In late August, cybersecurity giant CrowdStrike announced that it agreed to acquire real-time telemetry pipeline management company Onum for $290 million. The company said the acquisition would transform the security operations center (SOC) for the agentic AI era by turbocharging real-time data and analysis into threat intelligence in “milliseconds.”
Today at CrowdStrike’s annual Fal.Con event in Las Vegas, the company is taking the wraps off two initiatives that aim to build on the Onum platform in hopes of helping enterprises create and maintain cutting-edge cybersecurity projects that employ agentic AI.
The first initiative is its Agentic Security Platform, a cluster of innovations the company says will speed security responses by expanding agentic capabilities across users’ assets. The second initiative is CrowdStrike’s Agentic Security Workforce, which aims to eliminate repetitive tasks for security analysts to free them up for more strategic pursuits.
Taking on an AI-powered threat landscape
CrowdStrike, like most big cybersecurity providers, is diving headfirst into agentic AI as an early adopter to jump on the rapidly advancing AI train and exploit the benefits of this disruptive and complex technology. But it is, perhaps more importantly, trying to counter threat actors who are also quickly embracing various forms of AI to achieve their malicious ends.
“We need to enable defenders to operate at scale and faster to be able to keep pace with these adversaries,” Adam Meyers, head of counter adversary operations at CrowdStrike, said during a press briefing. “A good example of this is Famous Chollima,” the group of North Korean threat actors who are getting remote IT jobs to generate revenue for the country’s ruling regime.
“We’ve seen them use generative AI in every step of the kill chain,” said Meyers, explaining that the group uses LLMs and generative AI to create LinkedIn profiles and resumes, uses deepfake technology to mask its members’ appearances during interviews, and uses generative AI to answer questions during those interviews.
Moreover, “once they get employed, they’re heavily relying on Copilot coding to be able to hold 50, 60, 80, 90 jobs at scale, which can generate millions and millions of dollars for the regime. And by using generative AI to help with their coding tasks, they’re able to do that at scale as well,” Meyers said.
CrowdStrike’s Agentic Security Platform
CrowdStrike developed its Agentic Security Platform precisely to help organizations keep pace with increasingly AI-equipped adversaries. “The increasing speed of the adversary, the increasing use of generative AI means from a defensive standpoint, we want to leverage these technologies as well to match and hopefully exceed the speed and efficiency of the adversaries,” CrowdStrike’s CTO Elia Zaitsev said during the briefing.
CrowdStrike entered the generative AI era last year with the release of its Charlotte AI chatbot, but now the company plans to head “into an even deeper layer of autonomy where we are really after what we call the agentic SOC,” Zaitsev said. “We want multiple agents working in an orchestrated ensemble fashion to progressively automate more and more aspects of what a human analyst does today.”
To get there, CrowdStrike will rely on what it calls its “enterprise graph,” which is not a new graph database in the traditional sense. Instead, it is what Zaitsev called “an amalgamation and an abstraction of all the other things that we built in our platform and have invested in over almost 15 years now.”
The enterprise graph relies on the Onum platform as its foundation layer, atop which is a data layer graph with a time-series contextualization of detection and response, asset data, risks, and intelligence. These layers feed into an utmost layer consisting of a semantic data model that enables human analysts and AI agents to take actions.
The real innovation is a common language, a ‘Rosetta Stone’
All the systems CrowdStrike has built into its enterprise graph look and work differently, with different schemas, different ways of naming and calling the same objects, different query faces, and different APIs, which can be a challenge for not only human interfaces but also AI agents.
The real innovation in CrowdStrike’s Agentic Security Platform, then, is that the top two levels of the enterprise graph “act as abstraction layers that hide all this complexity away from both human and agentic AI users,” Zaitsev said. “The semantic data model essentially gives you one common language, a Rosetta Stone that we can use to abstract away the differences between all these different security domains, all these different vendors, and proprietary schemas. And we do it essentially in plain, simple English.”
An example illustrates how this innovation operates. “One vendor like CrowdStrike might call something an IPv4 in a log event, and another vendor may call something an IP underscore four,” Zaitsev said. “As humans, we kind of intuitively know if you have a cybersecurity background, they’re talking about an IP address version four.”
But “protocol machines don’t typically work that way, though they need that mapping done for them. So not only have we done that mapping without disturbing the underlying data, but we’re also using plain, simple semantic meaning — concepts that any agentic system will understand out of the box without any specialized training or fine-tuning,” he said.
The semantic meanings are used as a data catalog of sorts for the global query and global command engine. “These are abstraction layers that both query these underlying systems and also allow response actions to be taken with them as well,” Zaitsev said.
He explained that “with the global query engine, a human analyst or a machine analyst will write a simple one-line query that uses those plain English language semantic data model concepts, and the engine will automatically identify which of these underlying data systems, and sometimes it may require multiple of these systems, are best suited or most optimized to answer that complex query. And then it will automatically translate it into all the underlying systems, schemas, API calls, and languages, bring all that information back, and then return that as one unified set of results.”
As part of the Agentic Security Platform, CrowdStrike will release an even more intensive AI version of its Charlotte platform called Agent Works, which is “a no-code platform for customers to be able to securely test, develop, orchestrate, and deploy their own agentic systems with their own custom data sets and enterprise- or organizational-specific knowledge baked into it,” Zaitsev said.
Agent Works can also develop agents through generative AI using natural language. “We’re actually at the point now where we have agents building out other agents,” Zaitsev said.
For customers who want to integrate the wide variety of other AI systems and applications in the marketplace with the Falcon platform, the Agentic Security Platform also offers the ability to integrate all the solutions through what CrowdStrike calls its operating center.
Finally, the Agentic Security Platform offers a dynamic user experience, through which “analysts as well as agent systems can dynamically customize and develop their own user experience, their own workflows on the fly, which can span multiple different modules, data sets, and repositories,” Zaitsev said.
Agentic Security Workforce
Meanwhile, CrowdStrike’s Agentic Security Workforce platform was developed to help security analysts who are overwhelmed by time-consuming tasks and in cases where traditional security measures cannot keep up with AI-powered threats.
This virtual workforce delivers automated mission-ready agents inside Falcon sensors, transcending “ask-and-respond” copilots. “One of the top concerns we’ve heard from CISOs is that their enterprises, their end-users, are rushing to adopt AI technologies,” Zaitsev said.
“CISOs are in a tough place,” he added. “They don’t want to stop that innovation. They don’t want to be a hindrance to organizational adoption, but they’re also terrified about data leaving the front door and going to all these third-party systems that they have no visibility over, no control over, et cetera.”
“So, a couple of months ago, we launched the capability through our data protection application to identify in the browser usage and the ability to detect and prevent usage of unapproved versus approved generative AI services,” he said. “We’re extending that capability now to go across the entire endpoint.”
For example, “we can detect that there are secrets or passwords or source code that are unintentionally left exposed,” Zaitsev said. “If a developer then tries to send that source code to an unapproved gen AI code assistant, we can identify and block that. But conversely, we can allow them to continue to use that with an approved enterprise coding assistant, where they would be allowed to send things like secrets because it’s controlled and audited.”
No Responses