CrowdStrike - Earnings Call - Q3 2026
December 2, 2025
Transcript
Speaker 1
Hello, and welcome to CrowdStrike's Fiscal Third Quarter 2026 Financial Results Conference Call. At this time, all participants are in a listen-only mode. After the speaker's presentation, we will conduct a question-and-answer session. Please be advised that today's conference is being recorded. I would now like to hand the call over to Andy Nowinski, Vice President of Investor Relations and Strategic Finance. Andy, please go ahead.
Speaker 2
Good afternoon, and thank you for your participation today. With me on the call are George Kurtz, Chief Executive Officer and Founder of CrowdStrike, and Burt Podbere, Chief Financial Officer. Before we get started, I would like to note that certain statements made during this conference call are not historical facts, including those regarding our future plans, objectives, growth, including projections, and expected performance, including our outlook for the fourth quarter and fiscal year 2026, and any assumptions for fiscal periods beyond that are forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. These forward-looking statements represent our outlook only as of the date of this call. While we believe any forward-looking statements we make are reasonable, actual results could differ materially because the statements are based on current expectations and are subject to risks and uncertainties.
We do not undertake and expressly disclaim any obligation to update or alter our forward-looking statements, whether as a result of new information, future events, or otherwise. Further information on these and other factors that could affect the company's financial results is included in the filings we make with the SEC from time to time, including the section titled Risk Factors in the company's quarterly and annual reports. Additionally, unless otherwise stated, excluding revenue, all financial measures disclosed on this call will be non-GAAP. A discussion of why we use non-GAAP financial measures and a reconciliation schedule showing GAAP versus non-GAAP results is currently available in our earnings release, which may be found on our Investor Relations website at ir.crowdstrike.com or on our Form 8-K filed with the SEC today. With that, I will now turn the call over to George.
Speaker 0
Thank you, Andy, and a warm welcome to the CrowdStrike team. Andy is no stranger to many on this call, and I'm glad to have him with us to lead Investor Relations. I'm excited to share CrowdStrike's fantastic Q3. It was a record quarter as the business continued accelerating. On the back of record attendance at Falcon Global and Falcon Europe, the momentum we're seeing with customers, prospects, and partners drives my conviction in our near-term and long-term growth. Last quarter, Q2, we delivered our forecasted re-acceleration a quarter early. This quarter, we furthered the trend with relentless execution. Across the entire CrowdStrike team, I'm extremely proud of our Q3 with highlights including: One, record Q3 net new ARR of $265 million, which grew 73% year over year, beating our expectations by more than 10%. Two, ending ARR of $4.92 billion, which accelerated to 23% growth year over year.
Three, record Q3 free cash flow of $296 million, or 24% of revenue. Four, all-time record operating income of $265 million, or 21% of revenue. This is the second consecutive quarter of record operating income. Five, broad-based ending ARR acceleration across cloud, next-gen identity, and next-gen SIEM collectively, as well as acceleration in our endpoint business. And six, more than $1.35 billion in ending ARR from accounts that have adopted the Falcon Flex subscription model, growing more than 200% year over year. Underpinning these financial highlights is the CISO, CIO, and board feedback I regularly hear. CrowdStrike is mission-critical in today's agentic society. No matter how the market swings, geopolitical tensions evolve, or what technologies are in vogue, our digital society mandates cybersecurity as a necessity. And now more than ever, synonymous with that, CrowdStrike is a necessity. Our growth is driven by pervasive, durable, and thematic market forces.
Organizations of all sizes are in the midst of AI transformations, investing in the future of workforce productivity in the name of speed, scale, and cost benefits. In the midst of this societal shift, what I've shared over the past few years and quarters is unfolding before our very eyes. One, AI is rapidly expanding the attack surface. Businesses are onboarding a whole new type of workforce today, the agentic workforce. Humans using agents to do more and agents working by themselves, each with access to data, applications, compute, and sometimes even other agents. While the benefits of this newfound workforce are exciting and increasingly vital for market competitiveness, the rapidly expanding risk profile of this realm cannot be ignored. Every single agent expands the attack surface, necessitating protection. CrowdStrike is both the armor and intelligence layer that keeps each agentic identity secure.
The intelligence layer, providing visibility and context to organizations from agentic threats and risks, and the armor, protecting agents from attacks, influence, exfiltration, and data manipulation. In addition, CrowdStrike is also present as the foundational protector of the underlying technologies powering the AI revolution, providing security by design for the world's cloud and token factories. Two, the democratization of destruction wasn't just a bold prediction. It's already today's reality. Businesses every day are having jarring, lightbulb moments, witnessing AI-powered adversarial tradecraft firsthand. Just a few weeks ago, a major AI company shared that China state-sponsored adversaries were using their LLM to create and operationalize active cyber intrusion agents. This is just one of the many AI-enabled attacks we've seen. The AI cyber battleground is no longer theoretical. It's now real.
Now, just as anyone can use AI to vibe code and become a software engineer, anyone can now also vibe hack, becoming a sophisticated adversary with AI. Three, cybersecurity in the agentic era demands a single platform. The criticality in being able to operate with agility, efficacy, and speed to stop breaches is having the data, the controls, and the actions in a single platform, not multiple platforms. Because when you have multiple platforms, by definition, you don't have a platform. Tab switching and context switching cost time. Data stitching doesn't scale. These are the seams and cracks where adversaries thrive. The leaky lifeboat of PowerPoint platforms and point product fragments simply cannot offer the protection, scalability, and cost benefits, or the ease of use of a single platform solution. CrowdStrike wins as the market's broadest and only single platform solution.
Taking my three points together, one, we've built the right architecture, a single console, single data backend, single sensor, agentic hyperscale platform that is frictionless and one of a kind in cybersecurity. Two, it's the right time with the rapid growth of AI agents raising the threat risk profile and driving a holistic technology shift, and three, we're in the right position. CrowdStrike's technology, innovation engine, and ecosystem position us as the operating system of cybersecurity for the agentic era. Market demand is high because the need is real. We have the right architecture, we have the right products, and we're in the right market position to continue taking share. Successful AI adoption requires cybersecurity transformation, necessitating a new operating system to create a structure around the next chapter of enterprise security programs.
Falcon Next-Gen SIEM is the foundation of our platform, turning CrowdStrike into our customer's operating system for cybersecurity. Next-Gen SIEM has become a scale disruptor in a market that has historically been slow to evolve as customers embrace the speed and efficiency advantages versus legacy competitors. And with the acquisition of Onum, we're making it even easier to build on CrowdStrike with a hyperscalable telemetry detection pipeline that brings CrowdStrike even closer to all our customers' critical data. Falcon Next-Gen SIEM had a record net new ARR quarter, a clear outcome of the deliberate strategic choices we've made over the past several years. We know that the value of the technology is only as good as the platform on which it's delivered. So we invested heavily in integrating Next-Gen SIEM to create a unified single platform. This isn't just a single console.
It's a truly integrated and unified data backend that brings together all of CrowdStrike in one place, delivering not just economies of scale, but far superior outcomes, and with Charlotte as the agentic SOC orchestrator, now FedRAMP high approved, we're delivering the AI SOC of the future today. Furthering our position as the operating system of cybersecurity, we recently announced our expanded partnership with AWS. Through this announcement, all of AWS's millions of customers will have access to Falcon Next-Gen SIEM natively within their AWS security console, enabling them to immediately access, interact with, and analyze AWS telemetry directly in Next-Gen SIEM. Going a step further, we've also enabled federated search so that AWS customers can query their data from a single console.
We're incredibly excited about what the future holds and thank AWS for both our amazing partnership and for the validation of Falcon Next-Gen SIEM as the best choice for their customers. A large European bank renewed their more than 500,000 workload EDR deployment, adding Next-Gen SIEM, Onum, and Charlotte in a large eight-figure expansion deal. With our acquisition of Onum, this financial institution was able to eliminate their existing streaming pipeline point product as well as migrate off Splunk. Competing against hyperscalers and firewall vendor SIEMs, Falcon Next-Gen SIEM won the hearts and minds of the security and IT team as the easiest solution, fastest to see value, and best agentic SOC transformation platform. Our identity business continues to perform exceptionally well. While the demand for our ITDR offering has increased, it's the launch of both our PAM and Falcon Shield offerings that has our customers increasingly excited.
Falcon Shield had a record net new ARR quarter, growing nearly 50% sequentially as market demand for SaaS application security has become a mainstream necessity. Securing SaaS app misuse from human and non-human identities has never been more important or challenging. Nefarious agentic behavior is targeting data-rich SaaS applications that have quickly become a feeding ground for breaches. From on-prem apps to cloud apps, we stopped these breaches. A Fortune 500 logistics company used Falcon Shield to uncover exfiltrated CRM data in less than 30 minutes from deployment, resulting in a seven-figure deal. A leading customer experience platform saw a shield demo and activated the module via Flex within an hour. And lastly, a Global 500 personal care leader conducted a shield assessment uncovering 25 unknown shadow instances of their CRM. This customer quickly transacted a seven-figure expansion, bringing their SaaS environment under control.
As these examples illustrate, today's elevated third-party SaaS risk environment demands visibility and protection. Falcon Shield delivers near immediate time to value and is a product that we can land new logo accounts with even without endpoint deployments. Turning to the cloud where we delivered Q3 record net new ARR. While CrowdStrike continues to benefit from M&A-related market disruptions, it is our customers' embrace of best-in-class runtime protection that continues to push us forward. As the cloud security market matures, customers are realizing that posture doesn't equate to prevention. Security teams now understand that they need active defense within their cloud environments, and this can only be delivered in runtime. CrowdStrike is the cloud runtime security leader as validated by the most recent Frost & Sullivan CWP report, and with our recent acquisition of Pangea, we're now positioned to protect the entirety of our customers' AI infrastructure.
At our recent analyst day at our Falcon conference, we discussed how protecting AI is akin to protecting a building. Security teams don't want a non-integrated, fragmented series of solutions to protect their critical AI infrastructure because they know that this complexity creates gaps that are increasingly exploitable by AI-enabled adversaries. CrowdStrike Falcon Cloud Security offers customers a unified, integrated, end-to-end solution that enables secure adoption of transformative technology without slowing the end user down. A Fortune 500 consumer packaged goods company grew their Falcon deployment with Falcon Cloud Security and a seven-figure expansion deal. This customer took the opportunity to displace Wiz, bringing their cloud security program to Falcon for the benefit of our consolidated CSPM, ASPM, CIEM, and CDR approach. The outcome delivered is single platform management, better visibility, and the ability to stop cloud breaches versus simply alerting on them.
This was just one of multiple Wiz replacements. In addition, Falcon Cloud Security was selected to protect a leading NeoCloud in an eight-figure transaction. This token factory decided it was time to secure AI from the source so that enterprises of all sizes would trust and build with confidence on them. Cybersecurity became a differentiator and business enabler, not a cost. Finally, I wanted to touch on our endpoint business. Our endpoint business accelerated in the quarter on the heels of AI-driven demand. In the world of AI, so much is being pushed to the edge. Employees are now deploying new applications such as Claude Desktop and ChatGPT directly onto their machines, driving both rapidly improved productivity and also significant new risks. This is further exacerbated by the rapid adoption of new AI browsers such as Common and Atlas, which bring new opportunities and concurrently new vulnerabilities and threats.
AI adoption is supercharging renewed interest in the endpoint as the endpoint is the epicenter of human and non-human interaction with AI. In this new agentic world, the endpoint has quickly become the risk point, the productivity point, and the opportunity point. A large government agency took the opportunity to modernize, replacing more than 75,000 endpoints of legacy AV with Falcon, as well as deploying us in their AWS environment for cloud protection in what was a strong federal quarter for CrowdStrike. In addition, EY brought us into a Fortune 500 healthcare account where in just a few months we were able to modernize the endpoint, cloud, and SIM environments in an eight-figure end-to-end Flex expansion deal where we displaced two SIMs, Defender for Endpoint, and a point cloud security product.
Frequently imitated but never duplicated, Falcon Flex makes it easier than ever for our customers to experience the full power of the Falcon platform without procurement friction. The Flex model cultivates more platform utilization, accelerating module adoption. Falcon Flex is an unlock, not an ELA. Flex customer ending account ARR more than tripled year over year. But what has us even more excited is the momentum we're seeing in re-Flex activity. The number of re-Flex accounts more than doubled quarter over quarter to more than 200, with 10 customers re-Flexing more than 2x their initial Flex subscription. This demonstrates that Flex customers can and do increase their ARR and TCV spend with CrowdStrike, which is contrary to the ELA model where all the economic value is realized once upfront.
When we launched Flex, we believed that it would allow customers to more quickly benefit from the full value of our platform, and that's exactly what's happening. As customers and partners alike continue to embrace Flex as the best way to adopt Falcon, we expect it to become our licensing standard. Our community or crowd powers our technology, and that's who we build for. Our ecosystem partners continue leading us to new heights, affirming CrowdStrike's market and category leadership. Our alliance team delivered a record quarter in terms of deal value closed with partners. CrowdStrike's market position comes to light in mission-critical times. F5 asked us to partner with them to further secure their BIG-IP hardware and virtual appliances.
We rapidly deployed our sensor on BIG-IP, which they certified, and F5 took the opportunity to purchase Falcon and OverWatch licensing for their installed base in a large Flex transaction. We are pleased to be taking our industry-leading protection capabilities to new insertion points designed to enhance network perimeter protection. Today, hundreds of F5 customers are now securing their F5 appliances with CrowdStrike, many of whom weren't CrowdStrike customers prior. Partners take us into new account environments, implementing Falcon as part of their broader agentic enterprise architecture vision. Experiencing the success of Next-Gen SIEM in the market, EY took a bold step to standardize their SIEM practice on Falcon in a large seven-figure transaction. EY is migrating accounts for which they own and operate multiple legacy SIEM technologies, consolidating on CrowdStrike.
Additionally, EY is a leading global partner of ours for Next-Gen SIEM implementations, taking numerous Fortune 500 accounts through the journey from legacy SIEM to Next-Gen SIEM migration. Deloitte announced Next-Gen SIEM in their MXDR practice, replacing their legacy SIEM provider, and Wipro, too, has standardized security delivery and incident response on Falcon. The GSI community is quickly seizing the SIEM and SOC transformation opportunity that only our single platform provides. The ecosystem embrace of partner-led services on Falcon is correlated to the opportunity we represent. A recent Canalys report showed that our ecosystem creates up to $7 in services opportunities for every dollar of Falcon product sales, illustrating the large ecosystem opportunity surrounding the Falcon platform. I want to return to yesterday's announcement that we made with AWS. AWS selected Falcon Next-Gen SIEM as the default SIEM for all their customers offered in their Security Hub console.
This brings Falcon Next-Gen SIEM with pre-populated AWS data to millions of AWS customers in a product-led growth motion. Our intent is to convert Next-Gen SIEM usage into Flex subscriptions as more accounts experience the power, speed, and actionability of their AWS data, CrowdStrike data, and other third-party data in Next-Gen SIEM. Our Next-Gen SIEM helps AWS fill a critical market gap, now competing with other hyperscaler SIEMs and doing so with Falcon. Our Next-Gen SIEM delivers value for AWS customers, even those who don't yet use Falcon, because we've become a federated, pre-populated, and affordable security data lake for observability, triage, and threat hunting, and Charlotte is there to help operate the whole system on a customer's behalf. In addition, Accenture is our launch partner with AWS, helping AWS customers leave their legacy SIEM for Falcon Next-Gen SIEM on AWS.
Our partnership with AWS continues from strength to strength, with CrowdStrike announced as AWS's Global Security Partner of the Year and AWS's Global Marketplace Partner of the Year yesterday at re:Invent. We're excited about the opportunity to engage AWS accounts, onboarding them to Falcon, and serving as their operating system for cybersecurity. Lastly, I want to share a noteworthy MSSP partnership, which we've announced today with Kroll, a leading mid-market professional services firm. Kroll's cybersecurity division performs thousands of incident response engagements yearly for mid-market firms around the world, largely from their cyber insurance panel inclusion. Kroll had been using a point product EDR in their incident response and managed detection and response business. Now, Kroll exclusively uses Falcon.
And in an almost eight-figure rip and replace transaction, Kroll is migrating nearly 500,000 endpoints to Falcon, which were previously running on a point product SMB EDR, and upleveling their own MDR service with Falcon Complete for service providers, with our Falcon Complete team becoming the SOC for Kroll. This partnership announcement illustrates the value that only CrowdStrike can deliver. The best technology platform with numerous expansion opportunities to help customers and partners alike consolidate. The services opportunities partners need to see value, whether that be an incident response, proactive assessments, managed detection and response, or SOC transformation, and our skilled and agentic MDR teams to uplevel partners so they can focus on selling and client services while we focus on stopping breaches as the world SOC.
We've improved Kroll's technology stack, displaced an inferior point product, improved their margins with Falcon Complete, and they migrated their entire practice to us. This transaction highlights the power of Falcon to be a business creator for our ecosystem. We're not selling products. We're delivering outcomes, introducing the world to a whole new way of performing cybersecurity and risk management. In closing, this was one of our very best quarters in company history. Acceleration is back. We're winning, and we're living the company's mission of stopping breaches. AI represents our largest opportunity and demand driver yet. We're using AI to revolutionize cybersecurity, and even larger, we're securing the world's use of AI so businesses of all sizes can adopt more AI faster, securely, and with confidence. The takeaway is this: AI adoption necessitates the right cybersecurity. It necessitates CrowdStrike.
Jensen Huang summed up our market position best, saying, "I can't imagine a better defender than CrowdStrike," on the stage at NVIDIA GTC in Washington, DC. The transformative work we're doing with NVIDIA is representative of how we're securing AI at its very source, all the way down to its human and non-human users and its outcomes. I see this as a generational opportunity for the company. AI is but one of many tailwinds continuing to propel CrowdStrike to new heights. One thing is certain: whenever our customers engage in technology change and transformation, cybersecurity has been a constant necessity, and that constant is CrowdStrike. With that, we have a big Q4 opportunity in front of us, a robust demand environment, and no shortage of breaches to stop. Cybersecurity doesn't slow down for the holidays, and neither do we.
Stay safe, happy holidays, and I'll pass the call over to Burt Podbere, CrowdStrike's CFO. Thank you, George, and good afternoon, everyone. As a quick reminder, unless otherwise noted, all numbers except revenue mentioned during my remarks today are non-GAAP. Additionally, the results we are reporting today include the acquisitions of Onum and Pangea, which closed during the quarter and were de minimis to revenue and ARR. We delivered an exceptional third quarter driven by organic growth, exceeding expectations across all guided metrics. We achieved record Q3 net new ARR of $265 million, exceeding our expectations by double-digit millions and more than 10 percentage points. Net new ARR growth accelerated to 73% year over year, and ending ARR reached $4.92 billion, accelerating to 23% growth over last year.
As George highlighted, our performance reflects the success of our single platform strategy as organizations prioritize cybersecurity in the agentic era and customers consolidate on Falcon as the operating system of the SOC. We delivered acceleration across the platform with Cloud, Next-Gen SIEM, and Next-Gen Identity, all delivering strong results. Momentum was broad-based across customers of all sizes, from enterprise to down market and MSSPs, achieving record results in our corporate business and strong performance in the public sector, particularly in U.S. federal and higher education. Falcon Flex continues to be a powerful driver of platform consolidation, with over $1.35 billion in ending ARR from accounts that have adopted the Flex subscription model. Falcon Flex is quickly becoming the standard licensing model as it makes it easier for customers to adopt more of the Falcon platform faster.
Customers continue to leverage Falcon to consolidate their security needs and lower their total cost of ownership, resulting in higher retention rates over the prior quarter and increased module adoption rates. As of Q3, 49% of subscription customers are now using six or more modules, 34% are using seven or more, and 24% are using eight or more modules. With our business momentum increasing and our all-time record high pipeline entering Q4, we have strong conviction in our ability to deliver profitable growth as we finish FY26 and look into FY27 and beyond. Moving to the P&L, total revenue exceeded our guidance range and grew 22% over Q3 of last year to reach $1.23 billion. Subscription revenue grew 21% over Q3 of last year to reach $1.17 billion, and professional services revenue was $65.5 million. The geographic mix of third quarter revenue consisted of approximately 67% from the U.S.
and 33% from international geographies, with both U.S. and APAC year-over-year revenue growth accelerating compared to Q2. Total non-GAAP gross margin was 78%, and non-GAAP subscription gross margin increased to 81% of revenue. Total non-GAAP operating expenses in the third quarter were $703.2 million, or 57% of revenue. In Q3, we saw a typical step-up in sales and marketing expenses from our annual Falcon Conference we hosted in September, which was our biggest selling event of the year and set multiple records with over 8,000 attendees joining us. Non-GAAP operating income was a record $264.6 million, and operating margin was 21%, exceeding our guidance. The outperformance was driven by our strong top-line performance, gross margin improvement, and sales execution, underscoring our commitment to profitable growth as we balance accelerating net new ARR growth with operational excellence.
GAAP net loss attributable to CrowdStrike was $34.0 million, which included $26.2 million of costs associated with the July 19 incident and related matters and $5.6 million of acquisition-related expenses. Non-GAAP net income attributable to CrowdStrike was a record $245.4 million, or $0.96 on a diluted per-share basis, exceeding our guidance. Moving to cash, our cash and cash equivalents were $4.80 billion. We generated record cash flow from operations of $397.5 million and record Q3 free cash flow of $295.9 million, or 24% of revenue. Payments for incident-related and strategic plan costs impacted Q3 free cash flow by approximately $53 million. Moving to our outlook and modeling notes. The AI-driven demand environment, combined with our record pipeline and the continued momentum in customer platform consolidation on Falcon, gives us strong conviction as we finish Q4 and look toward FY 2027.
While we do not guide to ending ARR or net new ARR, our revenue guidance includes the following assumptions: low to mid-teen sequential net new ARR growth Q3 to Q4, bringing ending ARR growth for FY26 to 23% year-over-year. At the midpoint of our net new ARR assumptions, we expect second-half net new ARR growth of at least 50% year-over-year, well above our previously provided assumptions of at least 40% year-over-year, driven by our strong Q3 outperformance and record pipeline. Additionally, we continue to expect FY27 year-over-year net new ARR growth of at least 20% from our now increased FY26 net new ARR assumptions. As we discussed during our September investor briefing, as a result of our successful CCP and related partner programs, our ARR to subscription revenue assumptions include a separation of $13-$15 million in Q4.
Consistent with what we noted at Falcon, this gets you to the midpoint of our FY26 revenue guidance, which we have raised by $24.1 million at the midpoint to reflect our strong Q3 outperformance and record pipeline. We ask that you please be mindful of these dynamics when updating your models. Moving to cash, we expect Q4 free cash flow margin to be 27% and include cash payments of approximately $33 million in connection with incident-related costs. This brings our full-year FY26 free cash flow margin expectation to 25%. Finally, we remain confident in our previously provided assumptions for FY27 partner rebates, non-GAAP operating margin, and free cash flow margin, which are detailed in the modeling assumption slide of our Q3 FY26 earnings presentation, available at ir.crowdstrike.com, following our prepared remarks today. Moving to our outlook.
For the fourth quarter of FY26, we expect total revenue to be in the range of $1.290-$1.300 billion, reflecting our year-over-year growth rate of 22%-23%. We expect non-GAAP income from operations to be in the range of $315-$319 million, and non-GAAP net income attributable to CrowdStrike to be in the range of $282-$287 million. We expect diluted non-GAAP net income per share attributable to CrowdStrike to be approximately $1.09-$1.11, utilizing a 21% tax rate and weighted average share count of approximately 258 million shares on a diluted basis. For the full fiscal year of 2026, we currently expect total revenue to be in the range of $4.797-$4.807 billion, reflecting a growth rate of 21%-22% over the prior fiscal year. Non-GAAP income from operations is expected to be between $1.036 and $1.040 billion.
We expect fiscal 2026 non-GAAP net income attributable to CrowdStrike to be between $950-$954 million. Utilizing a 21% tax rate and approximately 256 million weighted average shares on a diluted basis, we expect non-GAAP net income per share attributable to CrowdStrike to be in the range of $3.70-$3.72. George and I will now take your questions. Thank you. If you would like to ask a question, please click on the raise hand button, which can be found on the bar at the bottom of your Zoom window. You may remove yourself from the queue at any time by lowering your hand. When it is your turn, you will hear your name called and receive a message on your screen notifying you that you may unmute yourself. In the interest of time, participants will be limited to one question.
Our first question will come from Brian Essex with JPMorgan. Please unmute and ask your question. Great. Thank you for taking the question and nice results. And Andy, congratulations on the new role. You know, maybe for George, great to hear the acceleration in the endpoint segment of the business. And I know you guys aren't giving any update until year-end on the emerging segments of the business, but could you offer a little bit of color on how those segments are behaving as you kind of wrap the initial CCP initiatives of last year? And then maybe for George, I mean, maybe for Burt, I know you're not offering any kind of impact from Pangea and Onum on ARR, but any sense of the seasonality, organic seasonality for net new ARR? Thank you. Hey, Brian, thanks.
Yeah, when we look at, obviously, the emerging products, which was the heart of your question, they performed fantastic. If you look at Next-Gen SIEM, it's been an all-star standout for us. We've seen just incredible results from a customer perspective and what they're able to do and driving down the cost and get better outcomes. Identity as well, that's key to securing the AI in an enterprise. And then, obviously, cloud, we talked about some of the big wins throughout the quarter. So when we look at those segments, and as you mentioned, we'll be reporting out on those next quarter, we're very, very pleased on the results. And customers are embracing the technology and the consolidation the single platform delivers. So from that standpoint, I think we're very happy. And then as we wrap the CCP, CCP was designed to do exactly what we delivered, right?
We helped customers through a situation, and also we provided a way to accelerate Flex adoption. And we've seen that with our Flex license adoption throughout the quarter, which we called out. And then, obviously, we had a fantastic endpoint quarter, which continues to help drive all the other modules. So overall, I couldn't be happier with the quarter that we just put up. Yeah, and on your question with respect to Pangea, I think that I called out that we have got a de minimis impact from both the revenue standpoint and net new ARR. And we're excited that those are going to roll into the platform in Q4. So that's how we think about it. Thanks for the question, Brian. Operator, our next question. Your next question will come from Sakat Kalia with Barclays. Okay, great. Hey, guys, thanks for taking my question.
Great quarter, and congrats, Andy. George, maybe for you, I just want to pick up on your comment earlier on SIM. It feels like the SIM market is starting to see more velocity of displacements. Can you just maybe talk about what sort of value you're able to capture in those opportunities compared to what customers were maybe spending before? And then maybe relatedly, how do you kind of think about the timetable for legacy SIM renewals in the coming quarters, years, which, of course, I imagine you'd be targeting? Thanks. Yeah, so I'll try to wrap this up into one answer here. But Sakat, let me just kind of lay this out. If you look at the journey that we've been on and how we've been able to replace legacy AV, it feels a lot like that market in the early days when we think about replacing legacy SIM.
Customers are looking for better outcomes. They're looking for faster results, and they're looking for lower cost. And because we already have the EDR data in the platform, we can offer disruptive pricing versus our competitors. The stickiest data that's out there is the EDR data, and we already have it. And really, what it becomes is a journey to activate Next-Gen SIEM for our customers. So when we think about the opportunity to work with customers and how we get in and the opportunity going forward, keep in mind, all of our customers are Next-Gen SIEM enabled. All of our customers are Next-Gen SIEM enabled. It's a huge difference between us and everyone else in the marketplace. And all we need to do is go through the licensing exercise, and Flex is helping to accelerate that.
So we can offer competitive, disruptive pricing, and then overall grow our total wallet share with a customer over time. So it's a multi-year, long-tail journey that feels very similar to the displacement of legacy AV. Very helpful. Thanks, Sakat. Thanks, Sakat. Operator, next question. Your next question will come from Matt Hedberg with RBC. Great. Thanks for taking my question. Congrats from me as well on the quarter, and Andy, to you as well. George, building on your Next-Gen SIEM success and Onum, and a little bit related to Sakat's question, do you see a further push into observability? Obviously, there's been some movement with some of your cyber competitors to go deeper into observability. Just curious on kind of how you view that market, and is that a consolidation opportunity for you as well? Well, we do view it as a consolidation opportunity.
I'll remind everyone on the call that when we acquired Humio, which became LogScale, 50% of their business was actually in observability. So we have all of the technology. In fact, because the platform is collecting so much data and so much telemetry, we have customers today that are using it for observability use cases. You combine that with our agent technology, which does deep inspection within its platform, and we have data that goes well beyond security data that is already being consumed by customers. Then you combine that with Onum, the pipelining technology, the data fabric, which again has the ability to take IT data. We have a fantastic opportunity in front of us to consolidate in those areas, which, again, this is nothing new to us.
We've actually been doing this, and this has been part of our selling motion as well as what customers are embracing. So it's already there, and there's certainly more that we can do, and certainly more we will do. Great. Thanks, Matt. Operator, next question. Your next question will come from Gabriela Borges with Goldman Sachs. Hi, good afternoon. Thank you. Question for Burt. So CrowdStrike has years and years of data on customer cohorts and how your customer cohorts typically expand with you over time. You've now got several quarters of data on Flex and how the Flex customers expand with you over time. There's a piece of this which is structural, which is making it easier for customers to consolidate with you.
But I'm wondering if there's also a dynamic where you've seen elevated tailwind to NRR for a period of time because of Flex and Flex starting with your best and most excited customers, and then perhaps normalizes lower. So my question for you is, how do you think about that dynamic? How do you think about the tailwind that Flex is driving in the model and how sustainable that is? Thank you. Thanks, Gabriela. So the way I think about this is our Flex licensing, it's continuous. Net ARR will be continuous throughout time. And the beauty of this whole program is that it's designed for customers to easily buy more. So over time, we're excited about the opportunity as we bring more products to market and offer more availability to our customers easily.
And I think that's the biggest piece that everybody on the call should just remember is that that's exactly what Flex was designed to do. Make it easier for customers to buy, make it very easy for us to be able to deploy, and be able to give value and lower TCO. That's how we think about it. And the benefit is that we're seeing bigger deals and longer deals. And that's all good for us, and it's great for the customers. And I think what I think the most important thing is, and not get lost in things I've just said, is consolidation. We started this company talking about consolidation, the ability for customers to do more with us, spend more with us, and lower their total TCO, but spending more with us. So I think that's the biggest point that I want to drive home. Thanks, Gabriela.
Operator, next question. Your next question will come from Dan Ives with Wedbush. Yeah, thanks. And also congrats on the Mercedes deal, George. Can you just talk about AI? As you're starting to see more and more deployment, talk about how that's changing the conversations with customers, even over the last three, six, nine months relative to where CrowdStrike sits. Can you just maybe just give some insight into how those have changed from your perspective? Yeah, great. Thanks, Dan. Thanks, as always. Yeah, when we think about the conversation of AI, what customers have realized is that CrowdStrike is probably the only company in security that's moved beyond chatbots. And what I mean by that is Charlotte AI and its related agents are deeply embedded into the platform.
At our last Falcon in Europe, we talked about 11 AI agents and AgentWorks, which allows our customers to actually create their own security agents, which we think is going to be a massive opportunity for us. So it's moved from chatbots to actual doing work. And this is something that we continually hear differentiates us from our competitors. Our competitors are still stuck on chatbots where we've done the orchestration within the platform. We've created models around each of our modules, and we're delivering results. Things that would take four days of work, we're delivering in minutes for customers. And at the various events that I was at, both in Las Vegas for Falcon and in Europe for our Falcon in Europe, I had customers talk about just the evolution of Charlotte, the maturation of it, and how it's become a key part of their success and their SOC.
It gets back to what I've said earlier. CrowdStrike has become the operating system for the SOC, and Charlotte is a big piece of it. All right, thanks, Dan. Operator, next question. Your next question will come from Joseph Gallo with Jefferies. Hey, guys, thanks for the question, and congrats, Andy, on the new role. It was awesome to see you guys maintain the fiscal 2027 net new ARR growth of 20% on higher numbers. You mentioned several key components of the business accelerated in 3Q. Is there one or two products that you think have an outsized growth impact for upside next year? And then as a part of that, security for AI feels necessary, but very early. Is that accounted for in your preliminary fiscal 2027 guidance, or is that more longer term? Thank you. Yeah, sure.
So I think when we look at next year, again, seeing the momentum that we talked about with Next-Gen SIEM, again, it's an all-star product. It delivers a lot of value, which is key in this market when you're talking about consolidation. And it's enabling customers to do things that they haven't been able to do. And I think one of the areas that maybe is really not appreciated is that many organizations of all sizes are making a decision in the past to not collect certain data because of the cost. With CrowdStrike, we can actually open the aperture, and we can provide value to collect all that data. So in general, we're expanding the wallet share, but we're giving them more value because we're collecting data they've never seen, and we're giving them outcomes that weren't available to them previously.
So I would look at that as an all-star. I would look at cloud. We look at the displacements that we talked about in the call. We talked about the runtime protection, which is key. Customers want that protection. And then we look at Falcon Shield, which is, again, cloud and identity, but it is a key technology to help protect the SaaS application. So these are all fantastic opportunities for us in the coming year, and we'll continue to double down on them. All right, thanks, Joe. Next question, please. Your next question will come from Fatima Boolani with Citi. Fatima, you may unmute and ask your question. Oh, here I go. Thank you for taking my questions. George, I wanted to direct this to you. You gave us a lot of information about your strengthening partnership with AWS.
Your proximity to AWS as a customer and a very, very strategic partner has only cemented further. So I wanted to ask you a very high-level strategic question. This proximity that precludes you or influences you or potentially maybe even complicates your relationship with other hyperscalers and your customers who would typically, presumably, have multi-cloud infrastructure footprints would love for you to sort of dive into some of those dynamics a little bit, again, just by virtue of the strengthening partnership with AWS and the availability of the full Falcon suite in a very deep integrated way inside AWS. Thank you. Yeah, so first, we couldn't be more excited about this partnership, and really, I mean, I think this is something that's going to be incredible for AWS customers as well as customers at CrowdStrike.
And the fact that now natively, you can actually flow data from AWS into Next-Gen SIEM. It's right in your console, and it's going to be a tremendous enabler for new customer acquisition. And it's a needed technology for AWS customers. So overall, fantastic relationship, and we're excited to be deeply integrated. And when we think about the current environment, as you know, there's always an area to cooperate with many different companies that are out there. Just look at the AI space and how many people work with different companies that are out there. I think if you look at that and you apply it to security, of course, we're going to work with other players that are out there. They're going to leverage the best technology in the market, which is CrowdStrike. And we're there to support all of our customers and potential partners.
So it doesn't preclude us from doing that. But again, I think this reinforces what a great relationship we have with AWS, how we've been able to partner with them, not only in the technology side, but also in the marketplace. And you've seen the evidence of that by the awards that I called out. So overall, extremely excited about what the future brings. Thanks, Fatima. Operator, next question, please. Your next question will come from Matthew Marshall with Morgan Stanley. Great, thanks. You noted core EDR acceleration in the quarter, and you kind of noted AI as a catalyst for that. But just, is that kind of more endpoints getting protected as they become more intelligent, or just existing customers looking to modernize as part of general AI adoption? Sure. When you think about endpoints and the adoption of AI, a lot of it takes place at the endpoint.
Think about all of the various technologies that are out there where people are running these as a user on their endpoints. I mean, we've seen some big announcements from consulting firms and others that are leveraging AI in their business because they have to, and they have to drive efficiency. So what that means is that that creates opportunities and exposure for companies. So they're going to need to monitor what sort of queries go in. They're going to need to monitor what data comes out. They're going to need to monitor what other services are connected into those AI desktop technologies. And that becomes another threat factor. So this becomes a catalyst. Again, I think this is underappreciated as a new risk factor that we hadn't had over the last number of years. Now, with the adoption of this, this isn't AI creation. It's AI adoption.
And that's, I believe, is going to be a massive market opportunity for us. So that's where we see that. And overall, as I always say, 50% of the market is still legacy AV, and there's still a long runway in the endpoint business to be able to take that legacy market share. Thanks, Mita. Operator, next question, please. Your next question will come from Patrick Colville with Scotiabank. All right, thanks, Andy, for having me on. I guess this one's for George. I want to ask about discounting levels. Because if I think about this time last year, we had the CCP program, but we also had CrowdStrike very correctly being aggressive to cement and extend its position through discounting. That was the right strategy, and these results prove that.
But as I think about the quarter we've just had, fiscal 3Q, and as we look towards fiscal 2027, I guess, can you just talk about how you're thinking about just discounting and normal course of business discounting? Are those levels going to diminish over time as we have the Falcon outage further and further in the rearview mirror, and your position's looking very strong? Sure. Well, I think when you look at this market and you look at, say, enterprise sales, I mean, there's always some level of discounting. That's not unique to us. It's not unique to security, and it's not unique to software companies. It just happens as a normal course of business. And I think we've been very prudent in how we operate in those areas.
And we've tried to focus on things like CCP, which, again, allow customers to take new technologies in, but protect the price point and allow us to basically capture them in a flex opportunity. So we're going to use the tools available to us to be competitive. We continue to take share. We continue to drive new customer business. And we don't see anything out of the normal course of business, but we've got various tools in our toolbox, and we tend to use those judiciously and, again, where it makes sense for us and for the customer. And that just drives the growth that you've seen. And I'll also point out the 81% gross margin. You have to look at the margin as well. And we've been able to be successful, and we've been able to protect the margin. Thanks, Patrick. Operator, next question, please.
Your next question will come from Eric Heath with KeyBank. Hey, great. Thanks for taking the question. Nice set of results. George, I wanted to ask about the partnership with F5. I thought that was pretty interesting. But correct me if I'm wrong, but I believe this part of the infrastructure stack historically was never able to support endpoint agents before. So does this expand the endpoint TAM? How meaningful can this be? And are there other areas of the infrastructure stack you think this is applicable to? Yeah, this is a great and insightful question. I'm really glad that you asked it because it does. And what we've seen over the years is that customers have been asking for a long time to protect these appliances.
In many cases, the appliances have not been available to us, the underlying operating system, if you will, to be able to protect, but there's been a huge demand there. We worked with F5 in great partnership and very quickly to be able to certify our agents to run on their platform. We do think that this will create a working model that will open it up to other appliance vendors to be able to have it protected. I can tell you just some anecdotal stories. There was a story just last week of a non-customer who never used CrowdStrike, had the opportunity to actually use our technology because of F5, and was blown away. Within a week, we had him in an EBC, and now we're getting into a proof of value.
So this play works, and we're going to expand our market and be very forward-leaning in being able to protect other appliances that are out there, which you probably have seen are the tip of the spear for many of these nation-state breaches. Thanks, Eric. Operator, next question. Your next question will come from Roger Boyd with UBS. Great. Can you hear me okay? Yes. Awesome. Well, congrats, Andy, on the new role. I wanted to double-click on the Kroll partnership. I know MSP has been a growing part of the channel for CrowdStrike for the past couple of quarters. Can you walk us through that longer-term opportunity as you expand with Kroll and other beyond kind of the initial endpoint landing spot? Thanks. Sure. Yeah. We were excited about this opportunity. We took out another EDR vendor that was in there.
We're providing a much better solution for them and their customers. And they're in a segment that allows us to bring our technology too. There's a lot of incident response engagements they're doing. They're part of the insurance panels. And it opens up a market opportunity with one customer and just accelerates our ability to penetrate that. So these are the type of models that we like to create. We've been very successful in the MSSP market. This is just another proof point of us working with customers like Kroll and the reach that they have and the trust that they have. So the idea is to create more Kroll opportunities and certainly grow the opportunity that we have with Kroll, which I feel very confident we will. Thanks, Roger. Operator, next question. Your next question will come from Tal Liani with B of A. Hi, guys.
You're a $5 billion revenue company, and you only provide one number, revenue or ARR. There's no breakdown. So I'm trying to understand a little bit of the kind of any segmentation of your revenues. And the question I have is, can you discuss verticals like contribution of SMB and trends in SMB, kind of new market opportunities that were not in your core before and how you're addressing them, and also new customers versus upsell to existing customers? Are you disclosing NRR and GRR? I know you stopped doing it a few quarters ago. Thanks. Actually, let me take the last part of your question first. So basically, we are going to be giving out dollar-based net retention and gross retention rates at the end of the year. So that's what we've talked about, and we will do that at the end of Q4.
We do it every Q4. So I think you'll get that information. Now, with respect to breaking out how we think about our business, whether it's enterprise or SMB or MSSP, the great news about our business is that we sell all of it. We're successful with all of it. We're successful with small deals. We're successful with large enterprise deals. And for us, we have that great technology that it's the same. It's the same technology for if you're a five-person shop or you're the largest company in the world. And the beauty of how we're able to deliver our technology is that it's up and running in seconds. So when you think about segmentation, you think about who we sell to, it really is everybody. Our ability and our success is agnostic. We are really driving new wins and displacing competitors on a daily basis.
And for us to continue to invest in the business, for us to be able to continue to make sure that we're able to deliver in a very timely manner, these are the successful things that we look at to be able to sell to all of our customers, whether big or small. So we're excited about that. And we're also rare in the entire security community to be able to do that successfully. All right. Thanks, Tao, for the question. Operator, next question. Your next question will come from Mike Cikos with Needham. Hi, this is Jeff Hobson on for Mike. Thank you for the question. With the increased amount of M&A activity and security we've seen this year, including CrowdStrike recently, how are you guys approaching the buy versus build when it comes to a technology like AI that's developing pretty quickly? Thank you.
When we look at the market, certainly there's a lot of activity out there. It probably isn't a week that goes by that we don't talk to some bankers that are talking about other companies. The great news is we've got a tremendous balance sheet. We're in a fantastic position to be able to build or buy or partner. I think we've been very thoughtful about our acquisitions. A big part of our strategy has been the integration. When you look at Pangea, we're really starting to sell that in Q4 because we wanted to take the time and effort to integrate it. It's not just kind of stitched together. The single platform, which I talked about, is very important to our customers. We're going to continue to be thoughtful.
We're going to continue to buy what we perceive as best-of-breed in the market, not legacy technologies. We're going to integrate them, which is part of our customer brand promise. And we're going to continue to grow them within our sales motion and the channel that we built. So we'll be opportunistic, but we'll also be very strategic in what we buy. All right. Thanks for the question. Operator, last question, please. Your last question will come from Adam Borg with Stifel. Awesome. And thanks so much for the question, and Andy, congrats on the role. Maybe just on the identity business, it's great to hear the stronger quarter there qualitatively. I know we've talked in the past about PAM being almost like a 1.0 product. Love to hear more about how you're thinking about that product in particular and the maturity in coming quarters. Thanks so much.
Yeah. So identity, as we mentioned, is super important in an AI era, something we got into many years ago, and we continue to evolve that. And we've seen some really nice wins specific to our PAM technology. We have to look at what customers are telling us and basically skate to the puck of where they're going, which is they're looking for more modern identity solutions. They're looking for solutions that can do just in time and some of the kind of legacy vaulting they'd like to move away from. So those are areas of focus for us. We'll continue to build out our identity stack. It's been very successful for us, but certainly there's more to do. There's more to build out, and there's more opportunity in front of us. The good news is there's demand from customers, as you've seen lots of market movement.
And as customers think about what they're going to do next, they want to make sure they set themselves up for really in the next era of agentic identity, and CrowdStrike will be there for them. This concludes today's question and answer session. I would now like to turn the call back to George Kurtz for closing remarks. Thanks, everyone, today for your time. We appreciate your continued support. We'll actually be presenting at the UBS conference tomorrow. And a live webcast and replay of the presentation will be available on our IR website. And we look forward to seeing many of you at the conference. So thanks so much. Stay safe, and we'll talk soon.