CrowdStrike: A Glass DeathStar during SaaSmageddon | Short Thesis
The largest IT outage in history, an SEC/DOJ investigation, and a renewal cliff the market hasn't priced into Wall Street's most expensive cybersecurity stock.
We believe CrowdStrike (CRWD) is facing several existential threats in the highly competitive Cybersecurity-SaaS sector. Without question, CrowdStrike dominates market share in enterprise-level cybersecurity. However, we believe CrowdStrike is functionally a glass Death Star, both in its balance sheet and in its operations.
The simplest way to understand CrowdStrike’s competitive vulnerability requires absolutely no technical background. Microsoft, one of its biggest competitors, has a cybersecurity product (Defender for Endpoint) built into its enterprise license suite at no additional cost. Approximately 60% of CrowdStrike’s Fortune 500 customer base already holds E5 licenses. These organizations are, in practical terms, paying CrowdStrike a premium subscription for endpoint protection they already own through their existing Microsoft agreement.
By way of simple analogy, this is like purchasing a home that comes with a free professionally monitored security system (Microsoft), only to then turn around and pay a different company (CrowdStrike) to install a second system on top of it. This is a redundancy that was once justified only by the market’s perception that Falcon was the categorically superior product.
Our research below will show CrowdStrike's reported 97% retention rate is structurally misleading and most outage-affected customers haven't reached renewal yet. We present evidence of a joint SEC/DOJ investigation, $500M+ in litigation surviving dismissal, and a contract renewal cliff the market has not priced.
In a follow-up article we will be presenting Open Source Intelligence (OSINT) collected by First Strike investigators which reveals CrowdStrike’s arrogant “cybersecurity Jesus” complex headlined by their social prestige and backstopped by a culture of catastrophic QA, pushy sales tactics, and a befuddled customer support network which is often regarded as painstakingly slow.

CrowdStrike (CRWD) trades at 25.8x revenue with a 95x forward P/E, and we believe the market hasn't yet seen what happens when the contracts come due. On July 19, 2024, a single faulty content update crashed 8.5 million Windows systems in the largest IT outage in history. Airlines grounded 16,896 flights. Hospitals went dark. Fortune 500 companies absorbed $5.4 billion in losses. But because CrowdStrike locks enterprise customers into 1-3 year prepaid contracts with no termination for convenience, the churn from that catastrophe has just begun to surface in reported financials. The first major renewal wave starts now. Meanwhile, the SEC and DOJ are jointly investigating the company's revenue recognition practices — a dual-agency probe that, outside of FCPA cases, is rare and typically signals potential criminal exposure.
At the helm is CEO George Kurtz, who is the only cybersecurity executive in history to preside over two global IT outages caused by faulty updates. He declined to testify before Congress about the incident, opting to send Adam Meyers, the company’s Senior Vice President of Counter Adversary Operation, instead.
First Strike investigators also uncovered dozens of testimonies from former employees, customers, and adjacent cybersecurity professionals regarding the arrogant and reckless culture that is plaguing the company.
Premium valuation disconnected from decelerating fundamentals. CRWD trades at 25.8x P/S and 95.2x forward P/E — more than double peer averages — while revenue growth has decelerated from 36% to 22%, ARR growth has fallen from 35% to 23%, and net revenue retention has dropped to a record-low 112%. Free cash flow margin compressed from 31% to 27%, moving further from management’s 34-38% target.
The July 2024 outage was the largest IT failure in history — and the financial impact is structurally delayed. A faulty update, negligently pushed by CrowdStrike, caused $5.4 billion in estimated Fortune 500 losses and over $10 billion in total global economic damage. CrowdStrike’s 1-3 year contracts stipulate no termination for convenience, which means tranches of customers have not yet reached renewal.
Competitors are actively converting pipeline from the outage. Palo Alto Networks confirmed active discussions with companies seeking to switch providers. SentinelOne also reported record pipeline and a record number of competitive wins, while growing revenue at 32%, far faster than CrowdStrike.
CrowdStrike’s market dominance hides cracks in the foundation
CrowdStrike commands an impressive 21-22% market share in endpoint protection, making it the category leader ahead of McAfee and Microsoft Defender.
The flagship Falcon platform is deployed across 60% of the Fortune 500 and 70% of the Fortune 100. This has afforded CrowdStrike a deep competitive moat through its cloud-native architecture and real-time threat intelligence. The company reached a $118 billion market capitalization and joined the S&P 500 in 2024—the fastest any pure-play cybersecurity firm has achieved that milestone.
However, we believe this growth is decelerating rapidly. Annual recurring revenue growth has fallen from 35% in Q3 FY2024 to 23% in Q4 FY2025, while revenue growth declined from 36% to 22% over the same period.
In our opinion, one of the most concerning problems with CrowdStrike is its net revenue retention rate. By way of context, NRR is one of the most important KPIs in SaaS, as it shows whether a company’s customer base is growing more or less valuable over time. This important metric demonstrates CrowdStrike’s ability (or lack thereof) to upsell, cross-sell, and avoid churn.
NRR at CrowdStrike dropped to 112%, the lowest in company history, down from 119% just four quarters earlier. Net new ARR of $153 million in Q3 FY2025 represented a significant decline from the $223 million record set the prior year.
The valuation premium appears increasingly disconnected from these fundamentals. CrowdStrike trades at a forward P/E of 95.2x versus an industry average of 29.5x, and a P/S ratio 2.2 times higher than peer companies including Palo Alto Networks, SentinelOne, and Zscaler. Free cash flow margin compressed from 31% in FY2024 to 27% in FY2025, moving further from management’s stated target of 34-38%. GAAP operating margin swung from near-breakeven to negative 3%, generating a $120.4 million operating loss in FY2025 compared to prior-year profitability.
Competitive threats are intensifying from multiple directions. Microsoft’s (MSFT) Defender offering has captured 12.7% market share through aggressive bundling with E5 enterprise licenses—meaning many CrowdStrike customers already have unused Microsoft security capabilities they could consolidate to at no incremental cost. By way of simple analogy without technical nuance: this is like buying a house that includes a free security system (Microsoft), only to turn around and purchase a completely separate system.
Palo Alto Networks’ (PANW) $25 billion CyberArk acquisition and “platformization” strategy directly targets CrowdStrike’s enterprise customer base.
SentinelOne (S) is showing impressive growth at 32-33% annually, faster than CrowdStrike, while achieving its first-ever profitable quarter and offering similar capabilities at lower valuations.
The July 2024 outage was unprecedented in scale and cause
At 04:09 UTC on July 19, 2024, CrowdStrike released a faulty Falcon sensor content update that crashed 8.5 million Microsoft Windows systems worldwide—the largest IT outage in the history of information technology.
The root cause was simple: CrowdStrike pushed an update with an additional data field that the Falcon sensor was not built to handle. By way of simple analogy, CrowdStrike put diesel fuel in a gasoline car. This in turn sent Windows machines into endless boot loops.
To get technical: Channel File 291 provided 21 input fields when the Falcon sensor expected only 20, causing an out-of-bounds memory read that triggered Windows Blue Screen of Death errors and boot loops.
The Falcon sensor operates at the Windows kernel level with the highest system privileges. When it crashed, it took down entire operating systems. BitLocker-encrypted machines required unique 48-digit recovery keys for restoration, and all affected systems needed manual intervention—technicians booting into Safe Mode to delete a single faulty .sys file, one machine at a time.
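The 21-versus-20 field mismatch described above, as an added example that is not CrowdStrike's code: a simplified model in which a content rule names the input field it wants to compare, shown once with the index trusted and once validated against the number of inputs actually supplied. The `criterion` structure, function names and sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SENSOR_INPUTS 20            /* input values the sensor-side code supplies */
enum { REJECTED = -1, NO_MATCH = 0, MATCH = 1 };

/* Constructed model of one content criterion: compare inputs[field] to pattern. */
struct criterion { size_t field; const char *pattern; };

/* The bug class: the index comes from the content file and is trusted.
 * With field == 20 and only 20 inputs, this reads past the end of the array. */
int eval_unchecked(const struct criterion *c, size_t n, const char *const *inputs) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(inputs[c[i].field], c[i].pattern) != 0) return NO_MATCH;
    return MATCH;
}

/* Hardened form: validate every index against the real input count first,
 * and fail closed (reject the content) instead of reading out of bounds. */
int eval_checked(const struct criterion *c, size_t n,
                 const char *const *inputs, size_t n_inputs) {
    for (size_t i = 0; i < n; i++)
        if (c[i].field >= n_inputs) return REJECTED;
    for (size_t i = 0; i < n; i++)
        if (strcmp(inputs[c[i].field], c[i].pattern) != 0) return NO_MATCH;
    return MATCH;
}

/* Constructed sample data: 20 input strings "v0".."v19". */
static char storage[SENSOR_INPUTS][8];
static const char *inputs[SENSOR_INPUTS];
static void fill_inputs(void) {
    for (int i = 0; i < SENSOR_INPUTS; i++) {
        snprintf(storage[i], sizeof storage[i], "v%d", i);
        inputs[i] = storage[i];
    }
}

int run_content_with_20_fields(void) {   /* highest index used is 19 */
    struct criterion rule[] = { {0, "v0"}, {19, "v19"} };
    fill_inputs();
    return eval_checked(rule, 2, inputs, SENSOR_INPUTS);
}

int run_content_with_21_fields(void) {   /* index 20 is the 21st field */
    struct criterion rule[] = { {0, "v0"}, {20, "anything"} };
    fill_inputs();
    return eval_checked(rule, 2, inputs, SENSOR_INPUTS);
}

int main(void) {
    printf("20-field content: %d\n", run_content_with_20_fields());
    printf("21-field content: %d\n", run_content_with_21_fields());
    return 0;
}
```

In kernel-mode code the unchecked read is a system crash rather than a process fault, which is why the check has to run before the content is ever evaluated.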
The damage spread across every sector of the global economy. Airlines cancelled 16,896 flights within 72 hours.
Parametrix Insurance estimated $5.4 billion in Fortune 500 losses alone, with total global economic damage exceeding $10 billion. Delta Air Lines was hit hardest of all, cancelling 7,000+ flights, stranding 1.3 million passengers, and suffering $550 million in total losses ($380 million revenue, $170 million expenses).
CrowdStrike’s crisis response drew sharp criticism. CEO George Kurtz’s initial Twitter statement identified the problem but notably omitted any apology.
Their contract structure creates a delayed churn trap
The most critical element of our thesis may be what current financials cannot yet show. CrowdStrike requires upfront payment for the entire subscription term—typically 1-3 years—and explicitly does not allow termination for convenience. This contractual structure creates a significant lag between customer dissatisfaction and visible churn.
Enterprise customers locked into multi-year agreements signed before July 2024 cannot switch providers until their contracts expire. A three-year deal signed in Q3 2023 won’t reach renewal until Q3 2026—more than two years after the incident. Even one-year contracts signed in early 2024 are only now approaching their first renewal window. The Q1-Q3 2025 period represents the first major wave of post-incident contract renewals, meaning the true test of customer loyalty is only beginning as of February 2025.
SentinelOne’s CEO observed that “companies do not make snap decisions and need to figure out how to make the transition. Sales cycles typically last 9 to 12 months.”
Our goal is not to force-sell modules. It is to provide optionality and access to best-of-breed capabilities that minimize security risk and maximize resilience. At BlackHat, a few weeks ago, we heard from enterprises that they want to diversify cyber-security technologies and mitigate the risk of another global outage. There was a lot of excitement and interest in SentinelOne, companies do not make snap decisions.
Tomer Weingarten -- Chief Executive Officer - Sentinel One.
Competitors report active customer interest. Palo Alto Networks’ CEO confirmed “a number of discussions with companies looking to change vendors,” while SentinelOne reported a “record pipeline” and “significant pipeline pickup” following the outage, later citing “record number of wins against closest competitor.” CrowdStrike acknowledged losing accounts in the “managed security services space” and has deployed “Customer Commitment Packages”—discounts, free products, and extended terms—that reduced quarterly revenue by $10-15 million while generating “longer-term deals” designed to lock customers in past the immediate churn risk window.
CrowdStrike reports a 97% gross retention rate, but this metric only measures customers who reached renewal—it cannot capture churn intent among the majority still locked into multi-year contracts. The true retention picture will only emerge over the next 18-24 months as the contract renewal wave progresses.
Legal and regulatory exposure extends beyond Delta
Delta Air Lines filed suit against CrowdStrike on October 25, 2024, in Fulton County Superior Court, Georgia (Case No. 24CV013621), seeking $500 million or more in damages plus punitive damages and legal fees. The complaint alleges gross negligence, breach of contract, computer trespass under Georgia law, and willful misconduct, claiming CrowdStrike “forced” untested updates through an “unauthorized door” within Microsoft’s operating system. Delta’s attorney David Boies argued CrowdStrike’s initial remediation assistance “simply referred Delta to CrowdStrike’s publicly available remediation website.”
CrowdStrike filed a countersuit the same day in federal court (N.D. Georgia, Case No. 24-cv-04904), seeking declaratory judgment that liability is capped at contract limits—which external counsel characterized as “single-digit millions”—and blaming Delta’s “antiquated IT infrastructure” for the extended recovery period. In May 2025, Judge Kelly Lee Ellerbe ruled that Delta’s claims may proceed, allowing gross negligence and computer trespass claims to advance while dismissing most fraud allegations. If Delta proves gross negligence or willful misconduct, standard contractual liability caps may be invalidated, exposing CrowdStrike to the full claimed damages.
The most significant legal development came in June 2025, when CrowdStrike disclosed an ongoing SEC and DOJ joint investigation into revenue recognition practices. The probe focuses on a $32 million Carahsoft-IRS transaction from 2023, structured as four $8 million payments with reportedly no products ever purchased. CrowdStrike later excluded approximately $26 million from ARR citing “distributor-transferability issues.” Investigators are interviewing former staff about potential “pre-booking” or “channel-stuffing” practices and reviewing Sarbanes-Oxley compliance questionnaires. Dual SEC/DOJ involvement outside FCPA cases is unusual and suggests potential criminal exposure. Disclosure Insight research flagged elevated restatement risk.
Additional proceedings include a dismissed passenger class action against CrowdStrike (now on appeal to the 5th Circuit) and an active passenger class action against Delta where some claims survived dismissal in May 2025. Insurers who paid first-party claims to affected customers are expected to pursue subrogation claims. Total insured losses from the incident are estimated at $400 million to $1.5 billion.
George Kurtz’s track record raises governance questions
CEO George Kurtz co-founded CrowdStrike in February 2012 after serving as McAfee’s Executive Vice President and Worldwide Chief Technology Officer. His tenure at McAfee included oversight of a strikingly similar incident: On April 21, 2010, McAfee released a faulty antivirus update that mistakenly flagged the critical Windows XP file “svchost.exe” as malicious, sending systems into endless reboot loops. Internal documents cited by ZDNet blamed “inadequate” quality control. McAfee was acquired by Intel for $7.7 billion shortly after. Kurtz resigned in October 2011.
Kurtz is now the only cybersecurity CEO to have been at the center of two global IT outages caused by faulty security software updates—a pattern that raises fundamental questions about quality control culture under his leadership.
Following the July 2024 incident, the House Homeland Security Committee formally demanded that Kurtz personally testify before Congress. CrowdStrike declined, stating Kurtz was “not the appropriate witness,” and instead sent SVP Adam Meyers to the September 24, 2024 hearing. Industry observers expressed surprise. Josh Aaron, CEO of Aiden Technologies, stated it was “a little shocking to me that CEO George Kurtz didn’t agree to also testify.” Meyers acknowledged during testimony that the faulty update was distributed “to all customers in one session” and that the validator that failed had been “in place for over a decade.”
Kurtz’s compensation totaled approximately $47 million in FY2024 and $35.2 million in FY2025—158 times median employee pay. The FY2024 package represented a 29% increase over the prior year despite the catastrophic July 2024 incident occurring mid-fiscal year.
SEC Form 4 filings document substantial insider sales in the months preceding the outage. Kurtz sold approximately $28.4 million in stock on January 12, 2024, $25.5 million on March 21, 2024, and $17 million on May 3, 2024—totaling over $70 million in the six months before the incident. The company characterizes these as routine administrative sales to cover tax withholdings on vesting RSUs under 10b5-1 plans. CrowdStrike insiders recorded 41 sales and zero purchases over a twelve-month period.
Delayed reality
Our thesis does not solely rest on speculation about whether the July 2024 outage damaged customer relationships—it rests on the structural reality that most of that damage cannot yet appear in reported metrics. The combination of 1-3 year upfront-paid contracts, 9-12 month enterprise sales cycles, and no termination for convenience means the true retention picture will only emerge through the Q1 2025 to Q3 2026 renewal window.
The company faces this reckoning with a 25.8x P/S multiple that assumes continued premium growth, despite clear evidence of deceleration: revenue growth down to 22%, ARR growth down to 23%, net revenue retention at a record-low 112%, and FCF margin compressing from 31% to 27%. Competitors are growing faster (SentinelOne at 32%), executing aggressive platform strategies (Palo Alto’s $25 billion CyberArk deal), or bundling at zero incremental cost (Microsoft Defender).
Legal exposure compounds operational risk. The Delta lawsuit seeks $500 million and survived a motion to dismiss on gross negligence grounds—the specific claim that could void CrowdStrike’s contractual liability caps. The SEC/DOJ joint investigation into revenue recognition represents potential restatement and enforcement risk. And CEO George Kurtz’s refusal to testify before Congress, combined with his unique distinction as the only cybersecurity executive to oversee two global IT outages, raises fundamental governance questions.
The bull case assumes customers will forgive and renew, the SEC investigation will resolve without material consequence, and competitive dynamics will not erode the premium valuation. The bear case observes that none of these assumptions have yet been tested—and the tests begin now.






Great write up. I will definitely be paying attention to your articles moving forward.
Really sharp analysis on the contract timing lag. The fact that prepaid multi-year deals create a buffer before churn shows up is something most people miss when looking at retention rates right now. The analogy about buying a house with a free security system then paying for a second one captures Microsoft's bundling advantage better than a lot of technical explanations I've read.