Introducing Charlotte AI, CrowdStrike’s Generative AI Security Analyst: Ushering in the Future of AI-Powered Cybersecurity

CrowdStrike has pioneered the use of artificial intelligence (AI) since we first introduced AI-powered protection to replace signature-based antivirus over 10 years ago, and we’ve continued to deeply integrate it across our platform since.

We combine the best in technology with the best of human expertise to protect customers and stop breaches. We believe the future of cybersecurity requires tight human-machine collaboration to deal with the speed, volume and advancing sophistication of the adversary. When done correctly, AI can rapidly surface hidden threats, accelerate the decision making of less experienced security analysts and simplify a multitude of complex tasks.

At CrowdStrike, AI has been fundamental to our approach from the beginning. Beyond replacing legacy AV, our platform uses analytics to help prioritize critical vulnerabilities that introduce risk and employs the power of AI to generate and validate new indicators of attack (IOAs). CrowdStrike has built AI into the core of the CrowdStrike Falcon® platform.

Today, we’re proud to introduce Charlotte AI, a new generative AI security analyst that uses the world’s highest-fidelity security data and is continuously improved by a tight feedback loop with CrowdStrike’s industry-leading threat hunters, managed detection and response operators, and incident response experts. This is the first offering built using our Charlotte AI engine and will help users of all skill levels improve their ability to stop breaches while reducing security operations complexity. Customers can ask questions in plain English and dozens of other languages to receive intuitive answers from the CrowdStrike Falcon platform.

Let’s take a look at three powerful use cases that show how Charlotte AI will democratize security and help every user — from novice to security expert — operate like a power user of the Falcon platform to speed detection, response, and help close the cybersecurity skills gap.

Use Case 1: Generative AI as a Democratizing Force: Every User Becomes a Power User

Charlotte AI is an intelligent security analyst that will be available to every user of the Falcon platform, helping them to better understand the threats and risks facing their organization.

Let’s look at an example of a CIO or a CISO preparing for a board meeting. Oversight of cybersecurity risk is a major focus for most boards of directors. Executives need to provide timely, relevant and actionable information on organizational security posture that empowers the board to make informed, risk-based decisions.

By asking a few simple, straightforward questions, Charlotte AI can provide real-time insight into an organization's risk profile, including its threat landscape, risk level against critical vulnerabilities, current security posture, compliance requirements, cybersecurity performance metrics and much more.

In this scenario, board prep is as easy as asking a few simple questions, such as:

  • “Do we have vulnerabilities involving Microsoft Outlook?
  • “What are the biggest risks facing our business critical assets?”
  • “Are we protected against the Log4j vulnerability? Where are we at risk?”

Use Case 2: Elevating Security Analysts with AI-Powered Threat Hunting

For less experienced IT and security professionals, Charlotte AI can help them make better decisions faster, reducing response time to critical incidents. If you have a new security analyst, such as a Tier 1 member of a SOC, who is just learning the Falcon platform, it will help them operate like a more advanced analyst with simple queries such as:

  • “Which threat actors target us?”
  • “What are the critical vulnerabilities being exploited by these adversaries?”
  • “Can you sweep my endpoint estate for any IOCs you found?”
  • “What are the top recommended remediation actions for the impacted endpoints?”

Let’s see Charlotte AI in action:

Use Case 3: Make Advanced Security Actions Easier and Automate Mundane Tasks

For the security expert, Charlotte AI is the ultimate force multiplier, automating repetitive and tedious tasks like data collection, extraction, and basic threat search and detection while making it easier to perform more advanced security actions. For example, with a simple natural language prompt, you can leverage the power of all of CrowdStrike’s APIs for any detection, investigation or response workflow to supercharge your platform experience — without needing to write a single line of code.

Charlotte AI further accelerates enterprise-wise XDR use cases across every attack surface and third-party product, directly from the Falcon platform. You can automate detection and response actions at scale, across the enterprise or down to a specific subset of endpoints. Hunting and remediating adversaries across your organization has never been faster and easier with simple queries like:

  • “Find lateral movement involving Windows hosts.”

Let’s see Charlotte AI in action:

Charlotte AI and the CrowdStrike Difference – It’s in Our DNA

The concept behind generative AI is to create new content or outputs based on examples it has previously seen. Traditional AI and machine learning focus on analyzing and classifying existing data. Generative AI opens up a new world of possibilities by creating net-new outputs based on the patterns and structures inherent to the training data. But the limiting factor will always be the quality, context and completeness of the underlying data.

The models powering the bevy of security chatbots, co-pilots and workbenches hitting the market will always be only as good as the data they utilize. Large language models (LLMs) are built to incorporate knowledge from external data stores, as well as data generated from technologies like the Falcon platform. We believe CrowdStrike has the industry’s best and highest-fidelity security data and human expertise to augment LLMs for security use cases and for powering the future of generative AI in security. While LLMs will be commoditized over time, the data the models use will not. This is why CrowdStrike customers are positioned to benefit now and in the future from new services built with the Charlotte AI engine.

The CrowdStrike difference is found in three critical data streams that are wholly unique to CrowdStrike and underpin the Falcon platform to form the most powerful security data set that LLMs can utilize, powering the future of generative AI applications.

1. Threat Intelligence: Understanding Adversary Tactics and Motivations CrowdStrike is a pioneer of adversary attribution and is widely recognized as an industry leader in threat intelligence. CrowdStrike Intelligence tracks 200+ adversaries to better understand the motives and increasingly sophisticated tactics and techniques the threat actors use to target and breach organizations. From governments to large enterprises, CrowdStrike’s threat intelligence is critical to stopping breaches across the globe.

Charlotte AI taps into a deep knowledge base of millions of intelligence findings that allows the engine to reason and understand adversary activity around the world.

2. The Richest Set of Security Telemetry Powered by the Modern XDR Platform The richness and accuracy of the proprietary data that an LLM can access is the determining factor in the effectiveness of the outputs, especially for security use cases. Unlike traditional machine learning models, generative AI only needs enough data to analyze patterns, capture variability, expand creativity in its outputs and give a contextual understanding to the events consumed.

The Falcon platform is one of the most tested next-gen security platforms and has consistently been ranked number one in third-party detection evaluations over multiple years — providing independent affirmation of what we know: The best data and platform stops the breach.

Charlotte AI utilizes the richest set of security and enterprise telemetry that underpins the Falcon platform and that our award winning MDR team utilizes to hunt and remediate threats. Only CrowdStrike delivers the powerful combination of:

  • Security Event Telemetry: Ingesting trillions of security events from a variety of platforms (Windows, Mac, Linux, IoS, Android and more) and across multiple sources, including endpoints, cloud workloads, identities and data infrastructure — as well as third-party sources.
  • Environmental and Asset Telemetry: Including managed and unmanaged assets from across the enterprise, complete with information on devices, users, accounts, identities, applications and more.
  • Vulnerability Data: Deep visibility on all CVEs, including prioritized vulnerabilities that pose a real and immediate risk to an organization’s environments.
  • Policy Control Data: Including access and policy controls across endpoints, cloud workloads, identities and data infrastructure.

3. The Human in the Loop: Insights from the World’s Best Practitioners

The most critical set of data — and one that no other vendor in the world can match — is CrowdStrike’s human-validated content. This is the massive data set of how our people — from across CrowdStrike® Falcon OverWatch™ managed threat hunting, CrowdStrike Falcon® Complete managed detection and response, CrowdStrike Services, CrowdStrike Intelligence and more — stop breaches in the real world.

CrowdStrike has always believed that the combination of human intelligence and expertise with AI will transform the industry and keep security practitioners ahead of the adversary. The adversary is continually looking for new ways to infiltrate an organization and break existing security rules. AI alone isn’t designed to identify these novel problems — human expertise is required to outthink and outmaneuver the adversary. This insight can then be codified into the training data to update the AI model to stop the identified tactics.

A good example of why this human-machine collaboration is critical is found in the difference between an AI playing chess versus driving a car. AI has become adept at games like chess because there are well-defined rules that can’t be broken, limited complexity and data sets with complete information capturing all aspects of gameplay.

Using AI for autonomous driving is completely different. Driving a car is dynamic and unpredictable because humans are continually looking to break rules, which creates imperfect training data sets. The actions of other drivers and pedestrians can be highly chaotic, making it difficult for AI to respond effectively to every situation. In this case, hacking is very similar to driving. The adversary is constantly breaking rules and changing tactics, making it hard for AI to respond without the right data to train the model.

This is why human-validated content is critical for AI to perform security use cases and give security teams the advantage over adversaries.

As the globally recognized leader in MDR services, CrowdStrike is in a unique position to codify the learnings of the world’s most elite threat hunters and security practitioners into our data set that Charlotte AI utilizes. This includes, but is not limited to:

  • Hundreds of thousands of messages sent to customers from Falcon OverWatch threat hunters describing threat actors and their related activity with rich details and narrative. Accurate prose in the data set enables an LLM to better emulate a real analyst.
  • Tens of thousands of security incidents from Falcon Complete on how they’ve triaged, investigated and remediated attacks at global organizations.
  • Thousands of CrowdStrike Services engagements — including breach investigations, risk assessments and advisory services.

Charlotte AI utilizes the comprehensive combination of these three massive data sets. While other vendors may have data sets from one of the aforementioned categories, CrowdStrike is the industry’s only vendor to bring the power of all three of them together.

Generative AI has the power to be a democratizing force for the security practitioner. From elevating the security novice to the level of a power user, to helping existing security practitioners level up their impact and become expert threat hunters, generative AI will transform security for the better.

Charlotte AI will provide the natural language interface to the Falcon platform that will enable every user, regardless of experience level or organization size, to be a power user of the Falcon platform — enabling them to experience and take full advantage of our best-in-class security suite.

Charlotte AI is currently available in private customer preview.

Breaches Stop Here