Introducing

Analyzing the Market Impact of the CrowdStrike Outage

Aug 21, 2024

In this tutorial, we will look into the July 2024 CrowdStrike outage, which offers an interesting case study on the impacts for the Stock and Options markets when a major event happens. Our analysis, powered by Polygon.io’s comprehensive datasets, captures a dramatic surge in market trading activity, causing the stock to drop

over two days, with stock trade volumes reaching nearly 7x their normal levels. We also observed a notable increase in speculative options trading, including a significant number of sweep trades, indicating that sophisticated professionals were actively participating. While the situation with CrowdStrike was very unfortunate, our focus here is purely educational, aiming to provide insights through data analysis.

What Happened?

CrowdStrike is a leading global cybersecurity firm that provides endpoint protection and continuously updates its software, similar to how a virus scanner gets updated with the latest signatures, for detecting threats on desktops and servers. On July 19, 2024, a routine software update intended to enhance threat detection capabilities inadvertently included a critical error. This error quickly caused the infamous "blue screen of death" (BSOD) on Windows systems, rendering about 8.5 million desktops and servers totally unusable and severely disrupting various sectors. Here’s some highlights:

• Global Impact: The malfunction made many devices, including those crucial for monitoring and repairs, totally inoperable. Since CrowdStrike was installed widely across many companies it essentially took everything offline at once including systems used for repairs.
• Airlines: More than 5,000+ flights globally were canceled, causing widespread delays and rebooking chaos lasting many days.
• Healthcare: Inaccessibility to patient records led to delays and cancellations of medical procedures.
• Finance: Disruptions at major financial institutions as they worked to recover from failures.

CrowdStrike and Microsoft worked quickly to coordinate and rollback the update along with implementing remediation steps, but the resolution was complex and time consuming, highlighting just how quickly software updates happen now and the profound effects that errors can have on critical infrastructure.

Stock Market Reaction

In this section, we'll analyze how CrowdStrike's stock reacted to news of widespread system crashes, demonstrating how to use Polygon.io's Stocks API to uncover what happened. By examining raw data through the Aggregates (Bars) endpoint, we can see not just the significant price drops but also other market activities that reveal the underlying investor behavior during major events.

We will pull Open, High, Low, and Close data for CrowdStrike (

) from June to August 2024 to establish a baseline for comparison. This approach allows us to look beyond typical news analysis, offering a data-driven look into how the stock market responds to significant incidents. To follow along, you'll need an API key, obtained through signing up with Polygon.io on a Stocks plan, and we'll use Python along with the Polygon.io client-python library for data retrieval.

from polygon import RESTClient

client = RESTClient()

aggs = []
for a in client.list_aggs(
    "CRWD",
    1,
    "day",
    "2024-06-01",
    "2024-08-06",
    limit=50000,
):
    aggs.append(a)

print(aggs)

The Python script provided above retrieves the daily aggregate data for CrowdStrike (

) from Polygon.io's Stocks Aggregates (Bars) API. This data includes the open, high, low, and close prices, along with volume and number of trades, which are fundamental for analyzing stock performance over a specified period. For those interested in a more interactive analysis, the linked code snippet has been adapted to integrate with Highcharts, offering a dynamic visual representation of the stock's performance.

Here’s a snapshot of what you can visualize using Highcharts with the aggregated data.

Notice the significant drop of approximately

beginning on Friday July 19, 2024, with the market continuing to react adversely, following Monday July 22nd, 2024 another and in the subsequent days. Here's a table details the daily closing prices and percentage changes for CrowdStrike () during the event.

The number of trades can be a revealing indicator of market activity. On July 19, 2024, during the CrowdStrike outage, there was a significant spike in trades, with numbers soaring to over 852,824, almost 7x above the usual levels.

This analysis illustrates that the number of trades, rather than stock price changes alone, can be a more reliable indicator of significant market activity. Observing these patterns during major events like the CrowdStrike outage provides valuable insights into market dynamics. Such spikes in trade activity can often hint at unusual occurrences, offering a unique perspective often overlooked in traditional candlestick chart analysis. This understanding can be crucial for anticipating how markets might respond to similar future events.

Options Market Reactions

Now that we understand the stock market impact, let’s examine how the Options market reacted. At a high-level, Options are financial instruments that enable investors to bet on the future price of a stock by a specific date, making them highly active during market disruptions like the CrowdStrike outage. This section explores how both professional and retail traders likely used options to position themselves during the event.

Accessing detailed Options trading data requires a subscription plan with polygon.io. For our analysis, we used Flat Files, which consolidate all options trades across the entire market into manageable, single compressed CSV files. This method efficiently captures every trade linked to the

ticker, avoiding the need for thousands of API calls and ensuring complete coverage of the market activity.

Lets download options trades, using the

command, to get data from June to August 2024, just so that we can get a sense of what normal activity looks like. You can explore Flat Files data using the web-based interface or using a command-line tool like .

$ mc cp --recursive s3polygon/flatfiles/us_options_opra/trades_v1/2024/06/ .
$ mc cp --recursive s3polygon/flatfiles/us_options_opra/trades_v1/2024/07/ .
$ mc cp --recursive s3polygon/flatfiles/us_options_opra/trades_v1/2024/08/ .
$ gunzip *

This downloaded and uncompressed approximately 15GB of data:

$ ls
2024-06-03.csv 2024-06-12.csv 2024-06-24.csv 2024-07-03.csv 2024-07-15.csv 2024-07-24.csv 2024-08-02.csv
2024-06-04.csv 2024-06-13.csv 2024-06-25.csv 2024-07-05.csv 2024-07-16.csv 2024-07-25.csv 2024-08-05.csv
2024-06-05.csv 2024-06-14.csv 2024-06-26.csv 2024-07-08.csv 2024-07-17.csv 2024-07-26.csv
2024-06-06.csv 2024-06-17.csv 2024-06-27.csv 2024-07-09.csv 2024-07-18.csv 2024-07-29.csv
2024-06-07.csv 2024-06-18.csv 2024-06-28.csv 2024-07-10.csv 2024-07-19.csv 2024-07-30.csv
2024-06-10.csv 2024-06-20.csv 2024-07-01.csv 2024-07-11.csv 2024-07-22.csv 2024-07-31.csv
2024-06-11.csv 2024-06-21.csv 2024-07-02.csv 2024-07-12.csv 2024-07-23.csv 2024-08-01.csv
$ du -hs
 15G	.

If we look at some of these files you’ll see the format, where it lists the contract, conditions, etc. Since these files contain all Options trades per day we'll need to extract trades for the

ticker.

$ head 2024-07-01.csv
ticker,conditions,correction,exchange,price,sip_timestamp,size
O:A240719C00120000,240,0,302,8.21,1719860177342000000,1
O:A240719C00125000,233,0,302,4.04,1719862281872000000,1
O:A240719C00130000,233,0,302,3.57,1719841971624000000,1
O:A240719C00130000,232,0,308,3.1,1719842658047000000,1
O:A240719C00130000,209,0,316,2.35,1719845268770000000,1
O:A240719C00130000,227,0,301,2.22,1719847551242000000,5
O:A240719C00130000,227,0,301,2.22,1719847551242000000,5
O:A240719C00130000,209,0,313,2.2,1719848252152000000,1
O:A240719C00130000,209,0,313,2.2,1719848252153000000,1

For initial data exploration, we used command-line tools for their speed, enabling us to quickly sift through the data and test ideas out. These quick tests can often help guide more detailed analyses, which might later involve transferring the data into a SQL database for complex queries or integrating it into a more sophisticated data management system.

We then proceeded to analyze the daily options trade volumes to identify any significant spikes on and around the date of the CrowdStrike outage:

for file in *.csv; do
  echo -n "$file: "
  grep -o 'CRWD' "$file" | wc -l
done

The output of the bash for loop looks something like this following:

2024-06-03.csv:    20191
2024-06-04.csv:    52233
2024-06-05.csv:    76447
2024-06-06.csv:    22969
2024-06-07.csv:    30137
2024-06-10.csv:    54864
2024-06-11.csv:    21481
2024-06-12.csv:    19808
...

This command-line script filters and counts occurrences of the

ticker in each file using a bash for loop, helping us pinpoint days with unusually high trading volumes, indicative of market reactions to the outage. If you plot this data you'll see something like the following:

As you can see, activity increased sharply compared to the average and highlights the market's quick reaction to the CrowdStrike outage news.

The next question I wanted to answer was how many of these were opportunities of short lived trades using something called Zero Days to Expiration (0DTE) Options? These are basically Options where they expire the same day and are often used during periods of extremely high volatility. We’ll modify our script a little to count trades that occur on the same day as the expiration date.

for file in *.csv; do
  # Extract the date from the filename
  file_date=$(echo $file | cut -d'.' -f1)

  # Convert to a format matching the ticker, e.g., 2024-07-01 to 240701
  # Assuming your options tickers follow a format like CRWD240701
  formatted_date=$(echo $file_date | sed 's/2024-//; s/-//g')

  # Grep for CRWD tickers with the same date and count them
  echo -n "$file: "
  grep -o "CRWD.*$formatted_date.*" "$file" | wc -l
done

Again, the output will look something like this following:

2024-06-03.csv:        7
2024-06-04.csv:       31
2024-06-05.csv:       56
2024-06-06.csv:       21
2024-06-07.csv:    14363
2024-06-10.csv:       56
2024-06-11.csv:       18
2024-06-12.csv:       12
...

When we plot this data you'll see something like the following snapshot:

The analysis shows a substantial increase in Zero Days to Expiration (0DTE) options trading on the day of the outage. This indicates that many traders were looking to capitalize on the immediate volatility, reflecting a blend of speculative trading and hedging strategies.

Finally, I was wondering how much of this was institutional traders? Typically, only they have access to something called Sweep Trades where they grab up large chunks of options contracts at a range of prices across exchanges. You typically will not see retail traders doing this so it can be a fingerprint that sophisticated traders have entered the room. When fetching Options Trades, they will have the conditions seen for that trade, and if you look up the conditions, you’ll see that Sweep Trades are tagged at condition

, so let's get a count of those.

for file in *.csv; do
  # Filter for CRWD tickers and condition code for sweep trades (assuming code 219 here)
  echo -n "$file: "
  grep "CRWD" "$file" | awk -F, '$2 == "219"' | wc -l
done

Again, the resulting data will look something like this:

2024-06-03.csv:      638
2024-06-04.csv:     1992
2024-06-05.csv:     3137
2024-06-06.csv:      796
2024-06-07.csv:     1051
2024-06-10.csv:     1652
2024-06-11.csv:      849
2024-06-12.csv:      581
...

When you plot this data you'll get a snapshot that looks like this:

As you can see, there was also a notable rise in sweep trades, suggesting that institutional investors were actively adjusting their positions in response to the outage's implications. Sweep trades are typically executed by very sophisticated investors and are a strong indicator of strategic, high-stakes trading.

Finally, the patterns observed in the trading activities, such as spikes in overall trades, a surge in Zero Days to Expiration (0DTE) Options, and an increase in sweep trades, serve as significant indicators of market sentiment and potential strategies in response to major events. These types of analyses can be applied universally, providing valuable insights into how markets might react under similar circumstances in the future.

By identifying these patterns, you can better anticipate market movements and refine your strategies to either mitigate risks or capitalize on expected price volatility.

Next Steps

This tutorial on the CrowdStrike outage of July 2024 serves as an interesting case study into the mechanics of market reactions during significant events. By analyzing the movements in both the Stocks and Options markets through polygon.io's datasets, we've uncovered key indicators such as trade activity spikes, Zero Days to Expiration (0DTE) options trades, and sweep trades, which are critical in understanding the cause-effect relationships within the markets. These indicators not only highlight immediate responses but also offer patterns that can predict market behaviors in similar future scenarios.

For those seeking to deepen their understanding or monitor market dynamics in real-time and historically, polygon.io provides Stock APIs, Options APIs, Flat Files, and streaming WebSocket API for complete historical and real-time market coverage. This analysis underscores the invaluable insights gained from robust data analysis, along with some interesting signals to watch for, which is essential for navigating market turbulence and seizing opportunities in the wake of unexpected events.

Happy exploring!

• 

  Team Polygon

  editor

  Read More