CrowdStrike vs Darktrace

CrowdStrike is a cybersecurity consultancy that developed a range of security tools; Darktrace started up as a cybersecurity systems provider that deploys cutting-edge detection methods. Both of these system providers aim to supply total enterprise protection packages.

CrowdStrike and Darktrace both offer their services from cloud platforms but both also require programs to be installed locally on the systems that are being monitored and protected. CrowdStrike has a larger menu of services than Darktrace and the best way to compare these two providers is to narrow the focus on the one area that Darktrace covers, which is network-wide security; that function is provided by CrowdStrike Falcon XDR.

About CrowdStrike


CrowdStrike began in 2011 as a cybersecurity consultancy and it started developing its own IT systems to sell to the business community in 2013. Both systems and consultancy divisions continue to operate and they collaborate to provide a third business strategy, which is managed services.

CrowdStrike’s competitive edge came from the publicity generated by the high-profile threats on which the company’s consultancy arm worked in 2015 and 2016. Notably, the Sony Pictures data leak in 2015 drew a lot of news media attention and got CrowdStrike’s name a great deal of exposure. This free publicity boosted the company’s cybersecurity systems sales. Brand awareness was further enhanced by CrowdStrike’s involvement in uncovering and mitigating the Democratic National Committee (DNC) email hacks in 2015 and 2016.

CrowdStrike Holdings, Inc. was listed on NASDAQ in 2019. The company’s revenue reached $1.45 billion in 2021, making it a NASDAQ-100 component with a market valuation of more than $51 billion. CrowdStrike moved its headquarters from Sunnyvale, California to Austin, Texas in December 2021. The company now has 3,394 employees.

CrowdStrike’s systems run on cloud platforms and its main product line is called Falcon. The core system that the company offers is its first creation, which is CrowdStrike Falcon Prevent. This is an endpoint protection system, billed as a next-generation anti-virus service. The Prevent tool acts as a device agent for all of the other systems in the Falcon family, which are delivered from the cloud.

About Darktrace


Darktrace is a British cybersecurity business that started in 2013. The company’s history is closely linked with the business dealings of its founder, Mike Lynch. The business is based in Cambridge, UK, which is a hub for technology, thanks to the presence of Cambridge University, one of the world’s leading seats of learning.

Mike Lynch went to Cambridge University and eventually started up an innovative business called Autonomy Corporation, which used machine learning for search strategies. Lynch sold Autonomy to Hewlett-Packard for $11 billion in 2011. This sale has been contentious, however, with Hewlett-Packard later claiming that the valuation of the company was falsely inflated by accounting irregularities.

Lynch used the behavioral analytics system that lay at the heart of the Autonomy system as part of the core of Darktrace when he started up that business in 2013. Behavioral analytics is now part of most cybersecurity systems, including CrowdStrike XDR. Darktrace’s main package is called Darktrace Enterprise Immune System.

As the key detection mechanism of Darktrace has been adopted by rivals, the company’s competitive advantage has been eroded. The ongoing legal battle between Hewlett-Packard and Lynch has also damaged the valuation of Darktrace with its share price falling even though its income is increasing.

The company floated on the London Stock Exchange in April 2021 with a market capitalization of £2.5 billion ($3.26 billion). Shares rose in value quickly, giving the business a value of £7 billion ($9.14 billion) by late September 2021. However, the company has since fallen in value and currently (April 2021) has a market capitalization of £2.88 billion ($3.76 billion). The company’s turnover in 2021 was $281 million. Darktrace has 1,600 employees.

System-wide security

There are several different approaches possible for system-wide security. The basic requirement for such systems is to identify malicious activity and then block it. The way that task is performed usually depends on the technical expertise and history of the provider – businesses that developed firewalls will propose an edge solution and providers that started with anti-virus systems prefer endpoint scanning as a basis for their enterprise protection systems.

Detection systems fall into two categories: host-based and network-based. There are also two camps of detection methods: signature-based and anomaly-based.

An anomaly-based detection system learns patterns of normal activity and then scans for deviations from that standard. A security system can establish a pattern of behavior per user or per device; many services do both. The application of machine learning enables the assessment of what counts as “normal behavior” to be decided automatically, and that baseline can be continually tweaked by subsequent observations.
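The following is an added illustration of the per-entity baselining just described, not code from CrowdStrike or Darktrace: each (user, metric) pair gets its own running norm, a value far outside that norm is flagged, and only values judged normal are folded back into the baseline. The activity records are constructed sample data.

```python
# Added illustration of per-entity anomaly detection in the UEBA style the
# article describes; not CrowdStrike or Darktrace code. Sample data is constructed.
import math
from collections import defaultdict

class Baseline:
    """Running mean/variance of one metric for one entity (Welford's method)."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0
    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
    def zscore(self, x):  # distance from the learned norm, in standard deviations
        if self.n < 2:
            return 0.0
        sd = math.sqrt(self.m2 / (self.n - 1))
        if sd == 0.0:
            return 0.0 if x == self.mean else math.inf
        return abs(x - self.mean) / sd

class AnomalyDetector:
    """One baseline per (entity, metric). Values judged normal keep tweaking the
    baseline; a flagged value is NOT folded in, so the norm cannot be dragged
    upward gradually by feeding it ever-larger values."""
    def __init__(self, warmup=5, threshold=3.0):
        self.warmup, self.threshold = warmup, threshold
        self.baselines = defaultdict(Baseline)
    def observe(self, entity, metric, value):
        # True if value is anomalous for this entity; otherwise learn from it
        b = self.baselines[(entity, metric)]
        if b.n >= self.warmup and b.zscore(value) > self.threshold:
            return True
        b.update(value)
        return False

# Constructed sample: daily outbound data volume (MB) per user account.
SAMPLE_RECORDS = [
    ("alice", 12), ("bob", 200), ("alice", 15), ("bob", 220), ("alice", 11),
    ("bob", 190), ("alice", 14), ("bob", 210), ("alice", 13), ("bob", 205),
    ("alice", 480),  # bulk transfer far outside alice's own norm
    ("bob", 215),    # similar scale to alice's outlier, yet normal for bob
]

def run_sample(records=SAMPLE_RECORDS):
    # Replay records; return flagged (user, value) pairs plus the detector
    det = AnomalyDetector()
    hits = [(u, v) for u, v in records if det.observe(u, "bytes_out_mb", v)]
    return hits, det
```

Note that 215 MB is flagged for nobody here even though it is far above alice’s norm, because the baseline is per entity; the same figure would be flagged if it appeared under alice’s account.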

CrowdStrike vs Darktrace: Head-to-head

CrowdStrike and Darktrace are both anomaly-based detection systems. They use very similar methods to identify a threat, whether that threat is a human intruder operating manually or software-based, such as malware.

Machine learning lay at the heart of the Autonomy search engine system and was also applied to Darktrace. In cybersecurity, this methodology is called “user and entity behavior analytics” (UEBA). CrowdStrike also adopted this strategy for its cybersecurity systems, including Falcon XDR.

The big difference between CrowdStrike Falcon XDR and the Darktrace system is that CrowdStrike’s service is host-based, while Darktrace is network-based. The difference between these definitions is often one of nuance, because network-based systems run on a computer, or “host”, and host-based systems also look at network activity.

Intrusion detection systems (IDSs) become intrusion prevention systems (IPSs) when they include automated response mechanisms. Both Darktrace and CrowdStrike Falcon XDR are in the IPS category because they implement actions to shut down malicious activity without human intervention.

The CrowdStrike system uses security orchestration, automation, and response (SOAR) for threat detection and mitigation. This is a method of coordination with third-party security tools, such as access rights managers and firewalls, first to extract activity data and then implement responses. Typical threat mitigation with SOAR would be to suspend a user account in an access rights manager or to post a firewall rule that blocks traffic from an external IP address.

Darktrace’s threat mitigation system is called Antigena. This also deploys SOAR to block the network activity of a suspicious actor.

CrowdStrike Falcon XDR details

The basis of CrowdStrike Falcon XDR is the Falcon Prevent unit. Falcon Prevent is an anti-virus package that needs to be installed on each endpoint. The service can continue protecting a computer when it is disconnected from the network.

The cloud platform of the Falcon system keeps each Prevent installation up to date both with software updates and threat intelligence. The Prevent unit performs UEBA, establishing normal activity on that device, and then looks for anomalies. Periodically, the service updates activity records to the Falcon platform.

CrowdStrike has a service called Falcon Insight, which is an endpoint detection and response (EDR) package. This is also the main data processor of Falcon XDR. The difference between Falcon Insight and Falcon XDR is that the XDR system gathers extra activity data from third-party security tools, adding local logs to fill in the gaps between endpoints. This is particularly useful because the EDR strategy ignores firewalls and network devices, such as switches and routers.

Falcon XDR passes threat information back to each Prevent installation to spread the news of an attack reported by one endpoint, enabling all endpoints to harden and focus threat detection on that issue. CrowdStrike offers a global threat intelligence feed that can be added on for a fee; this is called Falcon X. Falcon XDR adds communication with third-party tools to the mitigation strategies of Falcon Insight.

Darktrace Enterprise Immune System details

Darktrace Enterprise Immune System was originally designed as a tool to detect insider threats and account takeover events. These types of threats are difficult for traditional IDSs to deal with because authorized user accounts are implicitly trusted by most network security systems. The irregular activity of authorized accounts is the type of security incident that UEBA is designed to combat.

Darktrace’s strategy of looking for deviations from standard patterns of behavior was easily adapted to the scanning of all activities. Usually, business systems are designed to only allow outside traffic in if it is in response to requests generated from within the network. So, spotting unsolicited incoming packets is relatively easy – such rogue traffic should be rare, thanks to the blocking intervention of firewalls.

The entity behavior aspect of Darktrace caters to the risks engendered by software. Malware is only part of the hacker’s strategy, because regular, authorized utilities on any endpoint can be invoked to serve the hacker’s purposes; PowerShell scripts are an example of this phenomenon.

The Darktrace system has one big advantage over CrowdStrike Falcon XDR because it also covers traffic between the network and cloud platforms. CrowdStrike offers different products for this scenario. The cloud systems that Darktrace can cover are AWS, Azure, GCP services, Microsoft 365, Exchange Server, Google Workspaces, plus Okta, Slack, Box, Dropbox, Zoom, Teams, Duo, and Salesforce. The tool is also able to protect traffic with IoT devices.

The Darktrace system is based in the cloud and it reaches out to all protected networks through endpoint agents, called Darktrace for Endpoints. This is a lightweight equivalent of the Falcon Prevent package that operates in the CrowdStrike Falcon XDR ecosystem. The Darktrace system is also able to monitor activity on virtualization services and containers.

Darktrace has an extension to monitor the security of the remote devices used by work-from-home and roaming users. This is implemented through collaboration with Zscaler. There is also a version of Darktrace for industrial systems, called Darktrace Industrial Immune Systems.

Like CrowdStrike, Darktrace interacts with third-party security products to gather information and implement responses. The main threat response mechanism in Darktrace is called Antigena, which is a SOAR package.

CrowdStrike for Cloud and hybrid systems

CrowdStrike Falcon XDR doesn’t cover cloud services, although it can integrate the protection of remote worker devices and multiple sites. Businesses that use cloud services, either exclusively or in addition to in-office networks, would need to look into CrowdStrike Cloud Workload Protection (CWP) to cover those cloud resources.

CrowdStrike Falcon XDR and Darktrace Enterprise Immune System pricing

Neither CrowdStrike nor Darktrace publishes its prices. CrowdStrike offers a 15-day free trial of Falcon Prevent. However, there isn’t a trial or demo for the Falcon XDR system, other than a video on the CrowdStrike site. You can get a 30-day free trial of the Darktrace Enterprise Immune System.

CrowdStrike vs Darktrace: The verdict

CrowdStrike is a much larger enterprise and offers many more cybersecurity products than Darktrace. However, in the one area that Darktrace operates, it is probably a better provider than CrowdStrike.

Both systems use SOAR for data gathering and automated response, and both have endpoint units. In the case of CrowdStrike Falcon XDR, that endpoint unit is a full-blown next-gen AV system. That gives the system continuity of operation if the device is taken offline. However, the downside of that strategy is that the security software imposes a greater load on the endpoint’s processor.

The vital feature that gives Darktrace the edge over CrowdStrike is its hybrid capabilities that offer equal protection for cloud services in the same package as its network protection system. Both services can interlink the protection of multiple sites, but CrowdStrike requires users of cloud systems to add on an extra security product to get full security.

You can learn more about UEBA in our guide, What is UEBA (User and Entity Behavior Analytics)? You might also be interested in our article, What is SOAR (Security Orchestration, Automation and Response)?

CrowdStrike and Darktrace are not the only providers of XDR systems. To find out about other suppliers in this field, take a look at The Best XDR Tools and Software.