The enterprise security model built over the past two decades rests on a foundational assumption: software is passive. It waits to be called, executes a defined task, and stops. Access controls, perimeter defenses, and application monitoring were all designed around that assumption. AI agents violate it.
Agents take action autonomously, run commands, access data, trigger downstream workflows, and pursue goals across extended sessions, often without a human in the loop and often in ways that look indistinguishable from legitimate user activity in standard security logs.
Existing security controls were not built for this behavior, and the gap between what those controls can see and what agents actually do is the central security problem of AI deployment at enterprise scale.
CrowdStrike used the RSA Conference 2026 to announce a set of capabilities that directly address the problem of securing agentic workflows, based on the premise that the enterprise endpoint is the correct control plane for AI security governance.
Announcement Details
CrowdStrike’s RSAC announcements cover four interconnected capability areas, all operating within the Falcon platform and relying on the same sensor telemetry that underpins CrowdStrike’s core endpoint detection and response business.
The new capabilities each address a distinct phase of the AI agent lifecycle, from discovery through runtime control to incident response.
Shadow AI Discovery
Shadow AI Discovery identifies AI applications and agents running across enterprise endpoints, including those deployed without authorization from the security team. This allows CrowdStrike to allow, monitor, or block specific AI applications at the endpoint level.
AI Detection and Response (AIDR)
AIDR operates at the prompt layer, intercepting queries flowing to language models and providing enterprises with visibility and enforcement capabilities over what reaches the model.
The key distinction from prior approaches is its detection method. AIDR uses a language model for detection rather than relying on signature-based rules. This matters because prompt injection attacks evolve faster than static rule sets can be updated.
Capabilities include:
- Prompt interception and classification: AIDR categorizes query content and allows organizations to define policies that permit, block, or flag specific categories before they reach the model.
- Prompt injection defense: AIDR detects attempts to manipulate AI systems via malicious input, applicable to both internal enterprise deployments and developer-built agents and services exposed to external users.
- Microsoft Copilot Studio integration: AIDR extends coverage to Microsoft Copilot Studio environments, reflecting an active and expanding relationship between CrowdStrike and Microsoft.
- Tokenomics governance: Organizations are beginning to engage with CrowdStrike to manage token consumption, track which users and agents are consuming tokens, and identify potential abuse. AIDR provides visibility into these usage patterns at the enterprise level.
Charlotte AI AgentWorks
Charlotte AI AgentWorks opens the Falcon platform as a development environment for security agents built on external frontier models. Enterprises and partners can build custom security agents on Falcon using models from Anthropic, OpenAI, Google, and other providers, with Falcon providing the underlying telemetry, identity context, and enforcement layer.
The ecosystem partners include Accenture, Anthropic, AWS, Deloitte, Kroll, NVIDIA, OpenAI, Salesforce, Telefónica Tech, and IBM. The latter has integrated Charlotte AI with its Autonomous Threat Operations Machine to enable coordinated machine-speed investigation and response.
The platform is designed as a no-code agent development environment, lowering the implementation barrier for security operations teams.
Falcon Next-Gen SIEM
CrowdStrike extended Falcon Next-Gen SIEM to ingest Microsoft Defender for Endpoint telemetry without requiring a Falcon sensor, a capability designed to reduce adoption friction in Microsoft-centric environments. Organizations can use Falcon Next-Gen SIEM as their security operations platform using Defender telemetry alone, without committing to a full endpoint stack migration.
Additional SIEM enhancements include native Falcon Onum integration, which CrowdStrike says delivers five times faster data streaming, 50 percent lower storage costs, and 70 percent faster incident response through intelligent in-pipeline filtering and real-time detection.
A query translation agent converts legacy SIEM queries, such as Splunk searches, into CrowdStrike Query Language.
Analysis
CrowdStrike’s RSAC announcements address problems that lack adequate solutions in most current enterprise security stacks. The agent security problem requires new telemetry, new detection logic, and new policy frameworks. Security teams that have already standardized on Falcon have a clear upgrade path.
Competitive Landscape
The most credible alternatives to CrowdStrike’s approach come from Palo Alto Networks and Microsoft.
The competitive dynamics generally break down as follows:
- Palo Alto Networks: The most complete platform alternative to CrowdStrike for AI agent security. Prisma AIRS 3.0 is strong in cloud-native environments and adds agentic identity capabilities that address gaps in traditional approaches. Palo Alto’s differentiation is strongest among organizations already standardized on Prisma Cloud. Its endpoint footprint is narrower than CrowdStrike’s, limiting the telemetry depth available for agent behavioral analysis.
- Microsoft: The combination of Microsoft Sentinel, Security Copilot, and Defender for Endpoint forms a credible AI security architecture for organizations already on the Microsoft stack. CrowdStrike’s announcement that Falcon Next-Gen SIEM now ingests Defender telemetry without a sensor is a direct competitive move, allowing CrowdStrike to serve Microsoft-centric environments without requiring customers to displace Defender. The approach lowers the barrier to adoption while preserving CrowdStrike’s position as the analytics and detection layer.
- SentinelOne, Elastic, and others: Second-tier endpoint vendors face the widest capability gap. None have announced AI agent security capabilities matching the breadth of CrowdStrike’s RSAC portfolio. These vendors retain strong positions in price-sensitive segments and the mid-market, but the AI security capability gap is widening.
- Startups: HiddenLayer, Protect AI, and similar firms focus narrowly on machine learning model security, a technically deep but functionally limited scope relative to the full agent security problem. These vendors are more likely to be acquisition targets than standalone competitors at enterprise scale.
Final Thoughts
CrowdStrike’s announcements are coherent and strategically well-timed. The threat data is real, the capability gaps in existing security stacks are real, and the product portfolio CrowdStrike has assembled addresses those gaps across the full agent lifecycle, from discovery to runtime control to incident response.
At the same time, agentic security is still in its early days, with most enterprises still in the discovery phase of understanding what AI is running in their environments, let alone how to govern it. CrowdStrike’s endpoint-centric architecture is well-suited to the current landscape, but agent architectures will evolve toward more distributed, serverless, and cloud-native patterns, where endpoint telemetry is less complete.
Overall, CrowdStrike offers the strongest combination of endpoint telemetry, access to frontier models, and breadth of AI security products in the market.
