CrowdStrike held its Fal.Con 2025 conference at a new location, the MGM Grand in Las Vegas, during the week of September 15. The event attracted over 8,000 attendees (a 30% increase from last year) and more than 100 sponsors. The increase reflects CrowdStrike’s growth as a security platform provider and its focus on building its community of practitioners.

As might be expected of a cybersecurity vendor event in 2025, AI dominated. In fact, “AI” was the first word uttered during the voiceover for the keynote opener and was oft repeated throughout the event, underscoring the emphasis that CrowdStrike is placing on its AI prowess.

Our highlights and takeaways from Fal.Con 2025 follow.

Two Acquisitions To Enhance Its Platform And Consolidation Story

Demonstrating that it has moved far from only being an endpoint vendor, CrowdStrike emphasized itself as a security platform provider throughout the event. Its acquisition announcements added to this as the vendor showed off its growing capabilities, providing more context about the Onum acquisition announced just before Fal.Con and announcing a brand-new acquisition: Pangea.

Onum introduces a new data pipeline management capability for CrowdStrike. Given the evolving nature, velocity, and volume of threats, sending logs to a central platform for detection is no longer scalable. The goal now is to shift detection closer to the data source, even for third-party data. Once integrated, Onum may compete with or replace the current CrowdStream service, and CrowdStrike remains partnered with Cribl (one of the event sponsors). Clients should watch how CrowdStrike integrates Onum’s capabilities into its platform as they build their security data pipeline management strategy.

Pangea focuses on AI security governance in visibility, detection, and response. Its broader aim is agent explainability and auditability in line with Forrester’s AEGIS framework. Pangea’s monitoring and PII detection features complement Falcon Data Protection, which emphasizes detecting and responding to adversarial attacks, generative AI misuse, and insider risk over traditional DLP approaches. AI security will only increase in importance as AI use increases and adversaries target these systems, so CrowdStrike customers should keep an eye on how quickly the vendor makes new AI security functionality available.

Enterprise Graph And Seven Agents Unveiled: Shifting The Agentic SOC From Aspirational To Operational … One Day

CrowdStrike introduced its Agentic Security Platform, an AI-based system combining endpoint, identity, cloud, and threat intelligence into a real-time enterprise graph. The platform features seven AI agents: Malware Analysis, Hunt, Exposure Prioritization, Search Analysis, Correlation Rule Generation, Data Transformation, and Workflow Generation. These agents are designed to automate tasks that previously required hours for human analysts to perform.

These agents do more than merely assist; they act. They can quickly reverse-engineer malware, spot threats, prioritize risks, and deliver insights. The agents also include an explainability layer for workflow oversight. They aren’t autonomous now, though, and it will be years before we get anywhere near that. During the opening keynote, CEO George Kurtz used the example of the stages of autonomous vehicles — which will become the most frequently used example in cybersecurity in 2025 and 2026 — for the transition from one level to the next over time.

CrowdStrike announced a future where human staff supervise AI workflows by: 1) validating outputs; 2) governing deployment; and 3) assuring that correct actions are taken. Charlotte AI AgentWorks lets teams build custom agents without code, using simplified workflow tools.

In his day one keynote, Kurtz stated that achieving security AGI (Artificial General Intelligence) is CrowdStrike’s aspirational destination.

AI and agents are here today and ready to deploy, while fully agentic and autonomous systems remain longer-term visions. Now is the time to start integrating these capabilities in your SOC while keeping an eye on vendor advancements. New capabilities are emerging at an astonishing pace.

SOC Analysts Are Elevated — But Only The Ones With Experience

CrowdStrike noted that mid-to-senior analysts will remain vital in AI SOCs, overseeing agent orchestration and interpreting outputs. Kurtz stated that in security teams, leaders will be the “human conscience of cyber defense.” Still, the unspoken truth hung in the air at the MGM Grand — fewer practitioners will be required, especially those in traditional L1 SOC roles.

While demand for traditional Level 1 roles may decline, competition for experienced SecOps and IR professionals is expected to increase, creating an experience chasm not easily crossed without deliberate thought and planning on the part of security leaders. Start building a bench now and cultivate early-career talent by refining recruitment processes and providing hands-on skill and experience acquisition opportunities.

Shifting From Visibility To Action

Visibility was all the rage at Fal.Con 2024, with AI-generated parsers, improvements to the analyst experience, and integrations with cloud providers. But Fal.Con 2025 shifted the focus to implementation and action. Beyond the major announcements, such as the unified data layer and AI agents, CrowdStrike introduced a critical component: the agentic gateway. This bidirectional interface enables Charlotte AI to securely access third-party data sources, advancing end-to-end AI implementation for users.

On the operations front, CrowdStrike launched the adversary strategy program. This unifies operations, services, and R&D to eliminate silos in data access, resources, and expertise to bolster and streamline incident response capabilities.

On day three, CTO Elia Zaitsev unveiled APEX (Anomalous Process Execution), a new classifier in CrowdStrike’s AI-powered indicators-of-attack model family, which reportedly detects malicious activity in legitimate processes with a 99.95% true positive rate, validated by over 32,000 alerts from 700 customers.

Windows Agent Enhancements

Chief Technology Innovation Officer Alex Ionescu described enhancements to the Windows endpoint agent that make better use of local resources to speed detection and response on the endpoint before sending intel to the cloud for review. He also outlined CrowdStrike’s ongoing work to make the agent compatible with Microsoft’s in-development Windows endpoint security platform and to move the Falcon agent outside the kernel. Customers will have to keep CrowdStrike accountable to ensure that the use of more local resources doesn’t negatively impact their endpoints’ performance.

Pushing Into The IoT/OT Security Space

Through multiple sessions, CrowdStrike showed its efforts to protect IoT and OT devices. The vendor has had some success within OT environments with its traditional Falcon endpoint agent as well as its separate XIoT module. CrowdStrike customers UPS and Land O’Lakes joined sessions to discuss how they’ve employed CrowdStrike to protect their environments.

As an agent-based solution, CrowdStrike has some limitations deploying in some OT environments. Until more OT vendors validate and certify the Falcon agent to run on their endpoints, CrowdStrike’s progress in this space will be slow. Customers looking to use CrowdStrike for IoT/OT security should validate that the vendor is certified to work with their currently deployed technologies.

Data Protection Capabilities On The Rise

CrowdStrike announced updates to Falcon Data Protection and Falcon Next-Gen Identity Security, including beta releases and early access features. Highlights include a client network inspection beta for monitoring data flows and preventing unauthorized genAI interactions, an insider risk dashboard that combines protection and identity data, and early access to Falcon Privileged Access.

CrowdStrike Falcon Data Protection and Falcon Next-Gen Identity Security will not fully replace traditional tools — yet. But organizations with concerns around genAI use and insider risk should evaluate Falcon Data Protection. CrowdStrike is positioned for continued development in the areas of data and identity security controls.

Let’s Connect

Forrester clients who have questions or would like to discuss further can book an inquiry or guidance session with any of us.

Also, you can join us in person at the Forrester Security & Risk Summit from November 5–7 in Austin, Texas. The event is packed with visionary keynotes, informative breakout sessions, interactive workshops, insightful roundtables, and other special programs.