CrowdStrike Release Notes
Last updated: Apr 13, 2026
- April 2026
- No date parsed from source.
- First seen by Releasebot: Apr 13, 2026
CrowdStrike Flex for Services
CrowdStrike adds flexible access to CrowdStrike Services through Falcon Flex entitlements covering incident response, advisory, platform services, and training.
Flexible access to CrowdStrike Services
Apply the Falcon Flex model to expert-led services with a standalone entitlement for incident response, proactive security services, advisory, platform services, and training.
Flex for Services gives organizations a more adaptable way to consume CrowdStrike expertise as priorities evolve. For qualifying new services customers, the Zero Dollar Flex Fund provides 200 hours at no initiation cost, including 160 hours of incident response and 40 hours of proactive services, through a standalone 12-month agreement.
CrowdStrike SOC Transformation Services
CrowdStrike launches SOC Transformation Services to help customers modernize their SOC on the Falcon platform with expert-led design, migration, data onboarding, workflow implementation, optimization, and a roadmap toward agentic-ready security operations.
Modernize your SOC. Build agentic-ready foundations.
Expert-led SOC modernization on the CrowdStrike Falcon® platform to build the foundations for future agentic capabilities.
Just announced from RSA — SOC Transformation Services
You can’t layer agentic AI onto a legacy SOC
Yesterday’s architecture. Today’s threats.
Legacy SOC models weren’t designed for cross-domain, machine-speed detection and response, or future agentic operations.
Modernization is a heavy lift
Rebuilding SIEM, pipelines, workflows, and your operating model is a major effort in a 24/7 SOC.
Fragmented data limits what you can build
Siloed telemetry and brittle workflows limit scale, automation, and agentic SOC readiness.
Design: Clarify the SOC path forward
Gain a clear, evidence-based view of how your SOC operates today. Then define a phased modernization roadmap across SIEM, data pipelines, workflows, talent, and governance — establishing the foundation required for future agentic readiness.
Build: Turn the roadmap into reality
Upgrade to a modern SOC with CrowdStrike Falcon® Next-Gen SIEM at the core. Our experts take on migration, data onboarding, and workflow implementation — so your team can maintain standard operations while you rapidly level up with unified telemetry, streamlined operations, and faster time-to-value from your CrowdStrike Falcon® platform investment.
Optimize: Prove, refine, and advance
Test and refine your modern SOC through red team / blue team exercises, detection tuning, and governance improvements — validating performance today while preparing for safe, scalable agentic AI adoption tomorrow.
Featured Resources
- Data Sheet: SOC Transformation Services
- Guide: The Agentic SOC Guide: A Four-Step Journey to AI-Powered Security Operations
Start your SOC transformation journey
Build your agentic-ready SOC with CrowdStrike at your side.
Mission-Ready Agentic Workforce | Powered by Charlotte AI
CrowdStrike introduces Charlotte AI mission-ready agents and AgentWorks to automate security workflows, speed triage and investigations, and let teams build, test, and manage governed AI agents under analyst control.
CrowdStrike® Charlotte AI™
Unleash mission-ready agents
Automate time-intensive tasks at machine speed, grounded in elite analyst judgment and always under defender control.
Command your agentic security workforce
Deploy your agents to accelerate decisions, automate work, and orchestrate intelligence across security workflows.
Deploy mission-ready agents
Automate manual work with out-of-the-box agents.
Build your own agents
Design, test, and deploy agents with Charlotte AI™ AgentWorks.
Scale with AI
Your SOC force multiplier. Work smarter. Respond faster, 24/7.
Trained, tested, and reinforced by expert feedback
CrowdStrike Falcon® platform agents are fueled by a one-of-a-kind expert-AI feedback loop and engineered to deliver precision, scale, and governed execution at enterprise scale.
- 98% triage accuracy [1]
- 70% reduced manual work in investigations [2]
- 3X faster time to response (MTTR) [2]
Explore mission-ready agents
AI Agents
- Detection Triage Agent (Detection and Response): Classifies new detections and recommends next steps.
- Response Agent (Detection and Response): Drives investigations with guiding questions and answers.
- Malware Analysis Agent (Threat Intelligence and Hunting): Analyzes files, maps malware families, and builds YARA rules.
- Hunt Agent (Threat Intelligence and Hunting): Automates threat hunting and scans for emerging threats.
- Exposure Prioritization Agent (Exposure Management): Triages vulnerabilities and identifies exploitable risks.
- Data Onboarding Agent (Next-Gen SIEM): Automates data pipeline creation to accelerate data onboarding.
- Search Analysis Agent (Next-Gen SIEM): Summarizes and interprets query results in seconds.
- Correlation Rule Generation Agent (Next-Gen SIEM): Recommends and tunes detection rules for advanced threats.
- Data Transformation Agent (Agentic SOAR): Normalizes and translates data across tools.
- Workflow Generation Agent (Agentic SOAR): Converts natural language prompts into automated workflows.
- Foundry App Creation Agent (Agentic SOAR): Builds security applications in CrowdStrike Falcon® Foundry.
- Query Translation Agent (Next-Gen SIEM): Translates queries into Falcon platform-native CQL.
Transform security operations with an agentic fleet
From signal to decision at machine speed
Offload repetitive tasks to Charlotte AI's agents — from triage to risk analysis. Reduce toil, accelerate response, and refocus analyst time on high-impact work.
Scale security operations without adding headcount
Falcon platform-native agents inherit CrowdStrike’s unified telemetry and shared security context – extending your team’s impact across security workflows, 24/7.
Powered by a singular expert-AI feedback loop
Charlotte AI’s agents learn from frontline analyst decisions and are continuously validated by CrowdStrike’s elite incident responders. The result: agents that reason, decide, and act with analyst-grade precision — maintaining accuracy and resisting drift even as threats evolve.
One platform to build, manage, and orchestrate agents
With Charlotte AI AgentWorks, build, test, and manage agents using natural language, fueled by best-of-breed frontier AI models. Charlotte AI centralizes AI adoption across your team, providing full control over access, credit usage, and agent activity.
Always under analyst control
Agents operate within defined guardrails: clear explanations, inspectable source data, role-based access controls (RBAC) and audit-ready logs. Bounded autonomy keeps analysts in the loop.
Featured Resources
- Data Sheet: Charlotte AI’s Mission-Ready Agents
- User Guide: Getting Started with Charlotte AI
- Blog: Inside CrowdStrike’s science-backed approach to building expert SOC agents
- Product: Charlotte Agentic SOAR
- CrowdCast: Making AI Real in the SOC
- Blog: Inside the Human-AI Feedback Loop Powering CrowdStrike’s Agentic Security
Start your agentic SOC transformation today
Unified intelligence. Machine speed. Total control.
[1] Accuracy rating is a measure of Charlotte AI triage decisions that match the expert decisions from the CrowdStrike Falcon Complete Next-Gen MDR team.
[2] User-provided assessments of reduced manual work and accelerated time to response provided in customer case studies.
Falcon Onum
CrowdStrike highlights Falcon Onum and Falcon Next-Gen SIEM for Defender as part of its agentic SOC push, promising real-time data control, faster incident response, lower storage costs, and less ingestion overhead for security teams.
Supercharge your agentic SOC with high-quality, real-time data
Eliminate noise, cut costs, and stop breaches at machine speed.
Latest Innovations
- Falcon Next-Gen SIEM for Defender transforms your SOC — no rip and replace required
- Powering the agentic SOC: Mission-ready agents from Charlotte AI
- Agentic Security Workforce: Mission-ready agents that turn complex security operations into AI-driven conversations
Adversaries hide in your data noise
With overwhelming data and latency, AI-powered attackers move faster than defenders can respond.
- 62% of alerts ignored amid overwhelming noise
- More time spent managing data than analyzing it
- 27s fastest breakout time: adversaries outpace your data
- Blind spots are exploited by adversaries at scale
Accelerate your agentic SOC transformation with real-time data
Power agentic security operations with seamless onboarding, autonomous detection, and faster response.
- 70% faster incident response with in-pipeline detection
- 50% lower storage costs with smart filtering
- 40% less ingestion overhead, fueling better SOC outcomes
Cut the noise. Keep the signal.
Turn fragmented telemetry into structured, enriched data that matters. By cutting noise and amplifying context, Falcon Onum ensures CrowdStrike Falcon® Next-Gen SIEM and SOC teams act on high-fidelity insights, not clutter.
Speed for the agentic era
Falcon Onum delivers up to 5x more events per second than its nearest competitor, processing data in real-time versus legacy batch and store methods. SOCs detect and respond faster to outpace AI-powered adversaries.
Spend less. Defend more.
Don’t pay for data you don’t need. Falcon Onum intelligently filters and routes telemetry, cutting storage costs by up to 50% while freeing budget for what matters most: defending your business.
Stop threats in the data stream
Falcon Onum moves detection upstream into the pipeline, autonomously spotting malicious activity as data flows. By surfacing high-value signals instantly, security teams gain the speed to outpace AI-powered adversaries instead of reacting after the breach.
Pipeline control made simple
Traditional pipelines require heavy scripting and deep engineering. Falcon Onum’s intuitive drag-and-drop UI empowers SOC analysts at every level to shape, enrich, and route data themselves — unlocking agility without complexity.
Validated by analysts. Trusted by customers.
Named a Leader in the 2025 GigaOm Radar for SIEM
A Visionary: 2025 Gartner® Magic Quadrant™ for Security Information and Event Management
See why organizations trust Falcon Next-Gen SIEM
Adversary-informed intelligence. Delivered at scale. Trusted when it matters most.
“Consolidating security on the Falcon platform allows us to address our unique security needs from a single, centralized interface. We can create custom dashboards, conduct tailored analyses, and quickly determine appropriate responses to incidents.”
Mathias Espeloer, Director of IT, HEUKING
“We don't have the time or energy to go search into millions of logs. So having AI layered on top of CrowdStrike’s SIEM product is where we want to be.”
Wayne Cross, Director, Cybersecurity and Infrastructure Operations, BLG
“With Falcon Next-Gen SIEM, we were writing custom detections and getting results on day one…We're super excited about Falcon Fusion. It's intuitive, and having that type of automation within the Falcon platform is huge for us. There's a lot of custom ad hoc rules that we leverage, and having that SOAR capability to automate any of those steps is valuable.”
Nathan Kelly, Senior Information Security Engineer, TaylorMade
Featured Resources
- Blog: CrowdStrike to Acquire Onum to Transform How Data Powers the Agentic SOC
- Data Sheet: Fuel every agentic workflow with a high-performance security data control plane
- Live Demo: Accelerate Your Agentic SOC Transformation with Falcon Onum
Accelerate your AI SOC transformation
Learn how Falcon Onum eliminates data migration bottlenecks, friction, and cost.
FAQs
Does Falcon Onum require Falcon Next-Gen SIEM?
How does Falcon Onum work with Falcon Next-Gen SIEM and CrowdStrike Falcon® Complete Next-Gen MDR?
What types of data transformations can Falcon Onum apply before sending data to Falcon Next-Gen SIEM?
Can Falcon Onum perform detections in motion? How does this differ when used with Falcon Next-Gen SIEM?
Sources and notes
- CrowdStrike 2026 Global Threat Report
- “SOC Teams: Threat Detection Tools are Stifling Us”, Dark Reading
- These numbers are projected estimates of average benefit based on CrowdStrike’s own internal analysis and recorded metrics provided by customers during pre-sale motions that compare the value of CrowdStrike with the customer’s incumbent solution. Actual realized value will depend on the customer's module deployment and environment.
- Results are from a customer case study. Individual results may vary.
- As of June 2, 2025, CrowdStrike has an Overall Rating of 4.7 out of 5 and the most reviews in a 12-month period in the Security Information and Event Management market, based on 184 reviews on Gartner Peer Insights™.
CrowdStrike Falcon Next-Gen SIEM for Defender
CrowdStrike expands Falcon Next-Gen SIEM into an open, AI-native SOC platform that works with Microsoft Defender and other third-party tools, adding real-time Falcon Onum pipelines, faster search, third-party intelligence, and broader detection and response across the stack.
CrowdStrike Falcon® Next-Gen SIEM
Open. Unified.
Built for the agentic SOC.
Extend AI-native security operations to Microsoft Defender and your wider stack — improving speed, clarity, and control without rip-and-replace.
Adversaries exploit the gaps in your stack
Siloed tools create blind spots attackers chain together.
- 27 seconds fastest breakout — no time for handoffs
- 82% of attacks are malware-free, evading isolated defenses
- Disjointed tools leave gaps adversaries exploit
- Disconnected signals delay containment
Defend your entire security ecosystem from a single AI-native platform
The open foundation for your security stack.
150x
Faster search — investigate threats across domains in seconds, not minutes, with industry-leading performance.
5x
Faster streaming pipelines — transform diverse data in real-time with native CrowdStrike Falcon® Onum integration.
4,500+
SOAR third-party actions — automate response with proven SOAR workflows across your stack.
The operating system for your entire ecosystem
Open AI-native capabilities that defend across your entire technology ecosystem.
Ingest data from anywhere
Falcon Onum is natively integrated into the CrowdStrike Falcon® platform, delivering real-time pipelines that ingest and transform data from virtually any source. Process up to 5x more events per second than the nearest competitor and route telemetry intelligently — so high-quality data flows into Falcon Next-Gen SIEM without complex setup.
Use our endpoint or bring your own
Deploy Falcon Next-Gen SIEM with Falcon EDR or integrate with third-party EDR platforms—starting with Microsoft Defender—to ingest endpoint alerts and telemetry from day one. Correlate Defender signals with logs and threat intelligence in a centralized AI-native workflow, modernizing your SOC without replacing existing agents.
Activate third-party intelligence
Ingest, enrich, score and deduplicate third-party indicators of compromise through APIs or uploads. Apply rules to control matching and exports so only curated, high-confidence intelligence flows into Falcon Next-Gen SIEM — operationalizing your unique intel alongside CrowdStrike’s adversary intelligence.
Search data where it lives
Query data in place across AWS Athena, CrowdStrike Falcon® LogScale and ExtraHop without duplicating or re-ingesting logs. Correlate results with Falcon platform telemetry to investigate seamlessly across environments while optimizing storage costs. Falcon Next-Gen SIEM is available in AWS Marketplace for streamlined procurement.
Detect and respond across your ecosystem
Move from siloed alerts to coordinated defense. Leverage native detections and workflow automation — including purpose-built content for third-party endpoints, starting with Microsoft Defender — to uncover threats across your ecosystem and trigger integrated response across security and IT domains. All within Falcon Next-Gen SIEM.
Watch Falcon Next-Gen SIEM in action
Transform your SOC with Falcon Next-Gen SIEM for Defender
Accelerate ingestion with Falcon Onum pipelines
Search across your entire data ecosystem in seconds
Streamline detection and response in one platform
Integrate security seamlessly across your AWS environment
Customer Stories
See why organizations trust Falcon Next-Gen SIEM.
“We asked for better parsing, better correlation, and a stronger data model — and they delivered.”
Emmett Koen, Senior Director of Cybersecurity Operations and North America Regional CISO, Mondelēz
“The built-in connectors were seamless, and CrowdStrike’s implementation team guided us from A to Z.”
Richard Lee, Director of Cybersecurity and Privacy, the ALDO Group
“The cool thing about Falcon Next-Gen SIEM is that we can integrate all of those logs into the [Falcon] platform and we can do the correlation.”
Wayne Cross, Director IT Cybersecurity & Infrastructure Operations, BLG LLP
Featured Resources
- Blog: Transform AWS Security Operations with Falcon Next-Gen SIEM
- Data Sheet: Falcon Onum: Clean, real-time data control for the Agentic SOC
- Data Sheet: Falcon Next-Gen SIEM for Third Party Data
CrowdStrike Falcon® Cloud Security
CrowdStrike expands container and Kubernetes security from build to runtime, adding agentless image assessment, runtime threat detection, policy enforcement, and AI workload protection to reduce supply chain risk and stop high-risk activity before it reaches production.
Secure Kubernetes and containers from build to runtime
Mitigate risk before deployment and detect threats at runtime with full lifecycle security for containers, Kubernetes, and AI workloads.
Complete container protection from pipeline to production
Combine agentless image assessment, AI-driven runtime defense, and adversary-informed risk prioritization to secure containers and Kubernetes at every stage.
Reduce supply chain risk
Secure images and dependencies early to prevent vulnerabilities from reaching production.
Enforce security without slowing teams
Apply consistent policies from build to runtime while enabling development velocity.
Respond to threats fast
Prioritize and stop high-risk activity across cloud-native and AI workloads.
Prevent risky images before deployment
Reduce production risk by stopping vulnerable and non-compliant images from advancing through development pipelines:
- Detect vulnerabilities and dependencies across registries
- Generate SBOMs for supply chain transparency
- Prioritize exploitable risks using adversary intelligence
- Enforce security policies in CI/CD workflows
- Block high-risk builds before production
Comprehensive container visibility
Close blind spots across containers, Kubernetes, and serverless environments with continuous discovery and unified visibility:
- Discover containers across managed and self-managed clusters
- Identify rogue or attacker-spawned containers
- Surface unprotected assets requiring security coverage
- View clusters and workloads in a single console
Runtime threat detection for containers
Detect and prioritize active threats across containers, Kubernetes, and serverless environments using adversary intelligence and control plane visibility:
- Gain runtime visibility with a sensor optimized for containers
- Combine agent-based runtime monitoring with agentless detections across the Kubernetes API Server
- Correlate user and service account activity to container behavior
- Identify workload drift and unauthorized containers
Policy enforcement across the container lifecycle
Apply consistent guardrails from build to runtime without slowing development.
- Block risky deployments with the Kubernetes Admission Controller
- Enforce policies across containers, nodes, and functions
- Codify custom security requirements into programmable policies
- Continuously assess workloads against compliance benchmarks
Securing AI development with Trusted Container Images
Accelerate AI innovation by ensuring only verified, compliant container images power production AI environments:
- Assess images used in NVIDIA NIM and AI pipelines
- Enforce trusted image policies before deployment
- Apply consistent security controls across AI workflows
Built for the speed of DevOps
Featured Resources
- White Paper: The Complete Guide to Kubernetes Security
- Press Release: CrowdStrike Named Frost & Sullivan’s 2026 Company of the Year for Cloud Workload Security
- Blog: CrowdStrike Uses Proven Detection Logic for Pre-Deployment Malware Scanning
Trusted by industry leaders
"During peak shopping times, Target’s infrastructure must scale to support millions of transactions per second. This requires a cybersecurity platform that delivers both endpoint-to-cloud protection and ultra high performance."
Jennifer Czaplewski, Senior Director, Cybersecurity, Target
Experience next-gen cloud security
Discover how CrowdStrike’s advanced protection can secure your cloud environment. No strings, no hassle.
Browser Extension Assessment
CrowdStrike adds Browser Extension Assessment to Falcon Exposure Management, giving teams visibility into installed browser extensions, prioritizing risky permissions, and automating alerts and remediation with Falcon Fusion to reduce hidden extension risk across major browsers.
CrowdStrike Falcon® Exposure Management
Uncover the risks hiding in plain sight
Gain control of your organization’s browser extension risk to prevent breaches.
Eradicate extension risk blind spots
Uncover and neutralize hidden permission risks.
Unmask browser extensions
Gain a comprehensive view of all browser extensions across your organization.
Prioritize permission risks
Identify high-risk extensions with dangerous permission levels, and understand their potential impact.
Automate threat response with CrowdStrike Falcon® Fusion
Trigger instant alerts and streamline remediation workflows to swiftly eliminate extension risks.
Real-time continuous monitoring
Automate extension security with real-time, always-on evaluation. Free your team from manual assessments and gain valuable time back.
Comprehensive visibility
Gain full insight into browser extensions across major browser platforms (Chrome, Edge, Safari, Firefox).
Meaningful prioritization and rich insights
Heuristics-based risk severity translates complex permission details into an easy-to-understand assessment. Rich artifacts and details support informed decision-making.
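The scoring below is an added example, not CrowdStrike's heuristic. It shows the kind of permission-based severity model the paragraph describes, applied to the WebExtension manifest.json that Chrome, Edge and Firefox extensions ship: API permissions are weighted, broad host access and all-site content scripts are treated as the dominant risk, and the combination that lets an extension silently intercept and rewrite all traffic is called out explicitly. The weights, thresholds and the two sample manifests are constructed assumptions.

```python
"""Permission-based risk scoring for browser-extension manifests.

Added example (not CrowdStrike's scoring logic). Reads WebExtension
manifest.json documents, the format Chrome, Edge and Firefox extensions ship,
and derives a severity from the API permissions and host access requested.
Weights and thresholds are assumptions chosen for illustration.
"""
import json

# Assumed weights: how much a single API permission raises the score.
PERMISSION_WEIGHTS = {
    "debugger": 40, "nativeMessaging": 30, "cookies": 25, "proxy": 25,
    "webRequest": 20, "webRequestBlocking": 20, "management": 20,
    "history": 15, "scripting": 15, "clipboardRead": 15,
    "declarativeNetRequest": 15, "tabs": 10, "webNavigation": 10, "downloads": 10,
}
# Match patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(p):
    return p == "<all_urls>" or "://" in p


def host_patterns(manifest):
    """Host access from MV2 'permissions' and MV3 'host_permissions'."""
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return [p for p in perms if _is_host_pattern(p)]


def api_permissions(manifest):
    return {p for p in manifest.get("permissions", []) if not _is_host_pattern(p)}


def score_manifest(manifest):
    """Return (score, findings) for a parsed manifest dict."""
    score, findings = 0, []
    perms = api_permissions(manifest)
    for perm in sorted(perms):
        w = PERMISSION_WEIGHTS.get(perm, 0)
        if w:
            score += w
            findings.append(f"permission {perm} (+{w})")
    hosts = host_patterns(manifest)
    broad = any(h in BROAD_HOST_PATTERNS for h in hosts)
    if broad:
        score += 40
        findings.append("broad host access (+40)")
    elif hosts:
        bump = min(5 * len(hosts), 20)
        score += bump
        findings.append(f"{len(hosts)} scoped host pattern(s) (+{bump})")
    # A content script injected into every page is broad access by another route.
    if any(m in BROAD_HOST_PATTERNS
           for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])):
        score += 30
        findings.append("content script on all sites (+30)")
    # Combination that allows silent interception and rewriting of all traffic.
    if broad and {"webRequest", "webRequestBlocking"} <= perms:
        score += 30
        findings.append("can intercept and modify all traffic (+30)")
    return score, findings


def severity(score):
    if score >= 100:
        return "critical"
    if score >= 60:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def assess(manifest_json):
    """Assess one manifest.json document (string) and return a summary dict."""
    m = json.loads(manifest_json)
    score, findings = score_manifest(m)
    return {"name": m.get("name"), "version": m.get("version"),
            "score": score, "severity": severity(score), "findings": findings}


# Constructed sample manifests (not real extensions).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example Tab Counter", "version": "1.0",
    "permissions": ["tabs"], "host_permissions": ["https://example.com/*"],
})
RISKY_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Example Coupon Finder", "version": "4.2",
    "permissions": ["tabs", "cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    for doc in (BENIGN_MANIFEST, RISKY_MANIFEST):
        print(assess(doc))
```

Run against a directory of unpacked extensions, the findings list is the "rich artifact" an analyst needs to decide whether a score is justified; in practice the weights should be tuned against your own fleet, and the store-listed permissions should be compared with the installed manifest, since a benign update can quietly add permissions.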
Automate remediation and shut down threats
Seamless integration with Falcon Fusion automates alerts and ticketing to accelerate response and neutralize threats fast.
See Browser Extension Assessment in action
Intermex reduced critical vulnerabilities by 98% with Falcon Exposure Management
"In less than a year with Falcon Exposure Management, we reduced critical vulnerabilities by 98% in our DMZ, 92% across our entire server board and 86% on all workstations,” said Hereford. “Those are massive improvements that I was proud to present to the board."
Daniel Hereford, CISO, Intermex
Featured resources
- Data sheet: Falcon Exposure Management
- Blog: Seeing the Unseen: Preventing Breaches by Spotting Malicious Browser Extensions
- Video: Demo Drill Down: Browser Extension Assessment
Don’t let browser extensions expose your enterprise
Gain complete control and eliminate hidden risks with Falcon Exposure Management.
- Date parsed from source: Apr 5, 2026
How CrowdStrike Is Accelerating Exposure Evaluation as Adversaries Gain Speed
CrowdStrike adds Continuous Visibility to Falcon Exposure Management, giving teams near real-time vulnerability exposure checks between scans, automatic prioritization of high-risk issues, and targeted rescans of affected network assets.
Continuous Visibility, new to Falcon Exposure Management, continuously evaluates vulnerability exposure without waiting for periodic scans.
When a new vulnerability is disclosed, security leaders want to know whether they’re exposed. In many organizations, the answer still depends on scan cycles that lag behind exposure — an architectural delay.
Adversaries are moving faster: The average eCrime breakout time fell to 29 minutes in 2025, and the fastest was only 27 seconds, the CrowdStrike 2026 Global Threat Report found. Some, such as OPERATOR PANDA, quickly weaponize newly disclosed vulnerabilities and move across environments before defenders can rescan or reprioritize the vulnerability.
Continuous Visibility, a recently added capability in CrowdStrike Falcon® Exposure Management, was built to help defenders act faster. It continuously evaluates cloud-based network asset data as vulnerability intelligence is updated so organizations can learn their exposure without waiting for the next periodic scan. Natively delivered from the CrowdStrike Falcon® platform, it integrates network exposure into the same unified workflows as endpoint, cloud, and identity risk.
Periodic scanning reflects a slower response model. Continuous Visibility aligns exposure evaluation to the pace of disclosure, helping organizations rapidly understand and respond to critical issues.
Continuous Visibility for Network‑based Assets
This new capability builds on Network Vulnerability Assessment, a Falcon Exposure Management feature that uses network scanning to assess routers, switches, appliances, and other unmanaged devices through the already deployed Falcon sensor. Continuous Visibility uses Falcon Exposure Management’s cloud-driven evaluation model to assess newly disclosed vulnerabilities against this previously collected network asset data without waiting for another scan to run.
Continuous Visibility evaluates vulnerabilities across all severity levels and automatically prioritizes the highest-risk issues while maintaining full context across the environment. When a new CVE is published and CrowdStrike releases detection content, that logic is immediately applied to network asset metadata already stored in the Falcon platform. If an exposure exists, it’s surfaced right away.
When a high-profile vulnerability is disclosed, teams need to move quickly and with confidence in the state of affected assets. This is why Continuous Visibility includes a targeted rescan capability: From the Falcon Exposure Management dashboard, teams can trigger a one-click rescan of only the assets associated with a newly identified vulnerability. The same scan routing is reused, with no reconfiguration required, and teams can quickly learn whether an exposure likely exists there.
With Continuous Visibility, teams gain immediate insight into exposures identified between scans within Falcon Exposure Management workflows. For vulnerability management and SecOps teams, this means less reactive scrambling. They can quickly identify affected network assets, prioritize remediation, and use targeted rescans for confirmation. In doing so, they can reduce their workloads, minimize alert fatigue, and close attack paths before adversaries can take advantage of them.
Figure 1. Dashboard view of a vulnerability management platform displaying vulnerabilities identified through the Falcon Exposure Management Continuous Visibility feature, including charts of vulnerability severity and risk ratings, and remediation compliance metrics
Figure 2. A table of critical findings such as deprecated SSL/TLS versions and insecure SSH configurations, with options to rescan affected assets
How It Works
The design mirrors the proven Falcon platform architecture:
- Network scans collect asset metadata and service details on a defined cadence
- This data is retained in Falcon Exposure Management
- Vulnerability signatures are continuously updated as new research and detections are released
- When signatures change, evaluation runs automatically against existing asset data
The result is instant awareness of new exposures that emerge between patching or scanning cycles. From an operator’s perspective, the experience is simple: New, high‑impact vulnerabilities appear as soon as the platform knows how to detect them.
This model intentionally separates scanning and evaluation. Scans gather facts. The cloud decides risk. That separation is what allows Falcon Exposure Management to move at the speed of disclosure.
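The separation described above, modelled as an added example (not Falcon code): a scan records facts about each network asset; a content release re-evaluates those stored facts immediately, triggering no scan; and the assets matched by the new content become the targeted-rescan list. Asset data, signature identifiers and version thresholds are all constructed for illustration.

```python
"""Decoupled scan/evaluation model for network-asset exposure.

Added example illustrating the architecture described above; not Falcon
code. A scan records facts about each asset. Releasing new signatures
re-evaluates those stored facts immediately, with no scan, and the assets
the new content matches become the targeted-rescan list. All asset data,
signature IDs and version thresholds below are constructed.
"""
import re
from dataclasses import dataclass


def version_tuple(v):
    """'9.6p1' -> (9, 6, 1): adequate for the constructed data here."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass(frozen=True)
class Service:
    port: int
    product: str
    version: str


@dataclass(frozen=True)
class Asset:
    asset_id: str
    address: str
    services: tuple  # Service objects captured by the last scan


@dataclass(frozen=True)
class Signature:
    vuln_id: str
    product: str
    fixed_in: str   # versions below this are affected
    severity: str


@dataclass(frozen=True)
class Finding:
    asset_id: str
    vuln_id: str
    severity: str
    port: int
    evidence: str


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


class ExposureStore:
    def __init__(self):
        self.assets = {}        # asset_id -> Asset (facts from scans)
        self.signatures = {}    # vuln_id -> Signature (detection content)
        self.findings = []
        self.rescan_queue = []  # assets implicated by the latest content release

    def record_scan(self, assets):
        """Scan results replace the stored facts; all known content is re-applied."""
        for a in assets:
            self.assets[a.asset_id] = a
        self.findings = self._evaluate(self.signatures.values())

    def update_signatures(self, released):
        """Content release: evaluate only changed signatures, trigger no scan."""
        fresh = [s for s in released if self.signatures.get(s.vuln_id) != s]
        for s in fresh:
            self.signatures[s.vuln_id] = s
        new = self._evaluate(fresh)
        self.findings.extend(new)
        self.rescan_queue = sorted({f.asset_id for f in new})
        return new

    def _evaluate(self, sigs):
        out = []
        for s in sigs:
            for a in self.assets.values():
                for svc in a.services:
                    if svc.product == s.product and version_tuple(svc.version) < version_tuple(s.fixed_in):
                        out.append(Finding(a.asset_id, s.vuln_id, s.severity, svc.port,
                                           f"{svc.product} {svc.version} < {s.fixed_in}"))
        return out

    def prioritized(self):
        return sorted(self.findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.asset_id))


# Constructed inventory from a periodic scan and two later content releases.
SAMPLE_INVENTORY = [
    Asset("rtr-01", "10.0.0.1", (Service(22, "openssh", "7.4"), Service(443, "tls", "1.0"))),
    Asset("sw-02", "10.0.0.2", (Service(22, "openssh", "9.6p1"),)),
    Asset("fw-03", "10.0.0.3", (Service(22, "openssh", "8.2"), Service(443, "tls", "1.2"))),
]
SAMPLE_RELEASE_1 = [
    Signature("SIG-001", "openssh", "9.0", "high"),
    Signature("SIG-002", "tls", "1.2", "medium"),   # deprecated TLS version
]
SAMPLE_RELEASE_2 = [Signature("SIG-003", "openssh", "9.8", "critical")]

if __name__ == "__main__":
    store = ExposureStore()
    store.record_scan(SAMPLE_INVENTORY)
    for release in (SAMPLE_RELEASE_1, SAMPLE_RELEASE_2):
        store.update_signatures(release)
        print("rescan:", store.rescan_queue)
    for f in store.prioritized():
        print(f)
```

The point to notice is that `update_signatures` never touches the network: it only joins new content against facts already on hand, so the time from content release to finding is bounded by evaluation, not by the scan cadence. The rescan queue is deliberately limited to assets the new content implicated, which is what keeps a confirmation pass cheap; anything the stored facts could not decide (a version string the banner did not expose, for instance) is exactly what the targeted rescan is for.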
Learn more about Network Vulnerability Assessment and Continuous Visibility in Falcon Exposure Management:
Video: Under The Light: Closing the Valley of Visibility in Network Vulnerability Assessment
Closing the Gap
When adversaries can operationalize vulnerabilities in minutes, time is the constraint. Continuous Visibility delivers near real-time clarity within Falcon Exposure Management’s unified exposure view, enabling faster, more confident decisions grounded in current context.
Falcon Exposure Management Continuous Visibility represents the next stage in the evolution of Network Vulnerability Assessment. It builds on a cloud-first foundation that decouples exposure evaluation from scan timing without increasing scan frequency or operational overhead.
Vulnerabilities don’t wait for scan schedules, and neither do adversaries. Continuous Visibility helps ensure that when something new emerges, security teams know immediately whether it matters to them with timely, defensible insight delivered through the Falcon platform.
Additional Resources
Download this guide to take the first step toward a smarter, faster, and more resilient approach to managing your organization’s exposure: Beyond the Scan: An Ultimate Buyer’s Guide to Modern Exposure Management.
Learn more about how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
To learn more about Falcon Exposure Management features, visit our Tech Hub.
- Date parsed from source: Apr 1, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management
CrowdStrike adds Falcon for IT support for the Windows Secure Boot certificate transition with a Windows Secure Boot Certificate Lifecycle Management content pack, giving enterprises assessment, controlled rollout, emergency blocking, and dashboard visibility for managing Microsoft’s CA 2011 to CA 2023 shift.
Falcon for IT brings precision and control to the Windows Secure Boot certificate transition with the Windows Secure Boot Certificate Lifecycle Management content pack
Microsoft has announced the retirement of the Windows UEFI CA 2011 certificate and the transition to the Windows UEFI CA 2023 certificate, with hard enforcement beginning in 2026. This update is part of Microsoft’s ongoing effort to preserve the integrity of the Windows Secure Boot trust chain and ensure continued delivery of boot-level security updates.
For enterprise IT teams, this is not simply a certificate replacement. It is a structural shift in firmware trust that impacts every Secure Boot-enabled Windows endpoint across the enterprise. If not governed proactively, this transition can introduce deployment inconsistency, limit future boot-chain security updates, and create avoidable compliance drift across distributed environments.
Modern adversaries increasingly rely on stealth, persistence, and trusted system components to evade detection. When firmware trust is inconsistent or mismanaged, it creates blind spots below the operating system — areas traditional security controls cannot easily monitor. Secure Boot integrity therefore becomes a continuously validated control, not a one-time configuration task.
Devices that do not contain the Windows UEFI CA 2023 certificate within their UEFI firmware signature database before enforcement may be unable to receive future boot component updates, increasing long-term security and compatibility risk. At enterprise scale, unmanaged rollout introduces operational risk, including update failures, inconsistent deployment states, and potential firmware instability on certain hardware platforms.
CrowdStrike Falcon® for IT brings precision and control to the Windows Secure Boot certificate transition with the Windows Secure Boot Certificate Lifecycle Management content pack, which transforms enforcement from a reactive IT task into a governed, enterprise-scale program.
Why This Is Surfacing Now
While certificate expiration has been known for some time, awareness accelerated in early 2026 following Microsoft’s formal enforcement timeline and expanded deployment guidance.
IT teams are now evaluating:
- Readiness ahead of the June 2026 expiration window
- Virtualized environment compatibility (Hyper-V and VMware)
- Windows Server fleets requiring manual action
- Inconsistent reporting visibility across Intune-managed estates
- Firmware dependencies on specific OEM hardware platforms
The operational question has shifted from “Will Microsoft deliver the update?” to “Do we have verified visibility into firmware trust state across our fleet before enforcement milestones?”
Understanding the Secure Boot Certificate Rotation
What Is Changing
Microsoft is retiring the Windows UEFI CA 2011 certificate, which expires in 2026, and replacing it with the Windows UEFI CA 2023 certificate.
This change requires:
- Updating UEFI firmware signature databases
- Ensuring devices trust the new 2023 certificate
- Coordinating rollout through Microsoft’s managed deployment framework
Microsoft supports this transition through Windows Update, registry-based controls, Intune, Group Policy, and APIs.
Unlike Windows client platforms participating in Microsoft’s managed rollout, Windows Server environments require deliberate administrative execution to complete the transition.
Virtualized Environments Require Additional Validation
In virtualized environments, Secure Boot variables are often controlled or abstracted by the hypervisor platform. Some Hyper-V virtual machines have reported certificate update failures tied to protected firmware variables, while certain VMware environments require platform-level updates before guest operating systems can successfully write updated trust anchors.
This introduces additional validation requirements:
- Confirming hypervisor support for UEFI variable updates
- Identifying virtual machines with Secure Boot enabled
- Testing certificate enrollment behavior in representative VM pools
- Coordinating rollout sequencing between infrastructure and endpoint teams
For enterprises with significant Windows Server or VDI footprints, virtualization readiness should be validated before enabling large-scale managed rollout.
The challenge for most organizations is achieving complete enterprise-wide visibility into firmware readiness, coordinating deployment sequencing across endpoint, server, and virtualization teams, and preventing inconsistent rollout states at scale. While Microsoft provides the delivery mechanisms, enterprise teams still require centralized visibility, controlled automation, and audit-grade reporting to execute this transition safely across distributed environments. Delivery alone does not provide fleet-level trust validation, staged orchestration, or enforcement-aware posture governance.
Critical questions include:
- Which systems have Secure Boot enabled?
- Which systems are operating in Legacy BIOS mode?
- Which devices already contain the 2023 certificate?
- Which devices attempted the update but failed?
- Which hardware platforms require compatibility validation?
- Which endpoints must be temporarily blocked to prevent instability?
Without centralized assessment and controlled remediation, enforcement becomes reactive rather than predictable.
What This Transition Is Not
This is not an emergency patch event, and devices will not immediately stop booting when the 2011 certificate expires. Microsoft’s rollout is phased, and systems that have not yet transitioned will generally continue operating.
However, systems that remain on the legacy trust chain will be unable to receive future boot component security updates and revocations, gradually shifting into a degraded security posture.
The operational risk is not sudden outage. It is delayed visibility, inconsistent rollout states, and compressed remediation timelines as enforcement approaches.
Secure Boot Certificate Transition Timeline
- 2023: Microsoft introduces the Windows UEFI CA 2023 certificate and begins phased distribution through Windows Update mechanisms.
- Early 2026: Microsoft formalizes enforcement guidance and expands administrative controls for managed rollout.
- June 2026: Expiration of key 2011 Secure Boot certificates begins. Systems that have not transitioned may progressively lose eligibility to receive future boot component updates.
- October 2026: Additional 2011 certificate expirations occur, further narrowing compatibility for non-transitioned systems.
Recommended enterprise objective: Establish fleet-wide visibility and complete staged rollout prior to Q3 2026 to avoid compressed remediation timelines.
Falcon for IT Operationalizes the Transition
The Windows Secure Boot Certificate Lifecycle Management content pack is built on Falcon for IT’s automation framework and provides the structured capabilities required to manage this lifecycle event across enterprise Windows fleets.
It delivers:
- Fleet-wide Secure Boot and certificate posture assessment
- Controlled enrollment into Microsoft’s managed rollout process
- Emergency blocking for hardware with known compatibility concerns
- Centralized audit logging and execution tracking
- Real-time dashboard visibility for compliance and remediation
Supported platforms include Windows 10 version 1809 and later, Windows 11, and Windows Server 2019 and later.
Operational requirements include UEFI firmware, administrative privileges, and Secure Boot capability within firmware.
Legacy BIOS systems do not support Secure Boot and are not subject to the 2026 enforcement requirement.
Secure Boot Readiness Assessment
The Secure Boot Readiness Assessment provides deterministic validation of firmware trust state across the enterprise.
The query task evaluates:
- Secure Boot enablement status
- Presence of the Windows UEFI CA 2023 certificate within UEFI firmware
- Microsoft servicing registry records for update attempts
- Update status and associated error codes
- Managed rollout opt-in state
- Emergency update block state
- Operating system version details
This creates a defensible baseline before deployment begins and supports continuous monitoring throughout rollout. Importantly, Secure Boot certificate state should not be treated as a one-time project milestone. It represents an ongoing firmware trust lifecycle that must be monitored as part of continuous configuration governance.
A recommended execution cadence is weekly or monthly to maintain posture awareness and support audit requirements.
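As an added example (not Falcon for IT code), the following read-only PowerShell check collects the same readiness fields listed above for a single Windows device and classifies it the way the rollout questions are asked. The registry paths and value names (UEFICA2023Status, UEFICA2023Error, and the keys holding MicrosoftUpdateManagedOptIn and HighConfidenceOptOut) are assumptions drawn from Microsoft's public servicing guidance and should be confirmed against current documentation; Legacy BIOS devices are reported as out of scope rather than treated as failures.

```powershell
# Added example: read-only Secure Boot readiness check for one Windows device.
# Not Falcon for IT code. Registry paths and value names are ASSUMPTIONS based
# on Microsoft's public servicing guidance; verify them before relying on them.
# Run from an elevated PowerShell session (UEFI variable reads require admin).

$ServicingKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'  # assumed path
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'            # assumed path

function Get-SecureBootReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r = [ordered]@{
        Hostname       = $env:COMPUTERNAME
        OSVersion      = $os.Version
        FirmwareMode   = 'Unknown'
        SecureBoot     = 'Unknown'
        CA2023InDb     = $null   # presence of 'Windows UEFI CA 2023' in the UEFI db
        UpdateStatus   = $null   # Microsoft servicing status record (assumed value name)
        UpdateError    = $null   # last servicing error code, if any (assumed value name)
        ManagedOptIn   = $null   # MicrosoftUpdateManagedOptIn raw value
        EmergencyBlock = $null   # HighConfidenceOptOut raw value
        Readiness      = $null
    }

    # Secure Boot enablement. On Legacy BIOS machines the cmdlet throws because
    # there is no UEFI variable interface; those devices are out of scope.
    try {
        $r.FirmwareMode = 'UEFI'
        $r.SecureBoot   = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        if ($_.Exception.Message -match 'not supported') {
            $r.FirmwareMode = 'Legacy BIOS'; $r.SecureBoot = 'NotSupported'
        } else {
            $r.SecureBoot = "Error: $($_.Exception.Message)"
        }
    }

    # Certificate presence: the CA subject appears as printable ASCII inside the
    # DER-encoded certificates stored in the db signature database.
    if ($r.FirmwareMode -eq 'UEFI') {
        try {
            $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
            $r.CA2023InDb = [bool]($dbText -match 'Windows UEFI CA 2023')
        } catch {
            $r.CA2023InDb = "Error: $($_.Exception.Message)"
        }
    }

    # Servicing records, opt-in and block state. Absent keys leave the fields
    # null rather than failing the assessment.
    $svc = Get-ItemProperty -Path $ServicingKey  -ErrorAction SilentlyContinue
    $sb  = Get-ItemProperty -Path $SecureBootKey -ErrorAction SilentlyContinue
    if ($svc) {
        $r.UpdateStatus   = $svc.UEFICA2023Status
        $r.UpdateError    = $svc.UEFICA2023Error
        $r.EmergencyBlock = $svc.HighConfidenceOptOut
    }
    if ($sb) { $r.ManagedOptIn = $sb.MicrosoftUpdateManagedOptIn }

    # Classification: a device already carrying the 2023 CA is compliant even if
    # blocked; a block otherwise takes precedence over rollout enrollment.
    if     ($r.FirmwareMode -eq 'Legacy BIOS') { $r.Readiness = 'OutOfScope' }
    elseif ($r.SecureBoot -ne 'Enabled')       { $r.Readiness = 'SecureBootNotEnabled' }
    elseif ($r.CA2023InDb -eq $true)           { $r.Readiness = 'Compliant' }
    elseif ($r.EmergencyBlock -eq 1)           { $r.Readiness = 'Blocked' }
    elseif ($r.UpdateError)                    { $r.Readiness = 'UpdateFailed' }
    elseif ($r.ManagedOptIn)                   { $r.Readiness = 'PendingRollout' }
    else                                       { $r.Readiness = 'NeedsOptIn' }

    [pscustomobject]$r
}

Get-SecureBootReadiness | Format-List
```

Pipe the object to Export-Csv across a fleet to build the baseline described above; the Readiness field maps directly onto the dashboard categories (compliant, pending, needs opt-in, failed, blocked).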
Controlled Rollout with Managed Opt-In
The Secure Boot Managed Rollout Opt-In task enables devices to participate in Microsoft’s gradual deployment process.
This remediation task sets or clears the MicrosoftUpdateManagedOptIn registry control, ensures required subkeys exist using .NET registry methods, performs read-after-write verification, and returns auditable success or failure status.
Enabling opt-in does not immediately install the certificate. Microsoft controls deployment timing, and devices may receive the update over the course of days or weeks.
A recommended deployment model includes:
- Execute an initial fleet-wide assessment
- Identify non-compliant systems
- Select a representative pilot group
- Enable managed rollout
- Monitor deployment success and compatibility behavior
- Expand deployment in staged waves
This approach reduces disruption risk and allows hardware validation before broader adoption.
Emergency Update Blocking
Certain hardware models may exhibit firmware instability during UEFI database updates.
The Secure Boot Emergency Update Block task enables controlled mitigation by setting or clearing the HighConfidenceOptOut registry control, clearing pending update triggers, performing read-after-write validation, and preventing firmware write operations on affected systems. This capability provides critical operational safety during staged rollout.
Blocking takes precedence over managed rollout enrollment. Devices that are blocked will not receive certificate updates until explicitly unblocked.
All blocked systems must be reviewed and remediated before enforcement to ensure continued eligibility for future boot-chain security updates and to avoid long-term compatibility exposure.
Secure Boot Certificate Management Dashboard
Figure 1. Secure Boot Certificate Management dashboard
The Secure Boot Certificate Management dashboard provides centralized, real-time visibility into:
- Total Secure Boot-enabled endpoints
- CA 2023 compliance rate
- Devices pending update
- Devices requiring managed rollout opt-in
- Update failures
- Blocked endpoints
- Compliance trend analysis over time
- Actionable device-level detail including OS version, update status, error codes, opt-in state, and block state
All dashboard components are filter-driven, allowing targeted analysis by hostname, OS version, update status, opt-in state, and block state.
This visibility converts firmware trust posture into a measurable, continuously monitored operational metric.
A Managed Lifecycle
The 2026 Secure Boot enforcement requirement represents a structural shift in firmware trust expectations across every Windows fleet.
Organizations without centralized posture awareness may discover readiness gaps late in the transition cycle. In complex enterprise environments, delayed visibility often translates into compressed remediation windows, cross-team coordination challenges, and inconsistent firmware trust states across the fleet.
Those using Falcon for IT will already understand their fleet’s state and will have controlled rollout underway. With continuous assessment, staged automation, and centralized governance, enforcement becomes a predictable milestone within an actively managed firmware trust lifecycle.
Secure Boot certificate rotation is a defined requirement with a fixed enforcement horizon and a clear window for proactive governance. Now is the time to assess your fleet, validate hardware compatibility, and implement a controlled rollout strategy before enforcement milestones compress remediation timelines.
To see how this lifecycle is operationalized in practice, watch this short demo, which shows how Falcon for IT identifies readiness gaps, prioritizes action, and enables controlled Secure Boot certificate rotation across the enterprise.
From there, engage your CrowdStrike team to operationalize Secure Boot certificate lifecycle governance within Falcon for IT and activate the Windows Secure Boot Certificate Lifecycle Management content pack to ensure your enterprise is fully prepared before enforcement milestones arrive.
Additional Resources
- Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights.
- Check out the Falcon for IT product page.
- Watch this short video to learn more about Falcon for IT’s turnkey automation.
- Mar 31, 2026
- Date parsed from source: Mar 31, 2026
- First seen by Releasebot: Apr 13, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse
CrowdStrike adds a correlation-based detection for CVE-2026-20929 that spots Kerberos relay abuse against AD CS by linking anomalous certificate authentication with unusual service access in a short time window, helping customers detect this high-risk attack path.
Related Research and Context
CVE-2026-20929, a vulnerability with a CVSS of 7.5 that was patched in the January 2026 Patch Tuesday update, enables attackers to exploit Kerberos authentication relay through DNS CNAME record abuse. This blog focuses on detecting one particularly impactful attack vector: relaying authentication to Active Directory Certificate Services (AD CS) to enroll certificates for user accounts, as detailed in recent research.
CrowdStrike has developed a correlation-based detection that identifies this specific attack pattern by monitoring for anomalous certificate-based authentication combined with unusual AD CS service access within a short time window.
CVE-2026-20929 represents a sophisticated attack vector that exploits the interaction between DNS CNAME records and Kerberos Service Principal Name (SPN) resolution. While this vulnerability can be exploited against various services, this blog focuses on one particularly dangerous attack vector: relaying Kerberos authentication to AD CS servers to enroll certificates for user accounts, providing persistent access that can last months or years.
Understanding CVE-2026-20929 requires context from prior Kerberos relay research:
- Kerberos Relay Fundamentals: In 2021, a security researcher demonstrated that Kerberos authentication can be relayed if an attacker can control the SPN used by a client. This research explored multiple techniques for influencing SPN selection across various protocols, challenging the assumption that Kerberos was inherently relay-proof.
- DNS-Based Kerberos Relay: In 2022, a security researcher demonstrated practical Kerberos relay techniques using mitm6 to relay DNS authentication to AD CS endpoints. His work showed how DHCPv6 spoofing combined with DNS manipulation could enable Kerberos relay attacks and resulted in the krbrelayx tool.
- AD CS Attack Vectors: The SpecterOps research team's "Certified Pre-Owned" work documented AD CS exploitation techniques, including ESC8 (relay to AD CS HTTP endpoints), establishing the foundation for understanding certificate-based attacks in Active Directory.
Understanding ESC8: NTLM Relay to AD CS HTTP Endpoints
Before diving into the Kerberos variant, it's important to understand the foundational attack: ESC8, documented in the SpecterOps "Certified Pre-Owned" research.
ESC8 Attack Overview
AD CS provides a web-based enrollment interface (accessible via the /certsrv endpoint) that allows users and computers to request certificates through a browser. This "Certification Authority Web Enrollment" component accepts both NTLM and Kerberos authentication. The ESC8 attack exploits this interface through NTLM relay:
- The attacker coerces a victim (often a machine account or privileged user) to authenticate to an attacker-controlled server
- The attacker relays the NTLM authentication to the AD CS web enrollment endpoint (/certsrv)
- AD CS accepts the relayed authentication and issues a certificate in the victim's name
- The attacker uses the certificate for persistent authentication as the victim
CVE-2026-20929 (Kerberos-Based ESC8)
- Uses Kerberos relay instead of NTLM
- Exploits CNAME-based SPN manipulation to control which service ticket the client requests
- Enables relay even in environments that have disabled NTLM
- Targets the same AD CS web enrollment endpoint (/certsrv)
How Channel Binding Token (CBT) Protection Works
- A channel binding token is derived from the server's TLS certificate
- This token is cryptographically bound to the authentication
- The server verifies the authentication came through its specific TLS channel
- If an attacker relays authentication to a different server (with a different certificate), the channel binding won't match and authentication fails
Why AD CS Web Enrollment Is an Attractive Relay Target
AD CS web enrollment represents a particularly attractive target for Kerberos relay attacks for several reasons:
- Many organizations still deploy web enrollment over HTTP for internal use; this prevents CBT protection
- Certificates provide persistent authentication (typically valid for 1+ years)
- Certificates are often less monitored than password-based authentication
Vulnerability Technical Analysis
CVE-2026-20929 exploits how Kerberos handles Service Principal Names during the DNS resolution process that precedes authentication.
DNS Manipulation Mechanism
Before a client can authenticate to a service, it must resolve the service hostname to an IP address via DNS. Attackers can manipulate this resolution step by crafting DNS responses that contain both:
- A CNAME record redirecting the requested hostname to a different target
- An A record in the same response providing the IP address for that target
Attack Flow
- The victim tries to access a web server (web01.test.local)
- A DNS query is sent to resolve web01.test.local
- The attacker intercepts the request and responds with the CNAME CA01.test.local and the A record that points to the attacker-controlled IP address
- The victim accesses the attacker-controlled web server
- The malicious web server replies with a 401 and requests Kerberos authentication
- The victim requests a service ticket for HTTP/CA01.test.local from the DC
- The DC responds with the service ticket
- The victim sends the HTTP/CA01.test.local service ticket to the malicious server
- The attacker uses the service ticket (TGS) to authenticate to the AD CS server and enroll a certificate for the victim
Impact Details
This combined DNS response causes the client to automatically request a Kerberos service ticket for the attacker-specified hostname while connecting to the attacker-controlled IP address. The client is unaware that the SPN in its Kerberos ticket doesn't match the actual service it's connecting to.
CrowdStrike Detection Approach
Detection Strategy Overview
CrowdStrike's detection leverages the CrowdStrike Falcon® platform's unique identity protection capabilities, which provide deep visibility into authentication traffic across the enterprise. Unlike traditional security solutions that rely on endpoint or network logs alone, CrowdStrike Falcon® Next-Gen Identity Security performs real-time inspection of authentication protocols including Kerberos, NTLM, and LDAP traffic.
Falcon Next-Gen Identity Security provides comprehensive authentication traffic visibility through:
- Real-time protocol inspection: Deep inspection of Kerberos, NTLM, and LDAP authentication flows as they occur
- Built-in behavioral detections: Pre-configured detections that identify anomalous authentication patterns, including the two informational detections used in this correlation
- Raw traffic forwarding to Falcon Next-Gen SIEM (powered by Falcon LogScale): All authentication traffic is sent to Falcon Next-Gen SIEM, enabling security teams to create custom hunting queries and detection logic tailored to their environment
This multi-layered approach enables both automated detection through correlation logic and proactive threat hunting through raw authentication data analysis.
This detection uses behavioral correlation to identify the complete attack chain rather than relying on individual indicators. This approach provides high-confidence detection while minimizing false positives by focusing on the temporal relationship between authentication relay and certificate usage.
Individual Detection Components
Detection 1: Anomalous Certificate-Based Authentication
This detection identifies unusual patterns in certificate authentication, such as:
- A user authenticates with a certificate from an endpoint or IP address they have not used for certificate authentication before.
Detection 2: Unusual Service Access
This detection monitors for abnormal service access patterns, such as:
- A user unexpectedly requests a Kerberos service ticket for a target.
Correlation Logic
The alert triggers when both detections occur for the same user within a short time window and the service access targets an AD CS service:
Alert conditions:
- Anomalous certificate-based authentication detected
- Unusual service access to AD CS endpoint detected
- Both events involve the same user account
- Events occur within a short time window
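The alert conditions above, worked through as an added example that is not CrowdStrike's rule template: a PowerShell correlation run over constructed events. The field names (Time, EventType, User, SourceHost, TargetSpn), the event type labels and the AD CS host name are assumptions standing in for whatever the SIEM schema actually exposes; only the first pair of events should produce an alert.

```powershell
# Added example: correlate the two informational detections into one alert.
# Not CrowdStrike code; field names, event type labels and hosts are assumed.

$AdcsHosts = @('ca01.test.local')   # constructed: AD CS web enrollment server(s)

# Constructed sample events. Pair 1 matches the relay pattern (unexpected HTTP
# ticket for the CA host, then a certificate logon from a never-seen source,
# minutes apart). Pair 2 targets a file server, not AD CS. Pair 3 is AD CS but
# the certificate logon is hours later, outside the window.
$Events = @(
    [pscustomobject]@{ Time='2026-03-31T09:00:05Z'; EventType='UnusualServiceAccess';     User='TEST\alice'; SourceHost='10.0.0.50';       TargetSpn='HTTP/ca01.test.local' }
    [pscustomobject]@{ Time='2026-03-31T09:04:40Z'; EventType='AnomalousCertificateAuth'; User='TEST\alice'; SourceHost='10.0.0.50';       TargetSpn='krbtgt/TEST.LOCAL' }
    [pscustomobject]@{ Time='2026-03-31T11:00:00Z'; EventType='UnusualServiceAccess';     User='TEST\bob';   SourceHost='ws07.test.local'; TargetSpn='CIFS/fs01.test.local' }
    [pscustomobject]@{ Time='2026-03-31T11:02:00Z'; EventType='AnomalousCertificateAuth'; User='TEST\bob';   SourceHost='ws07.test.local'; TargetSpn='krbtgt/TEST.LOCAL' }
    [pscustomobject]@{ Time='2026-03-31T13:00:00Z'; EventType='UnusualServiceAccess';     User='TEST\carol'; SourceHost='ws12.test.local'; TargetSpn='HTTP/ca01.test.local' }
    [pscustomobject]@{ Time='2026-03-31T16:30:00Z'; EventType='AnomalousCertificateAuth'; User='TEST\carol'; SourceHost='ws12.test.local'; TargetSpn='krbtgt/TEST.LOCAL' }
)

# Extract the host part of an SPN such as 'HTTP/ca01.test.local:443'.
function Get-SpnHost([string]$Spn) {
    return ((($Spn -split '/')[1]) -split ':')[0]
}

function Find-KerberosRelayToAdcs {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $AdcsHosts,
        [int] $WindowMinutes = 15
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    $alerts = @()

    # Condition 3: both events must involve the same user account.
    foreach ($group in ($Events | Group-Object -Property User)) {
        # Condition 2: unusual service access whose SPN host is an AD CS server.
        $access = $group.Group | Where-Object {
            $_.EventType -eq 'UnusualServiceAccess' -and
            ((Get-SpnHost $_.TargetSpn) -in $AdcsHosts)
        }
        # Condition 1: anomalous certificate-based authentication.
        $certAuth = $group.Group | Where-Object { $_.EventType -eq 'AnomalousCertificateAuth' }

        foreach ($a in $access) {
            foreach ($c in $certAuth) {
                # Condition 4: short time window. Order is not enforced because the
                # rule only requires proximity, not a fixed sequence.
                $delta = [datetimeoffset]$c.Time - [datetimeoffset]$a.Time
                if ([math]::Abs($delta.TotalMinutes) -le $window.TotalMinutes) {
                    $alerts += [pscustomobject]@{
                        User              = $group.Name
                        AdcsTarget        = $a.TargetSpn
                        ServiceAccessTime = $a.Time
                        CertAuthTime      = $c.Time
                        CertAuthSource    = $c.SourceHost
                        MinutesApart      = [math]::Round([math]::Abs($delta.TotalMinutes), 1)
                    }
                }
            }
        }
    }
    return $alerts
}

# Expected: a single alert for TEST\alice against HTTP/ca01.test.local.
Find-KerberosRelayToAdcs -Events $Events -AdcsHosts $AdcsHosts | Format-Table -AutoSize
```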
To implement this detection capability, customers must manually enable the CRT through the Falcon Next-Gen SIEM platform by navigating to NGS → Monitor and investigate → Rules → Templates and searching for the relevant CRT: “CrowdStrike - Identity - Abnormal Certificate Authentication (CVE-2026-20929).”
Mitigation and Protection Strategies
The Falcon platform provides comprehensive protection capabilities that directly address these mitigation strategies.
CrowdStrike Falcon® Exposure Management delivers critical visibility for patch management initiatives, enabling organizations to rapidly identify vulnerable systems and prioritize remediation efforts based on actual risk exposure. This capability is essential for implementing the first mitigation strategy effectively, allowing critical patches like the CVE-2026-20929 fix to be deployed systematically across the enterprise.
Falcon Next-Gen Identity Security provides insights into Active Directory environment configurations, surfacing critical security risks that could enable Kerberos relay attacks. It continuously monitors and assesses AD security posture.
Beyond configuration assessment, Falcon Next-Gen Identity Security delivers account activity monitoring, including detailed Kerberos authentication tracking and behavioral analysis.
It provides multiple detections that can identify suspicious authentication patterns and potential relay attack attempts in real time.
Conclusion
CVE-2026-20929 represents a significant threat to organizations by enabling attackers to relay Kerberos authentication through DNS CNAME abuse. While this vulnerability can be exploited against multiple services, the AD CS relay vector is particularly dangerous as it enables attackers to obtain persistent access through certificate-based authentication, bypassing traditional password-based security controls. Understanding and detecting these attack patterns is crucial to maintaining security integrity in Active Directory environments.
The comprehensive Falcon platform provides multiple layers of protection:
- Real-time alerting when suspicious AD CS access patterns are detected
- Behavioral correlation detection through advanced analytics that identify the complete attack chain via Falcon Next-Gen SIEM
- Proactive threat hunting through CrowdStrike Falcon® Adversary OverWatch™
Additional Resources
- Be part of Fal.Con 2026 and connect with 10,000+ cybersecurity professionals shaping the future of the industry.
- Learn more about Falcon Next-Gen Identity Security and Falcon Next-Gen SIEM.