CrowdStrike’s CEO on how to IPO, direct listings and what’s ahead for SaaS startups

A few days before Christmas, TechCrunch caught up with CrowdStrike CEO George Kurtz to chat about his company’s public offering, direct listings and his expectations for the 2020 IPO market. We also spoke about CrowdStrike’s product niche — endpoint security — and a bit more on why he views his company as the Salesforce of security.

The conversation is timely. Of the 2019 IPO cohort, CrowdStrike’s IPO stands out as one of the year’s most successful debuts. As 2020’s IPO cycle is expected to be both busy and inclusive of some of the private market’s biggest names, Kurtz’s views are useful to understand. After all, his SaaS security company enjoyed a strong pricing cycle, a better-than-expected IPO fundraising haul and strong value appreciation after its debut.

Notably, CrowdStrike didn’t opt to pursue a direct listing; after chatting with the CEO of recent IPO concerning why his SaaS company also decided on a traditional flotation, we wanted to hear from Kurtz as well. The security CEO called the current conversation around direct listings a “great debate,” before explaining his perspective.

Pulling from a longer conversation, what follows are Kurtz’s four tips for companies gearing up for a public offering, why his company elected choose a traditional public offering over a more exotic method, comments on endpoint security and where CrowdStrike fits inside its market, and, finally, quick notes on upcoming debuts.

The following interview has been condensed and edited for clarity.

How to go public successfully

Share often

What’s most important is the fact that when we IPO’d in June of 2019, we started the process three years earlier. And that is the number one thing that I can point to. When [CrowdStrike CFO Burt Podbere] and I went on the road show everybody knew us, all the buy side investors we had met with for three years, the sell side analysts knew us. The biggest thing that I would say is you can’t go on a road show and have someone not know your company, or not know you, or your CFO.

And we would share — as a private company, you share less — but we would share tidbits of information. And we built a level of consistency over time, where we would share something, and then they would see it come true. And we would share something else, and they would see it come true. And we did that over three years. So we built, I believe, trust with the street, in anticipation of, at some point in the future, an IPO.

Practice early

We spent a lot of time running the company as if it was public, even when we were private. We had our own earnings call as a private company. We would write it up and we would script it.

You’ve seen other companies out there, if they don’t get their house in order it’s very hard to go [public]. And we believe we had our house in order. We ran it that way [which] allowed us to think and operate like a public company, which you want to get out of the way before you come become public. If there’s a takeaway here for folks that are thinking about [going public], run it and act like a public company before you’re public, including simulated earnings calls. And once you become public, you already have that muscle memory.

Raw numbers matter

The third piece is [that] you [have to] look at the numbers. We are in rarified air. At the time of IPO we were the fastest growing SaaS company to IPO ever at scale. So we had the numbers, we had the growth rate, but it really was a combination of preparation beforehand, operating like a public company, […] and then we had the numbers to back it up.

TAM is key, even at scale

One last point, we had the [total addressable market, or TAM] as well. We have the TAM as part of our story; security and where we play is a massive opportunity. So we had that market opportunity as well.

On this topic, Kurtz told TechCrunch two interesting things earlier in the conversation. First that what many people consider as “endpoint security” is too constrained, that the category includes “traditional endpoints plus things like mobile, plus things like containers, IoT devices, serverless, ephemeral cloud instances, [and] on and on.” The more things that fit under the umbrella of endpoint security, CrowdStrike’s focus, the bigger its market is.

Kurtz also discussed how the cloud migration — something that builds TAM for his company’s business — is still in “the early innings,” going on to say that in time “you’re going to start to see more critical workloads migrate to the cloud.” That should generate even more TAM for CrowdStrike and its competitors, like Carbon Black and Tanium.

Why CrowdStrike opted for a traditional IPO instead of a direct listing

It’s a great debate to have. I’ll start with we were happy with the outcome of our IPO. And part of why we did the IPO was to raise primary capital. As you know, in a direct listing, day one you’re not raising primary capital. They haven’t changed the rules around that, and, we would have had to do another round and then take the company public, […] or try to do another listing for primary shares [later on].

So you can go at it different ways but […] until they address the fact that you can’t sell primary shares in a direct listing makes it difficult if you want to raise a bunch of money. So I think that that was important for us; we [wanted] to have a big balance sheet [so] we went the traditional IPO route.

Platforms and Salesforce

During our discussion about CrowdStrike and its position in the market, Kurtz made an interesting analogy to Salesforce that was worth sharing. We’ve included some introductory context to help frame the idea. The CEO initially describes how his company’s service architecture allows it to sell more product to existing customers over time. This is then threaded to what he calls “the power of the platform.” (For more on Salesforce’s own platform history, check this.)

Given our single agent architecture, the whole idea of the business model is that we collect data one time. And then we add modules. Once we pay for the first module, all the other modules are pretty much pure margin because we’ve already collected the data and it becomes just selling another workflow.

But if you had, say, two of the modules for CrowdStrike and you wanted to try another module, you can go to the CrowdStrike store, you can click trial, and you will be provisioned for a 15-day trial in the application automatically. And you actually get to try that module with your own data. I mean, what better way to sell a customer than to actually have them try the thing with their own data without actually rolling anything out? So in their personal environment, without rolling another agent out, without doing anything, because we have the data, we just expose another workflow.

And that is the power of the platform. And no one has done that in security, no one may have the capability to do that. And that’s why we believe we are the Salesforce of security because we have the ability to do these sorts of things. And that drives net retention.

2020’s IPO market

My last question of the interview was cut off due to technical issues, so I asked it via email directly following the conversation. Here it is:

What is Kurtz’s view on the 2020 IPO market for SaaS companies; will the IPO market be as welcoming for modern software companies, or, perhaps, will there be a slightly higher focus on either slimming GAAP losses or rising cash generation by companies hoping to debut?

SaaS overall will remain a strong category for investors across the board because the cloud is the foundation of modern business and we are only in the early innings of adoption. It is rare to find an enterprise company today that is not reliant on such technologies as Salesforce, Workday, ServiceNow, etc. Also, given how SaaS companies operate — easy deployment, quickly scalable, ARR model — they provide the opportunity for recurring revenue growth and increased market share. In the endpoint security space, we saw massive consolidation this year, driven by the accelerated adoption of the cloud. It underscored that companies that are not cloud native are losing in this transition as it’s really hard to build and operate from the cloud unless you start from ground zero as CrowdStrike did.

Also, you can’t undervalue the importance of strong company fundamentals, including managing losses. These metrics, along with growth and market TAM, are indicators of performance that investors will continue to look for.