CrowdStrike (NASDAQ:CRWD) Chief Financial Officer Burt Podbere told investors at a Morgan Stanley conference that fiscal 2025 was “one of the greatest years in our company history,” pointing to record results in net new annual recurring revenue (ARR), profitability, and free cash flow while highlighting continued momentum in next-generation security products and adoption of the company’s Falcon Flex licensing model.
Record net new ARR, profitability, and free cash flow
Podbere said the company’s performance in fiscal fourth quarter was anchored by net new ARR of $330.7 million, which he described as the largest net new ARR figure in company history. He emphasized net new ARR as the company’s primary forward-looking metric and a key indicator of business health.
Fiscal 2027 outlook and momentum across growth pillars
Podbere addressed CrowdStrike’s decision to raise its fiscal 2027 ARR growth target above the 20% framework discussed at the company’s Analyst Day. He said the higher target would have been unchanged without recent acquisitions, noting acquired ARR was “very small,” which he quantified as $5 million to $8 million related to SGNL and Seraphic.
As support for confidence in longer-term targets, he cited what he called broad-based demand across different customer sizes, a “record Q1 pipeline” that was up 49% year-over-year, and expanding scale in emerging products. Podbere said Next-Gen SIEM, Next-Gen Identity, and cloud collectively exceeded $1.9 billion in ARR and were growing at 45%, which he characterized as evidence customers are increasingly adopting offerings beyond CrowdStrike’s earlier endpoint roots.
He also said the company was making a point of providing more transparency, describing the fiscal 2027 net new ARR guidance as the first time CrowdStrike has guided to a specific net new ARR target.
AI in cybersecurity: data advantage and product adoption
On artificial intelligence, Podbere argued the market is separating into companies that face “existential vulnerability” from AI and companies that will thrive due to “data moats.” He positioned CrowdStrike as a “net data creator” that collects and curates data, enabling it to use AI to accelerate outcomes. He also said, “AI is created with GPUs. CrowdStrike secures that AI.”
Podbere cautioned that cybersecurity requires complete accuracy and speed, and he contrasted those requirements with concerns about false positives—linking them to “hallucinations” in AI systems. He compared current AI-related disruption concerns to earlier claims that hyperscalers would dismantle SaaS security vendors, saying cloud ultimately became an “accelerant” for CrowdStrike’s business.
He said AI is already material in CrowdStrike’s offerings through tools such as Charlotte, an AI orchestrator used in exposure management. As an example, he said Charlotte can identify patch status across machines and, in combination with other CrowdStrike technologies such as Falcon for IT, can help execute patching. He provided several adoption metrics:
- Charlotte utilization increased 6x year-over-year, and associated ARR increased 3x year-over-year.
- AI Detection and Response (AI DR), which he said had been in the market only a few weeks, grew 5x quarter-over-quarter.
Podbere also said CrowdStrike “was built on AI,” noting that what was previously called machine learning and earlier agentic AI work has long been embedded in the company’s approach.
Platform consolidation, Falcon Flex, and “reflexing” behavior
Podbere said customers continue to seek “the best outcome at the cheapest price,” and he argued CrowdStrike’s platform approach—one sensor and one console—supports vendor consolidation and reduces weak points that can emerge when disparate tools are stitched together. He said he expects consolidation tailwinds to persist and suggested the market could ultimately settle around three or four full security platforms, with endpoint at the center.
He described Falcon Flex as a key mechanism to reduce sales friction by letting customers acquire technology “easily” and “seamlessly.” Podbere said Flex ARR grew 120% year-over-year and pointed to customer behavior he said indicates strong engagement: almost 100 customers have “reflexed” multiple times within the same original contract period.
Asked what is driving reflexing, he pointed to Next-Gen SIEM as a “big accelerant,” saying customers use it and want more of it. He also described Flex as enabling customers to experiment across CrowdStrike’s 33 products, which can increase adoption as customers discover capabilities they were not previously aware of. Podbere said the company is pushing Flex as its primary commercial model, stating that starting in fiscal 2027, deals that are not Flex will require a management exception.
Next-Gen SIEM, cloud security, identity, and partnerships
Podbere called Next-Gen SIEM a “home run,” saying it was built on technology from the Humio acquisition and emphasizing speed and cost advantages, including an “index-free” architecture. He said customers can “log everything” more economically than with legacy SIEM tools, where high costs can lead to logs being dropped. He also said approximately 80% of SIEM security data comes from CrowdStrike’s first-party Falcon data, with 20% from third parties, and noted pricing advantages on first-party data ingestion.
Discussing the Onum acquisition, Podbere said Onum functions like a data “highway” that can deliver data while also performing detection en route, filtering information before it reaches the SIEM to improve cost efficiency. He described Onum as an “accelerant” to Next-Gen SIEM because it helps CrowdStrike control both the data and the routes by which it moves.
On cloud security, Podbere reiterated that the business reached $800 million in ARR and was growing 35% year-over-year. He framed cloud security as including both runtime protection (cloud workload protection, which requires a sensor) and non-agent capabilities such as compliance reporting, and said CrowdStrike’s strategy is to provide and invest in both. He also referenced investments in areas including ASPM and DSPM.
In identity, he said CrowdStrike’s approach focuses on “security and identity,” not identity creation (which he associated with Microsoft) or identity brokering (Okta and Ping). He pointed to the company’s acquisition of Preempt as foundational, discussed a “modern PAM” offering centered on just-in-time credentialing, and referenced Shield (formerly Falcon Shield) as identity for applications and machines and non-machines. He argued identity remains a critical pillar of breach prevention even if vulnerabilities were eliminated.
Podbere also discussed partnerships as changing competitive dynamics, citing a Microsoft Marketplace relationship and usage of hyperscaler marketplaces. He said CrowdStrike has $1.5 billion going through AWS and suggested Microsoft marketplace participants would want to see similar scale over time. While noting collaboration, he also identified Microsoft as CrowdStrike’s largest competitor.
On channel strategy, Podbere said CrowdStrike is “channel-first,” describing efforts to incentivize partners so that CrowdStrike is the “first product out of their bag.”
Concluding with margin and profitability priorities, Podbere pointed to a record fourth-quarter subscription non-GAAP gross margin of 81%. He said the company is optimizing public cloud usage and leveraging scale to improve economics, describing an approach focused on incremental gains of 0.1% at a time and noting he believes the company is not far from its long-term model.
About CrowdStrike (NASDAQ:CRWD)
CrowdStrike Holdings, Inc (NASDAQ: CRWD) is a cybersecurity company founded in 2011 and headquartered in Sunnyvale, California. The firm was co-founded by George Kurtz and Dmitri Alperovitch and became a publicly traded company following its initial public offering in 2019. CrowdStrike positions itself as a provider of cloud-native security solutions designed to protect endpoints, cloud workloads, identities and data against sophisticated cyber threats.
The company’s core offering is the CrowdStrike Falcon platform, a modular, cloud-delivered security architecture that combines endpoint protection (EPP), endpoint detection and response (EDR), threat intelligence, and device control through lightweight agents and centralized telemetry.
