FEATURED

CrowdStrike Just Had Its Best Year

Key Takeaways

• CRWD closed at $546.18 on May 12, 2026 — within ~4% of its 52-week high of $566.90 — after a ~59% rally off its April low of $342.72, far outpacing the broader software sector year-to-date while the iShares Expanded Tech-Software ETF (IGV) remained deeply negative.
• Q4 FY2026 revenue hit $1.31B (+23% YoY); full-year FY26 revenue reached $4.81B (+22%). Ending ARR crossed $5B for the first time in company history, closing at $5.25B (+24% YoY). Net new ARR of $330.7M in Q4 grew 47% year-over-year — an all-time company record. Full-year net new ARR topped $1B for the first time at $1.01B (+25% YoY).
• Falcon Flex ARR reached $1.69B, up 120%+ YoY, signaling rapid enterprise platform consolidation. Gross retention held at 97%; dollar-based net retention at 115%. Non-GAAP operating income for FY26 hit $1.05B — the first time CRWD crossed the billion-dollar operating income milestone.
• FY27 guidance: revenue $5.87B–$5.93B, ending ARR $6.47B–$6.52B (+23–24% YoY), non-GAAP EPS $4.78–$4.90. Q1 FY27 ARR guided to $5.502B–$5.504B with net new ARR of $249M–$251M. Q1 FY27 earnings confirmed for June 9, 2026 after market close.
• Project QuiltWorks — launched April 23 and expanded May 5 — now includes Accenture, Anthropic, Armadin, Cognizant, EY, HCLTech, IBM, Infosys, Kroll, KPMG, NTT DATA, OpenAI, Tata Consultancy Services, and Wipro, backed by 10,000+ certified professionals. In an early use case, an EY Fortune 100 customer identified nearly 45 million previously undetected vulnerabilities within hours of deployment.
• On May 11, 2026, Google’s Threat Intelligence Group confirmed the first AI-developed zero-day exploit caught in the wild — a criminal group used an AI model to discover and weaponize a 2FA bypass targeting an open-source web administration tool, with plans for a mass exploitation campaign. Google worked with the vendor to patch quietly before the campaign launched. Neither Gemini nor Anthropic’s Mythos was used.
• Valuation is the live tension: CRWD trades at ~112x forward earnings and ~28x price-to-sales (Morningstar, May 12). Consensus from 46 analysts rates the stock Buy with an average 12-month target of ~$507 — the stock has already run well through that level. $85M in recent insider selling warrants attention at these multiples.

The AI-kills-cybersecurity thesis had momentum for about four months. The market sold first and asked questions later. Then the questions started getting answered in ways nobody expected.

From its April low of $342.72 to a May 12 close of $546.18 — roughly 59% — CrowdStrike has staged one of the more decisive recoveries in large-cap software this cycle. The S&P 500 has been grinding its own comeback, logging six consecutive weeks of gains through May 9, but the cybersecurity sector’s move feels different. It’s not just broad risk-on rotation. Something structural shifted in the argument, and the market picked up on it faster than most analysts did.

Two things happened in close succession that reframed the entire debate — and a third thing happened on May 11 that may have settled it, at least for now.

The Catalyst Stack

On April 7, Anthropic announced Project Glasswing — a cross-industry defensive cybersecurity coalition built around its unreleased Claude Mythos Preview model. The coalition includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks as launch partners, with access extended to more than 40 additional organizations managing critical software infrastructure. Anthropic committed up to $100M in model usage credits and $4M in direct donations to open-source security organizations.

The reason this matters isn’t the headline partnership — it’s what Mythos Preview has already done in testing. The model identified thousands of high-severity and zero-day vulnerabilities across every major operating system and web browser. Anthropic’s own framing was direct: AI coding capability can now exceed all but the most elite human security researchers at finding and exploiting software flaws. Notably, Anthropic delayed Mythos’ full rollout specifically because it found critical vulnerabilities at a pace that raised serious concerns about adversarial misuse. CrowdStrike’s 2026 Global Threat Report documented an 89% year-over-year increase in AI-assisted adversary attacks. That number resets every assumption about the threat timeline.

Then on April 23, CrowdStrike launched Project QuiltWorks — its own industry-wide coalition combining frontier AI models from OpenAI and Anthropic with the remediation capacity of Accenture, EY, IBM Cybersecurity Services, and Kroll, backed by a certified professional network exceeding 10,000 practitioners. The Falcon platform — processing trillions of security events daily — sits at the center, applying adversary intelligence to determine which vulnerabilities are actually reachable and exploitable in a given enterprise environment. That distinction matters: identifying vulnerabilities is the easy part. Knowing which ones are exploitable in your specific environment, right now, is where the real value lives.

What happened next is worth noting separately. On May 5, CrowdStrike expanded Project QuiltWorks significantly — adding Armadin, Cognizant, HCLTech, Infosys, KPMG, NTT DATA, Tata Consultancy Services, and Wipro to the coalition, extending its global delivery reach across industries and regions. The coalition also integrated Anthropic’s Claude Opus 4.7 directly into the Falcon platform to accelerate AI-powered vulnerability discovery. And in one early real-world result that stood out: an EY Fortune 100 customer using QuiltWorks identified nearly 45 million previously undetected vulnerabilities within hours of deployment — many of which had gone unnoticed for years. That’s not a marketing number. That’s a demonstration of what frontier AI-powered scanning does at scale that traditional tools simply can’t.

Slight tangent, but it connects directly to enterprise spending decisions: the EU AI Act’s next compliance phase takes effect August 2, 2026, introducing mandatory cybersecurity requirements for all AI systems classified as high-risk, automated audit trail mandates, incident reporting obligations, and penalties up to 3% of global annual revenue for non-compliance. Every major enterprise operating in Europe is working through that right now at the board level. CrowdStrike is positioned to be part of that answer.

Then May 11 happened — and it changed the entire conversation.

Google’s Threat Intelligence Group published a report confirming what the security community had been anticipating but hoping to delay: the first documented real-world case of a criminal threat actor using an AI model to discover and weaponize a zero-day vulnerability in a planned mass-exploitation campaign. The exploit — a 2FA bypass targeting a popular open-source web-based system administration tool, implemented in a Python script — bore all the hallmarks of AI-generated code: educational docstrings, a hallucinated CVSS score, and a clean, textbook-style Pythonic format characteristic of large language model output. GTIG confirmed they had high confidence an AI model was used to both identify the semantic logic flaw and turn it into a working exploit. Notably, Google confirmed neither Gemini nor Anthropic’s Mythos was the AI involved. Google worked with the vendor to quietly patch the vulnerability before the campaign could launch, which it believes may have disrupted the operation before it gained traction.

John Hultquist, chief analyst at GTIG, was direct: the discovery is “probably the tip of the iceberg.” The threat group involved has “a strong record of high-profile incidents and mass exploitation” — this wasn’t a low-capability actor experimenting. And separately, GTIG documented North Korean crew APT45 running thousands of automated CVE prompts through AI models to bulk-validate exploits at industrial scale, and Chinese state-linked operators experimenting with AI for systematic vulnerability hunting. The picture is clear: AI-weaponized attacks are not a future risk. They’re current.

This is the structural argument for CrowdStrike, and it’s getting harder to dismiss: more sophisticated AI-powered attacks require defenders with better data and faster response capability. CrowdStrike’s Falcon dataset — built from trillions of daily security events across a massive installed base — is the training and detection advantage that competitors can’t replicate quickly. The moat widens as attack sophistication increases.

The Numbers

The macro argument is compelling, but the underlying numbers have to support it. Here’s what the Q4 FY2026 report — released March 3 — actually delivered.

Total Q4 revenue of $1.305B grew 23% year-over-year, beating consensus. Subscription revenue — the core recurring engine — hit $1.242B (+23%). Professional services came in at $63.1M (+26% YoY), driven by the elevated threat environment. Non-GAAP subscription gross margin expanded to 81% from 80% in Q4 FY25. Non-GAAP operating income hit $325.8M for the quarter, up 45% YoY — the third consecutive quarter of record operating income. Full fiscal year 2026 revenue reached $4.812B (+22% from $3.95B the prior year). Full-year non-GAAP operating income exceeded the $1 billion milestone for the first time at $1.05B. Full-year free cash flow reached $1.24B, a 26% margin.

Ending ARR crossed $5B for the first time in company history, finishing at $5.25B — up 24% year-over-year and accelerating from 23% growth the prior quarter. Net new ARR of $330.7M in Q4 alone grew 47% year-over-year, an all-time record. Full FY26 net new ARR topped $1B for the first time at $1.01B (+25% YoY). Falcon Flex ARR reached $1.69B (+120%+ YoY) — signaling rapid platform consolidation among large enterprise accounts that have adopted the consumption-based subscription model.

Retention metrics are worth attention. Gross retention held at 97%. Dollar-based net retention was 115%. At $5B+ ARR scale, those numbers are exceptional — existing customers are expanding faster than they churn, and the base is durable even in a choppy macro environment. Module adoption continued climbing: 50% of subscription customers using six or more modules, 34% using seven or more, 24% using eight or more. The platform consolidation story is real and measurable in the data.

CFO Burt Podbere noted the Q1 FY27 pipeline entering the fiscal year grew 49% year-over-year — a record. Free cash flow margin guidance for FY27 is at least 30%, with Q1 specifically guided at approximately 33%. That’s the profile of a platform scaling into profitability, not a growth story running on fumes. Rule of 40 metric for FY26 came in at 47, combining 22% revenue growth with a 26% free cash flow margin.

FY27 full-year guidance: total revenue $5.87B–$5.93B (+22–23%), ending ARR $6.47B–$6.52B (+23–24%), non-GAAP EPS $4.78–$4.90. Q1 FY27 guided to revenue of $1.360B–$1.364B, ARR of $5.502B–$5.504B, and non-GAAP EPS of $1.06–$1.07. Q1 FY27 earnings are confirmed for June 9, 2026 after market close — that’s the next major event on the calendar.

CEO George Kurtz’s long-term target remains $20B in ending ARR by fiscal year 2036. From $5.25B today, that’s roughly a 4x over a decade — ambitious, but not disconnected from the underlying growth rate if the AI security spend environment holds.

Sector Context and Competitive Positioning

The broader cybersecurity sector is beginning to move out of what JPMorgan and CNBC flagged as the “SaaSpocalypse” — a fear-driven selloff where investors priced in AI cannibalizing traditional SaaS security providers. JPMorgan highlighted software names it considers to be breaking out of that compression in early May, with cybersecurity leading the move. The iShares Expanded Tech-Software ETF (IGV) remains well below its January levels, making CRWD’s individual performance even more notable in context.

Palo Alto Networks is the closest comparable — also a Glasswing launch partner, also operating a platform consolidation model — and Zscaler and Okta remain relevant in identity and zero-trust architecture. But CrowdStrike’s differentiation is the Falcon data asset: trillions of events processed daily across a massive installed base, feeding AI models with adversary intelligence that competitors can’t replicate quickly. That advantage grows as AI-powered attack sophistication increases, because better attacks require better threat intelligence to train effective defenses.

CrowdStrike was also named a Leader in the inaugural 2026 Gartner Magic Quadrant for Cyberthreat Intelligence Technologies and named Frost & Sullivan’s 2026 Company of the Year for Identity Threat Detection and Response. CrowdStrike also announced Falcon OverWatch for Defender on May 5, bringing AI-powered threat hunting to Microsoft Defender endpoint customers — a move that extends Falcon’s presence into enterprises that are standardized on Microsoft tooling without forcing full platform replacement. These aren’t price catalysts in isolation, but they reinforce enterprise buying decisions and deepen the partner ecosystem.

Technical Structure

CRWD closed at $546.18 on May 12. The confirmed 52-week range is $342.72 to $566.90. The all-time closing high is $557.53, set November 10, 2025 — the stock has nearly reclaimed that level on this recovery leg and is trading at $544–$546 in mid-May intraday sessions.

Short-term moving averages have crossed above long-term moving averages, a broadly constructive signal. A pivot bottom signal triggered in late March, and the stock has rallied approximately 47–59% off that level depending on the reference date used. MACD on the 3-month timeframe is in positive territory with volume rising alongside price — both consistent with a trend that has institutional participation, not just retail momentum.

Key levels worth monitoring: resistance sits in the $552–$566 zone, which encompasses the 30-day high ($552.43), the all-time closing high ($557.53), and the 52-week intraday high ($566.90). A sustained weekly close above $566.90 would open the path toward the $597 area — the next projected resistance band based on prior volume structure. On the downside, $505–$507 is the first meaningful support level — prior resistance turned potential floor. Below that, $426–$434 represents a secondary support zone from accumulated volume. A weekly close below $505 would constitute a meaningful change in the technical picture and warrant reassessment of near-term positioning.

One note worth flagging: RSI has been elevated on shorter timeframes after a 47%+ move in roughly six weeks. Elevated RSI doesn’t forecast a reversal — it simply means any sideways consolidation would be constructive rather than concerning. The stock doesn’t need to keep moving to remain in a technically healthy position.

Scenario Modeling

Bull Case — CRWD sustains above $550 and breaks through the $557–$566 resistance zone on a weekly closing basis before or shortly after the June 9 Q1 FY27 report, supported by Q1 ARR beating the guided $5.502B–$5.504B range, Falcon Flex adoption accelerating further, and continued enterprise AI security budget expansion. In this scenario, $597 becomes the next target on a 3–6 month view, with a path toward $630–$650 if the AI security spend environment sustains institutional conviction. Specific catalysts that could accelerate this move: Q1 beat with raised FY27 guidance, additional major AI coalition additions, or a high-profile enterprise breach event that pulls forward competitive replacement cycles.

Base Case — CRWD consolidates in the $505–$566 range through the June 9 report, with Q1 results meeting but not materially exceeding guidance. The stock absorbs its 47%+ recovery move, trades between institutional buyers and profit-takers at the top of the range, and uses the earnings event as the next directional catalyst. This is the most probable near-term outcome given the magnitude of the recovery and elevated RSI on shorter timeframes. Traders with existing positions manage risk around the $505 support level; new entries consider waiting for either a confirmed breakout above $567 or a constructive pullback toward $510–$525.

Bear Case — Q1 FY27 earnings on June 9 disappoint relative to the current implied expectations — either ARR growth decelerates below the 23–24% guided range, net new ARR misses the $249M–$251M target, or management issues conservative guidance that implies deceleration in the back half of FY27. A miss at these valuation levels — 112x forward earnings, 28x price-to-sales — would be dealt with quickly. First move on a breakdown would be toward the $505 support zone, with a secondary test of $426–$434 possible if institutional conviction erodes. Macro risks also apply: any renewed tech rotation toward value, a risk-off event, or unexpected execution issues could compress multiples regardless of the fundamental thesis.

Active Trader Framework

Here’s where discipline matters most — because CRWD is not a low-volatility name at current levels. The stock moves. Average true range over recent sessions has been significant, and any earnings-adjacent positioning requires explicit risk parameters before the trade is placed.

For existing long positions: the $505–$507 level is the logical stop reference on a weekly closing basis. A sustained break below that level changes the technical picture and warrants reassessment. Above that, the trend remains intact. Partial profit reduction in the $550–$566 resistance zone is rational risk management — it acknowledges that the stock is approaching a historically significant price level after an extended move, not a directional call on the business.

For traders considering new exposure ahead of June 9: the risk/reward calculus gets more complex the closer you get to the earnings event. Options pricing will reflect elevated implied volatility as the date approaches — making defined-risk structures (spreads rather than outright long calls) more appropriate for most frameworks. The implied volatility crush risk post-earnings is real regardless of which direction the stock moves on the day.

Key levels through June 9: $566.90 on the upside (52-week high / primary resistance), $552.43 (30-day high / near-term resistance), $505–$507 (first support / former resistance), $426–$434 (secondary support from accumulated volume). CRWD has historically made large post-earnings moves in both directions. Volatility expectation is elevated. Position sizing that accounts for that reality isn’t optional — it’s the only way to stay in the position long enough for the underlying thesis to play out.

One more data point worth flagging: the consensus analyst average target across 46 firms sits at approximately $507 (StockAnalysis, May 12) — the stock has already run well through most of those targets on this recovery. That creates a dynamic where analyst upgrades and target raises become potential additional catalysts, as firms update their models ahead of and after the June 9 results.

The Honest Risk Picture

Valuation is the real question here, and there’s no clean answer. At 112x forward earnings and approximately 28x price-to-sales, CRWD is priced for sustained execution. The company has earned a premium — the ARR growth rate, the retention metrics, the platform consolidation data, and the AI security spending environment are all legitimate tailwinds. But stocks priced for perfection are unforgiving when anything goes wrong.

$85M in recent insider selling is worth noting — not as a definitive red flag, but as a data point. Insiders are choosing to realize gains at these levels. That’s not unusual after a 59% recovery off the lows, but it’s worth factoring into the conviction equation alongside everything else. Morningstar’s fair value estimate of $671 (as of March 2026) implies upside from current levels, but with a “Very High” uncertainty rating — meaning the range of reasonable outcomes is wide.

The AI-kills-security thesis was probably wrong. The AI-accelerates-the-threat-surface thesis — and therefore the security spending thesis — is getting confirmed in real time, most recently by Google’s own researchers on May 11. But the valuation math still demands near-perfect execution quarter after quarter. That tension — between a structurally differentiated platform in a genuinely expanding market and a multiple that doesn’t tolerate error — is exactly what makes this stock worth watching closely rather than dismissing in either direction.

June 9 will answer a lot of the outstanding questions. Preparation is what matters between now and then.

For informational and educational purposes only. Not investment advice. Trading involves risk, including loss of principal.