Blackbaud Achieves 3x Faster Threat Response with Charlotte AI

As the leader in AI for social impact, Blackbaud enables millions of users to drive more than $100 billion in annual giving each year. With customers spanning 100+ countries, protecting sensitive donor and constituent data is essential to the company’s mission.

“Our customers handle sensitive information every day,” explained Don Rahn, Senior Director of Global Cyber Operations at Blackbaud. “We have to make sure our platforms are safe for them to use, no matter where threats originate.”

When Rahn joined the company, the CrowdStrike Falcon® cybersecurity platform was already securing Blackbaud’s global, remote-first workforce. But what began as endpoint protection has evolved into a broader transformation of how the company defends its environment. Today, Blackbaud has consolidated on CrowdStrike and embraced agentic SOC transformation to accelerate threat detection and response.

“We’ve had a great relationship with CrowdStrike since the beginning,” Rahn said. “They’ve been transparent with their roadmap and responsive to our feedback. Over time, that transparency has built trust … and trust is what lets you grow together.”

That growth in security maturity reached a new level when Jake Daniels, Senior Manager of Defensive Cyber Operations, joined Blackbaud to lead the company’s SOC transformation. His first priority was consolidating visibility across the entire threat landscape.

“When I started, we were using a legacy set of products that we’d cobbled together,” he said. “It was workable, but it wasn’t scalable. We needed something faster, unified, and modern.”

The team turned to CrowdStrike Falcon® Next-Gen SIEM, a ground-up reimagining of the SIEM experience that transforms how analysts work. Instead of pivoting between tools, the Blackbaud team has the whole picture of their security posture in one console. 

“Our analysts can run enrichment, automation, and agentic investigations without ever leaving the event pane,” Daniels said. “Everything happens in one place.” 

Paired with CrowdStrike® Charlotte AI™, CrowdStrike’s agentic security analyst, Falcon Next-Gen SIEM became the team’s central nervous system for detection and response. Analysts now use Charlotte AI daily for CrowdStrike Query Language (CQL) queries, threat hunting, and data parsing — automating tasks that once required hours of manual effort. 

The team also runs Charlotte AI automatically on every detection flowing through the Falcon platform, using the AI-generated event timeline to accelerate triage and investigation.

“Charlotte lets analysts think in plain language instead of writing complex queries,” Daniels said. “They can ask natural-language questions, get results instantly, and shift from running searches to solving problems.”

The impact has been immediate and measurable. Daniels noted, “We’ve used Charlotte AI over 30,000 times in 30 days, achieving a 3x faster mean time to respond.”

While AI has accelerated detection and response, human intelligence remains at the core of Blackbaud’s defense strategy. Through CrowdStrike Falcon® Adversary OverWatch™ and CrowdStrike Falcon® Counter Adversary Operations Elite, the company gains access to world-class expertise and 24/7 threat hunting that extends its own team’s capabilities.

“Our CAO partnership is a force multiplier,” Daniels said. “We get real-time intelligence briefings and direct access to subject matter experts who can contextualize threats we haven’t seen before. That level of connection gives us insights we simply can’t get from a report.”

OverWatch provides an additional layer of proactive protection. By continuously hunting across Blackbaud’s environment — and, increasingly, across third-party telemetry through Falcon Next-Gen SIEM — OverWatch helps the team identify emerging tactics before they can impact operations.

“They’re threat hunting 24/7, 365 days a year,” Daniels said. “They can warn us the moment something new appears, like a supply chain attack or novel intrusion technique. We know that while we’re sleeping, CrowdStrike is watching.”

This intelligence-led approach has become a defining feature of Blackbaud’s maturity. The team aligns their threat detection and hunting activities around the most relevant adversaries and intelligence sources. “We’ve reached a point where intelligence drives operations,” Rahn said. “That’s exactly where we want to be.”

Blackbaud declared 2025 “the year of tool rationalization.” The initiative aimed to reduce complexity, cut redundant technologies, and invest in platforms that delivered both breadth and depth. CrowdStrike became central to that effort.

“When you’re running 30 different security tools, efficiency becomes your biggest challenge,” Rahn explained. “You waste time pivoting between systems. The Falcon platform solves that. Everything we need … endpoint, identity, cloud, threat intel … is all in one place.”

The decision to consolidate on CrowdStrike was driven by trust as much as capability. Blackbaud had seen other vendors retrofit legacy architectures to keep pace with modern threats. CrowdStrike, by contrast, continues to deliver cloud-native solutions built for speed and scale, with agentic AI woven throughout.

By unifying multiple data sources and workflows inside the Falcon platform, Blackbaud has reduced redundant spend, strengthened internal collaboration, and streamlined investigations across its 40-person cybersecurity team. The impact on performance has been significant.

“Our internal security team now outperforms our managed service provider,” Daniels said. “That’s a powerful indicator of how much we’ve grown with CrowdStrike.”