CrowdStrike reported fiscal Q1 2027 earnings after the close on June 3 with revenue at $1.34 billion (up 22% year-over-year), net new ARR of $235 million, and total ARR crossing the $4.6 billion mark for the first time. The AI-Native Endpoint Detection product line delivered the strongest sequential ARR contribution since launch, and Falcon Identity Threat Protection passed 20% of net new ARR for the first time in the company's history. Dollar-based net retention came in at 119%, which is a sequential improvement from the prior quarter's 116% and the strongest read since the post-July 2024 outage recovery cycle.
The print sets the tone for the rest of the cybersecurity earnings cycle. Palo Alto Networks, Zscaler, and SentinelOne all report inside the next four weeks, and the spending patterns CrowdStrike just disclosed are the leading read on what those companies will print. Here is what the result means for the broader cycle and why the crypto-treasury cybersecurity spending tailwind keeps showing up in the numbers.
What the Numbers Actually Showed
The headline beat the consensus by roughly $40 million on revenue and 14 cents on adjusted EPS. The buy-side conversation going into the print was less about the headline and more about three forward indicators inside the segment-level disclosure. Net new ARR of $235 million represented a clear acceleration from the prior quarter's $211 million and confirmed that the post-outage recovery cycle is fully past. The AI-Native Endpoint Detection contribution to net new ARR jumped from roughly 12% in fiscal Q4 to 18% in fiscal Q1, which is the steepest sequential acceleration the company has disclosed for any single product since the original Falcon platform launch.
Dollar-based net retention at 119% is the cleanest read on customer behavior. The metric measures how much existing customers expand their spending year-over-year, and a 119% print means the average existing customer is spending roughly $1.19 for every $1.00 they spent a year ago. That number was as low as 110% during the worst of the post-outage cycle, which means the trust recovery is now showing up in the spending data rather than just the customer count data. CrowdStrike's earnings supplement walked through the segment build in unusual detail this quarter.
The Read-Through to Palo Alto, Zscaler, and SentinelOne
The cybersecurity end market has been bifurcating for several quarters. Customers are consolidating their security tooling spend toward the platforms that show real AI-native product traction and away from the legacy tools that are still selling on the older signature-based or rules-based detection model. The Gartner 2026 endpoint protection magic quadrant tracks the consolidation across the named platform vendors. CrowdStrike's AI-Native EDR acceleration is the most direct evidence yet that the cycle is real and that customers are willing to pay premium pricing for AI-driven detection that meaningfully reduces alert volume.
The implication for the upcoming prints is straightforward. Palo Alto Networks (reporting June 18) has been pushing itsXSIAM platform on a similar AI-driven detection narrative, and the CrowdStrike read says XSIAM should print net new ARR strength if the narrative is real. Zscaler (June 20) sits in a related but distinct part of the stack focused on zero-trust network access, and the read-through is less direct but generally supportive. SentinelOne (June 26) is the most exposed competitor to CrowdStrike's EDR market share, and the AI-Native EDR acceleration suggests SentinelOne's print should show share-loss pressure inside the endpoint segment.
The two-sided dispersion matters because the cybersecurity sub-sector ETFs have been trading as a single basket through the post-outage cycle. If the CrowdStrike read translates as expected, the next four weeks will produce visible dispersion between the platform consolidators and the share-loss names, which is the kind of single-stock environment cybersecurity has not seen since the 2022 unwind.
The Crypto-Treasury Cybersecurity Spend Tailwind
One piece of the CrowdStrike disclosure that does not show up in the headline numbers but matters for crypto-adjacent investors is the customer-segment commentary around crypto treasuries and digital asset infrastructure. Customers in that segment passed 8% of net new ARR for the first time, up from less than 3% two years ago. The driver is the combined growth of corporate crypto treasuries (Strategy, Metaplanet, Semler Scientific, Marathon Digital, and roughly 60 other public-company holders) and the institutional digital-asset custody segment that supports the spot Bitcoin and Ethereum ETF complex.
The economics of that segment are favorable for cybersecurity vendors. A custody operation that holds tens of billions of dollars in digital assets cannot run on consumer-grade security tooling, and the per-seat or per-endpoint pricing for the enterprise platforms (CrowdStrike, Palo Alto, Microsoft Defender) ramps quickly when an entire operations team needs full coverage. The Fireblocks 2026 institutional digital-asset security report tracks the per-seat security spend curve for the institutional custody cohort directly. That growth is structural rather than cyclical, which means the contribution to net new ARR should continue building from here regardless of the broader crypto market direction.
For broader context on the security frameworks crypto operations are building on, the Phemex crypto security checklistwalks through the institutional and retail security stack.
What the Cybersecurity Capex Cycle Looks Like From Here
The cycle entering fiscal 2027 looks materially different from the cycle that ended fiscal 2025. The customer side has consolidated its tooling spend toward fewer, larger platform vendors. The product side has shifted toward AI-native detection that runs natively on the customer's existing endpoint and identity infrastructure rather than on standalone tooling. The competitive side has produced clear winners (CrowdStrike, Palo Alto, Microsoft Defender) and clear share-loss candidates (legacy SIEM vendors, single-product EDR challengers).
That structure favors the platform consolidators on a multi-year basis. The CrowdStrike print is one data point inside a longer cycle, but the data point lines up with the structural read. The AI-Native EDR acceleration shows the product transition is real. The Falcon Identity acceleration shows customers are expanding their platform footprint. The 119% net retention shows existing customers are spending more per seat. The crypto-treasury and digital-asset segment growth shows new addressable markets are opening up.
The risk to the bull case is that the AI-native product cycle attracts new competitive entrants over the next 18 months, particularly from the hyperscaler-affiliated security platforms (Microsoft, Google Cloud security, AWS GuardDuty). Those entrants do not yet have feature parity with CrowdStrike's Falcon platform, but the underlying compute and AI infrastructure they sit on top of (which connects back to the same hyperscaler capex cycle driving the broader AI infra trade) could compress the competitive moat faster than the current consensus assumes.
CRWD Stock Setup Post-Print
CrowdStrike is not tokenized on Phemex, so the direct stock exposure has to be expressed through traditional brokerage rather than through a tokenized futures contract. The closest tokenized exposures inside the Phemex product set are AVGO (which sits on the AI infrastructure side of the same capex cycle) and the broader semi names that benefit from the underlying compute substrate. The thematic exposure to the AI-native cybersecurity cycle is best captured through the AI infra names rather than through any single cybersecurity ticker on the Phemex tokenized-stock list.
The earnings reaction in the stock will play out over the next few sessions and will largely depend on if the buy-side accepts the AI-Native EDR acceleration as a multi-quarter trajectory rather than a single-quarter print. The historical pattern for cybersecurity prints is that the multi-quarter acceleration narratives have to be confirmed for at least two consecutive quarters before the multiple rerates higher. The fiscal Q2 print in early September will be the decisive one.
Frequently Asked Questions
What was CrowdStrike's fiscal Q1 2027 result?
Revenue came in at $1.34 billion (up 22% year-over-year), net new ARR was $235 million, total ARR crossed $4.6 billion, and dollar-based net retention reached 119%. The AI-Native Endpoint Detection product contributed 18% of net new ARR, the strongest single-product acceleration since the original Falcon platform launch.
What does the print say about Palo Alto, Zscaler, and SentinelOne?
CrowdStrike's AI-Native EDR acceleration suggests Palo Alto's XSIAM platform should print net new ARR strength on the same AI-driven detection narrative, Zscaler should print generally supportive on zero-trust network access, and SentinelOne should show share-loss pressure inside the endpoint segment. The next four weeks of cybersecurity prints will produce visible dispersion between platform consolidators and share-loss names.
How does the crypto-treasury segment affect CrowdStrike?
Crypto-treasury and digital-asset custody customers passed 8% of net new ARR for the first time, up from less than 3% two years ago. The growth is structural rather than cyclical, driven by the combined expansion of corporate crypto treasuries and the institutional custody segment supporting the spot Bitcoin and Ethereum ETF complex.
Is CrowdStrike stock tokenized on Phemex?
CrowdStrike is not currently part of the Phemex tokenized-stock product set. Thematic exposure to the AI-native cybersecurity cycle on Phemex is best captured through the AI infrastructure names (AVGO sits on the same hyperscaler capex cycle that drives both AI infra and cybersecurity demand).
Bottom Line
CrowdStrike's fiscal Q1 2027 print confirmed the post-outage recovery cycle is fully past and pushed the AI-Native EDR acceleration into the leading position inside the product mix. The 119% dollar-based net retention, the 18% AI-Native EDR contribution to net new ARR, and the 8% crypto-treasury segment contribution all support a multi-quarter acceleration narrative that will need to confirm in fiscal Q2 before the multiple rerates higher. The read-through to the next four weeks of cybersecurity prints favors platform consolidators and pressures share-loss candidates. The longer-term risk is hyperscaler-affiliated security platform entrants compressing the moat from 2027 onward.
This article is for informational purposes only and does not constitute financial or investment advice. Stock and crypto trading involves substantial risk. Always conduct your own research before making trading decisions.
