Falcon is the CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more. Today’s sophisticated attackers are going “beyond malware” to breach organizations, increasingly relying on exploits, zero days, and hard-to-detect methods such as credential theft and tools that are already part of the victim’s environment or operating system, such as PowerShell. CrowdStrike Falcon® responds to those challenges with a powerful yet lightweight solution that unifies next-generation antivirus (NGAV), endpoint detection and response (EDR), cyber threat intelligence, managed threat hunting capabilities and security hygiene — all contained in a tiny, single, lightweight sensor that is cloud-managed and delivered.
What is CrowdStrike?
Falcon platform FAQ
The CrowdStrike Falcon® platform includes:
Endpoint Security Solutions
Security & IT Operations
- Falcon OverWatch — Managed Threat Hunting
- Falcon Discover — Security Hygiene
- Falcon Spotlight — Vulnerability Management
Threat Intelligence
- CrowdStrike Falcon® Intelligence — Threat Intelligence
- Falcon Search Engine — The Fastest Malware Search Engine
- Falcon Sandbox — Automated Malware Analysis
Cloud Security Solutions
- Falcon Cloud Workload Protection — For AWS, Azure and GCP
- Falcon Horizon — Cloud Security Posture Management (CSPM)
- Container Security
Identity Protection Solutions
Falcon Fusion SOAR, a native feature of the Falcon platform, is an integrated set of Security Orchestration, Automation and Response (SOAR) capabilities. With Falcon® Fusion SOAR, you can easily deploy workflow automation to enable data collection, enrichments, response actions and notifications by simply selecting the trigger, defining conditions and configuring actions. Falcon Fusion SOAR seamlessly integrates with Falcon Next-Gen SIEM to accelerate threat detection, investigation and response.
Falcon Fusion SOAR is a native capability of the Falcon platform; it therefore integrates with the platform and its modules, including Falcon Prevent, Falcon Insight, Falcon Discover, Falcon Exposure Management, Falcon Sandbox, Falcon Recon, Falcon Spotlight, Falcon Identity Protection, Falcon Cloud Security, and Falcon Next-Gen SIEM.
Falcon Prevent provides next generation antivirus (NGAV) capabilities, delivering comprehensive and proven protection to defend your organization against both malware and malware-free attacks. Incorporating identification of known malware, machine learning for unknown malware, exploit blocking and advanced Indicator of Attack (IOA) behavioral techniques, CrowdStrike Falcon® Prevent allows organizations to confidently replace their existing legacy AV solutions.
Falcon Insight provides endpoint detection and response (EDR) capabilities, allowing for continuous and comprehensive visibility to tell you what’s happening on your endpoints in real time. The extensive capabilities of Falcon Insight span across detection, response and forensics, to ensure nothing is missed, so potential breaches can be stopped before your operations are compromised.
Falcon OverWatch is a managed threat hunting solution. To defeat sophisticated adversaries focused on breaching your organization, you need a dedicated team working for you 24/7 to proactively identify attacks. The global Falcon OverWatch team seamlessly augments your in-house security resources to pinpoint malicious activities at the earliest possible stage, stopping adversaries in their tracks.
Falcon Discover is an IT hygiene solution that identifies unauthorized systems and applications, and monitors the use of privileged user accounts anywhere in your environment — all in real time, enabling remediation as needed to improve your overall security posture.
CrowdStrike Falcon Foundry is cybersecurity’s first low-code application platform. It unlocks cybersecurity innovation by enabling you to build custom apps to extend the power of the industry-leading, AI-powered Falcon platform and implement an unlimited array of security and IT use cases.
Falcon Fusion SOAR is an integral component of Falcon Foundry. While Falcon Fusion SOAR allows you to deploy workflow automation, Falcon Foundry lets you create an application to solve a unique security or IT challenge. This new application can bring together the required data, business logic, compute, storage and visualizations necessary to deploy it, in just a few clicks.
Yes, CrowdStrike Falcon® Prevent allows organizations to confidently replace their existing legacy AV solutions. Incorporating identification and prevention of known malware, machine learning for unknown malware, exploit blocking and advanced Indicator of Attack (IOA) behavioral techniques, Falcon Prevent protects against attacks whether your endpoints are online or offline. Falcon Prevent also features integration with Windows System Center, for those organizations who need to prove compliance with appropriate regulatory requirements.
Yes, CrowdStrike Falcon® has been certified by independent third parties as an AV replacement solution.
The extensive capabilities of CrowdStrike Falcon® allow customers to consider replacing existing products and capabilities that they may already have, such as:
- Antivirus
- Host intrusion prevention (HIPS) and/or exploit mitigation solutions
- Behavioral analytics
- Endpoint Detection and Response (EDR) tools
- Indicator of compromise (IOC) search tools
- Sandboxes or dynamic execution analysis
- Log analysis
- Managed Detection and Response
- Threat Intel services
- IT Hygiene tools
Yes, CrowdStrike Falcon® can help organizations in their efforts to meet numerous compliance and certification requirements. Falcon has received third-party validation for the following regulations: PCI DSS v3.2 | HIPAA | NIST | FFIEC | PCI Forensics | NSA-CIRA | SOC 2 | CSA-STAR | AMTSO | AV Comparatives.
CrowdStrike is the pioneer of cloud-delivered endpoint protection. CrowdStrike Falcon® has revolutionized endpoint security by being the first and only solution to unify next-generation antivirus, endpoint detection and response (EDR), and a 24/7 threat hunting service — all delivered via a single lightweight agent. Using its purpose-built cloud native architecture, CrowdStrike collects and analyzes more than 30 billion endpoint events per day from millions of sensors deployed across 176 countries. The unique benefits of this unified and lightweight approach include immediate time-to-value, better performance, reduced cost and complexity, and better protection that goes beyond detecting malware to stop breaches before they occur. These capabilities are based on a unique combination of prevention technologies such as machine learning, Indicators of Attack (IOA), exploit blocking, unparalleled real-time visibility and 24×7 managed hunting to discover and track even the stealthiest attackers before they do damage.
Absolutely, CrowdStrike Falcon is used extensively for incident response. Falcon Insight provides visibility across endpoints throughout the environment, enabling instant access to the “who, what, when, where, and how” of an attack. Additionally, you can leverage Falcon Fusion SOAR’s workflow automation to accelerate threat investigation and incident response. The cloud-based architecture of Falcon Insight enables significantly faster incident response.
Yes, Falcon Prevent offers powerful and comprehensive prevention capabilities. Falcon Prevent can stop execution of malicious code, block zero-day exploits, kill processes and contain command and control callbacks.
Yes, indeed, the lightweight Falcon sensor that runs on each endpoint includes all the prevention technologies required to protect the endpoint, whether it is online or offline. Those technologies include machine learning to protect against known and zero-day malware, exploit blocking, hash blocking and CrowdStrike’s behavioral artificial intelligence heuristic algorithms, known as Indicators of Attack (IOAs).
No, CrowdStrike Falcon® delivers next-generation endpoint protection software via the cloud. A key element of “next gen” is reducing overhead, friction and cost in protecting your environment. There is no on-premises equipment to be maintained, managed or updated. The Falcon sensor is unobtrusive in terms of endpoint system resources and updates are seamless, requiring no re-boots. The Falcon web-based management console provides an intuitive and informative view of your complete environment.
No, Falcon was designed to interoperate without obstructing other endpoint security solutions, including third-party AV and malware detection systems.
Falcon Connect has been created to fully leverage the power of the Falcon platform. Falcon Connect provides the APIs, resources and tools needed by customers and partners to develop, integrate and extend the use of the Falcon platform itself, and to provide interoperability with other security platforms and tools. Find out more about the Falcon APIs: Falcon Connect and APIs.
Yes, Falcon offers two points of integration with SIEM solutions:
- Customers can import IOCs (Indicator of Compromise) from their SIEM into the Falcon platform, using an API.
- Customers can forward CrowdStrike Falcon® events to their SIEM using the Falcon SIEM Connector. The Falcon SIEM Connector enables integration with most SIEM offerings, such as HP ArcSight, IBM QRadar, and Splunk. Additionally, the Falcon Streaming API is available to customers who wish to build their own custom integration.
Literally minutes — a single lightweight sensor is deployed to your endpoints as you monitor and manage your environment via a web console. With CrowdStrike Falcon® there are no controllers to be installed, configured, updated or maintained: there is no on-premises equipment.
The Falcon sensor’s design makes it extremely lightweight (consuming 1% or less of CPU) and unobtrusive: there’s no UI, no pop-ups, no reboots, and all updates are performed silently and automatically.
Only these operating systems are supported for use with the Falcon sensor for Windows. Note: For identity protection functionality, you must install the sensor on your domain controllers, which must be running a 64-bit server OS.
64-bit Server OSes:
- Server 2022
- Server Core 2022
- Server 2019
- Server Core 2019
- Server 2016
- Server Core 2016
- Server 2012 R2
- Storage Server 2012 R2
- Server 2012
- Server 2008 R2 SP1
Microsoft ARM64:
- Windows 11
- Windows 10
Desktop OSes:
- Windows 11 23H2
- Windows 11 22H2
- Windows 11 21H2
- Windows 10 22H2
- Windows 10 21H2
- Windows 10 1809
- Windows 10 1607
- Windows 10 1507
- Windows 7 SP1
- Windows 7 Embedded POS Ready
We support x86_64, Graviton 64, and s390x zLinux versions of these Linux server OSes:
x86_64
- Alma Linux
- 9.4: sensor version 7.16.16903 and later
- 9.3: sensor version 7.07.16203 and later
- 9.2: sensor version 7.03.15805 and later
- 9.1: sensor version 7.02.15705 and later
- 9.0: sensor version 6.41.13804 and later
- 8.10: sensor version 7.16.16903 and later
- 8.9: sensor version 7.07.16203 and later
- 8.8: sensor version 6.57.15402 and later
- 8.7: sensor version 6.48.14504 and later
- 8.6: sensor version 6.41.13803 and later
- 8.5: sensor version 6.33.13003 and later
- 8.4: sensor version 6.29.12606 and later
- Amazon Linux 2
- Amazon Linux 2023: sensor version 7.10.16303 and later
- CentOS Stream
- 9: sensor version 7.16.16903
- CentOS
- 8.5: sensor version 6.33.13003 and later
- 8.4: sensor version 6.24.12104 and later
- 8.3
- 8.2: sensor version 5.34.9917 and later
- 8.1: sensor version 5.27.9101 and later
- 8.0
- Debian
- 12: sensor version 7.10.16303 and later
- 11: sensor version 6.34.13108 and later
- 10: sensor version 6.20.11711 and later
- 9.1-9.4: sensor version 5.33.9804 and later
- ElRepo
- ElRepo 7.x (5.4 kernel)
- ElRepo 8.x (5.4 kernel)
- Oracle Linux
- Oracle Linux 9 - UEK 7: sensor version 6.50.14712
- Oracle Linux 8 - UEK 6
- Oracle Linux 7 - UEK 6: sensor version 6.19.11610 and later
- Oracle Linux 7 - UEK 3, 4, 5
- Oracle Linux 6 - UEK 3, 4
- Red Hat Compatible Kernels (supported RHCK kernels are the same as for RHEL)
- Red Hat Enterprise Linux CoreOS (RHCOS) Note: For DaemonSet deployment only.
- 4.15: sensor version 7.13.16604 and later
- 4.14: sensor version 7.13.16604 and later
- 4.13: sensor version 7.04.15907 and later
- 4.12: sensor version 6.54.15110 and later
- 4.11: sensor version 6.46.14306 and later
- 4.10: sensor version 6.46.14306 and later
- 4.9: sensor version 6.39.13601 and later
- 4.8: sensor version 6.39.13601 and later
- 4.7: sensor version 6.39.13601 and later
- Red Hat Enterprise Linux (RHEL)
- 9.4: sensor version 7.16.16903 and later
- 9.3: sensor version 7.07.16203 and later
- 9.2: sensor version 7.03.15805 and later
- 9.1: sensor version 7.02.15705 and later
- 9.0: sensor version 6.41.13804 and later
- 8.10: sensor version 7.16.16903 and later
- 8.9: sensor version 7.07.16203 and later
- 8.8: sensor version 6.57.15402 and later
- 8.7: sensor version 6.48.14504 and later
- 8.6: sensor version 6.41.13803 and later
- 8.5: sensor version 6.33.13003 and later
- 8.4: sensor version 6.24.12104 and later
- 8.3
- 8.2: sensor version 5.34.9917 and later
- 8.1: sensor version 5.27.9101 and later
- 8.0
- 7.9: sensor version 5.43.10803 and later
- 7.8: sensor version 5.30.9510 and later
- 7.4 - 7.7
- Rocky Linux
- 9.4: sensor version 7.16.16903 and later
- 9.3: sensor version 7.07.16203 and later
- 9.2: sensor version 7.03.15805 and later
- 9.1: sensor version 7.02.15705 and later
- 9.0: sensor version 6.41.13804 and later
- 8.10: sensor version 7.16.16903 and later
- 8.9: sensor version 7.07.16203 and later
- 8.8: sensor version 6.57.15402 and later
- 8.7: sensor version 6.48.14504 and later
- 8.6: sensor version 6.41.13803 and later
- 8.5: sensor version 6.33.13003 and later
- 8.4: sensor version 6.29.12606 and later
- SUSE Linux Enterprise (SLES)
- 15.5 SLES 15 SP5: sensor version 7.04.15907 and later
- 15 - 15.4; SLES 15 SP4: sensor version 6.47.14408 and later
- 12.2 - 12.5
- openSUSE Leap
- 15.5: sensor version 7.04.15907 and later
- 15.4: sensor version 6.47.14408 and later
- 15.3: sensor version 6.39.13601 and later
- Note: Supported kernels are the same as SLES 15 SP3 and SLES 15 SP4
- Ubuntu
- 22.04 LTS: sensor version 6.41.13803 and later
- 20.04 LTS: sensor version 5.43.10807 and later
- 18-AWS
- 18.04 LTS
- 16-AWS
- 16.04 LTS and 16.04.5 LTS
Graviton
- Alma Linux ARM64
- 9.4: sensor version 7.16.16903 and later
- 9.3: sensor version 7.07.16203 and later
- 9.2: sensor version 7.03.15805 and later
- 9.1 ARM64: sensor version 7.02.15705 and later
- 9.0 ARM64: sensor version 6.51.14810 and later
- 8.10 ARM64: sensor version 7.16.16903 and later
- 8.9 ARM64: sensor version 7.07.16206 and later
- 8.8 ARM64: sensor version 6.56.15309 and later
- 8.7 ARM64: sensor version 6.48.14504 and later
- 8.6 ARM64: sensor version 6.43.14005 and later
- 8.5 ARM64: sensor version 6.41.13803 and later
- Amazon Linux 2. Note: Supports DaemonSet deployments
- Amazon Linux 2023
- CentOS ARM64
- 8.5 ARM64: sensor version 6.41.13803 and later
- Red Hat Enterprise Linux (RHEL) ARM64
- 9.4 ARM64: sensor version 7.16.16903 and later
- 9.3 ARM64: sensor version 7.07.16203 and later
- 9.2 ARM64: sensor version 7.03.15805 and later
- 9.1 ARM64: sensor version 7.02.15705 and later
- 9.0 ARM64: sensor version 6.51.14810 and later
- 8.10 ARM64: sensor version 7.16.16903 and later
- 8.9 ARM64: sensor version 7.07.16206 and later
- 8.8 ARM64: sensor version 6.56.15309 and later
- 8.7 ARM64: sensor version 6.48.14504 and later
- 8.6 ARM64: sensor version 6.43.14005 and later
- 8.5 ARM64: sensor version 6.41.13803 and later
- Rocky Linux ARM64
- 9.4 ARM64: sensor version 7.16.16903 and later
- 9.3 ARM64: sensor version 7.07.16203 and later
- 9.2 ARM64: sensor version 7.03.15805 and later
- 9.1 ARM64: sensor version 7.02.15705 and later
- 9.0 ARM64: sensor version 6.51.14810 and later
- 8.10 ARM64: sensor version 7.16.16903 and later
- 8.9 ARM64: sensor version 7.07.16206 and later
- 8.8 ARM64: sensor version 6.56.15309 and later
- 8.7 ARM64: sensor version 6.48.14504 and later
- 8.6 ARM64: sensor version 6.43.14005 and later
- 8.5 ARM64: sensor version 6.41.13803 and later
- Ubuntu
- 22.04 LTS: sensor version 7.11.16404 and later
- 22.04 Azure: sensor version 7.13.16604 and later
- 20.04 AWS: sensor version 6.47.14408 and later
- 20.04 Azure: sensor version 7.13.16604 and later
- 20.04 LTS: sensor version 6.44.14107 and later
- 18.04 LTS: sensor version 6.44.14107 and later
- 18.04 Azure: sensor version 7.04.15907 and later
- Note: Supports DaemonSet deployments
s390x, Falcon sensor for Linux on IBM zSystems
- Red Hat Enterprise Linux (RHEL)
- 9.3: sensor version 7.13.16604 and later
- 9.2: sensor version 7.04.15907 and later
- 9.1: sensor version 7.04.15907 and later
- 9.0: sensor version 7.04.15907 and later
- 8.9: sensor version 7.13.16604 and later
- 8.8: sensor version 6.57.15402 and later
- 8.7: sensor version 6.53.15003 and later
- 8.0 - 8.6: sensor version 6.49.14606 and later
- 7.7 - 7.9: sensor version 6.49.14606 and later
- SUSE Linux Enterprise Server (SLES)
- 15 SP5: sensor version 7.06.16108 and later
- 15 SP4: sensor version 6.57.15402 and later
- 15 SP3: sensor version 6.57.15402 and later
- 15 SP2: sensor version 6.57.15402 and later
- 15 SP1: sensor version 6.57.15402 and later
- 15: sensor version 6.57.15402 and later
- 12 SP5: sensor version 6.54.15110 and later
- 12 SP4: sensor version 6.54.15110 and later
- 12 SP3: sensor version 6.54.15110 and later
- 12 SP2: sensor version 6.54.15110 and later
- 12 SP1: sensor version 6.54.15110 and later
- Ubuntu
- 22 LTS, ibm-gt: sensor version 7.10.16303 and later
- 22 LTS: sensor version 7.01.15604 and later
- 20 LTS: sensor version 6.58.15508 and later
- 18 LTS: sensor version 6.58.15508 and later
The Falcon sensor for Mac is currently supported on these macOS versions:
- Sequoia 15: Sensor version 6.58.17102 and later (Intel CPUs and Apple silicon native support included)
- Sonoma 14: Sensor version 6.58.17102 and later (Intel CPUs and Apple silicon native support included)
- Ventura 13: Sensor version 6.45.15801 and later (Intel CPUs and Apple silicon native support included)
- Monterey 12: Sensor version 6.31.14404 and later (M1, M1 Pro, and M1 Max native support included)
Falcon Insight for ChromeOS ingests event data directly from Google and does not require the deployment of a Falcon agent to the ChromeOS device. However, ChromeOS version 113 or higher is required. Contact sales for a complete list of supported hardware devices.
Falcon for Mobile supports iOS 15 and later. The CrowdStrike Falcon app supports the most recently released version of iOS plus the previous two versions.
Falcon for Mobile supports Android 9.0 and later.
Falcon Firewall Management allows you to easily create, enforce and maintain firewall rules and policies across your Windows and macOS environments.
Yes, Falcon is a proven cloud-based platform enabling customers to scale seamlessly and with no performance impact across large environments. The platform’s “frictionless” deployment has been successfully verified across enterprise environments containing more than 100,000 endpoints.
- Amazon EC2 instances – on all major operating systems including AWS Graviton processors*
- AWS Fargate
- AWS Outposts
- Amazon WorkSpaces
- Amazon Elastic Container Service
- Amazon Elastic Kubernetes Service
- Amazon Elastic Container Registry
- Amazon EKS Anywhere
* Support for AWS Graviton is limited to the sensors that support Arm64 processors. Please refer to the product documentation for the list of operating systems and their respective supported kernel versions for the comprehensive list. All product capabilities are supported with equal performance when operating on AWS Graviton processors.
CrowdStrike Falcon® is a 100 percent cloud-based solution, offering Security as a Service (SaaS) to customers. Falcon requires no servers or controllers to be installed, freeing you from the cost and hassle of managing, maintaining and updating on-premises software or equipment.
Yes, CrowdStrike’s US commercial cloud is compliant with Service Organization Control 2 standards and provides its Falcon customers with an SOC 2®️ report. Additional information on CrowdStrike certifications can be found on our Compliance and Certifications page.
All data transmitted from the sensor to the cloud is protected in an SSL/TLS-encrypted tunnel. On average, each sensor transmits about 5-8 MB/day.
CrowdStrike Falcon® is designed to maximize customer visibility into real-time and historical endpoint security events by gathering event data needed to identify, understand and respond to attacks — but nothing more. This default set of system events focused on process execution is continually monitored for suspicious activity. When such activity is detected, additional data collection activities are initiated to better understand the situation and enable a timely response to the event, as needed or desired. Note that the specific data collected changes as we advance our capabilities and in response to changes in the threat landscape. Information related to activity on the endpoint is gathered via the Falcon sensor and made available to the customer via the secure Falcon web management console.
Yes, CrowdStrike recognizes that organizations must meet a wide range of compliance and policy requirements. In order to meet the needs of all types of organizations, CrowdStrike offers customers multiple data residency options. Contact CrowdStrike for more information about which cloud is best for your organization.
All data sent from the CrowdStrike Falcon® sensor is tagged with unique, anonymous identifier values. Data and identifiers are always stored separately. Once in our cloud, the data is heavily protected with strict data privacy and access control policies. All data access within the system is managed through constrained APIs that require a customer-specific token to access only that customer’s data. Our analysis engines act on the raw event data, and only leverage the anonymized identifier values for clustering of results.
While other security solutions rely solely on Indicators of Compromise (IOCs) — such as known malware signatures, hashes, domains, IPs and other clues left behind after a breach — CrowdStrike can also detect live Indicators of Attack (IOAs), identifying adversarial activity and behaviors across the entire attack timeline, all in real time. Falcon’s unique ability to detect IOAs allows you to stop attacks
For known threats, Falcon provides cloud-based antivirus and IOC detection capabilities. For unknown and zero-day threats, Falcon applies IOA detection, using machine learning techniques to build predictive models that can detect never-before-seen malicious activities with high accuracy. Driven by the CrowdStrike Threat Graph™ data model, this IOA analysis recognizes behavioral patterns to detect new attacks, whether they use malware or not. The range and capability of Falcon’s detection techniques far surpass other security solutions on the market, particularly with regard to unknown and previously undetectable emerging threats.
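To make the IOC-versus-IOA distinction drawn above concrete, here is a small added example (written for this page; it is not CrowdStrike's detection logic and makes no claim about how Falcon implements IOAs). It runs two detectors over a constructed stream of endpoint telemetry: an IOC matcher that only fires on hashes and domains already known to be bad, and a behavioral IOA rule that flags an office application spawning a script host which then makes an outbound connection. The indicator values, host names, process names and timestamps are all constructed; the rule thresholds (a 60-second window) are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (constructed schema, not a vendor format)."""
    ts: int                 # seconds since epoch (constructed)
    host: str
    kind: str               # "process_start" or "net_connect"
    pid: int
    ppid: int = 0           # parent pid, process_start only
    image: str = ""         # executable basename, lower-case, process_start only
    sha256: str = ""        # file hash, process_start only
    dst: str = ""           # remote host, net_connect only


# Constructed indicators of compromise (placeholders, not real IoCs).
IOC_HASHES = {hashlib.sha256(b"constructed-known-bad-binary").hexdigest()}
IOC_DOMAINS = {"known-bad.example.invalid"}

# Process classes used by the behavioural rule (assumed lists for the example).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def match_iocs(events):
    """Signature-style matching: fires only on artefacts already known to be bad.
    A never-before-seen payload produces no hit here."""
    hits = []
    for e in events:
        if e.kind == "process_start" and e.sha256 in IOC_HASHES:
            hits.append((e.ts, e.host, "ioc_hash", e.image))
        if e.kind == "net_connect" and e.dst in IOC_DOMAINS:
            hits.append((e.ts, e.host, "ioc_domain", e.dst))
    return hits


def match_ioa_office_script_beacon(events, window=60):
    """Behavioural rule: office app -> script host -> outbound connection within
    `window` seconds of the script host starting. It inspects the process tree
    and timing rather than file hashes, so it fires on unknown payloads too."""
    starts = {(e.host, e.pid): e for e in events if e.kind == "process_start"}
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind != "net_connect":
            continue
        child = starts.get((e.host, e.pid))
        if child is None or child.image not in SCRIPT_HOSTS:
            continue
        parent = starts.get((e.host, child.ppid))
        if parent is None or parent.image not in OFFICE_APPS:
            continue
        if 0 <= e.ts - child.ts <= window:
            hits.append((e.ts, e.host, "ioa_office_script_beacon",
                         f"{parent.image} -> {child.image} -> {e.dst}"))
    return hits


# Constructed telemetry: a benign admin PowerShell run from the shell (ws01),
# a binary whose hash is on the IOC list (ws02), and a Word document that
# launches a script which beacons out (ws03). The ws03 script host is a
# legitimate system binary, so no hash IOC exists for that activity.
SAMPLE_EVENTS = [
    Event(1000, "ws01", "process_start", pid=400, ppid=1, image="explorer.exe", sha256="aa" * 32),
    Event(1001, "ws01", "process_start", pid=410, ppid=400, image="powershell.exe", sha256="bb" * 32),
    Event(1002, "ws01", "net_connect", pid=410, dst="updates.example.invalid"),
    Event(1100, "ws02", "process_start", pid=500, ppid=1, image="dropper.exe", sha256=next(iter(IOC_HASHES))),
    Event(1200, "ws03", "process_start", pid=600, ppid=1, image="winword.exe", sha256="cc" * 32),
    Event(1205, "ws03", "process_start", pid=610, ppid=600, image="wscript.exe", sha256="dd" * 32),
    Event(1210, "ws03", "net_connect", pid=610, dst="staging.example.invalid"),
]


def run_both(events=SAMPLE_EVENTS):
    """Run both detectors and return their hits side by side."""
    return {"ioc": match_iocs(events), "ioa": match_ioa_office_script_beacon(events)}


if __name__ == "__main__":
    for name, hits in run_both().items():
        print(name, hits)
```

Running it shows the asymmetry the text describes: the IOC matcher catches only the ws02 binary whose hash was already known, while the IOA rule catches the ws03 chain without any prior knowledge of the payload, and neither flags the ordinary PowerShell run on ws01 because its parent is not an office application.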
Falcon Prevent stops known and unknown malware by using an array of complementary methods:
- Machine learning
- Custom blocking (whitelisting and blacklisting)
- Exploit blocking
- IOA (Indicators of Attack) prevention
- Additional protection specific to ransomware
Customers can control and configure all of the prevention capabilities of Falcon within the configuration interface.
Yes, Falcon includes a feature called the Machine Learning Slider, which offers several options to control thresholds for machine learning. In addition, this unique feature allows users to set up independent thresholds for detection and prevention.
Falcon Prevent uses an array of complementary prevention and detection methods to protect against ransomware:
- Blocking of known ransomware
- Exploit blocking to stop the execution and spread of ransomware via unpatched vulnerabilities
- Machine learning for detection of previously unknown “zero-day” ransomware
- Indicators of Attack (IOAs) to identify and block additional unknown ransomware, as well as new categories of ransomware that do not use files to encrypt victims’ data
CrowdStrike Falcon® is equally effective against attacks occurring on-disk or in-memory. The platform continuously watches for suspicious processes, events and activities, wherever they may occur.