Special Breaking Analysis | CrowdStrike’s Agentic Pivot and George Kurtz’s Security AGI Vision

CrowdStrike used Fal.Con 2025 to harden its ongoing value proposition that security is a speed game. But the company also extended its messaging, emphasizing that platforms which orchestrate fleets of AI agents will set the bar for the future of security. In our view, George Kurtz’s keynote and theCUBE interview signal a goal to create a clean hand-off from “assistive AI” to an agentic operating model that aims at an autonomous SOC and, ultimately, an aspirational north star of “Security AGI.”

In this special Breaking Analysis we draw on George Kurtz’s keynote and our interview with him at Fal.Con 2025. Kurtz laid out a bold vision for cybersecurity’s next era, one defined not by human analysts chasing alerts but by fleets of intelligent agents operating at machine speed. The keynote and his subsequent conversation on theCUBE reinforced a central theme that CrowdStrike is an integrated security platform company with designs on full autonomy. In our opinion, this represents both the culmination of a decade-long transformation and a strong answer to critics who doubted the firm’s durability after the July 19, 2024 outage.

We believe the key message is that the security industry’s rules are being rewritten around time, data, intelligence and autonomy. Time-to-detect is now measured in seconds, not days. Data gravity is the moat that separates generic AI from domain-specific AI. And autonomy is the destination – first at the level of analyst assistance, eventually at the level of the holy grail of Security AGI. 

Security parallels the innovation curve

Kurtz opened his keynote by framing security’s trajectory alongside industrial revolutions, from steam to electricity to the digital era to AI. The premise is that every new technology wave creates fresh attack surfaces, and each needs a new security paradigm before it can scale safely. According to Kurtz:

“Security parallels the slope of the technology curve. As innovation advances, security has to evolve for that innovation to take hold.”

The historical markers – e.g. Windows 1.0, Netscape, the iPhone – were not just key products. Rather, Kurtz reminded the audience, security has always been reactive, bolted on after attackers expose weaknesses. What’s different in 2025, Kurtz argued, is the velocity of attack innovation. Malware that once took weeks to develop now mutates in seconds, often with the help of generative AI.

Why the SOC must be reimagined

The heart of Kurtz’s thesis is that the traditional SOC is obsolete. Analysts are overwhelmed by alert volumes, starved for context, and forced to fight “21st century wars with 20th century weapons.” The attack timeline has collapsed:

  • Yesterday: weeks or days to detect.
  • Recently: hours or minutes.
  • Today: seconds.

In Kurtz’s words:

“The SOC analyst is overloaded… the traditional SOC can’t keep up. We have to reimagine what the SOC is going to be.”

The answer is what he calls the agentic SOC: a new architecture where specialized AI agents don’t just assist analysts but reason, decide, and act across domains – endpoint, identity, cloud, SaaS, and beyond. Over time, the destination is an autonomous SOC analyst, governed by humans, but capable of end-to-end triage, investigation, and remediation at scale.

Charlotte and the rise of the agent workforce

Central to this vision is Charlotte, originally launched as an orchestrator but now repositioned as the “brain of the agentic SOC.” Kurtz announced the Agentic Security Workforce, seven new agents purpose-built for tasks like exposure prioritization, malware analysis, hunting, search, correlation, data transformation, and workflow generation.

“We’re delivering the first agentic SOC empowered by intelligence agents that don’t just assist but reason, decide, and act.”

According to Kurtz, these agents are not static assistants – they learn from workflows, create new automations, and increasingly mirror the reasoning patterns of human analysts. Importantly, customers can now build their own specialized agents via a new offering called AgentWorks, extending CrowdStrike’s platform into a customizable, agentic platform.

The strategy raises an obvious question, which we put to Kurtz: why CrowdStrike instead of Google or AWS agent builders? Kurtz’s answer is simple and lies in the data. The Falcon platform, he claims, is not just a control plane. Rather, it’s a data moat enriched over 14 years with trillions of telemetry events, annotated MDR data, frontline threat intelligence, and incident response findings. According to Kurtz:

“You can’t build these models without the correct data. We didn’t know GenAI was coming, but because we labeled all of this threat data, it’s perfect for training.”

What follows is our conceptual depiction of “why CrowdStrike’s agent builder” relative to other approaches that are not security-specific.

Security AGI: vision or reality?

Perhaps the most ambitious declaration was Kurtz’s introduction of Security AGI – a concept parallel to George Gilbert’s coining of enterprise AGI, but domain-specific to cybersecurity. His analogy to autonomous driving levels was instructive:

  • Level 0: No automation.
  • Level 1: Assistive alerts.
  • Level 2: Partial automation.
  • Level 3: Conditional autonomy (AI triages, humans supervise).
  • Level 4: High autonomy (AI executes responses, humans optional).
  • Level 5: Full autonomy (end-to-end detection, triage, response, reporting, 24×7).

Kurtz was careful not to over-promise:

“AGI may be three, five, ten years out. But our goal is to be the first to create Security AGI – self-operating, continuously learning, and beyond what a human can do.”

This is aspirational, but it establishes a roadmap customers can follow incrementally while CrowdStrike lays down the architecture and the framework.

The licensing innovation: Falcon Flex

Equally important, though perhaps less glamorous, is CrowdStrike’s licensing model. Flex, introduced in 2023, replaces consumption pricing with a commitment model that opens the entire product catalog. Kurtz underscored that this innovation is being widely copied – even down to the name. He told theCUBE:

“Over $3 billion in Falcon Flex total value contracts. Customers don’t have to wait for SKUs or new procurement cycles. They just pull it down.”

We believe Flex is as much a platform enabler as Charlotte is. By lowering procurement friction, it incentivizes customers to consolidate modules onto the Falcon platform. The caveat is adoption: our research indicates most customers are still not on Flex, and most have not operationalized Charlotte at scale. Until that changes, Flex and Charlotte remain strategic levers rather than universal practice.

The acquisitions: Onum and Pangea

Two recent tuck-ins illustrate Kurtz’s platform discipline. Onum, a data pipeline specialist, extends Falcon’s control over “the railroad tracks” of security data, enabling detections to be pushed to the edge while reducing costs of third-party IT data processing.

Pangea, meanwhile, secures AI agents at the prompt layer. Kurtz described it as essential:

“An AI agent is like giving an intern full access to your network—that’s scary. You need guardrails, visibility, compliance. No bank will deploy an agent without it.”

We see these moves as consistent with CrowdStrike’s “one platform” promise. As Kurtz put it:

“Customers don’t want four platforms. That’s just digital taxidermy—it looks alive, but it’s Frankenstein underneath.”

The platform story: post-outage to durable growth

This platform narrative matters most because it validates CrowdStrike’s comeback from the July 2024 outage. At the time, competitors, investors and customers questioned the company’s resilience. Today, Fal.Con 2025 shows a firm doubling down on integration, data leverage, and customer-centric licensing.

The metrics bear it out. Module adoption percentages continue to rise, Flex total contract values are above $3 billion, and 8,000 attendees filled the keynote hall at Fal.Con 2025. Customers may still hesitate to pay for Charlotte or commit to Flex, but we believe the trajectory is directionally encouraging. In April of this year, ETR survey data indicated that around 30% of customers were using Flex (N=90), with just over 10% leaning into Flex after the outage. These percentages have likely continued to increase over the summer. In our view, the outage served as a forcing function: it accelerated the platform story and compelled CrowdStrike to demonstrate resilience through product velocity and care.

Implications for customers and the industry

We believe enterprises should view CrowdStrike’s trajectory through three lenses:

  1. Autonomy adoption. Plot where you want to be on the autonomy ladder in 12–24 months. Use Charlotte agents for narrow use cases first (exposure, malware triage) and expand.
  2. Data advantage. Evaluate agent builders not by UI beauty, but by access to labeled, domain-specific data. That is where Falcon’s moat can create customer value in our view.
  3. Compliance and governance. Treat AI agents as identities with privileges, almost the way you’d treat employees. Insist on AI detection and response level guardrails before scaling agent deployments.

For the industry, CrowdStrike’s pivot – or perhaps we should call it a “line extension” – raises the stakes. Hyperscalers will push their agent frameworks, but CrowdStrike’s proprietary security increases the platform’s relevance. Legacy point products that cling to niches will become less relevant, and the gravitational pull of a platform with integrated data, licensing, and automation is compelling in our view.

Closing thoughts

In our opinion, Fal.Con 2025 was the clearest articulation yet of CrowdStrike’s platform transformation toward agentic AI and autonomy. Kurtz’s message was that the firm intends to win the race to Security AGI. Whether that milestone is three years away or ten, the North Star is set.

The reality check is adoption. Based on our discussions with customers at Fal.Con, Charlotte remains underutilized but interest is growing. Flex as well has significant upside. The near-term priority for CrowdStrike, in our view, is to turn bold keynote slides, statements and demos into measurable outcomes that meaningfully reduce security breaches and economic losses and result in a substantially better SOC analyst experience – i.e. fewer tickets per analyst, faster containment. If CrowdStrike can close today’s gaps, it will not only cement its post-outage rebound but also reset expectations for what a security platform can deliver in the AI era.

“Winning for us is making sure our customers are protected. If we are the first to deliver a fully autonomous SOC analyst, that’s the win.” – George Kurtz
