CrowdStrike Holdings, Inc. (CRWD) Investor Briefing (Transcript)
CrowdStrike Holdings, Inc. (NASDAQ:CRWD) Investor Briefing April 4, 2023 4:00 PM ET
Company Participants
Maria Riley - VP, IR
George Kurtz - President, CEO and Co-Founder
Michael Sentonas - President
Cristian Rodriguez - Chief Technology Officer, Americas
Tim Parisi - Senior Director of Professional Services
Burt Podbere - CFO
Daniel Bernard - Chief Business Officer
Conference Call Participants
Saket Kalia - Barclays
Sterling Auty - MoffettNathanson
Joel Fishbein - Truist
John DiFucci - Guggenheim
Alex Henderson - Needham
Brian Essex - JP Morgan
Andrew Nowinski - Wells Fargo
Jonathan Ho - William Blair
Keith Bachman - BMO.
Patrick Colville - Scotiabank
Roger Boyd - UBS
Maria Riley
Welcome, everyone, and thank you for joining CrowdStrike Investor Briefing today. I am Maria Riley, Vice President of Investor Relations.
We have a great lineup and we hope you find this session informative. Today you will hear presentations from George Kurtz, our Co-Founder and CEO; Michael Sentonas, President; and Burt Podbere, our CFO. Then we will open up the session for Q&A.
All participants will be in listen-only mode until the Q&A session begins. [Operator Instructions].
Before we get started, let me remind you of our Safe Harbor and the risks associated with forward-looking statements. For additional information please see the risk factors in our SEC filings.
Additionally, unless otherwise stated, excluding revenue, all financial measures discussed in this presentation will be non-GAAP. Please refer to our disclosures on why we use non-GAAP financial measures and a reconciliation of these non-GAAP financial measures to their most directly comparable GAAP financial measures in the appendix of the presentation, which will be posted on our Investor Relations website shortly following conclusion of the webcast.
With that, I'll hand it over to George.
George Kurtz
Thank you, Maria, and thanks everyone for joining us today. We're going to discuss the evolution of Endpoint Security and how CrowdStrike has revolutionized modern security as we know it. You're also going to hear from Michael Sentonas for insights around key product areas and some brief product demos. And finally Burt is going to dive into our financial metrics and discuss how we plan to grow the company profitably and at scale.
So let's dive into it. I wanted to spend some time to talk about the modern XDR platform, and how CrowdStrike has really redefined what the modern XDR platform is all about. But before I do that, I wanted to take you through memory lane and just talk about how Endpoint has been viewed for many years, even to this day. If we think about the first antivirus product, it was actually created in 1987, signature-based focused on blocking malware. We still see legacy technologies using this approach today, whether it's Microsoft, Symantec, McAfee, Trellix, based on signatures. And we know that there's a difference between stopping breaches and stopping malware.
So when I started CrowdStrike, we first started with Endpoint detection and response and delivered that from the cloud, focused on stopping breaches using a lightweight agent, AI-powered prevention, a single console in our ThreatGraph. We added Next-Gen AV, again, leveraging AI. And in 2011 and 2012, these were really cutting edge technology, and advancements in security. And today, it's actually kind of funny to see people get a smile when they go into ChatGPT and ask it a question. We were leveraging AI before it was fashionable.
Fast forward to today we've got the modern XDR platform, which is really focused on taking data from our first party sources, combining it with third party sources, and again, leveraging the single agent architecture to stop breaches. The fact is, our technology is easy to use. It works, it saves money, it saves time and reduces complexity. So when we think about CrowdStrike redefining the modern security, we have to first recognize that legacy AV is a commodity. That signature-based protection is a commodity. Even rebranded signature-based protection is a commodity. But stopping breaches will never be a commodity. And that's what we're focused on at CrowdStrike, stopping the breach.
So let's talk about the Falcon platform. It evolved from one module to 23 focused on endpoint protection. Over the years, we've added identity protection, cloud workload protection, observability, security and IT Ops and more. And this really forms the foundation for modern XDR security, pioneered and defined by CrowdStrike.
Just to give you an idea of why the endpoint is the epicenter of the enterprise, it's because 80% of the most valuable security data collected comes from the endpoint. This is where productivity happens. This is where the attackers are actually focusing their efforts, whether it's a traditional endpoint like a laptop, or whether it's a workload that is running in the cloud.
So let's talk a little bit about the endpoint and how the adversary goes about their business. 90% of successful cybersecurity attacks and 70% of successful data breaches originate at the endpoint. This is why we say it's the tip of the spear for these breaches. And just to give you some more stats, 80% of attacks use compromised identities and 71% of attacks are now malware free. This is why a legacy signature-based approach is set up for failure. It's the reason why McAfee and Symantec were never able to make this jump, including Microsoft, into protecting and preventing breaches rather than identifying malware.
On the subject of Microsoft, 900-plus Microsoft vulnerabilities in 2022. And this is really a windfall for the adversary. This is where they're targeting these desktops, these servers, these cloud environments, because they're rich with vulnerabilities. And the challenge is actually being able to identify, prioritize, and protect against these vulnerabilities. Which again, CrowdStrike is focused on. And as I always like to say, the most valuable real estate in all of security is the Endpoint.
And if there's one takeaway from this talk it's to realize that your view of the Endpoint, thinking of it as just Endpoint protection is limited. I really want you to think outside the box of the Endpoint as a form factor that opens up all these additional adjacencies within the platform. When we think about the platform, not only is it focused on protecting endpoints and workloads, but we've added capabilities around observability and IT Ops and identity protection and cloud security and threat intelligence.
The Falcon platform has become the defining ecosystem of cybersecurity. We've made stopping breaches a team sport, where every type of partner that works through or alongside CrowdStrike helps customers win. Our thousands of partners help businesses of all sizes achieve superior outcomes. We're continuing to increase our partner focus to scale in every segment, particularly in the SMB space.
So let's talk a little bit about CrowdStrike versus Microsoft. Why does CrowdStrike work? Why are we different? Eight out of ten times when an enterprise customer tests CrowdStrike, they choose CrowdStrike over Microsoft, eight out of ten times? Well, why is that? There's a few problems with Microsoft that I've boiled down into the three C's, starting with coverage, complexity and catastrophe.
So let's talk about coverage. CrowdStrike relies on advanced AI without the use of signatures. This is one of the areas that we helped pioneer. Microsoft still relies on AV signature technology. In fact, it gets updated six or seven times a day with new signatures. This is the same failed model that McAfee and Symantec have been using for the past 25 years.
The second area is complexity. CrowdStrike has one console, one agent and a lower TCO Microsoft customers have up to nine consoles, multiple agents and a higher TCO. This level of complexity is going to drive up additional costs within the environment in managing, maintaining and certainly adding additional headcount to any Microsoft instance.
And the last area is catastrophe. Microsoft Windows represents 95% of the compromised endpoints CrowdStrike actually investigates and remediates during our incident response engagements, 95%. And further to that the IR team during an investigation of customers that have been breached, 75% of the time, is Defender that has been bypassed. So you can see this is a recipe for disaster, leveraging signature-based AV, which equals one thing and that's being breached.
So when we think about the legacy technologies that are in this environment, I talked about IDC. We're ranked number one at 17.7%. But what's important to realize is that other next-gen vendors in the top 10 have a combined 7.4% of market share. And the legacy vendors in the top 10 still have a 46.7% combined market share. So when I look at this, it just screams opportunity for CrowdStrike in the long tail of replacing many of these legacy vendors that still remain in the market today.
So where's our TAM today defined by IDC in terms of modern endpoint security markets, $20 billion, but again, endpoint opens up adjacencies into many other markets, things like FIM which were never considered endpoint are actually part of our overall offering because we can deliver it through the form factor that we call endpoint.
So as we think about this $20 billion to modern Endpoint Security TAM, when you add in all of the other areas that we cover, you can see how our TAM has grown from $20 billion of core endpoint protection to $98 billion when you combine all the other modules that we have. And in fact that will be then growing through organic TAM growth, our product roadmap, cloud opportunities and future initiatives to a whopping $158 billion potential TAM in CY26.
Before I hand it over to Mike, I want to leave you with a few points. Our single XDR agent underpins everything that we do, and is essential to understanding our business. You can think of our agent as a form factor that delivers security and non-security outcomes to our customers that go well beyond the traditional definition of endpoint security. So while we may periodically report on the success of individual modules or categories of modules, core, emerging cloud, etc., there really is no distinction between core emerging and cloud in the minds of our customer, because they're buying the Falcon platform and that's why we win.
So thank you for your time and we look forward to answering your questions at the end.
Michael Sentonas
Thanks, George. It's clear we are building a generational company with a generational platform to support our customers. Today, I'll be detailing what we believe makes CrowdStrike the most highly differentiated cybersecurity company in the market with a deep competitive moat and sustainable innovation across all foundational aspects of cybersecurity.
I'll cover how we protect identities with Falcon Identity Protection, safeguard the cloud with Falcon Cloud Security, and importantly, where we are taking CrowdStrike into the future with extended detection response or XDR as my friends in marketing like to call it. In each of these areas, I'll highlight what makes us different, and take you far beyond slides with hands on demos that demonstrate our unique capabilities.
So let's start with our platform. From the beginning, we had the foresight to build our platform on the most critical real estate in the enterprise, the endpoint. Today our unified agent elegantly delivers integrated capabilities across the endpoint, cloud and across identities. That single agent architecture is infinitely extensible to deliver new capabilities that removes the need for multiple point products and agents, which is just so incredible to all of our customers.
We use the same agent as the delivery system across the platform, including our foundational modules. EPP, which includes Falcon Prevent, Falcon Insight, Falcon Intelligence and Falcon Overwatch, our emerging and cloud modules, which include Falcon Identity Protection, Discover, Spotlight, Log Scale, and Falcon Cloud Security.
Now one of the key differences with CrowdStrike is how each module is deeply integrated with each other, and delivered as part of our unified platform. We like to call it our simple and elegant platform solution. So with our platform, you have one agent to deploy and manage, one console to use with deeply integrated intelligence, context and coordinated actions, not stitched together acquisitions, or crude licensing bundles, which is ultimately what leads to people having complexity and getting breached.
Our focus is, and always will be how we deliver a superior experience for our customers. And that drives down the cost and effort of stopping breaches. To achieve this, we created a fundamentally differentiated agent that delivers comprehensive coverage across all critical environments, including endpoint, cloud and identity, as well as precise detection, investigative context and response capabilities with over 1000 unique attributes collected, which is unique in the industry.
It can be easily deployed across hundreds or hundreds of thousands of agents in days, not weeks or months like other competitive solutions from other vendors. Our agent was architected from the ground up to deploy without requiring reboots, which can be operationally crippling in the cloud, or verticals like manufacturing, banking and finance. And finally, our agent cloud architecture ensures that every agent is always up to date with the latest protection. It doesn't require a massive tuning burden, and doesn't blue screen endpoints with failed updates, which happens a lot across the industry.
Our customers telling me, one of the most important things to me, that CrowdStrike simply just works, and we can rely on CrowdStrike every time. As part of this platform, we constantly strive to deliver better security value, simplicity of operations and economic value for our customers.
Let's turn to how we extended our unified agent into a completely new environment while still preserving its key differentiating attributes, protecting identities with Falcon Identity Protection. This is a unique offering that completely reshaped how organizations stopped modern attacks, which increasingly abused valid identities and credentials as their primary point of entry.
In the past, organizations were faced with an impossible choice when considering how to protect their Active Directory, neither needing to roll out yet another agent, creating crippling complexity and cost, roll out yet another point product on a server with more to deploy and operate, or worst yet, try to deploy an agent on a domain controller which could take months or years to deploy with all the required testing and change control.
This is one of the key differentiators here at CrowdStrike. We brought our unified agent and cloud architecture to identity protection. All customers need to do is simply turn it on. The agent is already there. And this is a foundational element this elegance has helped Falcon Identity Protection continue to rapidly scale now contributing over $100 million in ending ARR to the business as of the end of FY23.
Now before we see Identity Protection in action, let me set some foundation context. When talking with customers, they often ask me how CrowdStrike fits into their identity ecosystem. And I've talked about this with you all before. First you have to create an identity. So you create identities of the accounts you need to manage, and you do it in Microsoft Azure Active Directory, or a juror ID as an example. Then you need to manage those identities ensure the right user can access the right application with identity and access management tools like Okta, Ping, or Duo, all of which we have tight partnerships with.
But then the most important thing is you need to secure those identities. And to do that organizations turn to CrowdStrike. So lots of logins and accounts to various apps and sites, go to an identity provider like an IAM to manage, and then you turn to CrowdStrike for the security. So with that in mind, I'd like to bring in Christian Rodriguez, our newly appointed Chief Technology Officer for the Americas to run the demo. Let's see how identity protection works.
Cristian Rodriguez
Thanks, Mike. One of the major benefits of our Falcon Identity Protection module is that it's already integrated with Falcon, meaning if you have Falcon deployed on your domain controllers, instant visibility of your authentication activity is already there. Because of this, securing your Active Directory is a frictionless deployment model.
Let's start out with the overview dashboard, where we help IDP analysts gain instant visibility into both on premise and cloud-based Active Directory activity. This helps identify areas such as shadow administrators, stale accounts, shared credentials and other AD attack paths. More importantly, this highlights the riskiest identities for both user and service accounts given a combination of event triggers.
The triggers listed in this instance are categorized in a way to help reduce risk by monitoring authentication traffic in real time, and applying behavioral analysis for credential weakness, access deviations and password compromises with dynamic risk scores. In this example, an alert for a user with a risk score of 8.5 gives a Falcon IDP analyst a quick view into areas such as the users group membership, log on activity, authentication types and anomalous logon locations.
Let's take a closer look at their activity. Starting out with assets, administrators have visibility into all of the systems a user may have logged on to. Applications, as the name implies, includes a list of all web applications or on-premise applications that may have been accessed by this user. And finally, top destinations includes a list of network resources requested by this user over the past 90 days. By reviewing the activity log, administrators gain complete visibility into location information, login type, source and destination data including access via SSL VPN, and RDP across on-premise and cloud deployments.
With a robust integration ecosystem into third party tools, including orchestration and MFA providers, Falcon identity protection allows administrators to efficiently enforce conditional access MFA policies against a variety of systems, services and applications. One example of conditional access policies may include the use of MFA for remote desktop requests to systems considered critical to a business.
Another example may include the use of conditional access enforcement for file servers hosting sensitive data, or intellectual property. This use case can be applied to a standard policy for validating and tracking user access to company files, and identifying outliers within those types of access requests. For RPC calls, the same can apply where conditional access policies can limit who accesses what system via tools such as Microsoft MMC.
A common requirement for enterprises may include the use of tracking and re-authenticating users accessing specific applications and with Falcon identity protection, enterprises can define conditional access policies tied to those application types. MFA enforcement can then be applied via tools like Okta, Ping Identity and RADIUS.
Lastly, for non-Windows systems, Falcon identity protection can still enforce a conditional access policy using our unique ability to analyze authentications in real time, even if Falcon is not installed in the system in question.
With 80% of attacks being attributed to compromised credentials, Falcon Identity Protection is built for hyper accurate detection of identity based threats, in addition to adaptive authentication mechanisms. I'll hand it back to you, Mike.
Michael Sentonas
Incredible, absolutely incredible. Now you can see the simplicity and elegance of our unified agent, delivering a highly differentiated security capability by leveraging the foundational elements of the CrowdStrike Falcon platform in harmony with a fully integrated technology from the preempt acquisition.
Now let's turn from identity to the cloud. Just like attackers are compromising identities to breach organization, we know and we've seen in our engagements that cloud attacks have skyrocketed, and that's not going to slow down. Based on our unique visibility into the threat landscape and the ground truth from incident response engagements, we reported in the CrowdStrike Global Threat Report, a 95% increase in cloud exploitation.
We also have observed how adversaries are moving between the endpoint in the cloud starting on one and moving to the other. So from cloud to endpoint, but importantly, from endpoint to cloud as part of a coordinated attack. Meaning if your endpoint and your cloud security solutions aren't working together, your organization is wide open for a breach. To solve this growing problem we released Falcon Cloud Security, a fully integrated agent and agentless cloud protection solution that the industry typically calls cloud native application protection platforms, or CNAPP for sure.
In typical fashion, we started with the hardest problem first, stopping breaches in the cloud by extending our agents to workloads to containers and server-less applications with cloud workload protection platforms, or CWPP. You can think about this as securing the runtime environment. Runtime protection is how you stop an active breach in the cloud, just as we do on a corporate endpoint as an example. You have to be on the device or on the workload to find and stop the attack. Otherwise, at best, you're detecting a breach with no ability to do anything about it. And you typically detect that issue very slow.
The hardest part and one most vendors actually fail out is building an agent that is easy to deploy, easy to manage, and doesn't require a reboot, without introducing significant complexity into an environment. Without these key values you can't build it into your DevOps or DevSecOps processes. And we took over a decade of work building the world's best agent and brought it to the cloud.
Now from there, we extended our platforms with native agentless capabilities to solve essentially for human error. That's where cloud security posture management and Cloud Identity entitlement management capability come in to safeguard against misconfiguration accidental exposure, and other human errors such as default admin passwords, over permissive entitlements as an example.
An agentless cloud security solution is absolutely critical to fully protect your cloud environment. With only an agentless approach every one has access to the same API making standalone agentless vendors, essentially a commodity to incredibly easily rip out and replace. Organizations need the tight native integration of an agent and an agentless solution that spans runtime to CSPM, CIEM, to stop breaches from both adversaries and human error.
Our unique agent and agentless approach has been validated by customers that get benefit from this architecture everyday inside their organization. But it's also been validated by vendors that try and fail to match this architecture by forming loose partnerships. They serve to do one thing, and that's to add multiple products and complexity into their end user environment, which always result in missed attacks, and slow threat detection and response. So let's see this in action.
Cristian Rodriguez
Thanks again, Mike. We do have really great options for our customers cloud security requirements, including both an agent and agentless configuration. And to your point, we did start with the difficult part. And that's basically with Falcon running within a cloud workload for optimal protection. By creating a container version of the sensor this agent-based option for cloud workload protection gives you full visibility across process data tied to detection and prevention events.
The detection view that most CrowdStrike admins are familiar with, represents malicious activity within the container. One major difference is the included workload embedded data in the detection event itself. For example, worker node and container ID information are present. Getting deeper into detection events also yields valuable cloud data for efficient correlation to the cloud environment this system is tied to. This also includes CSPM data which we will revisit later.
For the sake of this demo, let's investigate this container in our container view. The detection container view gives you visibility against advanced threats we protect against. With this view, analysts have a much deeper look into the actual image of the container, in addition to the actual configurations across the cloud environment it sits in. This may also include vulnerabilities tied to the image.
Let's take a quick look. Analysts need a quick way to understand which images are impacted by the most severe vulnerabilities. And by drilling into these alerts analysts are presented with a full breakdown of the vulnerabilities driven by CrowdStrike proprietary adversary first expert AI system. To get a larger view into impact analysis, analysts also have access to a full packages view. This view allows admins using registry connections to get a full assessment on images and repositories with the respective vulnerability data if found.
The beauty of the Cloud Overview dashboard allows an administrator to see a fully consolidated view of not only the images that we detected and the respective vulnerabilities, but also the detections themselves, and also IOM policies, which we'll cover in the next CSPM module. So Mike, in contrast to what we've just seen, where Falcon can run as a container service, real runtime protection, in addition to image assessments with registry connections. We also do a full cloud security posture management assessment of your cloud assets across multiple cloud security and solution providers.
So in events where an organization may have access to AWS, Azure, or GCP, or a combination thereof, it's very important to get a full view into all of those assets, in addition to understanding configurations or misconfigurations across those services that are within those cloud providers.
In this next section, we're going to cover a little more on how administrators can easily get access to those configurations, the services that are running within these cloud services, and ultimately, how to quickly remediate against those threats that could ultimately take advantage of those misconfigurations in these cloud environments.
Let's take a deeper look. Most cloud providers have a plethora of services that enterprises take advantage of. With CrowdStrike cloud asset view, admins get a full breakdown of each service and their respective asset IDs with asset detailed data. This gives full visibility into services that may be considered orphaned, unauthorized, underutilized, but more importantly misconfigured. And we do that via a series of CrowdStrike indicators of misconfiguration, or what we call IOM [ph].
Let's take a deeper look at an asset ID. Interacting with an asset allows an analyst to graph the relationships of services and asset properties across an interactive map. This helps in understanding service and configuration associations between compute instances in this example, but also gives analysts a workflow and understanding the classifications of a misconfiguration.
We can see here that a global ingress configuration setting is being flagged for further review. But an analyst may also want to assess where else this misconfiguration is present. The results of this expanded query gives an analyst a full view into every instance that meets this misconfiguration or IOM, in addition to an understanding on where the runtime iteration of Falcon is actively running.
We classify these systems with a managed or unmanaged label. Many of these indicators of misconfiguration are tied to CIS benchmarks, PCI benchmarks and NIST. And with a direct tie into Falcon analysts can pivot directly into the detection UI for active runtime detections. These are just a few features in our cloud native application protection platform.
Mike I hand it back to you.
Michael Sentonas
Beyond cloud, we are also extending our platform with other agentless capabilities, including one I'm incredibly excited to be talking about today, Falcon Surface, our attack surface management module. As part of our focus on simplicity, and workflow elegance, we rapidly integrated our recent acquisition of Reposify into the Falcon platform, which has been incredibly well received by all of our customers.
We bought Reposify, to give our customers an outside in view of their enterprise, letting them see their organization, from an attackers point of view to understand their points of weakness and vulnerability. It's an easy and effective way to get even more visibility that can immediately be turned into action.
So let's see how we take a company's domain and quickly turn it into an actionable way to reduce business risk with Falcon Surface.
Cristian Rodriguez
Falcon Surface gives enterprises this real time view into the risk that's associated with their attack surface outside of their managed network. Consider assets like a neglected Dev Server, or maybe a subsidiary's misconfigured and expose sensitive database or an orphan cloud instance. Another example could be Cloud Services or CMS systems. Or maybe there was a misconfiguration on your firewall or router, which ultimately exposed the system to the internet.
Enterprises using Falcon Surface are provided with the discovery path to help them easily understand why the asset is associated with the organization and the logic behind it. This may include a full breakdown of subsidiary connections and associations, which otherwise could take months to map out manually. Many times these assets are orphaned or undermanaged when it comes to areas such as patching or major OS updates, which will ultimately lead to a larger likelihood of these systems being targeted by adversaries, given how easy they are to exploit.
Without having to know all of your domains CrowdStrike Surface automatically streamlines asset identification by giving enterprises a sorted inventory by platform type, exposed service type and vulnerability type using this proprietary internet scanning algorithm. Asset information includes a fingerprint of each system, which details data points, such as the operating system, the services that are running on that system and of course, the respective versions.
Let's take a look at this company subsidiary which currently holds a grade of F for security posture. Security and vulnerability analysts will have quick access to a list of services and the respective assets they belong to, with varying levels of risk severities defined. This helps prioritize a response to the systems imposing the most risk at any given moment. And the details of each service not only includes their risk rating, but also the respective CBE, CVSS [ph] scores and types. But more importantly, the proper remediation steps required to reduce the risk of the system in question, which allows defenders to see their exposure before adversaries do.
With a plethora of filtering options at your fingertips analysts have an easy way to prioritize and monitor risk and measure the impact of subsidiary posture across brands and locations in an automated way. And with a variety of integration options alerting can be done natively via email or via integrations with the likes of Slack, JIRA, and ServiceNow.
Michael Sentonas
Kudos to the team who rapidly integrated Reposify into our platform. It's a testament to the platform's extensibility. And our commitment to keep pushing to the boundaries of security innovation. We've talked a lot about today. So let's look into tomorrow. Part of what has made CrowdStrike unique from the beginning is that we've never shied away from solving the hard problems for our customers.
We anchor our strategy on what makes the biggest impact for their security posture and gives them the best outcome. And that's how we've been approaching XDR. As our friend Allie Mellen at Forrester says, "Good XDR lives and dies by the foundation of a good EDR." And we believe we have the best EDR in the world. We've taken the foundational security and operational outcomes from pioneering the EDR category and brought them to every attack surface across the enterprise. And it's all delivered from the agent at its core.
That future is here with our customers today with how they are using our modern XDR platform to see more across every attack surface, giving them the ability to investigate faster by focusing on a unified analyst experience and respond conclusively across CrowdStrike as well as third party products. It's actually the dream of every SOC [ph] team collapse these endless consoles and tools into one. And here at CrowdStrike we're delivering it from the strongest foundation possible, a unified agent with the richest deepest EDR telemetry. And now with data at the heart of XDR. Falcon LogScale is part of our customers' XDR journey, offering them a modern log management system to collect everything, query all of it in seconds, and keep it forever at an economical cost.
So let's explore where we are today with our modern XDR platform
Cristian Rodriguez
CrowdStrike's extended detection and response capabilities go way beyond the endpoint using integrations with vendors such as Okta, which allow analysts ingest single sign on logs, and trigger Okta response workflows, such as resetting authentication factors. And other integration may be tied to messaging services like Slack, which allows security teams to centralize alerts and deploy customized workflows. And for the vast number of partners leveraging web hooks CrowdStrike XDR allows automated workflow customization with a simple web hook integration interface.
CrowdStrike's XDR platform allows administrators and elastic collect data from previously siloed security tools across an organization's technology stack for easier and faster investigation. The platform allows responders and analysts to collect security telemetry from not only Falcon, but also cloud workloads and network tools and services such as email gateways, web proxy, CAD-B [ph], and NDRs.
For today's demo, we're highlighting an integration workflow with the likes of Corelight Falcon, Falcon Identity, Zscaler and Mimecast email security. By streamlining views such as impacted hosts, analysts and threat hunters can focus on high priority threats and responses. A good example of that would be containing multiple systems to isolate a threat or prevent lateral movement. In this example, response actions can be focused on the identity of the user in question.
This includes adding the user to a restricted group within Zscalar's web enforcement policy, or adding the user to a watch list for further analysis within CrowdStrike Identity Protection module. And with seamless integration into single sign on vendors like Okta, options may include forcing a password reset for the next time that user attempts to authenticate. And with our ever growing ecosystem of partner integrations, additional telemetry enrichment is natively presented within an incident with vendors such as OPSWAT, and Virustotal.
One of the main benefits of our XDR platform lies within the threat context and telemetry correlation for fast and efficient root cause analysis. Easy to digest indicator views guide an analyst through an entire investigation and remediation process. This includes giving visibility across multiple detection tool layers, and analysts may want to understand the context behind a spearfishing attachment by reviewing the data from their respective email gateway.
More importantly, if there's any correlation of activity tied to that user, a CrowdStrike identity policy trigger can bring more awareness into potential credential abuse. A responder may also need to explore a timeline perspective of these events, which will quickly provide a chronological representation of each event from each disparate log source correlated any logical root cause analysis view.
And finally, analysts have the option for a graphical representation of an incident. Using graph technology responders now have cross domain attack path views via an interactive map of the entities involved in the XDR event. This allows analysts to quickly streamline triage approaches by investigating all facets of an attack. This may include pulling additional contextual data like parent processes or additional relevant indicators to the investigation.
Using Falcon Fusion CrowdStrike's native orchestration tool responders also have the ability to automate complex workflows in an effort to speed up incident triaging. Workflow options are vast. With our growing ecosystem of partner tools Falcon Fusion seamlessly integrates into partner applications to enrich notifications, detections and active response logic. And with Falcon LogScale as the underlying data repository analysts have access to a feature rich query language for complex queries across large datasets in lightning fast speed.
That's the future of cybersecurity. Best of all, that is here today. Now to round this out, let's end where we started. Customers choose CrowdStrike because we stop breaches. We're easy to deploy, easy to manage and deliver significantly better economic outcomes. And we're incredibly proud to have been recognized directly by our customers as being number one in APP and EDR across leading independent customer review sites, including G2, Peer Spot, and TrustRadius.
We've been recognized by leading third party testing firms such as MITRE, where we achieved the highest detection coverage out of all vendors tested in the MITRE attack, managed services evaluations. We've been recognized by SE labs, where we achieved 100% ransomware prevention, which is incredible. These are only a few accolades our platform has achieved, but they're incredibly important ones to me. The reason for that is they represent the voice of our customer.
To bring our values to life I want to take you through a few stories of why CrowdStrike replaced Microsoft Defender. As you heard from George, trusting Microsoft for your security leaves you with compromise, complexity, and in many cases catastrophe. So let's dig into why to customers switch from Microsoft to CrowdStrike as their cybersecurity partner.
Let's start with how we provide superior security. A large school district moved from Microsoft Defender due to its inability to detect, let alone stop a large scale malware attack across the district. In this case, Defender was fully up to date. The attack resulted in thousands of lost productivity hours as the school reimaged almost 6,000 machines, grinding productivity and student activities to an absolute hole.
Not only this, but Microsoft produced ten times the amount of noisy detections that further burdened their overwhelmed security team with false positives. With CrowdStrike, we replaced Defender districtwide to immediate prevention, and cut their triage time from 20 minutes per detection to less than five. And we are incredibly proud to have given this customer confidence and peace of mind when they need it, giving them the hours of time back so they can avoid catastrophe.
Our next Microsoft replacement focuses on a U.S. state with multiple agencies that upgraded over 60,000 agents from Microsoft Defender to CrowdStrike. This customer had dozens of operating system editions and operating system versions, including about 30% of their estate, running versions that were out of support or outdated. What does this mean? It means that they couldn't even get the latest protections.
Since Microsoft Defender is bound to the operating system, it requires the latest version with the right support and licensing for consistent protection. And what we hear from customers is that it takes more time figuring out Microsoft licensing, and dealing with constant operating system updates than actually spending time protecting their organization.
How does that differ with CrowdStrike?? With CrowdStrike, the customer was able to deploy consistent, best-in-class protection across their entire estate that was always up to date, and worked regardless of operating system version. We delivered this through our unified agent, which means we cut complexity while giving them better security. And the customer was able to save $6.4 million over three years by avoiding the hidden costs of Microsoft Defender, including the operational complexity of upgrading their operating systems, licensing support, and the right versions and dealing with the potential of a breach.
We heard George talk about how we went against Microsoft. To close out the three C's of Microsoft, let me bring in and introduce Tim Parisi, Senior Director of Professional Services at CrowdStrike to share an incredibly compelling story about a former Microsoft customer that brought in CrowdStrike services to remediate an incident.
This global services firm used Microsoft Defender, but its lack of coverage and overall complexity ultimately led to a breach.
Welcome, Tim. Why don't you give us a quick background on yourself and your role here at CrowdStrike?
Tim Parisi
Absolutely, Mike. I've been at CrowdStrike for six years. I have over 15 years of experience leading incident response investigations for companies who fell victim to state sponsored or e-crime attacks, many of which have made the headlines. As part of these investigations, my team and I helped organizations during their toughest times to contain the threat and identify the who, what, when and how the breach?
Michael Sentonas
Well, we're lucky to have you in the team here at CrowdStrike. Our customers get incredible value from what you all do every day. I want to jump into a case study and ask a couple of questions if I can. And I think I'd like start at the top. You see this every day. You understand this better than everybody.
Customer environments can be incredibly complex. There's different operating systems, there's legacy technology. I'd love to hear your perspective on why comprehensive coverage is just so important to alerting and why it's so important to being able to stop adversaries. And why in this example here, lack of coverage led to this breach.
Tim Parisi
Sure. Well, in this case, the customer was using a managed detection and response or MDR provider for short, to perform an investigation of activity shown by the Microsoft Defender console. In this particular case, the alerts from Defender for endpoints and identity were not unified. And they didn't provide actionable information for the MDR provider to understand what was happening. So as a result, they failed to thoroughly investigate and even escalate security alerts. And in an incident response situation, comprehensive coverage of those tooling and alerts across the environment is critical. Otherwise, you get detection gaps like we saw here.
Michael Sentonas
So this customer used Microsoft Defender for endpoint and Microsoft Defender for Identity, but they still missed the attack. So why is that given they used both?
Tim Parisi
Yeah, you know, in a breach situation, every second counts, as we say and complexity is the enemy of speed. So in this case, Microsoft Defender for identity alerts were actually in a separate area of the Defender suite. And none of the alerts were linked to Defender for identity. So none of that EDR data was correlating nicely with identity. And it just created mass confusion for the client and for the MDR, unfortunately.
Michael Sentonas
So you talked about alerts, let's just touch on that a little bit. Is it common for a company of this size to have upwards of hundreds of alerts a day? How do they deal with that?
Tim Parisi
Yeah, so a company of this particular case, I classify as a medium to large size organization. Typically what we run into on the front lines, you're seeing companies encounter hundreds, if not thousands of alerts, and they're very security tuning consoles. And it ultimately results in what we call alert fatigue. And these organizations ignore alerts that shouldn't be ignored and miss alerts that really shouldn't be missed, just within all that noise. And so, unfortunately, that's what we saw here.
Michael Sentonas
All right. So let's really get to the crux of the issue here. How do we help the new organization ultimately remediate the breach? And how did we protect the customer? And talk a little bit about, really what we did as part of this engagement?
Tim Parisi
Yeah, well, we started by using security tooling that sets us and the customer up for success. And that's the Falcon platform. This customer had deployed Falcon to roughly 7,000 systems in 36 hours and with our unified sensor at both insight XDR and Identity Threat Protection modules enabled via one agents pulling unified data into one console. This allowed our incident responders to execute a rapid response plan containing and eradicating the adversary within hours while not disrupting business operations.
Inside XDR allowed us to investigate and remediate the endpoints while Identity Threat Protection allowed for seamless visibility and easy controls into Active Directory. So correlating this detection data from Falcon, we leveraged our threat Intel team, and we quickly identified the adversary was a state sponsored group from China. They placed multiple web shells on servers running Microsoft's Internet Information Services for environment persistence. They use what we refer to as living off the land techniques, which means using native Microsoft tools to carry out the attack while staying under the radar.
So in this case, the adversary used native tools such as MS Build to invoke malware to compromise endpoints running the Windows operating system, all while not alerting Microsoft Defender. They were even able to steal all Active Directory accounts and corresponding password hashes despite using Microsoft defender for identity. And when the dust settled, our team found the adversary had remained in the environment for approximately one year, which is disappointing given the investment this customer made in the best of suite Microsoft security. But at the end of the day, I'm glad we're able to clean up the mess and help the customer evict the adversary.
Michael Sentonas
Thanks, Tim. A great example of how catastrophic a breach can be. And a powerful example of the efficacy of the Falcon platform, as well as the value that our professional services group can provide to our customers in these worst case scenarios and in their time of need. Today, we've been able to highlight the unique and differentiating innovations of the Falcon platform across Falcon Identity Protection, Falcon Cloud Security, Falcon surface and XDR. This is only a glimpse of the sustainable innovation the team is driving every single day here at CrowdStrike. But I felt it was important to carve out our time, and show you what our customers experience and why they trust CrowdStrike with their cybersecurity requirements.
We're proud to be building the world's best modern XDR platform with the agent as a delivery system for new modules. And at the end of the day, here is what matters. We deliver better security that's easier to manage, it's easier to operate with much better return on investment. That's why CrowdStrike continues to grow. It's why we are continuing to take share. And I'm incredibly excited to share more with all of you in the future.
So thank you for me. Thank you for all of your attention today and your engagement. I look forward to your questions at the end. And with that, I'd now like to introduce Burt Podbere, our Chief Financial Officer
Burt Podbere
Thank you, Mike. And thank you everyone for joining us today. First, let's set the stage with what we achieved to date. It has been another year of milestones for CrowdStrike, setting new records in multiple areas even as the macro environment changed. This year, we added $828 million of net new air our growing ending air are 48% to reach $2.56 billion, marking another year of incredible growth at an ever growing scale for CrowdStrike.
We delivered another record year for net new logos with over 6,600 net new subscription customers, bringing our total reported customers served to over 23,000. We also continue to achieve strong unit economics and drive increased leverage.
Non-GAAP subscription gross margin of 78% remained within our target model. Even as we invested for future growth and brought new capabilities into the platform. We grew operating margin by 235 basis points, delivering 15.9% operating margin for the year. We also delivered at least 30% free cash flow margin for the third consecutive year. And for fiscal year 2023 we achieved the rule of 85 on a free cash flow basis.
Taking a longer review of our growth trajectory to date, you can see sustained high growth at scale, as reflected in our five year CAGRs, which are around 80% for ending ARR and total revenue with subscription revenue at 87%. We continue to see strong growth in both domestic and international markets, with a long runway to continue gaining customers, expanding adoption of the Falcon platform and growing our market share.
Our professional services revenue contributed 6% of our total FY23 revenue and continued to grow nicely. Looking deeper into the strategic nature of our professional service group, it continues to drive new platform or subscription business. Among organizations who first become a customer after February 1, 2021, for each dollar spent by those customers on their initial engagement for our incident response or proactive services, as of January 31, 2023 we derived an average of $6.07 in ARR from those subscription contracts up from $5.71 and $5.51 in the previously reported years.
This small but highly strategic portion of our business has been extremely successful, not only by itself, but in driving software platform cross sell opportunities for us. As we discussed on our earnings call, we remain steadfast in our vision to grow ending ARR to $5 billion or more by the end of fiscal year 2026, even as we expect to continue encountering macro environment headwinds in the near term, including a 10% year-over-year headwind to net new ARR in the first half of this fiscal year.
Despite these near term factors, we see an achievable path to reaching $5 billion or more in ending ARR by the end of FY26. Let's take a closer look. You all know I prefer to illustrate things as simply as possible. In that vein for illustrative purposes, I would like to show you the minimum net new ARR required to get us there. In FY23, we added $828 million in net new ARR, bringing the ending ARR to more than $2.5 billion.
While I'm not providing explicit guidance on how exactly we expect to get to $5 billion, and I'm not even suggesting this would be a likely scenario, building on that strong foundation if we just repeat what we did in FY23, and add $828 million in net new ARR in each of the next three fiscal years, we would end FY26 with $5 billion or more in ending ARR.
Now let me reiterate that I'm not suggesting or guiding that net new ARR will remain at $828 million for the next three years. As we discussed on our earnings call, our assumptions to have FY24 and net new ARR assumption of roughly in line to very modestly up year-over-year with consistent macro impacts that we saw in the back half of FY23. Beyond FY24 we assume net new ARR to return to year-over-year growth assuming macro conditions remain consistent.
Now let's take this illustration one step further and take a peek at the minimum dollar base net retention rate required in each of these years. If all we did was deliver $828 million in net new ARR for each of them. Last year, a little over half of net new ARR was derived from expansion. If we play that forward and assume a consistent ratio of new versus expansion business the next three years that would mean we would only need to have a net retention rate of 117% in FY24, a 113% in FY25, and 110% in FY26.
In FY24, we expect to achieve $1 based net retention rate at or above our 120% benchmark. So take the numbers you see on this slide as they are intended, a simple illustration of the minimum required. Our best-in-class gross retention rate, strong dollar based expansion rate, growing customer base, and our meaningful technology differentiation give us confidence in our ability to reach our vision and profitably grow this company to $5 billion in ARR and beyond.
Now let's dive into some of our growth dynamics that are helping us drive towards these ARR milestones. Our growth drivers have not fundamentally changed, but we continue to thoughtfully and strategically invest in them as we execute on our strategic initiatives, and transform the security industry.
We intend to continue to take market share by landing customers at a rapid pace across all facets of the business market, capitalize on our increased momentum with partners, expand our wallet share by driving module adoption, with new and existing customers alike, entering into new adjacencies and maintaining our strong retention rates.
We expect to continue driving success in the enterprise by landing and expanding within large enterprises. At the same time, we expect to grow our market presence among smaller companies. I'll take you through some updated metrics that demonstrate how we're you're doing all of these things. While we don't manage the business to specific net new logo targets, we are continuing to win customers at a rapid pace. Our win rates remain high, and we believe that we are clearly gaining share.
We've made phenomenal progress in our net new logo acquisition with subscription customers growing 41% to reach 23,019 total customers in FY23. This does not include the end customers that are served through our MSSP channel, which we estimate are over 18,000 and counting. We believe we have only scratched the surface in terms of number of companies that are out there. While we have achieved tremendous success to date, there are many more customers to win globally in the enterprise, midmarket and SMB.
Let's take a look at the growth of the minimum spend required among our top accounts. The minimum ARR to make it to our top 25 is now $7.2 million, a 57% increase over the prior year and 7x over five years ago. $2.9 million is required to be a top 100 customer, a 32% increase over the prior year and 10x over five years ago, and to be a top 400 customer a minimum of $1.1 million, a 42% increase over last year, and a significant increase over just $60,000 in FY18. Let's take a moment to let that sink in.
Just five years ago, we only had 400 customers with greater than $60,000 in ARR. Now a customer needs to spend more than $1 million to be considered a top 400 customer. I believe this is just one trend that demonstrates the immense success of the Falcon platform. Our ability to not only rapidly innovate and expand the definition of endpoint security, but also drive adoption and deliver real value to customers.
But the enterprise isn't by any means our only focus or our only area of success. We are driving growth across the market as well. Demonstrating our progress in FY23, the number of customers with more than $1 million in ARR stood at 436, a five year CAGR of 71% and 44% growth from last year. The number of customers with ARR between $100,000 and $1 million stood at 3,553, a five year CAGR of 68% and 43% growth from last year. And finally, smaller accounts with ARR below $100,000 stood at 19,030 representing the bulk of our subscription customer base, with a five year CAGR of 82% and 41% growth from last year showing that we are seeing strong growth across the spectrum of customer accounts.
And as we move to an ending ARR view of those same groups you can see exceptional growth across all categories. You can also more clearly see the dynamic we have discussed a number of times, where we see the bulk of new logo acquisition coming from the lower end of the market, whereas the bulk of ARR dollars is derived from the higher end of the market.
Regardless, we see strong growth across all three categories, with the greater than $1 million ARR category growing 57% year-over-year, with a five year CAGR of 87%, the $100,000 to $1 million category growing 43% year-over-year, with a five year CAGR of 71%. And the less than $100,000 ARR category growing 37% year-over-year, with a five year CAGR of 79%.
Module adoption is another area where our trends continue to be exceptional, showing that customers are adopting more of the platform than ever. Just as we are winning new logos and driving increased ARR across all segments we are also driving module adoption across the market. Customers across every group have increased the average number of modules that they are using, which is reflected in the increase of our percent of module adoption stats that we speak to every quarter.
Increased module adoption, regardless of the customer size demonstrates the applicability of the platform across the market. We also continue landing new customers with more modules. The average module count of a new customer has increased from 4.7 modules last year to 4.8 this year, and this has grown 118% over the last five years. We see this dynamic increasing for a number of reasons, including as our brand recognition grows, customers are increasingly likely to embrace the platform more fully in the initial land, especially as customers look to consolidate vendors, streamline operations and reduce headcount.
Second, we are providing compelling value to customers, as we expand the platform to cover new adjacencies and non-security use cases. This goes back to the power of the platform as customers can run more and more of their processes through Falcon and build a virtuous cycle as they only get more visibility and value out of their data. And you can see that our metrics on customers adopting five, six and seven or more modules have been on a steady march upward quarter-after-quarter. This demonstrates clear buy in on the platform strategy by customers as we redefine endpoint security and solve more and more use cases with our single agent platform.
Another area where we see a lot of opportunity for growth is with our emerging group. Modules in this group were once considered adjacencies. But as George and Mike discussed with our unique XDR agent as the delivery system, we have made them deeply integrated critical capabilities accessible on the Falcon platform. This group currently includes our discover spotlight, identity and log management, which are all meaningful contributors. Ending ARR for modules for this group grew 116% to $339 million in ending ARR in FY23, and over 4,500 Customers have adopted two or more of these modules.
In order to address the growing problem of identity-based attacks we think every organization should add identity threat protection to their arsenal to fight cyber adversaries. In FY23, our identity modules grew to become the largest contributor to ARR within the emerging group category, with over $100 million of ending ARR and largescale posted over 200%, ending ARR growth. Our success to date in these areas demonstrate that Falcon is a true extensible cloud platform, with significant growth opportunities in front of us as we add new capabilities to the platform and continue to redefine the very essence of integrated security.
We believe this truly differentiates us from any other competitor in the market today, provides a wide competitive moat and drives customer retention. Given the rapid evolution of the threat landscape it's important for customers to have a platform that can dynamically address new threat vectors, such as public cloud environments, new and growing threat vectors represent new growth opportunities for the Falcon platform. For example, ending ARR from deployments of Falcon in the public cloud grew 111% year-over-year, surpassing the $200 million milestone. Recall that this represents a deployment view and refers to any module deployed in the public cloud.
Today we have over 7,000 customers who have deployed Falcon in a public cloud environment. That represents nearly a third of our customer base at the end of FY23. And while we view that as a great start, we think there's a lot of headroom within these accounts, within the rest of the CrowdStrike, customer base, and of course with new logos. I'd also like to note that the landing dynamics in the cloud generally start with smaller initial deployments and offer larger workload expansion opportunities, which is very different from what we see in traditional endpoint, where we are generally deployed wall to wall out of the gate.
As you heard George discussed earlier, our partner ecosystem is a critical part of our go-to-market motion across all segments of the market, and a significant area of investment and growth for CrowdStrike. In FY23, we saw our partner sourced ARR increase year-over-year by more than 50%. To illustrate how partnerships can act as a force multiplier for our and our partners' growth, I'll dive into a brief example of a partner case study.
The partner in this example is a major IT services provider with deep roots in storage, compute, data center and networking. They produce approximately $15 billion in revenue with 1000s of global customers. Many of the world's largest organizations turn to this partner for key technology strategy projects. In just the last 18 months, they've closed more than $200 million worth of CrowdStrike Falcon deals.
In only a short time together, we built a scaled global practice focusing on legacy AV replacement, XDR projects driving vendor consolidation, identity and cloud security and logs, you know projects. Together, we're bringing the Falcon platform and capabilities to both new accounts and existing customers.
While we're still in the early innings of this partnership. Our work together exemplifies CrowdStrike's leadership, and shows why our partner focus go to market creates a win-win-win, where customers win, partners win and CrowdStrike wins.
Moving to our dollar based net retention rate, we remained above our benchmark throughout FY23, which further demonstrates the success of our land and expand strategy, especially in light of our growing scale. Similarly, our gross retention rate remained best in class throughout FY23, exiting the year at 98.0%. We've seen meaningful contributions to DBNR from both the expansion of the number of centers as customers increase Falcon's footprint across their environment, and from cross selling as customers purchase additional modules.
In FY23, we once again saw close to a 5050 split between expansion and module cross sell, similar to the prior year. Now let's dive into the significant runway for growth available to us within our existing customer base and existing modules. Looking at this from a whitespace perspective, the question is what does our total addressable market look like within our own customer base? In FY22, we achieved $1.7 billion in ending ARR, with a healthy net retention rate, as our upsell and cross selling motions are very mature.
Expanding on that cohort, if our FY22 customers adopted the entire platform that was available to them at the time with the same number of endpoints and consistent ASPs, the platform opportunity would be equal to more than four times FY22, ending ARR for an $8.7 billion combined opportunity showing a significant runway to add net new air are from within our existing accounts.
Using the same methodology for FY23, the incremental FY23 platform opportunity of the customer base is that approximately $9.6 billion for a combined $12.2 billion opportunity, approximately 3.7 times our FY23, ending ARR and approximately 37% growth in opportunity from the prior year. And looking one layer deeper, the whitespace opportunity is roughly split between three categories. First, faster growing modules, including seen CNAPP Identity and LogScale. Second managed services. And third, all other modules on the modern XDR Falcon platform.
While we don't assume that every customer will adopt the full Falcon platform, the magnitude of expansion in the total opportunity speaks to the extent to which we are increasing the value we can provide to our customers and the rate at which we are expanding the capabilities of the platform. So far I have focused on growth, but as our efficiency and profitability metrics reflect, we are not a growth at all cost company or management team. We have made incredible progress on our march to our target model and still have incredible leverage to realize.
Let's take a look at gross margin. One of the core benefits of the immense differentiation we have in the Falcon platform is a very strong and defensible stance with regard to ISPs. So when we think about quarter-to-quarter fluctuation in gross margin, it is not so much about pricing. It's more about enhancements on the optimization of infrastructure, or incremental new data that we are collecting or integration of newly acquired technologies.
We've been doing a lot of investing in our own infrastructure. And in Q1, we're expecting to see up to one percentage point incremental increase in our subscription, gross margin, as some of the fruits of our labor are going to pay off. On the COGs side of the house the drivers are continued public cloud and data center workload optimization, public cloud cost optimization, as we scale and ongoing integration of redundant infrastructure associated with the acquisition of LogScale.
We've been investing for years in our private cloud. And we've made some great strides there. And over time, we look forward to being able to get to the top end of our long term range because of those investments that we're making today. We believe it's not all going to come at once, but it will come over time.
We have seen a steady progression in operating margin expansion, ending the fiscal year at approximately 16%. On a dollar basis, our non-GAAP operating profit grew more than 80% in FY23 as we recognized the benefits of the significant leverage in our model.
I'm incredibly pleased with our margin performance, especially in combination with our scale, continued investment in innovation, and the aggressive hiring plan that we executed in FY23, in which we grew the size of our team by 46%, year-over-year. The net effect of this is the incredible amount of cash that the business model delivers. We have grown from $12 million of free cash flow in FY20, the year of our IPO, to well over $600 million in free cash flow at 30% of revenue in FY23.
We believe that we have a model capable of delivering durable free cash flow margin of at least 30% FY20 was our first year to generate positive free cash flow with our margin for that year at 3%. In each of the three years since then, we have delivered 30% or greater free cash flow margin. While we expect there to be seasonality in free cash flow on a quarter to quarter basis one of our key targets in managing the business is to deliver at least 30% free cash flow for the year.
The top line, increased gross margin, operating efficiencies and increased interest yields are positive drivers to free cash flow margin. These can be offset by duration, such as when multi year lands renew with shorter terms, flexible payment terms as we partner with our customers, and increase CapEx and cash outlays for taxes. For FY24 our free cash flow margin target of 30% is inclusive of estimated full year impacts from billings duration and cash taxes balanced by the positive tailwinds of increased operating leverage higher interest income and lower CapEx.
Looking into FY25, we've used 30% free cash flow margin as our starting point and see a path to delivering between 30% and 32% free cash flow margin for the year. And looking one year beyond that into FY26 we see 32% free cash flow margin as our starting point, up 200 basis points from the prior years starting point.
Looking at all of this in the context of our target model, we've made significant progress in our last three reported fiscal years subscription, gross margin, R&D, G&A, and free cash flow margin were all within our target ranges. And I think it is clear from our phenomenal performance in Q4 and fiscal year 2023 that our model is highly leverageable. And we are operating very efficiently as a company achieving a high ROI on our investments.
We believe our business model is capable of delivering our target operating income target in the near term. But we do not think that would be the best course of action given the massive market opportunity we see at hand and our strategic position within the ecosystem.
We are an innovation company. And as we presented to you today, we have our sights on building an even bigger company and we are bullish on our opportunities and ability to execute on our vision. As such, we are continuing to increase investments in key areas, including building out our global footprint, which includes sales partners, channels and international markets. Investing in our modern XDR platform including data protection, identity protection, log management, observability and XDR.
As our FY24 guidance reflects, we expect to deliver increased leverage and approximately 30% free cash flow margin, even as we grow and aggressively invest in the business. And as highlighted with the green boxes on this slide, we expect to maintain subscription, gross margin sales and marketing, R&D, G&A and free cash flow margin within our target range on an annual basis, excluding any potential M&A.
We expect to achieve our operating margin target model sometime within FY25. While we expect to see fluctuations on a quarter to quarter basis, we expect to realize more of the benefits from the investments we are making today in COGs optimization, that will translate to gross margin in FY25. What is nice about scale and an efficient go to market engine is even small, incremental refinements in gross margin can lead to meaningful operating margin uplift.
Additionally, longer term we see room to exceed these targets beyond FY25. And this is just the beginning. We have our sights set on a much larger goal of reaching $10 billion in ending ARR. The investments we are making today are designed to flight the company for success to reach our goal of growing to $10 billion and beyond.
Here are the areas that really excite me and we believe have the biggest opportunity for growth on the Falcon modern XDR platform as we look ahead, log scale data protection, CNAPP, identity theft protection, and continuing to capture market share from legacy vendors. Bringing this all together, I'd like to end on what I personally believe, puts CrowdStrike in a league of its own. This time last year we shared with you that CrowdStrike has the winning formula of rapid growth at scale and strong free cash flow.
We showed that while there were over 40 public enterprise software companies with over 1 billion in LTM revenue, only five had a growth rate greater than 60%. And only CrowdStrike had both of those attributes and delivered a 30% free cash flow margin. This year, as we surpassed the $2 billion LTM revenue milestone CrowdStrike remains in a league of its own. Based on the most recently reported figures, there were only 26 public enterprise software companies with more than $2 billion in last 12 month revenue. And just two of those companies were growing at an LTM rate of 50% or more. Those included CrowdStrike and Snowflake, and only CrowdStrike delivered this scale and growth in combination with a 30% LTM free cash flow margin. A truly remarkable feat that every CrowdStrike should be very proud about.
In summary, I've never been more excited about the opportunities for CrowdStrike. I look forward to continuing to profitably scale our business and invest in our opportunities. Thank you very much.
Before we open it up to Q&A, I will turn it over to George and Daniel to discuss our partner program in more detail.
George Kurtz
Thanks, Burt. And before we open the call for questions from the audience, I thought our audience would like to hear from Daniel Bernard, our Chief Business Officer to get his take on our partner initiatives and SMB program. And Daniel, you recently joined us from SentinelOne. So tell us about your new role at CrowdStrike.
Daniel Bernard
George, thanks. It's a pleasure to be here and greet you and greet everybody. As Chief Business Officer here at CrowdStrike, I'm looking after our partner community. It's a vast network of thousands of resellers, technology alliance partners, system integrators and the long tail of MSPs that we can really mobilize to transform our business and change cybersecurity as a whole. In addition, SMB is also something that I'm looking after. Huge opportunity in the TAM to go and disrupt it, just like we've been doing in the enterprise for so long.
We're well on our way. But there's a lot of TAM out there for us to replace legacy products and bring the power of the Falcon platform to SMBs at scale all around all around the world.
George Kurtz
And what are you hearing from the partner community?
Daniel Bernard
Yeah, I think what we're hearing from the partner community, and you and I've been out on the road, visiting these folks quite a bit the last couple of weeks is really some consistent information. One CrowdStrike is the technology that customers want, that customers need. Two, customers need consolidation. They're looking for platforms that enable leaving many different point products and optimizing workflows, optimizing, spend, and optimizing capabilities. And three, we've got the programs, the plan right here to help partners be successful.
At the end of the day, what partners are keen to do is help customers stop the breach, we're the technology to enable that, we're the technology to build a business around, we're the technology that can really transform this market. And the partners are just craving to work with CrowdStrike and sell the modules, sell the story and sell the outcomes.
George Kurtz
And you're right, traveling around and meeting with many of the partners with you, it's been just a just great feedback in how many partners want to continue to work with us and new partners want to work with us. One of our best biggest and greatest partners is AWS. And they've grown to be one -- we've grown to be one of the top ISPs for them. Can you provide some insight on how things are going with AWS?
Daniel Bernard
Sure, well, we don't really break out individual partners' specific information. But CrowdStrike was super early to invest with AWS and build out a cloud first go to market to help customers that were using us on endpoint transition to helping secure the cloud. What I can say is, we're seeing huge momentum with AWS. The amount of partners' sourced revenue that they're bringing to the table for us is unprecedented. AWS would tell you that we're one of their most successful ISV partners, security partners. We'd say the same.
And really the results of taking the partner community leveraging that with the AWS Marketplace, and unlocks a huge TAM, deal velocity, and amazing results for our sellers, even more results for our customers that are looking to use their AWS spend credits on the latest and greatest cybersecurity. That's right here. That's right here on the Falcon platform.
George Kurtz
Now there's been a lot of excitement about the Dell announcement. So can you share with the audience the different ways we're working with Dell, and how it expands our market reach?
Daniel Bernard
Sure, I'm really excited about the Dell announcement. I've worked with Dell a number of times in my career, and in the long term, this is a game changer for CrowdStrike. What Dell does, for us is a number of different things. One, it brings us to new markets new tabs globally. This is a global partnership. Dell sells us on the box that's with PCs, for businesses of all sizes. Dell also has the ability to sell the entire Falcon platform bring that to market to customers. In addition, Dell has a managed service to help companies optimize how they want to consume cybersecurity. We're there as well.
And last but not least down in the SMB space, new packaging models that we're able to trial with Dell, such as a monthly subscription device-as-a-service, all these different routes to markets, all these different geos, all these different customer outcomes are all serviced through Dell, which really represents about 30% of the PC market today. Huge opportunity for us, and we're just getting started.
George Kurtz
And lastly, let's dive into SMB opportunities. We've talked a lot about that recently. It's not something that we just started, been working on it for many years. How do you think about that opportunity to penetrate the SMB and drive better outcomes for customers in what I would call a traditionally under protected and very fragmented market?
Daniel Bernard
Yeah, I think let's first start talking about the market. This is a market that's significantly still using legacy V subpar products. And if you look at it first, do we have the right technology, product market fit with solutions like Falcon Go, super easy to deploy, no updates required, no interoperability, set it forget it. This is something that's perfect for SMB customers. Two, the routes to market and optimizing those. And I think to what you were just talking about, this is something that CrowdStrike, and specifically you were thinking about earlier on, that Atlassian model.
Go to crowdstrike.com, you can click on the Buy button, you can buy the software anytime, you can try it anytime. And we're the only company in the market that does that. So we make it extremely easy for customers of all sizes, specifically SMB to get started and see success right away. But then you look at partnerships like what we're doing with Dell, you look at the power of some of our partners that really serve the small and medium business, you look at what we're doing in the MSP space. This is the technology that can solve the problem that can stop the breach that can transform cybersecurity. And there's a compelling event out there right now,
What is the compelling event? It's cyber insurance. Every business, large, large companies, small companies, businesses of all sizes, they're being asked to make sure that they adhere to certain cybersecurity standards, that they optimize and transform their cybersecurity stack so that they can qualify for insurance. Cyber insurance is something that's on everybody's mind. Businesses of all sizes, specifically SMBs. They all know somebody or maybe it was them that was impacted by a breach.
The market is ready for this transformation. We have the technology to do it. And there's a lot of TAM out there for us to go address in the SMB.
George Kurtz
Well, thank you, Daniel. Really excited to have you on the team. So let's turn the call over to Maria for our Q&A session.
Question-and-Answer Session
A - Maria Riley
Thank you, George. We will now take questions from our covering analysts. [Operator Instructions]. We ask that you limit your questions to one and return to the queue. Our first question is from Saket Kalia of Barclays. He will be followed by Sterling Auty of MoffettNathanson. Saket, please proceed.
Saket Kalia
Okay, great. Hey, Maria. Can you hear me okay, and see me okay?
Maria Riley
Yes, Saket.
Saket Kalia
Okay, great. Awesome. Well, hey, thanks, everyone for taking my question here and for hosting the session. George, I want to pick up just off that last topic that you were talking about with Dan, on SMB. And maybe just connect that a little bit back to some of the really helpful stuff you gave on just the competition with Microsoft. I think the 80% win rate in the enterprise was great to see. But George, maybe you could just talk a little bit about how that compares in the SMB, and how Falcon Go can perhaps replicate some of that down market as well?
George Kurtz
Well, Saket, I think it's very similar in the SMB space. Customers that have been using a variety of technologies, whether it's Microsoft or other legacy technologies have had issues. They've had ransomware issues. They continually struggle with a lot of this security implementation. So when we have the opportunity to show them and get engaged with them with Falcon, more times than not, we're going to win.
And one of the other areas for smaller SMB, when you talk about Falcon Go is also being able to upsell them into Falcon Complete. We have so many small businesses that have a lot of risk. They can't get insurance, they need insurance. And they turn to something like Falcon Complete, which is an absolute game changer. And that's really, I think, a huge opportunity for us. It's much differentiated than anything Microsoft or others offer in the market today. And it's set up based upon the platform architecture that we have.
Saket Kalia
Makes sense. Thanks, guys.
George Kurtz
Thank you.
Maria Riley
Thank you Saket. Our next question is from Sterling Auty of MoffettNathanson. He will be followed by Joel Fishbein of Truist. Sterling, please proceed.
Sterling Auty
All right, thanks, guys. I wanted to ask about cloud. The couple of hundred million in ARR, I think Burt, you mentioned that you land small and grow with the workloads. I'm curious about what the opportunity is to actually penetrate existing workloads, or are you really tied to just new workloads, which unfortunately, we're seeing that growth slow due to macro?
Michael Sentonas
Hi, Sterling, it's Mike. I can jump in there. It really is both, to answer the question. Obviously, we got a lot of organizations that have significant cloud deployments today. And the big thing that I'd call out is they've got a flavor, a version of everything. And that really works well with our strategy which is to not dictate what cloud people should use, but to give you choice, to give you the ability to run any cloud version you like, any infrastructure you like, and then we'll come in and secure it.
So works very well for what people have today. And then as people continue to build out and grow, and grow aggressively into the cloud, the technology stack allows them to continue and we grow with them, which is part of that simplicity and elegance of the solution that we talk a lot about.
Burt Podbere
And just to follow on that, we actually have many customers who started in the cloud first. They were on a journey. They may be they were a little bit later in the adoption curve with cloud. They chose CrowdStrike to protect that cloud environment and they realized how easy and effective it was. And then we actually were able to get the internal desktops, servers, laptops, etc.
Sterling Auty
Understood, thank you.
Maria Riley
Thank you, Sterling. Our next question is from Joel Fishbein at Truist. And he will be followed by John DiFucci of Guggenheim. Joel, please proceed.
Joel Fishbein
Thank you, Maria, and thanks for taking the question. And lots of great info here. George or Michael, it's the -- I would love to just understand Falcon Complete. It sounds -- it seems to us that Falcon Complete, every customer should have it. What's the impediment of not every customer adopting Falcon Complete? And what is the strategy to potentially get more customers to adopt it to? Be really helpful. Thanks,
Michael Sentonas
Hi, Joel. I'll take this one. I mean, look, you are right. It's an incredibly compelling offering. And really, when you look at the economic value that a customer gets, they have the ability to get access to Falcon Complete. They have the ability to leverage the platform, they have the benefit of us deploying the capability, operationalizing it and providing 24 by 7 all year round.
The cost benefit to the customer is very clear. They get -- straightaway, they get economic value. It's going to cost them a lot more to try to hire people to build a 24 by 7 service, to be able to get the skills and keep people employed. It's a tough market, as you know. So very compelling offering. And look we're really making sure that people have the ability to get access to Complete. We want people to get the access either directly from CrowdStrike, or through our partners.
And having Daniel on the team and really building out that capability. So people have the choice to work with CrowdStrike, or local partner as part of the strategy. And as you've seen, we've also increased the complete offerings. We started off providing Complete as a service to leverage the prevent and insight module with OverWatch. And we've built that out to include identity to include the cloud. We provide complete for LogScale. And we will continue to innovate in this space as customers are demanding more and more and just getting so much value from it.
George Kurtz
And I think just to add on to Mike's comments, I think what's under appreciated in our model is the ability to create additional offerings in the complete product family. As Mike said, we started with one and now as we've added new modules or acquired new companies adding new technologies, in almost every case, we have the ability to add an additional extension to the Falcon Complete product offering. And that obviously is a massive opportunity for us, given the price points for Falcon Complete.
Burt Podbere
And one last point, we often go back to our customers with respect to something called a business value realized. So we do a business value assessment. Six months later, we go back and show the savings. And if they don't have Complete at that point, we would show them additional savings that are there to be had. So it's not something that we just try to educate once but we continue to do that education and to continue to show value in that offering.
Joel Fishbein
Great, thank you.
George Kurtz
Thank you
Maria Riley
Thank you, Joel. Our next question is from John DiFucci of Guggenheim. And he will be followed by Alex Henderson at Needham. John, please proceed.
John DiFucci
Thanks Maria. Thanks for getting me in there. I was getting all confused there. But anyway, my question is actually for Daniel, or if these -- if he can answer. And maybe George, you can come in on this too. It makes a ton of sense for you guys to go the SMB for you. I see a sort of all Greenfield opportunity. It's not someplace you've ever really got after aggressively. Maybe you've picked up customers along the way but not nothing like what's out there.
But it's also traditionally a very cost sensitive market and your premier product is also usually sold at a premier price, because it's the value selling right? I guess I'm just trying to figure out how you combat that? Your thoughts around.
Daniel Bernard
John, let me jump in there. So first, the markets that are maturation point where the existing solutions and products that are there just aren't good enough. And customers are really looking for something different. And there's a willingness to pay. We've tested that thousands of times over. There's a willingness to pay for a superior product, a superior outcome. So that's number one.
Two, and it really dovetails nicely into the role in what I'm doing here. The partners plays such a pivotal part in our go-to-market and that part of the market, specifically. So the way that we're going to dominate the SMB isn't by hiring another couple of reps or hundreds of reps. It's going to be by activating the partner ecosystem to really focus there and work with the kinds of partners that really specialize in that area of the market.
So it's really a different go to market motion for us. The third is really just the product market fit and having this ubiquitous brand, the trust in the market. I mean, folks drive to work. They hear George on the radio, they watch on TV, they know CrowdStrike. They know it's the best cybersecurity. They read the Global Threat Report. They call their cyber insurance broker, they hear about us there. So this market is ours for the taking, we're not going to do it on the cheap, we're going to make sure that we're offering the right value.
John DiFucci
Okay, that makes sense. And then -- and I'd like to see George wear that jacket on TV next time. But go ahead, George, I actually like it.
George Kurtz
Oh, good, good. I'll let my wife know. So at the end of the day, when you look at this market, as we talked about, SMB is very fragmented. And it really is the partner community that's going to help. I sometimes make the joke. It's a little like the AV world in your house. You just want the AV to work and whatever they commend you kind of go with. And that's kind of the relationship that's out there in the SMB market. If you are the recommended solution, you're going to get in at the right price point.
And just to even further the comment on the willingness to pay, we've had customers talked about stories like this over and over, that have come in, bought $2,000 of Falcon Go, and then we upsold them to $40,000 of Falcon Complete. Yeah, a lot more money. But when you look at what we're giving them, they couldn't even hire a quarter of a person to do what we were doing for them.
And by the way, they were getting discounts on their insurance, with Falcon Complete. It's a huge opportunity. So when you package it all up, and you look at the total value, it becomes a no brainer, which is why so many small businesses have chosen Falcon Complete.
John DiFucci
Okay, and I guess -- and I'm sorry, it's the same topic, but just that go-to-market difference is that, can that also be a lower cost go-to-market, so you can play a little bit with price if you want.
George Kurtz
We have the flexibility to play with price there. With Falcon Go, we have a lot of flexibility, and the partner ecosystem, we know where we need to be. And we can actually be in that ballpark. And then we have the ability obviously, to upsell adjacent modules and things like Falcon Complete. So once we get in, we know we have a history of being able to cross sell. You can see it in all our numbers. And that's the goal in the SMB space.
John DiFucci
Great, thank you.
George Kurtz
Thank you.
Maria Riley
Thank you, John. Our next question is from Alex Henderson of Needham. And he will be followed by Brian Essex of JPMorgan. Alex, please proceed.
Alex Henderson
Great. Thanks so much, Maria. And George, it's great to hear you really reiterate the importance of seeing you not as an endpoint company. But definitively as a platform. I wanted to shift the question a little bit over to what I think a lot of people are worried about in terms of risk. And maybe I can get Burt to talk a little bit about a couple of categories of risks.
Specifically, what is your finance vertical exposure? Are you concerned at all about the recent impact on regional banks? And what that might mean for their spending outlook? And if that's a vertical that has meaningful scale to it, when do you think that might show up in the numbers?
And second, along the same lines, a lot of companies particularly in tech, doing staff reductions, reducing their physical footprint by closing offices. How are you impacted by those dynamics? And is that something that's a slice of bread or a loaf of bread? How big a risk do we have to those two variables?
Burt Podbere
Yeah, so look, I'll take the first and talk a little bit about the banking sector. For us the regional banks, we have low single percent of ARR in that bank. And so the exposure is quite low. So for us, that's something that we're in a really good position to be able to, minimize, minimize that risk. And it goes beyond just regional. Right. We have, overall, you know, the risk in the banking sector is single low digits in ARR. And I'll turn it over George for the second piece.
George Kurtz
Yeah. And just to comment on that first question. It's not like banks are going to stop needing security. I mean, it's a regulatory requirement, right. So but specific to your question around employees, basically, what we found is we've hit even a broader sweet spot for companies that have reduced some of their workforce, because they don't have the people power to actually protect their environment. And what we've seen is there are budgets available, just not for headcount.
So we've been, I think, quite successful in selling Falcon Complete into these organizations that are looking to right size, their environment and provide a level of protection and maturity within the security organization through our Falcon Complete offering. And that I think is a sweet spot for particularly for those companies that are looking to right size.
Alex Henderson
Super.
George Kurtz
Thank you.
Maria Riley
Thank you, Alex. Our next question is from Brian Essex of JPMorgan. And he will be followed by Andrew Nowinski of Wells Fargo. Brian, please proceed.
Brian Essex
Thanks, Maria. Thanks for taking the question. The question was for you, Burt. You noticed the margin targets? You know, I noticed that you indicated that they exclude M&A and you have that nice $10 billion ARR target out there. So I guess a couple of points on that. How aggressive should we anticipate you might be at pursuing that $10 billion target? And how should we expect the extent to which you might sacrifice margins for M&A?
What is your discipline around margin accretion with regard to M&A? Is it going to -- are you going to set a floor saying, for example, it wouldn't fall below this level? Or is there an expectation like if you happen to do a deal, that's not immediately accretive to margins, you might set a recovery rate to set expectations around.
Burt Podbere
Yeah, so good questions, Brian. So one -- so first, before we get to the $10 billion, talk about the $5 billion. Again, it's an illustrative example of how to get there. And the idea there, the design, there was to show many different paths to be able to get to the $5 billion. The $10 billion, is going to be not even further.
We don't know when that's specifically going to happen. But obviously we think that with the TAM, that we talked about, and its opportunity, and the fact that we are so low penetrated with respect to the TAM, we have an incredible opportunity to go and capture so much more. And that was the idea, just generally and how we think about it.
And then M&A we've been quite disciplined to date. I'll let Mike take a little bit about that. But from a financial profile, number one, we're not growing. We're not -- we're the company that's not growing at any cost, right. We've been disciplined from day one. Having said that we're going to be looking at targets that have been successful for us. The ones that are great tech, great people, we're not looking to buy ARR.
We think we've got a great distribution engine, where if we do buy a great tech and great people, we can plug that in, and off we go. But I'll toss it over to Mike with respect to a little more depth on the M&A side.
Michael Sentonas
Yeah, sure. Hi, Brian, thanks for the question. I think Burt said it really well. We obviously look for great tech and great people. But the thing that I'd put above that is making sure that the great tech and the great people work for our customers. And one of the things that we've been really careful about is making sure that the technology that we -- the companies that we acquire and the technology that we want to bring to market integrates with our security platform and integrates with our endpoint where applicable. And it's a really careful consideration that we make to make sure that the customer doesn't become the systems integrator. And we see this all the time.
You look at a lot of companies in security, really a lot of organizations in the tech space that buy a lot of product. And what ends up happening is the end user ends up suffering. And we see very commonly, a lot of vendors will then go on buy maybe some middleware. They'll go and buy an orchestration platform to try to get all those products to work. And it doesn't really end well for the end user. So we've been very careful.
We want to make sure that we stay focused on the areas that are foundational for CrowdStrike and the emerging areas that we talked about. We want to get products that solve real world customer problems. But they have to be something that we can integrate, they have to be great. The technology needs to be highly differentiated. And we're looking for good people. So we will continue to be careful in this space.
Brian Essex
Okay, helpful color. Thank you.
Maria Riley
Thank you, Brian. Our next question is from Andy Nowinski at Wells Fargo. And he will be followed by a question from Jonathan Ho of William Blair. Andy, please proceed.
Andrew Nowinski
Thanks Maria and thank you very much for taking the question today. So you guys did a great job laying out all the different growth drivers and all the different new market segments like SMB that you guys are penetrating. And I guess I want to circle back and talk about the $5 billion ARR target, you have. I think you've made the argument that, that target in FY25 is very -- is almost ultra conservative, and that it only requires $830 million in net new ARR growth or no growth, I should say, flat growth for three consecutive years.
So seems to me like, I guess number one, why wouldn't you raise that target, given all the positives you talked about today? And second, what would have to go wrong to hit that $5 billion target, because it seems like a lot more would have to go wrong versus right for CrowdStrike to deliver $5 billion in ARR in FY25. Thanks.
Burt Podbere
Sure, Andy. I'd love to explore that a little more with you. So first, again the $5 billion was a rough sort of design to show you the many paths. I mean, we really look at the $5 billion as a whole platform sale. This is how our customers view it as well. They're buying the platform at the end of the day. The more foundational capabilities we deliver through our single agent cloud architecture. The more we differentiate ourselves in the market and drive high retention rates, that's what we're really after. We really become critical to the business. And our foundational capabilities drive growth for modules in newer areas, that may have once been considered adjacency and vice versa.
We have this great opportunity to explore that $5 billion through our foundational, our financial capabilities, as well as our some of our faster growing that were adjacencies that are now converting into our foundational capabilities. So we're getting excited about how to get to a $5 million from many different angles.
And I think for now, I think the right answer is to show you those, and to show you how we think about it. And there are other many different other angles. And we talked about SMB. DB, went into it a little more about how he thinks about SMB. And you've got to remember that our tech, we don't have to customize our tech for SMB versus enterprise. It's that same tech, which is so rare in software as you know Andy.
So that's how that's how we think about it. And we're excited to be able to put out the $5 million, different paths to get there from an illustrative example point of view, to kind of illustrate, the different levers that we can pull together. And I think that was the reason behind why we put it out there.
Andrew Nowinski
Thank you. Keep up the good work, guys.
Burt Podbere
Thank you.
Maria Riley
Thank you, Andy. Our next question is from Jonathan Ho of William Blair. And he will be followed by a question from Hamza Fodderwala of Morgan Stanley. Jonathan, please proceed.
Jonathan Ho
Hi, there. I just wanted to maybe circle back with sort of the Microsoft question. How often do you see customers that have switched from CrowdStrike to Microsoft switch back? And are you seeing any scenarios where maybe these customers, their testimonies or their experiences are getting out more into the marketplace and sort of altering that dynamic over time? Thank you.
George Kurtz
Yeah, I'll start and I'll let Mike jump in. We haven't seen many switch. So let's start there. That's the good news. So I don't know, I guess it's still early in the cycle. I'm not saying someone couldn't have switched. But what we find though, are the customers that have already bought into Microsoft, switching to us and we've gone through a litany of those, or at least several in this particular webinar. And again, it gets back to what we were talking about.
A lot of times they come to us after a breach, a lot of times they're frustrated. They thought they were going to pay one item and it was much bigger bill at the end. And they got sticker shock. And again, I kind of see this playing out just like the Symantec McAfee days in that signature based AV that isn't really -- it's cobbled together consoles. It's not stopping breaches is why we've been so successful.
So customers who may be on Microsoft, we think is a great opportunity down the road, come back -- to come to CrowdStrike. And that's what we'll focus on. Mike, you want to add to that?
Michael Sentonas
Yeah, I think just follow on a couple of your comments there. George. What we are seeing is more examples of people coming from Microsoft to CrowdStrike, not from CrowdStrike to Microsoft and then boomeranging back and I wanted to use one example obviously, when we reached out to you all and asked what you wanted us to cover and talk about, there was a lot of questions around Microsoft.
And I thought that was a great example having Tim Parisi from our services team use and go through an example, where somebody had issues and then came over to CrowdStrike, and starts with an incident response engagement. So there's an opportunity there and then ends up with a platform sale.
And beyond that we see this quite often. I was with a customer last week, who was telling me about the issues that they had, a Defender customer. They even brought in Microsoft during a breach. And that didn't go well. They got breached again. And then they ended up going with CrowdStrike. And they've had an amazing experience since. So that's probably more representative of what we see out there in the field, Jonathan?
George Kurtz
Yeah. And I'll add one more to that. I was with a customer last week, and they were Microsoft customer. They had an issue, they switched to CrowdStrike. And the CTO's [ph] comment was, if I ever leave my current employer, I will put my contract a requirement that the new employer buys CrowdStrike if they don't already have it. So I think that's strong testimony. And that's the kind of fanatical customers that we have at CrowdStrike. So thank you.
Jonathan Ho
Excellent, thank you.
Maria Riley
Our next question is from Keith Bachman of BMO.
Keith Bachman
Okay, perfect. And I think BMO's a new CrowdStrike customer. So happy about that. I wanted to ask, really a two part question. First is on the margin targets that you gave, the free cash flow margin increase from the 30%, looking out a couple years to 32% plus, is less of a slope, if you will, in terms of your operating margin target increase over that same period of time. So I just wondered if there anything you want to call out, is -- are you embedding some duration, difference in that margin target that you put out for free cash flow?
And then perhaps just in the interest of time, I'll sneak in my second one here. Just wanted to ask about pricing within the context of SMB. You did say that the underlying technology is great, which makes it a really efficient go to market capability. But it sounds like you might be more willing to ask for different pricing structures. And indeed, this past quarter, we got some feedback from the channel in the SMB category, CrowdStrike was more aggressive in enterprise. There was really no pricing change behavior.
And I just want to speak to while the underlying technology is the same, is there sort of a different philosophy as you're migrating into the SMB category from a pricing? So this isn't related to channel, but just absolute pricing? Then I'll cede the floor. Thank you.
Burt Podbere
Sure, I'll start with the -- I'll start with the cash. So the only thing I would call out on cash and why op margin is outpacing free cash flow margin slightly, it's due to a little bit on duration, on billings duration to be specific or billing cycles. Let's start the conversation with respect to prior to the macro. The majority of our customers were on annual billings. And as we entered the macro, we saw a slight increase of our non annualized billing customers move towards annual billing.
So that would be the counterpoint to why the op margin is growing faster than free cash. And I'll turn it over to Mike and George to talk about the SMB and what's going on there.
George Kurtz
Yeah, I'll start in the SMB side. When we think about SMB, and how we look at the market, we can be very aggressive in that market. And what's important to keep in mind is that the price points are relatively high in that market. So there's a lot of margin if you need to be aggressive, compared to a large enterprise deal that has volume discounting. So I think it may seem counterintuitive, but there's high price points, and we have the ability to be very aggressive, given the margin profile of something like Falcon Go.
So we have, we will and we continue to be aggressive because we know we have high gross and net retention rates and our ability to go in and consolidate that market is pretty exciting to us. And that's what we want to take advantage of. And that's why guys like Daniel are here and given our routes to market with our partners we think we're going to be pretty successful there. Daniel, anything to add there.
Daniel Bernard
George, you summed it up well. Keith, these folks are looking for a change. We have the change they need and they may not need all 20 plus modules on day one. So there's a lot of opportunity to not only land at a compelling price, but also expand, take them on the journey, get them into Falcon Complete or have our CrowdStrike powered Falcon Complete service help a partner deliver that on our behalf. So a lot of optionality there and a lot of reasons for partners to take us down into that part of the market.
Keith Bachman
Okay, many thanks.
Maria Riley
Thank you, Keith. Our next question is from Patrick Coleville of Scotiabank. And he will be followed by Roger Boyd of UBS. Patrick, please proceed.
Patrick Colville
Hey, Maria. Thank you so much for hosting this session. I guess my questions around the exposure to the tech vertical. So Burt, you kind of very helpfully discussed earlier, the exposure to the finance vertical. I think another risk that we've been fielding from investors is, what about exposure to the VC-backed tech vertical? Would you be able to provide some, I guess qualitative color there, and then also some kind of quantitative data just to help us frame that question.
Burt Podbere
So sure, I'll start, and then I'll toss it to George to finish. And you'll get where I'm going. So basically, on the tech side of the house, all the banks that did bank with SVB, in the tech area, the private ones, I mean, the good news is obviously the FDIC stepped in. They're still making payroll. They're still doing what they need to do. And so they're still there. But what I can say with respect to, not only the focus, what's happened with respect to the focus on profitability, not only in the privates, but in the publics.
I would say, A, they all need security. Let's start there. And then B, I think the key point is, even if they are downsizing in terms of number of people, they're still going to need to have cloud protection, or they're going to need workload protection. And as automation can take over more and more of a company in terms of how they run their business, we're going to be there to be able to supply that type of security.
The other thing that I'd like to say is on the -- on some of the smaller tech companies, the one thing that we do really well is complete, right. So I think this is that offering, where we're able to offer the best in class type of security at a fraction of the price of what it would cost for somebody to go out and hire a team, or even one person in many examples.
So when you have something like CrowdStrike out there, that's easy to use, simple to deploy, and we can manage it for you, that's super compelling for not only the private tech companies, but for the public ones. And I think that when we think about the tech space, and you've seen all the downsizings that are taking place, ultimately, workloads and companies becoming more efficient is what's going to drive our continued success with respect to our offerings, right? It's not just about users, it's about protecting the data. It's about protecting the machine.
So I think that -- the end servers, and so -- and cloud workloads. I think those things are going to continue to grow and be important to us as we look down the horizon.
Maria Riley
And our last question comes from Roger Boyd of UBS. Roger, please proceed.
Roger Boyd
Thanks for taking the question. And thanks for the informative day. Just to hit on Falcon Complete, I think Gartner's talking about one in every three EDR customers buying provider offered MDR on top of it. And George, you talked a little bit about the momentum you're seeing, especially in this market with the need for more outsourced services. But I'm wondering if you could talk about Falcon Complete from a competitive angle. And how big of an advantage is that versus some of your core competitors?
Maybe you could talk about Microsoft who are a little bit less established in that provider offered MDR space? Thanks.
George Kurtz
Well, it's a great question. And it's a huge advantage for us. And it really is set up with the XDR agent that we have and the platform that we've built. It's very difficult to do or replicate what we do with the existing tooling that's out there with a mishmash of technologies, consoles, and again, getting the right outcome. There's a reason we offer a million dollar -- up to a million dollar breach warranty to our Falcon fleet customers, right. I don't see Microsoft or others doing that. And the reason we do that is we've got confidence in the service. And it works.
When you look at the ability to try to replicate that, it's difficult because the way the agent works and the way the data is actually centralized, we get a complete view of what's happening across the entire organization. And it isn't sort of a piecemeal that you have to stitch together. So from that standpoint it is very differentiated. And in fact, I talk to customers all the time. We -- again this is a different customer, but last week I was with one they said, you know if I can marry a technology, it would be CrowdStrike. That was another Falcon Complete customer. And these are all great quotes.
We'll have to get him on one of our Investor Days. But to that end, I'll maybe turn it over to Daniel to see if he wants to add anything with Falcon Complete because obviously that's a big opportunity for us, particularly in the small businesses.
Daniel Bernard
Yeah, not only in the small businesses first, Roger, the stat's true in terms of vendor delivered. The other piece here is partner delivered. And there's a huge opportunity for partners that they have the same problem that a lot of these customers have, which is how do I find cybersecurity staff to staff the SOC to deliver a service, and that's where the value prop of Falcon Complete becomes even more compelling, where partners are either turning to Falcon Complete to deliver the SOC for them, or to augment their SOC with a cloud powered offering.
And that gives them brand cachet that gives instant credibility. So while one may be buying it from a vendor, through a partner, there's still two more, three more, five more, ten more that are going the route of consuming it through partners. And then you go down the stack to what we were talking about before to SMB. You're not hiring any cybersecurity staff, you need this capability. This becomes belt and suspenders, a necessity for how you operate security today. Mike?
Michael Sentonas
Yeah, I would jump in Roger and just add one point, I think, really, if you want to look at a great example of where the rubber hits the road, as they say, last year, MITRE's attack evaluation for security service provider, really showed the differences between the tests. There was a closed book test. It was a very complex test, very different to the typical MITRE attack evaluations. CrowdStrike Falcon, the platform achieved 99% detection, and coverage of adversary behavior. And you just didn't see that performance across the stack. And we're service providers that have great people have great skills, use tools from Microsoft or Palo or other vendors. Some even use products and pulled out of the test.
You saw a couple of things really, really clearly CrowdStrike was easy to use, it got the efficacy, it got the results. And where people were using those other products, they didn't do well at all and service providers really struggled. And it talks to a problem with complexity, it talks to a problem with hard to leverage these products when you need them most, when you need them to perform. And I think we were really proud of that we've demonstrated time and time again, how different the platform is to, to what's out there from other competitors.
Roger Boyd
Appreciate the detailed answer. Thanks again.
Michael Sentonas
Great.
Maria Riley
Thanks, guys. With that, I'll turn it back to George for closing remarks.
George Kurtz
Well, I just wanted to thank everyone for spending some time today with us. Hopefully this was informative. We tried to give you a view of the platform itself and how we think about our platform as really a form factor of being able to create additional adjacencies that go beyond what might one might consider just core endpoint protection. We talked about emerging products and modules. And again, I want everyone to really think about what we have as a platform. And some of the modules are faster growing, but it's all one platform. And that's really how our customers consume it, foundational platform with emerging modules.
Mike, I think gave some great demos and talked about our identity solutions and XDR and Surface. Again, great feedback from customers. And there's a reason why they continue to buy more and more modules from us. And then Daniel spoke about how much effort we're putting into SMB and also our partner network and the reception there. And then obviously, Burt went through all of his financial numbers in his illustrative discussion around our path to $5 billion.
And with that, I'll get things wrapped up. We look forward to seeing everyone on our next quarterly conference call. And again, thanks everyone for their time today.
- Read more current CRWD analysis and news
- View all earnings call transcripts