Product(s): CrowdStrike Falcon
Overall Comment: "My overall experience has been excellent. As a previous customer for several years, I have brought Crowdstrike into several organizations. The main need has been to detect novel malicious and anomalous endpoint behavior. After evaluating several vendors, Crowdstrike was the clear winner. Key factors included the administrator interface, which is clean and intuitive for investigating alerts. This made it easy to track event sequences and determine responses to anomalies. While price was important, we also considered market share, innovation, and integrations with tools like our ticketing system, SIEM, and SOC, maximizing our investment. Measuring ROI is difficult, but the product has delivered value. It effectively handles events, quarantines malicious files, and prevents incidents, thus avoiding significant costs from investigations and threat spread. As a CISO, I have peace of mind knowing I can verify its monitoring and blocking. For example, I tested detection by downloading Mimikatz on a test machine, confirming the agent’s effectiveness. Deployment and onboarding were seamless thanks to mobile device management, enabling zero-touch installation of Crowdstrike agents and removal of our previous solution, migrating all devices in two weeks. The agent worked well with our unattended installation method and caused no compatibility issues with legacy systems; only offline devices (due to user leave) were missed—a common issue for any software. Crowdstrike Falcon scales well; it can support thousands of endpoints, and at around 500 now, I foresee no scaling issues as we grow. Its ability to detect advanced threats and suspicious behavior is very high. I’ve used Red Team tools like Stratus Red Team to simulate complex attacks (e.g., creating backdoor users, deploying scenarios across servers, laptops, and cloud). These tests validate its detection and provide a full assessment of our monitoring, SIEM, SOC, log analysis, and escalation processes."
The ability to detect novel malicious and anomalous behavior on endpoints was a critical factor in our selection. Crowdstrike’s cloud-based telemetry analysis enables rapid innovation—new tactics and techniques discovered in the wild are quickly addressed, often within hours. This is a major advantage over legacy signature-based protection, which may only update daily. Response, innovation, and monitoring improvements must be measured in hours, not days. Falcon has proven highly effective at detecting advanced threats and suspicious activity. I’ve used Red Team tools, especially Stratus Red Team (by Datadog), to verify detection of complex attack simulations, like creating a backdoor user. These tests offer a strong end-to-end assessment of our SOC processes, from alerting through log analysis and escalation. The administrator experience for investigating alerts is excellent; the interface is clean and intuitive, making it easy to trace events leading to an alert and determine the right response. While price is important, so are market share and innovation. Integrations are vital for maximizing value, and Crowdstrike connects seamlessly with our ticketing system, SIEM, SOC, and other endpoint health sources. Crowdstrike has addressed feedback such as enabling searches by device name—a previous gap, since alerts often reference device names rather than unique IDs. The ability to create department-focused protection profiles is extremely useful, letting us apply stricter monitoring or more aggressive protection for sensitive departments like finance, while roles with less sensitive data, like marketing interns, receive baseline protection. This allows for tailored rules based on departmental risk and data classification. I haven’t observed Crowdstrike agents negatively impacting endpoint performance, and in terms of capabilities, I don’t know of any tool doing a better job right now.
My primary concern with the product relates to the "shoot themselves in the foot incident", an outage that caused significant disruption. This incident led to questions from senior leadership regarding whether we should consider switching away from Crowdstrike, given its very large impact, even affecting global air travel for a few hours. It is important to note that this was a Windows Crowdstrike outage, not a Linux Crowdstrike outage. This distinction is significant because it highlights the inherent fragility of the Windows operating system, where a single file change can lead to a "blue screen of death" loop, often requiring manual intervention to restore functionality. In my view, Microsoft bears a share of the blame for this outage due to the design of their operating system. Crowdstrike, to their credit, acknowledged this in a root cause analysis and published commitments to prevent similar occurrences in the future. Their stated actions include more regression testing, automated testing, and Quality Assurance (QA) of changes. While the incident was disruptive, the company's response and commitment to preventing recurrence were positive.