CrowdStrike Unveils AI-Powered Falcon Upgrades
By Diego Valverde | Journalist & Industry Analyst
Tue, 05/13/2025 - 08:55
CrowdStrike unveiled major updates to its Falcon cybersecurity platform and Falcon Next-Gen SIEM during the RSA Conference 2025, introducing AI-powered automation, expanded threat hunting capabilities, and integrated data protection features aimed at modernizing Security Operations Centers (SOCs).
“Much of the data going into a SIEM already comes from CrowdStrike,” says Ajit Sancheti, General Manager, Falcon Next-Gen SIEM. “We replaced the former back end with our own LogScale technology, which allowed us to offer better retention, faster search, and cost-effective data logging.”
The introduction of these updates reflects the growing need for scalable, AI-integrated security operations frameworks capable of addressing the inefficiencies of legacy systems while supporting evolving enterprise environments. The expansion of the Falcon platform reinforces CrowdStrike’s strategy to transform itself from a leading endpoint detection and response (EDR) vendor into a comprehensive cybersecurity platform provider, reports Security Boulevard.
CrowdStrike acquired Humio in 2021 for its high-speed log ingestion and indexing engine, which it later rebranded as LogScale, the foundation of Falcon Next-Gen SIEM. According to CrowdStrike, the updated SIEM ingests up to 1 PB of logs per day, searches up to 150 times faster than traditional SIEMs, and lowers cost by up to 80% over three years. First-party Falcon telemetry is ingested at no extra charge, while third-party data is priced according to the retention period chosen.
The company also announced new agentic capabilities for Charlotte AI, its assistant for automating security workflows. Charlotte AI can now perform automated root cause analysis and drive decision-based orchestration through security orchestration, automation and response (SOAR) workflows, with the aim of streamlining alert triage and response. CrowdStrike says the triage model was trained on the decision patterns of its Falcon Complete managed detection and response (MDR) analysts and reports over 98% accuracy in alert triage.
Charlotte AI’s new capabilities include:
- Agentic Response: automates root cause analysis of security incidents.
- Agentic Workflows: drives decision-based orchestration through security orchestration, automation and response (SOAR) workflows.
- Identity Threat Triage: prioritizes identity-related alerts to improve detection accuracy.
Additionally, CrowdStrike introduced AI Parsers, a feature that automatically generates parsers from samples of proprietary log data. This allows organizations to onboard logs from custom or in-house applications without hand-written parser configuration, freeing analyst time and reducing onboarding friction.
CrowdStrike also expanded its Adversary OverWatch managed threat hunting service to cover third-party telemetry, such as logs from VPNs, email gateways, and unmanaged devices. These enhancements address environments not directly monitored by Falcon agents and are particularly relevant for small organizations or sectors with limited cybersecurity staffing, including rural healthcare providers.
“Extending MDR services to third-party data gives them the coverage they need. This includes mission-critical SOC services,” says Sancheti.
New OverWatch capabilities include real-time threat hunting across third-party logs, user and entity behavior analytics, integrated case management, and automated response workflows tied to identity-based telemetry.
This shift extends Falcon’s protective scope from internal infrastructure to external ecosystems, aligning with rising enterprise concerns around digital supply chain security. By enabling threat monitoring across interconnected vendor environments, CrowdStrike addresses a critical security layer for organizations with complex, federated IT landscapes.
Updates also spanned Falcon Cloud Security and Falcon Data Protection, particularly for enterprises deploying AI models and operating in multi-cloud environments. Key enhancements include:
- AI model scanning to detect manipulated or trojanized machine learning code.
- Shadow AI detection to monitor unregistered AI tools operating within networks.
- Generative AI data leak prevention using similarity analysis.
- eBPF-based runtime cloud data protection, enabling granular visibility at the kernel level.
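The similarity-analysis item above is the one a practitioner will most want to see concretely. The following is an added example written for this article, not CrowdStrike's Falcon Data Protection code: an outbound prompt bound for a generative AI service is compared against an index of protected documents using word-shingle containment, so that a pasted excerpt is caught even when the prompt wraps it in other text. The protected documents, prompts, shingle size and threshold are all constructed for illustration.

```python
"""Similarity analysis for generative-AI data leak prevention.

Added example, not CrowdStrike's code. The documents, prompt text,
shingle size and threshold below are constructed for illustration.
"""
import re
from typing import Dict, Set, Tuple

SHINGLE_WORDS = 5            # words per shingle; smaller = more sensitive, more noise (assumed)
CONTAINMENT_THRESHOLD = 0.5  # share of prompt shingles that must appear in one document (assumed)

_WORD = re.compile(r"[a-z0-9]+")


def shingles(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Set of k-word shingles after case folding and punctuation stripping."""
    words = _WORD.findall(text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


class LeakDetector:
    """Flags prompts that reproduce a substantial part of a protected document."""

    def __init__(self, protected: Dict[str, str]) -> None:
        self.index = {name: shingles(body) for name, body in protected.items()}

    def check(self, prompt: str) -> Tuple[bool, str, float]:
        """Return (blocked, best_matching_document, containment_score).

        Containment (|prompt & doc| / |prompt|) is used instead of Jaccard so
        that a short excerpt pasted from a long document still scores high.
        """
        prompt_shingles = shingles(prompt)
        if not prompt_shingles:                 # too short to judge; do not block
            return False, "", 0.0
        best_name, best_score = "", 0.0
        for name, doc_shingles in self.index.items():
            score = len(prompt_shingles & doc_shingles) / len(prompt_shingles)
            if score > best_score:
                best_name, best_score = name, score
        return best_score >= CONTAINMENT_THRESHOLD, best_name, best_score


# Constructed protected documents (not real data).
PROTECTED_DOCS = {
    "q3-forecast.txt": (
        "Projected revenue for the third quarter is expected to reach forty two "
        "million with margins improving across all regions due to lower cloud costs."
    ),
    "incident-2024-17.txt": (
        "The attacker obtained a service account token from the build server and "
        "used it to read the customer database replica for six hours before detection."
    ),
}

DETECTOR = LeakDetector(PROTECTED_DOCS)

# Constructed prompts: one pastes an excerpt, one is benign, one is too short to judge.
PROMPTS = {
    "excerpt": ("Please summarize: Projected revenue for the third quarter is expected "
                "to reach forty two million with margins improving"),
    "benign": "Write a haiku about the ocean and the moon at night.",
    "short": "hello there",
}


def run_prompts() -> Dict[str, Tuple[bool, str, float]]:
    """Check every constructed prompt against the index."""
    return {name: DETECTOR.check(text) for name, text in PROMPTS.items()}


if __name__ == "__main__":
    for name, (blocked, doc, score) in run_prompts().items():
        print(f"{name:8s} blocked={blocked!s:5s} doc={doc or '-':22s} containment={score:.2f}")
```

The "excerpt" prompt scores 12 of 14 shingles against the forecast document and is blocked; the benign and short prompts are not. In practice the shingle index would be replaced by a sketch such as MinHash to scale to many documents, and the threshold tuned against the false-positive rate on real traffic.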
These features are meant to support zero-trust architectures, alongside capabilities such as just-in-time privilege assignment in Falcon Identity Protection, which grants elevated rights only for the duration of a task so that standing privileges are not left exposed. This access control strategy limits exposure of sensitive functions and aligns with regulatory and enterprise-grade cybersecurity frameworks.
The updated Falcon Data Protection suite now supports runtime data protection across multiple platforms, including macOS, cloud workloads, and SaaS environments. It introduces identity-driven security models and encrypted file exfiltration detection, enhancing operational control over distributed infrastructures.
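Encrypted file exfiltration detection rests on a simple observation: a file encrypted before upload has no recognizable header and near-uniform byte statistics. The following is an added example, not CrowdStrike's Falcon Data Protection code, showing one common way to classify an outbound file as plain, a recognized compressed container, an encrypted ZIP archive, or an opaque high-entropy blob. The entropy threshold, the set of magic bytes and all sample files are constructed assumptions for illustration.

```python
"""Encrypted-file exfiltration check based on byte entropy and container headers.

Added example, not CrowdStrike's code. The threshold, magic-byte table and
sample inputs are constructed for illustration.
"""
import gzip
import io
import math
import random
import zipfile
from collections import Counter
from typing import Dict, Tuple

HIGH_ENTROPY = 7.5   # bits/byte (assumed); random data approaches 8.0, English text ~4-5
ZIP_LOCAL_HEADER = b"PK\x03\x04"
KNOWN_CONTAINERS = {   # compressed formats that legitimately look random past the header
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the 'encrypted' flag (bit 0) set."""
    if not data.startswith(ZIP_LOCAL_HEADER) or len(data) < 8:
        return False
    flags = int.from_bytes(data[6:8], "little")   # general-purpose bit flag field
    return bool(flags & 0x0001)


def classify(data: bytes) -> Tuple[str, float]:
    """Return (verdict, entropy). Header checks run first because compressed
    containers also have high entropy and would otherwise look encrypted."""
    entropy = shannon_entropy(data)
    if data.startswith(ZIP_LOCAL_HEADER):
        verdict = "encrypted-archive" if zip_is_encrypted(data) else "compressed-archive"
        return verdict, entropy
    for magic, name in KNOWN_CONTAINERS.items():
        if data.startswith(magic):
            return "compressed-" + name, entropy
    if entropy >= HIGH_ENTROPY:
        return "opaque-high-entropy", entropy   # likely encrypted or packed, no known header
    return "plain", entropy


def _plain_zip(payload: bytes) -> bytes:
    """Build an ordinary (unencrypted) ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", payload)
    return buf.getvalue()


# Constructed samples. The "encrypted" ZIP is a hand-built local header with flag
# bit 0 set followed by random bytes; the ciphertext stand-in is seeded random
# data, which is what a properly encrypted file looks like to a byte counter.
_TEXT = b"The quick brown fox jumps over the lazy dog. " * 200
_RNG = random.Random(20250513)
SAMPLES: Dict[str, bytes] = {
    "plaintext": _TEXT,
    "gzip": gzip.compress(_TEXT),
    "zip": _plain_zip(_TEXT),
    "encrypted-zip": ZIP_LOCAL_HEADER + b"\x14\x00" + b"\x01\x00" + _RNG.randbytes(4096),
    "ciphertext": _RNG.randbytes(16384),
}


def run_samples() -> Dict[str, str]:
    """Classify every constructed sample and return name -> verdict."""
    return {name: classify(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, entropy = classify(data)
        print(f"{name:14s} {len(data):6d} bytes  entropy={entropy:.2f}  -> {verdict}")
```

The caveat a practitioner should keep in mind: an entropy check alone is easy to evade, for example by base64-encoding ciphertext (about 6 bits per byte) or by prepending a benign header, which is why the container check and the entropy check are combined here and why a production control also weighs who is moving the file and where it is going.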
To facilitate implementation and operational optimization, CrowdStrike also introduced Pulse Services, a modular consulting framework designed to help clients improve SOC workflows, enhance risk management strategies, and prepare for evolving threat landscapes.
The cumulative effect of these upgrades is a more tightly integrated and automated platform intended to serve as a central operating layer for modern security operations. CrowdStrike’s enhancements are tailored to enterprises seeking to reduce mean time to detect and mean time to respond (MTTD/MTTR), streamline SOC operations, and secure distributed or hybrid environments.