
This site is an independent technical reference. It is not affiliated with or endorsed by Recorded Future, Mandiant, Google Cloud, CrowdStrike, Microsoft, Anomali, ThreatConnect, EclecticIQ, Intel 471, Flashpoint, Palo Alto Networks, Unit 42, Cisco, Fortinet, SentinelOne, IBM, Dropzone AI, Prophet Security, Torq, Cyware, Radiant Security, Tenable, Qualys, Rapid7, DomainTools, SOCRadar, or any other vendor, project, or framework named on this site. MISP, OpenCTI, TheHive, and YARA are trademarks of their respective maintainers. All other trademarks belong to their respective owners. Pricing, feature, and platform-capability information was verified in April 2026 and may have changed since publication.

Some outbound links on this site may be affiliate links. Affiliate relationships do not influence ranking, verdicts, pricing data, or editorial positions. Where a verdict or comparison could be paid-placement-adjacent we mark it explicitly; otherwise assume zero vendor input.


CrowdStrike Falcon, Charlotte AI, and threat intel in 2026

Falcon Adversary Intelligence, Charlotte AI natural-language querying, IBM ATOM bidirectional integration, Falcon Foundry apps, and the verdict for endpoint-first SOCs.

Last verified: May 2026. Independent reference. No vendor input.

Falcon Adversary Intelligence overview

Falcon Adversary Intelligence is CrowdStrike's threat-intelligence module that ships with Falcon (the endpoint detection and response platform). The intelligence content covers CrowdStrike's tracked adversary groups, named with the company's signature naming convention (Bear suffix for Russian-aligned actors, Panda for Chinese-aligned, Chollima for North Korean, Spider for cybercriminal, and so on). For each tracked actor, the intelligence includes a profile, observed TTPs, current campaign tracking, IoC feeds, and threat-hunt hypotheses for analysts.

The differentiator is the endpoint-telemetry foundation. CrowdStrike sees observed adversary activity across the Falcon-deployed customer base in real time; the intelligence reflects what is actually happening on endpoints rather than what is being discussed in underground forums. For an endpoint-first SOC, this telemetry-derived intelligence is the most actionable form: indicators surface because they have been observed in real attacks, and the corresponding detection content is already authored to catch them.

The tier structure has Elite (included in the Elite endpoint bundle) and Premium (additional cost). Premium adds the full curated report library, Adversary OverWatch managed threat hunting, and direct analyst access. Pricing for Falcon endpoint bundles is published per device per year: Falcon Go at $59.99, Pro at $99.99, Enterprise at $184.99, and Elite at custom pricing (typically $250-$400 per device per year for large fleets).

For the broader Falcon endpoint and pricing review, see CrowdStrike Falcon review. The intelligence module is part of the broader Falcon value proposition; evaluate them together.

Charlotte AI natural-language interface

Charlotte AI is CrowdStrike's generative AI assistant for Falcon. The product became generally available in 2024 and has expanded with multi-agent capabilities through 2025 and 2026. The interaction model is natural-language query: an analyst types a question in plain English and Charlotte translates it into Falcon Query Language (FQL) or LogScale queries, runs the query, and summarises the result.

Common query patterns: "show me hosts that have made DNS queries to recently registered domains in the past 24 hours" (returns a host list with DNS context); "summarise the detections fired in the past hour by severity" (returns a structured summary suitable for shift-handoff); "is this hash known to be associated with any tracked adversary?" (returns CrowdStrike Adversary Intelligence context if matched, or an unknown-hash assessment if not).

Charlotte AI is integrated with Falcon Adversary Intelligence, so actor-centric questions return sourced answers. The autonomous-action capability is more limited in 2026 than the Microsoft Security Copilot multi-agent pattern; Charlotte is primarily an analyst-productivity layer rather than a fully autonomous SOC agent. Expect CrowdStrike to expand the agentic capabilities through 2026 and 2027 in response to the Microsoft agentic SOC manifesto.

Pricing for Charlotte AI has historically been bundled with higher-tier Falcon subscriptions. Current packaging varies by contract; verify with CrowdStrike for your scope. For the broader agentic SOC architecture context, see agentic SOC buildout.

IBM ATOM bidirectional integration

The CrowdStrike-IBM partnership announced in 2024 produced the ATOM (Active Threat Operations Management) integration, which bidirectionally connects Falcon Adversary Intelligence with QRadar through ATOM. The pattern is: Falcon-derived intelligence (actor profiles, IoCs, TTPs) flows into ATOM and on to QRadar correlation rules in real time; QRadar context (SIEM events, log data) flows back into Falcon for endpoint-side correlation and for grounding Charlotte AI answers.

The integration targets large enterprise SOCs running QRadar as primary SIEM with Falcon as primary EDR. For these customers, the bidirectional flow reduces the swivel-chair between the SIEM and the EDR consoles that historically consumed substantial analyst time. The integration is meaningful in 2026; expect continued expansion as both vendors push deeper into the multi-agent SOC architecture.

For non-QRadar SOCs, the ATOM-specific integration is not directly applicable, but the pattern (bidirectional CTI plus SIEM flow) is implemented by various vendors. Splunk, Microsoft Sentinel, Chronicle, and Sumo Logic all have CrowdStrike Falcon connectors that achieve similar bidirectional capability at varying depths.

Falcon Foundry app ecosystem

Falcon Foundry is the CrowdStrike platform-as-a-service offering that exposes Falcon data and APIs for third-party app development. Vendors and customers can build apps that integrate with Falcon at the console level (custom dashboards, custom workflow integrations, data-access plugins). The Foundry marketplace in 2026 includes apps from major CTI vendors that want to surface their data directly inside Falcon rather than requiring analysts to switch contexts.

CTI vendors with Foundry apps as of 2026 include Recorded Future (surfaces Insikt reporting and risk scores in the Falcon investigation pane), Mandiant (Mandiant Advantage intelligence integrated with Falcon detections), DomainTools (Iris risk score and passive DNS surfaced for Falcon-observed domains), and various smaller specialist tools. For Falcon-centric SOCs, the Foundry apps reduce the swivel-chair tax of context-switching between Falcon, the SIEM, and the standalone CTI tools.

Foundry apps are typically priced as add-ons to the underlying vendor subscription; the Foundry layer itself is part of the Falcon platform. For customers evaluating multi-vendor CTI strategies, the Foundry presence (or absence) of a vendor in Falcon is a meaningful integration-depth signal.

Verdict for endpoint-first SOCs

For genuinely endpoint-first SOCs (where Falcon is the primary detection surface and EDR-derived telemetry is the foundation of investigation), Falcon plus Adversary Intelligence plus Charlotte AI is a coherent single-vendor stack. The telemetry-derived intelligence is highly actionable, the natural-language interface accelerates analyst workflow, and the bidirectional integrations with IBM QRadar (via ATOM) and the broader Foundry app ecosystem reduce context-switching.

For SOCs where the SIEM is the primary correlation surface and EDR is one of several data sources, Falcon as the CTI primary is an awkward fit. The intelligence depth is real but the centre of gravity is in the wrong place for SIEM-led workflows. The recommended pattern in this case is to use Falcon Adversary Intelligence for EDR-derived signal and use a SIEM-native or platform-native CTI tool (Recorded Future for Splunk, MDTI for Sentinel, Mandiant for Chronicle) as the broader CTI primary.

The pricing is at the premium end of the market. Falcon Enterprise at $184.99 per device per year, plus Adversary Intelligence as a premium add-on, plus Charlotte AI in the higher-tier bundles, can produce six-figure annual costs for mid-size environments. The cost is defensible when the SOC is endpoint-first; it is less defensible when the SOC is SIEM-first and Falcon would be a parallel investment.

FAQ

What is Falcon Adversary Intelligence?

Falcon Adversary Intelligence is the CrowdStrike threat-intelligence module bundled with Falcon. The tier structure is Elite (included in the Elite endpoint bundle) and Premium (additional cost for full curated reports plus Adversary OverWatch). The intelligence covers tracked adversary groups (Bear, Panda, Spider, Chollima, and so on per CrowdStrike's actor-naming convention), TTP profiles, IoC feeds, and threat hunting hypotheses. The differentiator is the endpoint-telemetry-derived intelligence: indicators and TTPs surface from observed activity across the Falcon-deployed customer base, providing telemetry depth that pure-feed vendors do not have.

What does Charlotte AI do?

Charlotte AI is CrowdStrike's generative AI assistant for Falcon, generally available since 2024. It performs natural-language querying of Falcon data, detection summarisation, host investigation, and threat hunting. Charlotte AI is integrated with Falcon Adversary Intelligence, so analysts can ask actor-centric questions ('show me activity consistent with Spider actors on our hosts in the past 7 days') and receive sourced answers. Pricing has historically been bundled with higher-tier Falcon subscriptions; check current packaging with CrowdStrike directly.

What is the IBM ATOM integration?

IBM ATOM (Active Threat Operations Management) is IBM's bidirectional threat-intelligence platform for QRadar customers. The CrowdStrike-IBM partnership announced in 2024 includes deep integration where Falcon adversary intelligence flows into ATOM and QRadar, and QRadar context flows back into Falcon for endpoint correlation. The partnership is targeted at large enterprise SOCs running QRadar as primary SIEM with Falcon as primary EDR; for these customers the bidirectional flow reduces context-switching across two important tools.

What is Falcon Foundry?

Falcon Foundry is the CrowdStrike platform-as-a-service offering that exposes Falcon data and APIs for third-party app development. Vendors and customers can build apps that integrate with Falcon (data access, custom dashboards, custom workflow integrations). In the threat-intel space, several CTI vendors have shipped Foundry apps that surface their data in the Falcon console; Recorded Future, Mandiant, and DomainTools all have Foundry presence as of 2026. For customers heavily invested in Falcon, Foundry apps reduce the swivel-chair between SIEM, EDR, and CTI platforms.

Is CrowdStrike Falcon a good fit for non-endpoint-first SOCs?

Falcon is endpoint-first by design. For SOCs where the SIEM (Splunk ES, Microsoft Sentinel, Chronicle) is the primary correlation surface and EDR is one of several data sources, Falcon as the threat-intel primary creates an awkward fit because the centre of gravity is in the wrong place. For these SOCs, the recommended pattern is to use Falcon for endpoint detection and EDR-derived intelligence, and use a SIEM-native or platform-native threat-intel tool (Recorded Future, Mandiant, MDTI) as the broader CTI primary. For genuinely endpoint-first SOCs, Falcon plus Adversary Intelligence is a strong single-vendor stack.

Updated 2026-05-11