VENDOR PROFILE
CrowdStrike: Combining Threat Intelligence and SaaS
Endpoint Protection
Christina Richmond
Robert Westervelt
IDC OPINION
CrowdStrike, a privately held company, is one of a number of disruptive security start-ups that are
gaining attention for bringing to market innovative products designed to replace traditional antivirus
(AV) or augment it to improve detection of targeted attacks, custom malware, and zero-day threats.
Like many endpoint security vendors, CrowdStrike uses a mixture of standard techniques to detect
malware, including file hashes to detect known malware and blacklisting and whitelisting capabilities,
combined with machine learning and behavioral-based detection. The CrowdStrike Falcon Platform is a
native cloud solution, with a unique differentiator being the functionality used by the CrowdStrike sensor
or agent to disrupt the attack kill chain by identifying signs of suspicious activity, or "Indicators of Attack"
(IOAs). These IOAs can be in the form of attack techniques, such as manipulating desktop
management tools, the use of the Windows command line interface, or other administrative features.
CrowdStrike has been gaining attention and adoption from large enterprises. In July 2015, the
company reported a CAGR of 550% in annual recurring revenue, 700% increase in the number of
transactions that exceed $1 million, and 225% growth in annual contract value subscriptions. Also in
2015, the company received $100 million in a financing round led by CapitalG (formerly known as
Google Capital). IDC believes that CrowdStrike has staked out a niche and value proposition that
resonates with enterprise leaders who increasingly accept the likelihood of breaches and the risks
associated with cyberattacks. CrowdStrike's technology, expertise, and go-to-market strategy, which
incorporate elements of endpoint protection, managed security services (MSS), and threat intelligence
security services (TISS), should position the company for strong success in the coming years. Further:
- CrowdStrike delivers a cloud-based endpoint protection and breach prevention solution, threat
  intelligence, and services such as assessment and incident response (IR).
- CrowdStrike positions its "next-generation endpoint protection" as a platform designed to stop
  breaches and combines its threat detection capabilities with investigative tools for rapid
  incident response and exploit prevention capabilities to stop drive-by attacks and memory-based
  threats.
- CrowdStrike also provides an optional threat hunting service to augment its endpoint agent.
IN THIS VENDOR PROFILE
This IDC Vendor Profile analyzes CrowdStrike, a five-year-old company that has built a native cloud
solution to help enterprises thwart cyberattacks. This Vendor Profile reviews key success factors
including company strategy, product strategy, offerings, partnerships, and target markets.
November 2016, IDC #US41921716
SITUATION OVERVIEW
Like many endpoint security vendors, CrowdStrike uses a mixture of standard techniques to detect
malware, including file hashes to detect known malware and blacklisting and whitelisting capabilities,
combined with machine learning and behavioral-based detection. The CrowdStrike Falcon Platform is a
native cloud solution, with a unique differentiator being the functionality used by the CrowdStrike sensor
or agent to disrupt the attack kill chain by identifying signs of suspicious activity, or "Indicators of Attack"
(IOAs). These IOAs can be in the form of attack techniques, such as manipulating desktop management
tools, the use of the Windows command line interface, or other administrative features.
In November 2016, CrowdStrike announced it had achieved antivirus certification through independent
testing with AV-Comparatives. CrowdStrike Falcon was the only tested endpoint security solution
recognized as capable of fully replacing traditional AV by registering with Windows Security Center as
the system's antivirus/antispyware product. CrowdStrike received independent validation from
AV-Comparatives, underscoring its solution's ease of deployment and updatability, modern and
well-organized user interface, and extensive capabilities in tracking and reporting on malicious activities
on the endpoint. Falcon Host achieved 100% detection efficacy on all exploits used in the testing. It also
scored a range of 98–99.2% for detection efficacy, with zero false positives on three separate malware
tests performed by AV-Comparatives.
CrowdStrike Falcon Platform was recently independently evaluated by Coalfire, a leading assessor for
global PCI and other compliance standards in industries such as financial services, government, and
healthcare. Coalfire determined that the Falcon Platform is a "suitable solution for addressing system
protection and monitoring requirements for PCI DSS v3.2" and a "suitable solution for addressing a
number of key technical requirements in the HIPAA Security and Privacy Rules." Coalfire also
released an independent assessment report on the use of Falcon Host with respect to the National
Institute of Standards and Technology (NIST) SP 800-53 framework for organizations dealing with
federal information. It outlines that "Falcon Host provides capabilities in detection and responding to
threats, and associated collection of activities, making CrowdStrike Falcon Host a suitable solution for
addressing the system protection and monitoring controls identified in NIST SP 800-53 Revision 4."
Company Overview
CrowdStrike was founded in 2011 to stop breaches by going beyond malware-based
countermeasures. The company's solution is designed to stop cyberattacks by seeing and stopping
malicious activity across the entire threat life cycle. This approach provides protection against both
commodity malware attacks and sophisticated attacks perpetrated by adversaries. The company's
headquarters office is located in Irvine, California, and approximately 460 employees work in the
United States, the United Kingdom, Australia, and New Zealand. CrowdStrike's revenue is estimated
to be $50 million.
Company Strategy
CrowdStrike's strategy is based on the belief that "modern attackers can easily bypass legacy security
solutions," and the company strives to prevent as many breaches as possible by stopping both
malware-based attacks and malware-free attacks. The security vendor has a strong threat intelligence
arm that uses data collected from sensors in more than 170 countries and threat researchers to
provide guidance and protection on newly detected targeted intrusion attack campaigns. By sharing
this threat information, CrowdStrike offers what it calls "community immunity" to its customers.
©2016 IDC
#US41921716
2
The company is going above and beyond standard compliance requirements, which is a smart
market-leading move. Currently, the company's platform is compliant with standards such as PCI DSS v3.2,
NSA-CIRA, and SOC 2. With respect to PCI DSS compliance, Coalfire reports that the Falcon Platform
addresses five PCI DSS requirements compared with other endpoint security vendors that address
only one requirement — antivirus. Endorsements like the ones from Coalfire will do more than validate
CrowdStrike. These endorsements will help educate the market and push regulators to consider new
architectures and new standards.
Product Strategy
The CrowdStrike Falcon Platform is designed to both prevent and detect actual threat activity on
endpoints as well as provide visibility into the threat activity. It's a kernel-level driver that examines the
processes running on endpoints (Windows desktops and servers, macOS, and Linux on or off the
network), looking for malicious activity.
The CrowdStrike Falcon Sensor is designed to identify attackers that are attempting to move laterally
within the corporate network to gain access to systems containing more sensitive files or probe for
users with higher privileges. It can also capture the IP address of the command and control server
when malware on a system running Falcon Host, even one outside the corporate network, attempts to
communicate with it.
CrowdStrike provides ways to integrate into an organization's existing security infrastructure. APIs,
applications, and tools, which are under the Falcon Connect umbrella, extend the Falcon Platform into
customers' security environments. The Falcon management dashboard provides users with
comprehensive visibility, priorities, attributions, and reports, including executive summaries. The
CrowdStrike Elevate Partner Program provides third-party partners with the ability to resell, integrate,
recommend, and refer CrowdStrike solutions to their customers.
CrowdStrike differentiates itself from other next-generation endpoint security products by arming
enterprise incident responders with tools and forensics data for rapid incident response. When an
attack takes place, CrowdStrike logs events in real time, and a feature called Threat Graph presents a
"chain of custody" that provides incident responders with correlated threat indicators, such as the time
stamp when an attacker establishes a backdoor, leverages a privileged account, or runs commands
from a Windows PowerShell prompt. These are common attack tactics that would otherwise go
undetected by traditional antivirus or by modern solutions focused only on malware detection.
The CrowdStrike solution is offered as a subscription-based software as a service (SaaS). No
hardware or software is installed in customer environments, with the exception of a sensor that
protects endpoints and connects them to the Falcon SaaS Platform. The sensor is lightweight and
deployable across organizations of all sizes. According to CrowdStrike, a sensor can be set up for
100,000 endpoints in a few hours.
In the cloud, there is practically no limit to the amount of data that can be stored, which enables robust
current and historical threat analysis.
Product/Service Offerings
The following CrowdStrike products and services make up the current offering portfolio:
- The CrowdStrike Falcon Platform consists of Falcon Host, Falcon Overwatch, and Falcon
  Intelligence.
- Falcon DNS identifies and blocks malicious DNS callbacks.
- Services include M&A Cyber Risk Assessment and incident response services, which are
  customized to each situation.
Falcon Host includes elements that CrowdStrike believes are essential in true next-generation
solutions:
- Antivirus functionality that goes beyond simply identifying and addressing known malware:
  - Leverages behavioral analytics and machine learning to provide a comprehensive yet
    digestible view of both legitimate activity and malicious activity
  - Looks for signs of attack (Indicators of Attack) as they are occurring along with indicators
    of compromise (IOCs), which indicate an attack has already happened
  - Looks for behaviors that reveal IOAs; these may include indications that an attacker is
    evading detection or that privileges are being changed to enable access
  - Includes CrowdStrike Threat Graph data modeling that's designed to analyze and
    correlate the data that's collected from endpoint sensors worldwide for the purpose of
    identifying patterns that could indicate an attack in progress
- An endpoint detection and response (EDR) system that records all activities of interest to
  enable inspection either in the moment or later: The system can hunt quickly through massive
  amounts of data to find patterns of malicious activity. In addition, CrowdStrike's cloud
  deployment model enables the EDR system to protect off-network or off-VPN systems, and
  the EDR can assist with breach mitigation. API access to this recorded information provides
  customers and third-party applications the ability to mine this information for other use cases.
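The IOA-versus-IOC distinction drawn in the Falcon Host list above, and the Threat Graph "chain of custody" described under Product Strategy, are easier to see in code. The following is an added illustrative example, not CrowdStrike code and not a description of how Falcon implements its rules: the four IOA rules, the placeholder known-bad hash, the host name, user, process IDs and command lines are all constructed for the example, and detect() and ancestry() are hypothetical names. An IOC check asks "is this file known bad?"; an IOA check asks "is this sequence of behavior what an intrusion looks like?" regardless of the file involved, and the ancestry walk supplies the time-stamped chain a responder needs.

```python
"""
IOA-style behavioural detection over constructed process telemetry.

Added example, not CrowdStrike's code. Rules, hosts, users, hashes and
command lines are all made up for the example; KNOWN_BAD_SHA256 is a
placeholder IOC, and detect()/ancestry() are hypothetical names.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str        # ISO-8601 process start time (sortable as a string)
    host: str
    pid: int
    ppid: int
    image: str     # executable name, lowercased
    cmdline: str
    user: str
    sha256: str = ""   # hash of the image, if the sensor recorded one


# IOC: a known-bad file hash (placeholder value, not a real sample).
KNOWN_BAD_SHA256 = {"d3adbeef" * 8}

# IOA rules: behaviour, not file identity. Each rule sees the event and its parent.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\S|(?:^|\s)-w(?:indowstyle)?\s+hidden")
ADMIN_RE = re.compile(r"(?i)localgroup\s+administrators\s+\S+\s+/add")
REMOTE_SC_RE = re.compile(r"(?i)\\\\[\w.-]+\s+create\b")  # sc.exe \\HOST create ...

RULES = [
    ("office_spawns_shell",
     lambda ev, parent: parent is not None and parent.image in OFFICE and ev.image in SHELLS),
    ("powershell_encoded_or_hidden",
     lambda ev, parent: ev.image == "powershell.exe" and ENC_RE.search(ev.cmdline) is not None),
    ("local_admin_added",
     lambda ev, parent: ev.image in {"net.exe", "net1.exe"} and ADMIN_RE.search(ev.cmdline) is not None),
    ("remote_service_create",
     lambda ev, parent: ev.image == "sc.exe" and REMOTE_SC_RE.search(ev.cmdline) is not None),
]


def ancestry(by_key, ev):
    """Oldest-first chain of (ts, image, user) from the root we know of down to ev.

    This is the 'chain of custody' a responder wants: when the document opened,
    when the shell spawned, when privileges changed. Real telemetry keys on
    (host, pid, start time) because PIDs are reused; (host, pid) is enough here.
    """
    chain, seen, cur = [ev], {(ev.host, ev.pid)}, ev
    while (cur.host, cur.ppid) in by_key and (cur.host, cur.ppid) not in seen:
        cur = by_key[(cur.host, cur.ppid)]
        seen.add((cur.host, cur.pid))
        chain.append(cur)
    return [(p.ts, p.image, p.user) for p in reversed(chain)]


def detect(events):
    """Run IOC and IOA checks over process events; return alerts in time order."""
    by_key = {(e.host, e.pid): e for e in events}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        parent = by_key.get((ev.host, ev.ppid))
        if ev.sha256 in KNOWN_BAD_SHA256:
            alerts.append({"kind": "IOC", "rule": "known_bad_hash", "host": ev.host,
                           "pid": ev.pid, "chain": ancestry(by_key, ev)})
        for name, matches in RULES:
            if matches(ev, parent):
                alerts.append({"kind": "IOA", "rule": name, "host": ev.host,
                               "pid": ev.pid, "chain": ancestry(by_key, ev)})
    return alerts


# Constructed sample: a macro document drops to an encoded PowerShell stager,
# adds a local admin, drops a payload and creates a service on a file server.
H = "WS-0042"
SAMPLE_EVENTS = [
    ProcEvent("2016-11-02T09:14:03Z", H, 4000, 800, "explorer.exe", "explorer.exe", "alice"),
    ProcEvent("2016-11-02T09:15:10Z", H, 4120, 4000, "winword.exe", "WINWORD.EXE /n invoice.docm", "alice"),
    ProcEvent("2016-11-02T09:15:31Z", H, 4188, 4120, "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", "alice"),
    ProcEvent("2016-11-02T09:16:02Z", H, 4210, 4188, "net.exe",
              "net localgroup administrators svc_backup /add", "alice"),
    ProcEvent("2016-11-02T09:16:20Z", H, 4250, 4188, "u.exe", r"c:\windows\temp\u.exe", "alice",
              sha256="d3adbeef" * 8),
    ProcEvent("2016-11-02T09:16:40Z", H, 4230, 4188, "sc.exe",
              r'sc.exe \\FILESRV01 create updsvc binpath= "c:\windows\temp\u.exe"', "alice"),
    # Benign admin activity that must not fire: a script run by path, and notepad.
    ProcEvent("2016-11-02T09:20:00Z", H, 4300, 4000, "powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1", "alice"),
    ProcEvent("2016-11-02T09:21:00Z", H, 4400, 4000, "notepad.exe", "notepad.exe", "alice", sha256="aa" * 32),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["kind"], a["rule"], "->", " > ".join(f"{ts} {img}" for ts, img, _ in a["chain"]))
```

Run stand-alone, the script prints five alerts: four IOA hits (Word spawning a shell, an encoded and hidden PowerShell command, a local administrator being added, and a service created on a remote host) and one IOC hit for the placeholder hash, each with the explorer.exe > winword.exe > powershell.exe ancestry that ties them together. The benign PowerShell script run and notepad produce nothing. Note that the IOC rule would have missed the whole intrusion had the payload been recompiled, while the IOA rules keep firing because they key on behavior; the cost is that such rules need tuning against legitimate administrative use (the -w hidden pattern, for example, appears in some scheduled maintenance scripts).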
Falcon Overwatch is a proactive managed threat hunting service by a team of cyberintrusion/detection
analysts and investigators. The Falcon Overwatch team monitors the CrowdStrike Threat Graph, which
consists of data from all Falcon sensors deployed globally as well as data from Falcon DNS.
Leveraging big data in this way allows the Overwatch team to find cutting-edge attack techniques and
reduce attacker dwell time from months to minutes.
Falcon Intelligence is a threat intelligence subscription service that's delivered via reports, feeds, and
APIs. It's intended to answer questions such as:
- Is an attacker a risk?
- What are the capabilities and intentions of an attacker?
- Has the attacker been active, or is the attacker currently active?
CrowdStrike provides a range of proactive and reactive incident response services. The M&A Cyber
Risk Assessment service helps assess the cybersecurity landscape of the companies involved in a
potential merger or acquisition. Early detection of vulnerabilities or compromised systems can prevent
or minimize liabilities and expenses that could be unpleasant surprises post-merger or post-acquisition.
CrowdStrike believes its remote "day one" incident response services are an important differentiator
because of the speed with which it can respond. IR begins with the deployment of CrowdStrike Falcon
to enable endpoint visibility, use of threat intelligence, and appropriate remediation actions.
Go to Market
CrowdStrike is headquartered in Irvine, California, and in 2016, it expanded operations to Europe, with
a headquarters in London, and APAC, with a headquarters in Sydney. In addition to channel sales,
CrowdStrike is also ramping routes to market with MSSPs and IaaS offerings like Google Cloud
Platform.
Partnerships
The CrowdStrike Elevate Partner Program is open to systems integrators and consultants, solution
providers, managed service providers, cyberinsurance carriers, and technology partners. The program
provides APIs, applications, services, and tools to partners, along with education, training, co-marketing,
and joint sales planning.
Technology partners like Anomali integrate CrowdStrike's threat intelligence APIs into their own
platforms, so that the CrowdStrike intelligence service appears alongside the other feeds those platforms
aggregate. Other vendors like Cyphort will use the Connect APIs to share IOCs with the Falcon Platform.
Cloud providers like AWS and Google have partnered with CrowdStrike to ensure Falcon can be
deployed and managed seamlessly on all customer assets running in their cloud environments.
Many solution providers that resell CrowdStrike solutions, like Optiv and Guidepoint, are also using the
APIs to build a managed service to offer to their customers — thus complementing their business of
simply reselling software to providing a fully managed solution to the customer. Other vendors like
Rackspace are fully integrating the Falcon Platform into their overall security offering and selling the
customer a fully secure PaaS that is powered by CrowdStrike, which can be consumed as a monthly
subscription.
Systems integrators and consultants are also leveraging the Falcon Platform to provide their own
reactive incident response services to customers. The Elevate Program offers companies like
Navigant the tools, training, and licenses they need to deploy Falcon.
Cyberinsurance carriers like Chubb are offering loss prevention services that reduce cyberinsurance
costs for clients that use CrowdStrike. In addition, these carriers also refer clients to CrowdStrike
should the clients incur a data security breach.
Target Markets
In addition to technology companies — Rackspace is an example — CrowdStrike's customers include
three of the top 10 largest global companies by revenue, two of the top 10 credit card payment
processors, five of the top 10 largest banks, and three of the top 10 oil and gas companies.
CrowdStrike initially targeted the Fortune 1000 but has recently hired a corporate sales team to
expand downmarket. The emphasis on delivering less complex "next-generation antivirus" should
enable the team to expand to a broader base of upper midmarket and large enterprises.
IDC has validated CrowdStrike's assertions that the company is displacing competitive solutions. The
company now boasts a customer base consisting of 62 of the Fortune 500. A bank replaced a FireEye
(Mandiant) endpoint solution with CrowdStrike's to protect 12,000 endpoints. CrowdStrike is playing a
key role at organizations requiring security for systems with a small footprint, such as budget hardware
supporting customer-facing systems like self-check-in kiosks at airports and other major transportation
terminals.
The company had a competitive win over Carbon Black's whitelisting and endpoint response offerings
because the deployment could be done quickly and with minimal disruption. A management firm of
large apartment complexes ripped and replaced its traditional antivirus in favor of CrowdStrike. The
ability to roll out CrowdStrike in a day versus three months with an established endpoint security
vendor, and at a lower cost, sealed the deal.
FUTURE OUTLOOK
Challenges and Opportunities
CrowdStrike faces competitors that have expanded marketing spending, and one pure "next-generation
antivirus" competitor, Cylance, has struck a key deal with Dell to sell its solution alongside
Dell business machines. CrowdStrike needs to expand its brand and demonstrate its customer
success stories to cross the chasm from its early adopter base to the pragmatist technology product
adopters that want a solution that functions out of the box, integrates with existing security
infrastructure, and produces measurable results. This requires CrowdStrike to seek partnerships with
established vendors that have already won over the pragmatist buyers, such as established IT
management providers and vulnerability management vendors. These efforts should result in strong
returns in the future.
IDC has identified several drivers in the cloud-hosted enterprise security service market (see
Worldwide Cloud Hosted Enterprise Security Services (Security as a Service) Forecast, 2015–2019,
IDC #257959, July 2015) that offer opportunities for service providers to differentiate themselves, all of
which CrowdStrike is focused on:
- A focus on the midmarket (and channel). Cloud-based security solutions are best positioned
  as channel-friendly offerings to midmarket and smaller customers. CrowdStrike sells to the
  midmarket directly and through strong enablement of channel partners and integration with
  service providers.
- Offering of cloud-managed SaaS applications. The CrowdStrike solution is native to SaaS and
  is managed through a cloud platform.
- Integration with resources on-premises. As larger companies look to cloud-hosted enterprise
  security services (CHESS) solutions, they don't want multiple solutions to cover their broad
  architectural needs. That means cloud-delivered solutions can't ignore on-premises resources.
  CrowdStrike deploys rapidly without the need to integrate with on-premises tools.
IDC believes that threat intelligence is also a decisive factor in the selection of security products and
services vendors. Given the double-digit growth forecast of nearly $1.8 billion for the TISS market in
2020, vendors are likely to continue to create and refine offerings. However, in this young market,
there is confusion about the types of threat intelligence, what to buy, how to apply the information, how
to identify the most important threats, and how to prioritize actions.
Regardless, the opportunity is large for vendors and enterprises of all sizes. By engaging a vendor like
CrowdStrike, enterprises can implement security with a breach prevention emphasis that leverages
native cloud architecture, endpoint protection, threat intelligence, and incident response.
Meanwhile, there are challenges:
- Integrating threat intelligence into a business is a complex endeavor. Organizations have to
  navigate their own technologies as well as those proposed by vendors, and they struggle with
  defining roles, responsibilities, communications, and processes.
- While board members and executives are increasingly aware of and accepting the reality and
  risks of cyberthreats, education must continue regarding the threat landscape, security
  strategies, threat intelligence options, detection and response options, integration, budgeting,
  and staffing.
- A shortage of security talent is a continuing problem. Enterprises are increasingly evaluating
  security services providers or outsourcing some tasks because of the difficulties associated
  with staffing.
ESSENTIAL GUIDANCE
Advice for CrowdStrike
IDC believes that CrowdStrike is well positioned to continue its growth with its purpose-built cloud
solution and unique combination of capabilities. By operating with cloud speed and scale, CrowdStrike
can offer fast, easy deployment with no need for on-premises equipment. Further, the company offers
a number of community tools, use cases, and buyer checklists.
To support its continuing growth, CrowdStrike should:
- Leverage the Coalfire reports in marketing and educational efforts to position itself as an
  industry leader that is solving a big problem with an innovative approach
- Elaborate on how "community immunity" is different and better than other crowdsourced threat
  intelligence
- Pursue partnerships that augment sales/distribution efforts and lead to more "pragmatist"
  buyer engagements
- Assist CXOs, IT leaders, and chief information security officers (CISOs) with educational
  efforts about the security landscape and what every employee can do to minimize
  vulnerabilities
- Capitalize on buyers' preference for the opex business model
LEARN MORE
Related Research
- IDC's Worldwide Security Services Taxonomy, 2016 (IDC #US41053315, March 2016)
- Worldwide Threat Intelligence Security Services Forecast, 2016–2020: Strength in Numbers
  (IDC #US41053415, March 2016)
- Worldwide Endpoint Security Forecast, 2015–2019: The Influence of Specialized Threat
  Detection (IDC #259807, November 2015)
- Worldwide Cloud Hosted Enterprise Security Services (Security as a Service) Forecast,
  2015–2019 (IDC #257959, July 2015)
- Worldwide Specialized Threat Analysis and Protection Forecast, 2015–2019: Defending
  Against the Unknown (IDC #256354, May 2015)
- Worldwide and U.S. Professional Security Services 2015–2019 Forecast: The Perfect Storm
  (IDC #254562, March 2015)
About IDC
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory
services, and events for the information technology, telecommunications and consumer technology
markets. IDC helps IT professionals, business executives, and the investment community make
fact-based decisions on technology purchases and business strategy. More than 1,100 IDC analysts
provide global, regional, and local expertise on technology and industry opportunities and trends in
over 110 countries worldwide. For 50 years, IDC has provided strategic insights to help our clients
achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology
media, research, and events company.
Global Headquarters
5 Speen Street
Framingham, MA-01701
USA
508.872.8200
Twitter: @IDC
idc-community.com
www.idc.com
Copyright Notice
This IDC research document was published as part of an IDC continuous intelligence service, providing written
research, analyst interactions, telebriefings, and conferences. Visit www.idc.com to learn more about IDC
subscription and consulting services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please
contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or [email protected] for information on
applying the price of this document toward the purchase of an IDC service or for information on additional copies
or web rights.
Copyright 2016 IDC. Reproduction is forbidden unless authorized. All rights reserved.