Thesis
The cybersecurity industry will continue to grow quickly and outperform the market in the coming years. Investors looking to buy into the industry today should look at CrowdStrike (CRWD) competitors such as SentinelOne (NYSE:S), in part because their offerings could see increased demand due to fallout from the recent CrowdStrike outage.
Author’s Note: I wrote an investment thesis for CrowdStrike in 2021, and it’s been a great performer since then. If you’re not familiar with CrowdStrike and its competitors in endpoint protection, I recommend reading that article first. This article can be considered a revision of that thesis.
A Lesson From History
On Friday morning, CrowdStrike was on the front page of every major newspaper, but not for a good reason. They released a software update that caused a major technology outage, grounding flights and causing hospitals, banks, governments, and other businesses to report various issues. It’s worth noting that the outage only impacted Microsoft (MSFT) devices.
It’s difficult to think of another technology outage of this scale in recent history, even outside of cybersecurity. However, CrowdStrike certainly isn’t the first cybersecurity company to disappoint its customers. In my view, this incident has some similarities to an incident reported by fellow cybersecurity company Okta (OKTA) in March of 2022.
Back then, Okta announced that approximately 2.5% of its customers had their private data stolen from Okta’s database by hackers. This damaged Okta’s brand as a trusted cybersecurity company; a result that naturally follows whenever a cybersecurity company gets breached, especially if they don’t quickly mitigate the issue and notify their customers.
In contrast, CrowdStrike has claimed that Friday’s mostly-resolved incident was simply a bug they released by mistake, not a cybersecurity breach. However, the Washington Post reported that some independent cybersecurity experts were unconvinced that it was accidental. Either way, it’s inevitable that such a major incident will have a negative impact on CrowdStrike’s brand. Even if it was an accident, it makes CrowdStrike’s quality control processes and internal controls look unacceptable.
After both aforementioned incidents, investors reacted quickly. Okta’s stock fell by around 6% the morning after its breach was announced, while CrowdStrike stock dropped by 11% on Friday. The long-term impact on CrowdStrike’s stock is unknown, but a history lesson from Okta doesn’t bode well. The following chart compares Okta’s performance since it was breached to its peers’ performance:
Stock | Δ Stock Price (since 3/22) | Δ Revenue (since 3/22) | Δ Revenue (2020) |
OKTA | -44% | 62% | 42% |
CRWD | 37% | 114% | 82% |
ZS | -18% | 116% | 56% |
PANW | 59% | 51% | 17% |
FTNT | -12% | 40% | 29% |
S | -46% | 184% | 101% |
SPY | 21% | – | – |
Source: Seeking Alpha
At first glance, Okta’s 62% revenue growth since its breach looks respectable. However, Okta was once regarded as a high-growth darling. Its growth prior to the breach was comparable to fast-growing peers like Zscaler, while its growth afterwards has been more comparable to that of mature cybersecurity companies like Palo Alto Networks.
This shift in expectations was reflected in the stock price; Okta’s stock has fallen by 44% since its breach, due in part to multiple compression. During this same time period, the S&P rose by 21% and many cybersecurity peers did even better.
Of course, there were many factors at play during this time period besides the breach. CrowdStrike and most other cybersecurity companies have always scored well on the Rule of 40, and have been profitable in recent quarters. On the other hand, Okta has never been profitable regardless of how fast it’s been growing. Additionally, Okta exists in a niche subsector of cybersecurity which may naturally experience different levels of demand than other subsectors.
While many factors certainly contributed to Okta’s slowing growth and general underperformance, it’s reasonable to speculate based on the timing that their breach – and the resulting damage to their brand – was one factor.
It’s far from a foregone conclusion that CrowdStrike will suffer a similar fate, but it’s not out of the question. While the cybersecurity industry has been consolidating, it’s still fiercely competitive, and there’s no doubt that the sales teams of CrowdStrike’s competitors will use this incident to their advantage.
Competition in Endpoint Protection
CrowdStrike made its name in endpoint protection, a cybersecurity niche focused on protecting individual devices like computers and tablets. According to the analyst firm Gartner, CrowdStrike was best-in-class in 2023:
While CrowdStrike may be number one, many companies are classified as leaders, including Microsoft, Trend Micro (OTCPK:TMICY), SentinelOne, and Palo Alto Networks. In this competitive landscape, these competitors could benefit from CrowdStrike’s mis-steps.
In my view, the recent incident was a black swan event; the chance of CrowdStrike causing another similar incident in the future is quite low. However, that could be a difficult case to make to upset customers whose businesses were severely impacted. It’s very possible that some of CrowdStrike’s existing customers will switch to competitors out of frustration, and it could also be a lot easier for competitors to win new customers in the near term.
CrowdStrike Downgraded to Hold
Perhaps the most extreme reaction to the CrowdStrike incident would be to short the company’s stock. The fallout from this incident could include slowing revenue growth and legal issues, so it’s certainly not out of the question that CrowdStrike stock could continue to fall.
However, the cybersecurity industry overall has grown rapidly over the years and will likely continue to do so going forward. Even if CrowdStrike begins to underperform peers as a result of this incident, that doesn’t mean its stock will go down. Overall, I’d much rather be long cybersecurity than short cybersecurity, regardless of the company (and shorting stocks is very risky in general, regardless of industry).
On the other extreme, one could look at the double-digit dip in CrowdStrike’s stock after the incident as a buying opportunity. Eventually, this incident will be old news, and from a financial standpoint, it’s possible that CrowdStrike will continue to thrive as if nothing happened. While I think this is a reasonably likely outcome, CrowdStrike’s stock is priced as if this is a guarantee. Even after the 10% dip on Friday, CrowdStrike is still the most expensive stock in the cybersecurity industry.
Stock | P/S | Revenue Growth (yoy) |
CRWD | 21 | 34% |
MSFT | 14 | 14% |
PANW | 14 | 20% |
S | 10 | 41% |
TMICY | 4 | 10% |
Source: Seeking Alpha
CrowdStrike is currently far pricier than competitors, a valuation which was arguably justified in light of its market leadership and best-in-class combination of growth and profitability. However, I believe that the recent incident adds significant risk to CrowdStrike and warrants a larger re-rating. At this point, it’s still possible that CrowdStrike will follow in Okta’s footsteps and see its growth slow to be more in line with more mature competitors.
Even without factoring in the recent incident, CrowdStrike was at risk of slowing growth due to the law of large numbers. This is because, at over $3 billion in sales over the past year, CrowdStrike is already a large company. It’s very rare for a company of this size to grow revenue at 30%+ per year for very long. Once growth slows – whether due to the incident or general maturation – it will be difficult for CrowdStrike stock to outperform from its current valuation. Based on these risks, I consider CrowdStrike a hold at current prices.
SentinelOne becomes a strong buy
SentinelOne stands out as the most asymmetric – and perhaps best – investment opportunity in cybersecurity for those who deem CrowdStrike unappealing at this point. This is for three reasons.
First, SentinelOne’s business is most similar to CrowdStrike’s, given its focus on endpoint protection. The other competitors listed in the prior section are large and diversified, meaning that only a small portion of their businesses are positioned to directly benefit from CrowdStrike’s struggles. (It should be noted that SentinelOne technically offers extended detection and response, which is similar to endpoint protection but includes additional surfaces such as cloud. Regardless of the terminology, their offerings are similar to CrowdStrike’s.)
Second, SentinelOne’s stock has been trading flat for over a year despite improving financials. Aside from its consistently best-in-class revenue growth (which is admittedly a low bar given that the company has only 1/5th of CrowdStrike’s revenue), the company just posted its first quarter with positive free cash flow per share. Its -45% profit margin is still abysmal, but margins have been consistently moving in the right direction. Even in the worst case, if SentinelOne can’t scale to be a viable business on its own, it could still be a great acquisition for a larger cybersecurity company.
Lastly, recent macro trends are tailwinds for SentinelOne. The company has long been touting the benefits of integrating artificial intelligence with cybersecurity, and recently any company that simply mentions AI has seen its stock price increase. Whether this is rational or not is a question for another article, but it’s not something that SentinelOne investors should complain about, given that the stock has yet to see an “AI bump” of its own. Similarly, while it’s hard to spin SentinelOne’s lack of profitability as a positive, it will be less of a negative in an environment with falling interest rates. In particular, in this environment, it doesn’t make sense to me that a company like SentinelOne – growing quickly with a solid balance sheet – has a lower P/S ratio than most of its slower growing competitors.
Of course, there’s no doubt that SentinelOne is a risky investment given that it’s relatively new to public markets, has been unsuccessful in them so far, suffers from a severe lack of profitability, and has been out-grown by CrowdStrike since it was founded. These risks kept me on the sidelines until the CrowdStrike outage. But I’m betting that the outage will be a catalyst for SentinelOne to improve its growth rates and, eventually, its margins and stock price.
Other investment options
Investors who deem SentinelOne too risky can look at Palo Alto Networks instead. This company has been making big moves in endpoint protection recently, which could prove timely given CrowdStrike’s issues. It’s now a leader in the Gartner magic quadrant, when it wasn’t even included in the quadrant two years ago.
Outside of endpoint protection, Palo Alto Networks is a blue chip cybersecurity company which has diverse and comprehensive offerings. This means that, unlike SentinelOne, it’s positioned to continue succeeding whether or not there’s more fallout from CrowdStrike. After all, it’s an established company which has been successful for longer than CrowdStrike or SentinelOne have existed.
The main reason I have a slight preference for SentinelOne over Palo Alto Networks is simply valuation. Palo Alto Networks’ valuation is reasonable, but its P/S ratio is a bit high relative to its historical average (although the same can be said for the market overall). Meanwhile, its revenue growth has been stable for years, but is currently on the lower end of its historical range.
Of course, it’s worth mentioning the other leaders in Gartner’s magic quadrant as well, namely Trend Micro and Microsoft. However, these companies are not growing very quickly relative to the overall cybersecurity industry. And Microsoft is far from a pure play on cybersecurity. While I’ve long recommended Microsoft stock and will continue to do so, I wouldn’t consider it a cybersecurity investment.
Conclusion
A look at a past incident impacting cybersecurity companies revealed that investors should be careful about “buying the dip” and dismissing the recent CrowdStrike outage. While it’s very possible that CrowdStrike will continue to be a successful business and investment, competitors like SentinelOne look more appealing at this point. They’ll directly benefit from CrowdStrike’s mis-steps, and their stock is currently at a more attractive valuation.
Read the full article here
Leave a Reply