Hello and welcome to CrowdStrike's Fiscal Second Quarter 2026 Financial Results Conference call. At this time all participants are in a listen only mode. After the speaker's presentation, we will conduct a question and answer session. Please be advised that today's conference is being recorded. I would now like to hand the call over to Maria Riley, Vice President of Investor Relations. Maria, please go ahead.
Good afternoon and thank you for your participation today. With me on the call are George Kurtz, Chief Executive Officer and founder of CrowdStrike, and Burt Podbere, Chief Financial Officer.
Before we get started, I would like to note that certain statements made during this conference call that are not historical facts, including those regarding our future plans, objectives, growth, including projections and expected performance, including our outlook for the third quarter and fiscal year 2026 and any assumptions for fiscal periods beyond that, are forward looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. These forward looking statements represent our outlook only as of the date of this call. While we believe any forward looking statements we make are reasonable, actual results could differ materially because the statements are based on current expectations and are subject to risks and uncertainties. We do not undertake and expressly disclaim any obligation to update or alter our forward looking statements, whether as a result of new information, future events or otherwise.
Further information on these and other factors that could affect the company's financial results is included in the filings we make with the SEC from time to time, including the section titled Risk Factors in the company's core Quarterly and Annual reports. Additionally, unless otherwise stated excluding revenue, all financial measures disclosed on this call will be non-GAAP. A discussion of why we use non-GAAP financial measures and a reconciliation schedule showing GAAP vs non-GAAP results is currently available in our earnings release, which may be found on our Investor Relations website at ir.crowdstrike.com or on our Form 8-K filed with the SEC today. With that, I will now turn the call over to George.
Thank you Maria and thank you all for joining our Q2 FY 2026 earnings call. Reflecting on our second quarter, the key theme was reacceleration. We've talked about reacceleration coming in the back half of this fiscal year. It's here now. I'm proud of CrowdStrike's ability to deliver reacceleration, our return to year-over-year, net new ARR growth a quarter early. Our reacceleration is driven largely by AI necessitated demand for the Falcon platform and stellar execution across the business. Q2 was a robust quarter where we exceeded all guided metrics.
Highlights included: one, record Q2 net new ARR of $221 million, double digit millions ahead of our expectations, showcasing accelerating net new arrangements; two, ending ARR of $4.66 billion, growing more than 20% year-over-year; three, record Q2 free cash flow of $284 million or 24% of revenue; four, record operating income of $255 million or 22% of revenue; five, total revenue growth of 21% year-over-year, reaching $1.17 billion and exceeding the high end of our guidance; six, Cloud, Next-Gen Identity, and Next- Gen SIEM platform solutions are now more than $1.56 billion in ending ARR, growing more than 40% year-over-year; and seven, we surpassed the 1,000 Falcon Flex customer milestone, with the average Flex customer representing more than $1 million of ending ARR. Building on last quarter's Re-flex momentum, now more than 100 customers have already Re-Flexed. We're very pleased with adoption rates.
Seeing so many customers Re-Flex validates the Flex model and illustrates customers accelerating consolidation with CrowdStrike. Quarters like this one highlight our momentum and progress on the path to $10 billion in ending ARR. Setting new records, achieving net new ARR reacceleration sooner than anticipated, and rising competitive win rates highlight CrowdStrike leading the way in cybersecurity. Our innovative solutions are winning at scale, like exposure management, which surpassed $300 million in ending ARR and was named a leader in the 2025 IDC Worldwide Exposure Management MarketScape. CrowdStrike's market leadership was further reflected in Gartner's latest Magic Quadrant for endpoint protection platforms, where we were placed in the leader box for the sixth consecutive year. Our position was furthest right for completeness of vision and highest for ability to execute out of all vendors for the third year in a row.
In cybersecurity as well as the broader technology market, AI's impact is palpable as organizations of all sizes embrace AI transformation. I hear several thematic concerns from executives and boards. One, where is shadow AI emerging in my business?
Two.
How do I control what data enters AI systems? Three. How do I control what AI systems can do in my enterprise? Which ultimately leads to the focal question of four, how do I secure AI agents? AI has made the role of CISOs and CEOs more complicated than ever. Answering these four questions is far too difficult, expensive, nuanced, conditional, and incomplete. At the same time, adversaries are now using AI, democratizing destruction at mass scale. Our threat intelligence research uncovered Famous Chollima , a North Korean nexus group using GenAI to infiltrate more than 320 enterprises by automating fabricated resumes and conducting deepfake interviews. The threat is real.
CrowdStrike's role in the agentic era is staying ahead of AI-armed threat actors to secure AI at every layer, beginning with the AI model itself, to the workloads and hosts on which they run, to the actual human and agentic identities, to the end user devices accessing these systems and applications. In this time of societal and technological revolution, we secure where AI happens. Enterprises are quickly realizing AI security is not a network problem. AI doesn't happen in transit. Model creation and AI development happens in the cloud and in the data center, AI adoption happens at the endpoint on the computing device itself, and AI access happens by users with human and increasingly non-human machine identities. CrowdStrike secures each of these attack surfaces. We deliver AI for security, where we revolutionize security operations with our own SOC agent, Charlotte.
We also deliver security for AI, helping the world securely adopt the power of agentic outcomes. This combination, grounded in our data foundation, is a competitive moat. You can't just stitch or acquire a unified AI-native platform. AI security's primary enforcement mechanism is not and will not be the firewall. AI security must be on the devices, workloads, data, and identities anywhere, everywhere, and always on. AI security, and now enterprise security in the agentic era, is fundamentally a data, speed, and enforcement problem, one that CrowdStrike solves today and is uniquely positioned to solve tomorrow. Driving adoption of the Falcon platform as the operating system of cybersecurity is our Next-Gen SIEM. Every day, customers are discovering the power of our native hyperscale data foundation to solve their most complex security and IT problems.
Falcon Next-Gen SIEM had a stellar Q2 with year-over-year growth of more than 95% and ending ARR of more than $430 million. Next-Gen SIEM is becoming synonymous with AI SOC transformation, akin to upgrading from a typewriter to a computer, unlocking new capabilities, cost efficiencies, and agentic speed. A leading Global 2000 communications platform chose Next-Gen SIEM in a highly competitive seven-figure legacy SIEM replacement. Synthesizing EDR and third-party data proved easier, faster, and more effective than going with a network-first SIEM product. We're not stopping. Today we're incredibly excited to announce our intent to acquire Onum, a leading data pipeline platform built on a proprietary stateless in-memory architecture. We believe Onum is the perfect complement to Next-Gen SIEM. It offers unparalleled speed, scale, and efficiency in onboarding to Next-Gen SIEM while giving customers control of their data.
Onum will bring Falcon's AI-powered detections closer to third-party data sources in-pipeline, starting analysis before data even enters the Falcon platform. Here's why Onum stood out to us. 1. Speed: Onum delivers five times more events per second than its nearest competitor and processes data in real time versus legacy batch and store methods. 2. Cost: Onum smart filtering reduces data storage costs by 50%. 3. Superior outcomes: Onum's real-time pipeline detection starts before data enters the Falcon platform, delivering up to 70% faster incident response with 40% less ingestion overhead. If our Next-Gen SIEM is the engine that powers the modern SOC, then data is the fuel that makes the engine run. Onum is both the pipeline and the filter, streaming high-quality filtered fuel quickly into the engine to drive robust, efficient, and superior performance.
With Onum, CrowdStrike will align with each stage of the AI lifecycle: ingestion and detection of data, filtration and optimization of data, as well as actioning and enforcement to produce high-fidelity autonomous outcomes across security and non-security use cases. Before migrating data into Next-Gen SIEM was a long pole in the displacement tent, often requiring third-party tools. Our acquisition of Onum is a direct response to a growing chorus of frustration with the incomplete data and punitive costs from today's third-party tools. We're forging a new path. Onum and Next-Gen SIEM will enable CrowdStrike customers to focus on earlier in-pipeline detection, blazing fast data streaming, and high-fidelity data filtration, optimizing the agentic Next-Gen SIEM experience. Most importantly, the acquisition of Onum will give our customers control of their security, observability, and IT data, uniquely positioning CrowdStrike as our customers' data foundation.
With our performant data platform as its foundation, CrowdStrike is rapidly expanding our pace of AI innovation. Charlotte is our agentic SOC analyst automating actions and now end-to-end autonomous workflows across the SOC. Charlotte had a record quarter, growing more than 85% over Q1. We're embedding Charlotte across the entirety of the Falcon platform, empowering customers to achieve their agentic security goals out of the box with immediate ROI. Charlotte is constantly learning and improving as we train it on our market-leading threat intelligence, battleground incident response, and scaled Falcon Complete MDR analyst behavior. As one of cybersecurity's largest MDRs, our Falcon Complete SOC data is akin to the encyclopedia of threat telemetry, resulting in a powerful cybersecurity AI feedback loop. Our unique cyber data advantage coupled with our data science expertise create a reinforcement learning flywheel, continuously adapting and improving autonomous detection and response.
The outcome is Charlotte turning our data moat into a fortified and dynamic AI wall. Our customers are facing AI disruption, which is driving our Next-Gen Identity business. As agentic identities proliferate, customers require an identity security solution to safely leverage agentic AI, preventing exploitation, misuse, and breaches. We recently announced the launch of Next-Gen Identity protection, which extends our best-in-class identity protection to non-human identities or NHI, SaaS applications, and most importantly AI agents, including Falcon Shield. Our Next-Gen Identity protection business exceeded $435 million of ending ARR in Q2, growing more than 21% year-over-year. Based on customer demand and seeing another opportunity to innovate, we launched our own PAM offering in Q1. Elevated uncertainty around the future of legacy PAM tools is driving heightened interest in our Next-Gen PAM solution.
Driven by the excitement for Next-Gen Identity protection and Next-Gen privileged access, these new solutions significantly expand our identity opportunity. A leading global consulting firm decided to replace their legacy PAM after years of frustration with cost, limited efficacy, and point product woes. Our ability to deliver privileged account password rotation, privileged user identification and risk assessment, privileged escalation detection, user risk profile insights, and flexible MFA controls for different departments helped this customer consolidate with confidence. With nothing new to deploy, this customer seamlessly met all device trust, escalating privilege, and cyber insurance requirements. Moving to our cloud business, the rapid adoption of AI has placed a spotlight on the importance of securing cloud infrastructure at runtime. While out-of-band posture tools can lend an overall view of security health, they are incapable of stopping breaches.
CrowdStrike is a leader in cloud runtime protection, with the largest and most sophisticated enterprises trusting us to protect their most critical production environments. With the need to secure AI as a backdrop, we delivered impressive net new ARR in cloud. This past quarter, total cloud ending ARR exceeded $700 million, growing more than 35% year-over-year. A Fortune 500 energy supplier selected Falcon Cloud Security in a seven-figure win. The ease of adoption for our single platform approach and having ASPM already natively integrated drove this win. Our ASPM reduced months of manual work into minutes through this upsell. Falcon Cloud Security consolidated more than 10 point products across CNAPP, CSPM, ASPM, CDR, and container security. Contributing to our platform growth is our revolutionary Falcon Flex model, helping customers accelerate and maximize Falcon platform adoption.
In Q2, we crossed 1,000 Falcon Flex customers, adding more than 220 new Flex customers. Not only are we and our partners successfully landing new Flex deals, we also continue to see increases in one platform adoption. Utilization of Flex contracts is more than 75% across the Flex customer base. Re-Flexes: we more than doubled the number of Re-Flexed accounts to nearly 10% of all Flex customers in just an average of five months from their initial Flex subscriptions. This cohort of Flex customers found themselves wanting more modules and more consolidation. Re-Flexes on average are yielding a nearly 50% uplift in Flex customer ending ARR, illustrating the strength of the Falcon platform and the power of our game-changing licensing model. Re-Flex activity gives us conviction in our net new ARR acceleration, highlighting the difference between a one-time ELA and the recurring Flex model.
A lighthouse example of the Re-Flex motion was with a Fortune 500 software firm which completed an eight-figure Re-Flex 18 months prior to their initial Flex subscription expiration. This customer decided to take their next strategic step with CrowdStrike, enabling them to modernize their SOC by replacing a legacy SIEM and a hyperscaler SIEM. They also adopted Charlotte agent to identify threat hunting and SOC operations. What was recently a very successful Flex has become an even more impressive Re-Flex. Consolidation isn't just a phenomenon with our customers, we also see it with our ecosystem partners. Diverse partner types are continuing to standardize on Falcon as their cybersecurity platform of choice. Take Red Canary, an MDR focused on the mid-market to small enterprise.
Recently acquired by Zscaler, one of our strategic technology partners, Red Canary decided to consolidate and migrate their legacy point product EDR install base of more than 100,000 endpoints across hundreds of customers onto Falcon through a multimillion dollar Q2 transaction. Red Canary is migrating these customers to CrowdStrike where they will enjoy Red Canary's MDR services delivered on the Falcon platform. Red Canary is just one of the many MSSPs who build their business on CrowdStrike. Further into the SMB market, Amazon Business Prime selected CrowdStrike Falcon Go for millions of businesses around the world. Business Prime members now receive Falcon Go as part of their subscription, opening a significant sub-100 user TAM. This partnership highlights our ability to strategically monetize new markets and migrate underserved segments from legacy ineffective technologies. Lastly, industry stalwarts like NVIDIA continue to choose CrowdStrike as their cybersecurity partner of choice.
With our recently announced integration of Falcon Cloud Security with NVIDIA Universal LLM, NIM Microservices, and NeMo Safety, NVIDIA customers now benefit from full AI lifecycle protection for over 100,000 LLMs through Falcon. Partners sourced over 60% of Q2 new business, highlighting our ecosystem's competitive advantage and leadership across all customer segments. I started my remarks talking about acceleration. AI is accelerating every aspect of our society and revolutionizing the way we work, but it's also accelerating the adversary. I know all too well that there is no peacetime in cybersecurity. The adversary never rests. The world is soon to embark on the largest arms race ever, the arms race over AI superiority. The world's AI infrastructure necessitates protection from development to deployment, from cloud to endpoint, and from human to agent. CrowdStrike isn't just a passenger in this revolution, we're driving it.
We're becoming the foundation of our customers' AI future, delivering the security platform that makes AI transformation possible. Looking forward, AI-driven market demand and customer-driven consolidation brought together by our revolutionary Flex licensing model drive my belief in sustained growth. In light of the demand environment and our platform superiority, our guidance now assumes back half Net New ARR will grow at least 40% versus last year. With that, I'll turn the call over to Burt Podbere, CrowdStrike CFO.
Thank you George and good afternoon everyone. We delivered a strong second quarter, exceeding expectations across all guided metrics. We achieved record Q2 net new ARR of $221 million and net new ARR re-acceleration a quarter ahead of our expectations, growing ending ARR to $4.66 billion, up 20% over last year. Market demand for our AI-native Falcon platform and Falcon Flex subscription model drove strength across the business. The number of deals with total deal value over $10 million doubled year-over-year and we reached a new milestone of 800 customers with ending ARR exceeding $1 million. As George highlighted, customers are increasingly consolidating their security operations onto the Falcon platform as they modernize their security stack for the AI era. This momentum is reflected in our module adoption metrics with 48%, 33%, and 23% of subscription customers adopting six, seven, and eight or more modules, respectively.
Most notably, among our customers with over $100,000 in ending ARR, we reached a new milestone with 60% adopting eight or more modules, demonstrating the power of our platform consolidation strategy. Looking into the back half of the year, the combination of strong Falcon Flex momentum, record Q3 pipeline, and increasing demand for our AI-powered innovations reinforces our conviction in driving year-over-year growth acceleration in both net new ARR and ending ARR. Moreover, we have a clear line of sight to well exceed the $5 billion ending ARR milestone by fiscal year end, achieving the ambitious goal we set in 2022 as we execute on our path to $10 billion in ending ARR by FY 2031. Moving to the P&L, total revenue exceeded our guidance range and grew 21% over Q2 of last year to reach $1.17 billion.
Subscription revenue grew 20% over Q2 of last year to reach $1.10 billion and professional services revenue was a record $66.0 million. The geographic mix of second quarter revenue consisted of approximately 67% from the U.S. and 33% from international geographies, with both U.S. and EMEA year-over-year growth accelerating compared to Q1. Total non-GAAP gross margin was 78% and non-GAAP subscription gross margin remained best in class at 80% of revenue. Total non-GAAP operating expenses in the second quarter were $652.5 million or 56% of revenue. In the second quarter, non-GAAP operating income was a record $255.0 million and operating margin was 22%, exceeding our guidance. Strong top line performance and efficiency gains from our strategic plan drove the outperformance in profitability, highlighting our commitment to profitable growth as we accelerate net new ARR growth and execute on the path to achieving our target operating model.
GAAP net loss attributable to CrowdStrike was $77.7 million and included $35.7 million of expenses for outage and related matters and $38.4 million of strategic plan related charges. Non-GAAP net income attributable to CrowdStrike was a record $237.4 million or $0.93 on a diluted per share basis, exceeding our guidance in Q2. Our long-term projected non-GAAP tax rate decreased to 21% from 22.5%, reflecting recent changes in tax legislation and resulting in a $0.03 benefit on a diluted per share basis. Moving to cash, our cash and cash equivalents grew to a record $4.97 billion. We generated record Q2 cash flow from operations of $332.8 million and record Q2 free cash flow of $283.6 million, or 24% of revenue. Expenses for outage related and strategic plan costs impacted Q2 free cash flow by approximately $29 million.
Moving to our outlook and modeling notes, our leadership is showcased by our record Q2 performance, strong Falcon Flex adoption and expansion, continued strong retention rates, and broad success across our AI-powered Falcon platform. This momentum further bolsters our conviction in continued net new ARR acceleration for the back half of FY 2026. While we do not guide to ending ARR or net new ARR, our revenue guidance includes the following assumptions: high single-digit sequential net new ARR growth Q2 to Q3 and at least 40% year-over-year net new ARR growth for the back half of the fiscal year, bringing ending ARR growth for FY 2026 to more than 22%. Our revenue guidance also assumes a wider than typical range for professional services given the strong Q2 performance.
Additionally, as we discussed last quarter, as a result of our successful CCP and related partner programs, our ARR to subscription revenue assumptions include a separation of $10 million- $15 million per quarter through Q4. When this impact begins to subside, we ask that you please reflect this when updating your models. Moving to cash, payments related to strategic plan costs are expected to be de minimis in Q3, and we expect to make Q3 cash payments of approximately $51 million in connection with outage related costs. As previously discussed, we expect to exit this fiscal year with a free cash flow margin of 27% in Q4, expanding to more than 30% for the full year FY 2027.
Moving to our outlook for the third quarter of FY 2026, we expect total revenue to be in the range of $1.208 billion- $1.218 billion , reflecting a year-over-year growth rate of 20%- 21%. We expect non-GAAP income from operations to be in the range of $256.0 million- $262.0 million and non-GAAP net income attributable to CrowdStrike to be in the range of $238.1 million- $242.8 million. We expect diluted non-GAAP net income per share attributable to CrowdStrike to be approximately $0.93- $0.95, utilizing a 21% tax rate and weighted average share count of approximately 257 million shares on a diluted basis for the full fiscal year 2026. We currently expect total revenue to be in the range of $4.7495 billion- $4.8055 billion, reflecting a growth rate of 20%- 22% over the prior fiscal year.
Non-GAAP income from operations is expected to be between $1.0001 billion and $1.0401 billion. We expect fiscal 2026 non-GAAP net income attributable to CrowdStrike to be between $922.4 million and $954.0 million. Utilizing a 21% tax rate and approximately 256 million weighted average shares on a diluted basis, we expect non-GAAP net income per share attributable to CrowdStrike to be in the range of $3.60- $3.72. Finally, Falcon 2025 begins on Monday, September 15th. With over 100 sponsors and over 8,000 attendees, Falcon is going to be our largest customer event yet. We will hold an investor briefing during the conference on Wednesday, September 17th. The briefing will be webcast live on our investor relations website and we look forward to seeing many of you there. George and I will now take your questions.
Thank you. If you would like to ask a question, please click on the Raise hand button, which can be found on the bar on the bottom of your Zoom window. You may remove yourself from the queue at any time by lowering your hand. When it is your turn, you will hear your name called and receive a message on your screen notifying you that you may unmute yourself. In the interest of time, participants will be limited to one question. Our first question comes from Andy Nowinski with Wells Fargo. Please unmute your line.
Okay. Good afternoon. Thank you for taking the question.
I'm really impressed with the many new products you launched this quarter, particularly on the identity side. I do have a question around.
The revenue guidance that you gave for.
Both Q3 and the full year. I'm wondering if the partner rebate program.
You talked about last quarter, you know.
Remains in effect for the remainder of the year, or if it goes beyond that. Is that $10 million- $15 million per quarter that you just mentioned? Is that factored in?
Into your revenue guidance, or is there?
More to it than just the partner rebate program?
Thank you.
Thanks, Andy. It's Burt. First, let me start off by saying that ARR is the best leading indicator of our business. We've used it since we went public. George and I talk about it all the time. First and foremost, we're very pleased with net new ARR performance in the quarter as well as our record Q3 pipeline. Second, our guidance now assumes back half, net new ARR will grow at least 40% versus last year with high single digit sequential net new ARR growth in Q2 to Q3 and ending ARR growth for FY 2026 to be more than 22%. Finally, we did give a wider range than typical for pro services and for partner rebates. Last year after the outage, we made an investment in our partners through these programs and that has paid off and has helped us sustain our high retention rates and accelerating net new arrangements.
As previously stated, we expect the impact of CCP and special partner programs to subside starting in Q4 of FY 2026. We would do this all again, Andy, 100% of the time. Making those investments really paid off for us.
Layla, we can go to our next question.
Your next question will come from Matt Hedberg with RBC.
Great. Thanks for taking my question, guys. You know, George, it was really interesting to hear you talk about identity. It seems like you're having a lot of success there with Shield and even some legacy displacements as well as your PAM acquisition. Now, given the announced, [hello, Alpha Cyber Work deal], can you talk a little bit more holistically about how you're thinking about targeting the identity market versus some of the pure plays and just kind of, you know, how you see this market evolving over time?
Thank you for that. When you look at identity, this is something that we were well ahead of the curve in identifying in 2020, which is why we did the Preempt acquisition. We took the time, we've integrated it. It's a key part of our platform and our fabric today. Our customers love it and they want more. They've been asking us for years to come out with a PAM solution, which we did in Q1. They're looking for alternatives and they're looking for a Next-Gen technology that isn't just legacy stitched together. From the standpoint of identity, we've identified it very early as a key element to solving the security breach problems that are out there. With the announcement we made this quarter in terms of our Next-Gen Identity, which includes Shield, the uptake has been fantastic. We look at the breaches that are happening today.
A huge part of that is in the enterprise SaaS market. Our product Shield combined with our other identity solutions are key in helping prevent these. I think we're in the perfect spot and we're in a position where customers are demanding alternatives to legacy solutions and we're going to continue to evolve. The good news is we've been in the market since 2020. We've recognized identity is critical very early on.
Layla will take the next question.
Your next question will come from Saket Kalia with Barclays. Please go ahead.
Okay, great. Hey guys, thanks for taking my question here. A nice quarter. Thank you, George, maybe for you. Thanks a lot for that comment on just the second half, net new ARR growth of 40%. That's great to hear and I think very useful. Maybe the question is, what are you seeing from the customers who bought those customer care packages, you know, that of course offered those customers great value in the wake of the outage? How do you maybe think about that net retention in the second half? Just as importantly, how helpful can Falcon Flex be in that process? Does that make sense?
Yeah, it's a great question. I have to go to the historical numbers on our renewal rates for modules. 95% + of the time a customer will renew a module once they adopt it. I got to start with that. Obviously, CCP was a new element for us, right? When you look at the value that we provide in these modules and once customers see it integrated into the platform and into their workflows, 95% + they're going to renew it. We feel confident that we'll see the CCP packages roll into renewals. We've spent the last number of months working with customers and making sure that we've got the right level of success there. I feel good about that. That will take place in Q3 and Q4.
You know, overall, when you've got the right platform, solving real problems that are out there, that's a good thing for us and it's a good thing for customers. Flex, of course, is a big part of that. Remember our CCP program, a lot of it was delivered through Flex, so we were able to seed the market much more rapidly in the Flex licensing mechanism than we would have. We leveraged this CCP program to actually seed Flex and now we have the ability to Re-Flex them on those CCP packages as they burn off.
Layla, we'll take our next question.
Your next question will come from Brian Essex with JPMorgan.
Great. Thank you very much for taking the question. You know, George, I had a question for you. On Onum, it looks like this is pushing in the direction of real-time analysis on streaming data. I'd love to get your sense of how this, how you envision this competing against legacy solutions and also how you think it will either complement or potentially cannibalize what you're seeing on live scale. In other words, from a practical standpoint, how do you anticipate customers utilizing this platform relative to what they're already using on a Next-Gen SIEM basis?
First, let me say how excited I am about this acquisition. This is something I think is really going to supercharge our Next-Gen SIEM business, which includes LogScale and something customers have been asking for. They're looking for a modern pipeline technology that will be able to get data, whether it's security data or IT data, from one place to another. The amazing thing about the technology is the in-pipeline detection, so we can begin doing detections at the point really of forwarding for third-party data, which is critical and it gives us tremendous flexibility and it's a great value prop for customers. Less data to move around and, you know, quick results if you will. I think what's important, and I want to reiterate, is our pricing in Next-Gen SIEM is very disruptive. Why is that? We actually don't charge customers for data that CrowdStrike generates.
This is why we're seeing so many displacements. If you think about legacy SIEMs, people have to take data out of our platform and put it somewhere else and pay for it. They actually don't have to do that with CrowdStrike. They only pay for the ingest of the third-party data. Now we have other ways to monetize retention and those sort of things, but between Onum and between the way we actually price and the way we can run it because the technology is very scalable, we again think this is a tremendous value for customers and will be disruptive to the market.
We'll take the next question.
Your next question will come from Gabriela Borges with Goldman Sachs.
Hi, good afternoon. Thank you, George. I actually wanted to revisit some of the dynamics of competition on EDR. In particular, one of the things we see in technology is invariably CrowdStrike has been really good at innovating with some of the leading edge modules that you've introduced over the years. Maybe just remind us, how do you feel about EDR? Are you seeing within the Flex contracts equal interest in EDR or are customers, maybe, is it all else equal with modules between EDR and newer stuff? To what extent are you still landing customers in EDR? Thank you.
Two things are important. One is to realize that the modern SOC is built on EDR and it's built on SIEM, and in our case, Next-Gen SIEM. Without that EDR data, it becomes very difficult to manage and execute on Next-Gen SIEM and all the AI elements on top of it. We're the leader, as many third-party organizations have pointed to in that space. We've pioneered it and we continue to innovate, which is really important. The thing to remember is, when you look at EDR, it's a way to get telemetry into the platform, but then you have all of the other AI elements across the platform. It also then allows the collect-once, reuse-many philosophy that we have, so we can light up all the other modules.
I think a key element is, and customers are seeing this, there is a huge difference in the service layer that we put on top of EDR. Things like OverWatch or Complete—competitors are not even close in this area. What we're focused on is stopping the breach, and it's a combination of our technology and the service overlay, which is highly automated. Between those, people are really seeing the distinction. When you wrap it with Next-Gen SIEM and Charlotte AI agent on top of it, it's really a winning combination. We're the leader in it, we continue to invest, and we continue to innovate, and that's a core part of our DNA.
Leila, we'll take your next question.
Your next question will come from Joe Gallo with Jefferies.
Hey guys, thanks for the question. It was awesome to see the $700 million in cloud ARR growing 35%. Can you just talk through an update on that competitive environment? Has that stabilized and where are customers in the journey to vendor consolidation for Cloud Security? Thank you.
Sure. It's still in the early days. You know, when you look at Cloud Security, there are really two paths to go down. Right. CSPM, which is really more of a kind of a vulnerability exposure policy, doesn't really do any enforcement, and that was an easy button for a lot of customers, and certainly vendors had success in that area. I think what people have realized as the market matures a bit is you really need cloud workload protection, which is something that CrowdStrike helped to pioneer, and we have leading technology in that area. When you combine that with ASPM, or DSPM, or SaaS security posture management and all of the other technologies, we have a very fulsome offering underpinned by cloud workload protection. Given the disruption in the market, we've seen tremendous interest and conversions with customers. It's still very early innings.
We are very excited about being one of the largest cloud security providers in the market by revenue, and we continue to invest and innovate there, and I think it's the perfect time, given the market dynamics, to take advantage of it.
Layla will take the next question.
Your next question will come from Mike Cikos with Needham. Mike, your line is open. Feel free to unmute.
Layla, maybe we can go to the next question and come back to Mike.
Sure. We'll go to Tal Liani with Bank of America.
Yes, hi, can you hear me?
Yes. Hi, Tal.
Perfect. Hi. If you wouldn't tell me that ARR is going to grow 40% a year, 40% year-over-year in the second half, I would have told you that . Growth is clearly decelerating because you're growing. ARR is growing on a constant basis, 5% around 5% a quarter on a sequential basis. That translates into deceleration on a year-over-year basis. You started with about 32% last year and every quarter it slows down to about 20%. Now you're giving this guidance of 40% growth in the second half and the question is what drives it and how sustainable is it? When you think kind of beyond just the year-over-year impact of the CCP, sorry, and what happened last year, how sustainable is this acceleration of growth? Thanks.
Yeah, I'll start and then George can kick in. There are a lot of factors that give us confidence in the back half. We talk about how we're a consolidator that continues AI, that's a big piece of who we are. I think that when you combine those two with the strength of the platform, these are the things that give customers confidence in going with us, certainly as we move through our journey. The biggest piece that I see out there for us in terms of how we're going to continue to reaccelerate growth is this opportunity for customers to lean in more with us with Flex. Flex has been extremely well received. Customers are able to easily implement it. It's very easy to procure and at the end of the day it allows customers to be able to use Flex as they need it.
We've already given out a lot of stats with respect to how fast they're burning through their Flex licenses, which has been fantastic for them and fantastic for us. With that, I'll turn it over to George.
I think Burt covered the financial mechanics around that. What I would comment on is what I hear in the field. I spend day and night with customers and it's all about how we're solving problems that can't be solved by other companies. How we are the number one security product for stopping breaches in some of the largest enterprises around the world and how customers want to go in more with us and consolidate around CrowdStrike. I look at the feedback that I get and I look at the threat environment. We have one of the largest incident response practices in the world and we're helping non-customers clean up breaches from other technologies that they thought they were getting a good deal on. As I've said in the past, a good deal on a leaky lifeboat isn't really a good deal.
When you look at the end goal of saving time, money, and consolidation with the right outcome of stopping breaches, that's what our customers are buying and that's what I'm hearing. That's why I get confident in the back half.
We will take the next question.
For our next question, we will return to Mike Cikos with Needham. Your line is open, Mike.
Hi, this is Jeff Hobson on for Mike. Can you guys hear me okay?
Yep.
Perfect. Congrats on the impressive Charlotte AI agent growth. I was just looking for any insights to specific features that may have pushed customers to adopt or I guess on the flip side, any hurdles that are keeping some organizations on the sidelines. As you know, some are still hesitant to adopt AI overall.
If you look at Charlotte and its maturation, as with many technologies, these technologies mature very quickly. We've invested a lot into Charlotte and the fact is we spent a lot of time early on on the architecture. It's not a chatbot. It is something as an orchestration layer that is wired into all of our modules, it's wired into our workflows, and it was really designed for agentic security and security use cases. Customers are solving problems. What do I mean by that? Tasks that would take four days to actually investigate and understand and kind of piece things together are now taking an hour. The ability to have Charlotte write reports automatically for you, the ability for Charlotte to triage and act autonomously as a tier one analyst, this is what gets customers excited and this is really what's powering the Next-Gen SOC.
Customers are seeing every release, more and more features and more and more capabilities, and just like any gen AI product, it keeps getting more mature and better and better.
Great. Thank you, George. We'll go to the next question.
Your next question will come from Jonathan Ruykhaver with Cantor Fitzgerald.
Yeah, hi. My question is when I look at the cloud native attack surface, to me it seems like it starts in code with misconfigurations. You have open source vulnerabilities, insecure secrets. All those issues originate in the development stage and we've seen CNAPPs move left. They capture issues obviously in runtime, but it's often too late. I'd love to hear your strategy, George, or your view on where CNAPPs move to. When you look at Shift Lab, will we see further move beyond just AppSec, container scanning, et cetera?
If you could move left and capture these issues before they're put in production, it's going to be a good thing. We've spent time in that area and have technologies, our ASPM technology covers a lot of that, our container scanning to understand vulnerabilities and open source before things are published, you know, understanding what the golden images are and providing some guardrails around that. We've invested in those areas, we continue to invest in those areas. I think a big part of it is going to be the AI story of understanding how all these interdependencies work in the build environments, in code and obviously in sort of these interactions with MCP type services. This is something that we continue to invest in and I think the AI elements we've already built are going to be extremely helpful to solve these challenges in the future.
Layla will take the next question.
Your next question will come from Shaul Eyal with TD Cowen.
Hi, good afternoon. George or Burt, a question which is not being asked frequently on your conference calls in recent quarters. $5 billion on your balance sheet. You guys focus predominantly on those tuck-in acquisitions. We've just seen another one announced this evening. Those have been expanding the platform really nicely. Indeed, we see the great results of those historical investments. It would appear as if nothing transformational is on the horizon and indeed there's no need for that right now. What's the current thinking of that utilization? Pretty much steady as she goes. More tuck-ins. How are you guys thinking about it, you know, for the second half and obviously for calendar 2026 and beyond?
As you pointed out, we have an incredible balance sheet. Myself and Mike Sentonas and the team have spent a lot of time looking at the market, looking at the different segments that are out there and really thinking about strategically, you know, where we need to go. We certainly have a history of buying acquisitions and taking the time to integrate them. This is a hallmark of what we do and a proven track record of not just stitching things together. We are very thoughtful about these acquisitions. We have a certain sweet spot, which you've seen, doesn't mean that we can't go outside of that. We have to find the right team, the right technology, the right company that makes sense for CrowdStrike. Our number one goal is to be thoughtful, make sure that it's a fantastic user experience for our customer.
We're not just trying to buy ARR for the sake of ARR. It's got to make sense and it's got to be something that we can execute on and feel really good about.
With that, we'll take our next question.
Our next question will come from Ittai Kidron with Oppenheimer.
Hi guys, and congrats again on a good quarter. I wanted to go back to Gabriella's question on your core EDR business. If you take a look at your ARR and you exclude your Fab 3, your SIEM, Identity, and Cloud Security, and you look at the ARR growth of your core business, it seems like it's significantly decelerated. Was growing 18%+ a year ago, it's growing 11% now. How should we think about your core business growth going forward? Do you expect stability there? Are there any potential accelerators in that business or just given the size, we should expect that business to continue to decelerate going forward?
Yeah, I don't look at it as core. I look at it as platform. The platform piece actually sets up all the other modules. When you look at the three that you just articulated, whether it's Identity, Cloud, Next-Gen SIEM, it's all predicated on getting the telemetry into the cloud, which starts with EDR. We feel really good about that. I think when you look across the entire platform, you need to look at it as a platform, not separate kind of things out. From my perspective, we continue to innovate there and we continue to drive new business. I think people again looking for the best technologies with the right outcome. Stopping the breach. Choose CrowdStrike. That's what we've seen time and time again.
We'll take the next question.
Your next question will come from Roger Boyd with UBS.
Can you hear me okay?
Yes.
Awesome. Thanks for taking the question, George. I wonder if you could compare and contrast your businesses in SIEM and Identity. Both are roughly similar scale, but the growth rates are pretty different. How much of that difference would you attribute to the M&A disruption you've seen in the SIEM market? Given what's happening in the identity market as well as your expanded portfolio there, what's the level of conviction in re-accelerating that identity business from here? Thanks.
Sure. Identity is a key area for us, as I talked about. Obviously, we've got the Next-Gen offering that we announced, and I guess the positive news is that identity was a very popular choice for CCP packages. You'll see a little bit of impact from that. I think when you look at identity, it is something that is going to continue to be adopted by customers. There's still a lot of white space out there, and I think when you look at the SIEM market itself, we're in the perfect spot. Customers are coming to us, they've come to us for years saying we want something different, we're locked into a vendor, we're being charged too much. Give us something that's better, faster, cheaper, that's integrated into your platform. As I mentioned earlier, it's pretty disruptive.
Customers are not paying to take data out of our platform and putting it somewhere else. They actually get it, and they're only paying for data they put in. I feel really good about both of those businesses. When you put them together and you look at how we're solving problems—Identity, Next-Gen SIEM, Cloud—I mean, these are all critical elements to the future of the company, and I think we've got really good performance around it.
We will move to the next question.
Your next question will come from Jonathan Ho with William Blair.
Hi, good evening, and let me congratulate you on a strong quarter as well. When we look at cybersecurity to protect agentic AI, you have many of the pieces to help customers solve the AI challenge. Yet spending in AI remains fairly fragmented. What are customers buying today, and specific to agentic AI, what categories are you most excited about right now?
Customers are in the early journey of how they leverage AI, and it's moving from, hey, this is really a cool technology to how do we implement it and implement it securely and do it in a way that actually accrues value back to the business. If we believe in AI and we think there's going to be more AI in the future, in the next year, three or five years, then security is a necessity. You're not going to have more AI without security. What that looks like is everything from helping organizations create secure models to deploying those models to creating guardrails, to creating visibility into these AI agents and protecting them. If you look at what CrowdStrike does, we're the leader in agent security and protecting computers and workloads, which is essentially protecting users' identities, data, workflows. An AI agent is just a superhuman.
We're in the perfect situation to be able to capture protecting all of these super AI agents in the future, and that's a big part of our strategy. We're working on what's here today and we're also working on the future of protecting these agents.
We will move to the next question.
Your next question will come from Adam Borg with Stifel.
Awesome. Thanks so much for taking the question. Maybe just on exposure management. It was great to hear crossing the $300 million threshold. We'd love to hear the traction you're seeing. Is this really living alongside what you'll call the traditional VM or exposure vendors, or is this displacing them? Any thoughts here would be really helpful. Thanks.
Yeah, it's an exciting business for me. I mean it's one. You know, in a prior life I started a company called Foundstone in vulnerability management space. To see where it's evolved and now into exposure management is exciting. We've got so many assets in terms of, you know, agent vulnerability management and one of the things that may have passed them by is that we a few quarters ago added network vulnerability management and we can do that right from our agents across the network. That's been very well received and we've got attack surface management and a host of sort of risk management technologies bundled in there. I think we're really hitting the sweet spot in the market. I think again it goes to customers want to consolidate and we've got some great big wins out of it.
I guess the final piece is it's been recognized as a leader in the inaugural IDC MarketScape. All good things and certainly a needed technology. It may sometimes feel a little sleepy, but it's a really rapidly growing business for CrowdStrike.
Thank you. We'll take our last question.
Your last question will come from Adam Tindle with Raymond James.
Okay, thanks. Save the best for last. I wanted to continue on the acceleration theme. The net new ARR guidance implies another record of net new ARR for Q3. I guess the first one for Burt. If you could just talk around assumptions for public sector given that's Fed fiscal year end and then separately, you previously talked about net new ARR accelerating again in fiscal 2027. I wonder if that still holds for George. Real quick, since I'm last here, bigger picture. If I look at your back half guide for net new ARR, you're going to be run rating over $1 billion on that metric. It's a huge milestone. I just wonder how you're thinking bigger picture about structural changes or things that you need to do to manage an organization of that size. Thank you.
Hey, it's Burt. I'll take the first part. As we've stated many times, Fed today is not a big piece of our business, but there's a great opportunity for us. The Fed has come out and said they want to run like in the private sector, they want to consolidate, they want to reduce costs, they.
Want to become more efficient.
That plays right into our sweet spot. We feel that there's a Fed opportunity out there for us. Those deals take time and we're patient and we want to land the right deals at the right time. We're excited about that opportunity for us. At the end of the day, we've got great certifications with the federal government and we'll take advantage of it. In terms of FY 2027, we'll give more comments about FY 2027 at the end of our Q4, but we're excited about just the 40% acceleration, net new ARR in the back half. That to us should signal to you that we have a lot of confidence in the business and we've got a lot of things that I talked about earlier that give us that confidence in the business. George, if you have anything else.
I guess I would add there's always ways to optimize. I think when you look at go to market and you look at how we've evolved from selling modules into selling Flex and platform and activation, we've got to organize for success to make sure that we continue to work with our customers around this consolidation journey and activating more Flex. I think we've done a good job of that. There are different ways to help optimize that. We have to take those learnings and apply it to our partner and channel community. We're always looking at, again, how do we optimize and how do you take the platform vision that we have and the execution that we see in the field from a selling perspective and make it as impactful as we can. I think that will be something we continue to look at.
That concludes the question and answer session for today. I'll hand it back to George for closing remarks.
All right.
Thanks, Maria. Thank you all for joining us today. We look forward to seeing you soon at Falcon 2025. Thank you.