rewrite this title The Biggest Problem With CrowdStrike Stock – Nanalyze

Embark on a corporate career of any kind and you’ll quickly become familiar with an acronym you won’t find in any company handbook. CYA stands for “cover your behind,” and the premise is simply this. Always make sure you’ve either sufficiently assumed responsibility or passed the buck to someone else with appropriate documentation. If the manure hits the spinning blades, your career will still be intact. For every Chief Technology Officer (CTO), there’s one domain you absolutely need to exercise some CYA over.

Let’s say you’re the CTO of a company that just experienced a major disruptive cybersecurity breach. It’s all over the morning news as you prepare an email to the CEO and Board of Directors, which goes something like this. “I’ve instructed the team to follow the business continuity plan we all signed off on, and I’ve escalated the issue to our vendor point of contact for a potential resolution and root cause analysis.” The simplicity of this response only works if one large vendor is responsible for ensuring all your firm’s primary cybersecurity needs. And today, there are five pure play cybersecurity companies leading the pack, at least when it comes to size.

Leaders Will Keep Leading

Remember that whole CYA thing? What do you think happens if you have three cybersecurity vendors? They’ll immediately start pointing fingers at everyone else. “Coexistence blah blah blah.” That’s why today’s CTOs are all looking to consolidate cybersecurity vendors, not expand them. It’s why we believe leaders in the cybersecurity space will continue to grow by increasing the breadth of their offerings through acquiring adjacent offerings.

In last year’s piece on CrowdStrike (CRWD), we talked about their propensity to acquire other cybersecurity companies, something that continues unabated. In the first few weeks of this year, over a billion dollars have already been spent to acquire two firms – SGNL (real-time identity authorization capabilities, especially for AI agents) and Seraphic Security (browser runtime security). With free cash flow of over $1 billion last year and $4.8 billion cash liquidity on their books, the party won’t need to end anytime soon.

With every acquisition, CrowdStrike adds more clients that can be upsold more platform “modules.” Each customer can consolidate vendors because the breadth of CrowdStrike’s platform keeps expanding. Around 25% of their clients utilize eight or more modules, with the platform offering anywhere from 22 to 30 modules. A look at top-line revenue growth shows acceptable, albeit decelerating, revenue growth expected for this year of 21%.

One reason for the recent deceleration might be last year’s major cybersecurity fiasco, which everyone has probably already forgotten about.

Cyber Egg on Cyber Face

The inadvertent release of a faulty configuration update by CrowdStrike for its Falcon sensor software on July 19, 2024, caused massive financial impacts when it shut down an estimated 8.5 million Windows devices globally. This is referred to as “The July 19 Incident” in their SEC filings, with an entire breakdown of outstanding lawsuits provided on pages 25-27 of their latest earnings report. Basically, they’ve been fighting the fires you’d expect them to, and we’re also provided with a balance of “amounts accrued and expenses incurred, net of insurance receivable recorded,” which currently totals around $25 million – a drop in a bucket, really. Turns out the CTO of CrowdStrike did some CYA by insuring some of that risk.

Settling lawsuits and pacifying the most upset customers (like Delta) is business as usual, but we’re more interested in the impacts which aren’t being discussed in the SEC filings – reputational impact, which could see customers fleeing for the exits. Migration off the CrowdStrike platform would likely be slowly, then, suddenly, which is why – coming up on two years later – we want to keep monitoring key metrics like “gross retention rate” which reflects customer cancels.

Sporadic Gross and Net Retention Rates

At the close of Fiscal 2025, CrowdStrike offered up their strong gross retention rate of 97% as evidence that the “cybersecurity fiasco” is largely behind them. Then in Q1-2026 (June 2025), the same number was provided with the same emphasis. And for the last few earnings reports, it’s just not provided at all. This is very frustrating coming from a company that used to chart both gross and net retention rates over time in a chart that was both rare and useful. Feast your eyes on this beauty.

They probably stopped providing the above chart because net retention rate (NRR) fell below their stated 120% benchmark. All the upselling and cross-selling that happens on a module-based platform is typically monitored via NRR which isn’t explicitly provided anymore, but was last measured at 112% (should be 120% for a healthy SaaS firm). One reason for this might be the introduction of a “Falcon Flex” pricing program where customers buy “credits” to use across any CrowdStrike platform module, something the company claims is driving revenue growth. Offering creative pricing plans increases breadth of usage, but without NRR, we can’t see if this allows customers to spend less or enables them to spend more.

Both net and gross retention rates need to be provided as they indicate how much damage CrowdStrike might be taking from their most formidable competitor. And it’s probably not who you think.

The 500-lb Gorilla

We always invest in leaders, and CrowdStrike is the second-largest pure-play publicly traded cybersecurity company out there based on market cap. In first place, you’ll find Palo Alto Networks (PANW) which has also seen revenue growth decelerate for four consecutive years.

But here’s the clincher. The biggest cybersecurity company isn’t one of the two names mentioned above.

If we look at total revenues, Microsoft (MSFT) absolutely dominates with $37 billion in cybersecurity revenues in Fiscal 2025. So they’re about twice the size of CrowdStrike and Palo Alto combined! Remember the old saying, “Nobody got fired for buying IBM?” The same can be said for one of the largest tech companies in the world. And speaking of IBM (IBM), they also have a burgeoning cybersecurity business which we know little about. So it’s entirely possible that large enterprises are surreptitiously eroding market share for pure-play cybersecurity companies like PANW and CRWD.

Meanwhile, all this uncertainty has led to volatility. CrowdStrike stock dropped by a third following their cybersecurity fiasco, though shares quickly recovered – up +77% compared to a Nasdaq return of +36% over the same time frame. But whether CrowdStrike stock is cheap or expensive always comes down to valuation.

Valuing CrowdStrike Stock

If you’re not familiar with our simple valuation ratio (SVR), then please start here. It’s a proprietary metric we use to value a company when price-to-earnings doesn’t make sense. It’s basically price-to-sales except we use last quarter revenue annualized, not trailing twelve months (TTM), to make the ratio more responsive.

In our tech stock catalog, we calculate a historical simple valuation ratio (SVR) for over 160 disruptive tech stocks. This is based on the average SVR over the past four quarters and provides us with an objective valuation target. For CrowdStrike, the average SVR is around 24.7, while the current SVR today sits at around 23.3. So basically, they’re under our target.

However, we also have one other SVR-related rule. We won’t add to any stock where the SVR is three times our catalog average, which is currently 7.6. So, at an SVR of 23.3, CrowdStrike shares are above that broader cutoff rule of 22.8. Clear as mud? If you’re a Nanalyze Premium subscriber who wants more help understanding this seemingly convoluted rules-based system, just reply to any email we send with your questions.

CrowdStrike shares – seemingly priced to perfection – are within striking distance based on our objective methodology but not quite there yet. (If we do add shares, we’ll let you know in the Nanalyze Market Open email.) This creates quite the dilemma for investors who want to invest in CrowdStrike but understandably find it too richly priced. You could always relax your SVR threshold a bit, but then make sure you apply that change across the board. Don’t just make an exception for one company. Or you can move forward with the belief that it doesn’t matter what price you invest in a company because it won’t matter much in the long run. That’s what we said about NVIDIA a decade ago, but that hardly makes it the right approach. Rules are meant to be followed and objectivity always makes life easier.

But who says CrowdStrike is the only option? You can invest in Palo Alto which sports a more reasonable SVR of just 13, or any other of the cybersecurity companies out there. Or just buy the Global X Cybersecurity ETF (BUG) and enjoy the same exposure without all that stressful decision making.

We used to hold BUG, but then pivoted into CrowdStrike when the valuation finally settled below our target as we had been monitoring their AI-first approach since they hit a $1 billion valuation nearly a decade ago. We also believed that investing in an ETF is an easy way out (because it truly is), and that our subscribers would rather we took the more difficult path of trying to find a winner in a saturated domain.

We know there will be earthquakes, but we don’t know when they’ll happen. When the market corrects, or at the tiniest sign of bad news, volatility starts moving in the other direction faster than you can imagine. We’re in the midst of a bull market that’s persisted for 16 years if you ignore the ‘Rona blip. Today’s young investors have never felt real pain. Not jumping into stocks that are objectively overvalued is a prudent approach to take during a raging bull market. If you invest in volatile companies, make sure you have the stomach for it.

Conclusion

The nature of being a stock picker is that company-specific risk will humble even the highest of convictions. We like cybersecurity because it is not a “nice to have.” Of the publicly traded cybersecurity leaders out there, we find CrowdStrike’s growth and breadth to be the most compelling at an acceptable valuation. But when they stopped charting net retention rate over time, we became concerned, and this is amplified in the face of a scandal that may have seen some customers leave for large competitors like Microsoft. The biggest concern about CrowdStrike right now is they’re not providing the key SaaS metrics we need to assess the health of their business. And we kind of need those for CYA reasons.