>> Hello and welcome back to our coverage here at theCUBE. We are in beautiful downtown San Francisco at the Moscone Center at the RSA Conference, the place to be for all things enterprise security today. And I'm joined by my colleague, Dave Vellante and David Linthicum, who's actually not sitting here at this table today. And we are excited to have as our guest, Elia Zaitsev, the CTO of CrowdStrike. Welcome. It's great to have you.
Elia Zaitsev
>> Thank you for having me back again.
Shelly Kramer
>> Absolutely. Absolutely. So we were at your Falcon event last fall, and the big news coming out of that was Charlotte and your Raptor upgrade. And I know that you've got some exciting news coming out of this event. Lead us off, tell us what you're most excited about.
Elia Zaitsev
>> Yeah. Well, you kind of set the stage for me there. So Raptor was our big push to bring in the log scale technology into the Falcon platform for all of our customers. We had just started that migration process at Falcon, and I'm really excited because we've concluded it. We've brought all of our customers now onto that Raptor platform upgrade, and that in turn has set the stage for the big announcement that we had for this week, which was our Next-Gen SIEM offering with a whole lot of Charlotte AI magic added on top of that. So with that log scale technology now firmly rooted in place, we can open up the system and now customers can take all their third party data sets, telemetry, alerts, and bring that into the CrowdStrike platform with all of their endpoint identity cloud data protection information all in one place. So we're really excited about that.
Shelly Kramer
>> Yeah, it sounds like a theme that we keep running into in every conversation with every vendor at every event and otherwise, is a customer demand and desire for simplicity. And it sounds like this is a move that does that, consolidating everything, putting it all kind of in one place. Is that kind of the goal there?
Elia Zaitsev
>> Yeah, absolutely. And we're seeing it for a variety of reasons. One, we're just seeing this next wave of consolidation in security. I mean, I think we kind of kicked it off 10 years ago with the endpoint wars, if you will. I think we won that one pretty handily, getting rid of legacy AV and a lot of the other point solutions on the endpoint. But now we're seeing increasingly customers are looking for broader consolidation beyond just the endpoint, really bringing in all of their security telemetry into a single platform. They're doing it for a bunch of reasons. They're doing it for reduced complexity, increased speed, velocity, and cost savings as well. I mean, we're not in a 0% interest rate world anymore, right? Those dollars and cents really matter now because they want to make sure they're getting the most value out of what they're using.
>> So you guys are having some success there, I know. But broadly, the macro in the cybersecurity business, most customers are still adding new tools and new vendors at the broad level. Do you not see that?
Elia Zaitsev
>> We're kind of seeing the opposite there. Our customers are coming to us and asking us, "Help us streamline. Help us consolidate." We've got too many noise machines right now, and we're not sure what value we're getting out of it. You get to a point, this kind of critical mass, this tipping point where the overhead of managing all these tools, of having to make sense of it all, bringing all the information in one place and jumping back and forth between multiple consoles, multiple platforms, managing multiple agents, it's having diminishing effects at this point. So they want to regain that speed advantage that they really need because we're seeing adversaries getting so much quicker.
>> I mean, I get the value prop and I believe when I talk to your customers that that's what they're doing. So I guess this means there's way more upside because our survey data, and Shelly you know this, it shows that only less than 10% of the customers are actually able to reduce the number of vendors in their stack. It's like half are increasing and the rest are staying the same. So that says to me, because I know you're having success there, so that says to me there's a big market ahead for you guys.
Elia Zaitsev
>> It's a massive market opportunity, not just on the consolidation front, but frankly customers just are getting fed up with their legacy SIEM technology. SIEM is now 20 years old, and we had this kind of fantasy idea that, "Hey, if we take all these data sets from different products and put it in one place, somehow that was going to lead to better outcomes," right? The one plus one equals three fallacy. It never really happened. And if anything, the SIEM started getting so slow and so expensive, the customers had to start making really hard decisions and decide, "Which information do I want to bring in? I can't bring it all in." And now you're defeating the whole purpose of getting all the data in one place to make it simpler. You're now bringing fragments of the data, so you're still hopping around to all these different tools and systems to try to find out what exactly was going on. So the SIEM promise just never really lived up to the hype, and I think we've got a real opportunity to not just make it faster, not just make it cheaper, but actually bring better outcomes, really transform the user experience. And at the end of the day, for us, for me, Next-Gen SIEM is the product, but the vision we're after is really a wholesale modernization of the SOC, really bringing AI native capabilities into the SOC to not just get all the data in one place, but lead to better outcomes, stop the breach more effectively.
>> So before we get into that, I want to touch on the SOC analyst experience, but what's different? I mean, I had a CISO tell me a couple years ago actually. He said, "I would get rid of my old SIEM if I could, but I can't because of audit compliance and so forth." So what's different between Next-Gen SIEM that you're announcing and old Gen SIEM?
Elia Zaitsev
>> Sure. Well, one, you still have to do all those basic use cases to make sure you can replace the old legacy technology.
>> Right.
Elia Zaitsev
>> But we're looking at it from a couple different areas. So if you think about it sequentially, we want to start with making it really easy to get the data in. So we have a huge ecosystem. We've announced hundreds of partners. And ISVs are now working with us on out of the box connectors, cloud to cloud. You just turn it on, put your credentials in. The data's already there. And really crucially for our customers, your CrowdStrike data is already there. We're hearing from customers that endpoint data, and then you add in on top of that identity and cloud, that's like 85 plus percent of the information that our customers are using to triage and investigate these alerts. Historically, they would take all that information and send it out somewhere else just so they could get the last 15%. We're making it super easy and say, "Hey, we've got 85%. Give us the last 15." That's a pretty simple math problem, right?
>> Go that route.
Elia Zaitsev
>> Oh, and we're doing it faster and cheaper at the same time. So that's step one. Making that data usable at scale is huge, right? We talked about the speed and performance improvements. If I can get all my information in one place, but it takes me several hours to run a query going back a few months and maybe it crashes and runs out of memory, it's not really benefiting me. You've got to actually make the data available and accessible. But even going further than that, doubling down on that user experience side, if you look at the traditional kind of SIEM workflow, you've got an analyst, they're learning a query language, they're writing some search, they're waiting a half hour if it doesn't crash, they're getting some information and then they've got a follow-up question. "Well, now I've got to do what? Export all that data into a spreadsheet and then do another search and then marry it up? That's insane."
If you look at what we're doing with Incident Workbench, we're really transforming the user experience and we're moving SIEM away from being alert-driven. That's what SIEMs are today. "Here's a bunch of alerts from a bunch of different products."
Shelly Kramer
>> "Here's some ."
Elia Zaitsev
>> That's not what security teams are actually dealing with. They're dealing with incidents. They don't care about an alert. They care about an incident, detecting and identifying an incident and responding to it before it becomes a breach. So we are meeting the community where they're fighting the battle. We are giving them incidents. We are giving them not just all the raw data, but we're providing an intuitive visual graph-based interface to see and explore all that information, both again, the CrowdStrike ecosystem, but these hundreds of technology partners we're working with. Then on top of that, you add all the AI assistance techniques. So we just announced something called Investigate with Charlotte AI. It's a new Charlotte capability that allows an analyst to not only use Charlotte to explain to them, "What does this incident mean? What are the most important relevant points that I should care about? What are the key users, hosts, systems that are impacted?" They don't have to now read through hundreds of alerts. The AI technology's doing that for them. And it's also helping them with their investigation. It's crawling all of our graph systems, all of our backend data stores, and it's suggesting to them, "Hey, there are additional users, hosts, alerts that you didn't realize initially was part of this incident. We're doing that triage work for you, packaging it all up." And then finally, we run that all through our Fusion SOAR platform, which is built into the Next-Gen SIEM offering to not just respond, but respond automatically and at scale, again, both with CrowdStrike Technologies then also all the third-party integrations that we've brought into the platform as well.
Shelly Kramer
>> So that has to have some huge implications from a productivity standpoint and a time-savings management for the teams involved.
Elia Zaitsev
>> It's massive.
Shelly Kramer
>> Right. Yeah.
Elia Zaitsev
>> The data we've got shows that we are running 150 times quicker on search, and we're costing 80% less. So it's-
Shelly Kramer
>> Okay, well, what's not to like about that.
Elia Zaitsev
>> I mean, how often do you get something that's faster, cheaper, and better?
Shelly Kramer
>> Yeah.
Elia Zaitsev
>> That's very exciting.
>> Talk about a couple things I wanted to ask you about. One is Falcon for IT, all right? How's that going? What's the uptake look like? I was excited when I first saw it. I'm thinking, "Oh, this is going to solve some problems."
Elia Zaitsev
>> It's going fantastic. I think it's going to be... Well, I shouldn't talk about financials. My CFO will get mad at me.
>> No, you should not.
Elia Zaitsev
>> But I think it's going to be one of the fastest growing product launches we've had in a very long time. And actually, it does tie back into our vision of this modernized AI supercharged SOC, this transformation, because one of the gaps we have right now is when the security team identifies that there is an issue and they need to take steps to solve it, to remediate it, in many cases, they're basically creating a ticket, throwing it over the wall for the IT team to then go resolve. All you're doing there though is you're taking the IT team that, just like security, is struggling with all these separate tools, they're having performance issues, they're having cost issues, and you're just squeezing the balloon, right? You're taking the problem out of security and you're pushing it over to IT. So Falcon for IT, not only are we giving them similar types of enhanced, simplified, faster, cheaper technology platforms, but it's the same platform that their security teams are using. So they can unify their response, standardize it on the same platform. So bringing security with IT together, we think is a really big part of this SOC modernization effort. Really solving the problem holistically once and for all. And the reception from our customers has been phenomenal. The uptake is just massive.
>> Yeah, I'm not surprised. I thought it would be. When you think about the SOC analyst experience, how should we think about that evolving? We had Ali Mellon last year. She's one of the few analysts I think that really has done hardcore research on this.
Elia Zaitsev
>> Big fan of Ali. She totally gets it, especially in the XDR space. And she and I were just talking last year, I believe, at the same Falcon conference. We talked about this shift, this migration away from that alert-driven mentality to that incident-based paradigm.
>> So what does that look like? What role does Charlotte play in that experience and what does it mean for the life of a SOC analyst?
Elia Zaitsev
>> Yeah, so I think we talked about this a little bit when we launched Charlotte, Dave. Some people both in the analyst or press community, but also some SOC analysts, they're freaking out thinking, "Oh no, the machines are going to come and take my job." I don't see that happening. I don't see AI replacing humans. I see AI augmenting humans on the defensive side, which by the way is the same thing we're seeing attackers do, right? They're leveraging AI to get faster. So the humans need to leverage AI to get faster.
>> Right.
Elia Zaitsev
>> So with Charlotte, a bunch of new innovations that we brought in, we've added prompt books to Charlotte now. So basically pre-built sequences of instructions where you can just put in an input, like a vulnerability that you're interested in, and then automatically run through multiple steps of a play with Charlotte to speed up and automate these workflows for you that span across multiple products. We've integrated additional product capability into Charlotte. So now all of our unified detections are supported by Charlotte, whether it's endpoint, cloud, identity, all that is connected now. We've hooked up the log scale technology, so we can now do natural language querying. So you can just tell it, even if you don't know our data model, "Hey Charlotte, I'm looking for this kind of information." It'll write that log scale query for you. That's a huge analyst saver. We do it for Falcon for IT as well by the way.
>> Oh, okay.
Elia Zaitsev
>> We can write the Falcon for IT queries for you. That's a big time saver. And we've been going further than that. The chat interface, this explosion of conversational AI has been really big over the last year, but it's not always the right way to implement some of these new generative technologies. If I'm looking, for example, in our Next-Gen SIEM product, if I'm looking at a command line, an obfuscated command line, it's encoded. I don't know what it's doing. That's a lot of effort today for an analyst to translate it, go look up all the functions and what it does. They can ask Charlotte if they're having a conversation with Charlotte, "Now, tell me about this command line. What does it mean?" But we're going even further now, and we're taking those generative AI capabilities and we're diffusing it throughout the platform. So if I'm not in Charlotte, if I'm in Next-Gen SIEM and I'm looking at a command line, I can just click a button right then and there and say, "Hey, Charlotte, explain what this command line means." It'll decode it. It'll translate it, and it'll answer questions for you. "What does it do? Is it calling out to a server? Is it downloading files?" So again, you can think about it as Charlotte as this guardian angel over your shoulder, assisting you as you go, making you significantly more productive.
Shelly Kramer
>> I think it's a perfect use case example of AI-powered solutions. And so many times the concern is AI's going to take all our jobs and blah, blah, blah. But the reality of it is the perfect use case is working together. And that's an example of that.
Elia Zaitsev
>> Yeah. Well, there's a huge skill shortage in security. AI isn't going to get rid of all those people. It's going to help solve the skill shortage by making those people much more productive.
Shelly Kramer
>> Absolutely.
Elia Zaitsev
>> It's going to let you take those junior analysts who are new to security and get them up and running much quicker. All of our documentation is now accessible by Charlotte, for example. So you have basic questions, "How do I do this? How do I do that?" It can tell you, "We can do it for you." And then of course, you take your experienced analysts and it's just making them that much quicker. Or somebody who's never used the CrowdStrike platform before but is a security professional, they know the kinds of things we can do, but maybe not the exact button clicks. So Charlotte can just automate all that for you with a conversation.
>> Charlotte, correct me if I'm wrong, it's not a CrowdStrike LLM? Or is it? Did you build your own LLM to do Charlotte?
Elia Zaitsev
>> So Charlotte is a multi-model or a multi-agent system, right? So we've got multiple different actors or agents that perform separate functions. Some of them are fine-tuned models that we've developed and run ourselves. Others are powerful frontier models, as we call them. For example, we've talked this week about how we're using, built on top of Amazon's Bedrock offering, the Anthropic Claude system.
>> Claude, yeah. Mm-hmm.
Elia Zaitsev
>> What we're finding is that LLMs, like most technologies, have strengths and weaknesses. Those really big foundational models like a ChatGPT, like a Claude, they're really good at general instruction following, right? I'm asking you anything under the sun and it's got a pretty good idea of what you want to do. What they're not so good at are really specific tasks that they haven't been exposed to before. Security often falls into a lot of those categories. So what we do is we leverage those big foundational models to be that natural language front door for the analyst because they could ask about anything under the sun. But then we identify which of these task-specific agents that we've trained and fine-tuned are required to answer that use case because then we could tune it for just that one function and we can take multiple agents each focusing on one specific function. Not only do you get more effective results, it's faster and cheaper because the models are smaller, and in many cases they hallucinate less because they don't have extraneous information to accidentally reference that's unrelated to the task at hand. So the right solution, in our opinion, the way we designed Charlotte is that multi-model or multi-agent architecture.
>> And Bedrock is your kind of LLM garden. We should think about that. Or is that not necessarily the case?
Elia Zaitsev
>> Not entirely. So Bedrock, we use it for, again, some of those really large foundational models that are hosted for us. For example, a Claude from Anthropic. But then we use the SageMaker offering from AWS to host the LLMs that we've created internally.
>> And that's in Bedrock, right? So I think they've moved that into Bedrock. But SageMaker can be very painful to do, but you guys are smart, you can deal with it.
Elia Zaitsev
>> We've got a couple of data scientists who do a thing or two.
Shelly Kramer
>> They're going to be okay.
>> Okay. So you announced-
Elia Zaitsev
>> We're doing just fine.
>> You showed Charlotte first at Black Hat, which was a pretty awesome demo. And then you did the mega demo last year at Falcon, which was amazing. And then you priced it. You announced pricing at Falcon last year. And now you're in the field. I think what are you charging? Like $30 an endpoint or something in a year, right?
Elia Zaitsev
>> 20.
>> Less price. 20, yeah, that's right. So that's pretty attractive. It's not per month.
Elia Zaitsev
>> It's per year.
>> It's per year. So that was kind of cool to see. So that's in the field gaining traction now.
Elia Zaitsev
>> And customers, by the way, they're loving that predictability and understanding of what it costs and what they actually need to buy. And we're seeing other models that are based on compute units and, "How many compute units do I need? Do I spin them up? Do I spin them down?" The procurement teams are really struggling with understanding what they're actually buying and how much they need. It's very simple and straightforward. Just give us the number of people, the number of systems, we multiply it, here's the number.
>> It's like mobile gigabytes.
Shelly Kramer
>> That's nice.
>> But there's a lot of endpoints out there, so I'm sure the procurement people are watching that too.
Shelly Kramer
>> I want to ask one last question because I think we're kind of getting to time here. But you announced the findings of your global threat report. I looked at them briefly. I mean, some of these things were no surprises, dramatic increase in attack velocity. Of course, stealthiest spikes, attack spike of course.
Elia Zaitsev
>> Stop me if you've heard this one before, right?
Shelly Kramer
>> We've heard this often. What I'm interested in though is what findings came out of this report that surprised you?
Elia Zaitsev
>> I don't know if it surprised me, the element, but the magnitude is what surprised me. So two big things stuck out. One is the dramatic increase in adversaries targeting the cloud. We call it cloud-conscious adversaries. And the other one was the huge increase in legitimate credentials, compromised stolen credentials being used to initiate a lot of these attacks, and the combination of the two, identity-based attacks against cloud services and also using identity as an initial vector and then moving laterally between the cloud and the on-premise environment. So it's not so much that adversaries are doing that, it's the volume and how quickly they've adapted to that.
>> The efficacy with which they're doing it is mind-blowing.
Elia Zaitsev
>> Ruthlessly effective.
Shelly Kramer
>> Ruthlessly effective.
>> All about speed like Kurt says.
Elia Zaitsev
>> That's why defenders got to keep up. They've got to adopt these new technologies and the new AI assistance to keep up with the adversaries. It's a bit of an arms race, unfortunately, but at least we know the tools we need to arm the defenders.
Shelly Kramer
>> Absolutely. Absolutely. Well, listen, Elia Zaitsev from CrowdStrike, thank you so much for spending time with us. And for our listening and our viewing audience, keep it here on theCUBE as we cover all things RSA from San Francisco. And we will be back here the rest of the day. So keep it on this channel.
>> Hello and welcome back to our coverage here at theCUBE. We are in beautiful downtown San Francisco at the Moscone Center at the RSA Conference, the place to be for all things enterprise security today. And I'm joined by my colleague, Dave Vellante and David Linthicum, who's actually not sitting here at this table today. And we are excited to have as our guest, Elia Zaitsev, the CTO of CrowdStrike. Welcome. It's great to have you.
Elia Zaitsev
>> Thank you for having me back again.
Shelly Kramer
>> Absolutely. Absolutely. So we were at your Falcon event last fall, and the big news coming out of that was Charlotte and your Raptor upgrade. And I know that you've got some exciting news coming out of this event. Lead us off, tell us what you're most excited about.
Elia Zaitsev
>> Yeah. Well, you kind of set the stage for me there. So Raptor was our big push to bring in the log scale technology into the Falcon platform for all of our customers. We had just started that migration process at Falcon, and I'm really excited because we've concluded it. We've brought all of our customers now onto that Raptor platform upgrade, and that in turn has set the stage for the big announcement that we had for this week, which was our Next-Gen SIEM offering with a whole lot of Charlotte AI magic added on top of that. So with that log scale technology now firmly rooted in place, we can open up the system and now customers can take all their third party data sets, telemetry, alerts, and bring that into the CrowdStrike platform with all of their endpoint identity cloud data protection information all in one place. So we're really excited about that.
Shelly Kramer
>> Yeah, it sounds like a theme that we keep running into in every conversation with every vendor at every event and otherwise, is a customer demand and desire for simplicity. And it sounds like this is a move that does that, consolidating everything, putting it all kind of in one place. Is that kind of the goal there?
Elia Zaitsev
>> Yeah, absolutely. And we're seeing it for a variety of reasons. One, we're just seeing this next wave of consolidation in security. I mean, I think we kind of kicked it off 10 years ago with the endpoint wars, if you will. I think we won that one pretty handily, getting rid of Legacy AV and a lot of the other point solutions on the endpoint. But now we're seeing increasingly customers are looking for broader consolidation beyond just the endpoint really bringing in all of their security telemetry into a single platform. They're doing it for a bunch of reasons. They're doing it for reduced complexity, increased speed, velocity, and cost savings as well. I mean, we're not in a 0% interest rate world anymore, right? Those dollars and cents really matter now because they want to make sure they're getting the most value out of what they're using.>> So you guys are having some success there, I know. But broadly, the macro in the cybersecurity business, most customers are still adding new tools and new vendors at the broad level. Do you not see that?
Elia Zaitsev
>> We're kind of seeing the opposite there. Our customers are coming to us and asking us, "Help us streamline. Help us consolidate." We've got too many noise machines right now, and we're not sure what value we're getting out of it. You get to a point, this kind of critical mass, this tipping point where the overhead of managing all these tools of having to make sense of it all, bringing all the information in one place and jumping back and forth between multiple consoles, multiple platforms, managing multiple agents, it's having diminishing effects at this point. So they want to regain that speed advantage that they really need because we're seeing adversaries getting so much quicker.>> I mean, I get the value prop and I believe when I talk to your customers that that's what they're doing. So I guess this means there's way more upside because our survey data, and Shelly you know this, it shows that only less than 10% of the customers are actually able to reduce the number of vendors in their stack. It's like half are increasing and the rest are staying the same. So that says to me, because I know you're having success there, so that says to me there's a big market ahead for you guys.
Elia Zaitsev
>> It's a massive market opportunity, not just on the consolidation front, but frankly customers just are getting fed up with their legacy SIEM technology. SIEM is now 20 years old, and we had this kind of fantasy idea that, "Hey, if we take all these data sets from different products and put it in one place, somehow that was going to lead to better outcomes," right? The one plus one equals three fallacy. It never really happened. And if anything, the SIEM started getting so slow and so expensive, the customers had to start making really hard decisions and decide, "Which information do I want to bring in? I can't bring it all in." And now you're defeating the whole purpose of getting all the data in one place to make it simpler. You're now bringing fragments of the data, so you're still hopping around to all these different tools and systems to try to find out what exactly was going on. So the SIEM promise just never really lived up to the hype, and I think we've got a real opportunity to not just make it faster, not just make it cheaper, but actually bring better outcomes, really transform the user experience. And at the end of the day, for us, for me, Next-Gen SIEM is the product, but the vision we're after is really a wholesale modernization of the SOC, really bringing AI native capabilities into the SOC to not just get all the data in one place, but lead to better outcomes, stop the breach more effectively.>> So before we get into that, I want to touch on the SOC analyst experience, but what's different? I mean, I had a CISO tell me a couple years ago actually. He said, "I would get rid of my old SIEM if I could, but I can't because of audit compliance and so forth." So what's different between Next-Gen SIEM that you're announcing and old Gen SIEM?
Elia Zaitsev
>> Sure. Well, one, you still have to do all those basic use cases to make sure you can replace the old legacy technology.>> Right.
Elia Zaitsev
>> But we're looking at it from a couple different areas. So if you think about it sequentially, we want to start with making it really easy to get the data in. So we have a huge ecosystem. We've announced hundreds of partners. And ISV is now working with us out of the box connectors, cloud to cloud. You just turn it on, put your credentials in., The data's already there. And really crucially for our customers, your CrowdStrike data is already there. We're hearing from customers that endpoint data, and then you add in on top of that identity and cloud, that's like 85 plus percent of the information that our customers are using to triage and investigate these alerts. Historically, they would take all that information and send it out somewhere else just so they could get the last 15%. We're making it super easy and say, "Hey, we've got 85%. Give us the last 15." That's a pretty simple math problem, right?>> Go that route.
Elia Zaitsev
>> Oh, and we're doing it faster and cheaper at the same time. So that's step one. Making that data usable at scale is huge, right? We talked about the speed and performance improvements. If I can get all my information in one place, but it takes me several hours to run a query going back a few months and maybe it crashes and runs out of memory, it's not really benefiting me. You've got to actually make the data available and accessible. But even going further than that, doubling down on that user experience side, if you look at the traditional kind of SIEM workflow, you've got an analyst, they're learning a query language, they're writing some search, they're waiting a half hour if it doesn't crash, they're getting some information and then they've got a follow-up question. "Well, now I've got to do what? Export all that data into a spreadsheet and then do another search and then marry it up? That's insane."
If you look at what we're doing with Incident Workbench, we're really transforming the user experience and we're moving SIEM away from being alert-driven. That's what SIEMs are today. "Here's a bunch of alerts from a bunch of different products."
Shelly Kramer
>> "Here's some ."
Elia Zaitsev
>> That's not what security teams are actually dealing with. They're dealing with incidents. They don't care about an alert. They care about an incident, detecting and identifying an incident and responding to it before it becomes a breach. So we are meeting the community where they're fighting the battle. We are giving them incidents. We are giving them not just all the raw data, but we're providing an intuitive visual graph-based interface to see and explore all that information, both again, the CrowdStrike ecosystem, but these hundreds of technology partners we're working with. Then on top of that, you add all the AI assistance techniques. So we just announced something called Investigate with Charlotte AI. It's a new Charlotte capability that allows an analyst to not only use Charlotte to explain to them, "What does this incident mean? What are the most important relevant points that I should care about? What are the key users, hosts, systems that are impacted?" They don't have to now read through hundreds of alerts. The AI technology's doing that for them. And it's also helping them with their investigation. It's crawling all of our graph systems, all of our backend data stores, and it's suggesting to them, "Hey, there are additional users, hosts, alerts that you didn't realize initially were part of this incident. We're doing that triage work for you, packaging it all up." And then finally, we run that all through our Fusion SOAR platform, which is built into the Next-Gen SIEM offering to not just respond, but respond automatically and at scale, again, both with CrowdStrike technologies and then also all the third-party integrations that we've brought into the platform as well.
Shelly Kramer
>> So that has to have some huge implications from a productivity standpoint and a time-savings management for the teams involved.
Elia Zaitsev
>> It's massive.
Shelly Kramer
>> Right. Yeah.
Elia Zaitsev
>> The data we've got shows that we are running 150 times quicker on search, and we're costing 80% less. So it's-
Shelly Kramer
>> Okay, well, what's not to like about that.
Elia Zaitsev
>> I mean, how often do you get something that's faster, cheaper, and better?
Shelly Kramer
>> Yeah.
Elia Zaitsev
>> That's very exciting.
>> Talk about a couple things I wanted to ask you about. One is Falcon for IT, all right? How's that going? What's the uptake look like? I was excited when I first saw it. I'm thinking, "Oh, this is going to solve some problems."
Elia Zaitsev
>> It's going fantastic. I think it's going to be... Well, I shouldn't talk about financials. My CFO will get mad at me.
>> No, you should not.
Elia Zaitsev
>> But I think it's going to be one of the fastest growing product launches we've had in a very long time. And actually, it does tie back into our vision of this modernized AI supercharged SOC, this transformation, because one of the gaps we have right now is when the security team identifies that there is an issue and they need to take steps to solve it, to remediate it, in many cases, they're basically creating a ticket, throwing it over the wall for the IT team to then go resolve. All you're doing there though is you're taking the IT team that, just like security, is struggling with all these separate tools, they're having performance issues, they're having cost issues, and you're just squeezing the balloon, right? You're taking the problem out of security and you're pushing it over to IT. So Falcon for IT, not only are we giving them similar types of enhanced, simplified, faster, cheaper technology platforms, but it's the same platform that their security teams are using. So they can unify their response, standardize it on the same platform. So bringing security and IT together, we think, is a really big part of this SOC modernization effort. Really solving the problem holistically once and for all. And the reception from our customers has been phenomenal. The uptake is just massive.
>> Yeah, I'm not surprised. I thought it would be. When you think about the SOC analyst experience, how should we think about that evolving? We had Allie Mellen last year. She's one of the few analysts I think that really has done hardcore research on this.
Elia Zaitsev
>> Big fan of Allie. She totally gets it, especially in the XDR space. And she and I were just talking last year, I believe, at the same Falcon conference. We talked about this shift, this migration away from that alert-driven mentality to that incident-based paradigm.
>> So what does that look like? What role does Charlotte play in that experience and what does it mean for the life of a SOC analyst?
Elia Zaitsev
>> Yeah, so I think we talked about this a little bit when we launched Charlotte, Dave. Some people both in the analyst or press community, but also some SOC analysts, they're freaking out thinking, "Oh no, the machines are going to come and take my job." I don't see that happening. I don't see AI replacing humans. I see AI augmenting humans on the defensive side, which by the way is the same thing we're seeing attackers do, right? They're leveraging AI to get faster. So the humans need to leverage AI to get faster.
>> Right.
Elia Zaitsev
>> So with Charlotte, a bunch of new innovations that we brought in, we've added prompt books to Charlotte now. So basically pre-built sequences of instructions where you can just put in an input, like a vulnerability that you're interested in, and then automatically run through multiple steps of a play with Charlotte to speed up and automate these workflows for you that span across multiple products. We've integrated additional product capability into Charlotte. So now all of our unified detections are supported by Charlotte, whether it's endpoint, cloud, identity, all that is connected now. We've hooked up the LogScale technology, so we can now do natural language querying. So you can just tell it, even if you don't know our data model, "Hey Charlotte, I'm looking for this kind of information." It'll write that LogScale query for you. That's a huge analyst saver. We do it for Falcon for IT as well, by the way.
>> Oh, okay.
Elia Zaitsev
>> We can write the Falcon for IT queries for you. That's a big time saver. And we've been going further than that. The chat interface, this explosion of conversational AI has been really big over the last year, but it's not always the right way to implement some of these new generative technologies. If I'm looking, for example, in our Next-Gen SIEM product, if I'm looking at a command line, an obfuscated command line, it's encoded. I don't know what it's doing. That's a lot of effort today for an analyst to translate it, go look up all the functions and what it does. They can ask Charlotte, if they're having a conversation with Charlotte, "Now, tell me about this command line. What does it mean?" But we're going even further now, and we're taking those generative AI capabilities and we're diffusing it throughout the platform. So if I'm not in Charlotte, if I'm in Next-Gen SIEM and I'm looking at a command line, I can just click a button right then and there and say, "Hey, Charlotte, explain what this command line means." It'll decode it. It'll translate it, and it'll answer questions for you. "What does it do? Is it calling out to a server? Is it downloading files?" So again, you can think about Charlotte as this guardian angel over your shoulder, assisting you as you go, making you significantly more productive.
Shelly Kramer
>> I think it's a perfect use case example of AI-powered solutions. And so many times the concern is AI's going to take all our jobs and blah, blah, blah. But the reality of it is the perfect use case is working together. And that's an example of that.
Elia Zaitsev
>> Yeah. Well, there's a huge skill shortage in security. AI isn't going to get rid of all those people. It's going to help solve the skill shortage by making those people much more productive.
Shelly Kramer
>> Absolutely.
Elia Zaitsev
>> It's going to let you take those junior analysts who are new to security and get them up and running much quicker. All of our documentation is now accessible by Charlotte, for example. So you have basic questions, "How do I do this? How do I do that?" It can tell you, "We can do it for you." And then of course, you take your experienced analysts and it's just making them that much quicker. Or somebody who's never used the CrowdStrike platform before but is a security professional, they know the kinds of things we can do, but maybe not the exact button clicks. So Charlotte can just automate all that for you with a conversation.
>> Charlotte, correct me if I'm wrong, it's not a CrowdStrike LLM? Or is it? Did you build your own LLM to do Charlotte?
Elia Zaitsev
>> So Charlotte is a multi-model or a multi-agent system, right? So we've got multiple different actors or agents that perform separate functions. Some of them are fine-tuned models that we've developed and run ourselves. Others are powerful frontier models, as we call them. For example, we've talked this week about how we're using, built on top of Amazon's Bedrock offering, the Anthropic Claude system.
>> Claude, yeah. Mm-hmm.
Elia Zaitsev
>> What we're finding is that LLMs, like most technologies, have strengths and weaknesses. Those really big foundational models like a ChatGPT, like a Claude, they're really good at general instruction following, right? I'm asking you anything under the sun and it's got a pretty good idea of what you want to do. What they're not so good at are really specific tasks that they haven't been exposed to before. Security often falls into a lot of those categories. So what we do is we leverage those big foundational models to be that natural language front door for the analyst because they could ask about anything under the sun. But then we identify which of these task-specific agents that we've trained and fine-tuned are required to answer that use case, because then we could tune it for just that one function and we can take multiple agents each focusing on one specific function. Not only do you get more effective results, it's faster and cheaper because the models are smaller, and in many cases they hallucinate less because they don't have extraneous information to accidentally reference that's unrelated to the task at hand. So the right solution, in our opinion, the way we designed Charlotte, is that multi-model or multi-agent architecture.
>> And Bedrock is your kind of LLM garden. We should think about that. Or is that not necessarily the case?
Elia Zaitsev
>> Not entirely. So Bedrock, we use it for, again, some of those really large foundational models that are hosted for us. For example, Claude from Anthropic. But then we use the SageMaker offering from AWS to host the LLMs that we've created internally.
>> And that's in Bedrock, right? So I think they've moved that into Bedrock. But SageMaker can be very painful to do, but you guys are smart, you can deal with it.
Elia Zaitsev
>> We've got a couple of data scientists who do a thing or two.
Shelly Kramer
>> They're going to be okay.
>> Okay. So you announced-
Elia Zaitsev
>> We're doing just fine.
>> You showed Charlotte first at Black Hat, which was a pretty awesome demo. And then you did the mega demo last year at Falcon, which was amazing. And then you priced it. You announced pricing at Falcon last year. And now you're in the field. I think what are you charging? Like $30 an endpoint or something in a year, right?
Elia Zaitsev
>> 20.
>> Less price. 20, yeah, that's right. So that's pretty attractive. It's not per month.
Elia Zaitsev
>> It's per year.
>> It's per year. So that was kind of cool to see. So that's in the field gaining traction now.
Elia Zaitsev
>> And customers, by the way, they're loving that predictability and understanding of what it costs and what they actually need to buy. And we're seeing other models that are based on compute units and, "How many compute units do I need? Do I spin them up? Do I spin them down?" The procurement teams are really struggling with understanding what they're actually buying and how much they need. It's very simple and straightforward. Just give us the number of people, the number of systems, we multiply it, here's the number.
>> It's like mobile gigabytes.
Shelly Kramer
>> That's nice.
>> But there's a lot of endpoints out there, so I'm sure the procurement people are watching that too.
Shelly Kramer
>> I want to ask one last question because I think we're kind of getting to time here. But you announced the findings of your global threat report. I looked at them briefly. I mean, some of these things were no surprises, dramatic increase in attack velocity. Of course, stealthiest spikes, attack spike of course.
Elia Zaitsev
>> Stop me if you've heard this one before, right?
Shelly Kramer
>> We've heard this often. What I'm interested in though is what findings came out of this report that surprised you?
Elia Zaitsev
>> I don't know if it surprised me, the element, but the magnitude is what surprised me. So two big things stuck out. One is the dramatic increase in adversaries targeting the cloud. We call it cloud-conscious adversaries. And the other one was the huge increase in legitimate credentials, compromised stolen credentials, being used to initiate a lot of these attacks, and the combination of the two, identity-based attacks against cloud services and also using identity as an initial vector and then moving laterally between the cloud and the on-premise environment. So it's not so much that adversaries are doing that, it's the volume and how quickly they've adapted to that.
>> The efficacy with which they're doing it is mind-blowing.
Elia Zaitsev
>> Ruthlessly effective.
Shelly Kramer
>> Ruthlessly effective.
>> All about speed like Kurt says.
Elia Zaitsev
>> That's why defenders have got to keep up. They've got to adopt these new technologies and the new AI assistance to keep up with the adversaries. It's a bit of an arms race, unfortunately, but at least we know the tools we need to arm the defenders.
Shelly Kramer
>> Absolutely. Absolutely. Well, listen, Elia Zaitsev from CrowdStrike, thank you so much for spending time with us. And for our listening and our viewing audience, keep it here on theCUBE as we cover all things RSA from San Francisco. And we will be back here the rest of the day. So keep it on this channel.