Welcome to the Free edition of How They Make Money.

Over 300,000 subscribers turn to us for business and investment insights

In case you missed it:

• 🤖 NVIDIA: Gone Parabolic

• 📊 Earnings Visuals (5/2026)

• 🚀 How SpaceX Makes Money

• ❄️ Snowflake: AI Consumption Wins

Beat. Raise. Sell.

Palo Alto Networks and CrowdStrike are the two largest pure-play cybersecurity companies in the world, and they reported a day apart this week with almost the same script: strong results, higher guidance, and a stock that fell anyway.

Both stocks had rallied more than 50% into earnings as investors embraced the same thesis: AI is becoming a tailwind for cybersecurity.

The trigger was Anthropic’s Mythos, the model judged too dangerous to release widely, which sent enterprises scrambling to reassess their defenses.

The numbers suggest the AI security thesis is real. The problem is that the investors already knew it.

Today at a glance:

1. ☁️ Palo Alto: Buying the AI Security Era

2. 🦅 CrowdStrike: The Mythos Moment

1. ☁️ Palo Alto: Buying the AI Security Era

Palo Alto delivered a strong quarter, but the headline numbers were messy.

Revenue grew 31% Y/Y (or 14% organically) to $3.0 billion ($60 million beat), and non-GAAP EPS landed at $0.85 ($0.05 beat).

The company also reported an unusual $183 million operating loss, but that was mostly deal-related noise from the recent $25 billion CyberArk acquisition and the Chronosphere deal. New acquisitions added roughly $280 million of intangible amortization and $198 million of deal costs this quarter alone.

Cash flow told a cleaner story. Operating cash flow rose 39% Y/Y to $871 million, while adjusted free cash flow hit a record $910 million, up 57% Y/Y. The trailing-12-month free cash flow margin reached 38.5%, up 4.3 percentage points Y/Y.

Management leaned into the early-2026 SaaSpocalypse selloff, spending $1 billion on 6.8 million shares at an average of ~$148 — nearly half today’s price. When you’re that sure the panic is wrong, you buy. That’s also why we built a larger PANW position at the time in App Economy Portfolio.

Did Palo Alto buy its way into the AI security era at the right price?

So far, the answer looks encouraging.

Strip out the acquisition noise, and the organic numbers look healthy:

• Next-Gen Security (NGS) ARR: $8.1 billion, up 28% organically.

• Remaining performance obligation: $18.4 billion, up 22% organically.

Organic growth matters because it shows that the CyberArk deal did not mask a slowdown. The forward-looking metrics show Palo Alto is still signing large customers, expanding its backlog, and converting more of the business to recurring revenue.

CEO Nikesh Arora framed AI as a forcing function. Frontier models are making companies rethink their defenses, especially as AI agents gain access to credentials, data, and internal systems.

The demand signal is already showing up. Roughly 1,000 companies reached out over two months to reassess their cyber posture, and the new Unit 42 Frontier AI Defense offering generated 800+ customer meetings in six weeks.

Palo Alto is also turning the threat into a tool. With early access to frontier models, the company says it can compress a year’s worth of penetration testing into under three weeks.

But Arora’s most important point was more grounded: AI still makes mistakes. Frontier models can hit error rates near 25% and fail at the last mile of complexity. In cybersecurity, that gap matters. Attackers only need to win once, and one wrong enforcement call can take down a production network. In short, AI expands the attack surface, but customers still need a trusted platform to manage the response.

Platformization Pays Off

Palo Alto’s pitch is to replace a dozen point products with one platform, trading upfront discounts for stickier, multi-year commitments.

The strategy is working:

• 110 net new platformizations this quarter, lifting the total to ~2,280.

• 120% net retention with single-digit churn. That’s exactly what justifies large onboarding discounts.

• Firewall bookings rose across appliances (+40% Y/Y, the strongest hardware quarter in a decade) and software (+25%).

The legacy firewall business still matters, but the mix is changing. 46% of trailing-12-month product revenue is now recurring software, up from 22% three years ago. That transition is the key. Palo Alto is using its firewall footprint to pull customers into a broader subscription platform.

Built for the Agent Era

The acquisitions are the clearest sign of where Palo Alto thinks cybersecurity is going. The company is trying to own the full stack before the market fully forms.

• Identity: CyberArk, now rebranded Idira, gives Palo Alto a stronger identity layer for humans, machines, and AI agents. As agents spread, credentials become one of the fastest-growing attack surfaces.

• Security operations: Cortex XSIAM crossed $600 million ARR, up roughly 100% Y/Y, with more than 740 customers as it displaces legacy SIEM tools.

• AI runtime: Prisma AIRS topped 300 customers, tripling sequentially, with a $20 million-plus enterprise deal already signed.

Guidance

Management raised the full-year outlook for the third straight quarter:

FY26 revenue guidance increased to $11.42 billion ($60 million raise), while non-GAAP EPS moved to $3.77–$3.79 (up from $3.65–$3.70).

Longer term, management still expects a 40% free cash flow margin by FY28 and $20 billion in NGS ARR by FY30. CFO Dipak Golechha also flagged rising memory and storage costs, with a 10% increase in hardware prices now baked into the guide.

Takeaway: Palo Alto’s AI security pitch is credible because the organic engine is still strong. The CyberArk deal adds complexity, but it also gives Palo Alto a better shot at owning identity in the agent era. Arora has earned the benefit of the doubt. The risk is valuation: after a nearly 50% rally this year and a stock near 62x forward EBITDA, investors are already pricing in a clean integration.

2. 🦅 CrowdStrike: The Mythos Moment

CrowdStrike delivered the cleanest validation of the AI thesis yet: Q1-record net new ARR and higher guidance on every line.

After surging over 60% in the month leading up to the print, the bar was set for a flawless report, and a merely excellent one wasn’t enough. The stock fell more than 10%.

Revenue grew 26% Y/Y to $1.4 billion ($30 million beat), the fourth straight quarter of acceleration, and non-GAAP EPS landed at $1.10 ($0.03 beat). Margins improved across the board, with the operating loss narrowing to $31 million (from $125 million a year ago).

Free cash flow hit a record $468 million, a 34% margin and an all-time high, lifting CrowdStrike’s Rule of 40 score to 59. Stock-based compensation remains a significant factor, accounting for 21% of revenue and showing little improvement over time.

The recurring-revenue engine is the main KPI:

• Ending ARR rose 24% Y/Y to $5.51 billion, well past the halfway mark toward the $10 billion target set at its 2023 Fal.Con briefing.

• Net new ARR, the quarter’s fresh recurring revenue and the truest read on momentum, hit a Q1-record $256 million (+32% Y/Y). Q1 is the weakest quarter seasonally, making the numbers all the more impressive.

The thesis CEO George Kurtz has pushed for a year is now the customer’s thesis. Enterprises increasingly treat CrowdStrike as AI security infrastructure rather than a line item. Post-Mythos, executive-level inquiries surged, and the company stood up Project QuiltWorks, a coalition that helps large customers find and fix vulnerabilities in real time.

It also created a Chief AI and Autonomous Systems Officer role, poaching Bartley Richardson from NVIDIA. It illustrates where CrowdStrike thinks the platform will head over the next decade.

The Flex Flywheel

With Falcon Flex, customers commit a security budget upfront and then spend it across modules over time. It remains the consolidation flywheel. The company added 300+ Flex accounts, and Flex ARR nearly doubled to $1.9 billion (more than a third of overall ARR).

Customers who burn through their Flex budget early come back and commit more.

• 480 ReFlex customers (~25% of Flex accounts) lifted ARR by an average of 26%.

• 130+ have ‘reflexed’ more than once, for an average 51% uplift over their original commitment.

AIDR, the Next EDR

CrowdStrike is racing to own the attack surfaces AI is creating.

• AIDR (AI Detection and Response): Ending ARR grew +250% sequentially, with a Q2 pipeline above $50 million. Kurtz called the ramp the fastest of his career and pegged AIDR as a market potentially larger than endpoint detection itself, as AI agents multiply.

• Next-Gen SIEM: Ending ARR topped $600 million, and combined with cloud and identity now exceeds $2 billion.

• FalconShield: ARR nearly quadrupled Y/Y as customers scramble to secure AI agents operating inside their SaaS apps.

Guidance

Management raised the full year on every line. FY27 ARR is now expected to grow +25% Y/Y. Net new ARR guidance rose by more than $50 million, which Kurtz framed as the AI tailwind in action. The Q2 guidance came just in line, though.

Takeaway: AI is turning cybersecurity from a defensive budget line into a strategic priority. Palo Alto is buying its way deeper into identity and agent security, while CrowdStrike is expanding Falcon into AI-native infrastructure. The thesis is working. The stocks are the hard part. After massive rallies, expectations have caught up with the story, and the valuations leave little room for error.

That’s it for today!

Happy investing!

Want to sponsor this newsletter? Get in touch here.

Thanks to Fiscal.ai for being our official data partner. Create your own charts and pull key metrics from 50,000+ companies directly on Fiscal.ai. Save 15% with this link.

Disclosure: I own PANW and CRWD in App Economy Portfolio. I share my ratings (BUY, SELL, or HOLD) with App Economy Portfolio members.

Author's Note (Bertrand here 👋🏼): The views and opinions expressed in this newsletter are solely my own and should not be considered financial advice or any other organization's views.