How PIB Group Standardized Security During Hyper-Growth With CrowdStrike Falcon Complete Next-Gen MDR
PIB Group grew at a pace that breaks most security programs. In eight years, the UK-based insurance intermediary acquired more than 140 companies and scaled from roughly 12 employees to more than 4,500.
That acquisition strategy meant PIB Group was constantly inheriting new environments. Each acquisition brought its own endpoints, servers, domains, and identity stores, often with limited documentation and inconsistent controls. Visibility into what had actually been deployed, configured, or left behind was uneven, particularly in the early stages of integration.
When Jason Ozin joined as Group CISO, PIB Group’s existing security approach wasn’t designed to operate at that scale. Traditional antivirus could flag activity on individual machines, but it didn’t provide the centralized visibility or operational support required to manage risk across dozens of newly acquired businesses.
“The AV tool was doing its job, but no one was actually looking at the alerts,” said Ozin.
As the business continued to expand, Ozin needed a way to establish consistent security controls across acquisitions, gain visibility into inherited risk, and secure the enterprise without building a large internal SOC. PIB Group ultimately consolidated on the AI-native CrowdStrike Falcon® platform and added CrowdStrike Falcon® Complete Next-Gen MDR for 24/7 managed detection and response.
Making Falcon Complete the Operational Core
PIB Group started with CrowdStrike Falcon® Insight XDR for endpoint security. By using Falcon Complete Next-Gen MDR to manage that deployment, the company gained expert-led monitoring, investigation, and hands-on remediation to manage and stop threats on its behalf.
Ozin described Falcon Complete as the core of PIB Group's security operations because it allows the organization to run around the clock without expanding internal headcount.
“Being able to have somebody deal with an issue at three o’clock in the morning is critical. If they ring me, it’s to tell me they’ve dealt with the issue,” said Ozin.
That operating model matters because PIB Group’s environment is in constant flux. New companies and endpoints are being onboarded regularly, often with uneven security maturity. By standardizing on the Falcon platform and Falcon Complete Next-Gen MDR, PIB Group can quickly integrate new acquisitions without increasing operational overhead.
Ozin also emphasized the importance of reducing endpoint complexity. He wanted to avoid deploying multiple agents and preferred a single sensor that could support multiple security functions through one console. He got that with the unified Falcon platform.
Using Adversary Intelligence and Identity to Control Inherited Risk
As PIB Group’s security program matured, it added CrowdStrike Falcon® Adversary Intelligence, including Recon capabilities for monitoring the dark web and open web. The team uses this intelligence to track exposure tied to executive names, IP addresses, and the hundreds of domains accumulated through acquisitions. This helps identify leaked credentials or exposure related to newly acquired entities, and enables faster cleanup actions.
PIB Group also deployed CrowdStrike Falcon® Next-Gen Identity Security to gain visibility into identity risk inherited through acquisitions. Identity data allows the team to validate what they’re hearing from local IT teams and uncover risks that might otherwise remain hidden.
“We think we know what we’ve got, and then identity tells us we’ve got an account that hasn’t been used for three years and it’s got admin rights,” noted Ozin.
That visibility proves especially valuable during acquisitions, where dormant admin accounts, unchanged passwords, and legacy servers are common. With identity insights available in the same Falcon platform console as endpoint and threat data, PIB Group can identify and remediate those risks early in the integration process.
Replacing Outsourced SOCs With Falcon Next-Gen SIEM
Before adopting CrowdStrike Falcon® Next-Gen SIEM, PIB Group relied on outsourced SOC services. Ozin worked with multiple providers but found they couldn’t keep pace with modern threats. “Every alert that we dealt with in the last four years, CrowdStrike got to it before our SOC,” he said.
In some cases, his outsourced SOCs took up to 24 hours to flag an issue. That delay was unacceptable given modern breakout times of just 29 minutes on average. “Twenty-four hours is a long time in cybersecurity. Breakouts can be minutes nowadays,” explained Ozin.
By moving to Falcon Next-Gen SIEM, PIB Group eliminated delays introduced by outsourced monitoring. Threats are still stopped at the endpoint, but detections and context flow directly into the Falcon platform, allowing CrowdStrike analysts to review and act on events within minutes rather than hours.
A Targeted Ransomware Attempt Put the Model to the Test
A targeted social engineering attack reinforced PIB Group’s decision to consolidate on the Falcon platform. The incident began with unusual email activity targeting multiple employees, a common tactic used to distract users while attackers attempt to gain access.
In one case, an employee was contacted by an attacker impersonating internal IT and was persuaded to install unauthorized remote access software. As soon as malicious activity was executed on the endpoint, the Falcon sensor detected the behavior and automatically contained the machine. Falcon Complete analysts immediately investigated the activity and confirmed the attempted ransomware attack, preventing it from progressing further.
Because detection, containment, investigation, and remediation all occurred within the Falcon platform, PIB Group didn’t need to escalate the incident internally or rely on third-party monitoring. The response was handled end to end by CrowdStrike, allowing the security team to focus on follow-up actions rather than emergency response.
PIB Group later blocked the remote access tool involved and used the incident as an internal education opportunity. The affected employee participated in an internal awareness video explaining what happened, which Ozin said became one of the most viewed pieces of content on the company intranet.
“What was great about that is CrowdStrike stopped it there and then immediately,” said Ozin. “It changed it from being a serious incident into a lesson learned for the whole organization.”