Lumen Technologies Consolidates Security Operations with CrowdStrike

Lumen Technologies operates one of the world’s largest communications infrastructures, delivering essential connectivity to businesses across the United States. Securing its 25,000-person workforce and systems is mission-critical, because any disruption directly impacts the customers and services that depend on Lumen’s network every day.

To meet that challenge, Lumen consolidated its security operations on the AI-native CrowdStrike Falcon® cybersecurity platform. By moving away from fragmented tools, the organization gained unified visibility across its environment and a better way to detect and respond to threats. The shift also reduced operational friction for security teams by replacing disconnected point solutions with a single platform approach.

This is the story of how Lumen consolidated its security operations to protect its business, strengthen resilience, and operate with greater speed and confidence.

Like many large enterprises, Lumen’s security environment had grown increasingly complex over time. Mergers and acquisitions left the organization with a patchwork of security tools from multiple vendors, each operating in isolation.

The lack of consolidation created visibility gaps and operational inefficiencies. Security teams were forced to pivot between multiple dashboards, slowing investigations and increasing the burden on already stretched resources. More critically, Lumen’s previous endpoint detection and response (EDR) solution protected only Windows systems, leaving others exposed.

“We had pockets of security tools and infrastructure. Some worked well, but we had major gaps,” explained Brett Wentworth, VP and Deputy CISO at Lumen. “Our previous EDR solution only covered Windows, leaving our Linux and Unix systems exposed. We needed a platform that could consolidate security and give us full coverage.”

As cyber threats accelerated beginning in 2020 — particularly from sophisticated, nation-state adversaries — these limitations became impossible to ignore. Lumen needed a modern platform approach that could scale with its environment and threat landscape.

After evaluating multiple vendors, Lumen selected CrowdStrike in 2021 as the foundation of its endpoint security strategy. Peer recommendations, CrowdStrike’s industry reputation, and a hands-on proof of value (POV) all factored into the decision.

“We heard nothing but great things about CrowdStrike from peers at RSA, Black Hat, and DEF CON,” Wentworth said.

The POV delivered immediate validation. When the Falcon platform was deployed to just 10% of Lumen’s environment, the security team uncovered previously undetected malware and backdoors that other tools had missed.

“That alone justified expanding the deployment,” Wentworth said. “We knew we needed CrowdStrike everywhere, fast.”

Within the first year, Lumen deployed the Falcon platform across approximately 85% of its environment, achieving comprehensive endpoint protection across Windows, Linux, and Unix systems — spanning both on-premises and cloud environments.

With a unified endpoint foundation in place, Lumen expanded its use of CrowdStrike to strengthen detection and response.

The organization adopted CrowdStrike Falcon® Counter Adversary Operations Elite, which includes CrowdStrike Falcon® Adversary OverWatch, to add 24/7 proactive threat hunting and an additional layer of defense alongside Lumen’s internal security operations center (SOC).

“OverWatch saved the day more than once,” Wentworth said. “They detected threats before we could, giving us an early warning and a strategic advantage. The global visibility they provide is invaluable.”

Lumen also deployed Recon, a capability of Falcon Adversary Intelligence, to monitor the dark web for exposed credentials and emerging threats targeting the organization. This intelligence allows the security team to proactively mitigate risks before attackers can exploit them.

“Recon gives us an additional security control that we lacked going into this partnership,” Wentworth said. “That’s the single most frequent reliable and high-fidelity intel source that we have now. It provides really good indicators of compromise, and observable and huntable tactics, techniques, and procedures.”

As identity-based attacks grew more prevalent, Lumen extended its Falcon platform deployment to CrowdStrike Falcon® Next-Gen Identity Security, gaining visibility into risky user behaviors, misconfigurations, and identity attack paths that were previously difficult to detect.

“Identity protection gives us insights into fundamental security issues, like service accounts with weak passwords or unchanged credentials,” Wentworth said. “That visibility was a game changer.”

Lumen also added CrowdStrike Falcon® AIDR for AI-powered detection and response, and CrowdStrike Falcon® Next-Gen SIEM to modernize its SOC. These capabilities, along with the other Falcon platform modules deployed, helped the security team reduce mean-time-to-detect and mean-time-to-respond, while also lowering alert noise and manual investigation effort.

According to Wentworth, consolidating on CrowdStrike has also improved predictability and agility across Lumen’s security program. The company standardized on Falcon Flex to simplify how new capabilities are adopted as needs evolve.

“With Falcon Flex, we can be more predictive in terms of what we spend, and we can swap out modules depending on what our threat landscape looks like,” Wentworth said.

For Lumen, this flexibility streamlines procurement, reduces operational overhead, and ensures the organization can quickly adapt protections without reintroducing complexity.

Today, Lumen’s security program is built on a consolidated, AI-native platform that delivers unified visibility across endpoint, identity, AI, and threat intelligence — supported by managed threat hunting and a modern SOC architecture.

“CrowdStrike didn’t just replace our previous tools,” Wentworth concluded. “It transformed our security operations. It’s a strategic partnership that keeps getting stronger.”