall networks are officially a thing of the past.

However, Palo Alto’s willingness to forgo the old paradigm and quick adoption of new cloud-centric security makes them a formidable competitor—and their next Gen Security ARR is growing in the low 30%s.

2) Point-Solution Competitors.

These companies may not compete with all of CrowdStrike, but they can be very strong in a specific category.

Cloud Security

Cloud security is probably the most important battleground where CrowdStrike is more of the challenger than the incumbent.

Wiz is the big name here.

Google completed its $32 billion acquisition of Wiz in March 2026, making cloud security one of the most strategic areas in cybersecurity. Google says Wiz will remain a multicloud product under Google Cloud.

The reason Wiz grew so quickly is that it was built cloud-first.

Wiz historically has been stronger in cloud posture and visibility.

CrowdStrike’s strength is endpoint plus cloud workload telemetry plus real-time detection.

Other cloud security competitors include Orca, Sysdig, Aqua, and Prisma Cloud (Palo Alto)

However, for companies that want a full solution, Wiz will not be enough.

SIEM / Security Operations.

SIEM, as a reminder, stands for Security Information and Event Management.

This is where companies collect logs, alerts, and security data so analysts can investigate attacks.

CrowdStrike is trying to disrupt this market with Falcon Next-Gen SIEM.

The big legacy incumbent is Splunk, now owned by Cisco. Cisco acquired Splunk for approximately $28 billion in 2024.

Other competitors include Microsoft Sentinel, IBM QRadar, Elastic Security, Exabeam, Securonix, and Rapid7.

This is important because SIEM is often the “control room” for the security operations center.

If CrowdStrike wins here, Falcon becomes much more than endpoint protection.

It becomes the place where security teams do their work.

Identity Security

The competitors here include Microsoft Entra, Okta, CyberArk, SailPoint, and other identity security vendors.

CrowdStrike clearly sees this as strategic. In January 2026, CrowdStrike announced it would acquire SGNL to expand continuous identity protection across human, machine, and AI-agent identities.

This is important for the AI era.

If AI agents can access software, data, and workflows, then AI agents become identities that need to be secured.

That makes identity protection a natural extension of CrowdStrike’s platform.

3) Legacy Competitors.

The final bucket is legacy cybersecurity.

This includes Symantec, Carbon Black, Trellix, McAfee, FireEye, Trend Micro, and other older endpoint or antivirus vendors.

These companies are not irrelevant.

They still have installed bases.

They still renew contracts.

They still compete on price.

But strategically, they are mostly playing defense.

CrowdStrike’s whole original pitch was that traditional signature-based antivirus was not enough for modern attacks.

While some of them are trying to modernize, the issue is their architecture.

CrowdStrike was born cloud-native.

The legacy players have often had to stitch together older products, acquired assets, and on-premise architectures.

Palo Altos did it successfully, there isn’t much signs other players will have the same degree of success.

Now despite the competition though, there can be more than one winner.

The TAM is sufficient large for CrowdStrike to continue to grow before having to compete more directly against Palo Alto or Microsoft.

The AI Risk.

There are five key AI implications for CrowdStrike:

1) AI makes attackers faster

2) AI helps attackers find more security holes

3) AI agents become a new identity risk

4) Shadow AI creates data leakage risk

5) AI can be an opportunity with CrowdStrike’s own the AI-powered SOC

First, AI makes attackers faster.

CrowdStrike tracks something called “breakout time,” which is how long it takes an attacker to move from the first compromised machine to other systems inside a company.

The shorter the breakout time, the less time defenders have to respond.

CrowdStrike says break out times were days to hours and now are hours to seconds.

That is the core AI risk.

Humans cannot manually investigate every alert fast enough to stop machine-speed attacks.

Second, AI helps attackers find more holes.

AI can help scan code, cloud environments, identities, applications, and exposed assets faster than a human could.

This means companies may discover more vulnerabilities more quickly, but attackers can too.

That increases the importance of prioritization.

Security teams do not just need to know everything that is wrong.

They need to know what actually matters.

Third, AI agents create a new identity problem.

As companies deploy AI agents, those agents may get access to internal systems, customer data, codebases, financial information, and business workflows.

If an AI agent has permission to take actions across the enterprise, it needs to be monitored and governed like a human employee.

Otherwise, a manipulated or compromised AI agent becomes a new attack path.

Fourth is Unapproved AI Usage.

Employees are already using ChatGPT, Claude, Gemini, Copilot, and other tools at work.

Some of this is approved.

A lot of it is not.

An employee may paste proprietary code into an unauthorized chatbot.

A salesperson may upload customer data.

A developer may connect an AI tool to internal systems without IT knowing.

So AI is not just something CrowdStrike can use.

AI itself becomes something companies need to secure.

CrowdStrike’s response is to make Falcon the platform for the AI-powered Security Operations Center.

A SOC, or Security Operations Center, is where companies monitor threats, investigate alerts, and respond to attacks.

Historically, this was mostly humans looking at dashboards.

CrowdStrike’s vision is that the SOC becomes a mix of human analysts and AI agents.

Charlotte AI is their security assistant.

AgentWorks lets customers build custom security agents.

Charlotte Agentic SOAR (security, orchestration, automation, response) helps orchestrate those agents across security workflows.

And Falcon AIDR, or AI Detection and Response, is meant to help companies monitor AI usage, detect prompt injection, prevent data leakage, and govern AI agents.

This is where CrowdStrike’s data advantage matters.

Threat Graph analyzes trillions of security events across its customer base.

Intel Graph connects attackers, tactics, malware, and campaigns.

Asset Graph maps devices, users, applications, cloud workloads, and identities.

A startup can build an AI bot.

It cannot easily recreate CrowdStrike’s security data.

So the AI question is not simply good or bad.

AI makes cybersecurity faster, more complex, and more automated.

That could compress pricing if AI commoditizes security work.

But it could also make CrowdStrike’s data and platform more valuable.

AI is not an immediate existential threat.

It is a forcing function.

CrowdStrike either becomes the AI-native cybersecurity platform…

Or someone else does.

Valuation.

Today CrowdStrike trades at a $195 billion enterprise value at a stock price of $194.

With $5.1bn in trailing sales, that is a 38x times TTM multiple or 33x 2027 revenue estimates.

That is a very high multiple and they are not GAAP profitable.

Free cash flow is just under $300mn after subtracting stock based comp of ~$1.1bn.

You don’t want me to tell you what multiple of cash flow they trade at…

However, they have very ambitious growth targets.

They are targeting $20 billion in ARR by 2036— about 10 years out.

This is driven by a mix of new logo penetration…

And expanding modules with existing customers.

They didn’t put out 2036 margin targets, but their 2029 targets show a 36% free cash flow margin at the mid end.

Right now stock based comp is a whopping 22% of total revenues though, which even with some leverage would be an estimated ~15% free cash flow margin.

However, as the company doubles in size from there, and they lean more on AI, they theoretically should enjoy a lot of operating leverage (especially if AI enables a leaner workforce).

For our numbers we will assume a free cash flow margin range (after SBC) of 25% to 35%.

If they hit their revenue goal, that would be about $5bn to $7bn in free cash flow.

If they are still growing in the low double digits, a 25x-30x multiple is fair.

With 25% margins and a 25x-30x multiple, that gets us $125-150bn.

With a 35% margin that is $175-210bn.

An investor would have to believe in a high growth scenario exiting 2036 in order so support a high multiple and get a better return against their existing market cap of ~$195bn.

If they were still growing 20%, then a 35-40x multiple could be fair.

That yields us a valuation of $210bn to $280bn for 8% to 44% upside (with 35% margins).

An investor would also collect the cash they generate over the next 10 years, but that isn’t much as of now given where free cash flow is (after SBC) but could represent another ~1% of annualized return.

Perhaps though an investor is even more optimistic on what their cash flow margins could look like or believe growth would be even better.

Or with the stock up +50% YTD, they may want to wait for a better entry price.

For more on CrowdStrike, check out this video below.

Join the Newsletter

Subscribe to stay up to date!

    We respect your privacy. Unsubscribe at any time.

    Nothing in this newsletter is investment advice nor should be construed as such. Contributors to the newsletter may own securities discussed. Furthermore, accounts contributors advise on may also have positions in companies discussed. Please see our full disclaimers ​here​.

    Next
    Next

    Wealth Builder or Destroyer? Company Stock Explained