We're Among the Best at What CrowdStrike Structurally Can't Be. We Have Two Paying Customers. Both Are True.
- Patrick Duggan
Someone asked me a fair question this week: are we among the best? Not "are you good" — anyone will tell you they're good. Among the best. It deserves an honest answer, and the honest answer is two things that sound contradictory and aren't. On the axes that will decide this fight in two years, yes — and I'll show the receipts instead of asserting it. On the scoreboard the market keeps today, no — we have two paying customers. Both of those are true at the same time, and learning to hold them together without flinching is most of what running a real company turns out to be.
Start with where the "yes" is earned, because vague confidence is worthless and specific confidence is the only kind worth publishing.
Lead time is measurable, and we lead. We named a remote-access trojan forty-three days before a billion-dollar vendor got around to rebranding it. That's not a war story we tell at parties; we built a ledger that computes our lead time on CISA's Known Exploited Vulnerabilities catalog as a standing metric — for each new KEV entry, how many days earlier did our corpus already name the CVE, the campaign, or the vendor. When you measure the thing instead of bragging about it, the bragging becomes unnecessary.
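The lead-time calculation described above, sketched as an added example (not the ledger's actual code). It matches on CVE id only, the corpus index and all dates are constructed, the CVE ids are placeholders, and the `cveID`, `vendorProject` and `dateAdded` fields follow CISA's public KEV JSON feed.

```python
from datetime import date
from statistics import median

# Constructed sample shaped like the "vulnerabilities" array of the KEV feed.
KEV_ENTRIES = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendorA", "dateAdded": "2025-03-10"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendorB", "dateAdded": "2025-03-12"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendorC", "dateAdded": "2025-03-15"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendorD", "dateAdded": "2025-03-20"},
]

# Hypothetical corpus index: earliest date each CVE id appears in our documents.
CORPUS_FIRST_SEEN = {
    "CVE-0000-0001": "2025-02-26",  # named before KEV listed it
    "CVE-0000-0002": "2025-03-12",  # same day as KEV
    "CVE-0000-0003": "2025-03-18",  # named only after KEV
    # CVE-0000-0004 never appears in the corpus
}

def lead_time_ledger(kev_entries, first_seen):
    """One row per KEV entry; positive lead_days means the corpus was earlier."""
    rows = []
    for entry in kev_entries:
        cve = entry["cveID"]
        seen = first_seen.get(cve)
        if seen is None:
            rows.append({"cve": cve, "lead_days": None, "status": "miss"})
            continue
        days = (date.fromisoformat(entry["dateAdded"]) - date.fromisoformat(seen)).days
        status = "lead" if days > 0 else "tie" if days == 0 else "late"
        rows.append({"cve": cve, "lead_days": days, "status": status})
    return rows

def summarize(rows):
    """Misses stay in the denominator so the metric cannot flatter itself."""
    covered = [r["lead_days"] for r in rows if r["lead_days"] is not None]
    return {
        "entries": len(rows),
        "covered": len(covered),
        "led": sum(1 for d in covered if d > 0),
        "median_lead_days": median(covered) if covered else None,
    }

if __name__ == "__main__":
    ledger = lead_time_ledger(KEV_ENTRIES, CORPUS_FIRST_SEEN)
    for row in ledger:
        print(row)
    print(summarize(ledger))
```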
The MCP surface is the one almost nobody else holds at scale. Model Context Protocol servers are how AI agents reach tools and data — they are quietly becoming the supply chain, which means they are quietly becoming the attack surface. We crawl over 1.14 million of these servers, carry nearly 164,000 security findings on them, and run a judge that evaluates a server's full dependency graph before an agent is allowed to call it. When last month's worm started injecting backdoors into AI coding-agent configuration directories — turning the tool that writes your next package into the thing that betrays you — that wasn't a surprise attack from nowhere. It was an attack on the exact surface we'd already mapped a million servers deep.
The method is genuinely good. Ranking hosting abuse by density per IP instead of raw volume, so the bulletproof shops light up and the hyperscalers everyone wrongly blames fall away. Bloom-filter novelty checks so we spend attention only on what's actually new. Cross-index correlation that ties an indicator across a dozen datasets at once. Detection signatures for build-time execution tricks that sidestep every lifecycle hook the scanners watch. That's craft, and craft compounds.
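Why density ranking reorders the list, as an added example (not our production code). Density is assumed here to mean abusive addresses divided by the addresses a provider announces, the provider rows are constructed, and the Wilson lower bound is an extra step beyond what the post describes, added so a tiny network with a single hit cannot outrank a well-evidenced one.

```python
import math

# Constructed sample: (provider label, addresses announced, addresses seen abusing).
PROVIDERS = [
    ("hyperscale-example", 10_000_000, 5_000),
    ("bulletproof-example", 4_096, 900),
    ("midsize-example", 8_192, 300),
    ("tiny-example", 16, 1),
]

def wilson_lower(hits, total, z=1.96):
    """Lower bound of the 95% Wilson interval for the proportion hits/total."""
    if total == 0:
        return 0.0
    p = hits / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt((p * (1 - p) + z * z / (4 * total)) / total)
    return (centre - margin) / (1 + z * z / total)

def rank(providers, key):
    """Provider labels sorted from highest to lowest score."""
    return [name for name, _, _ in sorted(providers, key=key, reverse=True)]

def by_volume(providers):
    # Raw count of abusive addresses: big networks always float to the top.
    return rank(providers, lambda r: r[2])

def by_density(providers):
    # Abusive share of announced space: penalises concentration, not size.
    return rank(providers, lambda r: r[2] / r[1] if r[1] else 0.0)

def by_density_lower_bound(providers):
    # Same idea, discounted for how little evidence a small network provides.
    return rank(providers, lambda r: wilson_lower(r[2], r[1]))

if __name__ == "__main__":
    print("volume :", by_volume(PROVIDERS))
    print("density:", by_density(PROVIDERS))
    print("wilson :", by_density_lower_bound(PROVIDERS))
```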
And we do something most shops structurally cannot: we publish our misses. This week we audited the month's real breaches against our own defenses and graded ourselves three stopped, three warned, one missed — and we left the miss in, named, on purpose. A capability claim you can't falsify isn't a capability claim. It's a brochure.
All of that runs on roughly $384 a month, on zero venture capital, against twenty-five million indexed documents and a live edge that blocks known-bad traffic at the door. That combination — the speed, the frontier positioning, the intellectual honesty, the cost — is real, and on those axes we are, with a straight face, among the best.
Now the part the brochure-writers leave out.
We are not among the best by the measures that pay the bills. Not on scale, not on headcount, not on distribution, not on enterprise sales, not on breadth of telemetry. CrowdStrike sees endpoints we will never touch. Recorded Future has analysts and reach we don't have and won't have soon. Those are not insults to ourselves; they are the accurate shape of a two-person operation, and pretending otherwise would cost us the only thing we actually have more of than they do, which is credibility. The market's verdict on us, rendered in the only currency markets respect, is two paying customers. Craft excellence is not market position. A thing can be excellent and unbought at the same time, and ours currently is.
So how do both stay true without one being a lie? Because they measure different clocks. "Among the best on craft" measures the work. "Two customers" measures the market's awareness of the work, and awareness always lags. The entire history of good small companies is the story of that lag closing — and the entire graveyard of good small companies is the story of it never closing in time. We don't get to assume which one we are. We get to close the gap or not.
That gap — between how good the work is and how many people pay for it — is not a problem to be embarrassed about. It is the job. It is, specifically, the only job left. The threat intelligence is built. The MCP surface is built. The edge shield is built. The method is sharp and the honesty is load-bearing. What isn't built yet is the bridge from a craftsman's "this is genuinely among the best" to a market's "and that's why I pay for it." Those are different sentences, and only the customer gets to write the second one.
We cap our confidence at 95 percent on everything, and this is no exception: maybe the axes we're betting on — supply chain, the agent layer, the shared pre-authentication edge — aren't the ones that decide the next two years, and we're excellent at the wrong race. We don't think so. We've put our surface exactly where the attacks are migrating, and the breaches keep proving the map. But the residual five percent is real, and naming it is the same discipline that lets us say the rest flatly.
So: among the best on the axes that will matter most by 2028 — yes, and I'd stake the company on it, because I am. Among the best by today's scoreboard — no, not yet. Both true. The second one is the only one left to earn, and earning it is the whole point of getting up in the morning.
