Welcome everyone, and thank you for joining CrowdStrike's Investor Briefing today. I am Maria Riley, Vice President of Investor Relations. We have a great lineup, and we hope you find this session informative. Today, you will hear presentations from George Kurtz, our founder and CEO, Michael Sentonas, our CTO, and Burt Podbere, our CFO.
Then we will open up the session for Q&A. All participants will be in listen-only mode until the Q&A session begins. If you wish to ask a question, please make sure your Zoom username is easily identifiable and use the Raise Your Hand feature on the bottom of the meeting window. When you are selected for a question, please be prepared to turn on your video and unmute your microphone. There may be a slight delay as you are prompted into the live queue.
Before we get started, let me remind you of our safe harbor and the risks associated with forward-looking statements. For additional information, please see the risk factors in our SEC filings regarding any forward-looking statements. Additionally, unless otherwise stated, excluding revenue, all financial measures discussed in this presentation will be non-GAAP.
Please refer to our disclosures on why we use non-GAAP financial measures and a reconciliation table showing GAAP versus non-GAAP measures referenced today in the appendix of the presentation, which will be posted on our investor relations website shortly following the conclusion of the webcast. With that, I will hand it over to George.
Thank you, Maria, and thank you all for joining. When I founded CrowdStrike over 10 years ago, we started with a clear vision, a defined mission, and 25 PowerPoint slides. In fact, here are a couple of screenshots from my original pitch deck. Even back then, our vision was founded on a few key principles that we refused to compromise on and have served as our beacon from inception to today as we've led the cybersecurity industry into a new era.
These imperatives included, first, a cloud-native architecture, building the security cloud. Ten years ago, staying true to our cloud-native vision meant turning down on-premises business and educating prospects on the value, speed, and efficacy the cloud had to offer. Whereas competitors, including next-gen vendors, compromised by building their products to be on-premises first.
Today, these same vendors still struggle with cloud-hosted or hybrid models, whereas Falcon has demonstrated an exceptional ability to scale. Second is an intelligent, single lightweight agent architecture driven by AI, not signatures. It was also critical to design an agent that could easily be installed, did not require a reboot, and had its own AI engine to operate whether it was online or offline. Third, our mission still is today based on the customer outcome, stopping breaches.
Committing to these key tenets in the very early days of our company was not always the easy choice, but we knew it was the right choice, the choice that would provide our customers with protection, performance, and value never before seen in security. The path that would enable CrowdStrike to drive long-term success by creating a true platform with a fundamental architectural advantage that still holds true today.
As a result, in just a little over 10 years' time, we have built a leading platform that stands in a league of its own with capabilities that extend far beyond next-gen AV and EDR. As you've heard me say before, CrowdStrike is not just an endpoint company. We have grown our platform from 10 modules at the time of IPO in 2019 to 22 modules today, covering endpoint and cloud security, XDR, managed services, threat intelligence, security and IT operations, identity protection, log management, and data protection.
In today's session, we will discuss that while the competitive landscape was cluttered 10, five, and even two years ago, today CrowdStrike stands in a class of its own. We will also demonstrate key attributes built into the Falcon platform that drives superior customer outcomes, as well as frictionless in-app trials and adoption of new modules.
Lastly, we will explore why we believe our growth journey is still in the early innings as we continue to gain share in the traditional endpoint market and expand within adjacencies. After today's presentation, we hope you come away with a deeper understanding of why we believ e CrowdStrike is a generational platform company built on a single agent and possesses a fundamental architectural advantage and strong competitive moat over others in the market today.
Additionally, CrowdStrike employs a highly leverageable model that we believe is capable of delivering sustained high growth at scale, combined with the profitability and free cash flow investors would expect from a leading SaaS pioneer. First, let's take a look at our market share and how it has evolved. Over the past several years, CrowdStrike has grown its market share in a growing market.
In calendar 2019, the year we went public, IDC estimated that we had approximately 7.9% share of the modern endpoint market. In just 12 months' time, the industry saw major changes, with several vendors being acquired in rapid succession. At the same time, CrowdStrike grew rapidly, gained tremendous market share, and was named the leader in the market with 12.2% share.
As of mid-year 2021, CrowdStrike continued to command the number one position with market share growing to 14.2%. Even with these fantastic market share gains, we continue to see meaningful opportunities ahead. CrowdStrike has a long, impressive history of accolades from industry analysts. This includes leading the pack in Forrester Endpoint-Focused Waves, and this year is no exception.
Building on our strong showing in prior endpoint waves, in 2022, Falcon earned a leader position in the Forrester Wave for endpoint detection and response, which was published yesterday. In the newest wave, Forrester ranks CrowdStrike above all other vendors with the strongest scores for current offering and strategy.
This is just one of the many points of industry recognition we have received, which also include CrowdStrike's leader placement in Gartner's May 2021 Magic Quadrant for Endpoint Protection Platforms and our rank as number one vendor across all three buying profiles as defined in Gartner's late st EPP Critical Capabilities report.
Additionally, we are quickly gaining recognition for our cloud security modules, as recently evidenced in Forrester's Cloud Workload Security Wave. We consistently have our technology tested and evaluated by working with SE Labs, AV-Comparatives, MITRE, and many other independent third parties.
We believe Falcon is the most tested offering in the space, and the numbers speak for themselves. Many of these are real-world tests that take false positive rates into consideration, where others take more of an evaluation view. We are scoring 100% in detection of attacks in SE Labs EDR test, 99.9% protection rate in AV-Comparatives real-world test, and on the just-released MITRE evaluation, we led the evaluation with 100% automated prevention.
Let's take a moment to dive deeper into those recently announced MITRE results. We're not surprised by our 100% prevention rate because it is the same as what we do with SE Labs in other tests. Let me share a little bit of backstory of this year's evaluation process that highlights the power of the Falcon platform and our identity protection module.
Upon initiation of the test, Falcon quickly identified that a breach password was being used on an account that had been compromised. This prevented the MITRE evaluator from gaining access to the environment altogether. In other words, we stopped the would-be attacker before it could even gain access, redefining what it means to stop the breach.
In order for the test to continue, we were asked to disable our identity protection capabilities, and we still achieved 100% prevention across all nine steps. In addition to creating a best-in-class platform that has earned a market-leading position, we believe we have built a durable growth engine, profitable business model with the ability of generating phenomenal free cash flow. We consider the combination of these attributes as the winning formula for a SaaS pioneer.
Let's take a look at how our free cash flow margin stacks up to other public software companies with a similar scale and growth. As of January 31, 2022, there were a total of 43 public enterprise software companies with more than $1 billion in the last twelve months revenue, and just five of those companies were growing at an LTM rate of 60% or more, including CrowdStrike, Datadog, Snowflake, Toast, and Twilio.
Of those five companies, only CrowdStrike delivered 30% LTM free cash flow margin, with the second closest company delivering 24%. We believe that we are just getting started with a vision of achieving $5 billion+ in ending ARR within FY 2026. We expect to achieve this by executing and continuing to focus on customer outcomes, our technology and platform, our people, and executing on our market opportunity.
Over the past few years, we have rapidly innovated and expanded our capabilities and TAM beyond that of traditional endpoint security. Let's take a look at how our TAM has evolved. In the time of our IPO in 2019, we had a $25 billion TAM. Last year, with our portfolio at the time, we estimated that our TAM was $36 billion, and we saw that growing to $44 billion in CY 2023.
Now we estimate that the TAM of our current portfolio has grown to $58 billion. That spans across corporate workload security, managed security services, security and vulnerability management, IT operations management, log management, identity protection, data protection, and threat intelligence services, and we see that growing to $71 billion in CY 2024.
That also includes the SIEM market, which we believe will be consumed by XDR as well as DLP and related technologies, as well as our newest complete offering for Falcon Cloud Workload Protection and Identity Threat Protection. Longer term, we believe there is a path to growing our TAM to $126 billion in CY 2025 by focusing on a couple of areas.
First, it's our organic TAM growth from our existing modules. Second, it's a very innovative product roadmap that extends beyond endpoint. The third pillar includes future initiatives. These are an area of the market with large TAMs, aging technology, and high customer dissatisfaction. Our longer-term initiatives include adjacencies within the observability space that we're not currently servicing today.
Lastly, our cloud security opportunity, which we are really excited about with $106 million in Q4 ending ARR and 8% of Q4 net new ARR derived from modules being used in the public cloud environments. From a TAM perspective, you can see why we have a long runway ahead, especially as we continue to innovate on the platform and execute on our product roadmap to address more customer needs and drive successful customer outcomes.
To be clear, our goal is to continue executing on this market opportunity with one single agent coupled with a unified backend. As we discussed this time last year, we believe we are also very early in our customer acquisition journey with legacy cybersecurity companies measuring their customer base in the tens to hundreds of thousands of customers at their peak.
This year, we'd like to double-click on that. When we look at four major market segments by customer size, we believe we have a long runway within each segment. Given we started in the enterprise and large accounts, it is no surprise this is where we have the deepest penetration. We define the enterprise vertical as companies with at least 7,500 employees.
We have demonstrated great success in this vertical and estimate that we are at 35% logo penetration with lots of room to continue to add new logos. Beyond the enterprise, we have even more room to grow our customer base and estimate that to date, we have just penetrated 3% in the corporate or mid-market segments, which we define as companies with 251 to 7,499 employees.
In the SMB segment, where there is a tremendous number of smaller companies, we estimate that we have penetrated less than 1% of the market on a logo basis. Additionally, we leverage our MSSP partner ecosystem to serve this part of the market, which is not reflected in our penetration estimates presented today. The public sector, which we define as federal, state, and local governments and education institutions within and outside of the U.S., is another area where we see significant opportunity.
On a global basis, we estimate that we are less than 1% penetrated. As we previously have discussed, we believe we are just getting started within the U.S. Fed opportunity. To date, our footprint in the U.S. Fed has predominantly been in the civilian agencies as we work towards increasing our IL certification.
Our win in Q3 with CISA covered initial lands with multiple agencies, and we believe this marquee win will lead to future opportunities. Just announced, we have now received provisional IL4 status that opens up incremental opportunities to CrowdStrike in the U.S. Department of Defense and Defense Industrial Base. In summary, we see a multi-year and long path in driving customer adoption across all of these customer segments.
As I mentioned in my opening, the architectural choices we made in the early days of the company still set us apart from other vendors we see in the market. Let's briefly review a few key characteristics that set CrowdStrike apart. A single agent design that is very lightweight. It is not uncommon for us to replace multiple agents on initial deployment and grow that over time.
Agent bloat is a real concern for CIOs and chief information security officers, and probably underappreciated by non-operators. Our ability to collect data once and reuse many times to solve a growing number of use cases is a key contributor to our success in the market and enables us to scale into multiple 100,000-seat environments with few, if any, operational challenges.
Low friction deployment and scalability. Even today, I'm still fascinated by our speed and ability to seamlessly deploy our sensor across very large and complex environments, whether they are traditional endpoints, hybrid server environments or public clouds. The time we took to eliminate requiring a reboot to deploy the agent continues to significantly differentiate CrowdStrike in the field.
Collecting and streaming the data in real-time, this is a huge advantage over competitors that operate in batch mode and struggle with storing data on the endpoint, which makes their sensor heavy and a drain on performance. Streaming data to the Threat Graph in real-time also enables us to see and hunt for threats faster and provide greater protection for customers. All of this is powered by our unified backend Threat Graph. I'd also like to note that we built Threat Graph from the ground up without relying on a third party. It is proprietary to CrowdStrike.
History has shown that as both legacy and next gen competitors have tried to re-architect in mid-flight in an attempt to emulate what we have, it has only opened up their customer base to disruption as they try to shift them off older offerings, giving Falcon the opportunity to shine and take market share.
Just as we ushered the industry into a new era back in 2011 with cloud-native endpoint visibility and protection, we are once again reshaping how companies should be thinking about security and Zero Trust in particular. Enterprise risk is coalescing around three critical areas, workloads, identity, and data. All areas where we have been investing, innovating, and see as core to CrowdStrike's mission. Why is this important?
In our view, vendors that have tried to push a Zero Trust strategy have done so with an incomplete picture of the customer environment, often resulting in significant user friction that drives hostility and distrust among employees, while also exposing key gaps in their defenses.
For us, Zero Trust is more than just a trendy buzzword. It's about delivering improved protection while limiting friction, the same tenets we have always focused on as a company. By combining the workload with identity and now data, we are able to build a more complete picture of enterprise risk. At the same time, with these three pillars, we'll be able to take prescriptive, targeted action ranging from host containment to user containment to data security that limits a malicious actor's ability to exfiltrate potentially sensitive information.
Importantly, with this evolution, we have not lost our sight of the key pillars of our success, namely a frictionless go-to-market motion that allows customers to benefit from our solutions without jumping through hoops. More specifically, we remain firmly committed to our single agent offering, coupled with a unified back-end.
This is the power of the Falcon platform. We have put as much thought into our go-to-market as we have into our technology, creating a new paradigm for enterprise cybersecurity sales that is designed to drive new customer acquisition, module adoption, sales velocity, and rapid response to customers as their needs change and evolve. It all starts with our world-class sales team that has excelled quarter after quarter and includes field sales, inside sales, and specialist overlay teams. We also partner with strategic services teams.
This group includes incident response partners such as CrowdStrike's own leading professional services team that use Falcon to respond to breaches. CrowdStrike's professional services group is a very strategic part of our business as incident response engagements with our customers new to CrowdStrike drive new subscription ARR.
I'm also pleased to say that just this morning, we announced a new strategic partnership with Mandiant, bringing the power of the CrowdStrike Falcon platform to Mandiant services, enabling Falcon to be used in Mandiant's incident response activities and proactive consulting services. Earlier this year, Deloitte selected the Falcon platform as a core enabling technology for multiple services in the MXDR suite, including incident response. With these partnerships and CrowdStrike's own professional services team, Falcon can be leveraged by the top three vendors named as leaders in the latest Forrester Wave Cybersecurity Incident Response Services.
We believe this speaks to Falcon's power and growing position within the cybersecurity fabric. As a channel-first company, we have a robust partner ecosystem that includes public cloud marketplaces, global system integrators, and value-added resellers. Our alliances also extend to technology partnerships and MSSPs, where we are seeing strong growth. The innovations and investments we have made in order to integrate, automate, and operationalize MSSPs have been very well received. We are seeing a lot of traction with MSSPs as they utilize Falcon to serve smaller customers.
For example, we expanded our relationship with Orange Cyberdefense based in France, and Falcon is now being used to power Orange's downmarket offering, servicing SMB accounts of all sizes. We have also built a powerful e-commerce engine, enabling the platform to sell itself. This would not have been feasible to achieve without the architectural choices we made in CrowdStrike's early days.
This particular go-to-market motion requires an incredibly high level of transparency with customers and is tightly aligned with our commitment to drive frictionless adoption and customer outcomes. To best show you the power of the platform and frictionless value proposition that Falcon provides from a technology perspective and sales engine view, Michael Sentonas and I will walk you through an end-to-end customer journey from cloud runtime protection to vulnerability management, to Fusion, automated workflow, to identity and XDR and Humio, all within the platform with a single agent.
Now, this is a real-world scenario where an organization came to CrowdStrike. They were looking for help to assist them to meet their cloud compliance requirements, and they had a significant DevOps environment in the cloud. They wanted us to secure these apps that were published in the cloud.
I think this really will give you a sense for how integrated the platform is, the power of the platform, and how all the modules link together and create a multiplier effect once a customer is using the single agent architecture. Mike, I'll turn it over to you.
Thanks, George. This customer has deployed the Falcon sensor to their cloud and is enrolling all of their accounts via our Horizon Cloud Security Posture Management solution. This enables agent and agentless discovery of all assets, which is really important, and enables the organization to be able to set up services to see what's going on with all clouds, AWS, Azure, and GCP.
What you can see here is we can see, we're looking at all cloud workloads. We're doing asset discovery. You've got all the assets on the screen here in a nice dashboard and a nice overview of all the services, all agentless on the screen as part of our CSPM solution. As I said, one of the big differentiators here is our multi-cloud support, giving you flexibility so you can choose what you wanna see.
This is a DevOps team here going about their day, looking at their environment, making sure they get full visibility into everything that is running in the environment. What we're gonna do is start to pivot over the general dashboard to drill down on some of the assets to show the visibility that an organization would get and how their entire cloud ecosystem has been configured and how it's running inside the environment.
I wanna really stress that this was a sale to the DevOps team with security. They had a compliance mandate, but it was really catering to the DevOps team, which was critical to make sure they were on board with this technical solution that we put in place.
What you can see here is an environment where the DevOps team are publishing apps to the Internet. They wanna be secure. Obviously, every DevOps team wants secure code, secure apps. You can see on this screen very easily the misconfigurations, what we call indicators of misconfiguration, 'cause that's where the biggest issues are.
When you're publishing so quickly, when you're pushing apps to the cloud, a lot of misconfigurations come in, and you wanna get on top of this before they become a security issue. You wanna find those configuration problems, you wanna remediate them, and you wanna make sure that the apps that go into the cloud are safe and secure.
This assessment screen here shows you all of the EC2 assets that are running public global IP addresses in their virtual private clouds, and that's not necessarily what you want because what could happen here with this sort of a misconfiguration, if there's an open service, this may allow an attacker into the environment. As mentioned, this hasn't happened yet.
You wanna get on top of this before this becomes an issue. What you can see here in real-time is managed and unmanaged assets. We can see systems that are running the CrowdStrike Falcon agent, and we can also see systems that don't have the agent because of our cloud security posture management solution, and then we can start to get the best of both worlds.
Now, we get so much more visibility than a traditional CSPM solution because we do have the Falcon sensor on some of the systems. Our runtime capability give us an amazing view. We get that full visibility across all the environments, and we can actually start to go really quickly to get a list of unmanaged systems, get the Falcon agent that is out there.
Well, what we can do here is we can actually modify the filter, and we can have a look at managed assets and start to drill in and get some additional functionality and visibility around what those managed assets are doing. Let's pick the systems here, that are on the top here using this filter button. We'll go and drill down into the managed assets, and we'll see what this shows us.
Mike, let's be clear on what module we're looking at here.
This is part of the CSPM, so Cloud Security Posture Management, what we call Horizon.
Horizon, right. I just wanna add in, when we think about the Horizon module, this is something that we actually built many years ago internally because we couldn't find a solution that fit our needs as one of the largest cloud providers of security technology.
We built this, and then we commercialized it out to our customers. What we're seeing here is something that's been battle-tested and used by our own teams, and I think it's a great way to showcase our innovation internally and then bringing that to market for our customers.
As we can see here on the screen, we've pivoted into the managed systems. We can start to have a look at these devices that are running the sensor. Gives us additional visibility. As mentioned, we get the best of both worlds. We can see here the security groups that these machines belong to, how they've been configured.
We can start to drill into them and start to look for different events, different security issues, different configuration challenges. We get security and non-security use cases as part of this configuration screen. Now we pivot over to the incident workbench. I really wanted to show you this screen because we're gonna keep flipping in and out of this screen right here.
This is where we can start to have a look at these cloud environments, at these systems, look to see how they're communicating with other devices on the network. As mentioned, we're gonna keep popping into this screen. We'll drill in, we'll drill back out, we'll go to the other configuration options. We've gone in to have a look at one of the managed systems.
It looks innocent enough, but when we click onto that system to start to review there, we can start to see this issue. You can see along the top there, all the way onto the right of the screen, we've got some red. Obviously, red is bad in this particular example here.
When we start to have a look at these issues, and we look at the incident workbench, we can see that this machine is a cloud Linux system. It's a container server. There's an exploit here. There's a serious incident that's involving other systems. We can see that the exploit has been triggered.
We wanna start to turn our attention and work out what happened, and then we wanna remediate. Now, just to call it out for the demo, we could simply reset the container image here. As mentioned, it's a cloud container, so we could reset that container image and stop it from running.
At this point, from a demo perspective, we wanna start to triage the image. We wanna start to have a look at this issue, and we can go and have a look at our asset inventory, which is what you can see here, to look and try to understand a little bit more about the system, and we can do this with our image assessment capabilities, one of the CSPM features in the product.
You can see here, this is the image that we're running. This is the image assessment interface. As I said, remember, this is an image running on a container, so this could be running on lots of systems, and it could be running across lots of different clouds.
From a DevOps perspective, this is a significant issue because this container could be widely used and could be causing us a whole range of issues in our application environment. You can see here there's 53 vulnerabilities in total. We can drill in to see more about the vulnerability. We can see the CVE details. We have the full vulnerability assessment of the container, and we can do things like notify the developer team to tell them to address it.
You can set a policy flag in the container image, or you can even prevent it from being loaded and running. You've got full control to prevent future security issues. We've stumbled obviously across this one container, but the thing that we wanna do here is check to see where is it running.
Remember I said this container could be running across different clouds. It could be even running on-premise systems inside my environment. We can pivot over to our container inventory. We can see very quickly when we start to drill in details about that particular issue.
I can see here that we're running on six hosts over the last seven days, and it's running on multiple different clouds, and some of those systems are actually running right now. We can see here that we've been running in AWS, we've been running in Azure, we've been running in GCP, the live systems, as mentioned. We started with an initial vulnerable image, and now we can see what the potential blast radius looks like.
We can see how quickly this could really escalate into a full-blown issue inside our organization because we've got published apps that are running live now.
Not only are we seeing some of the policy issues and some of the vulnerabilities, but there's a rich level of asset information here, and that's super important, as we've talked about, as we've expanded the platform and we think about security and IT hygiene.
It's a critical asset information that's not only used from a security perspective, but it's used by the DevOps team, and it's used by the IT operations team. If they don't know what assets they have and they don't know the state they're in, it's very hard to secure those. In many cases, we've become the source of truth for this asset information, which is incredibly powerful for both the security team as well as the DevOps team in managing these assets.
Yeah, that's right, George. You can get all of this information really, really quickly. We make it simple. We're gonna go back here to the incident workbench, and I'm gonna keep coming back to this. It's a great place to visualize all the items, all the things that we're talking about, and to see the environment. We can see here on the top, we've go
t a Windows server. We've looked at Linux before. It's another cloud workload, but this time it is running Windows. We can see that credentials were used to move laterally on the system. Similar to that previous process, we wanna have a look and see if there's vulnerabilities on the system, and we wanna use Spotlight to do that. This customer hasn't, at this point in time, purchased Spotlight.
They wanna make sure that they can turn it on. They wanna do an in-app trial request to get Spotlight working and to start going through the process of getting all the vulnerability data and then really start to build out a picture of what's going on inside their environment. We're gonna go ahead and turn on that free trial. An organization can simply go to the CrowdStrike store, and they can click Try it free, and we're gonna turn it on in the back end.
I think this is a really important point, Mike. When we think about the in-app trial, it really highlights the business model that CrowdStrike has. As we've talked in the past, it's a single-agent architecture, a single data store with our graph technology, Threat Graph, and then the modules take advantage of that data we've already collected.
The beauty of what we've built, and we spent several years building a very efficient e-commerce platform behind the scenes that allows a customer, with a single click, to actually try another module with the data they've already collected. Again, no new agent needs to be deployed, and it's really friction-free and allows us to continue to cross-sell and drive up our net retention rates.
I want to show that example of what George is talking about when he talks about friction-free. What you can see here on the bottom right-hand part of the screen, we've superimposed the system, the Windows server, and we've popped open the Task Manager, and I've highlighted the CrowdStrike Falcon service.
The reason why I did that is I want you to see that as we turn on Spotlight for the customer and we start to turn on the features, nothing happens to the endpoint. You don't see it change in size, you don't see memory utilization go up. The reason for that is the Falcon sensor is already on the machine. We're leveraging data that we already collected previously. All of the work is happening in the back end.
Very quickly, the organization can see the vulnerabilities running inside their environment. They can look at the one system, and they can see that we've identified a couple of vulnerabilities that are on this machine. Typical Patch Tuesday scenario when an organization has to quickly work out where they're vulnerable. We can see here that there's a couple of recent patches that have been released.
What's great about Spotlight is we can very quickly, from within this screen, push out the patch. We can identify the exact patch, we can deploy it here direct from the interface. The customer doesn't have to go anywhere else in the system. Then we can go back to the incident workbench screen, and we can see that we've patched the machine, the patch is running, there's no action required. As mentioned before, there's some credential theft that happened. We can get on with solving the core part of the problem.
Mike, I just wanna highlight the fact that you said we can roll out the patch. Tell us a little bit more about that capability. I think that's one that many folks don't realize we have the capabilities to actually do.
It's a really good point. When you think about what happens when there is that Patch Tuesday situation, every organization struggles with trying to work out what to patch and what is the most critical vulnerability that they need to solve very quickly. Then they have to go through the process of preparing the patch, getting it out, using different systems.
That all takes time. We know in security that time can be a problem. You need to bridge the time and close that gap as quickly as possible. With the platform, with Real Time Response and the capability built into the back end of the Falcon system, you can pick the patch, you can roll it out, you can do it on that system, and just get on with securing the rest of the organization friction-free.
It's driving home that point that you mentioned earlier, George. Let's pivot back to the incident workbench. The organization is not running the identity suite of products that we have here, so we're gonna go back and we're gonna request the trial. You can see the same scenario that we talked about before on the bottom right hand of the screen.
We're gonna show you the same system, the same Falcon sensor running. No impact to the end user. That's the example of just driving that point home again. We've added yet another module on top of the platform, and we have all of this new capability that is running just simply by saying, try it. You request the trial, it gets approved in the back end, it's automatically running. It literally is as simple as that, taking that friction out of the entire process.
Mike, I wanna just remind the viewers here that this technology came from an acquisition we did called Preempt. I was so excited about this acquisition when we did it. I'm even more excited that it's fully integrated, and it really is one of our hyper-growth modules. The uptake from customers has just been dramatic in how we've been able to solve some really hard problems. One of the areas that I want you to talk about was the MITRE ATT&CK framework testing and just how powerful this technology has been. Can you take us through what happened there?
Yeah, for sure, George. This is such a great story, talking about MITRE and the fourth round of testing. Just as a quick reminder, the results have just come out. We've come out on top for prevention, 100% prevention, because there's a great story about the power of our identity protection capability.
As part of round four, MITRE uses the tradecraft and the techniques from two adversaries in that particular evaluation. Those adversaries heavily rely on credentials, and we showed you in this demo, we're gonna show you the example of the platform. MITRE leveraged the tradecraft, and straight out of the box, our identity protection capabilities triggered and stopped the attack. That's why we say we stop breaches. The evaluators couldn't continue any further.
They actually had to ask us to turn off the identity protection capability to allow them to try to run the rest of the tradecraft, and we still blocked and had 100% prevention for the techniques that they used in the attack. It just demonstrates the power of our identity protection capabilities. It demonstrates the power of having it integrated so it's not a third-party product, it's not a network device, it's not another system, and it's just an in-app trial. Get it running, get it deployed, and that's why customers love it.
It's not a deception technology. It was built from the beginning to be an identity solution. I love the fact that we spent the time and effort, which is part of our philosophy, to get it integrated into our platform, which makes it so much easier for customers to use, not some bolt-on. Again, when we think about this, we're the only platform, the only vendor that was tested that has this integrated identity protection. I think it's a true testament to what we've built when the evaluators have to stop the test, call you up and say, "Can you please turn off your prevention capabilities so we can continue the test?" It's a great story.
We now pivot over to the identity protection screen. We've got all of the information on the account that was used in this lateral movement scenario. If the adversary is using the account, that means it's obviously compromised. We don't know how that happened just yet, but let's introduce some policies to start to triage and start to get on top of this issue. I'll show you how simple it is. There's a couple of ways that we can do this. We could disable the account very quickly. Not great from a demo perspective.
We're gonna take a little bit more of a careful surgical approach, and I'm gonna enable multi-factor authentication so that any time we detect the account being used or being used on a system that it's never interacted with before, we'll trigger a multi-factor authentication request to the end user. Let's pivot over to a system.
What we'll do to make it really simple to follow, we're gonna log into a normal system, so a system that we use all the time to show you that there's no issue. As part of the policy, we're gonna log in, we connect. No problems at all. You'll see that on the screen here.
What I now wanna do is just make that slight pivot and go and log on to a new system in the environment. We're gonna authenticate, we're gonna use the correct password. What you're gonna see, because it's a system that we've never used before, it triggers the MFA event.
You can see that we've implemented those restrictions, we've stopped the logon, and we've taken care of the first Windows system, and we're starting to get on top of this issue now. We've dealt with the vulnerability, we've now dealt with the credentialing issue, and you've seen how simple it was to roll out this capability without impacting the end user experience with another agent. There's been no reboots in any of these scenarios at all.
Mike, that's a really powerful feature to actually create an MFA request. Can you talk about the brains behind that? How does that actually happen within the product itself?
There's a number of features here, but what's really core to the back end is we're leveraging our AI models to start to track information about systems that we've connected to previously, systems that we've never been to. We're taking into consideration the user and their privileges, and based on the policy that you picked, you can pretty simply roll out rules that force you to have that multi-factor authentication event pop up when it's a new system or when you're going to a new part of the network. Really simple to use.
We wanna make sure that the user experience is simple, but we also wanna make the policies easy to use, which is why we leverage AI in the back end, and we do a lot of that work in the cloud so that the security team is not spending time with complex systems and complex policies. You saw how easy it was to roll out that capability.
Mike, this goes to the heart of what Zero Trust is making it easy for the users to get to where they wanna go without them thinking about it and letting CrowdStrike do the hard work and leveraging our AI expertise to really drive that level of protection.
It's a big part of what we try to strive for, George. You know, when we talk about this all the time, security has to be easy. It's a complex problem, but you have to make it easy for the organization that's using the product to be able to deploy it. You have to make it easy for them to operationalize, and you need to make it easy for the end user.
We keep talking about it, but you've seen an example here where we're working on the cloud. We're rolling out Spotlight for vulnerability management. We're rolling out the identity and Zero Trust capabilities. Nothing changed in terms of the end user experience, so you don't get that pushback from the business, and that's so critical. It's easy to say, it's really hard to do, and you've seen it how simple it is as part of the demo so far.
Mike, I think that really lends a comment around the architecture. The architecture we have is very unique. Why is that? It's a collect once, reuse many, right? We've collected this information with a single agent. We've put it into our Threat Graph, and then we've enabled all the other modules to leverage that information in real time.
I wanna keep going on that theme, George. Let's look at the architecture and what you can do. Let's pivot a little bit and bring in the concept of systems management and show you how powerful the platform is. Let's come back to the incident workbench. We can see we've got another system here. In this particular system, this particular example, what I'm gonna show you is a system that is running the Falcon sensor. It's running in a detection-only mode, so we've got the EDR capabilities.
For the example of this demo, no prevention has been turned on. What I wanna show you in this particular example, and it's a common one, a new piece of ransomware is being run inside the organization, and because this system is in detect-only mode, we're gonna see it run.
We can see it a little bit here in the incident workbench. Let's pivot over to the actual system itself. The thing that you'll see, very, very quickly is that we've got some files that get encrypted. Typical example, if you've never seen ransomware work, this is exactly what it looks like. Your system starts to get encrypted. Eventually you get a pop-up.
That's how they ask you for ransom. I'm using a favorite here, an oldie but a goodie, using WannaCry. This is what WannaCry actually looked like. For this demonstration here, we can see because it was in detection, we allowed it to run. We obviously could have prevented that, just to be clear. Luckily for this organization, they're using CrowdStrike Falcon platform.
They're using Fusion and Real Time Response because they are capabilities that are available to all customers, all organizations that use the platform. At any given time, the organization can simply just do some systems management and actually just roll back.
They can roll back to the previous system restore point, and they can get the machine up and running as quickly as possible. Let's go and do that now. Let's pivot back, and you can see straightaway the system is now running. We kinda didn't do anything, and that's the whole point of this demo because now what I wanna show you is the power of Fusion.
Mike, let me make sure I got this. This is actually rolling back after a ransomware attack. Obviously we were at detect mode and not preventing it for the demo. There seems to be a lot of FUD that CrowdStrike doesn't have rollback. Talk a little bit about that.
We absolutely have rollback, and we have so much more, and it's such a basic example. I'm gonna show you so much more with what we can do with Fusion, and you can see here on the screen our no-code security automation. Rollback is the simplest of examples. What's cool about this is you don't require any coding to stitch together any workflow.
This is a workflow that just successfully executed. You saw it automatically roll the system back because we detected some encryption events that ran on that system. That's the point. It's going back to that frictionless process that we have. This workflow is a three-part workflow. Let's make it a little bit more complex. You can see the three branches here. The top is the incident response forensics. We do a memory dump.
I told you it was gonna be so much more than rolling back. We do a memory dump, and we get a log with all of the service information very, very quickly, and we send it over to ServiceNow as well. In the middle, we get additional context for this malware. We get information from other third parties. I mean, you could even call that XDR, right?
You're getting third-party data, you're enriching the context, and then we're escalating that information to the SOC team. At the bottom is the rollback of the ransomware. What's cool here is we saw some encryption, we executed the rollback. You didn't need a detection, you didn't need anything else. When a lot of the other organizations talk about things like rollback, there's a lot of complexities, there's a lot of requirements.
For us, it was just really simple. We finished off at the end pushing out patches as part of this entire workbook. This is in the platform for every organization to use.
Mike, that's a really important point 'cause I think it goes to the philosophy of CrowdStrike, which is if we're gonna implement something, it's not a checkbox feature, it's thought through. It's something that all customers can use, and it's much more user-friendly and feature-rich, if you will, in its capabilities. Rather than a one-off rollback, we've actually built a complete no-code workflow that drives automation into what my view is the most automated platform on the planet.
Well, let me really drive home the point that you just made, George. I wanna show you how simple it is. Here's another example. You can see how powerful it is and the no-code automation. Let's build out the last few steps of this workbook here. You can pick the steps and simply just drag them over. You can add the rollback workflow that I talked about.
You can kill processes, you can roll out patches. There's no need for playbooks, there's no need for complexity. Just super easy to use, and it's available for all of our customers, and it's available as part of their license entitlements with the platform.
I think that's the beauty of it. It's built natively into the platform. It's elegant in how it works. It wasn't a bolt-on from an acquisition, and it really extends the power of response when we think about the whole XDR model.
We're back at the incident workbench. We've dealt with our cloud issues. We've patched our systems. We remediated this identity problem that we had. We rolled back a machine that was in detection mode only. There's really one question left here: How did this all happen? Obviously, in an enterprise organization, there's a number of systems beyond just the endpoint.
Let's start to look at the environment and start to bring in telemetry from third-party systems. This is the first time that we're gonna pivot over and have a look at Falcon XDR. Here we can see Falcon XDR, and you can notice a couple of things here. You can see some additional data from a number of third-party systems to figure out what happened.
We can see we've got a couple of alerts here from our original Windows systems. When we look at the details, of course, we can see all of the telemetry, the rich telemetry coming from the Falcon platform and the Falcon endpoint.
We can see identity here and all of that telemetry there. What we're also doing is bringing in telemetry from third-party vendors, part of the CrowdXDR Alliance. In this case here, we've got Corelight network detection and response because we're looking to see what's going on from a network activity perspective. We can see very, very quickly that we've got an encrypted tunnel. We can see failed login attempts and more.
If we want, we can make this even easier 'cause you can imagine when you've got Proofpoint and you've got Cloudflare and Zscaler, and you've got a whole range of other different solutions, you may wanna graphically represent and have a look at. You know, if your thing is getting visual representation, we can do that. We've got a whole range of things that are going on here.
We've got a whole range of indicators. Why don't we look at the graph? We can see here how all of these systems and all of these events are related to each other. As you can imagine, when there's a lot of different systems, there's a lot of different vendors playing, this visual representation is just so critical. It's extending the concept of the incident workbench now to Falcon XDR.
The last thing that I wanted to show you here is to just hop over and show you the quick raw XDR event source. So I'm not gonna go too much detail into what you can see here, but hopefully you saw the Humio logo. What I'm just showing you here is a combination of CrowdStrike's Falcon data together with third-party vendor data, all within the Humio back end, 'cause I just wanted to show you the integration that's already gone into the Falcon XDR platform.
I think this is really a compelling offering here for a variety of reasons. One, we've been asked for some period of time to be able to enrich the data that we have with other third parties, and we now have a way to do that, a very effective and elegant way to create a really storyline or a narrative around how the attack flows.
Obviously it starts with EDR, as we talked about when we think about XDR, we and others believe, like Forrester, that we have the best EDR technology. Once you have that information to enrich it with other third parties at scale and provide a storyline of what happened is very, very impactful for the security operations team and overall CISOs in the organization.
I think this is one of the areas, as we continue to pioneer XDR, we continue to build this out, and really leverage the power of the Threat Graph and the Humio technology that drives from the back-end components of this.
You made some really interesting comments there, George, and I think one of the things that we've just walked through in a very short period of time is we've looked at EDR data. Now we passionately believe to have world-class XDR, you need world-class EDR, and you need that third-party telemetry. The reason why Forrester called us out as being a mature vendor in the XDR space well before we launched Falcon XDR was because we had cloud data, we had identity data, we had vulnerability management data.
We just walked through that and show you how easy it is to get all of that capability deployed to the endpoint, how easy it is from a SOC perspective. If you look at the definition of XDR from a Gartner perspective, from a Forrester perspective, we meet all of those definitions.
For us, Falcon XDR needs to be so much more, and that's why I wanted to show you that graphical representation to show you third-party data coming from Corelight. You can build detections off all of that data. You can build response all of that data. You saw the workflow, the no-code automation from Fusion. Now that is what XDR is. It's way more than just SIEM or way more than just log management.
I wanna be clear that what we just showed was XDR. There's some underlying components that we were able to use from Humio, but that is not Humio. Right? That's Falcon XDR.
It's great timing to now take a look at Humio and have a look a little bit of a demonstration of the technology that we are so excited about. You know, we've really changed the game with Humio. We've completely reengineered log management from the ground up to take advantage of today's modern technologies.
Add to that data streaming, add to that index free architectures, which allows us to collect structured and unstructured data to store it in memory, to store it in the platform, to make exploring and investigating anything blazing fast, even at massive scale. We're gonna go into a demonstration here. I wanna show you a couple of use cases, and I think you're gonna be really as excited as we were to bring Humio into CrowdStrike.
The first thing that I wanna look at here, we've got some great dashboards set up, make it really easy to use, make it easy for the SOC team, for the DevOps team, because there's different groups that use the Humio platform to solve different problems. The first thing that I'm gonna look at is Humio for Falcon. We launched Humio for Falcon as a specially bundled way to analyze Falcon data.
We give our customers data retention as part of the platform, as part of the Falcon platform. Now with Humio for Falcon, we give our customers a very cost-effective way to search for a year, for two years, for five years worth of their EDR data with the power of Humio. We've made it really easy to store data for as long as you want.
You simply just paste your API key into Humio, and your Falcon data is immediately pulled into Humio, and it's available for real-time analytics or long-term historic searches with Humio's power and intuitive query language. It's as simple as that, what we just walked you through.
Now you can start to see here the dashboard that shows you the high level overview of detection alerts that are coming into the Humio platform. We've pre-built some of these dashboards and these quick searches as part of the capabilities, so you can do a simple hash search if you like. If you wanna look for a file, let's paste the hash here and apply that. We can see here we've got one host that has that file on there.
We can keep drilling down here and say, "Okay, let's widen the scope from one day and increase this to look at a year's worth of data." You can see how quickly that responded to tell me that we had three different hosts in the past year compared to one in the past day. Incredible speed as part of this platform.
Mike, you really nailed it when you talked about speed and flexibility. One of the beauties of the technology is compression algorithms, which far exceeds the competitors in the market. What's the benefit of that to the customer? The benefit is cost.
Humio is a very disruptive technology, not only from a speed and performance perspective, but from a cost perspective, which we've heard time and time again from customers using competing products, that they're just paying too much. They can't budget for the cost. The reality is they wanna log more data, not less data. That's why we think Humio is gonna be very disruptive to this market.
I wanna really show you the speed and the flexibility and how simple it is to use the Humio platform. Let's have a look at one of the biggest security issues that we've seen in recent years and dive into Log4j. I wanna look at Log4j and show you how easy it was for one of our customers to look for Log4j issues.
We know how complex Log4j was, the proliferation of supply chain attacks in particular have forced all of us to take a wider timeframe view of how adversaries infiltrate the targets. With Log4j, organizations were trying quickly to see as far back as they could possibly go what was going on inside their organization. I'm gonna show you here how quickly it is to search for the presence of Log4j.
Just simply say command line, Log4j, hit Enter, and we'll populate all of that information very, very quickly. What I'm showing you here, let's cast a wide net. Let's look for the last one year of data, and instantly it is back. You know, let's make it a little bit nicer to read. Let's group the data. Let's graphically represent the data.
What you can see here is I'm not looking at the last day, I'm looking at the last year, and I can see all of the different files on all the different command line operations seen in our environment in the last year. I've just pretty much got a list of all the machines that I need to go and fix inside my environment that had a Log4j issue, graphically represented, command line representation.
It's up to you how you wanna do that. Organizations like to work differently. SOC teams, incident responders like to work differently. We give you that flexibility, and it's up to you how you wanna represent that data.
Mike, in my travels, as you know, I speak to a lot of customers, as do you. I can tell you, I've heard resoundingly that CrowdStrike, our platform, including Humio, was absolutely critical to finding and remedying Log4j. Of all the technologies that these organizations had in their environment, the de facto go-to technology was Falcon, including the Humio technology.
You can see why, right? Because we just had a look at a year's worth of data. We just did a quick sweep of the environment to look for Log4j issues. It was like three seconds. We had a list of all of the systems, the command lines. Print it out, go remediate, and move on. That's how quick it needs to be to solve these sorts of issues.
I wanna show one more example here. Now, this is a cool use case. This time it's a DevOps team using Humio. Here we've got our Kubernetes cluster feeding Humio. Every time you know, Kubernetes cluster, we've got a website running off this, we've got web pages, we've got web apps. Every time we see a user grabbing a page on my website, we can see the page being accessed in Humio.
We've got a dashboard here to track the website use. I can see what my most popular web pages are. I can see where my users are going on my website. I can also keep an eye on how many Kubernetes pods are needed to run this environment. I'm now looking at traffic patterns. I can troubleshoot my entire web app from this one location, and you can see how incredibly easy it is to use and how feature-rich the example is, the amount of information that we have.
This was just a simple example to show you how we can manage our environment. If we start to see problems, we can see them here very quickly. If we start to see our pods degrade or the pods go offline, we can manage it very quickly.
If we make a change to our web environment, and suddenly we start losing connections, we can see that very quickly. We've got a security use case, we've got a long-term storage use case, and we've just looked at the DevOps team using the Humio platform to run their web apps and to do all of their troubleshooting, just really simply.
Mike, I think it's important to highlight a large portion of our sales of Humio have been to the DevOps team for use cases that are outside of security, and you can see why, how easy it is to get this information. The fact that index-free real-time ingestion is a huge differentiator from other technologies to get that real-time visibility that's needed for critical applications.
Let me try to pull all this together. We showed an organization that started their journey with CrowdStrike solving a cloud requirement within their DevOps team. This is a great example of how we started with asset identification and vulnerability information and image assessment that triggered the deployment of the Falcon sensor capabilities across the entire enterprise.
We showed that deploying new modules, what it truly looks like and how friction-free it is with no impact to the memory, to the system, and ultimately to the end user. We solved vulnerability issues with Falcon Spotlight, including rolling out a patch. We solved identity problems dealing with a compromised credential and enforced MFA.
Our MFA enforcement can be within our own technology or leveraging integrations that we have with other partners like Okta and Ping. We actually did a no-code security automation workflow using Falcon Fusion to trigger a system rollback. We looked at Falcon XDR and brought in third-party telemetry. We leveraged our deep AI expertise to be able to correlate that information together and extend out the detection across just EDR data into XDR data. We finished with Humio.
Humio for Falcon with unlimited data retention for our customers, an example of the flexibility to search anything in real time and get immediate answers. We showed how customers used Humio to actually solve a really complex and hard problem with Log4j. Really, we've become the system of record for security and a critical system for DevOps.
In summary, we believe CrowdStrike has a fundamental technology advantage that drives success in the field and success with customers. I could not be more excited about the journey CrowdStrike is on and our future prospects. We believe we have created a once in a generation cloud platform for cybersecurity that offers a solid glide path to solving a growing list of customer needs, all from a single agent, providing durable growth for many years to come. If there's one takeaway from my presentation, here it is.
This is just the beginning of our journey, both within traditional endpoint security and in emerging product categories. It's been a pleasure to chat with you today, and I look forward to your questions following Burt's presentation. With that, I will hand it over to Burt.
Thank you, George and Mike, and hello, everyone. We've got a lot of exciting content to cover with you today, so let's jump right in. First, let's set the stage for what we have achieved to date. It has been another phenomenal year of milestones for CrowdStrike. We delivered an exceptional year in FY 2022, setting new records in multiple areas.
After surpassing $1 billion in ending ARR in FY 2021, in just one year, we added another $681 million of net new ARR, growing ending ARR 65% to exceed $1.7 billion, marking an incredible year of growth at scale for CrowdStrike. We delivered another record year for net new logos, which increased 44% year-over-year with over 6,400 net new subscription customers.
As we have delivered exceptional growth at scale, we have continued to achieve strong unit economics and maintain an exceptional margin profile. Non-GAAP subscription gross margin remains steady at 79% and within our target model as we invested for future growth and brought new telemetry into the platform such as Identity and Humio.
In FY 2021, we achieved non-GAAP profitability for the first time with operating margins of 7% for the year. In FY 2022, we nearly doubled that, ending the year at 13.5% operating margin and exiting Q4 at 19%, setting a new record for CrowdStrike.
We also delivered 30% free cash flow margin, and when excluding a one-time IP transfer tax payment related to the Humio acquisition, free cash flow margin would have been even higher at 35% of revenue and over $500 million only a few years after going public. These milestones demonstrate the power of our model, and as George mentioned, we believe at this scale and trajectory makes us a truly generational software company.
Taking a longer view of our growth trajectory to date, you can see sustained high growth at scale as reflected in our five-year CAGRs, which are in the high- and mid-90% range for ending ARR and total revenue, respectively, and over 100% for subscription revenue.
We continue to see strong growth in both domestic and international markets with a long runway to continue gaining customers and market share as George outlined. Our professional services revenue contributed 6% of our total FY 2022 revenue and continued to grow nicely. Professional services is a highly strategic driver of new platform business for us, demonstrated by the increasing contribution to Falcon platform subscription business.
Among organizations who first became a customer after February 1, 2020, for each dollar spent by those customers on their initial engagement for our incident response or proactive services, as of January 31, 2022, we derived an average of $5.71 in ARR from those subscription contracts, up from $5.51 reported last year and $3.73 the year before that.
This small but highly strategic portion of our business has been extremely successful, not only by itself, but in driving software platform cross-sell opportunities for us. Last year, we outlined the illustrative math to get us to $3 billion or more in ARR by FY 2025, which by itself would put us among the top SaaS companies only a few years out from our IPO.
Now let's walk through the simple math that illustrates our path to achieving the even bigger milestone of $5 billion or more in ending ARR. As you all know about me, I prefer to illustrate things as simple as possible.
With our FY 2022 ending ARR growing 65% to exceed $1.7 billion as the starting point and applying just a 10% CAGR to net new ARR, you can easily see the path to achieving and exceeding $5 billion in ending ARR by the end of fiscal year 2026.
While I would reiterate that this math is intended to be illustrative and not guidance, given the growth at scale we have achieved to date, our growing market leadership, the significant opportunity ahead, and our meaningful technology differentiation, this gives us confidence as we set our sights well past $3 billion and aim to grow this company to $5 billion in ARR and beyond.
Not only does this math illustrate how we could achieve $5 billion by FY 2026, using this framework also accelerates the achievement of the $3 billion ARR milestone from FY 2025 into FY 2024, a year ahead of the framework that we walked through last year. After achieving our first $1 billion in ARR in FY 2021 in just under 10 years since the founding of the company, we are now talking about tripling that number in three years and 5x'ing it in five years.
This is truly exceptional growth at scale that demonstrates the power of our platform and the exceptional model we've built. As George outlined earlier, we believe this makes us a truly generational software company and shows how Falcon fundamentally stands in a league of its own.
Now let's dive into some of our growth dynamics that are helping us drive towards these ARR milestones. Importantly, our growth drivers have not fundamentally changed, but we continue to invest heavily in them as we execute on our strategic initiatives and transform the security industry.
We intend to continue to take market share by landing customers at a rapid pace across all facets of the business market, capitalize on our increased momentum with partners, expand our wallet share by driving module adoption with new and existing customers alike, entering into new adjacencies, and maintaining our strong retention rates. I'll take you through some new and updated metrics that demonstrate how we are doing all of these things. While we don't manage the business to specific net new logo targets, we are continuing to win customers at a rapid pace.
Our win rates remain high, and we believe that we are clearly gaining share. We've made phenomenal progress in our net new logo acquisition, with subscription customers growing 65% to reach 16,325 total customers in FY 2022.
As George pointed out, we believe we have only scratched the surface in terms of the number of companies that are out there. There are many more customers to win globally. Beginning at the top of the market, we've seen phenomenal success in the enterprise in the past year. Within the U.S., we ended the year with 65 of the Fortune 100, more than half of the Fortune 500, and 15 of the top 20 banks, all meaningful improvements over the prior year.
One thing I'd like to highlight is that in all the Fortune categories, the year-over-year ending ARR growth from each of these cohorts well exceeded the year-over-year growth in customer counts, showing that we continue to drive meaningful expansion within top enterprise accounts. Taking a more global view, we also ended FY 2022 with over 500 of the Global 2000, a 35% increase over the prior year as we continue to invest in expanding our international footprint.
In addition to winning customers at a fast pace, we are also seeing continued strong success with our top accounts and growing the minimum spend required. The minimum ARR to make it to our top 25 is now $4.6 million, a 28% increase over the prior year and 10x what it was five years ago.
$2.2 million is required to be a top 100 customer, a 38% increase over the prior year, and 13x what it was five years ago. To be a top 400 customer, a minimum of $775,000, a 62% increase over last year and a significant increase over just $10,000 in FY 2017.
We are continuing to land bigger deals and are expanding significantly in our existing customers as we innovate on the platform and increase our coverage over the key areas of enterprise risk. Demonstrating our progress in FY 2022, the number of customers with more than $1 million in ARR stood at 302, a five-year CAGR of 98% and 72% growth from last year.
The number of customers with ARR between $100,000 and $1 million stood at 2,482, a 5-year CAGR of 75% and 58% growth from last year. The enterprise isn't by any means our only focus. We are seeing success across the market as well.
Smaller accounts with ARR below $100,000 stood at 13,541, representing the bulk of our subscription customer base with a five-year CAGR of 116% and 66% growth from last year, showing that we are seeing strong growth across the spectrum of customer accounts. We also service this part of the market through our growing MSSP channel, and customers served through MSSPs are excluded from our logo metrics.
As we flip to an ending ARR view of those same cohorts, you can see exceptional growth across all categories. You can also more clearly see the dynamic we have discussed a number of times, where we see the bulk of new logo acquisition coming from the lower end of the market, whereas the bulk of ARR dollars is derived from the higher end of the market.
Regardless, we see strong growth across all three categories, with the greater than $1 million ARR category growing 66% year-over-year with a five-year CAGR of 125%, the 100,000 to 1 million category growing 58% year-over-year with a five-year CAGR of 80%, and the less than $100,000 ARR category growing 78% year-over-year with a five-year CAGR of 98%.
Module adoption is another area where our trends continue to be exceptional, showing that customers are adopting more of the platform than ever. Just as we are winning new logos and driving increased ARR across all segments, we are also driving module adoption across the market. Since the prior year, customers across every cohort have increased the average number of modules that they are using, which is reflected in the increase of our percent of module adoption stats that we speak to every quarter.
Increased module adoption, regardless of the customer size, demonstrate the applicability of the platform across the market. You can see that our metrics on customers adopting four, five, and six or more modules have been on a steady march upward quarter after quarter. This demonstrates clear buy-in on the platform strategy by customers.
As you've heard me talk about before, it will not be long before we retire our four or more category and replace it with the seven or more category. These module adoption stats are some of my favorites as CFO, as it clearly punctuates the world-class nature of the Falcon platform and drives the power of our model that allows us to deliver profitable growth.
Moving to our module growth dynamics, when we look at the year-over-year growth rate of customers subscribing to each module, we are seeing tremendous success. Customer accounts for our longer standing popular modules are all growing at a similar rate to our overall customer base, which was 65% year-over-year at the end of Q4. These include Device Control, Discover, Falcon X, Insight, OverWatch, and Prevent. Even more exciting are the hyper-growth modules that are growing at rates significantly faster than our overall customer base.
These hyper-growth modules include a much larger list than last year. Falcon Complete and Falcon Spotlight have retained their spot in this category as they continue to see rapid adoption. This category now also includes our cloud modules, identity modules, and firewall management. Again, these are all modules where customer counts are growing far in excess of the 65% growth we are seeing in our overall customer base.
Our specialty modules have remained unchanged with Sandbox and Search, which is to be expected given many of the capabilities of these modules can be acquired through our Falcon X offering. Finally, given the rate at which we have expanded the platform, we have a whole set of new modules where we do not yet have a year-over-year comparison as they are new to the market. We expect big things from these modules.
For example, Log Management stems from our Humio acquisition, which closed in Q1 of FY 2022, but we've already discussed seeing significant customer interest and multiple seven-figure deals in FY 2022. We also expect XDR to be a big area for us over time, as we believe our offering is significantly differentiated from the many marketing buzzword copycats that exist in the market and builds upon our market-leading EDR solution.
Of course, SecureCircle is our most recent acquisition, which closed in the fourth quarter of FY 2022. We see a significant opportunity for disruption in the legacy DLP market as many customers are unhappy with the existing offerings there. Of course, as we see module adoption increasing across all of our cohorts, we are also landing bigger.
The average module count of a new customer has increased from a little over four modules last year to nearly five this year, and has grown 135% over the last five years. We see this dynamic increasing for a number of reasons. First, as our brand recognition grows, customers are increasingly likely to embrace the platform more fully in the initial land, especially as these customers are in desperate need of agent consolidation as they move away from bloated legacy providers.
Second, our platform is easy to deploy and easy to manage with a stunning user interface. Third, we are providing compelling value to customers as we expand the platform to cover new adjacencies and non-security use cases.
This goes back to the power of the platform as customers can run more and more of their processes through Falcon and build a virtuous cycle as they only get more visibility and use out of their data. Moving to our dollar-based net retention rate. We remained above our benchmark throughout FY 2022, which further demonstrates the success of our land and expand strategy, especially in light of our growing scale.
Similarly, our growth retention rate remained best in class throughout FY 2022, exiting the year at 98.1%, which is the highest we've seen since going public. We've seen meaningful contributions to DBNR from both the expansion of the number of sensors as customers increase Falcon's footprint across their environment and from cross-selling as customers purchase additional modules.
In FY 2022, we saw close to a 50/50 split between expansion and module cross-sell, compared with an approximately 60/40 split in FY 2021 as customers are landing bigger with more endpoints across the estate and expanding with more modules. As we land bigger and see increasing module adoption across the board, there are some competing dynamics within our dollar-based net retention, but we continue to expect that we will remain above the 120% benchmark in the near term.
This is no small feat given our increasing scale and increasing customer land sizes, and speaks to our significant upsell and cross-sell motion, as George mentioned earlier. Tying this all together, George demonstrated the new logo opportunity earlier, and as we've just walked through, we are seeing tremendous growth in new logos and module adoption across all account sizes.
Now I will dive into the significant runway for growth available to us within our existing customer base. The significant platform expansion we have delivered in the past year doesn't just expand our overall total addressable market opportunity, but also our total opportunity within our own existing customer base.
Looking at this from a white space perspective, the question is, what does our total addressable market look like within our own customer base? In FY 2021, we achieved over $1 billion in ending ARR with a healthy net retention rate as our up-sell and cross-selling motions are very mature.
Expanding on that cohort, if our FY 2021 customers adopted the entire platform that was available to them at the time with the same number of endpoints and consistent ASPs, the full platform opportunity would be equal to more than 2.5x FY 2021 ending ARR, showing a significant runway to add net new ARR from within our existing accounts.
With the addition of new Falcon modules in new adjacencies such as identity and log management, this methodology would value the full FY 2022 platform opportunity of the customer base at approximately $7 billion. More than 4x our FY 2021 ending ARR and approximately 150% growth in opportunity from the prior year.
While we don't assume that every customer will adopt the full Falcon platform, the magnitude of expansion in the total opportunity speaks to the extent to which we are increasing the value we can provide to our customers and the rate at which we are expanding the capabilities of the platform. Emerging product areas are important contributions to our growth. As we discussed a few weeks ago, both our public cloud deployments and emerging product areas are contributing meaningfully to our business.
Starting with the public cloud, we previously disclosed in Q4. We surpassed the $100 million ending ARR milestone for deployments of Falcon in the public cloud, growing 20% quarter-over-quarter. Recall that this represents a deployment view and refers to any module deployed in the public cloud. Today, we have over 5,000 customers who have deployed Falcon in a public cloud environment.
That represents nearly a third of our customer base at the end of FY 2022. While we view that as a great start, we think there's a lot of headroom within those accounts, within the rest of the CrowdStrike customer base, and of course, with new logos.
I'd also like to note that the landing dynamics in the cloud generally start with smaller initial deployments and offer larger workload expansion opportunities, which is very different from what we see in traditional endpoint, where we are generally deployed wall-to-wall out of the gate. Another area where we see a lot of opportunity is our emerging products that address the use cases outside of traditional endpoint security and includes D iscover, Spotlight, Identity, and Log Management, which all meaningfully contribute to this group.
In Q4, we disclosed that this bundle of modules reached $157 million in ending ARR and had grown more than 100% year-over-year. Our modules in this category that have been in the market the longest are Discover and Spotlight, which represent a bigger portion of this group in terms of ARR and are growing nicely above our corporate average for ARR.
Our identity modules are rapidly catching up and are seeing hypergrowth with more than 350% year-over-year ARR growth as of Q4 FY 2022. Our log management offering is also performing extremely well.
While this module doesn't have a year-over-year comparison because the acquisition closed in Q1 of FY 2022, analyzing the growth from the starting point of the ARR we acquired in Q1, we have seen more than 400% growth across FY 2022, an absolutely phenomenal initial year for this new business. This does not include any contribution from our recently launched XDR module, where we see another exciting avenue of future growth.
Our success to date in these adjacent areas demonstrate that CrowdStrike is much more than an endpoint company and instead a true extensible cloud platform with significant growth opportunities in front of us as we expand to new markets. Pivoting to a different growth avenue for us, as we outlined during the Q4 earnings call, FY 2022 was another record quarter for the expansion of our partner ecosystem.
During the year, PartnerSource ending ARR grew 83% year-over-year, with our MSSP business growing more than 200% and ARR growth from the AWS marketplace grew over 100%. As a channel-first company, our partner ecosystem is an important driver of growth and helps us efficiently reach more of the market.
In FY 2022, more than 90% of our customer transactions involved a partner in the sales process. As the growth in our PartnerSource ARR demonstrates, we are continuing to see the benefits of our strong engagement with the channel as they increasingly bring us business. Diving deeper into the AWS marketplace, you can see just how meaningful these dollars are to us now. Last year, we called out that our ARR had well exceeded $50 million, representing a sizable channel.
As you can see with the more than 100% growth, we now see ending ARR well in excess of $100 million from this channel. This really speaks to the success of our partnership with the world's largest public cloud provider and highlights the value our partnership is providing to both companies as well as our shared customers.
We've covered quite a bit in a short period of time, so let's take a moment to recap the opportunities in front of us that give us a clear vision to $5 billion and beyond in ending ARR. First, while we have shown incredible growth to a significant scale, we believe we are still in the early innings of CrowdStrike's journey with our best days ahead.
As we have shown, there is significant headroom to acquire new logos, expand within our existing customer base, and innovate on the platform to address entirely new areas organically and through thoughtful and deliberate M&A.
Second, we see multiple avenues to drive sustained long-term growth, leveraging our existing business, which is fueled by strong secular tailwinds, our true cloud-native platform, and our efficient go-to-market engine that is winning customers of all sizes. We have delivered strong growth both in the U.S. and abroad.
With more than 70% of our revenue coming from the U.S., we see significant opportunities as we look to expand our international presence. Third, we see tremendous opportunities in the public cloud and in the areas outside of traditional EDR.
Finally, our ability to rapidly innovate and bring new modules to market enables us to naturally expand into new adjacencies, grow our TAM, and drive module adoption with both new and existing customers. Our extensible platform also enables us to relatively quickly integrate new or acquired technologies and enter markets that are poised for disruption, as you've seen with our success with both the Preempt and Humio acquisitions, and we intend to do the same with SecureCircle.
So far, I have focused on growth, but as George Kurtz outlined at the very beginning of today's briefing, we have created a platform and business model designed to deliver growth, non-GAAP operating income, and free cash flow. We are committed to profitable growth, and it has never been a growth at any cost endeavor for us.
We have incredible leverage in our model, and I'll talk through how we think about what we have achieved to date and what we see in the future. Take non-GAAP growth margin. This is an area that you all know I am extremely proud of with the progress we've made. One of the things that makes us a truly unique business is the harmony between our technology and our business model.
You've heard me say that we collect data once and reuse it many times, but this is a fundamental driver to our model that is inherent to our architecture and can only be achieved with a truly cloud-native approach. While many legacy and next gen players are supporting hybrid and on-prem versions with multiple data stores, we can deliver real scalability as we add customers and expand the platform.
Of course, on a non-GAAP operating margin, we have seen a steady progression in margin expansion, ending the fiscal year at approximately 14% and exiting the year at approximately 19% in Q4. On a dollar basis, our non-GAAP operating profit grew more than 200% in FY 2022 as we recognize the benefits of the significant leverage in our model.
I'm incredibly pleased with our margin performance. The net effect of this is the incredible amount of cash that the business model delivers. We have grown from $12 million of free cash flow in FY 2020, the year of our IPO, to well over $400 million in free cash flow at 30% of revenue in FY 2022.
Adjusted for the one-time tax payment we made in FY 2022 related to the acquisition of Humio, our free cash flow was 35% of revenue and over $0.5 billion . Of course, all of this ties back to what you have heard me talk about a lot recently, which is the efficient growth at scale, which is a top priority for us. You can see this in our exceptional unit economics that have remained best in class for many consecutive quarters.
We are highly efficient, and these are strong indicators that we have significant headroom to invest more, and we plan to do that across sales and marketing, R&D, and CapEx. Which leads me to our discussion on the target model. Looking at all of this in the context of our target model, we have made significant steps towards achieving our target model.
In our last two reported fiscal years, subscription gross margin, R&D, G&A, and free cash flow margin were all within our target ranges. I think it is clear from our phenomenal performance in Q4 and fiscal year 2022 that our model is highly leverageable. We are operating very efficiently as a company and achieving a high ROI on our investments.
We believe our business model is capable of delivering our target model's operating income in the near term, but we do not think that would be the best course of action given the massive market opportunity we see at hand and our strategic position within the ecosystem. As we presented to you today, we have our sights on building an even bigger company, and we are bullish on our opportunities and ability to execute on our vision.
As such, we are continuing to increase investments in key areas, including building out our global footprint, which includes sales, partners, and platform. Investing in newer market areas such as identity protection, log management, and XDR. Innovating on the platform as we bring new modules to market, execute on our longer-term TAM opportunity, and resume travel and in-person events.
As our FY 2023 guidance reflects, we expect to deliver increased leverage and 30% free cash flow margin even as we grow and aggressively invest in the business. As reflected with green boxes on this slide, we expect to maintain subscription gross margin, G&A, and free cash flow margin within our target range from FY 2022 to FY 2025. On an annual basis, excluding any potential M&A.
Looking beyond FY 2023, we plan to deliver incremental leverage each year as we work toward consistently delivering operating margin on our target model of 20%-22% starting in Q1 of FY 2025. Additionally, longer term, we see room to exceed these targets beyond FY 2025. In summary, I've never been more excited about the opportunities for CrowdStrike, and I firmly believe that our best days are ahead. I look forward to continuing to rapidly expand and scale. Thank you very much. I will now turn it over to Maria to open up Q&A.
Thank you, Burt. We will now open up the Q&A to our covering analysts. As a reminder, if you wish to ask a question, please make sure your Zoom username is easily identifiable and use the Raise Your Hand feature on the bottom of the meeting window. When you are selected for a question, please be prepared to turn on your video and unmute your microphone. There might be a slight delay as you are prompted into the live queue. Our first question is from Saket Kalia of Barclays.
Okay, great. Maria, and team, can you hear me and see me?
We got you.
Yep, you're there.
Okay.
Hey, Saket.
Excellent. Hey, George. Hey, Maria. Hey, Burt. Thank you so much for hosting this session and for taking my questions here. Maybe George, I can start with you and Mike as well. You know, I wanna go back to one of the things you said in the very beginning of the session, which is about the SIEM market over the long term potentially being consumed by XDR.
Understanding it's early, George, can you just talk about that process a little bit? Do you think that XDR coexists with a SIEM? Do you think that XDR outrightly replaces it? And again, understanding that it's early, how have some of those early conversations been?
Well, it's a good question, and I think there's gonna be an evolution before it gets, you know, consumed by XDR. Ultimately, I do think that's the technology that will win out. You have to look at SIEM and its intended goal. It was intended to find advanced threats that couldn't be found before, you know, and that was well before EDR.
When you think about XDR, if you can find advanced threats across multiple domains, meaning the endpoint, firewalls, email, identity, et cetera, you're gonna get to the same outcome. Then you're creating the automation around that with things like Fusion that gives you the response. You know, if that is the use case, I think that's ultimately XDR.
There's certainly always gonna be a use case for log everything, save the data, ask questions, some of the things that we went through in the demo. Mike, I don't know if you wanna add anything to that.
Yeah. The only thing I would add today is we coexist today, Saket, and I think, you know, organizations are looking to Humio as a better way to do log management, to do SIEM. But I think, you know, over time, we'll see organizations will look to XDR if you know, take into consideration the comments that George has made when you look at our strategy to easily identify advanced threats. Over time, I think we'll see a lot of people really look to XDR as a more secure and more elegant option.
Got it. Burt, if I can ask a follow-up for you. Really appreciate the $5 billion target in FY 2026. You know, a lot of great detail on modules and especially the emerging modules, right? I think that was something that surprised us in the last call as well. I think we said, you know, it works out to about 8% or 9% of total ARR that's coming from those emerging modules. Burt, maybe the question for you is. How do you think about that mix as you look out to that $5 billion, and what modules do you envision making up the biggest parts of that anecdotally?
Yeah, Saket, great to see you. Great question. First, let me just reiterate that the $5 billion, of course, it's not guidance, it's just an illustrative view of what the possibilities are. Having said that, when you look at the you know, emerging product modules that we highlighted on the earnings call and then even again today, I think that you know, first of all, they're all meaningful in that number. As we march to $5 billion and beyond, I think they're all gonna play a significant role.
If you just dissect them, you can see, you know, a situation where, you know, Humio or log management, or identity, any one of those can be as big as the AV market was, or even SecureCircle, which wasn't in that group, but, you know, clearly is gonna be emerging tech for us. That can also be as big as our AV market was. You've got three, you know, different markets that we can go after that were as big as the core that we have today. Pretty exciting stuff, you know, as I look at it.
Agreed. Thanks very much for taking my questions.
Thank you.
Thanks, Saket. Our next question is from Matt Hedberg of RBC. He will be followed by Alex Henderson from Needham.
Hey, guys. Can you hear me?
Yep.
Great. Great presentation. I love the detail. Maybe one... George or Mike, you know, I think when we look at, I guess, a follow-up from Saket's question, when we look at Humio and log management, you know, can you talk about your opportunity to move beyond that, you know, into maybe even other aspects of observability.
Well, the good news is we're already there. Many of the sales of Humio are not security related, and that came from the DNA of the Humio team. They were solving some pretty big problems around observability, understanding the system performance, understanding you know, again, things around cloud clusters and pods and things of that nature.
At the end of the day, it really is a data platform that can consume any sort of digital exhaust, which would be log information. You know, you can go across the OS, you can go up the applications, you can talk about performance. Anything that can be logged can be put into Humio, and then obviously workflows created around that.
Obviously, we're early on our journey, but the technology does that today, and many of our customers actually use it for non-security use cases. We actually can go back to them and sell it for security use cases, which we're excited about. That's something that we're gonna continue to build out over time. When we think about security, observability, IT hygiene, asset information, those all converge together into this data platform.
That's great. Maybe just one more quick product question. Michael, super helpful to have you on the call as well. You know, when we think about data protection with Falcon FileVantage and SecureCircle, you know, how are customers potentially looking at leveraging that, you know, to maybe prevent what happened to Square recently with an internal data leak?
Yeah, I mean, there's a couple things to look at there. Obviously, FileVantage, the part that I love about that is there's so many organizations, very regulated, they need a file integrity monitoring solution. They get access, you know, hopefully, as you saw from the demo, really easy to try a new module, to try a new capability to leverage the same existing agents.
Removing friction means people get access to the product really quickly. I see as we work through integration with SecureCircle, and we continue to innovate in that space, we'll see the same thing where organizations, it's such a need. It's a huge requirement for every organization on the planet. People that have deployed Falcon can go and do the in-app trial. They can request the product.
They can see it working inside their environment, and they can use it in production. I'm really excited about it because it's a huge customer need, and we remove the friction and the complexity from getting access to the product.
Super helpful, guys. Thanks.
Great. Our next question is from Alex Henderson of Needham & Company, and he will be followed by a question from Brian Essex of Goldman Sachs. Alex?
Good morning. Or good afternoon. I was hoping you could talk a little bit about the Mandiant partnership that you talked about in the press releases today. Particularly in the context of if they're reselling your product as part of their process. They go in, they find, you know, issues using your technology. Does that lead to the same type of upsell tha t you get when you're doing your own services?
Then second, along the same lines, if they're going over to Google, does that mean that there's an opportunity for your technology to be used in the container space in a bigger way as a result of that partnership? How important is that relationship going to be?
Well, first, we're really excited about it. We got a lot of respect for the team. Kevin and I used to work together at Foundstone way back when, so we know each other really well and certainly both companies are mission focused. When we think about the opportunity here, obviously, leveraging, you know, the best technology in the market, not just me saying that.
You know, you look at Forrester, we're clearly the leader there. That's the type of technology that's been battle tested in incident response engagements, right? We've done it ourselves. We know how it works. We know how to deploy it at scale. That is, it's much more efficient than any other technology out there, period. We think that's a great opportunity.
As Burt talked about, in our own business, we convert a dollar of services into $5.71 of subscription revenue. We certainly see that as a multiplier effect that's gonna be able to unlock that within the Mandiant customer base as well.
You know, it allows future opportunities for other services that they have. I think it's really the start of a great relationship. We're excited about the Google acquisition. We know them well. They were an investor in CrowdStrike. We have a lot of respect for them. We partner with them now, and I think this is just the beginning.
Will you get that same uplift if they sell their you know manual services and discovery services and use your technology to help them in that process? Will you get that $5 of upsell or no?
Well, we don't know how many dollars it's gonna be, but we certainly believe it's gonna be a multiplier effect, right? We know our own metrics. At the end of the day, yes, the technology typically is used. It solves a really acute pain point in an incident response engagement, and it's left behind. The customer does not want to get rid of it once they see CrowdStrike in motion.
Right. Right.
In my opinion, I believe there's gonna be a multiplier effect.
What about on the cloud, container side, the runtime side? Is there an opportunity, as a result of that relationship to get further leverage on the cloud growth in that space?
Absolutely. When you look at Google, and you look at some of the things that we've already done with their workspace environment and being able to help protect customers, we think it is a great opportunity to continue to drive solutions with Google as well as leveraging Mandiant through that process.
Great. I'll let you off the hook this time, Burt. Thanks, guys.
Thank you, Alex.
Thank you.
Great. Thanks. Our next question is from Shaul Eyal of TD Cowen.
All right, you're up.
Hi, Shaul. Are you there?
Oh, yeah. Yes, I am.
Okay.
Yeah. Thank you, guys. Kudos on the presentation. Really impressive. My question is about your move to new market adjacencies. Without a doubt, it has been working flawlessly. As you move into further adjacencies, do you see as you guys knocking on some new doors, are you selling to the same audience? Or in some cases, they're like, you know, new faces that you need to interact with and maybe that could be creating the need for, you know, new education in that respect.
Yeah, it is a good question, and certainly when you look at how the company's evolved, you know, core security has been our market. We've expanded into other adjacencies outside that. Things like vulnerability management, IT hygiene. Obviously in the cloud world, it's the DevOps team. We went through that demo. That was actually a DevOps sale.
Certainly security was there to support it because of the compliance need and obviously the security need of it. When we think about that, we spend a lot of time in the enablement of the sales teams. There's some specialization that allow us to focus on things like the DevOps teams, right? It's different than just the security team. We're already doing that today. We're gonna continue to build that out with enablement as well as specialization.
that also means in the partner network, you know, Humio brought new sets of partners to us because of the way they went to market, and we continue to expand that out beyond just what I would say, core security sellers. You will definitely see that over time, evolve in the messaging and the selling motion, as well as in the channel relationships that we have.
Got it. That's it from me. Appreciate it. Thank you so much. Good luck.
Thank you.
Great. Thanks, Shaul. Our next question is from Patrick Colville of Deutsche Bank. Patrick, are you there?
There we go.
Okay.
Thank you. Thanks for being patient. I've got two questions, if I may. The first one is about Federal. I mean, at the top of the presentation, you kind of brought up the Federal opportunity. You know, mentioned that principally thus far it's been within civilian agencies.
You mentioned you just announced, I believe IL4 status and then the incremental opportunities in the DoD. Just, I mean, I guess help us understand what exactly this new status allows and then why specifically call out the DoD, you know, rather than the other agencies. What's, you know, why is that one that kind of piqued your interest?
Well, yeah. When you look at where we were at, and we've in the past talked about the CISA win, what we've done in civilian, what I would call also a license to hunt. As your question is centered around things like the DoD. As you sell into t he DoD, they have different security impact requirements, which are higher than IL3, things of that nature.
As you go up the stack, you unlock more available market and those are in the higher levels of security requirements, right? Civilian has less security requirements, still strict, but it's less than, say, DoD. As you go up the stack, you get more opportunities to sell into those markets.
This again is just part of our very methodical and thoughtful approach over many years to be able to unlock the potential of selling into the federal market. By the way, when you have these sort of certifications, it does help in the commercial space as well because people know the level of rigor that you put into the technology.
Got it. Can I just double-click on, or I guess a clarification, really. I mean, the deal with CISA has been kind of very important. If the DoD was to procure, would they procure via CISA, or would that be a separate procurement contract? Just to help us understand. Then I guess the reason I ask that is because, you know, one of the kind of big takes from the fiscal 2022 omnibus spending package was the increase in CISA's budget. Just, yeah, that would be kind of helpful to just finish up on that.
Yeah. Hi, Patrick. It's Michael. There's a couple of things that I'll just quickly add to your question, and to your previous one as well. I mean, I think at the end of the day, what we've shown and what we've talked about on the previous calls as well, is that we're now securing some of the U.S.'s most critical endpoints and workloads.
It's not only just the DoD, it's Department of Homeland Security, through Cybersecurity and Infrastructure Security Agency through CISA, as you mentioned, as well as a heap of other federal civilian agencies, the Center for Internet Security, and this continues to grow.
I think a big part of that is the work that we're doing with things like IL4, the work that we're doing to show how the technology can help operationalize the executive order. I think, you know, what we continue to do in this space and some of the work that we're doing partnering and being one of the CISA's founding partners with the JCDC program, is just gonna keep adding to that. CISA is looking to operationalize the executive order in a number of different agencies, and we'll work with them, and we'll work with the others, as I talked about.
Yeah, there's really multiple budgets that are available to us beyond just CISA, so hopefully that directly gets to the heart of the question.
Yeah, it does. Okay, great. Thank you so much for today. I mean, this has been a real excellent couple of hours.
Great. Thank you.
Thanks. Our next question is from Roger Boyd of UBS.
Oh, terrific. Can you hear me?
Yeah. We can.
Awesome. Thanks again. A tremendous amount of information went into this, so much appreciated. Maybe just going back to ITP identity security, some really impressive stuff there and frictionless technology. Can you just talk about where that spend is coming from to sell that product, where the friction is?
I know you've spoken a lot of times about the fact that CrowdStrike is not becoming an IDP or an authentication broker, but where does that spend come from and where is the friction to getting that ITP solution sold?
Yeah. Hey, Roger. I mean, we're incredibly excited about the work that we're doing in this particular space, and customers just get so much value from this. You know, fully integrated. It's an area that solves a problem that every organization is dealing with day in, day out. You would have seen some of our threat reports where we talk about 62% of the attacks not using malware at all, and a lot of the attacks heavily leverage identity as a big part of it.
You heard George talk about it early on when we were talking about MITRE testing, where it started off with an identity-based problem. It's a huge requirement for every single organization, and it's part of the security team requirements.
As you mentioned, we're not trying to be the IDP. We solve a different problem. There's a part for both vendors or both areas to coexist. As you saw in the demonstration, we're enabling multi-factor authentication, working with Duo. We work with Okta.
We're working with Ping and a whole bunch of others. We want to create that ecosystem, and we want to do it in a way where the end user is not the systems integrator. You know, we want to make it work out of the box. You heard that, you know, really come through a number of different times during the demo.
Makes sense. Just a quick follow-up. I know Falcon X Recon is on that new module list, but I wonder if you could just talk about the interest you're seeing in dark web monitoring, given the security community has been running on high alert for the past few months.
Yeah, it certainly has been a high alert. You know, that the module released with an incredible amount of interest. A lot of people really, to your point, you know, wanting to understand what's going on in the dark web, and that has certainly continued.
There's some real innovative capabilities that we've built in with Recon. When you look at the Threat Graph that we talked about today, you know, well over 1 trillion telemetry signals coming in every 24 hours. When you look at the reach of the platform that we have, we can provide a lot of information and put it at the fingertips of the organization. Certainly a lot of interest in Recon.
I don't see that slowing down anytime soon, obviously, with everything going on in the world, because again, it just solves a problem that organizations face, large and small.
Great stuff. Thanks, everyone.
Thanks.
Okay, thanks, Roger. Our next question is from Trevor Walsh of JMP, and our last question will be from Mark Tsang of Citi.
Hey, y'all. Can you hear me okay?
Yep.
Yes.
Great. Good to see you all. I just kind of wanted to dig in a little bit about the free trial in-app. I thought that was really cool. Maybe best for Burt for the first part. Do you have any metrics around just kind of what the conversion rate from that capability is and what that looks like that you can share?
Yeah. Typically we don't, you know, share the specific data about the free trial. What we can tell you is that it's been a big piece of our go-to-market, certainly on the SMB side of the house. It's another one of those things which really, you know, George thought about, you know, in the early days to kinda, you know, mix the two notions of a SolarWinds plus, you know, an Atlassian put together and that really kind of drives the logos as well as the frictionless way that we can sell. It's one of those techniques that we've developed internally, and that's been really successful in terms of the uptick. I'm not sure if, George, you have anything else on that.
Yeah. Be quick because I know we have limited time, but there is a lot of effort that went into building the e-commerce platform. This is not just like a website. There's a full e-commerce platform behind what we built. This is the reason when you look at our sales efficiencies, the magic numbers, the conversions, the number of modules per customer.
You know, it's all part of the business model, and the platform is designed to sell itself to our customers. As Mike showed, you click a button and another module's enabled. There's zero friction to it. I think that is really an underappreciated aspect of our business. There's a lot of IP that we built behind the scenes there.
Great. Awesome. I know we're short on time, so thanks. Appreciate the question.
Thank you.
Thanks, Trevor. Our next question, and our last question is from Mark Tsang of Citi. Mark, are you there?
Hello, can you guys hear me?
Yeah.
Yes, we got you.
Great. Thanks, guys. So good afternoon. Thanks for taking our questions and thanks for, you know, the great details on the long-term views. Maybe just an aspect of, you know, question on the pricing strategy for cloud-focused solutions going forward, just given, you know, the more transitory nature of containers workload that Falcon Cloud Workload Protection protects on the public cloud.
But then near term, can you give a sense of, you know, how sticky the current pricing structure can hold, particularly in, you know, the context of what we've really seen recently transpire with, you know, the consumption-based and usage-based models? Thanks.
Yeah, it's a good question. From a pricing perspective, again, you know, we're selling on the value of what we're delivering, but you know, we have to offer a flexible consumption-type model. We have to offer the flexibility to procure our product, which is different than the price itself.
You know, we're getting value for the price that our customers are getting value for what we're charging, and you know, we're quite happy with that. We do have the ability to license based upon, you know, modules and use, you know, for the year, if you will. We have the ability to license in ephemeral workload, so you consume it, you pay, and you know, the billing's integrated.
We have pooling options that allow you to, you know, procure, you know, X number of sort of, modules and IPs, and then you can rotate things around. We've come up with some flexible ways for customers to procure. We talked about AWS as an example.
Customers can use EDP to actually procure our technology. You saw the incredible stat and the growth in that business. We got a lot of flexibility, and you know, we're evolving with the cloud providers as they come up with new business models as well. All right.
Great.
Thank you.
Thanks, Mark. George, how about some closing remarks?
Yeah. I wanna thank everyone. I know we spent a little over two hours here, and everyone is certainly busy, so to carve out some time is certainly appreciated. Hopefully, we've given you an appreciation for the type of business we've built here. As we talked about earlier, generational type business.
When you look at the metrics in where we are in our journey as a company, 10 years, public company for a couple years, we are in rarefied air, and it's part of the DNA that we not only focus on the technology, but also on the business model. You know, one of the areas that Burt and I are so proud of is the free cash flow and profitability, you know, growth and profitability put together.
With that, we just wanted to give you a view of how we think about the long term. We spend a lot of time, and we're very deliberate on how we plan next modules and what we do and the markets that we attack. I think between the endpoints and workloads, the identity, the data piece we've outlined, we have a massive opportunity in front of us, and I couldn't be more excited. With that, we'll get things wrapped up. I wanna thank everyone. Maria, I'll turn it back to you.
Thank you, George. Everyone, that concludes our presentation today. Thank you all for joining. See you next time.
Thank you.