News

CrowdStrike Holdings, Inc. (CRWD) Annual William Blair Growth Stock Conference (Transcript)

News Room

Published

June 8, 2023

CrowdStrike Holdings, Inc. (NASDAQ:CRWD) Annual William Blair Growth Stock Conference Call June 8, 2023 12:20 PM ET

Company Participants

Michael Sentonas – President

Conference Call Participants

Jonathan Ho – William Blair

Jonathan Ho

Hello, everyone and thank you for joining us for our Growth Stock Conference and today’s session with CrowdStrike. My name is Jonathan Ho and I’m the cybersecurity analyst for William Blair & Company that covers CrowdStrike. With us today is Mike Sentonas, the President of CrowdStrike.

Before we begin, I am required to inform you that a complete list of research disclosures or conflicts of interest is available at our website at www.williamblair.com. Mike, thank you for joining us today at our conference. Just given your role as President, today’s discussion will focus a little bit more on the high-level product and strategy of the company, with an emphasis on digging in a little bit deeper on the technical side as well.

So just to maybe level set the audience. Can you maybe give us a little bit of an overview or background on the history of CrowdStrike? What’s some of the problems CrowdStrike is trying to solve and how you’ve been able to disrupt the cybersecurity industry?

Michael Sentonas

Yes, for sure. Thank you for having me and thanks, all, for coming on to the session. Look, for those people that don’t know CrowdStrike, cybersecurity vendor, started in 2011 in an era where there were a number of different cybersecurity companies in the industry. And if you go back to that time, there were no shortage of products that people could buy but the thesis of starting a company was that globally, people are spending billions of dollars in cybersecurity and getting compromised.

Why? The technologies that were out there weren’t doing a good enough job. They’re largely built on signature technology which is very reactive. If you don’t have a signature for a particular technique that the adversary is using, the adversary can compromise you and unfortunately, it ends in disaster, a lot of complexity. George Kurtz, Co-Founder and CEO of CrowdStrike talks about an experience where he was sitting on a plane and he was at McAfee at the time and he saw somebody open his laptop and it took like 10 minutes for the machine to become operational whilst it was trying to boot up because of the security software.

So a combination of technology that didn’t work, combination of attacks that were happening with such frequency that the traditional products wouldn’t work and just generally a lot of dissatisfaction with a lot of the technologies that were out there. So the concept of CrowdStrike was to build a technology that is built on a platform, a single agent for everything inside the organization. The concept at the time was to leverage artificial intelligence. Like you may be shocked, artificial intelligence was not invented in November of last year.

CrowdStrike was built in to leverage the AI built into everything that it did at the time. So the problem when CrowdStrike started was really focused on solving an endpoint detection and response use case. So sitting underneath the traditional product, sitting underneath the McAfee’s, your Symantec’s, your Trend’s and others. And telling the end user what was left behind or highlighting the techniques that the adversary was using that those products were technically not capable of solving. And over time, it was using that same agent to build a next-gen antivirus capability to then build a cybersecurity hygiene capability, a vulnerability management capability.

So where we are today, we are a platform with 1 agent for everything that we do. We have 23 modules that sit on top of that agent. We have a services business that helps people with instant response, with compromise assessment, with tabletop exercises. We have a managed service component where we will deploy and manage our technology on behalf of our business. We are a channel-first company, so we work with channel partners around the world to take our products to market.

And we continue to innovate with those core principles in mind, leveraging AI to build models to help us solve problems for our customers. We’ve really anchored on focusing on workload security and identity and data and connecting those 3 things. And we’ll continue to build out that capability, as we continue to solve more problems for our customers; [indiscernible] back in 5 minutes.

Jonathan Ho

Absolutely, absolutely. That’s a great summary. And I always find it interesting that CrowdStrike was founded with this principle of stopping breaches. So it’s not about a single product but it’s really about the platform that you guys have built over time.

Michael Sentonas

It’s a unique difference and it’s one thing that is worth spending 30, 60 seconds on because people say, “Well, what do you mean when you say stopping breaches? Isn’t an average security vendor focused on stopping breaches?” Well, kind of. People solve — are building products to solve ransomware, to solve an e-mail problem or to solve various issues that you may have that fall into that cybersecurity realm. CrowdStrike stopping breaches, the premise is that you will have lots of little things that happen along the way that result in the big breach that causes you significant damage. And our goal is effectively to stop you being breached and really to ensure that any trade craft that the adversary uses, whether it’s malware, whether it’s non-malware, we cover all of those techniques to make sure that ultimately, you do not get breached.

Jonathan Ho

Excellent, excellent. One of the recent announcements that you’ve made in the AI space and I know the AI question has been asked at all of these presentations. But I think it’s definitely very interesting that you have this Charlotte product. Can you give us a little bit of an overview of what Charlotte is and sort of the core value proposition? And what is it doing maybe differently relative to other solutions that are out there?

Michael Sentonas

Yes. So as I’ve mentioned a little bit tongue in cheek, AI is not a new technology. It’s not a new trend. We’ve been leveraging AI to build capability into our product to be able to defend against techniques that adversaries use without having to worry about every single technique or have signatures that come out constantly during the day which is just a rat race that you’ll never win. So we believe that we’ve been doing this for 11 years, we’ve been building out this capability longer than 11 years. We’ve been building out this capability that gives us a competitive differentiator because now we’re starting to combine things that we’ve been doing for over a decade. The data sets that we’ve been building, the annotated data sets about the trade craft that the adversary is using, together with large language models, to provide our customers the capability to have a virtual SOC assistant.

So what’s different about what you’re hearing a lot of people that are talking about building products on top of whether it’s Anthropic or OpenAI, they’re really building a lot of chatbot capabilities. And I can give — I’m sure everybody has experience with chatbots that you have on certain websites that are really frustrating. And you typically not — you’re having these one — ask a question, get a response. It’s not a good response. It’s not the response you wanted. You get frustrated. You’re typing in live agent and you’re trying to break out of it to speak to somebody.

That’s the experience that we don’t want our customers to have. We want them to have the experience of a virtual SOC assistant. And we’ve called the SOC assistant, Charlotte. We have a Super Bowl ad. If you saw our Super Bowl ad, you would have been introduced to Charlotte. It was a project that we’ve been working on for a little while. And the goal for us is that you can interact with Charlotte. “Hey Charlotte, where are my machines? What’s my most vulnerable machine? What’s the adversary that wants to take out my organization?” And Charlotte not only gives the response but actually remediates part of that with you.

We passionately believe that today, to solve cybersecurity issues, it’s a combination of technology and automation, together with the human. The human is not absent. And Charlotte will help. It will help accelerate. She’ll help remediate some of those challenges, make your level 1 SOC analyst level 2 or level 3 but doesn’t do away with them. You do things faster more intelligently. So we’ve announced Charlotte. We’re going to be doing previews of Charlotte. We’re going to close beta. But it builds on over 10 years’ worth of AI work that we’ve been doing.

Jonathan Ho

Excellent. One thing about the generative AI models and AI in general is that we think that the actual AI model itself is somewhat of a commodity, whether it’s that sort of the chatbots or the other capabilities. So what is it about maybe the CrowdStrike data set that’s unique? And what is it that makes it, say, more valuable than that of a hyperscaler or a traditional legacy security company?

Michael Sentonas

I do love the question. And firstly, I don’t want to discredit the work that the large language model vendors are doing, what they’re doing. It’s incredibly innovative. But to your point, you see some of the examples where you’re asking some of these chatbots questions and you get random weird responses. You’ve heard about hallucinations and other things where you’re not getting the response you expect. That’s obviously something that we want to avoid in security. That’s not going to help anybody.

So your question around data sets, the reason why I love it is because that’s a big part of the research that we’ve been doing and it’s a big part of what we built for over a decade. It’s those data sets that we’ve created. It’s the attack change, it’s the annotations that we’ve put in. We actually analyzed over 3 trillion events. Let me rephrase that. We analyzed over 1 trillion events daily over 7 trillion a week. And it’s all of that data that goes into our platform and it’s all of that learning that goes into our platform that is going to generate those outcomes that are meaningful.

So it’s knowing the trade craft that the adversary is using, putting that together with the large language models, that’s going to give us a unique differentiator. We’ve been doing it for over a decade, as I said. And every day, the collective — as we add more customers, as we put in more research, you’re getting more outcome from those models.

Jonathan Ho

Yes. So going back to your comments around level 1 and level 2 SOC analysts and getting folks that maybe have had lower skill levels to become more productive and increasing the productivity of your high skilled workers. Can you talk a little bit about how these LLMs and Charlotte and other capabilities can democratize cybersecurity and drive better outcomes?

Michael Sentonas

Well, the thing is that the goal here is to be able to have somebody remediate their environment and stop breaches and not necessarily need to be the expert. And not need to be a cyber-threat intelligence expert and not need to be a threat hunting expert, to be able to interact with natural language and to be able to say, “Hey, where are my machines that are being attacked?” or every time — every month when we have Zero-Day Tuesday, Microsoft announces vulnerabilities and exploits that are going around the world to not go through the panic that every organization faces trying to work out. Where am I vulnerable? What’s being exploited? What should I fix first? To be able to say to Charlotte, “Hey, what’s the latest vulnerability that I should be worried about? What are the machines? Can you help me fix that? Which is the machine that has the most activity? What’s the one that is — the one that I need to patch first?” And so have the ability to ask the question and go all the way through to remediation in a simple to easy way.

You look at, for example, people were talking about threat hunting. It’s not easy. I’ve been doing this for a very long time. I’ve been looking at Splunk for a very long time. It’s just — it’s natural to me. But if you’re new to cyber, that can be very complex. So it’s reducing that. The thing that I would caution people to think about is these same technologies also have the ability to democratize trade craft for the adversary. So once where you had an adversary that was very capable, that was a nation-state adversary. It’s not that far away or unrealistic to think that somebody could be sitting on a beach in Hawaii and having the same trade craft accessible to them that a nation-state in Russia, Iran other countries that maybe want to carry out some attacks, they have that at their fingertips. So we’ve got to make sure that we talk about both sides of that coin.

Jonathan Ho

Absolutely. I think it’s going to drive demand as well as pressure things from the adversarial sides as well. Just maybe shifting gears a little bit to sort of the Microsoft question. This is something that comes up in a lot of our discussions. But this is something where we wanted to understand a little bit better on the technical side. What are some of the differentiators between your solution and the core Microsoft offering? And I know this spans multiple product segments. But if you want to maybe give us a sense of that, that would be great.

Michael Sentonas

It does. I mean, look, go back to the comments that I made, the opening comments that I made. The whole challenge, the reason why CrowdStrike exists is because legacy technology does a terrible job of keeping customers, keeping organizations, keeping governments safe. If that technology worked, you wouldn’t need a lot of other technologies, whether it’s e-mail security, web and others and we know this.

So when we built the company and we built the capability, it was to ensure that we don’t rely and don’t have any signatures at all. We use AI. We use math models which means they’re very — it’s a product that’s very easy to deploy. It’s very easy to operationalize and it’s very easy to keep you safe and secure, whether you are the largest organization in the world, whether you’re the smallest, whether you’re a government. So when you say how we’re different to Microsoft, Microsoft traditionally is a signature-based technology. And of course, they’ve made a lot of architectural improvements and I don’t want to take that away from them. But the reality is it’s still predicated on a lot of that legacy tech and legacy approaches.

So we have a lot of organizations that contact us that get compromised using Microsoft technology that ask us for assistance, whether it’s because their operating systems are vulnerable every month, they have vulnerabilities that are being exploited by adversaries or it’s because they rolled out security technologies that were too hard to use, that were too reactive, that required updates, that required multiple consoles. We’re seeing organizations that are saying to us, “Hey, this concept of E5 which we thought was free, actually is becoming very expensive. The number of full-time employees I need to manage that tech is more expensive than just buying your license.”

So whilst there’s a lot of interest and look, they’re going to be successful, they’re embedded into the operating system. They have an advantage from that perspective and that’s a different conversation but people are also coming back to us and saying, “Hey, we went to E5. We went that for security. We got breached. So can you help us with an incident response and can we keep Microsoft in there for the long term?” So very different technology, a lot cheaper to run CrowdStrike as compared to Microsoft. We don’t have the complexity of multiple consoles and it’s hard.

Even trying to navigate, you need 2 MBA students to try to help you understand how to navigate the licensing before you actually use the product. And that’s the — we try to remove that friction. We try to make it easy. Security is about trust. It’s about speed. It’s about being able to meet the adversary very quickly.

Jonathan Ho

Absolutely. Maybe stepping back a little bit and talking about the evolution of the space. We’re hearing more and more about managed detection and response, XDR which is extended detection and response as well as more sort of holistic capabilities being baked into the products. Can you talk a little bit about that evolution path from EDR and where you see CrowdStrike headed?

Michael Sentonas

So there are a couple of different technologies, managed detection response and XDR are a couple of different things, right? You can have managed XDR and you can have self-managed XDR. You can have EDR that you manage. You can have MDR which is a capability that you get to manage to outcome from the vendor. More and more, we see a lot of organizations that don’t have the skills. They don’t have the cost or the budget to be able to have the security technology plus the staff to be able to run it.

So they come to CrowdStrike and they say, “Hey, we want the best in the industry but we want the best in the industry to deploy it and run it.” Now we can do that a couple of different ways. We work with our channel partners. We have many channel partners that take a CrowdStrike product to market as part of a service, as part of a larger offering but it’s powered by CrowdStrike or we can do it and we focus on what we have. We don’t do everything. We’re very focused in terms of what we have. But they use us for that capability which we will complete.

We do threat hunting on behalf of our customers. Threat hunting is not easy. So we put together the technology that blocks all of the malware, all of the techniques that you can block but there’s a whole range, taking the marketing out of it. There’s a whole bunch of techniques that do not use malware that has — it’s just leveraging compromised capabilities in the operating system or using trade craft that is using legitimate tools but in a malicious way. We have the ability to put technology together with people to give that outcome and we do threat hunting for our customers. So we offer that as a managed service.

Like I said, all the way through to offering, the capability end-to-end, we’ll deploy it, we’ll operationalize it, we’ll manage it. At the end of the week, you don’t get — I was going to say phone book but you don’t get phone books anymore. A big ream of paper that tells you all the thousand things that you need to fix. We told the customer all the things that we fixed on their behalf. But like I said, we do with our partners as well.

The trend around XDR is a relatively new one — new-ish one. Obviously, everyone has moved from talking about XDR to AI at the moment but a lot of marketing hype around XDR as well. A lot of people basically saying, “Well, EDR is not enough. You need to get telemetry from multiple different sources, primary vendors, third-party vendors.” The reality is what they’re all talking about is to understand where an adversary is attacking you, you need to be able to get technology from or telemetry from all parts of the organization from e-mail, from web.

And that’s — there are things that we’ve been doing for a long time. Forrester has called this out as being a mature vendor in this space because we enrich the data that we have with that telemetry from third parties. But we believe that to have an effective XDR solution, you have to be the world’s best EDR because you’re taking a couple of additional bits of telemetry from different parts of these other products and pulling it all together to give a better outcome. It’s not the same just to be quickly.

Without going too technical, a lot of people that talk about XDR, what they’re talking about is security incident and event monitoring, putting in more telemetry from more systems into a big data warehouse to be able to ask queries. That is not XDR. That is a SIEM. XDR is about taking that telemetry to give you the ability to do workflow and response.

Jonathan Ho

Excellent, excellent. I mean, it’s interesting that you can provide all of these capabilities and match what the user needs at the end of the day, whether it’s from skill shortages or from the ability to just take all of this information and have that broader context. So it’s definitely exciting to see sort of the opportunity set ahead. Maybe talking a little bit about the broader platform strategy for CrowdStrike; we’ve seen the company push more into the cloud. How do you translate some of the success that you’ve had on the endpoint into the cloud world?

Michael Sentonas

Well, I mean, the important thing to start off with is cloud is not new for us. CrowdStrike was born in the cloud and we don’t have an on-premise version of CrowdStrike. We don’t have a hosted version of CrowdStrike. A lot of the legacy vendors that we compete against, their move to the cloud is to virtualize or host a lot of their traditional legacy products in the cloud. You’re still an on-prem product. You’re still a hosted on-prem product. A lot of our next-gen competitors that say we’re cloud, if you ask them quietly, hey, I don’t — I want an [indiscernible] product, they can sell you an on-premise version of the product. They’re not native cloud. It’s very easy to say that, to claim that. We are a cloud product. We have one cloud. We obviously have a Europe cloud and a North American cloud and a cloud but we are a cloud product.

So when you say kind of you’ll move to the cloud, well, if you’re taking in 1 trillion telemetry events every 24 hours, I don’t have a commercially available infrastructure that I can go and buy to pull together and build a CrowdStrike. We’ve built that capability from the ground up. So we have a lot of interesting knowledge and IP around what it takes to build a cloud the size that we have and to secure it. We’re focused traditionally on the runtime side of things. That’s where we’ve built our capabilities. Think of an agent protecting the underlying infrastructure, protecting a container, protecting the cloud workload. And more recently, we’ve moved into, how do you protect code? How do you protect environments where you can’t deploy in agents, the agentless side of things? Where there’s other vendors but we’re demonstrating the ability to do the runtime together with the agentless piece and bring together one offering called cloud security for our customers.

Jonathan Ho

That makes a ton of sense. Just one final question for me before we open it up to the audience. Can you talk a little bit about where you’re differentiated in the cloud when it comes to public cloud security? So we’re talking about sort of the CSPM side of things and CWPP. What gives you the right to win against some of the incumbents and fast-growth start-ups that are there as well?

Michael Sentonas

Well, like I said, we focus on the runtime side of things which I would argue is hard. It’s a lot harder. It’s a complex problem. But you need both. One of the things that when I was — I’ve been CTO of CrowdStrike for 3 ideas. One of the things that I’ve been talking about from a technical perspective is you need agent and agentless security. And it’s something that we’ve been very strong to really vocal, if you will, to educate people that you need both. The agent helps you solve security use cases. The agentless and I’m giving you a very quick because we’re going to run out of time, I’m giving you a quick explanation. The agentless helps you with reporting, compliance reporting, visualizing misconfigurations and how — what — who’s accessing your cloud infrastructure.

The reality is you need both. And what you’re seeing in the marketplace is some people will argue passionately that you need an agent which is wrong. You need both. Some people will argue that agentless will solve the world’s problems which again, is wrong and you need both. And that’s been validated because you’ve seen some of the people on the agentless side announce partnerships with the agent vendors because they don’t have an agent and vice versa. We’ve been doing both. But the focus initially was on the runtime and now we’re focusing on the agentless piece. The reason why you see a lot of startups and innovation in the agentless side is because it’s easier. It’s not trivializing the work. A lot of them have done great work but it’s a lot easier to get access to an API and build a nice user interface, a nice workflow and solve some real problems. Don’t get me wrong.

Again, they’ve done great work. But it’s not hard to do that. You can have multiple vendors sitting side-by-side. We can sit side-by-side and replace them as well. It’s a lot harder for them to build an agent. We’ve been doing it for over a decade. You get an agent in any infrastructure and you cause havoc. So a lot easier, I would argue, for us to go into their world than them to come into ours.

Jonathan Ho

Absolutely, absolutely. I’ll open it up to the audience if there’s any questions that we can take. Got a lot of good information today. Got to have some questions. Don’t be shy. Go ahead.

Unidentified Analyst

How much demand [indiscernible]?

Michael Sentonas

Yes. So the question is to talk a little bit about the opportunity in IoT and where we are in that journey. Interestingly, we are deployed in a significant number of environments that it’s the IoT use cases. We’ve got organizations that use CrowdStrike that have mine sites around the world and we’re on devices that are operating heavy machinery. We’ve got — we’re deployed on trains. We’ve got incredible opportunity in manufacturing. So we’re heavily deployed in a lot of IoT use cases, ICS use cases, OT use cases.

We’ve got a very famous company that we do business with, the Mercedes Formula One team and we do some interesting work with them inside solving some use cases for them. So we’re very progressed. But what we’re building out is more capability in ICS and OT. We’ve announced a really interesting partnership with Clarity that we’re doing some great work with them and we’re building some of our own capability. And we’ll continue to build CrowdStrike products as well as partnerships to solve some of those use cases.

Jonathan Ho