CrowdStrike Falcon Reviews

I'm a security analyst. We get alerts on the cloud side that appear in the CrowdStrike console and also in our email. We can consolidate them on the console and check the process tree. You can see the hostname, user details, and all the information on the right side.  On the file part, we can see whether the malicious file has been executed and decode it to see where the hash appears.

I worked with an event-tracking tool before I started working at this company, and any insights that were triggered in that tool would be noted in the infrastructure certificate tool. The information we gather from CrowdStrike will be updated in Azure, so all the information, resolutions, etc. will be added to Azure. We can check the activity and whether the malicious file is being blocked, quarantined, or allowed.

I like Falcon's threat detection and endpoint investigation features. It's a user-friendly solution. We determine the root cause of an alert and contact the end user via our Slack channel if necessary to gather additional information to determine whether they know about the activity. We can download and investigate the malicious file in the sandbox to see what's happening. We check to see if it has been executed. We can easily delete it in the CrowdStrike console if it hasn't.

I have used CrowdStrike for two years. 

I rate CrowdStrike Falcon ten out of ten for stability. 

I rate CrowdStrike Falcon ten out of ten for scalability. 

I rate CrowdStrike support eight out of ten. They respond quickly on weekdays, but the weekend response times are slower. 

Positive

I'm working on two projects. One is using CrowdStrike Falcon and the other is using Crowdstrike XDR, which is the advanced version.

Falcon is a cloud-based platform so deployment is easy. You only need to deploy the agent to the endpoints, but the data is stored in CrowdStrike. 

I rate CrowdStrike Falcon ten out of ten. I would recommend Falcon to others. 

Our organization uses CrowdStrike Falcon for a variety of security tasks, including incident response, investigations, malware analysis, and threat hunting. This comprehensive platform excels at detecting malware across various technologies and endpoints within our environment.

CrowdStrike Falcon functions as a threat detection platform. It identifies malware based on pre-defined signatures and rules. Upon detection, it triggers a response and provides a dashboard for further analysis. This allows us to assess if the malware poses a risk to our organization or if it's a false positive. For confirmed threats, we can then delve deeper for a thorough investigation to uncover any underlying malicious intent.

Our primary goal is to prevent malware-related risks proactively. By leveraging CrowdStrike Falcon, a premium endpoint detection and response tool, we can safeguard our organization from malware exploitation attempts employed by hackers.

The primary advantage of CrowdStrike Falcon is twofold: reducing malware risk and providing advanced investigation capabilities. Traditional antivirus solutions struggle to keep pace with ever-evolving malware threats. CrowdStrike Falcon utilizes cutting-edge technology to proactively prevent these threats, minimizing the risk of infection. Falcon also features a threat intelligence platform that keeps us informed about the latest global malware threats and compromised tactics. This real-time awareness empowers us to proactively prevent threats before they impact our environment.

Recently CrowdStrike Falcon detected and mitigated malware that would have compromised several vulnerabilities in our environment.

Falcon's real-time response capability ensures we can quickly access any compromised host. This is a valuable advantage over other EDR tools.

The most valuable features of CrowdStrike Falcon include Falcon Fusion workflows and endpoint detection capabilities.

I've found that CrowdStrike's technical support could benefit from increased technical expertise. In my experience, their representatives haven't been able to resolve my issues as effectively as I would have liked.

I have been using CrowdStrike Falcon for 1.5 years.

I would rate the stability of CrowdStrike Falcon nine out of ten.

I would rate the scalability of CrowdStrike Falcon eight out of ten.

I've found the technical support staff to be less knowledgeable than I'd expect. Ideally, they should have expertise in all CrowdStrike modules, as we utilize a wide range of them.

Neutral

We previously used security solutions from Symantec, Trend Micro, Trellix, and Mandiant. However, CrowdStrike Falcon stood out as a more premium offering. Its advanced capabilities and comprehensive approach to security ultimately led us to switch providers after careful consideration of several factors.

The initial deployment was straightforward and took less than 15 days to complete.

There were between 30 to 40 people involved in the deployment. 

Our security engineering team implemented CrowdStrike Falcon entirely in-house. We also received some support from our internal desktop team and leveraged the expertise of an internal managed service provider team. No third-party vendors were involved in the deployment.

CrowdStrike Falcon is more expensive than other EDR solutions with similar features.

I would rate CrowdStrike Falcon nine out of ten.

After deployment, there are some simple maintenance tasks to keep everything functioning well.

New users should learn about the different modules of CrowdStrike Falcon and their functionalities to work effectively with the tool.

We rely on CrowdStrike Falcon for comprehensive threat detection, prevention, and valuable insights. This robust solution also offers identity protection features. Our dedicated team of six professionals effectively manages the platform, ensuring its effectiveness across multiple locations, including our data centers and core facility.

CrowdStrike's advanced detection and prevention capabilities offer a superior level of protection against potential threats. Its unique feature of automated rules is designed to effectively confine threats at the device level. This automatic confinement of high alerts ensures that the device is secured immediately, buying crucial time for the dedicated response team to identify and neutralize the threat. This proactive strategy not only minimizes the potential impact of threats but also guarantees a rapid and efficient response to any security incidents, thereby enhancing the overall security posture.

We appreciate Falcon's network visibility feature as it allows us to monitor the evolution of threats on PCs and within the company network. The solution's real-time incident response is notably swift. Initially, we encountered numerous false positives during the project initiation phase. However, we managed to resolve most of them independently or with assistance from CrowdStrike support. Consequently, our security levels were significantly improved, and we elevated all parameters to their maximum. Currently, we seldom encounter false positives. Most of these were low-level alerts, while the high-level alerts were automatically quarantined.

While Falcon's advanced capabilities offer robust security solutions, it's worth noting that some of these features may come at a higher cost. This could potentially make it a less economical option for small to medium-sized businesses operating on tighter budgets. It's important for such companies to weigh the benefits of Falcon's comprehensive protection against their financial constraints to make an informed decision.

We have been using CrowdStrike Falcon for nearly five years already.

Crowdstrike Falcon demonstrates exceptional stability once it has been properly configured with the appropriate settings. While there may be a period of adaptation and configuration required to ensure optimal performance, once the solution is in place, it operates with remarkable stability. Users can rely on Crowdstrike Falcon to consistently deliver reliable and secure protection without significant disruptions or instability.

I would rate Crowdstrike Falcon a nine out of 10 for scalability. It offers seamless scalability, allowing easy expansion of the sensor deployment to accommodate growing needs. However, it's worth noting that the primary limitation one may encounter is the cost associated with deploying additional sensors.

I rate CrowdStrike support nine out of 10. It's fantastic. 

Positive

We made the switch from Symantec to Falcon because we required a solution that offered greater speed, reliability, and the ability to effectively handle the wide range of advanced threats present in the wild.

The initial setup of Crowdstrike Falcon was straightforward and efficient. The cloud-based deployment process was seamless for most components, with the exception of the sensors. Deploying the sensors to PCs was automated and hassle-free, requiring just a few minutes per device. However, to ensure the highest level of protection and customization, we opted to manually install the sensors on our servers. This hands-on approach allowed us to have greater control and assurance over the server deployment, ensuring the best possible protection for our critical infrastructure.

We've seen an ROI in terms of time saved. It's probably around 5 percent. 

While Falcon's advanced capabilities offer robust security solutions, it's worth noting that some of these features may come at a higher cost. This could potentially make it a less economical option for small to medium-sized businesses operating on tighter budgets. It's important for such companies to weigh the benefits of Falcon's comprehensive protection against their financial constraints to make an informed decision.

Of course but I can't disclose this information.

I rate Crowdstrike Falcon nine out of 10. 

We integrate the data from this solution with ExtraHop, which is an NDR. Being able to move between both platforms and have network-level data and transactions over the network feed into XDR CrowdStrike is really powerful. It helps us make better decisions, it makes better decisions without human intervention, and it hones the analytics a little bit. The EDR aspect of it works almost exactly the same as the regular Falcon product. I will say that it's probably a lot better at scale than what we're using it for. I work at a school district, so for the individual schools, it's nice to see and isolate issues and have reports built by individual school locations rather than just everything looking like a whole hodgepodge of computers.

It's ability to do threat hunting is really great, quite robust, and even allows you to do hygiene stuff, like look for old versions of applications that maybe you forgot about or find stuff that people are running that maybe you don't want on your network, and it lets you get rid of those. Also, its ability to do on-keyboard remote response and run PowerShell script through the sensor is pretty sick. It's ability to quarantine devices is also pretty great.

The ability to receive text alerts natively in the console would be kind of cool. Some people put their email on quiet hours, so having it natively in the system would be nice.

I know that they offer an identity piece and a firewall piece and we haven't subscribed to or purchased either of those, but having some of that data in the base program would be good, and then if you want more control, you pay for it. There's times where I want to look at an internet history of a device that's remote, or I want to see logins, successful or unsuccessful. I don't want to manage identity and I don't want CrowdStrike to alert on it, but it would be nice if the ability to see the data was included with the base product. Then that could kind of get your foot in the door with having the ability to look at that information, but not being able to do anything actionable with it.

I have been using this solution for two years. 

The solution has never failed. The only false positives that we get are ones that we test with. I do true and false positive testing every month to make sure stuff is working correctly and the solution picks up on it. 

The solution is very scalable. Our proof of concept was a few devices and now at full scale we have 50,000 devices. It's a cloud console, so if you do the implementation right and the sensor is put on in an automated process, it doesn't matter how many computers you have. It just runs. They have sensors for every kind of device: Macs, Windows, Linux, and I think even Android.

The support is great. They're quick to respond and you see the same names pretty consistently. They probably do it by region or account or something like that, so it's not just a random person every time.

The setup is as complex as you want to make it. They have engineers that help you. We did a proof of concept first and that was pretty seamless. If you want to build out a bunch of dynamic groups and have different policies affect the different groups separately, you can. If you want to purchase a bunch of licenses for integration with different products, they partner with a bunch of different security vendors and you can make it as complex or simple as you want. If you just want NextGen AV, you can just have NextGen AV and it's super simple and the sensor just sits on a computer, but if you have a bunch of data and want it to be really complicated and want to be able to do whatever you want, you can do that too. It's pretty flexible, in that sense.

Getting it off the ground took myself, one CrowdStrike engineer, and we could have done it with one systems engineer, but we had two because one was on the client side for the Windows hosts and one was for enterprise for the data center and servers. We did it with four people, and me and one other guy manage it ourselves.

We pay for Overwatch, which is kind of like a sock where someone that works for CrowdStrike monitors certain aspects of your network, and then they can make notes and quarantine devices for you, and they'll alert you at 2:00 in the morning. It's really great, but it takes two people to manage the alerts after a bit of tuning to make sure that the stuff that is on your network that you want to be there, that's getting picked up by CrowdStrike, is excluded. I get maybe ten alerts a day, but that comes from having good hygiene in other areas. If you're not preventing those alerts or fixing the problems that CrowdStrike is picking up, you're going to have a lot of work to do, but if you use CrowdStrike as a hygiene tool, it's a lot easier to manage.

My advice would be to automate as much of the management as you can. Sensor deployment can be really annoying, but if you figure out how to automate it in your environment, that will make it way easier. That way, as the devices are provisioned, they have the sensor on them and they just pop up into your console. I know some people do it by hand and that's a nightmare.

I would rate this solution as a nine out of ten. It's really good. 

Falcon helps my client improve productivity. About 5,000 users at the client company are using the product. 

CrowdStrike enables the infrastructure managers to visualize all the events and get information about the network.

It's important for the customer to have surety that all the workstations are protected. 

There are some areas where some customers would prefer a different service.

About four months ago, I and my other partners started preparing a presentation to propose CrowdStrike to a client.

Falcon is a highly stable product.

I rate CrowdStrike's support 10 out of 10. 

Positive

We worked with other solutions, like Trend Micro. CrowdStrike's advantage is that the agent is light, so it doesn't require many resources on the machines. It's easy to install, and the results are useful to the organization.

I'm not directly involved with the setup. I prepare a proposal, and another department deploys the solution. Falcon doesn't require maintenance because the product runs in a cloud environment.

We use a reseller and an integrator.

I rate CrowdStrike Falcon 10 out of 10 for ROI.

My customers pay for yearly licenses. I rate CrowdStrike Falcon 10 out of 10 for affordability.

I rate CrowdStrike Falcon 10 out of 10.

We primarily use the solution as advanced threat protection. It is used to protect all endpoints, servers, etc. 

They're very good at what they do. As far as the product is, in its current state, I don't have any complaints at all right now. They do a quarterly review with us, just so they can let us know how many viruses or how much malware they've stopped, etc. Those features are quite good. They also go through the portal step-by-step to describe whatever they improved or tightened up. They will explain everything clearly and in a way that a customer can understand.

They do also ask for feedback, which is nice. They'll ask things like "The last time we changed this, how was your experience?" or "Did you get a lot of false positives?" or "Did you get any complaints?" etc. That's pretty good. Not many companies do that.

The UI is simple and self-explanatory. Everything is easy to understand.

So far, in the past three years, they've been absolutely great. They've been more proactive than the solution we had previously was. They even introduced new products in their line and they came back and told us that they could add that product to our current solution. At first, we added them, then we decided we had sufficient resources in house to manage it ourselves and removed it. They were great about the change. 

They've caught quite a lot of viruses and malware that have been sent through improper links, which is very reassuring. 

They report any network isolation that has been done on certain endpoints if they detect a malicious file or malware on the device that couldn't be cleaned by automation. They isolate it or us. The end-user can contact the service desk and say, "Hey, I'm not able to surf the internet. I can't do anything, so can you help me?" or we're able to look at the endpoint and see "oh, your PC is infected, that's why you aren't allowed on." It's protecting us well.

Even though the users are somewhere else, even when they're not at headquarters, we are able to remediate everything before we put them on the network again. Those network isolations are great when we detect high threat malicious items. Those are valuable tools that we appreciate.

If an operating system is stopped by support by the original vendor like Microsoft, or maybe Apple, within a few weeks, CrowdStrike will also decide they no longer support it, and they kind of move on. I understand their model. However, if we still have the OS, it's hard to keep it protected. So, for example, if Microsoft decides to stop supporting or patching a solution, Crowdstrike too will stop supporting it and making updates. It's still a useable product, it's just not getting updates or patches and therefore may be vulnerable. 

The result is that we can't guarantee we're going to be able to protect that hardware or operating system. We either have to upgrade to a newer platform, which sometimes is not possible because you have a legacy application. Whatever that constraint is, sometimes we're not able to move things. We still have to rely on other products to support that. That's the only quandary I have with them. 

Basically, they don't cover legacy OS or applications. That's the only issue we're concerned about.

When a file is infected or it detects a ransomware file network, when it does remediate, it should self-heal as Sophos does. That's a good feature to have, but I don't know enough pros and cons about that to kind of recommend that because if it is a false positive, that may be a problem. If it detected a valid file and if for some reason it decides, "Oh, this looks like an infection," and maybe it's not actually infected, and if it goes in and remediates it by replacing it with an older file, that may be a problem. However, I don't know, because I've never used that feature or heard anybody say that's a problem.

I've been using the solution for about three years now.

I have two engineers that regularly watch everything. We all get alerts. We'll see if something gets isolated, or a user will tell us. We isolate the issues and work on them so nothing gets through the endpoints into the system. Within 30 minutes to an hour, an issue can be cleared.

It's therefore very stable. We're able to catch everything before it can get it. It's reliable for sure.

They're so pro-active there's very little intervention that we have to do on our end.

The solution is easily scalable. A company shouldn't have any issues with that aspect of the solution.

Technical support is great. We've never had to contact them at all. Instead, they've always been proactive and reached out to us.

Their quarterly review manager will contact us every three months. They schedule it months ahead and we actually jump on a Zoom or WebEx meeting. They actually go through the improvements, how much detections they go through, all of our features, anything new that has been added, anything they're seeing out in the world in terms of threats, and where we need to tighten up the roles.

They would improve the sensitivity level or they will decrease the sensitivity level for some false positives. For example, they might say "Hey, we detect these, but they're not really a threat because this is just a Word document that's produced in an older format. It's not something that's malicious." Then they would decrease the sensitivity in certain areas, to eliminate the issue going forward. They always ask permission before tweaking anything. They will come to us and say, "this is what we're considering doing it and why we want to do it. Is that okay?" We usually agree to that and then they go ahead and do it.

It's just a phenomenal company. If they ever stopped the way they handle their customer service, then I would probably move on to a different company. So far they've been pretty good. For the last three years, they contacted us always and told us about every aspect of the solution. I don't think I missed a quarterly meeting so far with them due to the fact that it's all been so valuable.

Originally, we had Webroot. We used to get, every so often, a slew of viruses that would get through the cracks. I don't know if Webroot's definition didn't get updated in a timely manner or if they were just delayed in something, however, whatever it was, we used to get that intrusion quite a bit. Then we would patch it and we would have to remediate everything. It wasn't ideal. 

We were looking for a product that would be more proactive than a reactive solution, and after doing a bunch of research, we decided on CrowdStrike. 

The solution's initial setup was very simple. The only thing we had an issue with is our network operation. Is a separate organization that manages it. We have a network operation that we used for 24 hour monitoring. They don't support CrowdStrike and they were not experts in it. They stood us we would have to manage it ourselves. In the beginning, we were kind of worried about it. However, after that initial stage, the simplicity of how to install it, configure it was like a breeze.

We manage the entire solution in house. For maintenance, we have me and two engineers, plus a second level of support. There are around five people altogether.

I'm not sure of the exact cost of the solution. That's a detail our finance department handles.

We did research on Cylance. We looked at Norton as well. We went through a bunch of products and we decided CrowdStrike was probably the most advanced threat protection at that time, which was three years ago. 

One of the products we were looking at is Sophos. The reason we were looking at Sophos is we were purchasing a backup and disaster recovery tool. In that tool, they had a built-in Sophos pack; they integrated Sophos in to protect the backup and replication and recovery. That way, if a backup had infections, for some reason, and they weren't picked up, and it got into our backup product, then Sophos could kick in and pick it up. It has automated remediation, meaning it reverses back the infection before infection if that makes sense.

Sophos has a self-healing technology built into it, which is an AI technology that they invented. We were looking at that because we thought that may be a better product. We were doing some homework on that and trying to figure out more about it. We're still in the process of purchasing a backup and recovery tool, so we're still doing our homework.

We're just customers. We don't have a business relationship with the company.

I'm not sure which version of the solution we're using. The last time I checked, it was version 5.6. It is up-to-date, however. I get a report every so often saying, we've updated the sensors, or current version, etc. It's an auto-update and it does that. Whenever it's missing something or it couldn't reach an endpoint, the company will send me a report of that, saying these endpoints are not updated because we couldn't detect it on the network any longer.

The only advice I would say to others considering the solution is, if they have an unsupported operating system or legacy application, to look closely at CrowdStrike to see if the solution actually makes sense for them. This is due to the fact that they're not going to be able to support it. If they have thousands of servers and 20% of them are legacy applications, they may not want to think about CrowdStrike because the solution doesn't support legacy products. Other than that, I fully recommend CrowdStrike. The advanced threat protection they have has always been great.

I'd rate the solution a solid nine out of ten.

We use the solution for Windows and non-Windows infrastructure. We have Falcon clients on all our machines.

We integrate with CyberArk, which includes DNA reporting, particularly for identifying old and ticket-based attacks. We’ve implemented this integration to receive risk-based scoring. Our strategy focuses on preventing privilege escalation, as our last major incident, NotPetya, resulted from this vulnerability. To address this, we’ve implemented measures through CyberArk and CrowdStrike.

When we encounter phishing attacks via email, we sandbox any reported items. Whenever a suspicious email is reported, we conduct sandboxing in CrowdStrike and block emails, domains, and IPs based on the resulting threat intelligence.

The most critical aspect is preventing privilege escalation, particularly for domain admins with the highest credentials. With our integration of CyberArk, passwords are never transmitted to the endpoint. Instead, a secure RDP file is created, and Falcon is used to prevent privilege escalation attempts.

As customers, we always update our systems whenever a new release is available, with clients connecting directly to the Internet for these updates. We have an agent who manages these updates on the clients, but as an organization, we don’t have control over them. CrowdStrike should assess the impact on endpoints before releasing such updates.

Our organization now seeks AI-based stock monitoring to prioritize thousands of alerts generated across various platforms. The AI integration is still in its early stages, so we would like to see Falcon develop tools that can integrate with multiple platforms and help identify the highest-priority alerts.

I have been using CrowdStrike Falcon Threat Intelligence since 2017. We are using the latest version of the solution.

I rate the solution’s stability a nine out of ten.

The integration part is very good. CrowdStrike collaborates with most security vendors, so it's very easy to get one platform for our risk factors across the enterprise.

40 thousand devices are using this solution. We get many alerts from Falcon, sometimes from end users and sometimes from Internet-facing servers.

I rate the solution's scalability a nine out of ten.

We struggle to get specialized resources from CrowdStrike in a few cases.

Neutral

CrowdStrike Falcon Black is an on-premise solution that was very complicated, so we faced performance issues. The main reason for the switch is the performance issues reported by multiple application owners.

Initially, we faced many challenges because we had to open ports from each of our subnets to Falcon, as it’s a SaaS solution. Each client needs to communicate with Falcon servers for threat intelligence. Due to the complexity of our network, we had to carefully consider all security aspects when opening the external communication ports to Falcon.

It took 25 to 30 days to deploy it completely.

We began with our Tier 0 servers, which had the most critical and highest privileges. After securing those, we moved on to Tier 1 and Tier 2 as we continued deployment. Our approach was to first address the highest risk factors across the enterprise and then gradually move on to securing endpoints like user desktops and laptops.

I rate the initial setup as seven out of ten, where one is difficult, and ten is easy.

We took professional services from CrowdStrike, so it was done in-house with only two people: one from the execution team and one from the cybersecurity team.

When we track the annual priority cases, especially the security incidents, we have made many improvements. That is ROI in terms of tracking security incidents.

I rate the product’s pricing a six out of ten, where one is cheap and ten is expensive.

Most customer requirements focus on email security, so we’ve implemented Mimecast. CrowdStrike Falcon integrates with Mimecast, allowing us to provide advanced security beyond Office 365’s capabilities. With DMARC in place, Falcon helps us identify domains that pose a risk to the organization.

I advise you to look for customer feedback, and then they should also look for Gartner and other industry leaders so you get the ranking.

Overall, I rate the solution a seven out of ten.

Due to compliance requirements, our organization utilizes CrowdStrike Falcon as our Endpoint Detection and Response solution. This decision was particularly driven by the need to address a surge of ransomware attacks within our environment, experiencing between ten and 15 incidents at the time. The implementation of an EDR solution became crucial for effectively responding to these threats.

Our existing system lacked real-time monitoring and visibility, causing detection delays of even several minutes. CrowdStrike addressed this by offering near-instantaneous detection across the entire system. Furthermore, it allows for manual or automated response actions, significantly improving our overall incident response speed.

Integrating CrowdStrike Falcon with other solutions such as our SIEM was easy.

The key aspect of CrowdStrike Falcon is its behavioral detection approach. Unlike traditional signature-based platforms that rely on pre-defined patterns, Falcon analyzes an application's behavior to identify and respond to threats much faster. This makes it lightweight and minimizes impact on system performance. The sandbox feature is also valuable, while it incurs an additional cost, it can be valuable for deeper investigation.

The UI is not efficient. We are required to dig down to get more information, jumping from screen to screen.

I have been using CrowdStrike Falcon for three and a half years.

CrowdStrike Falcon generally ran smoothly with minimal lag.

CrowdStrike Falcon meets our scaling needs. To increase usage we simply add more agents.

Frustrated by CrowdStrike's slow and inconsistent technical support, we ended up having more success researching and resolving the issue ourselves.

Neutral

Leveraging the cloud platform, the initial deployment was straightforward. We simply needed to activate and deploy the agents. While configuration for a seasoned professional only took one to two hours, the entire deployment process typically takes a couple of days.

CrowdStrike Falcon can be more expensive than some competitors, and its base price doesn't cover every feature. For instance, adding sandboxing for advanced malware analysis incurs an extra cost.

We evaluated CrowdStrike and SentinelOne. However, since we bought the CrowdStrike, we did not move forward with SentinelOne.

CrowdStrike stands out for its superior threat detection speed, lightweight agents that don't impact system performance, and its helpful recommendations for responding to threats. This combination allows us to swiftly stop even unknown threats in their tracks.

I would rate CrowdStrike Falcon eight out of ten.

Two engineers max are required for maintenance.

We have 5,000 CrowdStrike Falcon users within our organization.

CrowdStrike Falcon utilizes a behavioral approach to security, proactively identifying threats based on their actions rather than relying on pre-defined signatures. This allows for faster response times compared to traditional signature-based systems.