CrowdStrike unveils agentic AI for SOCs at Fal.Con 2025 with Falcon data layer and collaborative agents

CrowdStrike unveils an agentic SOC, unifying data, AI agents, and analysts for faster, governed response. New platform and workforce target repetitive tasks and cut handoffs.

Categorized in: AI News Operations
Published on: Sep 17, 2025

CrowdStrike introduces agentic SOC: a practical shift for operations leaders

CrowdStrike opened Fal.Con 2025 in Las Vegas with two launches aimed at AI-era security operations: the Agentic Security Platform and the Agentic Security Workforce. Chief Executive George Kurtz framed the change plainly: "The old model can't keep up. The legacy SOC can't compete." The direction is clear: move to an agentic SOC where human analysts and AI agents work in one governed system.

What's in the Agentic Security Platform

The platform adds an AI-ready data layer to Falcon to deal with a core bottleneck: legacy architectures weren't built for AI-driven operations. Data, intelligence, agents, and governance live in one environment so decisions can move at task speed, not ticket speed.

At the center is an Enterprise Graph that unifies telemetry across the enterprise into a living, connected model. It uses a single, AI-optimized query language so every signal can trigger action, whether by an analyst or an autonomous agent, without handoffs or translation.

Charlotte AI AgentWorks brings a no-code way to build, test, deploy, and orchestrate security agents at scale. Teams can set the mission, define the data, and control behavior without writing code, which broadens who can contribute to automation safely.

An operating center connects agents through the Model Context Protocol (MCP) and applies Falcon-grade governance for safe collaboration. A persona-aware design provides natural language queries and role-specific workspaces to reduce friction for analysts and responders.

What's in the Agentic Security Workforce

CrowdStrike is also offering a fleet of AI agents trained on millions of expert SOC decisions with built-in reasoning and guardrails. The target: repetitive, time-consuming tasks that keep teams from focusing on high-value investigation, response, and threat hunting.

Agentic Response Collaboration lets Charlotte AI agents securely interoperate with trusted third-party agents and automate Falcon-native workflows. The result: fewer manual loops, consistent governance, and a path where analysts and agents operate side by side.

Why operations leaders should care

  • Response speed: Unifying data and actions under one query layer cuts dwell time and handoffs.
  • Workflow clarity: No-code agent missions reduce backlog without creating shadow automation.
  • Governance first: Falcon-grade controls and MCP-based interop help keep automation auditable.
  • Scale with guardrails: Agents trained on expert decisions embed consistency into daily ops.
  • Talent leverage: Free analysts from repetitive closure work; focus them on triage, containment, and recovery.

Key questions to ask your team and your vendor

  • Data: What telemetry feeds the Enterprise Graph? How are retention, lineage, and quality validated?
  • Query layer: Can the single query language map to our existing SIEM/SOAR queries without loss?
  • Integrations: How does it connect with ITSM, EDR, identity, cloud, and ticketing systems we use today?
  • Access control: How are agent permissions scoped (data, actions, environments)? What's the approval model?
  • Audit: Do we get full trails for agent decisions, prompts, inputs, outputs, and overrides?
  • Reliability: What are fail-safes if an agent stalls or a dependency is unavailable? Who gets paged?
  • Cost: How is usage metered (agents, actions, data scans)? What are the tradeoffs for storing more telemetry?
  • Deployment: Cloud, on-prem, or hybrid? Any data residency or sovereignty limitations?
  • Portability: If we adopt MCP, how easily can we bring in or swap third-party agents later?

Practical next steps

  • Run a 90-day pilot: Pick 3-5 high-volume tasks (alert triage, enrichment, phishing, user lockouts, containment steps).
  • Set clear KPIs: Track mean time to detect (MTTD), mean time to respond (MTTR), alert closure rate, false positive rate, and the human-to-agent task ratio.
  • Codify runbooks: Convert proven procedures into agent missions with explicit guardrails and escalation paths.
  • Define governance: Create an agent policy for approvals, identity, data access, logging, rollback, and red-teaming.
  • Upskill: Train analysts on natural language querying, agent behavior controls, and exception handling.
  • Stage integrations: Start with Falcon-native workflows, then add third-party agents via MCP once baseline stability is met.
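The access-control, audit and reliability questions above, and the "define governance" step in this list, are easier to evaluate against a concrete shape. The following is an added example, not CrowdStrike's code and not the Falcon or Charlotte AI API, of a minimal gate that every agent action passes through: a per-agent scope over actions and environments, a human-approval requirement for high-impact actions such as host containment, a hash-chained audit trail of prompt, reasoning, decision and approver, and a fail-safe path when a dependency is unavailable. The agent names, action names, analyst identity, alert ID and the sample requests are constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class AgentScope:
    """Least privilege for one agent: actions, environments, and which actions need a human."""
    name: str
    allowed_actions: frozenset
    allowed_environments: frozenset
    requires_approval: frozenset = frozenset()


@dataclass
class AuditLog:
    """Append-only trail; each entry carries the SHA-256 of the previous one so edits show up."""
    entries: list = field(default_factory=list)

    def record(self, **entry):
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        entry["prev"] = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ActionGate:
    """Every agent action goes through request(); nothing runs without a logged decision."""

    def __init__(self, scopes, executors, audit):
        self.scopes = {s.name: s for s in scopes}
        self.executors = executors   # action name -> callable(target) -> result string
        self.audit = audit
        self.approvals = set()       # (agent, action, target) approved by a named human

    def approve(self, approver, agent, action, target):
        self.approvals.add((agent, action, target))
        self.audit.record(event="approval", approver=approver, agent=agent, action=action, target=target)

    def request(self, agent, action, target, environment, prompt, reasoning):
        scope = self.scopes.get(agent)
        decision, detail, result = "deny", "", None
        if scope is None:
            detail = "unknown agent identity"
        elif action not in scope.allowed_actions:
            detail = f"action {action!r} outside agent scope"
        elif environment not in scope.allowed_environments:
            detail = f"environment {environment!r} outside agent scope"
        elif action in scope.requires_approval and (agent, action, target) not in self.approvals:
            decision, detail = "pending", "human approval required"
        else:
            try:
                decision, result = "allow", self.executors[action](target)
            except Exception as exc:
                # Fail-safe: an unavailable dependency becomes a logged error, never a silent skip.
                decision, detail = "error", f"{type(exc).__name__}: {exc}"
        self.audit.record(event="request", agent=agent, action=action, target=target, environment=environment,
                          prompt=prompt, reasoning=reasoning, decision=decision, detail=detail, result=result)
        return decision


def identity_lookup(_target):
    raise ConnectionError("identity provider unreachable")   # constructed dependency failure


def run_demo():
    """Constructed scenario: six agent requests plus one human approval (hypothetical names)."""
    audit = AuditLog()
    gate = ActionGate(
        scopes=[AgentScope("triage-agent", frozenset({"enrich_indicator"}), frozenset({"prod"})),
                AgentScope("response-agent", frozenset({"enrich_indicator", "contain_host", "lookup_user"}),
                           frozenset({"prod"}), requires_approval=frozenset({"contain_host"}))],
        executors={"enrich_indicator": lambda t: f"enriched {t}",
                   "contain_host": lambda t: f"network-contained {t}",
                   "lookup_user": identity_lookup},
        audit=audit)
    ctx = dict(prompt="Triage ALERT-1042 (constructed)", reasoning="indicator matched known C2")
    decisions = [gate.request("triage-agent", "enrich_indicator", "198.51.100.7", "prod", **ctx),  # allow
                 gate.request("triage-agent", "contain_host", "HOST-7", "prod", **ctx),            # deny: not in scope
                 gate.request("response-agent", "contain_host", "HOST-7", "prod", **ctx)]          # pending: needs approval
    gate.approve("analyst.jdoe", "response-agent", "contain_host", "HOST-7")
    decisions += [gate.request("response-agent", "contain_host", "HOST-7", "prod", **ctx),         # allow after approval
                  gate.request("response-agent", "contain_host", "HOST-7", "dev", **ctx),          # deny: wrong environment
                  gate.request("response-agent", "lookup_user", "jdoe", "prod", **ctx)]            # error: dependency down
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = run_demo()
    print(decisions, "audit chain intact:", audit.verify())
```

Run it directly to see the six decisions. The gate is transport-agnostic: it sits in front of the tool call whether the agent arrives through MCP or a Falcon-native workflow, and the audit entries (prompt, reasoning, decision, detail, and who approved) are the concrete answer to the "Audit" question above. The approval key is deliberately (agent, action, target), so an approval for containing one host does not carry over to another host or to a different environment.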

Standards and interoperability

Inter-agent communication hinges on common protocols. If you plan to connect multiple vendors' agents, assess Model Context Protocol support and how it's implemented across your stack.

Skill up your operations team

If you're moving to agent-led workflows, invest in practical training on prompts, guardrails, and SOC automation patterns so the team adopts the tooling faster and more safely.

Bottom line

The agentic SOC is moving from concept to execution. If your operations teams are stuck clearing repetitive work while threats move faster, this approach of unifying data, agents, and governance offers a concrete path to better response times and more predictable outcomes.