This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.
12/1/2021
Thank you for standing by and welcome to the CrowdStrike Holding Inc. Q3 2022 Financial Results Conference Call. At this time, all participants are in listen-only mode. After the speaker's presentations, there will be a question-and-answer session. To ask a question at that time, please press star then 1 on your touch-tone telephone. As a reminder, today's conference call is being recorded. I would now like to turn the conference to the host, Ms. Maria Raleigh, Vice President of Investor Relations. Please go ahead.
Good afternoon, and thank you for your participation today. With me on the call are George Kurtz, President and Chief Executive Officer and co-founder of CrowdStrike, and Bert Podbear, Chief Financial Officer. Before we get started, I would like to note that certain statements made during this conference call that are not historical facts, including those regarding our future plans, objectives, growth, and expected performance, including our outlook for the fourth quarter and fiscal year 2022, our forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. These forward-looking statements represent our outlook only as of the date of this call. While we believe any forward-looking statements we make are reasonable, actual results could differ materially because the statements are based on current expectations and are subject to risk and uncertainties. We do not undertake and expressly disclaim any obligation to update or alter our forward-looking statements, whether as a result of new information, future events, or otherwise. Further information on these and other factors that could affect the company's financial results is included in filings we make with the SEC from time to time, including the section titled Risk Factors in the company's quarterly and annual reports that we file with the SEC. Additionally, unless otherwise stated, excluding revenue, all financial measures included on this call will be non-GAAP. A discussion of why we use non-GAAP financial measures and a reconciliation schedule showing GAAP versus non-GAAP results is currently available in our press release, which may be found on our investor relations website at ir.crowdtrack.com or on our Form 8K filed with the SEC today. With that, I'll turn the call over to George to begin.
Thank you, Maria, and thank you all for joining us. I will start today's call by summarizing three key points. First, we delivered an outstanding third quarter, headlined by an acceleration in net new ARR growth, strong execution across the market from large enterprises to small businesses, and expansion within the U.S. federal government. Second, We are seeing an inflection in new products with growing demand for our identity protection and zero trust, Cumio, and cloud security modules. And third, the competitive and pricing environment remains favorable to CrowdStrike. We continue to expand our lead over legacy and next-gen vendors because of our scalability, efficacy, and differentiated offerings such as Falcon Complete. Now let's discuss our results and get into the topics in more detail. We delivered a robust third quarter with net new ARR growth accelerating and ending ARR growing 67% to surpass the $1.5 billion milestone. We added $170 million in net new ARR, which was ahead of our expectations, and gained over 1,600 net new subscription customers for the second consecutive quarter. We proudly serve 14,687 subscription customers. In addition to accelerating net new ARR growth, we delivered record bottom line results and free cash flow, reaching a new high watermark of $124 million. In the third quarter, we saw broad-based strength in multiple areas of the business, and among SMB, mid-market, and large enterprises. Our outstanding results this quarter reflect continued strong customer adoption of our core products, growing success with our newer product initiatives, including identity protection, log management, and cloud, and our growing leadership in the market with a continued groundswell of customers turning to CrowdStrike as their trusted platform of record with our 21 modules. We also gained significant momentum and delivered a record quarter in the public sector, including wins with educational institutions, states and local governments, and the US federal government. Our performance on this front is highlighted by a large win with CISA, the Cybersecurity and Infrastructure Security Agency, to secure a significant portion of endpoints and workloads for multiple federal agencies as they operationalize the White House Executive Order to improve the nation's cyber resiliency. This win represents the culmination of our dedication and hard work over the course of several years on our public sector strategy and government certifications. We believe this significant win will create new opportunities and unlock additional business within the massive U.S. federal government. For additional information, please visit my new post to the CrowdStrike blog. Moving to the competitive environment, we continue to believe we have a significant technology lead with no competitor matching our scalability, performance, ease of use, and commitment to customers. I could not be more excited by our opportunity, which has continued to grow. This quarter, our win rates increased across the board, and we saw a record number of wins against both legacy and next-gen vendors with SMB, mid-market, and large enterprise customers. We also landed a record number of wins and displacements over a recently public next-gen vendor, Sentinel-1. To be clear, we define a displacement as removing an incumbent's product and replacing it with Falcon. Let me share a recent example with one of the largest nonprofit hospital systems in the U.S., which had initially chosen the recently public next-gen vendor based on price and promised features that were never delivered. Just a few months into their multi-year contract with the other vendor, this organization realized the product failed to scale, caused major performance issues, prohibited critical processes from functioning properly, and drove significant friction within the organization and its subsidiaries. That is when they turned to CrowdStrike. purchased multiple modules in a multi-million dollar ARR deal and realized immediate improvement, gaining up to 30% performance increase on their servers alone and greater efficacy without intrusive false positives. Another marquee win this quarter included Qualtrics, a leader in experience management. Customer focus and trust are key parts of Qualtrics DNA. Therefore, it was critical for them to adopt best-of-breed security capable of fortifying their entire estate of traditional endpoints and cloud workloads without sacrificing end user experience. Qualtrics moved off the next gen endpoint security provider to Falcon in order to have a single solution that can be easily deployed and scaled along with their fast growing business. We look forward to continuing our relationship with Qualtrics as their trusted security partner. We continue to see success winning new customers among our larger competitors as well. Take, for example, a leading healthcare system that was using a combination of two legacy vendors, Microsoft and Symantec, when it was hit with a massive ransomware attack that disrupted their business. This organization turned to CrowdStrike's renowned incident response services team to remediate the breach They also came to realize that while Microsoft attempts to check most of the boxes on paper and appeal to the CFO office, in reality, when every second counts, they needed CrowdStrike and standardized on Falcon Complete. With our leading technology, unmatched platform, and adversary-focused approach to stopping breaches, we continue to eclipse our competitors and extend our leadership. which was once again recognized by industry analysts and third-party testing agencies, including IDC, which named CrowdStrike a leader in IDC marketscape, worldwide modern endpoint security for enterprise 2021 vendor assessment. Enterprise Management Associates, EMA, granted Humio their top three award in log management and observability. Humio was recognized for its index research and its ability to ingest structured and unstructured data at real time and at scale. Last month, SE Labs recognized CrowdStrike as the best endpoint detection and response product for the second year in a row. And just this week, CrowdStrike earned the highest rating in the October 2021 Gartner Peer Insights Voice of the Customer for Endpoint Protection Platforms. Cyber adversaries are increasingly attempting to accomplish their objectives without using malware. As we cited in our 2021 Threat Hunting Report, based on recent customer data indexed by ThreatGraph, 68% of detections analyzed were not malware-based. This is why companies need to employ a holistic breach prevention strategy rather than overly relying on malware prevention, regardless if it's legacy or next-gen. This increasing trend in the adversary landscape is driving a generational shift to zero trust technologies, including CrowdStrike Falcon. We are seeing this trend play out in our module adoption metrics, which have continued to increase. Our module adoption rates demonstrate the flywheel effect of our platform in motion with subscription customers that have adopted four or more modules, five or more modules, and six or more modules increasing to 68%, 55%, and 32% respectively in the third quarter. We believe high adoption rates of our modules drive high retention rates and reflect our growing position as the trusted platform of record with the average number of modules per customer also increasing quarter after quarter. Our results have proven quarter after quarter that transformational differentiation built into the Falcon platform continues its technology dominance over legacy and next-gen vendors alike, delivering strong results in the field. On the cloud front, our footprint continues to grow even faster than our overall server endpoint growth, with over 25% of the servers we protect now in the public cloud. CrowdStrike has redefined the approach to cloud security. With Falcon Horizon, we are selling into and enabling DevOps teams to improve decision-making and innovate faster. Falcon Horizon is API-driven and agentless, enabling customers to scan configurations and workloads across multiple cloud environments. Falcon Horizon provides continuous control plane threat detection and machine learning and indicator of attack detection, as well as guided remediation for all cloud accounts services, and users across the cloud estate. During the quarter, we extended Falcon Horizon to support Google Cloud environments, now supporting the three largest clouds. We also deepened our partnership with AWS with new features that work hand-in-hand with services from AWS to further protect customers from growing ransomware threats and increasingly complex cyber attacks. Moving to the partner front, as our leadership in the market increases, our partnerships grow and deepen with large name brand system integrators, VARs and MSSPs alike, building revenue streams for their businesses with Falcon. The third quarter was a breakout quarter for our MSSP ecosystem with our MSSP business growing more than 30% quarter over quarter and triple digits year over year. We also expanded our relationship with Google by joining their Work Safer program, which is designed to protect organizations, including small businesses, enterprises, and public sector institutions against modern cyber attacks. Just as we ushered the industry into a new era when we launched EDR and pioneered Zero Trust for the Endpoint with deep visibility, we are leading the industry forward and once again, redefining security by focusing on the greatest source of enterprise risk and friction. Unlike any other competitor in the market today, our identity protection modules give customers the ability to prevent the spread of ransomware and stop lateral movement when credentials are stolen. This is a major advantage to winning deals in the field and increasing deal size. The third quarter marks the one-year anniversary of our acquisition of Preempt, And in this one quarter alone, we generated more net new ARR from our zero trust modules than in the history of preempt before the acquisition. Large identity-driven deals in the quarter included AIA Insurance, one of the largest public insurers in the Asia-Pacific region, multiple major airlines, and a Fortune 100 manufacturer. CrowdStrike already natively enforces zero-trust protection at the device layer and the identity layer. By harnessing technology from our recent acquisition of Secure Circle, we plan to take data protection to a new level by enforcing zero-trust at the data layer. Legacy Point products like DLP are aging, brittle, prone to false positives, and require a high reliance on human interventions. Based on IDC estimates, we believe the market for DLP and related technologies to be approximately $3 billion in calendar year 2022. Our innovative approach to data protection will put power back into the hands of customers without changing the way users work. Moreover, after we combine Secure Circles technology with CrowdStrike Zero Trust modules, customers will gain even more fine-grained visibility and control as well as continuous risk monitoring to detect and respond to threats, whether they manifest as a device, identity, or data layer. While the acquisition just closed, it will take some time to integrate into the Falcon platform. We have already received a tremendous response from customers that would like to replace their legacy DLP products from the likes of Symantec with Falcon's data protection module delivered today. through our single lightweight agent. CrowdStrike is the only platform in the market to connect the machine to identity and to data. It has been an unparalleled year of innovation at CrowdStrike. At this year's Falcon User Conference, we showcased our thought leadership, newest innovations, and continued commitment to providing customers gold standard protection to stay ahead of adversaries today and in the future. Our new Falcon XDR module headlined the event. Falcon XDR leverages the technology we acquired from Jumio and extends CrowdStrike's industry-leading endpoint detection and response capabilities to deliver real-time detection and automated response across the entire security stack. We also launched the CrowdXDR Alliance, which is a groundbreaking partnership with industry leaders, including Google Cloud, Okta, ServiceNow, Zscaler, Proofpoint, and Mindcast, among others. We invite you to learn more about XDR and our other new capabilities as well as hear discussions with our partners, AWS and Accenture, and our customer Zoom by tuning into our Falcon Investor Briefing, which is accessible on our Investor Relations website. Turning to Yumio, Q3 was a record quarter, and we see increasing momentum in the log management space that has exceeded our expectations. In addition to the seven-figure new customer land with the DevOps team of a financial services company we mentioned on our last call, Yumio wins in the third quarter included a Fortune 150 food brand, a leading European cloud-based e-commerce platform company, and Mimecast, a leader in cloud-based email management and security, and a CrowdStrike technology partner. We are also seeing strong uptake for our recently announced Humio Community Edition, which gives users 16 gigabytes of streaming data ingestion per day with seven-day retention for free. In less than six weeks since our launch, we have already reached 100% of our six-month customer registration goal. Humio's log management platform is unmatched in speed, performance, and storage abilities. Humio Community Edition offers customers unprecedented access to best-in-class log management that they won't see anywhere else. We expect this program to be a strong avenue for lead generation as customers experience the power of Humio. Before closing, I would like to announce that we are promoting Jim Seidel to Chief Sales Officer for and he will be responsible for global sales. Jim has been with CrowdStrike for over eight years, and for the past five years, he has done an outstanding job leading our America sales team, our largest region, and contributor to United States revenue, which accounts for 73% of our total revenue. During Jim's tenure, America's revenue has grown significantly and exceeded my expectations quarter after quarter. And for the past four months, while Mike Carpenter was on leave to welcome the arrival of his child, Jim has served as acting head of global sales and field operations. And true to form, as you can see from the results we published today, Jim delivered an exceptional third quarter on a global basis. Mike is transitioning to an advisory role until his departure from the company to spend more time with his family. We are very grateful to Mike for his years of service and contributions to building a world-class sales organization. Mike, it has been a great partnership, and I can't thank you enough. We wish you all the best. In closing, we delivered an outstanding third quarter that can be characterized by phenomenal execution across the board and accelerated net new ARR growth. We continue to see a very favorable competitive environment today and into the future. We continue to expand our leadership and rapidly innovate as we once again redefine security. Looking forward, I could not be more excited about our future opportunities for growth. We have built a best-in-SaaS platform that not only significantly expands our reach beyond the core endpoint market, but also unifies the opportunity across cloud security, log management, and identity protection. We see a long runway ahead in displacing legacy and next-gen point product vendors. And the fourth quarter is off to a great start It already includes a notable land with one of the world's largest financial institutions. With that, I will turn the call over to Bert to discuss our financial results in more detail.
Thank you, George, and good afternoon, everyone. As a quick reminder, unless otherwise noted, all numbers except revenue mentioned during my remarks today are non-GAAP. We once again delivered exceptional results. In addition to strong growth at scale with accelerated net new ARR growth, we continue to maintain very high unit economics, drive leverage, and generate strong operating and free cash flow. We also continue to perform at a high level, well in excess of the SAS industry's Rule of 40 benchmark, achieving a Rule of 77, and when calculated on a free cash flow basis, a Rule of 96 at scale with over $1.5 billion in ARR. We believe our continued outstanding execution speaks to our ability to rapidly and efficiently scale across the business, our customer-first and mission-driven culture, and our highly differentiated platform, all of which we believe set us apart from others in the market and are difficult to replicate. Demand in the quarter was broad-based and well-balanced. fueled by strength in multiple areas of the business as we expanded our leadership across the market from large enterprises to small businesses. We once again ended the quarter with our strongest pipeline to date, which we believe indicates a strong foundation for future growth. In the quarter, we delivered 67% ARR growth year-over-year to exceed $1.51 billion, a new milestone. Rapid new customer acquisition as well as expansion business within existing customers fueled an acceleration in net new ARR growth on both an organic and as reported basis. Net new ARR grew 55% on an organic basis and 46% on a reported basis to reach a new all-time high of $170.0 million with no outsized contribution from any one deal. It was a standout quarter for large deals as we derived a record amount of net new ARR from million dollar deals. We believe this reflects our continued leadership in the enterprise segment, expanding deal sizes, and the pricing leverage attributable to our distinct product differentiation. As George mentioned, we signed a large deal with CISA in the quarter, which will make the US federal government one of our top customers. However, given this win covers multiple agencies, each with their own deployment schedules, the contribution to net new ARR was not notable in Q3, and we will see it steadily fold into ARR over the coming quarters. Our dollar-based net retention rate was once again above our benchmark. Our gross retention rate remained consistently high with prior quarters, and contraction insurance decreased on both a dollar basis and percent of ARR. Moving to the P&L, total revenue grew 63% over Q3 of last year to reach $380.1 million. Subscription revenue grew 67% over Q3 of last year to reach $357.0 million. Professional services revenue was $23.0 million, setting a new record for the fifth consecutive quarter and representing 22% year-over-year growth. The geographic mix of third quarter revenue consisted of approximately 73% from the U.S., 13% from Europe, Middle East, and Africa, 10% from the Asia-Pacific region, and approximately 4% from other markets. Third quarter non-GAAP gross margin was 76%, consistent with Q3 of last year. Our non-GAAP subscription gross margin was 79% and in line with Q3 of last year. We continue to be pleased with our strong subscription gross margin performance as we continue to invest for growing demand. As planned, we continued investing aggressively in our business during the quarter, including increasing investments in new technologies, international geographies, and marketing programs while driving increased operating profit. Total non-GAAP operating expenses in the third quarter were approximately $239.0 million, or 63% of revenue, versus $157.0 million last year, or 68% of revenue. We believe the investments we are making today will lead to sustained growth over the long term and maintain our pole position as the trusted security partner of choice. In Q3, we ended with a magic number of 1.3 as we continued to ramp investments to capture more of the market opportunity at hand and expand globally. Our continued exceptional unit economics speaks to the efficiency of our go-to-market engine and our ability to rapidly onboard and support customers of all sizes. We also believe that a magic number of 1.3 continues to indicate that we should increase investments even more given the massive market opportunity. Third quarter non-GAAP operating income grew 168% year-over-year to reach our record $50.7 million, and operating margin improved 5% at points over Q3 of last year to exceed 13%. Non-GAAP net income attributable to CrowdStrike and Q3 was $41.1 million, or 17 cents on a diluted per share basis. Our weighted average common shares used to calculate third quarter non-GAAP EPS attributable to CrowdStrike was on a diluted basis and totaled approximately 239 million shares. We ended the third quarter with a strong balance sheet. Cash and cash equivalents increased to approximately $1.91 billion. Cash flow from operations in the third quarter was $159.1 million, and free cash flow grew to a new record of $123.5 million, or 32% of revenue. Before we move to guidance, I'd like to cover a few modeling notes. While we do not specifically guide to ending or net new ARR, we continue to expect seasonality in net new ARR to be less pronounced relative to prior years as we move from Q3 into Q4, given our steady climb at a much higher scale in recent quarters and outstanding performance throughout this fiscal year. Our guidance includes the impact of our recent acquisition of Secure Circle, which closed on Monday. We currently expect the acquired net new ARR contribution from Secure Circle to be less than $1 million in the fourth quarter. Additionally, the $70 million IP transfer tax expenses related to the Humeo acquisition will be reflected in the fourth quarter, which will impact operating and free cash flow results. Lastly, we funded the acquisition of Secure Circle with cash. The approximately $61 million cash payment net of cash acquired, will be reflected in our Q4 cash balance. Moving to our guidance. We remain optimistic about the demand for our offerings, record pipeline, and the powerful secular trends fueling our growth. Given the growth drivers of our business, as well as our exceptional third-core performance and momentum into the fourth quarter, we are once again raising our guidance for the fiscal year 2022. For the fourth quarter of FY22, we expect total revenue to be in the range of $406.5 to $412.3 million, reflecting a year-over-year growth rate of 53% to 56%, with subscription revenue being the dominant driver of growth. We expect non-GAAP income from operations to be in the range of $55.2 to $59.5 million, and non-GAAP net income attributable to CrowdStrike to be in the range of $45.2 to $49.4 million. We expect diluted non-GAAP net income per share attributable to CrowdStrike to be in the range of 19 to 21 cents, utilizing a weighted average share count of 241 million shares on a diluted basis. For the full fiscal year 2022, We currently expect total revenue to be in the range of $1,427.1 to $1,432.9 million, reflecting a growth rate of 63% to 64% over the prior fiscal year. Non-GAAP income from operations is expected to be between $171.0 and $175.3 million. We expect fiscal 2022 non-GAAP net income attributable to CrowdStrike to be between $135.4 and $139.7 million. Utilizing 238 million weighted average shares on a diluted basis, we expect non-GAAP net income per share attributable to CrowdStrike to be in the range of 57 to 59 cents. George and I will now take your questions.
Thank you. Again, ladies and gentlemen, if you'd like to ask a question, please press star then 1 on your touch-tone telephone. Again, to ask a question, please press star then 1. One moment for our first question. Our first question comes from Sakit Kalia of Barclays Capital. Your line is open.
Okay, great. Hey, George. Hey, Bert. Thanks for taking my questions here. Hey, Sakit.
Great to hear your voice.
Yeah, same here, Bert. Maybe I'll start with you just to sort of knock this out first. I was wondering if you could speak to the pricing environment a little bit and whether you feel like competitors are having an impact here with potentially lower price strategies. Does that make sense?
It's a good question. But in regards to pricing, and it's been the same way for quite some time, discounting has remained consistent with prior quarters. And I think it highlights the differentiation in our platform and the value we bring to customers. We talk about value selling for quite some time. So it's allowing customers to center on us and take off other vendors. And that allows us to offer our customers lower total cost of ownership. And that really matters. In terms of the platform, I'll turn it over to George to talk a little bit about that.
As Bert said, a big part of what we're doing is being able to consolidate other vendors. Agent consolidation, agent fatigue is a big issue that's out there. And obviously, we have a broad platform that's differentiated and works. And that's the key aspect of the platform, that it actually works. And you've seen in the transcript that there was a large nonprofit hospital that went with a next-gen vendor on price and two months later was back with us and deploying because it didn't work. And I think that's a big part of it. You also have to look at things like identity, look at things like Falcon Complete. These are truly differentiated services. And when you look at the breadth of what we're doing, obviously we're way more than just an endpoint company when you look at what we're focused on and the value we're delivering. And that's how we continue to win and drive the right pricing for us and obviously good value for our customers.
That makes a lot of sense. George, maybe just to follow up for you, congrats on the CISA contract. I was wondering if you could just dig into that just one level deeper and maybe talk a little bit more broadly about how much opportunity you feel like CrowdStrike has within the federal government on the whole.
Sure. Well, we're really proud of that win, and I think it really – You know, the signature win given the directives that came out of the U.S. government. We're certainly proud to protect the U.S. government. You know, when you look at Falcon as a whole and the platform, it was tailor made to help protect the government. An adversary focused approach using next gen technologies, AI powered, very broad in what we're doing. And again, at the end of the day, our goal is to stop breaches. again, a truly differentiated offering that we have is our intelligence. You know, most vendors don't have what we have, certainly not the next gen vendors. And that's a key aspect to what we do. And part of the whole data element to CrowdStrike. So we're excited about this win. We believe it is a big opportunity for us. You know, obviously, we got this win, but there's more expansion capabilities and deployments. And I think it will really showcase how we can protect the U.S. government as well as many governments around the world.
Makes sense. Thanks, guys.
Thank you. Our next question comes from Sterling Ockey of J.P. Morgan.
Yeah, thanks. Hi, guys. Just one question from my side. Can you give us a sense of what percentage of the net new ARR that you added in the quarter is really came from protecting cloud workloads, and how does that compare to what it looked like maybe a year ago?
Well, I'll start. Hi, Sterling. So when we think about our cloud workload protection, so right now what we can tell you is that it's growing, it's continuing to grow, and we've seen growth in the amount of opportunities that are available to us in the cloud. Right now what we do talk about is the fact that 25% of our servers that we protect are in the cloud. So that's just giving you an indication of where we're going. Maybe George has a couple of other comments on that.
Yeah, and the 25% is up, as we've talked about in prior calls. So when we think about cloud workload protection or cloud security, there's two pieces to it, and we have both. One is workload protection. And that is really runtime protection, visibility across virtual environments, containers, et cetera. The second one is cloud security posture management, if you will, Falcon Horizon, which we continue to really drive innovation through. And that's an agentless technology that ties into many of the APIs of the cloud providers. Now we cover all three cloud providers. It drives a lot of value very quickly. And again, we have a unique offering because it combines the visibility from an API perspective with runtime protection, which is differentiated from a lot of the other competitors, including the private companies that are out there. So we feel really good about it, and we continue to drive and sell into the DevOps space. And I think we've really honed our skills in being able to sell value into that space and get people up to speed without a lot of friction.
Makes sense. Thank you, guys.
Thank you. And, ladies and gentlemen, we do ask that you please limit yourself to one question, and then you may be able to rejoin the queue. Thank you. Our next question comes from Alex Henderson Needham. Your line is open.
Thank you very much, and spectacular results again. I wanted to get a little bit clearer on the concept of XDR. It seems to me that you guys have been pigeonholed by many people online as a endpoint company, but you're really a platform. And to the extent that that platform allows you to then extend into other niches that have historically been seen as separate end markets, a lot of the companies that are in those end markets have turned around and redefined themselves as XPR, realizing that they needed to be a platform. But taking the term XDR and plug it in front of a CSCM company's product does not make it a platform. So can you talk a little bit about that flood that's out there and whether that confusion is spreading to any of your customers or whether they see through that issue and understand the importance of the extensible platform and the breadth of your product line?
Well, thanks, Alex. It's a great question. And I think, you know, if folks are looking at us as just an endpoint company, you know, pigeonhole endpoint company, they're really missing the big picture. I mean, that's as simple as I could say it. We've proven that we are a platform company. As I said before, the Salesforce have security 21 modules. You can look at the attach rates. And when you talk to customers and if folks really do their homework, and they talk to customers, they will see the value and they see how we're consolidating there. So when we think about XDR, you have to start with the best EDR in the market, which is ours. It's been validated by Gartner and others and IDC, I mean, down the list. And the extension of EDR is XDR, right? And as a company who pretty much pioneered cloud-delivered endpoint security with the ThreatGraph and the massive data moat that we have, by combining that with some of the technology we acquired from Humio and our ThreatGraph, I think we're in a unique position to be able to drive additional threat detection outcomes as well as the decoration of, you know, the threat narrative, right, the attack narrative. And that's independent of Humio as a standalone log management observability platform. So we're really driving a lot of innovation in this area. And to your point, if you are just kind of a SIM vendor now trying to glom onto XDR as an acronym, It's not going to work. You have to start with the best EDR in the world. And in my opinion, that's CrowdStrike.
Thanks. I appreciate the clarity of the response. Thank you. Thank you.
Our next question is from Brent Bill of Jefferies. Hey, guys.
You have a jail on for Brent. Really appreciate the question. Bert, can you just walk through the puts and takes of margin? I think guidance implied 150 points of contraction in that 4Q. Is that acquisition-related travel investment? and then maybe just how we should think about leverage going forward on an annual basis. Thanks.
Yeah. So first, let me start with operating margin in total. So we're really proud of where we came in this quarter, over 13%. And a lot of that is attributable, obviously, to the unit economics that we were able to garner, certainly on the sales side. So whether you pick magic number, or you pick rule of four that we talked about in the in the prepared remarks, that's driving a lot of that operating margin. When we think about, you know, the future, I think about a few things. One is that we have opportunity starting at the gross margin level. I think that we, you know, not long ago, I raised the long-term range of our gross margin expansion capabilities and opportunities. And I think that we have an opportunity to do that. And we're investing to do that. And then as you go down the rest of the P&L, I think that as we continue to grow and scale, we're looking for opportunities to continue to leverage our strong model. But at the same time, we want to invest aggressively. We're not going to move away from that strategy. And then in R&D, I think investing in innovation is key and core to who we are. So I think that we're going to continue to keep our eye on that and invest in exactly what I talked about, to be able to go after that massive opportunity that we see ahead of us. So that's how we think about it.
Thank you.
You're welcome.
Thank you. Our next question comes from Matt Hedberg of RBC Capital Markets. Your line is open.
Great, guys. Thanks for taking my question. George asks, FileVantage for file integrity monitoring looks like a great addition to the platform. Can you talk about sort of what customers are saying? I know it was just launched, but sort of why is that such an important piece of a CISO sort of like data security fabric in sort of this new post-COVID world?
Yeah, thanks, Matt. It's a good question, and we're excited about this technology. And again, it goes to our strategy of consolidating agents and getting rid of other technologies that are costly and complex and weigh the system down. When you think about FIM, it's pure and simple compliance requirement. When you think about things like PCI and in the financial services industry, you have to understand what files change and who changed them and implement controls around that. So We've been able to do a lot of that for a long time. We've enhanced some features, put it into a module, and it's been extremely well received because it is literally a checkbox for just about any company that's out there, given the current regulatory frameworks and the various NIST standards that exist.
Thank you.
Thank you. Our next question comes from Roger Boyd of UPS. Your line is open.
Hey, thank you for taking my question. A follow-up on the CISA contract, can you talk a little more about the selection process here, how competitive it was, and really the role, you mentioned threat intelligence, but the role that that incident response played in helping achieve this, especially as the federal government gets more collaborative through programs like JCDC?
Yeah, anything in the federal government is competitive, as you know. That's by design. That's the way to do it. And I certainly believe in great partnership with them. And we believe it's a great technology choice and a proven technology choice and something that I've been saying for a long time that the government needs. So we're excited about the early partnership here. And when you think about threat intelligence, Again, having a very unique group, there's maybe one other company that has an intelligence capability as robust as ours, and they're not in the endpoint security space anymore. So from my perspective, it drives value not only for the U.S. government, but it really is a differentiator across all of our customers. We understand what the adversary is doing. We understand how to identify these sort of attacks. We program that into our AI technologies, and Again, taking an adversary-focused approach is important in stopping breaches. And then you combine that with other services that we have and, you know, some of the managed services. Again, very differentiated and I think going to be a great outcome for the government.
Thank you. Our next question comes from Brian Ethics of Goldman Sachs. Your line is open.
Great. Thank you very much, and thank you for taking the question. Maybe, George, if I could just have us unpack the new logo ads a little bit. It looks like a nice increase in new ARR. It looks like the landed costs of the logos that you added were a bit higher. Was it better strength from upmarket a little bit? Was it better, I guess, breadth of sale into the pipeline? Maybe if you could help us understand a little bit behind the drivers and what drove kind of the larger average customer ARR in the quarter?
Hey, Brian, it's Bert. I'll take that one. So first, we're really pleased with the... Yeah, no problem. We are very pleased with the new logo ads in the quarter. It's also... I think the fact that we were able to show acceleration in that new ARR was a big deal for us. Over 1,600 new logos, that's the second time we hit that high watermark. Again, really excited about the performance on the NETLU logos. In terms of where they came in on, I think that we had exceptional performance across the board. If I was to kind of highlight anything in particular we saw, So we saw some strength in the enterprise and the mid-market as well as MSSP. And so when you put that all together, along with some of the prepared remarks on the increase in the million-dollar deals, you were able to see the performance that we were able to put on the board. And remember, you know, I talked about the fact that we had, you know, no oversight or outside deals that contributed to this this quarter. And that, again, talks to the strength of the platform. and the broad-based success that we have this quarter.
Got it. Very helpful. Thank you very much. You're welcome.
Thank you. Our next question comes from Rob Owens of Piper Stanley. Your line is open.
Hey, guys. This is Justin Rochon for Rob. Just wanted to follow up around the cloud security solutions like your CSPM and CWP. Have you guys seen any increase in competitive pressures in this area given the number of players coming at it from both the network and the endpoint side, or do you guys still view this as a largely greenfield opportunity?
I think it's a largely greenfield opportunity. Obviously, you have a lot of early-stage companies out there, but this is so early in the lifecycle, and it's a massive opportunity for all the players that are out there. we think we're in a great position because a lot of the players actually don't have the runtime protection, which is important. You have to tie those two together. It isn't just about connecting, getting information from APIs, right? And although we do that in a differentiated way because we've basically ported some of our indicator of attack technology across that agentless technology, tying them together I think is really important for customers. A lot of these big wins involve cloud wins. Bert talked about the number of servers that we have. So tying together CSPM with cloud workload protection and things even like vulnerability management, we have that technology. Yes, it works against desktops, but we can be inserted in the CICD pipeline. We can look for vulnerabilities that are in images. We can prevent them from being deployed. So these are all key elements of creating a technology that's widely adopted by DevOps.
Got it. Thanks.
Thank you. Our next question comes from John Henry Caver of Bayard. Your line is open.
Yeah. Hey, guys. Congrats on that strong execution. You know, you've talked about the benefits of Umeo as it relates to data ingestion and just the additive nature to ThreatGraph and obviously the push into, you know, a broader XGR use case in George, you touched on this in your comments, but just wanted you to talk a little bit more around what you see around the log management observability use case and how you see that contributing to the overall platform near term and longer term.
Well, we've had some big wins this past quarter with Yumio, even outside security, certainly security use case, but observability and telemetry. It really is a telemetry platform. And if you think about today's environment you know, all the various technologies out there, all the information they're gathering, you have to have a telemetry platform like Humio to make sense of it all at scale. So it's been it's been an amazing opportunity for us since acquiring the company. I think we underappreciate it. What a huge opportunity is out there, particularly a lot of dissatisfaction with current vendors. and how open people are to wanting to switch into a technology like Yumio. We've got a lot of customers that we're working with right now. And I see that, as I said before, really as a shining star, as a massive business opportunity and revenue driver for us in the future.
And when you say that, is that including Falcon XDR? Is that more in the log management and observability use cases?
Well, it's a good question. Falcon XDR is going to give you essentially a threat detection outcome and some visibility into an attack scenario that starts beyond the endpoint. When you think about a Humio, you can log everything, you can store it pretty much forever, you can connect it to whatever you want to connect it to. and you can drive observability information from things that are outside just core security, things like connecting it to your HR system, to your performance management systems, to all the various workflows in your environment. That's not the use case of XDR. Security use case is XDR, and Humia goes way beyond that.
Yep. That helpful context. Thank you. Thank you.
Thank you. Our next question comes from Patrick. Your line is open.
Thank you so much for taking my question. You just talked about partnerships. I mean, you helpfully shared a statistic in your kind of opening remarks around, if I'm not mistaken, 30% sequential growth in partner source deals. I guess is that right? I just don't understand that kind of partnership dynamic. And I guess the reason I ask is because I know that some investors have a concern that other next-gen EDR vendors are more partner-friendly. So any color you can give around CrowdStrike and partnerships and try to quantify the trends you're seeing there would be very helpful. Thank you.
Sure. Sure. Let me just clarify to be very specific. It was 30% quarter over quarter on MSSP growth in triple digits year over year. So we're extremely partner friendly. I think there's a lot of noise in the system and people probably should talk to some of the larger partners that are out there because that's where we're sourcing our business from. Our partner opportunities are up. Our partners are making a lot of money jointly with us. And, you know, our goal is to be a partner-first company. And that's what we've done. We've been very consistent with that. And as you said, and you rightly pointed out, it's a lot of FUD that's in the environment. Great. Thank you so much. Appreciate it.
Thank you. Our next question comes from Joshua Tilton of Wolf Research. Your line is open.
Hi. This is Strecker on for Josh. Thanks for taking my question. I just have one for Bert. So you mentioned the net new seasonality, net new ARR seasonality will be less pronounced, and that makes sense. But as we start the model next year and the net new ARR seasonality, I'm not looking for guidance, but is there any, is there a year we should look to as framework? You know, because this year we had a sequential increase from 4Q to 1Q. You know, we're not expecting that again, but just any color or goalposts you provide, looking at the next year would be very helpful. Thank you.
Sure. So first, let me start with Q4 is off to a great start. We've got the record pipeline, record momentum, and we already landed a notable financial, a large financial, global financial institution. So off to a great start in Q4. But again, you know, we're coming off of a record Q3 at $170 million in the new ARR. Super proud of that record and obviously really strong throughout this year. When we look at comps, obviously my comments are more to the fact that when we guide and we're guiding to revenue, we don't guide to running the tables. We guide to what we know, not to what we don't know. That comment just wanted to put everything into perspective for us. The numbers are getting bigger and bigger, and that's great for us, but as you know, when you think about the law of large numbers, then you're going to have, and you don't guide to running the tables. That's why I put that comment in there.
Thank you. You're welcome.
Thank you. Our next question comes from Mike Walkley of Care and Accord Genuity. Your line is open.
Hey, guys. Good afternoon. This is Daniel on for Mike. Thanks for taking my question. So the prepared remarks, you noted that your identity modules generated more net new ARR than preempted previously while they were standalone. Are there any notable customer segments you're seeing the strength in, or was the demand pretty broad-based across the board?
Demand is broad-based across the board, and it really hit an inflection point. We've seen massive growth in it, as we said, more than all the preempts that they had as a standalone company. And the thing is, we took the time and effort to do the integration right. Customers see the value of a single integrated agent. They understand that identity is critical to security. And we're the company that's putting together runtime protection and visibility with identity. And now with data protection, it's that triumvirate, that three-legged stool. And customers love it. So we've seen some massive wins in retail, in financial services, in manufacturing. It is a massive problem. across the board for any company. And as we pointed out, over 60% of the breaches don't even use malware. They're using things like identity, which when you look at the sunburst attack from last year, obviously that was a key contributor. So people are looking to shore that up. And it's actually a key element to stopping ransomware above and beyond any malware prevention that's out there. So customers understand the value of it and they understand that we have it and others don't. And it's been a big driver for us.
Great. Thank you very much.
Thank you. Our next question comes from Shaw Ewell of Cowan Company. Your line is open.
Thank you. Good afternoon, guys. Congrats on the quarterly results and guidance. George, I know there was a prior question about partnerships. My question is actually about the alliances that CrowdStrike has been leading and joining over the course of the past, I think 12 to 18 months, give or take. Is that beginning to have some impact on revenue and on net new customer additions, specifically in light of the fact that you have been adding 1,600 customers, two quarters in a row now.
Hey, Sheldon. Can you just repeat the main bulk of your question? Because it got garbled a little bit.
Sure, sure. Apologies. A question about alliances that you've been leading, joining over the past 12, 18 months. Is that bird beginning to have some impact? on revenue and net new customer additions? I'm asking that specifically given, you know, the 1,600 customers additions over the course of the past two quarters, now actually in a row.
Well, it has. And when you look at some of the companies that we've talked about in the past, I mean, there's a lot. And I'm sure, you know, I can't single everyone out, but I think ZSkiller is a good example. You look at that partnership, you look at what we're doing, you look at what they're doing on the network side. the integrations that we're able to share data, what we're doing from an XDR perspective. And it makes sense. You know, we're pulling them into deals. They're pulling us into deals. And, you know, we're meeting in the field and adding value to the customers and obviously gaining a lot of traction with those customers. And that's just one example. We're doing that across the board in our Technology Alliance partnerships.
Thank you. And our last question comes from Greg Powell of BTIG. Your line is open.
Oh, great. Thanks for taking the question and working me in. So, yeah, I know you've talked about how you're more of a platform company than just an endpoint provider, but I'm going to ask an endpoint question if that's okay. So just high level, the last two years in the endpoint space have just been really strong. I'd call it almost like a near-perfect storm. How do you feel about the demand environment for the market as a whole looking into next year just on a relative basis? Like, do you think 2022 would be the same, better or worse than 2021 for the market?
I see it extremely strong. And when you look at the market in its totality, right, you have things like cloud adoption, cloud expansion, you know, massive opportunity. And we've proven that with servers and what we're doing there. when you look at the legacy players that are out there, you know, the replacements, the Symantecs, the McAfees, Microsoft, et cetera, massive opportunity for us. That's a long tail. You don't do that in one year. So we see that as a big driver for next year. And as I pointed out, even, I mean, it's a smaller base, but even the next-gen players, we see those as opportunities, you know, as customers get dissatisfied, as I pointed out, with some of the players that are out there. So, And you've got to bifurcate it a bit into pure endpoint and cloud, and I see both as massive opportunities because, again, if you look at our overall customer count, it's fantastic, but it's still small in the grand scheme of customers that are out there, and there's still a lot of legacy technologies that are out there that are and will be displaced.
All right. Good answer. Thank you very much. Thank you.
Thank you. I'm showing no further questions at this time. I'd like to turn the call back over to George Kurtz for any closing remarks.
I want to thank all of you for your time today, and we certainly appreciate your interest and look forward to seeing you virtually at our upcoming investor event. Thanks again. Be safe, and we'll see you soon.
Thank you. Ladies and gentlemen, this does conclude today's conference. Thank you all for participating. You may now disconnect. Have a great day.