CrowdStrike: Can AI Agents Replace Security Analysts?

CrowdStrike has announced Charlotte Agentic SOAR, an orchestration layer designed to coordinate AI-powered agents across prevention, detection, investigation and response.
Charlotte Agentic SOAR connects CrowdStrike’s native agents with custom-built and third-party agents, with analysts able to use natural language and drag-and-drop controls to direct these agents without writing code.
“Security operations can’t match the speed of AI-accelerated adversaries with static automation and rule-based playbooks,” says Michael Sentonas, President of CrowdStrike. “Charlotte Agentic SOAR brings reasoning and coordination to the agentic SOC, where analysts orchestrate AI-powered agents in real time to stop breaches with speed, precision and control.”
Charlotte Agentic SOAR replaces static playbook systems
Most SOAR tools work through static playbooks that tell security teams to follow predetermined steps when specific events occur. The problem is that attackers change tactics faster than teams can update their playbooks, which means analysts spend considerable time rewriting instructions and manually connecting different security tools.
Charlotte Agentic SOAR takes a different approach by allowing agents to assess situations dynamically. Instead of following fixed instructions, agents examine what’s happening, review what previous actions achieved and decide what to do next based on current conditions, adjusting their responses as the situation evolves rather than sticking to a predetermined sequence.
Security teams still set the parameters and define what agents can and can’t do, but they don't need to script every possible scenario or update playbooks every time threat actors shift their approach.
CrowdStrike built four layers into its agent platform
The foundation of the system is a data layer that pulls signals from endpoints, cloud systems, identity tools and data storage, then converts those signals into information that agents and analysts can act upon. This layer processes the raw telemetry from across an organisation’s infrastructure.
Above that sits a workforce of trained agents. CrowdStrike built these by studying how its Falcon Complete team responds to real incidents, with the managed security service providing a library of actual threat responses from customer environments. The agents learned from observing human experts handle live threats rather than following theoretical models.
The third layer gives organisations the ability to build their own agents through Charlotte AI AgentWorks. Security teams can create agents without coding skills, developing tools that fit their specific requirements and integrating them with CrowdStrike's existing capabilities and third-party products.
- Charlotte Agentic SOAR coordinates CrowdStrike agents, custom-built agents and third-party agents through natural language and drag-and-drop controls
- The Agentic Security Workforce consists of agents trained on data from Falcon Complete and incident response engagements
- The Falcon platform uses a single lightweight agent deployed across endpoints and cloud workloads
Charlotte Agentic SOAR sits at the top as the coordination layer, managing communication between all the agents regardless of their origin.
Charlotte Agentic SOAR manages communication between agents
When one agent finishes a task or discovers important information, it shares that data with other agents in the system. This coordination prevents different agents from duplicating work and helps them align their responses to threats.
Analysts set boundaries for what agents can do autonomously and when they need human approval. They communicate these limits through natural language rather than code, which means an analyst can instruct an agent to investigate an alert but request approval before blocking any network traffic. The system translates these instructions into operational parameters.
CrowdStrike’s Falcon platform covers endpoint protection, cloud workload security, identity protection and data security through its integrated approach. The Security Cloud processes threat intelligence and telemetry data, then delivers detections, automated responses, threat hunting capabilities and vulnerability information back to security teams.
The single agent approach means organisations deploy one piece of software that handles multiple security functions rather than installing separate agents for different capabilities. This architecture reduces the complexity of managing security infrastructure whilst maintaining comprehensive coverage.
Charlotte Agentic SOAR enters a market where several vendors already sell orchestration and automation tools for security operations centres. CrowdStrike argues that the difference lies in how its agents work together and adapt to changing threats rather than following static rules.
“If agents are expected to think, reason, and act like an expert analyst, they must be trained on expert experience, not legacy playbooks,” said George Kurtz, CEO and founder of CrowdStrike at Fal.Con Europe. “That’s the difference between static automation and true intelligence – playbooks train automation, people train intelligence. CrowdStrike’s agents learn from the world’s best SOC operators, giving them the judgment to act autonomously and the discipline to stay under defender command.”