Crowdstrike's Acquisition - Preempt

Crowdstrike went out and acquired a security company called Preempt. Based on this article,… it appears that customers were asking CRWD to beef up their zero trust credentials, so CRWD went out and did something about it. I spent some more time digging into Preempt and came away pretty excited from a technology standpoint.

First, a very basic primer on what CRWD does. CRWD has a multipronged approach to endpoint security that is broken down into the agent that is installed on each endpoint (for simplicity’s sake you can think of this as a computer) and their central database that they use to crowdsource threat information. I don’t want to get too into the weeds but I think it is important to understand from a basic level what they do so as to understand why Preempt is so cool.

CRWD’s main product monitors your endpoint (computer) for malicious activity. It is just looking for things that appear out of the ordinary. Some antivirus programs do this by looking for virus signatures (the digital fingerprints of the virus); others look for more indirect markers like suspicious activity, maybe a certain file growing too large as it gobbles up data. Crowdstrike has amplified this (so have a few other companies) with their AI powered central database, so if suspicious activity is found somewhere then everyone that has Crowdstrike across the world will now look for that activity.

They also have a firewall which prevents stuff getting into the endpoint or out of it. Their firewall has some nice features that we don’t really need to get into other than some of it is based on users or applications. More on why this matters later.

They also have a product called IT hygiene. This is a service that companies can use to make sure applications are all updated, correct versions etc, how often they are used, what things certain users typically use.

They have a bunch of other services that are great but not totally germane to this conversation.

Lots of what CRWD does (they do much more than this, but this generalization is useful) is look at historic norms and if something deviates from that norm then it flags the activity as suspicious.

Now we are leaving CRWD for a second and talking about identity management. Most/all companies have some sort of identity service. People’s identity is tied into permissions or credentials, which are rules that inform what they can access such as files, applications, networks. From an end user standpoint this model is nice because people just have to prove their identity and then they can use all their applications, access their files and networks. From a security standpoint this is nice because it allows for the zero trust model. The old model of security was basically a locked front door. If you had a key to the front door you had access to everything in the house. The zero trust model means you need a new key (credential) for each and every single thing you access or do in the house. You have to prove you can open the fridge, show your credentials to turn on the TV, change the channel, etc.

Preempt is really interesting because they go into an organization and get the identities and credentials information from the IaaS (identity as a service) provider (OKTA, PING, MSFT and many others). Preempt then uses that information to build security profiles so they can see if an entity is accessing something unexpected or if the entity somehow has permissions it shouldn’t. They can look at security hygiene in a very robust way and spot insider attacks in real time. With the information Preempt can tell if an account is too high risk because it has access to too many things. All in all it is a very cool product that appears to make managing identity and permissions much more holistic as well as real time threat analysis.

The combination of Preempt and CRWD is going to be really powerful because CRWD is looking for patterns whereas Preempt has knowledge of exactly what the rules/permissions are, if those permissions are appropriate, and if credentials are being used in an appropriate way. Preempt will allow CRWD to have a much greater understanding of what should be happening as well as allow CRWD to give companies much greater insight into their security hygiene. This will make the security products that CRWD already has much more powerful. IT hygiene will be much more useful to companies, the firewall product will have a much greater understanding of what should be happening and the activity monitor now doesn’t just have to look at historical norms but has an understanding of what is actually allowed.

Preempt has a blurb that 80% of breaches involve credentials… I haven’t seen numbers from a neutral third party but that number certainly lines up with what I have heard from people who work in the industry. Makes a lot of sense for CRWD to strengthen their offering with much more robust knowledge of identity. Apple recently fixed a bunch of security vulnerabilities as discussed in this article,… Some of the vulnerabilities were bugs that allowed accounts to escalate their privileges, others were accounts that were too privileged (too much access to too much information). Apple had no idea that they had those vulnerabilities. Preempt would have notified them the second an account started doing something it wasn’t supposed to and it would have flagged the account that was too privileged as part of their security hygiene report.

One of the concerns I had when discussing the merger with other board members was that the focus on identity would increase the friction for installing CRWD. One of the things that I really liked about this investment was how easy it is for a company to adopt CRWD’s products. Identity and permissions/credentials are hard but the beauty of Preempt is they are going into an environment where all that is already set up. Preempt only takes ONE HOUR to install and start getting useful information from it (some of the vulnerabilities in the Apple case study would have been likely exposed in that hour). This is a match made in heaven from a technology standpoint as well as sales.

I can’t imagine that Preempt has much revenue. If you figure many of the security companies are going for 30x revenue that would put them only at 3ish million of revenue. I have a hard time imagining they had that little revenue though. The interwebs thinks they have somewhere between 7 million and 49 million of revenue. My guess is much closer to 7 million. Maybe Preempt had run into some bumps in the road so CRWD got a company that had good technology but was having business issues so they needed to sell. Preempt had raised 17 million dollars back in 2018, and a total of 27.5 million dollars since 2014. Back in February they said they were growing ARR 140% which doesn’t seem all that impressive to me from such a small base.

All in all, I think this is a very strong acquisition. Remains to be seen how they integrate it from a business standpoint.

I glossed over a lot of the technical stuff, inferred stuff from marketing material and generally made some guesses. I’m fairly sure the overall gist is correct but I’m sure there are some minor errors. I welcome any feedback, corrections, or thoughts.


Excellent information ethan1234 - thanks.

A few other tidbits.

CRWD paid approximately $96M for Preempt.

According to the CRWD announcement “The addition of Preempt will also expand CrowdStrike’s total addressable market to include Identity Security, which is estimated to be $2 billion in 2020*.”

*Source: International Data Corporation #US45384120 – Worldwide Identity Forecast, 2020–2024 (Advanced Authentication market)

According to Preempt press release in Sep 2018 they grew FY18 ARR by 300%, doubled their headcount, and raised $17.5M in Series B. Not sure if that is 300% of $1 or 300% of something meaningful but clearly they believed they would grow further. Here is a link to that press release:…

It’s a little odd I could not find an FY19 update, although they are private and don’t have to, but would have PR if it were significant. As you mentioned, in Feb 2020 they reported 140% YoY increase in ARR and 100% growth in customers. Again I don’t know if that is growth from 10 customers to 20 or from 1000 to 2000 but they did report adding the following which gives them good credibility:

  • One of the world’s largest cosmetic companies
  • The world’s largest private agricultural company
  • The world’s largest franchisor
  • The world’s largest manufacturer of primary batteries and portable lighting products
  • Other wins in verticals such as energy, healthcare, and finance across the EMEA and APAC regions

Here is a link to that press release:…



Preempt only takes ONE HOUR to install and start getting useful information from it (some of the vulnerabilities in the Apple case study would have been likely exposed in that hour). This is a match made in heaven from a technology standpoint as well as sales.

Ethan, that was a great summary. I had one question. Does it take an hour to install it onto each endpoint or does it take one hour to implement into all of the users of a large customer?



Does it take an hour to install it onto each endpoint or does it take one hour to implement into all of the users of a large customer?

Although I know nothing about Crowdstrike, I’m sure that type of update is done on a server and pushed out to endpoints without the end user even knowing it has happened.



Does it take an hour to install it onto each endpoint or does it take one hour to implement into all of the users of a large customer?

Quick note, one place they say one hour, another place they say two hours (haha, I don’t want to be accused of exaggerating).

Their marketing material doesn’t say specifically but based on how they talk about it and where it sits in the network I can’t imagine it takes an hour to get set up on an endpoint. I’m 99% sure it takes an hour or two to get up and running, i.e. integrating with the IaaS and domain controller.



Thanks for the write-up Ethan.

Here’s what I know…

CrowdStrike’s cloud based Falcon platform (built on graph database technology) is designed such that if there’s a new security need to be addressed, you can just build a security service or app on top of that Falcon platform.

The beauty of the Falcon platform design makes partners’ solutions integrate very easily. The partner apps in the CrowdStrike Store are a good example of that. So, Preempt’s integration should be fairly straightforward.

Yes, the Preempt management server takes about 1 hour to install. AFAIK, they don’t need agents on endpoints. They have sensors that can be deployed on the network or on domain controllers to do real time traffic analysis. Their platform works with the authentication platform of the enterprises, which may be ADFS, federated platforms, on-prem and cloud SSO platforms like Okta and Ping.

CRWD’s agent/sensor that is installed on end-points is extremely lightweight and unobtrusive…there’s no UI, no pop-ups, no reboots, and all updates are performed silently and automatically. Requires less than 20 MB of disk space, less than 10 MB memory and less than 1% CPU when active. And installs in a few minutes. There are no controllers to be installed, configured, updated or maintained and no on-premises equipment.

I believe at least in one customer’s case, CRWD’s sensors were deployed to over 70K nodes via silent installs in about 2 hours and no helpdesk calls!

Also, unlike legacy signature based agents, the Cloudflare agent doesn’t need to worry about agent bloat as threats grow.

According to data, 4 out of 5 breaches are credentials related, so this is a great strategic acquisition by CrowdStrike to enhance Zero Trust in its Falcon platform.

Hope this helps!




Here’s what I know…

Thanks Ronjon, that was extremely helpful and useful. We all appreciate it.