
How Green Thumb Industries Cut Incident Response Time by 90% with CrowdStrike

Green Thumb Industries (GTI) is one of the largest cannabis companies in the US, operating in 14 states with more than 110 retail locations, 14 cultivation centers, and over 5,000 employees. The company’s success is powered by a SaaS-first business model — entirely cloud-based, fast-moving, and constantly expanding.

This model accelerates innovation but also widens the attack surface. Every new application, user, and integration introduces risk. With a lean six-person security team, GTI needed tools that could deliver speed, automation, and accuracy at enterprise scale.

At the same time, the company operates in a federally restricted industry with limited government cybersecurity support.

“The cannabis industry faces all the same threats as any enterprise but without the same level of federal guidance or support,” explained Christopher Clai, Senior Director of Information Security. “That means we have to be self-reliant, and our cybersecurity program has to be bulletproof.”

To meet the challenge, GTI turned to the CrowdStrike Falcon® platform, unifying endpoint, identity, and data security in a single, cloud-native architecture. Since deployment, GTI has reduced incident response time to under 30 minutes, cut investigation times by more than 90%, and gained the confidence of a 24/7 SOC without the headcount or cost.

“CrowdStrike kept giving us speed and context as we added modules. Time and again, it proved its value.”
Chris Clai, Senior Director of Information Security
Green Thumb Industries

From Legacy Gaps to Complete Confidence

GTI’s early toolset of legacy AV and email filtering left critical visibility gaps. “We’d have 4,000 devices deployed but only 3,000 reporting,” Clai said. “We couldn’t tell if the others were healthy or compromised.”

Replacing legacy tools with CrowdStrike Falcon® Insight XDR restored real-time endpoint protection and gave analysts the evidence they needed to act. GTI then layered on CrowdStrike Falcon® Complete Next-Gen MDR for 24/7 managed protection.

During a side-by-side run with its previous MDR, the contrast was stark. “Falcon Complete responded to an incident in 17 minutes. They contained it, cleaned the system, and sent a full report showing every file and endpoint touched,” Clai said. “Two hours later, the old provider emailed to say, ‘We think we found something,’ but CrowdStrike had already solved it.”

With Falcon Complete handling detection and response, GTI cut average incident response time from 4-6 hours to less than 30 minutes — more than a 90% reduction.

Data Security that Stops Insider Risk and Builds Governance

As GTI expanded, insider risk became a major focus. The traditional data security solution it previously used was expensive, noisy, and built for on-premises environments. “Plus, it cost eight times more than CrowdStrike and wasn’t designed for a SaaS-first company like ours,” Clai added.

With CrowdStrike Falcon® Data Security, GTI gained continuous visibility into data movement across endpoints and SaaS applications. Behavioral analytics exposed risky activity — like employees uploading data to unauthorized cloud apps or connecting unapproved devices — and tied alerts directly to user behavior for faster triage.

“Falcon Data Security exposed the most common ways people try to exfiltrate data in a cloud-first company,” Clai said. “It helped us act before those issues became problems.”

That insight stopped one potential incident in its tracks: a departing employee attempting to copy files to a USB drive overnight. Falcon Data Security detected the behavior, automatically flagged the device, and allowed the team to encrypt and block the transfer before data left the environment. The experience prompted a companywide governance review, resulting in stronger offboarding processes and data-handling policies.

“It’s not just about stopping data loss,” Clai said. “It’s about building better awareness and culture.”

GTI also used Falcon Data Security to classify enterprise-sanctioned versus non-corporate applications, cutting alert noise and focusing analysts on high-risk activity. “We went from drowning in alerts to focusing on what matters,” he added.

AI-Driven Defense for the Modern Enterprise

For Clai, AI isn’t just an emerging risk; it’s also the key to staying ahead of those risks. As his team evaluated new AI-driven tools, they recognized that adversaries were also adopting AI to move faster, automate attacks, and exploit the same technologies defenders rely on.

To stay ahead, GTI adopted CrowdStrike® Charlotte AI, an agentic security assistant that brings the power of genAI directly into the Falcon console. Analysts can ask natural-language questions, generate complex queries, and receive prioritized, contextual responses — all grounded in the same CrowdStrike Falcon® telemetry that powers the platform.

“We’re using Charlotte AI across multiple platform modules,” Clai said. “It’s helped accelerate our team so they can focus on advanced threat hunting instead of manual research.”

The benefits compound when paired with other CrowdStrike capabilities. For example, Charlotte AI used alongside CrowdStrike Falcon® Exposure Management helps GTI identify vulnerabilities, model potential attack paths, and estimate remediation time — enabling the team to focus on the small subset of vulnerabilities that truly matter.

“You might have a hundred high CVEs, but only a few that actually pose risk to the business,” Clai said. “Charlotte AI combined with Falcon Exposure Management helps us zero in on those with surgical precision.”

At the same time, GTI is realistic about AI’s risks. “A lot of AI platforms are going to market first before considering their impact,” Clai said. “We have to understand what data they’re trained on, how it’s used, and whether it could leak sensitive company information.” The Falcon platform’s unified visibility helps enforce that discipline, giving GTI oversight into how AI-enabled apps and data are used across the environment.

“We’re looking forward to having Charlotte AI across the entire platform,” Clai added. “It’s already delivering value, but it’s also the future of how small teams will operate … guided, informed, and faster than ever before.”

A Platform That Compounds Value with Each Module

GTI’s journey with CrowdStrike shows the platform effect in action. Each Falcon platform module adds telemetry and context that sharpens the next. This platform strategy has also enabled cybersecurity consolidation, allowing GTI to retire overlapping vendors and avoid costly legacy tools while unifying workflows in a single, cloud-native console.

“We’re not going to hire our way out of these threats,” Clai said. “Every module we add gives us more insight, more efficiency, and more confidence.”

In Clai’s 25 years in IT, the Falcon platform stands out. “It’s unlike anything else I’ve seen … the context, the speed, the way it elevates our team,” he concluded. “It lets us protect the business and keep pace with AI-driven change.”

Challenges

  • SaaS-first business model created blind spots across cloud and endpoint environments
  • Lean six-person security team needed 24x7 coverage without building an internal SOC
  • Insider risk and data exfiltration threats

Results

  • 90% faster response time with incidents resolved in under 30 minutes
  • Rapid investigations with identity and data inquiries cut from hours to seconds
  • Insider threat stopped when USB exfiltration was blocked before data loss
  • Improved governance through clear visibility into data movement and risk
  • Tool consolidation that unified protection across endpoints, data, and AI

CrowdStrike Solutions

  • Falcon Complete Next-Gen MDR
  • Charlotte AI™
  • Falcon Data Protection
  • Falcon Insight XDR for extended detection and response
  • Falcon Fusion SOAR