Like many good ideas, CrowdStrike, a seller of subscription-based software that protects companies from breaches, began as a few notes scribbled on a napkin in a hotel lobby.
The idea was to leverage new technology to create an endpoint protection platform powered by artificial intelligence that would blow incumbent solutions out of the water. McAfee, Palo Alto Networks and Symantec, long-time leaders in the space, had been too slow to embrace new technologies and companies were suffering, the CrowdStrike founding team surmised.
Co-founders George Kurtz and Dmitri Alperovitch, a pair of former McAfee executives, weren’t strangers to legacy cybersecurity tools. McAfee had for years been a dominant player in endpoint protection and antivirus. At least, until the emergence of cloud computing.
Since 2012, CrowdStrike’s Falcon Endpoint Protection platform has been pushing those incumbents into a new era of endpoint protection. By helping enterprises across the globe battle increasingly complex attack scenarios more efficiently, CrowdStrike, as well as other fast-growing cybersecurity upstarts, has redefined company security standards much like Salesforce redefined how companies communicate with customers.
“I think we had the foresight that [CrowdStrike] was going to be a foundational element for security,” CrowdStrike chief executive officer George Kurtz told TechCrunch this morning. The full conversation can be read further below.
CrowdStrike co-founder and CEO George Kurtz.
Kurtz emphasized that because CrowdStrike has been a cloud-native business from the get-go — making a comparison to Salesforce — defeating years-old companies who aren’t able to transition to the cloud has been much easier: “What I have found is that [incumbents] can’t make their numbers and make the transition to [the cloud] at the same time,” he added.
CrowdStrike’s success can also be attributed to the undying support of venture capitalists, who’ve become progressively more interested in cybersecurity. In total, CrowdStrike has raised $481 million in venture capital funding, most recently at a valuation of $3.35 billion, from top-tier investors including Warburg Pincus, which owned a 30.2% pre-IPO stake, Accel (20.2%) and CapitalG (11.1%), according to the company’s IPO prospectus.
For context, $5.3 billion was invested in companies focused on protecting networks, systems and data across the world in 2019, despite fewer deals done during the year, reports TechCrunch’s security editor Zack Whittaker. That’s an increase of 20% — $4.4 billion — from 2017, and nearly double the funds invested in 2016.
Today, CrowdStrike (NASDAQ: CRWD) completed an initial public offering on the Nasdaq in what was just the second cybersecurity IPO of the year. It followed just Israel’s Tufin Software Technologies, which made an April exit. Last year saw the IPOs of cybersecurity businesses Zscaler, Carbon Black and Tenable, which have all traded upward since their debuts.
CrowdStrike, after pricing its IPO at $34 per share Tuesday evening and raising $612 million in the process (a whole lot more than the planned $378 million), popped 90% Wednesday morning with an initial share price of $63.50. A bona fide success, CrowdStrike boasted an initial market cap of $11.4 billion, nearly 4 times that of its last private valuation, at market close.
For the company, IPO success of that scale wasn’t guaranteed. Enterprise IPOs have performed well in 2019, as Wall Street continues to make public displays of affection for software stocks like Zoom and PagerDuty but there are fewer proof points for the cybersecurity sector specifically. IoT security company ForeScout Technologies, for example, raised $116 million in an October 2017 that valued the company at roughly $800 million, down from a unicorn valuation a year earlier.
Top-line revenue growth and a rapidly growing market for endpoint security, which is expected to be worth $20 billion in the next five years, seems to have piqued Wall Street’s interest. Plus, the cybersecurity market, in general, is said to be worth more than $140 billion in 2019.
CrowdStrike’s revenues have grown at an impressive rate from $53 million in 2017 to $119 million in 2018 to $250 million in the year ending January 31, 2019. Its spending, like many companies that come out of Silicon Valley, is far outweighing its gross profit. Most recently, CrowdStrike posted a gross profit of $163 million on total operating expenses of about $300 million.
CrowdStrike, again like most companies to come out of Silicon Valley, is not profitable. Its total losses are increasing year-over-year from $91 million in 2017 to $135 million in 2018 to $140 million in 2019. it expects to lose between $26.5 million and $25.7 million on an operating basis in the most recent quarter. Kurtz attributes this to the business’s focus on long-term growth.
Kurtz began work on Sunnyvale-based CrowdStrike in 2012 after beginning his career as a CPA at Price Waterhouse, writing a book on internet security titled “Hacking Exposed: Network Security Secrets & Solutions,” then launching FoundStone, which sold to McAfee in 2004 in a deal worth $86 million. Kurtz then spent the next seven years as a general manager at McAfee, eventually becoming chief technology officer.
CrowdStrike has a long road ahead to win the endpoint security market. The data it continues to accumulate gives it a nice moat but it will have to work hard to stay ahead of competitors. Startups have realized the opportunity for innovative security tools and continued support from venture capitalists is creating an increasingly crowded market.
We chatted briefly with the CrowdStrike co-founder and CEO just after he rang the Nasdaq opening bell about staying ahead of the competition, fighting incumbents, creating a sustainable culture and more. The following conversation has been edited for brevity and clarity.
Kate Clark: Congratulations on the IPO. Let me start off by asking why you decided 2019 was the year to take CrowdStrike public?
George Kurtz: I think a big part of what we have been able to do is be patient in building out our platform and make sure we were thoughtful about our next move. We had great investors. We certainly could have raised more money from those investors but we thought it was right from a maturity perspective for the company to go out to the public markets and raise money that way.
Clark: CrowdStrike saw quite the pop this morning, trading 90% higher than its IPO price. Was CrowdStrike underpriced?
Kurtz: I think it’s one of those areas where you are looking long-term. We aren’t going to focus on where the price is today. We are looking long-term and we’re focused on preventing breaches for our customers. It’s going to be a good outcome and ultimately, we are taking a long-term view.
CrowdStrike’s executive team celebrates its Nasdaq IPO.
Clark: Did you expect this outcome when you scribbled down notes for a cloud-native security platform on a napkin all those years ago?
Kurtz: We knew CrowdStrike was going to be something special a couple of years into it. You never know when you first get a company started but I did feel it was going to be bigger than my first company. [Kurtz founded Foundstone in 1999 and later sold to McAfee in 2004]. I think we had the foresight that the company was going to be a foundational element for security. Then the market began to see we were building something special in the cloud era. You’ve got Salesforce — there is no security cloud or cloud platform company. Once we saw that, we knew had a special company on our hands. For me, it’s been a once in a lifetime opportunity.
Clark: According to recent reports, Cisco considered a pre-IPO acquisition of CrowdStrike after Qatalyst “informally shopped” CrowdStrike around about six months ago. Is this true?
Kurtz: I can’t comment on rumors. We have from the beginning believed we could be a public company and we’re here today and it’s a great day for us. We will continue to evolve our platform over time.
Clark: CrowdStrike isn’t profitable yet, as is the case for many Silicon Valley companies when they go public. Still, are you prepared for the heightened critique of CrowdStrike’s financials?
Kurtz: That was part of the thought process before going public. We have run this private company like a public company for many years. You look at things like sales and marketing expenses and we spend a lot of time on unit economics. What I can tell you is it’s a greenfield opportunity because there are so many potential customers that are underserved or under protected by the solutions they have now.
Clark: There is steep competition in the space. You know that better than anyone coming from McAfee, how will you beat out the competition?
Kurtz: You can’t have a real market without competition. We expect competition to be there, we spend a lot of time building what we believe is better architecture and years of capturing this data has allowed us to evolve this technology. We believe CrowdStrike is the best in the industry. If you look at incumbents as an example, they continually suffer from the innovator’s dilemma. The story in our space is really like from Siebel vs. Salesforce. It’s that classic innovator’s dilemma. They could adjust their business and move from the cloud. Salesforce had that opportunity because they built it from scratch.
Clark: In a recent story, Forbes wrote: “If CRWD can’t turn its data into a real competitive advantage, it may struggle to stay ahead of competitors that can afford to spend significantly more on R&D.” What do you have to say to that?
Kurtz: I would refer you back to incumbent players. They have had plenty of money for many years. Reality is, many of them are actually cutting their R&D budget and they aren’t investing in technology. The challenge they have is they can’t make the structural shift and just start from scratch to build this architecture out. Money isn’t the issue, it’s actually the DNA of the company that is the issue. Either they are a cloud company or they build software, that’s totally DNA in how you run your business and how you think about going to market. Things like subscription revenue and annual recurring revenue as opposed to annual licenses with maintenance; what I have found is that they can’t make their numbers and make the transition to a cloud platform at the same time.
Clark: Dual-class stock structures are becoming more common, especially for venture-backed technology companies. For those that aren’t familiar, issuing dual-class shares means a company can issue the public shares with little to no voting rights, while executives and VCs can hold shares that give them more voting power or often majority control of the company. In CrowdStrike’s case, it’s offering Class A shares with one vote each to the public and class B shares with 10 votes each to insiders. Why did you decide on a dual-class stock?
Kurtz: Like you said, it’s more common today with founder-led companies. If you look at our investor base, Warburg Pincus, Accel, they have given us the ability to think long term and to be sure we are focused on delivering the best value for shareholders and providing the best technology to prevent breaches from our customers. Having that structure does allow us that long-term flexibility to make sure we can deliver on what we intend to build.
Clark: Many argue that giving insiders majority control of the company “violates the principles of corporate democracy and the precept of ‘one share one vote.‘”
Kurtz: I guess what I would say is founder-led companies, folks who have started with 25 slides to building these out to public companies, investors are looking at those type of companies and getting comfortable with dual-class because we are playing for the long term. There is a lot more to go and a lot more opportunity for us.
Clark: Finally, how have you and will you continue to prioritize building a healthy culture at scale?
Kurtz: Great question and it goes back to our founding. We have spent a long time training and hiring the right people. There is a mission element to what we do. What I like to say is we don’t have a mission statement, we are on a mission and the mission is to stop breaches. That is really exciting to a lot of our employees. We are trying to change the world and prevent bad people from doing bad things. That mission-focused culture has done a lot for us to maintain employees over a long period of time.