There have been some big surprises in the COVID-19 sell-off. One is that many of the stocks once considered richly valued haven't fallen nearly as much as the broad market.

I'm talking about software-as-a-service (SaaS) stocks. Never mind profits, a number of SaaS companies don't have any, and they still trade at sky-high price-to-sales ratios. In a way, it's disappointing -- we can't buy these stocks at bargain prices.

That won't stop me from loading up on shares of one SaaS cybersecurity company: CrowdStrike (CRWD). Believe it or not, the stock is actually up 17% year to date, far outpacing the S&P 500. But that's because the company's market opportunity is vast.


A quick introduction

There's little doubt that cybersecurity is important. The emergence of the coronavirus pandemic is only accelerating our realization of this fact. As more employees work from home, companies are scrambling to make sure their networks are secure.

That said, I normally shy away from cybersecurity businesses. The reason: The bad press from a single breach could bring a company to its knees. That type of binary event is enough to give me -- a mortal human with no ability to predict the future -- pause.

But CrowdStrike has a differentiated approach. In a way, it benefits from its customers being breached. That may sound confusing, but consider how CrowdStrike's technology works:

  • Whenever a CrowdStrike customer suffers a breach, the customer is alerted and data about the breach is sent to the company's AI mothership in the cloud -- The Threat Graph.
  • The Threat Graph immediately analyzes the breach and sends an update to all other CrowdStrike customers giving them immunity to further breaches of this type.

While that's just a view of the technology from 30,000 feet, it does point to a massive moat provided by network effects: With each additional customer CrowdStrike signs on, the software becomes more valuable for existing users. That's why I'm willing to make an exception when it comes to CrowdStrike and cybersecurity investments.

Stellar growth

It's becoming increasingly clear that those in the market for cybersecurity solutions understand the power of what CrowdStrike offers. Check out the company's results from the past three years:

| Metric | Fiscal 2018 | Fiscal 2019 | Fiscal 2020 | Growth Rate |
| --- | --- | --- | --- | --- |
| Customers | 1,242 | 2,516 | 5,431 | 109% |
| Annual recurring revenue | $141.3 million | $312.7 million | $600.5 million | 106% |
| Dollar-based net retention rate | 119% | 147% | 124% | N/A |
| Free cash flow | ($88.2 million) | ($65.6 million) | $12.5 million | N/A |

Data source: SEC filings. Growth rate = compound annual growth rate, or CAGR.

Let's digest what this means:

  • Customers: The number of customers joining the CrowdStrike ranks has more than doubled every year since 2018.
  • Sticky service: CrowdStrike offers 10 different modules. Existing customers are clearly adding more as the dollar-based net retention rate -- "which measures expansion in existing customers’ subscriptions over a 12 month period" -- is over 120%. That means annual recurring revenue should skyrocket.
  • Profitability: While CrowdStrike isn't profitable on paper, I'm not worried. It put money in the bank on a free-cash-flow basis last year.

These trends should make any growth investor salivate.

Inherently anti-fragile

Over the past five years, I've developed a framework for evaluating potential stocks. I've dubbed it the Antifragile Framework, and it has served me well. The idea behind antifragility is simple: I want to invest in companies that -- when exposed to random, hard-to-predict events -- will get stronger because of them.

I've already talked about how CrowdStrike gets more valuable when a client's systems are attacked. But consider this as well: Now that the company is free-cash-flow positive and has over $900 million in cash and no long-term debt, it is also flexible. It can take advantage of situations where rivals can be bought out or priced out of the market.

Finally, I'm a big believer in founder-led companies where executives have lots of skin in the game. The fact that these people would suffer -- financially and existentially -- from negative events leads me to believe they'll go the extra mile to protect shareholders from such occurrences.

I'm heartened that George Kurtz, who co-founded CrowdStrike, is still the CEO. He also owned over 10% of Class B shares after taking the company public last year.

Position your size accordingly

I'm somewhat indifferent to valuation. When a company has a wide moat (as CrowdStrike does) and optionality (it has 10 modules now, but I believe it will have more in the future), along with financial flexibility and a high level of skin in the game, I tend to ignore valuation.

That said, CrowdStrike trades for over 25 times trailing revenue and nearly 1,000 times trailing free cash flow. Also, I'm not a cybersecurity expert. So while I'll be buying shares of the company when Motley Fool's trading rules allow it, I'm limiting the position to no more than 4% of my holdings.

In the age of increased focus on cybersecurity, I believe CrowdStrike deserves consideration for your own portfolio.