CrowdStrike Falcon

The ability to detect novel malicious and anomalous behavior on endpoints was a critical factor in our selection. Crowdstrikes cloud-based telemetry analysis enables rapid innovationnew tactics and techniques discovered in the wild are quickly addressed, often within hours. This is a major advantage over legacy signature-based protection, which may only update daily. Response, innovation, and monitoring improvements must be measured in hours, not days. Falcon has proven highly effective at detecting advanced threats and suspicious activity. Ive used Red Team tools, especially Stratus Red Team (by Datadog), to verify detection of complex attack simulations, like creating a backdoor user. These tests offer a strong end-to-end assessment of our SOC processes, from alerting through log analysis and escalation. The administrator experience for investigating alerts is excellent; the interface is clean and intuitive, making it easy to trace events leading to an alert and determine the right response. While price is important, so are market share and innovation. Integrations are vital for maximizing value, and Crowdstrike connects seamlessly with our ticketing system, SIEM, SOC, and other endpoint health sources. Crowdstrike has addressed feedback such as enabling searches by device namea previous gap, since alerts often reference device names rather than unique IDs. The ability to create department-focused protection profiles is extremely useful, letting us apply stricter monitoring or more aggressive protection for sensitive departments like finance, while roles with less sensitive data, like marketing interns, receive baseline protection. This allows for tailored rules based on departmental risk and data classification. I havent observed Crowdstrike agents negatively impacting endpoint performance, and in terms of capabilities, I dont know of any tool doing a better job right now.

The accuracy of the product is good unlike other EDRs, that is why its hard to move away from it, also the pricing is quite flexible.

What I like most about CrowdStrike Falcon is its proactive detection and rapid response to threats. The combination of real-time analysis, process behavior and cloud-based protection allows you to identify even unknown or fileless attacks that other traditional solutions could miss. For example, Falcon once detected suspicious activity on an endpoint that was running a legitimate script modified by an attacker. The platform automatically blocked the malicious execution and generated a detailed report with recommendations on how to enforce application policy, allowing the security team to remediate the situation without impacting operations. Additionally, the centralized interface and clear alerts make managing and monitoring all endpoints much simpler and more efficient. This gives me confidence that our devices are constantly protected without the need for constant manual intervention.

My primary concern with the product relates to the shoot themselves in the foot incident, an outage that caused significant disruption. This incident led to questions from senior leadership regarding whether we should consider switching away from Crowdstrike, given its very large impact, even affecting global air travel for a few hours. It is important to note that this was a Windows Crowdstrike outage, not a Linux Crowdstrike outage. This distinction is significant because it highlights the inherent fragility of the Windows operating system, where a single file change can lead to a blue screen of death loop, often requiring manual intervention to restore functionality. In my view, Microsoft bears a share of the blame for this outage due to the design of their operating system. Crowdstrike, to their credit, acknowledged this as a root cause analysis and published commitments to prevent similar occurrences in the future. Their stated actions include more regression testing, automated testing, and Quality Assurance (QA) of changes. While the incident was disruptive, the company's response and commitment to preventing recurrence were positive

The most The support it is hard to get anything from them it could have been better, they will be able to support integrations but for troubleshooting with them would be a pain.

What I like least about CrowdStrike Falcon Endpoint Protection is that, although the platform is very powerful, some reports and alerts can be too technical for non-specialized personnel. For example, when an alert is generated about advanced suspicious behavior, the report includes many details of processes and scripts that require in-depth knowledge to interpret correctly. This can slow down decision making if the team receiving the alert is not fully familiar with the terminology. Another minor point is that, at first, configuring certain advanced policies can be a bit complex, especially for organizations that do not have a dedicated security team or experience in PPE. However, these are minor aspects compared to the overall value and effectiveness of the platform.