After the fateful July Friday when hospitals, airports, major companies, banks, and even public transit came to a halt because of a Crowdstrike Falcon patch deployed overnight that day, investors have wondered what the effects might be on the business. Will customers scramble to jump ship and avoid Crowdstrike (NASDAQ:CRWD) altogether, or will everyone forget it after a few months and go on like nothing happened? Or, perhaps, it’s too much effort and cost to do anything about, so they won’t bother.
Well, to start, the question hasn’t had enough time to be answered.
I saw victory laps taken across Seeking Alpha after the earnings report from contributors, with the conclusion, “Everything seemed fine.” Even Wall Street analysts are pumping the stock (and I don’t use that term freely or frequently), saying the same thing.
Coming back to reality, earnings were a month and a week removed from the incident. The problem is enterprise software and its sales cycles don’t generally work this quickly.
Now, before I go deeper into this, to be fair, Crowdstrike may never see a material impact in terms of customers fleeing or new sales vanishing because the outage spooked users. Nothing may materialize outside of contractual payouts for downtime. That being said, the situation has not finished playing out, and thus, the jury is still very much out.
But I do see smoke rising.
How Enterprise Software Sales Look From The Inside
If you’re a customer looking to buy enterprise software – anything from cybersecurity with Crowdstrike to HR software like Workday (WDAY) and Salesforce (CRM) to server infrastructure support like RedHat (IBM) and VMware (AVGO) – the sales cycle takes quarters, not days or even weeks to complete. Because these types of software cost tens of thousands of dollars and easily hundreds of thousands of dollars for even small purchases, companies take time to understand what the software provides, how it can be implemented, what the ROI is, and what it won’t be able to do. Furthermore, the price of the software is sometimes only part of the cost of purchasing it. The labor of the customer’s employees and their time to implement it may rival or exceed the software cost in the first year.
The other side of the coin is investigating competitors and their products.
A company might engage Crowdstrike and look for what it can and can’t offer. But then it’ll go to other competing software companies offering similar features and investigate the same questions. Once a shortlist of top software candidates is made, the top one, and, generally, two, are re-engaged to perform a POC – a proof of concept. This is when a sandbox is stood up free of charge (I have seen paid-for POCs, but it’s rare), and the product is installed into a sandbox/development environment (typically with reduced features or scalability) at the customer or in the cloud and integrated into the other sandboxes and/or tested on endpoints mimicking the customer’s production environment.
The POC process separates the sales team from the tech team. It’s not too different from a car salesman saying they can give you all the bells and whistles as he puts numbers on a blank piece of paper. But later in the process, the finance manager says, “Well, actually, you can’t have that and this over here? That costs more. Oh, you’re not getting that interest rate; it’s actually 75 basis points higher due to this and that.”
There have been many times when software was promised to be compatible with my infrastructure but turned out not to be so turnkey after all. This creates delays until a solution can be found, either through customization or by supplementing it with another piece of software. Granted, the sales team doesn’t always have accurate answers, which is often why they have a tech-oriented colleague on these initial customer calls. Even then, nuances or misunderstood requirements slip through the cracks. But, ultimately, if a solution can’t be found and it’s a roadblock, the result of the POC is that the product isn’t going to work; the customer moves on.
POCs can often last 4-6 months and sometimes longer. After its completion, the customer brings together all managerial levels to review the POC results and decide whether to buy the product. Once a decision is made, it can take 6-8 weeks to get a PO (purchase order) in to pay for the software and obtain the requisite license or key.
Therefore, from the start of an engagement with a company like Crowdstrike to making a decision takes, at best, two quarters. More often than not, this process can take up to three quarters or longer, depending on the environment’s complexity and the customer’s needs.
To this point, what I’ve outlined tackles the purchasing process for a company where there’s generally a new need for a product. In Crowdstrike’s sector, this is when an endpoint security solution didn’t exist prior.
However, if, say, Crowdstrike is already installed in the customer’s environment, and the customer decides it wants to switch to a competitor’s product, not only does the switch go through the 2-3 quarter process I outlined, but the extra steps required to move off of the old software and onto a new vendor’s software (known as “rip-and-replace” deals) can add complexity. This includes testing the new software and transitioning the customer’s environment from one solution to another without creating gaps during the switch or compatibility issues if the two products reside on the same endpoint.
Many times, this becomes a 3-4 quarter process. Yes, I’m talking 9 to 12 months.
Now, this isn’t all customers, and this isn’t all software infrastructure designs. With much of the software available today, vendors have SaaS (software-as-a-service) provisions or other cloud capability to ease the integration or transition process. However, for endpoint security, there’s no way around the fact the software solution must eventually be tested on and rolled out to the endpoints in the customer’s environment. While the central configuration can live in the cloud, the agents on the endpoints have to be at the edge. Furthermore, specifically with endpoint security, many compatibility tests must be run as network ports and resource allocations can’t interfere with already installed software or the very product the customer produces.
The bottom line is no one has even walked through this process since the Crowdstrike outage; it’s just not possible. At best, a customer could be but a month in if an exec came into work the following Monday and said, “Jerry, find me a way off of Crowdstrike,” or “Tanya, stop the Crowdstrike POC and call up our second vendor choice.”
How This Plays Out For Each Customer Cohort
Allow me to walk through the different customer groups in the sales cycle. We can then see which customers show up in the financials and which ones require more time before effects are seen.
The first domino to fall would be prospective customers early in the sales cycle. These are the ones most easily able to walk away; they have no significant investment yet (no POC stood up) and are only in the discovery process of the product. These customers won’t show up in the financials from the July quarter and aren’t factored into any sort of guidance – they’re just too early in the sales cycle to consider them for potential future revenue. The only way they appear in the fundamentals of Crowdstrike is through the slowing of new logos over the coming quarters. Fundamentally speaking, it’s a much more “silent” situation to investors.
The second domino to fall is the customers in the POC phase who have invested some effort into understanding if Crowdstrike will work for them (the Tanyas). This group may be considered for revenue two quarters out. This group can cause a longer sales cycle as they pause the POC to understand how Crowdstrike will deal with the outage and prevent it from happening again. These are the “we’re being cautious and taking the wait-and-see approach” customers. Generally speaking, though, when it comes to cybersecurity, there is little time to wait; thus, other vendors/competitors are being explored simultaneously.
The third domino to fall is the customer group nearing the finish line and ready to make a purchase. This group falls into this quarter’s revenue guidance, if not next (contained in yearly guidance). This would be the “put on the brakes” group, and a decision to go with Crowdstrike hinges on the level of comfort the customer’s leadership has in the product and how Crowdstrike handled the situation. This group would be the first one to impact the financials.
The final domino to fall is the group that already has Crowdstrike products installed in their environment (the Jerrys). This is the group that may have been affected by the outage. This customer cohort contains a subset of customers who may desire the most to rip-and-replace but are likely the most locked in. Generally, subscription contracts are for a year or more (more generally aligning to customer contracts with their clients if that’s the scenario). So, if a customer in this group wanted to ditch Crowdstrike, they might be locked in for up to another nine months.
However, it doesn’t mean they aren’t already pursuing other competitors. As it turns out, one of its competitors, SentinelOne (S), is finding its phones ringing off the hook. It also means they may no longer be considering upscaling or adding to their current Crowdstrike implementation. This is the most motivated group but the most locked-in group from a baseline perspective, and why much of the fallout from the outage may not come to pass until two or three quarters from now. The most immediate effects are any larger purchases for more endpoint licenses or other products in Crowdstrike’s portfolio.
So, the summary is twofold. This situation can affect the front-end and back-end sales cycles. The front end is at the top of the sales funnel with prospective customers who may begin to shy away from looking at Crowdstrike’s products or are now going down their software candidate list while still proving out the software in their environments. In other words, the competitive landscape just got tougher for Crowdstrike to win new logos. The back end of the sales cycle is customer retention and keeping the revenue they’ve already fought for and won. This fallout can last a while as renewals of contracts come up over the coming year. This back-end scenario won’t rear its head until six months from now at the earliest because current customers won’t have enough time to rip and replace Crowdstrike from their infrastructure until then as they wait for their contracts to expire and a replacement is aligned.
Matching The Scenarios To The Earnings Report
So, considering the third domino is the first to affect the company’s outlook, I look at yearly revenue guidance as the barometer. No matter what management says, the revenue numbers are what they are. Outside of some topline accounting charges due to the outage directly, there’s no reason for revenue not to be maintained or increased from the guide it provided before.
Management provided FY revenue guidance of $3.896B with the following caveat:
CrowdStrike’s revenue guidance for the fiscal year 2025 includes an estimated $30 million subscription revenue impact in each of the remaining fiscal quarters as a result of incentives related to our customer commitment package. In addition, fiscal year 2025 revenue guidance includes an estimated impact in the high-single digit millions to professional services revenue in the second half of fiscal year 2025 as a result of incentives related to our customer commitment package.
– Crowdstrike’s FQ2 ’25 Earnings Press Release
So, backing in the $60M (two quarters multiplied by $30M) plus $8M for the professional services impact, guidance would have otherwise been $3.964B. This compares to analyst estimates at the time of $3.96B. However, compared to prior company full-year guidance for FY25, it was down from $3.993B – a roughly $30M decrease from one quarter to the next and $12M below the low end of that guidance range.
I would expect this kind of impact if things were not headed in the right direction immediately following this incident. The third domino cohort is directly responsible for this alongside current customers who are not taking upsells on current products or cross-sells into other Crowdstrike products. While small in dollar terms, the window since the outage makes it proportional.
While the rest of the cohorts I’ve explained will need more time to work through Crowdstrike’s financials, this start – even after backing in the charges the company is taking (one-time items) – means a number of potential customers have slowed their purchase process with the company or abandoned it entirely.
Crowdstrike may never see a material impact beyond this, but the crack in the armor of a reduced full-year guide – in line with the timeline I’d expect for the particular cohort of customers – is strike one.
The Bug Heard ‘Round The World
With one particular competitor finding a lot of interest in starting the discovery and POC process, Crowdstrike, at best, will be dealing with an increased competitive landscape. Any new wins will be hard-fought, whereas that may not have been the case a quarter ago. You may think because SentinelOne didn’t up guidance materially, the posturing is just that – posturing. But the reason Crowdstrike hasn’t seen a materially negative impact to date is the same reason SentinelOne hasn’t seen a materially positive effect.
This adds to the argument there hasn’t been enough time to see this play out. Victory laps this early aren’t necessarily in danger of not aging well; they simply aren’t well thought out, nor do they have the inside information on how these software sales cycles work. It’s not a matter of right or wrong; it’s a matter of a misinformed thesis and story timeline.