Analyst(s): Fernando Montenegro
Publication Date: April 1, 2026

CrowdStrike expanded its Charlotte AI ecosystem across partners, IBM, and Intel to accelerate agentic SOC transformation and AI endpoint security. The move strengthens platform reach, but execution depends on real-world adoption, integration, and monetization.

What is Covered in This Article:

• CrowdStrike launched the Charlotte AI AgentWorks ecosystem with major partners to build and scale custom security agents
• Expanded collaboration with IBM integrates Charlotte AI with ATOM for coordinated, machine-speed SOC response
• Strategic partnership with Intel brings Falcon platform capabilities to AI PCs for endpoint-level AI security
• Agentic SOC model aims to reduce manual workloads, improve response times, and enable partner-led security businesses
• Monetization and execution depend on the adoption of Falcon modules, partner enablement, and enterprise deployment cycles

The News: CrowdStrike introduced the Charlotte AI AgentWorks Ecosystem at RSA 2026, enabling customers and partners to build, test, deploy, and orchestrate custom security agents using a no-code platform integrated with AI models from Anthropic, NVIDIA, and OpenAI, as well as AWS infrastructure. The ecosystem includes partners such as Accenture, Deloitte, Kroll, Salesforce, and Telefónica Tech, and is supported by Charlotte Agentic SOAR for orchestration, governance, and coordination across agents and workflows.

The company also expanded strategic collaborations with IBM and Intel. The IBM integration combines Charlotte AI with IBM’s Autonomous Threat Operations Machine (ATOM) to enable coordinated investigation and containment across endpoint, identity, and cloud environments, while embedding Falcon into IBM’s managed security services and Cyber Range simulations. Separately, CrowdStrike optimized the Falcon platform for Intel-powered AI PCs, enabling real-time threat detection, data protection, and unified telemetry across AI-driven workflows at the endpoint.

CrowdStrike Deepens Agentic SOC Strategy Across Partners, Services, and Devices

Analyst Take: CrowdStrike’s agentic SOC strategy centers on expanding the Charlotte AI AgentWorks ecosystem, integrating with IBM’s ATOM, and extending Falcon into Intel-powered AI PCs to enable coordinated, machine-speed security operations. The platform enables no-code development of security agents, integrates with multiple frontier AI models, and is designed to reduce manual workloads while improving response accuracy. Reported outcomes include a 70% reduction in manual investigation workloads, more than 40 hours of weekly capacity restored, and greater than 98% decision accuracy. At the same time, threat dynamics are accelerating, with eCrime breakout times as fast as 27 seconds and AI-driven attacks increasing 89% year-over-year. These moves collectively expand CrowdStrike’s presence across ecosystem development, managed SOC execution, and endpoint-level AI security. The combined initiatives position CrowdStrike to operationalize agentic SOC models across partners, services, and endpoints.

Ecosystem-led Agent Creation Shifts Security Execution Toward Partners

CrowdStrike’s Charlotte AI AgentWorks ecosystem is structured to enable partners and customers to build custom security agents without writing code by integrating with models from Anthropic, NVIDIA, and OpenAI. Partners, including Accenture, Deloitte, Kroll, Salesforce, and Telefónica Tech, are already using the platform to design agents tailored to specific customer outcomes. Feedback from partners and customers indicates demand for rapidly creating agents for defined security tasks, rather than relying on pre-built workflows. The ecosystem also creates opportunities for partners to build agentic security businesses on the Falcon platform, aligning service delivery directly with platform capabilities. This positions CrowdStrike’s growth in agentic SOC not just on product adoption, but on partner-led execution and customization at scale.

IBM Integration Targets Operational Bottlenecks in Real-world SOC Environments

The integration of Charlotte AI with IBM’s Autonomous Threat Operations Machine (ATOM) aims to reduce delays in detection, analysis, and containment within security operations centers. The combined system analyzes signals across endpoint, identity, and cloud environments and coordinates response actions in real time, reducing manual handoffs between tools and teams. This is critical as attacker breakout times have dropped to 29 minutes on average, with the fastest at 27 seconds, and attacks on public-facing applications are rising 44% year-over-year. Embedding Falcon into IBM’s managed detection and response services also connects platform-level telemetry directly into service delivery for customers relying on external SOC operations. The collaboration reflects a shift toward integrated systems that can investigate and act without waiting for human intervention.

Intel Collaboration Extends Security into the AI Endpoint Layer

CrowdStrike’s expansion with Intel brings Falcon platform capabilities into AI PCs, where AI workloads are increasingly processed directly on the device. The integration combines Falcon’s threat intelligence with Intel’s NPUs, silicon-level telemetry, and Intel Threat Detection Technology to enable real-time detection and protection within AI-driven workflows. It also introduces capabilities such as data classification during interactions with local AI tools, unified telemetry across endpoint, identity, and cloud layers, and hardware-assisted recovery through Intel vPro. This expansion reflects a broader move to extend Falcon into AI PC reference architectures and enterprise endpoint environments, building on existing hardware-assisted detection frameworks and scaling them across enterprise fleets. The context for this shift is the expansion of the attack surface as AI assistants process sensitive data locally, with CrowdStrike identifying more than 1,800 AI applications and nearly 160 million unique app instances across its customer base. This collaboration extends security to where AI execution and risk increasingly reside.

Monetization Hinges on Module Adoption and Enterprise Deployment Cycles

The expansion across ecosystem, services, and endpoint layers creates multiple pathways for CrowdStrike to drive platform usage, but the revenue impact depends on converting to paid modules and achieving enterprise adoption. Falcon Data Security, which enables discovery, classification, and policy enforcement for AI interactions, represents a key monetization vector tied to data protection and AI governance. CrowdStrike reported FY 2026 ARR of $5.25 billion, up 24% year-over-year, with a valuation that implies continued multi-module expansion. However, the Intel collaboration reflects an architectural extension of existing capabilities rather than a fully new product suite, and some elements remain in development. The near-term impact is therefore tied less to announcements and more to whether enterprises deploy these capabilities at scale and convert them into incremental spending. Together, these initiatives position CrowdStrike across the full agentic SOC stack — from agent creation and orchestration to service delivery and endpoint execution.

What to Watch:

• Do enterprises have the ability to deploy and manage custom security agents at scale without increasing operational complexity? As teams struggle with multiple demands, this efficiency is key.
• Will we see the adoption of Falcon Data Security and other modules linked to AI governance and endpoint protection? Success in enterprise cybersecurity increasingly means a broad view of environments, well beyond endpoints.
• Will the effectiveness of IBM integration in reducing response times and eliminating manual SOC handoffs materialize? The effort may not yield many results unless organizations see real value in terms of efficiency.
• How will the pace of enterprise AI PC refresh cycles impact the adoption of endpoint-level AI security capabilities? The presence of improved endpoint capabilities opens the door for innovations in endpoint security.
• How will the partner-driven execution of agentic SOC use cases and creation of agentic security services on the Falcon platform fare against competitors? CrowdStrike has been known as a premium brand and must now navigate the pressure to automate SOC workflows.

See the complete press release on the launch of the Charlotte AI AgentWorks ecosystem and related collaborations on the company’s website.

Declaration of generative AI and AI-assisted technologies in the writing process: This content has been generated with the support of artificial intelligence technologies. Due to the fast pace of content creation and the continuous evolution of data and information, The Futurum Group and its analysts strive to ensure the accuracy and factual integrity of the information presented. However, the opinions and interpretations expressed in this content reflect those of the individual author/analyst. The Futurum Group makes no guarantees regarding the completeness, accuracy, or reliability of any information contained herein. Readers are encouraged to verify facts independently and consult relevant sources for further clarification.

Disclosure: Futurum is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum as a whole.

Other Insights from Futurum:

Will CrowdStrike Flex Force a Rethink of Cybersecurity’s Pricing Status Quo?

CrowdStrike Q4 FY 2026 Earnings Extend ARR Scale and AI Security Focus

As CrowdStrike Buys Seraphic, Is Browser Security Destined to Be Just a Feature?

Author Information

Fernando Montenegro

Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity & Resilience at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.

Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.

Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.