CrowdStrike CEO George Kurtz On Microsoft’s ‘Murky’ Breach Details, Palo Alto Networks Platform Debate

In an interview with CRN, Kurtz discusses Palo Alto Networks’ change in strategy and Microsoft’s explanation for its recent executive emails breach.

Following a massive quarter for CrowdStrike, the company’s accelerating growth is due to its ability to offer a “real” cybersecurity platform that truly reduces complexity and protects against breaches, CEO George Kurtz said in an interview with CRN.

For some of CrowdStrike’s competitors, however, Kurtz believes the same cannot be said.

“My view is a real platform is a single platform,” Kurtz said Friday when asked about comments last week on X from Palo Alto Networks CEO Nikesh Arora. In a series of posts, Arora disputed an earlier characterization by Kurtz of what counts as a “real” security platform.

The CrowdStrike co-founder and CEO also weighed in on the latest update from Microsoft, posted Friday, about the recent hack of multiple senior executive accounts by a Russia-aligned threat actor. While Microsoft is “dribbling out information” on the incident, “I think it’s still murky” on the whole, Kurtz said Friday following the Microsoft disclosure.

Meanwhile, for the fourth quarter of CrowdStrike’s fiscal 2024, ended Jan. 31, the company beat analyst expectations and raised its revenue guidance, prompting a 25 percent surge in its stock price.

Notably, the company’s growth in net-new annual recurring revenue (ARR) actually accelerated during the quarter, reaching a growth rate of 27 percent year over year. “That’s fantastic results—particularly in light of the macro [environment] and in light of what some of our competitors posted,” Kurtz said.

What follows is an edited portion of CRN’s interview with Kurtz.

For the recent Microsoft executive emails breach, you had thoughts previously about things not adding up with how they were describing it. Do you feel like Microsoft has clarified any of that or no?

I think it’s still murky. I think it’s dribbling out information. And as I said in late January, [there’s] a lot more to come on this. It just didn’t add up to me to have a test system that was sort of in the corner and then all of a sudden you’ve got this massive impact and source code being breached. So I think Microsoft needs to step up the level of transparency—not just talk about it, but demonstrate it in action. Because if there’s source code that’s out there, what is it to? What’s the impact? What’s the customer impact? What customers have been impacted by this? It’s hard for me to believe that there hasn’t been a customer impact.

Apparently there were customer ‘secrets’ exposed in the breach.

I think there’s a lot of nuances in the wording. I don’t know what happened. But the secret could be a cookie—it could be a key that’s used to access a customer environment. And when you have the key to the authentication system—and I’ve been pretty vocal on the fact that there’s, in my opinion, some serious architectural flaws there—but if you have the key, like a Kerberos key or a SAML key, that can allow you in. It doesn’t mean it’s the actual password.

This [began with] a password spray attack. As a starting point, it’s not the most sophisticated of attacks. You have to think about, where’s two-factor authentication? Is it not in place on these critical systems? That’s a question for Microsoft.

In terms of your latest quarter, what can you say about the contribution of MSSPs and other partners to your growth?

It’s a big opportunity for us—triple-digit growth [with MSSPs], fantastic success with the likes of Pax8 and others. [Working with partners] that focus on the SMBs, we’re hitting markets that would be difficult to hit en masse. So it really gives us the ability to go downmarket and capture some of those customers that are at risk. They’re at risk from ransomware, they’re at risk for data exfiltration, they’re at risk for impact into their organization. I think we had a great year and there’s more to come. We put the architecture in place in ’23, and you’re starting to see it bearing fruit now.

Do you feel like you’ve hit an inflection point of some sort, given the acceleration during the quarter?

Obviously, we’re very happy with it. Great execution by the team, and you’ve seen an acceleration in ARR. And given where we landed at $282 million in ARR, up 27 percent, that’s fantastic results—particularly in light of the macro [environment] and in light of what some of our competitors posted. So from that standpoint, I think it reinforces the strategy that we’ve been espousing for the better part of a decade around platforms and what we’re building and the capabilities to solve problems well beyond just for endpoint protection. And I think you’ve seen the manifestation of a lot of the moves that we’ve made with next-gen SIEM [security information and event management], with identity protection, with cloud workloads. It all came together.

Do you attribute your ability to accelerate to the adoption of those additional tools?

Correct. Really what we’re selling is the platform, and endpoint protection is one piece of it. When I started the company, we created a data-centric platform and we began to solve these use cases. We created things like EDR [endpoint detection and response] with the data that we had. But over the last 10 years, given what we collect and the first-party data we create with our agent—and now the third-party data we can ingest with LogScale, which is natively part of the platform—that opens up many more use cases. So if you buy into the concept that data can really help solve use cases in security, and you buy into the fact that data has driven a lot of the AI learnings—whether it’s machine learning or now generative AI—then we’ve got the right platform. If you just took some of the disclosures that we talked about, there’s three businesses that we called out—identity, cloud and next-gen SIEM. That’s a greater than $850 million business growing exceptionally fast. So what we’ve been able to do is really demonstrate the platform. It’s all integrated. It’s a single platform, not multiple platforms. One console, one agent. And it’s immediate time to value. I think customers are voting with their wallets.

What is your take on Palo Alto Networks’ recent change in strategy?

Well, it’s not new. What they’re trying to do [is] discounting, bundling and giving products away for free. This has happened for the last 30 years in software. It’s happened certainly in the security market. And as you work deals, you try to figure out, what does the customer need? There’s nothing new here to me, other than I think maybe they’re trying to use that as a marketing tool. But nothing new from what I can tell.

How would you contrast what they’re doing with your approach to driving adoption of the CrowdStrike platform?

I think we would contrast it with [the fact that] we run our business to focus on getting the right outcome for customers. And if we need to be flexible on pricing, if we need to be flexible on terms, if we need to be flexible and help them ramp into a license, we do that. We’ve done that for a long time as well. So in competing with them, we demonstrate the value. People are buying our technology because it’s the best in the market. And that’s validated by multiple sources, including the latest Gartner Magic Quadrant. So we’re able to keep our margins up. We’re able to sell on value. But certainly all of the tools available in selling software are available to us. And we can use those and have used those in the past. We’ll continue to use those depending on the deal.

But you haven’t felt the need to announce that you’re doing this in the same way that they have.

We haven’t put out [an announcement] like, ‘We’ll give you something for six months for free as a broad offer.’ But certainly we have the ability to discount, bundle and provide flexible terms for customers. So those are all available to us.

Could you elaborate on your comments about what a legitimate security platform looks like and what it doesn’t look like?

Part of my experience in starting CrowdStrike was, you have to go back in time—you have to look at how software and in particular security software is sold. First, [it was] point products. Then in the McAfee-Symantec era, it was really best-of-suite. And when I left McAfee, it was a hodgepodge of many acquisitions that weren’t integrated. It was hard to make it work in a customer environment. So when I started CrowdStrike, it was really focused on one platform, a single agent. Collect data one time into a common data store and then you create these modules—the whole idea was [to be] the ‘Salesforce of security.’ Once you have the data, then you can monetize on top of it.

But the key thing is, it’s super simple, and it’s one platform. It’s not multiple platforms. And I think what you’re seeing with some of our competitors, they’ve acquired a lot of products just like McAfee. And they’ve wrapped some veneer around it. But essentially you’ve got a bunch of point products in multiple platforms, not one, that don’t work well together. So what does that do? You’re talking about five different agents versus one. You’re talking about lengthy implementation times. You’re looking at consoles that you’ve got to go between all these, they’re not integrated. Multiple data lakes, two or three different data lakes. It is very complex compared to what we have. And again, what does that mean for a customer? Easy to deploy, lower TCO [total cost of ownership]. There’s a difference between price and cost. Microsoft gives [products] away for ‘free’—it still costs you more. And you’re not going to get the right outcome. Then you wrap some of the services around what we built.

The reason why we were able to really pioneer MDR [managed detection and response]—there was no MDR until we started CrowdStrike, that term didn’t even exist. We started with OverWatch and Complete, and Gartner and others came up with MDR. It’s because of the way the platform works. We’re able to look across all the customers. We’re able to collect and view as a multitenant architecture, not a bunch of single tenants kind of strapped together. And that architecture makes a difference. So lower costs for customers, quicker time to implementation and better outcomes.

Specific to what Nikesh [Arora] had to say on X, he was arguing that they are a ‘real’ platform and that it wasn’t characterizing them correctly to say otherwise. What are your thoughts on what he had to say?

My view is a real platform is a single platform. And it’s built natively from the ground up, and it has a level of integration that makes it easy for customers to deploy—[it’s] not complex. So we’re going to let our customers decide what they believe is the right approach. And I think the numbers that we put up for Q4 demonstrates what customers are saying.

When you look at the technology platform—this single agent, data-centric platform—it really starts with getting data in. And then if you buy into the fact that data can help you actually solve these use cases, then it sets everything up. And that really has borne out in the way customers use the product, the way they buy it and the financial results. So when you look at the leverage in the business model, which is different from the technology model, how do you see 80 percent gross margin? How do you see 33 percent free cash flow margin? It’s because once we collect the data, we can monetize the modules on top of it. They’re all integrated. They’re all from the same data source. And every time we add a new module, it’s virtually pure margin because for all intents and purposes, you’ve already collected that data. So when we add something new, we can bring that to market very rapidly because we’re working on the workflow rather than some hodgepodge integration.

So there’s a business model aspect to it, and there’s a technology aspect, and there’s a difference [between those]. I’ve been through this multiple times and I can tell you that if you don’t build it right from the start, and you try to piece parts together, you get a customer outcome that is suboptimal.