483: Heico 101, Crowdstrike Deep Dive, Constellation Q4, Topicus, Stock Market Size, 1.6-Petabit Disc, Power Grid Fragility, and Dune
"does organized crime have internal counter-intelligence"
Many of the interconnections in systems operate through the flow of information. Information holds systems together and plays a great role in determining how they operate.
—Donella H. Meadows, Thinking in Systems: A Primer
🛀💭 👮🏻♂️🚔🕵️♂️👀 The work of deep undercover law enforcement agents trying to infiltrate organized crime *has* to be harder in the social media age, right?
A few decades ago — think Donnie Brasco or The Departed — a new guy popped up and you could try to verify their backstory, but there were limits to what could be done. If they were a good actor and a convincing scenario was crafted, it was probably hard to figure out (i.e., they become someone’s cellmate, earn their trust, etc.).
But today, someone’s social media footprint provides a multi-year trail of text, photos, and videos for both them and the people they are connected to (you can also check them out to make sure they’re real).
There are all kinds of ways to cross-reference this info: reverse-lookup on images, facial recognition software, see if anything matches personal profiles on the dark web, see if names and photos pop up on third-party websites that are harder to tamper with, check Google Cache and Archive-dot-org, etc. Or force them to hand over their phone and look at years of text messages and emails. You can even call old employers or schools to see what they say — it’s like checking references on a resumé.
Digital footprints and references can be faked, but if you want to be convincing and hold up to a bit of scrutiny, it’s a heavy lift. You need to create not only one fake life, but one for everyone that person is connected to, each with realistic archives that go back years and, ideally, accounts that keep posting in real time.
How many people are employed at the FBI/DEA/etc to spend their days creating fake social media accounts and posts? Are they using LLMs for that yet?
This makes me wonder, does organized crime have internal counter-intelligence units that perform background checks on anyone above a certain level? Or is that contracted out to for-hire “black hat” third parties that specialize in lifting the veil on undercover agents? Do they just hire regular PIs to do deep background checks?
How long until they have LLMs comb through someone’s life to flag moles?
🤔🧠💭 Remembering is such a mysterious process.
When there’s something you know, and you know that you know it, but you can’t recall it. You rack your brain for a while, you squint your eyes, look up to the right and to the left, make some kind of internal effort… and then you remember!
What happened there? What were you *actually doing* when you were trying to remember?
That process is fascinating.
It’s so natural that we rarely even think about it. When I try to think about the phenomenon, I find it hard to step outside of it to observe it. It’s more like a feeling.
As a metaphor, it feels like I’m standing outside a room with a closed door. 🚪 I know something is going on in there, but I can’t see until the door opens and some shadowy figure hands me a memory. 🫴🎁
Thanks! But how did you do that? Where did you find it?
¯\_(ツ)_/¯
🏦 💰 Liberty Capital 💳 💴
🏦🌎 Stock Market Size by Country: 1899 vs 2024
Look at the US!
Many will think that this anomaly is bound to revert to the mean. Some will call it a bubble.
I don’t think it’s that simple. Plenty has changed in the past 125 years — the best companies have access to almost the whole world and have longer runways of increasing returns to scale thanks to technology.
Nothing lasts forever, but power laws emerge naturally in many systems and it can be a stable configuration for a while.
🩻🔍 Heico 101 🕵️♂️🛩️🛰️⚙️🛠️
I’ve been following Heico for over a decade; it’s a very interesting company.
If you’re curious about it, a good place to start is this recent Business Breakdown episode. Eric Ruden gives a good overview of their history, what they do, and why they’ve been successful so far:
Here are a few highlights:
this is a market with extremely long product cycles.
Average life of an aircraft is anywhere from 25 to 30 years. The average production run for an aircraft platform is 10 to 20 years. So that gives you 35 to 40 years, sometimes more, to be selling parts into maintaining those aircraft
Followers of Transdigm will be very familiar with this dynamic.
Heico has a different angle on the industry, though:
HEICO's PMA business, which stands for Parts Manufacturer Approval, and that's the generic drug analogy.
What HEICO does is they will take an OEM part, reverse engineer it, so they don't have the same upfront design and development costs, it's much easier to make something once you know it's already been made.
And then they will go through a honestly more strenuous certification process with the FAA than even the original equipment manufacturer would have because when an original equipment part is certified, it's certified as part of the overall aircraft certification process.
[…] and then that part then has to get approved by the airlines themselves again. So there are multiple levels of qualification process before this ends up getting into the fleet, and that creates a pretty significant barrier to entry because you can really only run so fast in terms of new part development. [...]
because HEICO doesn't have the same upfront development costs as the OEMs are typically selling those parts to the airlines anywhere from a 30% to 40% discount.
And what's interesting is their strategy over time when it comes to pricing beyond just that initial discount is often to pass on a lot of the incremental savings over time to their customers.
That last part is important.
Heico has pricing power, but they hold back most of it and instead focus on accumulating customer goodwill and growing volumes.
They’d much rather have a customer try them and be so satisfied that they move over more parts to PMA than to squeeze the lemon as much as possible on part X and then have customers be less excited about expanding the relationship to other parts.
On the quality of PMA vs OEM:
[Heico] sold over 80 million parts over the company's life.
They've had 0 service bulletins issued, 0 airworthiness directives and 0 in-flight shutdowns because of any of those parts, which I don't think is something that there's any OEM that could say that.
Reputation is a big factor in their sales engine.
This reminds me a bit of how Costco built Kirkland’s brand. They create a store-brand version that is at least as good as the branded alternative, or better.
This seems to be Heico’s strategy to overcome the natural skepticism and risk aversion of airline operators when it comes to PMA.
I also love the tactic of going after only 30% market share per part (they have close to 20,000 SKUs):
when HEICO is going up against an OEM for any given part, the goal is to get to 30% market share and then leave the OEM alone.
And the rationale behind that is because if you run the math on the contribution margin of the OEM at a 30% premium at about a 50% margin and then HEICO at a 30% discount to that, typically something around a 30% margin, once you get above a 30% market share, you start incentivizing the OEM to cut price.
And if the OEM starts cutting prices, then there's really not a strong incentive for the airlines to stick with the PMA.
More in the podcast. 👋
🏴☠️🦅 Crowdstrike Q4 Highlights 🔥
Q4 results made CRWD stock gap up ~20% after-hours. That melted a bit afterward, but the results still appear to have positively surprised Mr. Market:
Q4 Revenue: +33%
Full year Revenue: +36%
Q4 GAAP gross margin: 78% vs 75% YoY
Full year GAAP gross margin: 78% vs 76% YoY
Q4 free cash flow: +35%
Full year free cash flow: +38.6%
(of course, SBC affects this)
Net retention was 119% in Q4, 119% in Q3, 119% in Q2, and 122% in Q1.
29,000 subscription customers "excluding smaller customers served through MSSP partners".
M&A: Acquiring Flow Security, the industry's "first and only cloud data runtime security solution."
I’m curious to see how this leader in an increasingly important and mission-critical industry is doing. Let’s dig a bit deeper into both Q4 and a recent presentation by management.
My highlights:
the state of the threat landscape has never been more elevated:
First, attacks are faster than ever. What took adversaries hours has shrunk to minutes and seconds, attack speeds will only accelerate.
Second, the cloud is increasingly under attack. We tracked a 75% increase in cloud intrusion attempts. The cloud is today's battleground for cyberattacks.
And third, generative AI is an adversary force multiplier. Gen AI puts advanced cybercrime trade craft in the hands of attackers of all skill levels. Gen AI will dramatically grow the adversary population.
This last point is important.
While defenders can also use AI, the dynamic at play gives the advantage to attackers since they only have to be lucky against one target once, while millions of defenders have to succeed every time against countless attackers using varied techniques.
Crowdstrike attempts to leverage this scale and turn it into a positive rather than a negative:
Embedded in the Falcon platform is a virtuous data cycle where we collect cybersecurity's very best threat intelligence data, build and train robust preventative and generative models and protect CrowdStrike customers with community immunity.
The “crowd” in their name refers to the crowd immunity concept.
By looking at threats across all of their customers and reacting to them across the group as a whole, they both create a more sensitive sensor network to detect problems and new types of attacks early, but they can also react more quickly — as if the group is one entity, rather than having thousands and thousands of individual companies all having to deploy the latest counter-measures to protect themselves against the threats of the day.
the latest SEC breach disclosure regulation only increases the pressure on companies and their boards. We regularly assist boards with regulation readiness by bringing cybersecurity from the back room to the boardroom. This, alongside the severity of the threat landscape makes effective cybersecurity an increasingly mission-critical necessity.
I wrote about this in Edition #472, so I won’t repeat it here, but this is a big deal for the industry.
Our cloud security momentum accelerated in the quarter. With net new ARR growing nearly 200% year-over-year and more than $400 million in ending ARR [...]
we started with the hardest part first, which is cloud workload protection. […] So that took the better part of 10 years to build something as robust as what we've built.
We are protecting some of the world's largest clouds. We're protecting some of most of the world's largest SaaS platforms. So it is really high ground and what I call a barrier to entry to get a cloud workload protection agent in a critical workload.
Cloud protection is growing very fast for them and is becoming a bigger part of the overall business. If they can maintain velocity, it should help support the overall growth rate going forward, slowing its decline.
the number of deals with 8 or more modules more than doubled year-over-year in Q4.
Subscription customers with 5 or more, 6 or more and 7 or more modules grew to 64%, 43% and 27% of subscription customers, respectively
Their bundling/cross-selling approach seems to still be kicking ass.
When they started tracking modules, they looked at customers with 3, 4, and 5 modules. Now 5 is the low end…
geographic mix of Q4 revenue consisted of approximately 68% U.S., 16% Europe, Middle East and Africa, 10% from the Asia Pacific region and 6% from all other markets.
Every time I see this mix, I can’t help but think that there’s a huge opportunity to go more international.
Cyber attacks don’t stop at borders. 🌐👀
Burt and I, our CFO, really focus on 2 things. One is ARR and two is cash. And that's how we sort of run the business.
Unlike most fast-growing SaaS companies, they were GAAP profitable in 2023 for the first time (5 years after IPO), and the margins have been scaling as they grew.
In theory, software gives you great operating leverage, but in practice, a lot of companies from recent cohorts never get to realize it because they have to keep spending to avoid falling off a cliff…
Crowdstrike is starting to look like one of the exceptions.
There’s another great riff where the CEO explains that they bought an identity protection company in 2020, then spent 18 months rewriting and integrating their software before selling it. Today, identity is a $300m ARR business for them (Preempt, the acquisition, had $7m ARR).
I think it’s a good signal that they are taking their time to do things the right way, and over time it’ll pay dividends vs the approach of having a patchwork of non-integrated systems and agents cobbled together.
There’s more, but that’s enough for today 👋
🇸🇪 TIL: Even private companies have to publicly release annual reports in Sweden
These reports must be filed with the Swedish Companies Registration Office (Bolagsverket) within seven months from the company's financial year end.
Even small limited companies, which may choose not to have an auditor, are still required to submit an annual report. These reports can be obtained from the Bolagsverket, usually for a fee.
This isn’t unique to Sweden. It applies to most European Union limited liability companies.
It makes me wonder about the second-order effects of such transparency on competitors and entrepreneurs. What if the US was also like that? 🤔
✨ Constellation Software ✨ Q4 🚂 + Topicus Special Divvy
I was going to write something about this, but I kind of ran out of space and friend-of-the-show Leandro did a good job here.
He also touches on the Topicus special dividend. His conclusions are similar to mine.
🧪🔬 Liberty Labs 🧬 🔭
🔌 Understanding Why Our Power Grids are Becoming More Fragile and Less Reliable ⚡️
I won’t even try to summarize this one because it’s worth listening to for yourself:
In this podcast, David March, the CEO of Exergy/Energy, is interviewed by Dr. Chris Keefer.
💿 In the Lab: 1.6-petabit optical storage disc 👨🔬
What’s old is new again. When I was a kid, CDs, DVDs, and then Blu-rays were the new thing. Then over time, they became the old thing…
Are we due for a revival of optical media, at least in certain applications?
A 3D nanoscale optical disk memory with petabit capacity
we increase the capacity of ODS to the petabit level by extending the planar recording architecture to three dimensions with hundreds of layers, meanwhile breaking the optical diffraction limit barrier of the recorded spots. We develop an optical recording medium based on a photoresist film doped with aggregation-induced emission dye, which can be optically stimulated by femtosecond laser beams.
If these things can be made to be stable for a long time, I can imagine all kinds of applications for cold storage of data.
Though maybe — as I’ve written about before — this type of long-term data storage will be better done with DNA, which is proven stable and will never be something that we can’t sequence efficiently (for obvious reasons).
🎨 🎭 Liberty Studio 👩🎨 🎥
🎥🪱 Dune: Trio of Trivia 📙
TIL that 23 publishers passed on Frank Herbert’s Dune:
Frank Herbert's Dune was rejected by 23 publishers before it was finally accepted by Chilton Books, a company known mostly for their automotive manuals. Despite the initial struggles, Dune went on to win the Hugo and Nebula awards, become a New York Times Bestseller, and have many sequels written by Frank Herbert and his son Brian. It is now often described as the best-selling science fiction novel of all time
Speaking of Dune, I have a theory that many people who don't quite get into Villeneuve's Dune may just not be fans of Dune the science-fiction story and wish it was something other than what it is.
Kind of like saying “I’d like Lord of the Rings better if it had less high fantasy in it” 🧝🏻⚔️🛡️
It's just a hunch, but a lot of what I see is closer to criticism of the 900-page book as source material, and the limitations of the ‘film vs book medium’ super-imposed on top of it, because the film CAN’T be the book, rather than any specific choices that Villeneuve made.
I’m not saying some people just don’t vibe with Villeneuve. That’s totally fine!
But I suspect that very complex 60-year-old books full of politics and ecology and religious allegories aren’t everyone’s cup of tea 🫖
🎞️💻 Hybrid Finishing: Digital to Film (and Back)
Let’s do a triple Dune factoid Edition because this is fascinating:
To get a very specific look for both films, Villeneuve shot on digital cameras (mostly IMAX) and then transferred the digital images to analog film.
This isn’t the cool part yet!
By shooting digitally, they get all kinds of benefits over film (dynamic range, light sensitivity, lighter equipment that is less noisy, lower cost, ability to see footage more quickly, etc).
And when they transfer what they shot to old-school film, they aren’t limited by what a camera can do on set when it comes to exposure time, so they can get the very best quality out of analog film too:
Unlike a camera film, an intermediate film doesn't need to be sensitive, you can expose it with an enormous amount of light, in fact the intermediate film they used has a supremely low ISO rating of 1.
Roughly, that means it's more than 5 stops ie. 2^5 = 32x times less sensitive than a very low sensitivity camera film stock that is used for filming. That means the grain size is very small and the effective resolution very high, probably comfortably above 4k. But the low sensitivity means it can't be used for filming.
Will other analog film lovers like Nolan, Tarantino, Scorsese, etc, embrace this hybrid process that appears to provide the best of both worlds?
Personally, I think the film looks *stunning*. I’m going a second time on Friday. 🍿
Good variety of content here.
As far as creating undercover identities, if the NSA actually stores all phone voice/text messages in Utah and has installed equipment at phone companies to collect it, as Snowden revealed, then I wouldn’t be surprised if they’ve been injecting fake messages from controlled fake identities into the system all along to be available for future deep fake identities. And I wouldn’t be surprised if they have some secret AI working on it now either.
I’m glad I bought a small amount of HEI 20 years ago; the only other small stock I bought back then that has appreciated more is ISRG.
Dr. Chris Keefer (real emergency room physician) has a great energy podcast, and I also highly recommend the Exergy concierge utility episode. They probably have a good future since factories and data centers will need smooth reliable electricity and unless we build lots of new nuclear they have a pretty big market for a long time.