CrowdStrike: The "Mythos Moment" Rewrites the Cybersecurity Growth Story — AIDR Could Be Bigger Than EDR
Q1 FY2027 Earnings Call, June 3, 2026 — Record ARR, Full-Year Guidance Raised 520 Basis Points, 4-for-1 Stock Split Announced
CrowdStrike delivered its most consequential earnings call in years, not simply because the numbers beat across the board, but because CEO George Kurtz made a credible case that the company is standing at a structural inflection point that could dwarf anything it has experienced since the early days of EDR. The two headline developments — a new AI-native security category called AIDR growing 250% sequentially in its first full quarters, and a 520 basis point raise to full-year net new ARR growth guidance — signal that something genuinely new is happening in enterprise demand, not just a cyclical uptick.
AIDR: The Most Important New Product CrowdStrike Has Ever Launched
The single most important takeaway from this call is CrowdStrike's introduction of AIDR, or AI Detection and Response, and Kurtz's assertion that it could ultimately be a larger market than EDR. That is an extraordinary claim from a company that essentially invented the EDR category and built a five-billion-dollar ARR business on it. The logic, however, is grounded in arithmetic rather than aspiration. Industry data suggests that enterprises will deploy an average of 90 AI agents per employee. Each of those agents runs on an endpoint, makes tool calls, accesses files, invokes APIs and moves data at the process level. As Kurtz explained, "to detect and respond to AI threats in real time, you need a runtime sensor where AI executes — that's Falcon."
The structural advantage is not subtle. Competitors can provide AI visibility at the application or API layer, but only a sensor sitting at the runtime layer can detect, block and respond to threats where AI actually executes. CrowdStrike already owns that real estate from its EDR installed base. AIDR ending ARR grew more than 250% sequentially, and the Q2 pipeline already exceeds $50 million. Kurtz noted this went from zero to that figure in under two quarters, adding, "In my career, I've never seen adoption happen this fast." With worldwide AI spending forecast to exceed $2.5 trillion and only a low single-digit percentage of organizations having an advanced AI security strategy, the gap between AI deployment and AI protection represents, in Kurtz's words, "the widest asymmetry in security since the cloud transition, and it's moving faster."
The Mythos Inflection: When Frontier AI Labs Called CrowdStrike First
The demand catalyst underpinning the guidance raise has a name: the Mythos moment. In April, Anthropic released a new frontier model with direct cybersecurity relevance — specifically its ability to chain multiple vulnerabilities to construct what Kurtz called "lethal cyber attacks." CrowdStrike was embedded from the start through Project Glasswing, a focused coalition of consequential companies assembled to ensure market readiness. Shortly thereafter, OpenAI launched GPT-5.5-Cyber, internally known as Daybreak, and selected CrowdStrike as a founding member of its Trusted Access for Cyber program. CrowdStrike is the only cybersecurity company selected by both Anthropic and OpenAI for their respective introduction programs.
The practical consequence was a demand wave that Kurtz described as unprecedented. "The thousands of interactions that we've had with customers on Mythos briefings and our Project QuiltWorks has been incredible," he said. QuiltWorks is CrowdStrike's industry coalition — now including Accenture, EY, IBM, Kroll, Cognizant, Infosys, Wipro, TCS, NTT Data, KPMG and HCL Tech on the services side, and Coalition, Liberty Mutual, Lockton, Resilience and Marsh on the insurance side — designed to mobilize enterprises through a phased process of vulnerability discovery, prioritization, remediation and board-level communication. One EY engagement with a Fortune 100 client uncovered more than 45 million vulnerabilities using Falcon Exposure Management and frontier models, simultaneously accelerating next-gen SIEM adoption within the same account.
Kurtz was direct about what changed at the strategic level: "For the first time in my career, the market's view of cybersecurity's role has shifted from being viewed primarily through the lens of risk management, compliance and protection to being recognized as a strategic accelerator and a critical enabler of AI adoption." CEOs, he noted, were calling their CISOs on weekends asking whether the Mythos threat was real. The boardroom has entered the conversation in a way that has no historical precedent in cybersecurity.
The Numbers: Records Across Every Major Metric
Against that backdrop, the Q1 financial results were unambiguously strong. Net new ARR came in at $255.8 million, up 32% year-over-year and above the high end of guidance. Ending ARR reached $5.51 billion, accelerating to more than 24% growth. Total revenue of $1.39 billion grew 26% year-over-year, marking the fourth consecutive quarter of sequential acceleration. Non-GAAP operating income of $325.7 million represented a 24% margin, up 530 basis points year-over-year. Free cash flow hit a record $468.5 million, or 34% of revenue, driving a Rule of 40 score of 59% — also a record, and the fourth consecutive quarter of improvement on that metric. CFO Burt Podbere noted that non-GAAP subscription gross margin reached a Q1 record of 81%, up 90 basis points year-over-year on continued cloud optimization.
The company also closed the acquisitions of SGNL and Seraphic in the quarter, contributing a combined $7.8 million of acquired net new ARR, within the stated $5 million to $8 million expectation. CrowdStrike repurchased $176 million in shares at an average price of $365.63, leaving approximately $1.3 billion under its repurchase authorization.
Guidance Raised Materially — But the Seasonality Shift Warrants Attention
The guidance revision is the most concrete expression of management's conviction. CrowdStrike raised full-year net new ARR guidance by $52 million to a midpoint of $1.291 billion, representing 27.7% year-over-year growth at the midpoint — a 520 basis point increase from prior guidance — and explicitly guiding for net new ARR growth to accelerate over FY2026. For Q2, net new ARR guidance is $284 million to $286 million, implying 28% to 29% year-over-year growth. Full-year revenue guidance is $5.915 billion to $5.959 billion, or 23% to 24% growth, with non-GAAP operating income of $1.452 billion to $1.48 billion.
One nuance worth noting is the seasonality revision. Management now expects 42% of full-year net new ARR to land in the first half and 58% in the second half. Given the Q1 outperformance, this implies a second-half weighted profile that is consistent with historical patterns but still leaves a meaningful portion of the annual raise to be proven out. Burt Podbere was straightforward in explaining that the confidence comes from record Q2 pipeline, strong module adoption, and gross and net retention rates — not from deals already closed.
Platform Modules: SIEM Crosses $600 Million, Identity ARR Up 4x, Endpoint Accelerates Again
Beyond AIDR, several platform businesses continued to scale. Next-gen SIEM exceeded $600 million in ending ARR and has, in Kurtz's framing, transformed CrowdStrike into "the operating system of the AI SOC." Charlotte AI, the platform's reasoning engine, is now automating alert triage, correlating cross-domain telemetry and driving investigation at machine speed. The quarter also saw the launch of AgentWorks, an ecosystem of purpose-built AI agents built on Falcon data in partnership with Accenture, AWS, Anthropic, Deloitte, NVIDIA, OpenAI and Salesforce.
The identity business saw next-gen identity net new ARR growth accelerate versus Q4. Falcon Shield ARR grew nearly 4x year-over-year. The SGNL acquisition, which delivers granular policy-based authorization over agentic workloads, is already generating repeat customers — Kurtz recounted meeting a CISO at RSA who had deployed SGNL at a prior company and immediately moved to deploy it again at his new employer, noting that standing up a new identity had gone from two weeks to two minutes. In endpoint, acceleration extended to a third consecutive quarter, supported by Gartner naming CrowdStrike a leader for the seventh straight year and ranking it highest on both axes of the Magic Quadrant for the fourth consecutive year.
Falcon Flex accounts approaching $2 billion in ending ARR grew 99% year-over-year. The "Reflex" dynamic — customers renewing and expanding ahead of their subscription renewal date — is becoming a meaningful commercial signal. The number of Reflex customers reached 480, representing nearly 25% of all Flex customers. The average Reflex uplift was 26%, happening on average in seven months, ahead of the contract renewal date. More than 130 customers have Reflexed multiple times, with average ARR uplift over the original Flex contract running at 51%.
Incremental Spend, Not Reallocation — And Still Early Innings
JPMorgan's Brian Essex pressed on whether the AI-driven demand surge represents net new budget or a reallocation from legacy vendors. Kurtz was unambiguous: "Two years ago, there weren't these big token budgets. All of a sudden, there are and people are finding money and it's incremental." He drew the causal chain clearly — token spend is growing at jaw-dropping rates, and security spending is following the slope of that adoption curve. His formulation bears repeating for investors sizing the opportunity: "If you want to create AI, you need GPUs. If you want to use AI, you need security."
At the same time, Kurtz was careful not to overstate where enterprises currently stand in their AI deployment journey. "We're still in the early innings," he acknowledged, noting that AI adoption within enterprises is not yet company-wide — it resembles the early days of EDR, where a division or geography would adopt first. "Once it goes really mainstream and entire companies adopt it across all of their employees and workloads, I think you're going to see just another incremental increase in opportunities." That measured framing is important context for investors trying to distinguish between pipeline enthusiasm and durable, multi-year revenue conversion.
New Hires, Stock Split, and the U.S. Government AI Executive Order
Kurtz announced that Dr. Bartley Richardson, formerly of NVIDIA where he led Agentic AI and cybersecurity AI, has joined CrowdStrike's leadership team as Chief AI and Autonomous Systems Officer. The hire deepens the company's NVIDIA partnership and signals a deliberate verticalization of AI talent into the security stack.
CrowdStrike also announced its first-ever stock split as a public company — a 4-for-1 forward split. Stockholders of record after market close on June 25, 2026 will receive three additional shares for every one held, with split-adjusted trading commencing July 2, 2026. Post-split Q2 non-GAAP EPS guidance is approximately $0.29 on roughly 1.034 billion diluted shares.
On the U.S. government's executive order to upgrade federal systems for advanced AI, Kurtz was supportive but measured, calling the White House's approach a balanced one and noting that the mandate will "create a tailwind ultimately for businesses like CrowdStrike because these federal governments are going to need to expedite and prioritize cyber defenses in a more modern way." He stopped short of quantifying any near-term federal revenue benefit, and Podbere did not incorporate speculative federal upside into the guidance framework.