CrowdStrike Holdings, Inc. (CRWD)
NASDAQ: CRWD · Real-Time Price · USD
468.84
-7.69 (-1.61%)
May 6, 2026, 12:59 PM EDT - Market open
← View all transcripts
Investor Briefing
Oct 15, 2020
Welcome, everyone, and thank you for joining Cloudstrike's Investor Product Briefing on Cloud Workload Protection. During the era of social distancing, our goal is to hold additional informational based sessions for investors. Your feedback is welcome and please send comments to investors at crowdstrike.com. We have a great lineup for you. Today, you will hear brief presentations from George Peart, our Founder and CEO and Mike Stetonis, our Chief Technology Officer.
Then we will open up the session for Q and A. All participants will be in listen only mode until the Q and A session begins. If you wish to ask a question, please make sure your Zoom username is easily identifiable and use the raise your hand feature on the bottom of the meeting window. When you are selected for a question, please be prepared to turn on your video and unmute your microphone. Before we get started, I would like to note that we will not be providing any financial updates today and we ask that you be mindful of this during the Q and A session.
Today's presentations may contain forward looking statements, including CrowdStrike's current view of its industries, opportunities in select markets, performance, products and business outlook and other statements that are not historical facts. These statements are subject to risks and uncertainties that could cause actual results to differ materially from those expressed or implied by such statements and are not guarantees of future performance. Information concerning these risks and uncertainties is contained in CrowdStrike's most recent Form 10 ks and other filings with the SEC. All forward looking statements are based on management's estimates, projections and assumptions as of today, October 15, 2020, and CrowdStrike assumes no obligation to update them. Without further ado, I'd like to hand it over to George.
Thank you, Maria, and welcome everyone to our investor briefing on Cloud Workload Security. I think it's going to be a great and informative event. I'm doing this with Mike Santonis, who is our Worldwide Chief Technology Officer. So you're going to hear from him in just a bit. And there's really 3 key takeaways that I want to make sure that we leave you with.
Number 1, CrowdStrike is focused on protecting more than just endpoints. It's also about protecting workloads. We've done a lot of work in this area over the last couple of years, made tremendous strides in our capabilities and a lot of customers that are using our technology. And we believe this represents a 10x opportunity over the current TAM estimates, and we'll go through why we believe that. Number 2 is cloud workloads represent a 10x increase, a multiplier factor for every endpoint that we see in the enterprise.
So said another way, for every endpoint we see in the enterprise, we think there's 10 cloud workloads in the future. And number 3, Mike Santos will talk about specific capabilities that we've built, why our technology is superior to others and the success we've seen in the field. So before I get into the meat of the presentation, I really want to talk about endpoint security versus workload protection. And thinking about us just as an endpoint security company is really an outdated way to look at us. And the reason why I believe that is in 2,009, 2010, 2011, 2011, you had workstations and servers.
And that's where you get the term endpoint. But in today's environment, 2020 and beyond, it's really about workload protection and workstations and servers are really a subset of a workload. So what's a workload? A workload is network, compute and storage. It could be something in the data center, it could be a public cloud, private cloud, ephemeral, virtual instance, container or mobile and IoT.
So these are all workloads that can be protected by CrowdStrike. So that's why when we kind of frame up who we are, it goes well beyond just endpoints. And I think that's really why we're different than all the companies that came before us. Yes, we're a platform company, but this isn't a McAfee or Symantec 2.0. This is a platform company that has a much broader market opportunity because of all the various workloads that are out there.
So just to put it in perspective, over 1,000,000,000 PCs shipped worldwide in the last 4 years. Crossright protects fraction of those. We've been very successful in this area, but it's still a fraction. And just to juxtapose that, we see days where we protect over 1,000,000,000 containers on a daily basis, which is incredible. So just reframing it, I want you to think about workload protection and it's one of the reasons why we spend so much time and so much money investing in this area.
And Mike Santonis is going to go through a lot more detail on what we do and how we do it. So let's talk a little bit about containers and why they're going mainstream. You can see from the Gartner stat that more than 85% of global organizations will be running some containerized application in production. Most of the companies we talked to today have something in a container or have a plan to go to a container. And with COVID and digital transformation, it really has accelerated the move to the cloud and containers.
So you can see the use of Kubernetes in production massively up since 2018. And obviously, we can see just the level of use that Docker gets. So as companies begin their digital transformation, as I said before, a security transformation has to take place at the same time. And CrowdStrike is a perfect vendor. So we think about CrowdStrike as a cloud protection leader, you can just see the stats in terms of the sheer volume of data we handle.
And we handle this amount of data because as a cloud native company, we were born in the cloud, We deliver our technology for the cloud and it's the perfect solution to protect cloud environments, whether they're virtual or containerized. And on a weekly basis, we handle 4,000,000,000,000 high fidelity signals per week. We've got 14 petabytes of data, protect over 1,000,000,000 containers. These are ephemeral containers that go up and down on a daily basis. We've seen a 14x growth in protection for containers since March of 2020 and greater than 20% of all the servers we protect across our entire fleet of customers are in the public cloud.
So as a company that basically grew up in the cloud, we believe we are in the best position to protect our customers. They're looking for a single pane of glass that can not only protect their on premise servers and endpoints, but also all of their cloud workloads. And with this cloud environment, we also think there's a lot more complexity, probably 10x because customers don't control the infrastructure. So when we think about running in the public cloud, yes, it's a little bit easier, but we think the security is actually harder simply because you don't have all the instrumentation that you normally would have by being able to control the entire stack from the hardware all the way up through the operating system. So what's the balancing act?
Obviously, the leading companies have moved to a DevOps model, which is focused on speed, agility, number of releases per day and continuous integration and continuous deployment. So what that means is that security needs to actually keep up with DevOps. So we've seen SecOps be created and that's really groups of folks that are focused on visibility, security and compliance. And it's much more difficult in the cloud because again, you don't have your traditional tools in place. You don't control the infrastructure.
There's a little bit of a paradox because you want to be as fast as you can in getting all of your bills out. But at the same time, you have the security team wanting to slow things down a bit because they need visibility, security and compliance. And that friction leads to dissatisfaction. So the way we've built our technology, it makes it seamless to deploy. It doesn't get in the way of the DevOps team and the SecureOps team actually gets the visibility and security that they're looking for.
Let's go through cloud workloads and what we see being protected and not. And today, we believe cloud workloads are massively under protected. When we show up to an organization, it's almost like many, many years ago showing up to a company and AV wasn't installed 25, 30 years ago. People were just trying to figure out what AV was and to get it and how they would get it deployed. And we see the same dynamic in the cloud.
Most cloud workloads have no protection. And it really does represent a greenfield opportunity. So if you look at the numbers, I think that bears out what we see in the field. So the current cloud IT spend for IaaS and PaaS vendors according to IDC is $160,000,000,000 going to $217,000,000,000 in 2023. The cloud security spend is $1,200,000,000 going to $2,000,000,000 And that just seems really low to us.
If you just do the quick math, you've got 1.1% of the overall cloud IT spend on security going to 0.9%. In the current environment, given all the sophisticated attacks, given all the regulation, to me that makes no sense. It's insufficient security, it's insufficient in terms of investment and we think it's underrepresented. So let's go through what we believe the real opportunity is. If you took those same numbers, dollars 106,000,000,000 going to 217, and you said most organizations should spend between 5% to 10% according to IDC.
Gartner as well, they're in that 5.7% range. If you just apply that to the overall cloud IT spend, you would get a cloud security opportunity of 6.1% going to 12.4 percent. We think that's more representative. I think most people in the audience would believe 1.1% going to 0.9% for cloud security is just not realistic. And it's going to have to be higher than that.
So when you put that all together, where we are today and why we believe it's a 10x opportunity, current spend 1.2, we believe the real opportunity in 2023 is 12.4, Again, 10x opportunity, underrepresented and Krauschreich is the perfect company to take advantage of this wide open market. I'm going to turn this over to Mike Santonis, who is our CTO. Mike, he worked extensively with me when I was at McAfee. He's one of the smartest guys I know and he's going to talk to you through more about what we've built, our technology, our philosophy and where we are today and where we're going in the future. So Mike, take it away.
Thank you, George, and thank you all for joining us on the call today. When I joined CrowdStrike 4.5 years ago, one of the unique technologies that was really compelling to me was the CrowdStrike platform built in the cloud for the cloud and of course the problems then we could solve with that technology. I'm thrilled today to share the evolution of the technology to continue the vision for cloud security and to talk about the massive opportunity we have ahead. Let's first discuss some of the key challenges in cloud workload protection and then we'll outline the approach we've taken to protect workloads as well as the capabilities around cloud security that we unveiled earlier today. There are specific requirements to effectively secure the cloud and we'll tell you why we think we're uniquely positioned to win in this market.
Firstly, it is necessary to understand DevOps before we talk about the potential friction and some of the challenges between DevOps and SecOps. DevOps is a combination of tools, practices that together increase an organization's ability to deliver applications and services at high velocity. The key aim is to shorten the software development lifecycle and to provide continuous delivery. In the past, to bring a new application to market, we would see operations build infrastructure. We would see the team start to code.
That would take an incredible amount of time to take something to an infrastructure to the team to allow you to build an application and take it to market. With DevOps, the entire process is automated, allowing apps to be developed and deployed at a rapid rate. The reality is that DevOps and security teams do often struggle to align. It's not to say that DevOps doesn't understand security, absolutely they do, but it's this constant balancing act of ensuring services and apps are secure, but ensuring security does not get in the way. What we see in organizations is that DevOps and security teams often don't work together.
Security gets left out of the equation and we see applications and services in use that have very to little security included. In many cases, we actually find when we talk to end users that security teams didn't know what cloud or container environments are in use and this is ultimately where security incidents take place. This is where CrowdStrike can come in. When enabled by proper security solutions like what CrowdStrike can deliver, that friction goes away. We avoid security becoming left out of the CICD pipeline.
Security teams can begin to define security configurations that allow development teams to deploy continuously whilst meeting security and compliance needs. And this is critical for both teams. The new way of working means that DevOps teams can secure environments at every step in the CICD pipeline and security teams can comprehensively ensure security and compliance is carried through the entire development process. When talking about agile development and security, you'll hear the phrase, organizations should shift left. What this refers to is that you should integrate deployment and in this context security right from the start.
DevSecOp environments ensure that the velocity of new development isn't slowed down and the quality of new developments is maintained at a high level whilst ensuring security is included in every step of the way. This is increasingly critical as cloud is more rapidly adopted and it's critical to ensure that security is included from the get go. When we start to talk about cloud native technologies like containers that run-in multi cloud environments that are built on DevOps principles, you can't use traditional security technologies. That's one of the core reasons as to why we see security left behind. You can't have agile technology, you can't have the ability to push out applications and services rapidly whilst using legacy technologies.
You can't have one without the other. Traditional on premise security tools and methodologies are ill suited to protect cloud native developer driven and infrastructure agile and agnostic multi cloud environments. They don't scale. They are very difficult to deploy. And the reality is, is that the dev experience is very poor and this is when we start to see dev moving faster than security.
What's commonly seen today is hosted versions of on prem and legacy solution approaches. It's this halfway point that still requires additional infrastructure to be deployed at a minimum, a different agent to the core functionality that's offered by a traditional security capability and this adds complexity both during deployment and also during management when you try to operationalize the technology. The other challenge is when you have multiple solutions specific to environments and features, how do you know which one to use and how do you build this technology in a way that doesn't introduce additional friction to the environment? As mentioned, this doesn't work when you have agile development and when you're hunting for agents specific to certain environments to try to download them, to try to deploy, to integrate multiple solutions into CICD pipelines. And again, the reality is that security will ultimately get left behind.
If an organization doesn't put security first and doesn't have the ability to integrate, this is when operational complexity becomes the next problem that you'll deal with, especially in a time of need. Which solution do you go to when you are coming under attack? And that's again when you see a lot of these issues and incidents start to happen. Cloud native technologies need cloud native solutions like what CrowdStrike supplies. This means cloud native security requires a solution that has been designed in the cloud for the cloud.
A cloud native architecture is needed that can deal with ephemeral workloads, machines that are non persistent, storing telemetry data at the endpoints and querying when needed does not work. It needs to be kept off-site, it needs to be part of a graph based architecture. You need scalability. What this means is you need to be able to deal with billions of and trillions of events. You need to be able to scale up and scale down, but you don't have to be the one worrying about it.
Let the vendor deal with that like what we offer at CrowdStrike. It means an extremely lightweight presence. Organizations don't want to pay for a vendor's workload and inefficiencies in technology design. This means a cloud neutral approach, a truly multi cloud support ecosystem. And finally, this means a unified view, not a view from multiple systems, not a view that requires you to integrate and then try to unify and try to get any workload from anywhere working.
So let's take a deep dive into our approach. As mentioned previously, CrowdStrike Falcon was built in the cloud for the cloud. We have and we protect one of the largest security clouds in the world. We run thousands of microservices across multiple hybrid clouds and we correlate today over 4,000,000,000,000 signals from workloads spread around the world every single week. That ultimately means we are processing petabytes of data that requires best in class security.
Our strategy for cloud security is to build and bring to market the best capabilities to provide protection at runtime, attack surface monitoring, reduction in risk exposure and a focus on the adversary. And I want to step through a couple of those and provide examples as to what this means. So firstly, protecting at runtime. Our solution today provides best in class runtime security protection for all workloads and all workload environments, including containers and protection of the underlying hosts powering the container environment, which is critical. We provide attack surface monitoring.
So we monitor the attack surface and provide attack surface reduction and that's a key element to improve security posture. We've got a number of capabilities to provide visibility and alerting into common misconfigurations and we will continue to develop Falcon Spotlight, our vulnerability management features and technology to further expand the attack surface reduction offerings. Reducing risk of exposure is critical, especially when we talk about cloud technology. Misconfigurations remain one of the biggest challenges with cloud environments. A key focus of our approach is to reduce risk of exposure and this happens through cloud resource detailed discovery and remediation, unified visibility across multi cloud environments, misconfiguration management and remediation through to a reduction in alert fatigue and improved SOC productivity.
The last point that I'll make is a focus on the adversary. Everything that we do is underpinned by the industry's best threat hunting team, Overwatch and our CrowdStrike Intelligence team. But we're here today to talk about our new announcements, so let's get to it and go through a couple of those. This week, we announced the new Falcon Horizon module to protect multi cloud environments. I'm incredibly thrilled to talk about this new offering that automates cloud security management across the application development life cycle for any cloud.
This enables customers to securely deploy applications in the cloud with greater speed and efficiency. It provides visibility into your private, public, hybrid and multi cloud environments and enables security teams to proactively minimize threats and ensure continuous compliance and governance against organizational security policies. Doing so reduces complexity, it minimizes the impact of security incidents and it accelerates business performance. So let me go through the key deliverables and benefits of the Falcon Horizon module. Now to be clear, the Falcon Horizon cloud security posture management capability automates security management across the application development lifecycle, as mentioned for any cloud to allow you to securely deploy applications in the cloud with greater speed and efficiency as covered.
So the technology provides visibility and control into all cloud environments, as mentioned, public, private, hybrid and multi cloud environments, continuous discovery and visibility of cloud native assets providing context and insights into the overall security posture and the actions required to prevent potential security incidents, prevention of cloud misconfigurations, again, one of the biggest reasons why we see issues happening and we provide that by a real time monitoring of cloud resources to detect and to provide guided remediation for misconfigurations and vulnerabilities before they impact the business. We provide continuous monitoring for anomalies and suspicious activity across all cloud infrastructure and we correlate these insights with misconfigurations to accelerate response and optimize business performance. And finally, I talked about this earlier, a reduction in alert fatigue with targeted threat prevention. The solution integrates with SIEM solutions, enabling security teams to gain visibility, allowing them to prioritize threats, reduce alert fatigue by eliminating noise, enabling them to take immediate action. So if I summarize the unique value and what makes us unique, we provide unified visibility across all workloads.
We provide the ability to perform forensics and threat hunting on ephemeral workloads. You can see and investigate attacks that span multiple workload types and locations. We provide a true managed threat hunting capability in the cloud. We have integrated threat intelligence as part of this capability and we provide a single lightweight agent that is incredibly well suited for cloud workloads. I've talked about this a number of times.
This is really important point to keep making. The CrowdStrike Falcon platform being built in the cloud for the cloud. Our customers benefit from runtime security, from workload security, cloud security posture management, cloud threat hunting and forensics and to further eliminate blind spots and maintain compliance, we offer specialist services for the cloud, built on the capability that we've created inside CrowdStrike for many years now. We took the approach of providing cloud security using a single agent deployed on the host server, the worker node in container parlance that security is enabled and enforced at scale in production and it's a core requirement, it's a core ingredient of any container security solution. There's a lot of benefits to this approach.
We secure the host and all containers executing on the host via a single agent, the same agent we use for traditional workloads as well as cloud workloads. It means that there's no deployment necessary per container, which reduces the complexity, reduces the footprint size and the performance overhead, again, critical in cloud. It makes for frictionless deployment. Our security teams gain visibility into container environments without requiring cloud teams to adopt additional technologies and to deploy them and try to manage across multiple technologies. We think of this as container security at DevOps scale, which is critically important.
The Falcon technology provides full visibility into containers, activity. We provide information about container images and registries used and so on due to the rich visibility, which is consolidated and correlated in the threat graph. We provide easy to view dashboards showing all of this information that's being collected, registry information, container run times used. We provide the ability to search containers by container ID, search containers by host, find detailed container image information, understand container configuration and common misconfigurations as mentioned previously. Customers can take action on all of that information.
That's critically important to provide that capability. So people can do network containment, they can do that right from the alert unified workflow built into the platform. They can blacklist the container image in their container registry based on the container image that's been identified or through the alerts and the tools that we provide. One of the things that I really want to highlight is the threat graph. The fact that we track the signals and the metadata, the activity for each container instance, and we don't lose any of that fidelity or applicability, including in ephemeral workloads, environments that spin up and spin down within minutes and then are destroyed.
We track all of the environments. We store all of this telemetry in a persistent manner. We make it searchable, irrespective of whether the container instance is long running or it's been spun up and spun down and destroyed sometimes within seconds. So we uniquely track information and activity happening in the environment and we track all of this information all throughout any iteration that that environment may have. So it means that together with the customer, we have the ability to hunt and provide forensic capabilities for these environments.
And finally, CrowdStrike also provides a cloud security assessment service to help customers quickly perform a comprehensive security analysis of their cloud environment. We bring the power of the Falcon Horizon module and the expertise of our consultants to help identify misconfiguration issues and provide detailed guidance on the best methods to mitigate and resolve these issues. The benefits of that assessment module include thorough analysis of individual cloud based systems and the assessment of your entire environment to determine the full scope of potential attack. It provides a comprehensive analysis of internal and external components of all of your hosted infrastructure. We provide identification of potential issues and we'll provide detailed guidance and specific recommendations to improve your overall cloud security posture to help prevent, detect and rapidly recover from breaches.
I'm incredibly excited about bringing Pre EMP Security, the acquisition we just closed and the huge benefit that Pre EMP Technologies bring into this ecosystem and architecture. I talked about this earlier. Misconfiguration is a huge issue. We have the huge opportunity ahead of us to bring identity and workload security on premise and importantly, to bring identity to the cloud to ensure that when any user tries to access a new application, a new service, we can ensure they are approved and we can unify identity and workload security and bring this capability into the cloud security architecture that we now have and I've just taken you through and no one else has what we have. I'm incredibly excited about the opportunity to be able to do this on premise, in the cloud and across all environments.
George shared with you a TAM view of the massive opportunity cloud workloads presents. I'd like to supplement that with a few anecdotal case studies to illustrate what a cloud customer looks like and what the opportunity ultimately means. I'll go through a retail company, a web content company and a SaaS company. They're all a little bit different. The retail company, we've got an example of a company that we work with, a large employee base with around 75,000 employees, which means a large traditional footprint.
However, they also operate a large and very ephemeral cloud footprint with around 2 thirds of their environment being ephemeral, which we're defining here as cloud workloads that are up for less than 10 hours. A company like this may launch a product and see a surge in website traffic and purchasing activity that normalizes quickly after a few hours or days. Similarly, they could need to scale up for major shopping holidays and these ephemeral workloads can be up for a very short period of time, they'll scale up and scale down as needed. Previously, this customer was using a competitor's AV product to meet PCI compliance, but this was frustrating for the DevOps teams as a build would take an hour or more as a result, it was that legacy approach to security for the cloud and security effectively was removed. So they were taking applications and services to market in many cases without any security technology.
In contrast, a build with CrowdStrike and the CrowdStrike agent takes simply a few minutes without the complexity with the back end architecture coming along with that. We're protecting about 10% of the cloud workloads today compared to 100% of the traditional endpoints, which gives us a ratio of less than 1 cloud per endpoint, but it also means an incredibly large expansion opportunity, particularly as we hear demand from customers around offerings like Falcon Horizon. Because of that large footprint just expanding into 10% of their cloud workloads, it represents approximate 50% expansion of ARR on the account compared to if we just protected their traditional endpoints. If we are to expand to 100% of their workloads, we're talking about a cloud opportunity that could be as high as 10 times what we're seeing today in the account. I'll pivot now to a web content company, slightly different.
In this example here, smaller employee base, but a very large cloud footprint that we're covering 100% of. In this case, approximately 4 times the size of their traditional endpoint deployment and a similar uplift in ARR compared to if we were just protecting the traditional endpoints. Similar to the retail company, this organization sees a lot of peaks and valleys in website traffic and purchases, so they stay very ephemeral. Regardless of whether the workload is spun up for a minute or for an hour, this customer finds the visibility that CrowdStrike provides unmatched and extremely valuable for their organization. In fact, they do not spin up any workload that does not have CrowdStrike deployed, providing security and visibility into their environment.
Now let me talk about the SaaS company. When looking at a SaaS company, you'll see a very different set of dynamics. As we know with SaaS, you often have a lot of automation and leverage in the platform. Employee count can be relatively small compared to the size of their customer base that they're serving. This leads to a company with a relatively small number of traditional endpoints, but a huge cloud footprint, as you can see in the 36:one ratio.
The difference that while they may be growing the size of the overall cloud environment to meet their needs, the cloud instances themselves are long lived and working constantly. It's not economical in their case to be spinning environments up and down constantly. In this example here, you can see the cloud ARR opportunity could be significantly above that of the traditional endpoints. So what do these examples tell you? The expansion opportunity presented by cloud is apparent, but it varies quite a lot by industry size and application.
There are big cloud footprints out there that remain unprotected and we largely see this as a significantly greenfield opportunity. Customers don't want to pay for the security vendors' workloads. Performance and scalability are key as environments can be highly ephemeral, which I've talked about. This is why traditional security tools and cloud retrofit approaches to cloud security do not work and are at odds with DevOps teams and we see security being left behind. The same attributes that have made CrowdStrike successful in traditional endpoint security and workload security position us well to unify DevOps and SecOps into DevSecOps to fortify customers' cloud security posture and to stop breaches.
Let me summarize the key takeaways. CrowdStrike operates 1 of the world's largest security clouds. When we started building the security cloud, there were little to no security solutions available. We built to protect our cloud and we are now bringing battle tested and cloud scale security solutions to our customers. Building cloud security for the past decade, this is a huge advantage over other security companies.
Cloud security represents unique challenges that we are in a unique position to solve and we have real world experience protecting cloud workloads. The opportunity is tangible. It's extremely large and growing exponentially. Back to you, George, for the final wrap up.
All right. Thanks, Mike. I think it was a fantastic presentation and we'll get wrapped up here. So just to summarize, cloud security does represent a unique challenge and CrowdStrike is in a unique position to solve it. We've got the real world experience and the technology.
We've been doing this for many years to be able to protect these workloads. And we do it for many, many customers around the globe. And when we think about our 10x opportunity, what I want to leave you with is we believe that for every endpoint within an organization, there's at least 10x the cloud workloads that need to be protected. That's today and into the future. We also believe that there's a lot more right?
There's a lot of policies right? There's a lot of policies and there's a lot of infrastructure they don't control. So they have to go about it in a different way to actually solve it, which is one of the reasons why we've launched Falcon Horizon. And the last point here is really on the opportunity. If you look at the current market opportunity, dollars 1,200,000,000 again, we believe that's underrepresented.
We believe that's going to go to at least 12,000,000,000 dollars 10x because it's a greenfield opportunity and the current investment is so low in terms of overall spend. So with that, let's take some questions and we can go into more detail about our technology, about our success in this area or about our philosophy and where we are today and where we're going in the future.
Thank you, George. Let's get into some Q and A. As a reminder, we will not be providing any financial updates today. Please keep that in mind when asking your questions. Our first question will be from Sterling Auty of JPMorgan followed by Saket Kalia with Barclays.
Yes, thanks. Hi, guys. Thanks for taking the questions. Thanks for hosting Falcon. Just wondering when you look at your customer base, is there any sense and it might be tough, but what portion of your sorry, your customer base do you think Horizon and even forensics would be applicable?
So what kind of penetration do you think these new solutions can get within your existing customer base?
Yes, I'll start and Mike feel free to jump in. I think when you look at those two areas, there really aren't many customers that don't have something in the cloud. You could be a small SMB and maybe you don't have a bunch of cloud workloads. But when you look at enterprise and midsize companies, they all have a presence somewhere in the cloud. So we think it's a fantastic opportunity as they continue to move their infrastructure off.
Even small companies, they don't have IT teams anymore. They just basically put their servers in the cloud. They do all their backups and things of that nature. So I think through something like an AWS marketplace, it's a perfect opportunity even in a smaller company. When we think about forensics, this has been something that has been asked for a long time.
And for many years, we actually have built our own technology. We've used it in other parts of our business and we've now commercialized that. So this is not something that we just came up with overnight and there really came out of customers every time we use it. They said, hey, that's better than anything we've ever seen. When can we get it in Falcon?
So we're here now. And I think in terms of that market segment, it can go all the way down to a small SMB, particularly when you combine it with some of the managed offerings we have, right. If it's a Falcon Complete, it's not a problem. We can do the forensics for them using that technology. They can use it, they can log in.
So I think it's technology that's applicable across the board and we're really excited about both of those modules.
Great. Thank you. Thanks.
Great. Our next question is from Saket Kalia with Barclays.
Thanks for hosting the session. George, maybe for you. You mentioned that the cloud security market kind of reminds you of the AV market 25 plus years ago. And clearly, there were a catalyst or a series of catalysts that drove that adoption to probably near 100%. The question for you is, having seen that, what are going to be those catalysts now that are going to drive increased penetration of this cloud security spending market, which is clearly higher than what Gartner and IUC kind of predict.
Does that make sense?
Yes, it does. It's a good question. I think there's supply and demand. So when you look many years ago, look, I remember downloading McAfee from bulletin boards. It was freeware and you'd get your signature updates and things of that nature, right?
And that's sort of how people started using AV and the supply became available as it became commercialized. And then the demand is there because of all the viruses that had come out 30 years ago. People were getting crushed with Michelangelo and things of that nature. So when you look at today's environment, the technologies haven't been there. I mean, we're lucky in a position that our technology has been able to work across multiple clouds on prem, off prem.
Obviously, we've added capabilities since we started the company. And I think that's been a big barrier to companies deploying it. In fact, I've talked to company CIOs where they said, hey, look, we want to go to the cloud in a digital transformation, but we were held back because we had no way to check the compliance box on security. So I think you have a compliance need from a cloud perspective. You have technologies like ours that are available and the threats are ever increasing in the cloud environment.
And when we talk about Falcon Horizon, a lot of the breaches that you've seen are just misconfigurations. So those need to be addressed. So I think it we're still in the early innings. But if you can actually have technology that works at scale that doesn't impact the performance like ours does, you're going to have a lot of adoption.
Very helpful. Thanks.
Great. Next question is from Alex Henderson of Needham and that will be followed by a question from Brian Essex at Goldman Sachs.
George, thank you very much for the opportunity to ask a question. And I appreciate how much you've helped me move down the learning curve on this technology. You guys were more than generous with your time on it. It seems pretty clear to me that the adoption of Kubernetes is a key piece of this puzzle. It's our understanding that roughly 15% of workloads were new workloads were coming out as Kubernetes in 2019.
And we'd be interested in what's your estimate of what that would look like out 3 to 5 years. I'm hearing numbers of as much as 50%. And in an environment where there's 1,000,000,000 applications and according to IDC growing at 40% clip, that's an enormous growth rate. And so does that tapping into this 10x size market with that 100% type growth rate result in an ability to sustain your current growth rate? Is that how we should be thinking about this?
Because that's an enormous opportunity. And then the second piece of it is, I get that your position in run time is really powerful, but it seems like that position is unique in the sense that you're the only company that I'm aware of that's really doing it at the kernel level on the server. Can you expand those projects beyond the AWS to some of the other key clouds that you can get that kind of penetration across the multi cloud? Thanks.
Sure. I'll handle a few of them and then I'm going to turn it over to Mike. I mean, I think in general, when you look at how we operate at the kernel level and how we're able to protect all these containers at scale without getting in the way of the DevOps team. I think it's very effective and that will work across really almost any cloud provider. So the overall one of your big questions is in terms of growth rates and opportunity.
I'll focus on opportunity, not growth rates. But I don't know of any modern sort of cloud projects that aren't containerized, right. So that's really where the world is going. And even our 2nd generation of our cloud was all containerized. So I think it does bode well for us.
As we said before, one of our other calls in here, we protect 1,000,000,000 ephemeral cloud containers on a daily basis, and that's only going to continue to grow. So Mike, if you had some thoughts on Kubernetes and just our place and how we operate as quickly?
Yes, sure. Look, I think we're certainly seeing that growth in Kubernetes as well. All the customers that we speak to are really aggressively going down that path. So and we expect that to continue. What I would say to your question is, we look at the environment, I guess we break it down into 2 ways.
We look at runtime security and also the attack surface reduction. We focused on runtime security because ultimately that's where we're starting to see the activity. So where we see attacks target, living off the land techniques, when they use admin tools and it's not so much the vulnerabilities, for example, in the container images. So that's where we're focused, but what we're announcing today is a coverage across both runtime and reducing our attack surface because we are starting to see the demand move across. We're uniquely placed to be able to look at that CICD pipeline, starting to think about how we can integrate there and provide coverage across both areas.
Just to follow on that and then we can go to our next question. I would say we're probably a little like Google in that we've built a lot of these things already. So when we're coming out with products like forensics or we're coming out with our Horizon product, we built it for our own tech for our own cloud, right. So now we've basically packaged it up for our customers, we'll make it easy to use. But we have many years of actually using this technology in house.
Thank you. Thanks, Alex.
Our next question is from Brian Essex at Goldman Sachs.
Thanks, George, for doing this. It's very helpful. I just wanted to follow-up to the last question and just kind of if we can differentiate between runtime and test and development, How much of an opportunity do you see potentially going into test and development versus runtime? It seems like you're kind of very focused on that. I just want to kind of clarify how you think about that.
When we look at runtime, a lot of the runtime is either in the configuration or it's in the vulnerability. So as an example, in your runtime build, do you have a bunch of old libraries, you have vulnerabilities in the open source code. And I think Spotlight is the perfect technology to be able to look at those sort of runtime configurations as well as vulnerabilities. So I do think we have a great future opportunity there. But in terms of runtime, people it's runtime and visibility, right?
People want to understand, is there an issue in my container? And because the containers are ephemeral, they actually want to be able to track what happened there. And it's very difficult to do that in other technologies. And when you combine our insight with our AV technology and anti malware technology, we give you good visibility what happened. Even when the container is destroyed, we can tell you exactly what happened in it and we give you the protection.
So we thought that was the best place to start and there are plenty of other opportunities in the areas that you talked about and we've got technologies in those areas already.
Got it. Super. Thank you.
Thank you, Brian. Our next question is from Greg Moskowitz of Mizuho.
Hi, guys. Thanks for taking the question. Thank you for hosting the session. The cloud workload TAM analysis was very interesting, but the reality today, George, is that customers are spending about 6 times less on cloud security today than you think they should. So from a go to market standpoint, how is CrowdStrike going to educate customers about the importance of securing cloud workloads?
And more importantly, how long do you think it takes before this gap starts to significantly close?
It's a good question and there's only so much education we can do. I think the market continues to get educated. I think the compliance drivers, if you look at the financial services as an example, they can't put anything up without some level of protection. So I think you're going to have a natural kind of pull just with compliance and the fact that people are going through digital transformation. Somebody's got to check the box on compliance.
I think then working with any of the number of marketplaces that we work with on the cloud side is a good way to help educate people, right? Hey, I want to spin up a container, what am I going to use? Well, CrowdStrike is sitting right there in AWS marketplace. Fantastic. I can put it in, I can get exposed to it and we can do our education there.
And I think that's probably the most scalable way to do it. But just like cloud, when I started the company in 2011, nobody was doing endpoint delivered cloud security or cloud security delivered at the endpoint. So the idea for us is to look for the market to actually move in our direction. And we've always been a little bit early, but it's always worked out to our advantage.
That's great. Thanks, George.
Our next question will be from Andrew Nowinski with D. A. Davidson followed by Fatima Boolani of UBS.
Hey, thanks Maria. Good afternoon guys. Just one question on the cloud spend. So I know you said the opportunity is about 10x the size of endpoint spend in terms of the opportunity. I'm wondering based on some of your existing customers, I'd imagine you have customers where you are protecting both cloud workloads and endpoints.
Can you give us an idea on the revenue ratio of cloud spend versus endpoint spend at your existing customers now? And then as a follow-up to that, I was just wondering, you said in the past when you introduced new modules, they're high typically high margin because it's a software introduction. Is it fair to expect a margin expansion going forward given you introduced about 3 new modules today?
Yes. So let me try to hit that. So just to kind of clarify what we talked about in the example is a 10x of the existing cloud security spend, right? So when you look at what we see as a security spend, we think it's just underrepresented just with the simple math and it should be 10 times that. So that's different than the ratio of endpoints revenue to cloud.
What we do see and we're trying to put some sizing on this is that for every endpoint we see about 10 cloud workloads. That's just pure numbers. In terms of our opportunity there, we think it's because they're servers, we do think there is a great opportunity. Now ephemeral workloads come and go, you can't always build them at the same rate. But from the standpoint of our ability to actually capture that in the future in meaningful revenue trends, I think it's absolutely there.
We're seeing it now. Obviously, whenever we come out with a new module, I would say for the most part, it obviously, whenever we come out with a new module, I would say for the most part, it does represent new margin opportunity for us. And we would certainly see that with the modules that we introduced today. We've already basically collected the data. We know it's there.
So when we add a new module, most modules are pure margin on top of it because we're just pulling the data right out of Threat Graph and we created a workflow around. Thanks, George. Thanks.
Our next question is from Fatima Boolani of UBS, followed by Eric Suppiger of JMP.
A question on Horizon and a question on Spotlight. We'll give that product some love because we didn't get a chance to really talk about that too much. But just with Horizon, appreciate this makes your cloud security pillar more fulsome, but can you help drill into some of the technical differentiation and maybe some of the engineering nuances between your approach to CSPM and how some of your peers in the vulnerability management arena, in the network security arena and even web security arena are tackling this problem? And then a follow-up on Spotlight.
Sure. I think, Mike, that's a great question for you.
Yes, absolutely. So thanks for the question Fatima. Look, as part of as I mentioned in the session, as part of that overall strategy of leveraging the traditional technology that we have and extending that capability to allow us to cover these additional areas. As mentioned, one of the big challenges that we see today is the fact that dev is running a lot faster than security and a lot of the technology gets left behind. Part of that is because we're using a lot of the vendors use traditional approaches to security.
They're not multi cloud and it's just cumbersome. So if I think of our unique value proposition, it's visibility first, it's looking at our indicators of attack and looking at indicators of misconfiguration, it's having the ability to be multi cloud, doing artificial intelligence off that threat graph, covering the traditional cloud infrastructure as well as your newer containers and ephemeral workloads where we can start to do things like threat hunting and leverage those IOAs and IOMs even after these environments have spun down. But it's also being able to do that security load across on prem, hybrid, in the cloud and multi cloud environments. So I think we're extremely well placed, as we've mentioned, to cover all environments.
Fair enough. And just on Spotlight, with some of the enhancements and the increased breadth of operating system support that you guys announced during the conference, I get the sense there's more of an emphasis on cornering vulnerability based exploits. And so at a high level, how should this change the technical and in marketplace and even mind share aspirations that you have within the vulnerability management arena against some of the more traditional household names in that space?
Well, I'm sure George will have comments there being a topic that's near and dear to his heart. But this is an area that obviously we want to continue to focus on as part of being able to understand every workload that's in an environment, being able to defend against anyone trying to exploit it. And part of that is hygiene and part of that is vulnerability management. It's understanding across all of those workloads and that's part of the strategy that we have to make sure that over time, we are able to give our customers the ability to see where they're vulnerable, to allow them to isolate machines, to allow them through our store partners to roll out patches. But most importantly, if somebody does try to attack these environments that we can provide prevention very, very quickly and ensure that an organization isn't breached.
So it's a key part of that strategy, especially as we start to think about the cloud and we've talked about CICD and being able to move further to the left in that pipeline, Spotlight again becomes a critical component in this architecture.
Yes. And just to follow on that, I think there's an easy way to look at this and that is real time versus scanning. And what we find with existing cloud VM products or endpoint products that are delivered from the cloud from the VM folks is that just scanning. They're just looking for things and it takes forever and it kills the performance of the machines. Just about all the customers that we talk to that have those legacy VM agent technologies, they want to get rid of it because it just destroys the machine.
So again, it's really hard to build what we've built at scale to work in real time. And because we're pulling all the data off the threat graph, we don't have to really impact the performance of the cloud. It becomes a big data exercise. So that's a huge differentiation differentiating factor between us and others. And then on the network side, we feel that's commoditized.
I mean, there'll be plenty of network scanners that will find things out there. But reality is our customers see a lot of value in the workloads and the endpoints to get that real time vulnerability information.
Appreciate that. Thank you very much.
Thank you, Fatima. Our next question is from Eric Suppiger of JMP and that will be followed by Gray Powell of BTIG. Thank you.
Yes. Thanks for taking the question and thanks for the day. I'd be interested to know what the pricing dynamics are for securing containers and workloads in the cloud. If there's a 10x expansion of workloads versus on premise, are each of those equivalent in terms of the opportunity for you or how should we think of the price per workload?
It's not necessarily one to one because you have so many ephemeral workloads. So you have to look at the size of machine, the number of workloads that are running and then you also have to look at some metered billing type options, right, because the way people run their containers, they want to be able to flex and be elastic. So it's not necessarily a one to 1, but it does represent, I think, a large incremental opportunity just because they're not protected. So we'd like to provide some more color on that I think in the future. But at this point,
the
way we roll out and the way we charge has been more server based. We have introduced metered billing and it's really coming out with flexible models of billing that meet our customer demand and also gives us value that we believe the customers are getting because we're protecting so many ephemeral workloads per server.
So are you currently still evaluating the pricing strategy for containers?
Well, we have a pricing strategy, but again, a lot of it is server based and we're always looking to see what's the best way to price it, because we don't necessarily price it on every container, we price it on every server, but each server is different. We have some servers that run 142 quarters and some that run like 2. So I think there is an opportunity to look at that. But I think in general, where people are going is really into the metered billing type model. And how many containers are running, how long are they running, things of that nature.
And that's I think a pretty emerging area for everyone. So it's matching up how customers want to use their containers, but also the way they want to pay for the security. I think there's more work to be done in that area.
Okay. Then just expanding on the last question. In on premise, the vulnerability scanning can identify and scan devices that wouldn't have an endpoint agent. In the cloud, do you have that same dynamic or can CrowdStrike cover most of the devices that would be need vulnerability management in the cloud?
It's a good question. In general, if you have a device that's spun up and it's connected to your account, you kind of know what it is and we integrate with things like CloudTrail from AWS, so we know what's there. So we have an inventory. So it's a lot easier for us to cover everything that's there because you're not running IoT devices, an example, in the cloud, you kind of know what it is. Could there be some cases where you want to do external scanning?
Sure. And people are still able to do that. But I think there by and large, anything that comes up in the cloud, you'd be able to cover with a agent based VM type technology. Very good. Thank you.
Our next question is from Gray Powell of BTIG and that'll be followed by a question from Shaul Eyal of Oppenheimer.
Yes. So I think the math that you did on the adjustable market was pretty straightforward. I understand how you get to 12,400,000,000 dollars So I guess my question is, do you feel like you have the product set in place today to adjust that full market? Or is there something else that you guys need to introduce? And then I just had a quick follow-up.
Well, there's multiple pieces to it. So I think we have a pretty good start in terms of runtime, in terms of configuration. I think we talked a little bit about having visibility into some of the vulnerabilities in containers, our ability to block vulnerable containers before they get deployed, things of that nature. So it's ever evolving. It's really a journey, it's never a destination, but I think we've got a great suite of cloud technologies that can capture what people are looking for in terms of our customers.
And Mike, if you have any other thoughts of areas of focus for us.
Yes, I was just going to add that we have a very rich roadmap in terms of additional capabilities that we want to focus on in this area. I think I'll go back to the comments that I made earlier around covering runtime protection and then tax surface reduction. Obviously, the runtime protection is our natural core, our sweet spot, and we want to keep building out into that attack surface reduction area. So, security for the build pipeline, doing more vulnerability scans and config management. So we're certainly excited about where we are today and we sit really well in terms of customer requirements.
But as this area grows, we will continue to leverage that technology and keep building into that suite.
Okay, great. And then just one quick follow-up. I think Fatima touched on this earlier, but how does Falcon Horizon, how is that different from sort of the cloud posture management solutions from folks like Palo Alto's Prisma Cloud?
So I
can take
that one.
I mean, the first thing that I'd say, there's obviously a lot of technologies being announced in this area. When you're leaning towards a certain they're stronger in Kubernetes or they're stronger in other areas, some are really good with AWS, less so with Azure or GCP as an example, when you dig in their roadmap items. If I go back to those comments that I made earlier, for us, it's about covering that multi cloud, covering AI with the threat graph, having the ability to cover across runtime as well as the attack surface reduction. And the most important thing for me is making sure that we use it with the same infrastructure that we have for our traditional workloads and a lot of customers are actually dev, are pulling our technology into their process because we're helping them with fault finding, we're helping them through the dev process. So we're finding actually dev teams wanting to add, and as I mentioned in my SaaS example, we've got customers that won't publish any service without CrowdStrike and that's because it's a lot easier to use.
Thank you, Gary. Our next question is from Shaul Eyal with Oppenheimer.
Thank you, everybody. Thanks for hosting it. Good afternoon. Jules, thanks for the security DevOps discussion and the direction that CrowdStrike is taking towards this upcoming cycle tide. Given that SecDevOps is addressing a different audience, not your typical IT SecOp buyer, Do you see CrowdStrike going deeper into the SecDevOps through partnerships with some of the emerging players in the space?
Will it be more homegrown, maybe even an opportunity to look at it inorganically?
Well, there are different buyers and I think that's part of your question, right? You have the security buyer, you have the DevOps manager, you have sort of the security architect slash CTO. So you have to be able to target each one of those. And the way we're focused on going to our partnership type strategy, like in any else, I mean, we don't do our partnership type strategy, like in any else, I mean, we don't do everything. What we do, we do really well and we'll look to build, buy and partner.
We have obviously the CrowdStrike store, things that we built and I think Horizon is a great one. We looked at things like RedLock and Evident IO, which was part of the former question and they just didn't meet our needs for what we wanted. So that's why we built our own. So and there's potential acquisitions down the road in this space. I mean, there are a lot of companies that are focused on kind of solving small pieces of it.
And for us, I think having a one platform strategy with things that are totally integrated has been our focus. So we'll just evaluate it, but I do think there's some great opportunities for us as we look to buy or partner in this area. And certainly, we've shown that we're more than capable of building.
Thank you.
Thank you, Shaul. And our last question is Walter Pritchard from Citi.
Hey, how
are you doing George and Company? Two questions. 1, just around I think you highlighted the math is pretty clear around the cloud opportunity. I guess the only pushback there may be that you do have substantial deployments already in the cloud market with Capital One, lots of big companies putting mission critical workloads in there. Do you think at this point, they're just they're sort of using bespoke security or other things to just in this early stage of the market development?
And do you expect the market to switch over? I'm just trying to get a sense as to why we're not maybe seeing more deployments as a percentage of the cloud spend given the fairly robust volume of revenue in IaaS and PaaS? And then just had a quick follow-up.
I think a lot of the players have used just traditional existing sort of networking where you can create your own VPC and try to network things off, because that's all that was there, right. So they're getting that from the IS pass players, the hyperscalers. I think where we are now, again, it's a maturing market, still early innings, but it's a maturing market with us and others that are out there. And I think a lot of the players are looking real hard into what they can deploy. So if you think about just their viewpoints, right, assuming they can get by the compliance piece, it's been like we can't deploy stuff because we can't take existing technologies because they just break everything and they're not meant to work in that cloud environment.
They impact performance. They don't really work. They're hard to manage. And when you give them an alternative, I think people start taking a hard look at it. So just as I said, it's like the early innings of AV where I remember the days.
I mean, it's hard to believe, you probably remember it as well, Walter, where people didn't have AV on computers, right? There were days like that. And you would look back today and say, how can that possibly be? And it's the same thing in the cloud. People just roll it out, they put some firewalls around it.
I remember Cisco routers were your firewall, right? And people called it good until they had something better and we think we're that better.
And then just I know Bert is not here, we're not doing much on the financial side, but should we just think about disclosure here as being you're going to talk about percent of customers with certain number of modules and this is another module or given the 10x opportunity, do you expect to focus more on the sort of revenue as this product becomes more material?
Well, this it is another module. So certainly as we've done before, we continue to talk about the attach rates for the number of models that we have similar to what we've done. I certainly don't see that changing. And it's just another module. Again, our strategy is we've got the data and the threat graph.
We create new modules and workflows around it and then we monetize
it. Okay, great. Thanks, George.
Thank you.
All
right. So I will wrap up here. Thanks for a fantastic session here. I hope you enjoyed the earlier keynotes. I think there's a lot that's exciting about what we announced today.
Again, just execution on our strategy of creating new modules and taking advantage of the footprint we have. We haven't talked so much about preempt and we'll reserve that for a future meeting that I know Maria will help organize for us, but we're really excited about 0 Trust and what preempt actually brings to the cloud. Identity is critical in cloud environments, not only accessing those resources, but also machine to machine identity. And we're really excited about that. So when you look at kind of the full picture, the threats continue to get worse.
People are looking for cloud based solutions in a work from anywhere environment and as they go through their digital transformation with the security transformation. And we certainly believe we're the right company to take advantage of that. So with that, I'll get it wrapped up. I want to thank everyone. Stay safe and we'll talk soon.