CrowdStrike obtains an identity-centric view of zero trust with Preempt purchase

September 24 2020
by Fernando Montenegro, Garrett Bekker


As the pandemic persists and work patterns are severely disrupted, organizations are looking to ensure that they can detect and respond to security incidents regardless of how their systems are used. To that end, making security decisions based on user identities has emerged as a valuable approach, since these identities are more stable across devices and potentially easier to model.

This identity-centric view of the world complements a device-centric view when implementing newer remote access architectures based on conditional access and zero trust. CrowdStrike is now aiming to claim a bigger role in these architectures with the acquisition of Preempt Security, looking to incorporate the target's functionality into its growing cloud-based Falcon offering.

Snapshot Snapshot




Preempt Security


Endpoint security

Deal value


Date announced

September 23, 2020

Closing date, expected

By October 31, 2020

The 451 Take

Defending the modern remote worker – even if they are not necessarily mobile because of the current crisis – requires having a comprehensive view of their environment and activities. Security teams have built on this by integrating multiple streams of data – from endpoints, applications, user identities, and others – themselves, either via SIEM or, more recently, newer trends such as extended detection and response.

CrowdStrike's purchase of Preempt is a step in the direction of having that more comprehensive view. The deal dovetails with the offerings from the acquirer's marketplace and its recent partnership announcement with Netskope, Okta and Proofpoint. It demonstrates that CrowdStrike is seeking to capitalize on its existing endpoint traction and, well, 'preempt' customers from looking elsewhere when designing and deploying these new architectures. As it adds more identity capabilities, CrowdStrike also comes into closer competition with vendors that have traditionally had larger portfolios and a head start on the domain. The company will need to quickly demonstrate that it can not only articulate but also execute a broader vision beyond the endpoint.

Deal details and rationale

CrowdStrike is spending $96m for Preempt Security ($10m of that will be paid in stock). According to 451 Research, this marks the buyer's first acquisition. The transaction is expected to close by October 31.

The move brings to light the importance of using the right kind of telemetry to effectively detect the broad spectrum of attacks that organizations face. The identity-centric view that Preempt brings to the table nicely complements the endpoint-centric view that CrowdStrike possesses. The acquirer argues that the new capabilities it is obtaining with Preempt, coupled with both the offerings from its existing marketplace partners and recent partnership announcement with other vendors, enables it to better contend for newer opportunities. The firm highlights protection against insider threats and enabling access for remote work as two of these areas.

Remote access has been one of the items of interest given the outbreak. As can be seen from the figure below, which is derived from a 451 Research Digital Pulse survey, security investments remain a critical area of interest as organizations respond to the pandemic.

Figure 1

Even Faced with COVID-19, Security Investments Continue
451 Research, Digital Pulse, Coronavirus Flash Survey June 2020

Target profile

San Francisco-based Preempt Security was founded in 2014 by Ajit Sancheti and Roman Blachman. The vendor first launched a commercial product in 2016 and has about 55 employees. It has raised a total of $27.5m in funding, most recently a $17.5m series B round in mid-2018. Preempt's syndicate of investors includes General Catalyst, Intel Capital, Blackstone and ClearSky Ventures.

The company has focused on analyzing identity-based information activity to derive risk scoring with the aim of blocking credential-based attacks. It initially deployed a proxy-based approach to deriving telemetry, but more recently shifted to an agent-based strategy with software that sits directly on top of the domain controller and can be run in either active or passive mode.

Acquirer profile

Sunnyvale, California-based CrowdStrike was founded by Dmitri Alperovitch, George Kurtz and Gregg Marston in 2011. The company went public in 2019 on the Nasdaq and currently has approximately 2,700 employees across the world. CrowdStrike has built a cloud-based security offering initially heavily centered on endpoint security. This includes a combination of endpoint prevention, endpoint detection and response, device control, threat intelligence, and more. The vendor recently launched a marketplace for adding functionality from partners and announced a collaboration with Okta, Proofpoint and NetSkope aimed at addressing the needs associated with securing a remote workforce.


When Preempt was a stand-alone company, its pool of competitors was relatively small, consisting primarily of fellow startup Silverfort as a more direct rival, with a broader set including Auth0, CallSign, Entrust, RSA Security, SecureAuth, Thales (Gemalto) and Transmit Security, with some caveats between consumer and enterprise use cases.

For CrowdStrike, the competitive landscape looks quite different. The vendor encounters a wide swath of endpoint specialists including but not limited to McAfee, Broadcom, Trend Micro, Kaspersky, Tanium, FireEye, SentinelOne, Cybereason, and many others.

It's also worth highlighting specific competition from four firms: BlackBerry (via its acquisition of Cylance), VMware (Carbon Black), Cisco (Duo Security) and Microsoft. All of these providers have unveiled versions of conditional access or zero trust that incorporate similar concepts as the combined CrowdStrike-Preempt offering.