Falcon Host FAQ

Learn More About Next-Generation Endpoint Protection


What does Falcon Host do?

Falcon Host is focused on stopping breaches. While existing endpoint and server products are ineffective against sophisticated threats and adversaries — particularly attacks that are not dependent on malware — Falcon Host provides advanced detection, prevention, monitoring and search capabilities to close this security gap and keep adversaries off your endpoints and out of your environment.

How does Falcon Host compare to other “next-generation” endpoint protection solutions? What makes Falcon Host unique?

Falcon Host provides next-generation antivirus, EDR and managed hunting capabilities in a tiny 5MB sensor that is Cloud managed and delivered, and that can be deployed and operational in hours, on tens of thousands of endpoints.

The unique benefits of this unified and lightweight approach are immediate time to value and better protection that goes beyond detecting malware to stop breaches before they occur. This capability is based on our unique focus on detecting Indicators of Attack (IOA) in addition to other protection methods such as machine learning, exploit blocking, blacklisting and whitelisting. Another unique aspect is that Falcon Host is backed by the 24/7 Falcon Overwatch, CrowdStrike’s team of proactive hunters, creating an expertise and effectiveness multiplier to your internal security team.

How does Falcon Host work?

Falcon Host consists of two parts. First, a lightweight sensor is deployed to every endpoint, where it is responsible for gathering appropriate system events from the host. The sensor is intelligent and, as such, can take proactive detection and prevention actions as needed. Second, data is transmitted continuously from the sensor to the CrowdStrike Threat Graph™, where we analyze and draw links between events across the entire Falcon Host sensor community. The Threat Graph™ employs a sophisticated and powerful graph data model, constantly analyzing data to establish behavioral patterns that indicate new attacks, whether they use malware or not.

What is Falcon Overwatch and do I get this as part of Falcon Host?

Falcon Overwatch is a service offered in combination with Falcon Host. It is a global team of intrusion response experts who proactively hunt for adversaries and attacks around the clock, augmenting your own security operations to ensure attacks don’t go undetected in your environment. For clarity, Falcon Overwatch is not a Managed Security Service in the conventional sense (responsible for clearing alerts, workflow, etc.), but is a service that provides additional hunting resources in concert with the Falcon Host product.

Can I use Falcon Host for incident response?

Absolutely. Falcon Host is used extensively for incident response. Falcon Host provides remote visibility across endpoints throughout the environment, enabling instant access to the “who, what, when, where and how” of an attack. The cloud-based architecture of Falcon Host enables significantly faster incident response and remediation times.

Can Falcon Host block attacks?

Yes. Falcon Host offers powerful prevention capabilities. Falcon Host can stop execution of malicious code, block zero-day exploits, kill processes, and contain command-and-control callbacks.

How does Falcon Host compare to other “next generation” endpoint protection solutions? What makes Falcon Host unique?

Falcon Host uniquely combines Next Generation Antivirus, Endpoint Detection and Response and Managed Hunting, delivered via the Cloud. CrowdStrike has pioneered the use of Indicators of Attack (IOA) to protect against advanced and persistent threats, whether they use malware or not. Falcon Host is backed by the 24/7 Falcon Overwatch team, proactively hunting for adversaries and threats in your environment. This team of expert hunters provides an expertise and effectiveness multiplier to your internal security team.

How is Falcon Host involved in the antivirus community?

CrowdStrike is a member of the following organizations and participates in the following programs:

  • Microsoft Virus Information Alliance (VIA) and Microsoft Virus Initiative (MVI)
  • AMTSO Anti-Malware Testing Standards Organization


Do I need a large staff to maintain my Falcon Host environment?

No. Falcon Host delivers next-generation endpoint protection leveraging the Cloud. A key element of what we see as ‘next gen’ is reducing overhead, friction and cost in protecting the endpoint. There is no on-premise equipment to be maintained, managed or updated. The Falcon Host is unobtrusive in terms of endpoint system resources and updates are seamless, requiring no re-boots. The Falcon Host web console provides an intuitive and informative view of your complete environment.

Does Falcon Host interfere with other endpoint software?

Falcon Host was designed to interoperate without obstructing other endpoint software, including other endpoint security products, such as third-party AV and malware detection solutions.

How do I integrate with the Falcon Platform?

Falcon Connect has been created to fully leverage the power of the Falcon Platform. It provides the APIs, resources and tools needed by customers and partners to develop, integrate and extend the use of the Falcon Platform, both on its own and with other security platforms and tools.

Does Falcon Host integrate with my SIEM?

Falcon Host offers two points of integration with SIEM solutions:

  • Customers can import IOCs (Indicators of Compromise) from their SIEM into the Falcon Host Platform, using an API.
  • Customers can forward Falcon Host events to their SIEM using the Falcon SIEM Connector. The Falcon SIEM Connector enables integration with most SIEMs, such as HP ArcSight, IBM QRadar, and Splunk. Additionally, the Falcon Streaming API is available to customers who wish to build their own custom integration.

Does Falcon Host replace AntiVirus?

Customers can choose to operate Falcon Host side-by-side with antivirus or disable their antivirus.


How long does it take to get started with Falcon Host?

Literally minutes. A lightweight sensor (<10MB) is deployed to your endpoints and you monitor and manage your environment via a web console. With Falcon Host there are no controllers to be installed, configured, updated or maintained: there is no on-premise equipment.

What operating systems does Falcon Host support?

Supported Platforms:

  • Windows Server: Win Server 2008R2 SP1 and above
  • Windows: Win 7 SP1 and above
  • Mac: OSX 10.8 and above
  • Linux:
      – RHEL 7.0-7.2
      – RHEL 6.2-6.8
      – CentOS 7.0-7.2
      – CentOS 6.2-6.8
      – Ubuntu 14.04 LTS (minimum kernel version 3.13.0-32)
      – SUSE Linux Enterprise Server 11.3-11.4 (minimum kernel version 3.0.101-
      – SUSE Linux Enterprise Server 12-12.1 (minimum kernel version 3.12.39-47)

Can Falcon Host scale to protect large environments with 100,000-plus endpoints?

Yes. Falcon Host is a proven cloud-based platform enabling customers to scale seamlessly and with no performance impact across large environments. The platform’s “frictionless” deployment has been successfully verified across enterprise environments containing more than 100,000 endpoints.


Is Falcon Host cloud-based or on-premise?

Falcon Host is a 100% cloud-based solution, offering Security as a Service to customers. Falcon Host requires no servers or controllers to be installed, freeing you from the cost and hassle of managing, maintaining and updating on-premise software or equipment.

Is Falcon Host SOC2 compliant?

Yes. CrowdStrike Falcon Host is SOC2 compliant. Additionally, we are TRUSTe compliant.

How does the Falcon Host sensor talk to the Cloud and how much data does it send?

All data transmitted from the sensor to the cloud is protected in an SSL/TLS-encrypted tunnel. On average, each sensor transmits about 2-4MBs/day.

Is the Falcon Host ‘sensor’ another agent? Will it slow down my endpoints?

The Falcon Host sensor’s design makes it extremely lightweight (consuming 1% or less of CPU) and unobtrusive: there’s no UI, no pop-ups, no re-boots, and all updates are performed silently and automatically. In fact, the Falcon Host sensor actually improves endpoint performance, because it does the work of (and thus replaces) nine discrete agents with a single agent that has zero impact on system performance or user productivity.

What data is sent to the CrowdStrike Cloud?

Falcon Host is designed to maximize customer visibility into real-time and historical endpoint security events by gathering event data needed to identify, understand and respond to attacks — but nothing more. This default set of system events focused on process execution is continually monitored for suspicious activity. When such activity is detected, additional data collection activities are initiated to better understand the situation and enable a timely response to the event, as needed or desired. Note that the specific data collected changes as we advance our capabilities and in response to changes in the threat landscape. Information related to activity on the endpoint is gathered via the Falcon Host sensor and is made available to the customer via the secure Falcon Host web management console.

How do you separate and safeguard data sent to your Cloud?

All data sent from the Falcon Host sensor is tagged with unique, anonymous identifier values. Data and identifiers are always stored separately. Once in our cloud, the data is heavily protected with strict data privacy and access control policies. All data access within the system is managed through constrained APIs that require a customer-specific token to access only that customer’s data. Our analysis engines act on the raw event data, and only leverage the anonymized identifier values for clustering of results.


What is an IOA?

While other security solutions rely solely on Indicators of Compromise (IOCs) — such as known malware signatures, hashes, domains, IPs and other clues left behind after a breach — CrowdStrike also can detect live Indicators of Attack (IOAs), identifying adversarial activity and behaviors across the entire attack timeline, all in real time. Falcon’s unique ability to detect IOAs allows you to stop attacks before a damaging breach occurs.

What detection capabilities does Falcon Host have?

For ‘known’ threats, Falcon Host provides cloud-based antivirus and IOC detection capabilities. For unknown and zero-day threats, Falcon Host applies IOA detection, using machine learning techniques to build predictive models that can detect never-before-seen malicious activities with high accuracy. Driven by the CrowdStrike Threat Graph™ data model, this IOA analysis recognizes behavioral patterns to detect new attacks, whether they use malware or not. The range and capability of Falcon Host’s detection techniques far surpass other security solutions on the market, particularly with regard to unknown and previously “undetectable” emerging threats.

Does Falcon Host provide malware prevention?

Falcon Host prevents known and unknown malware by using an array of complementary methods:

  1. Machine Learning
  2. Custom Blocking (Whitelisting and Blacklisting)
  3. Exploit Blocking
  4. IOA (Indicators of Attack) Prevention
  5. And additional protection specific to Ransomware

Customers can control and configure all of the prevention capabilities of Falcon Host within the response app.

Is the Falcon Host Machine Learning feature configurable?

Yes. Falcon Host includes a feature called the Machine Learning Slider, which offers several options to control thresholds for Machine Learning. In addition, this unique feature allows users to set up independent thresholds for detection and for prevention.

Does Falcon Host protect against Ransomware?

Falcon Host uses an array of complementary prevention and detection methods to protect against ransomware:

  • Blocking of known ransomware
  • Exploit Blocking – to stop the execution and spread of ransomware via un-patched vulnerabilities
  • Machine Learning for detection of previously unknown ‘zero-day’ ransomware
  • Indicators of Attack (IOAs) to identify and block additional unknown ransomware, as well as new categories of ransomware that do not use files to encrypt victim systems

Can Falcon Host detect in-memory attacks?

Falcon Host is equally effective against attacks occurring on-disk or in-memory. The platform continuously watches for suspicious processes, events and activities, wherever they may occur.

What prevention capabilities does Falcon Host have?

Falcon Host provides the following prevention capabilities: custom whitelisting, custom blacklisting, malware blocking, exploit blocking and IOA-based prevention.

