Sophos Ep Vs Crowdstrike

CONFIDENTIAL - SOPHOS INTERNAL AND CHANNEL PARTNERS ONLY - DO NOT REDISTRIBUTE

CONFIDENTIAL – SOPHOS INTERNAL AND CHANNEL PARTNERS ONLY - DO NOT REDISTRIBUTE

CROWDSTRIKE ENDPOINT BATTLECARD


Vendor Profile
CrowdStrike was founded in 2011 and originally focused on post incident detection and response. More recently it has added proactive prevention features, and tools based around IT hygiene.

Product            Description                               Sophos Equivalent
Falcon Prevent     Endpoint protection                       Intercept X Essentials / Advanced
Falcon Insight     Endpoint detection and response (EDR)     Intercept X Advanced with XDR
Falcon Spotlight   Vulnerability and patch assessment        -
Falcon Discover    Application, device and user inventory    Live Discover can be used, App Control

Competitor Strengths
- Single agent and management console – Products use the same Falcon agent and are managed through a cloud hosted console
- EDR – Detailed threat information is available, and the Insight product allows in depth event searching
- IT hygiene – Falcon Spotlight and Discover provide tools to identify vulnerable devices and applications

Competitor Weaknesses
- Threat exposure – CrowdStrike has limited tools to prevent exposure to threats, and lacks features such as web protection or application control
- Strength of protection – In addition to the threat exposure limitations noted above, the anti-exploit and anti-ransomware features are only a subset of those available in Intercept X
- Total cost – Customers report the high cost of CrowdStrike licenses to analyst firm Gartner. Furthermore, CrowdStrike products are rarely sold without additional services.

Why Sophos Wins

Comprehensive Protection
Machine learning technology is complemented by industry leading exploit prevention and powerful ransomware protection. Multiple other layers such as web filtering, application control, and data loss prevention combine to enhance protection further.

Simplicity
Sophos focuses on providing leading protection. With control features and supplementing technologies, the attack surface is reduced, thus eliminating the need for employing a SOC team or paying for expensive services.

Synchronized Security
Customers benefit by adding Sophos Firewall and SafeGuard Encryption. Both work with Sophos Central to deliver automated response and enhanced protection. Furthermore, Sophos Central offers unified management of endpoint, server, mobile, data, email, and wireless security.

Endpoint License Comparison

Columns: (1) Sophos Intercept X Advanced, (2) Sophos Intercept X Advanced with XDR, (3) CrowdStrike Falcon Pro, (4) CrowdStrike Falcon Enterprise, (5) CrowdStrike Falcon Elite, (6) CrowdStrike Falcon Go.
✓ = included, × = not included, D = detection but no rollback.

Feature                                               (1)  (2)  (3)  (4)  (5)  (6)
PREVENT
  Web Security and Control                            ✓    ✓    ×    ×    ×    ×
  Device Control (e.g., USB)                          ✓    ✓    ✓    ✓    ✓    ✓
  Category Based Application Control                  ✓    ✓    ×    ×    ×    ×
  Exploit Prevention                                  ✓    ✓    ✓    ✓    ✓    ✓
  Machine Learning                                    ✓    ✓    ✓    ✓    ✓    ✓
  Application Inventory / Live Discover               ×    ✓    ×    ×    ✓    ×
  Runtime Behavior Analysis / HIPS                    ✓    ✓    ×    ×    ×    ×
DETECT
  Behavior Based Ransomware Detection and Rollback    ✓    ✓    D    D    D    D
  Active Adversary Mitigations                        ✓    ✓    ×    ×    ×    ×
RESPOND
  Automated Malware Cleanup                           ✓    ✓    ×    ×    ×    ×
  Synchronized Security Heartbeat                     ✓    ✓    ×    ×    ×    ×
  Endpoint Detection and Response (EDR)               ×    ✓    ×    ✓    ✓    ×
  Extended Detection and Response (XDR)               ×    ✓    ×    ×    ×    ×
The information in this document is based on Sophos’s interpretation of data publicly available as of the date it was prepared. Other companies named in the document had no part in its preparation. The information contained in this comparison may be incomplete or inaccurate and is subject to change. The information is intended for informational purposes only and is not intended to be relied upon in making any purchase decision. The information is provided "as is" without warranties of any kind either expressed or implied. This document is Sophos confidential information. Partners may use only the most up-to-date version, and only if permitted by law in their Territory. Distribution to any third party other than a Sophos authorized partner is strictly prohibited.
NOVEMBER 2022
Copyright 2022 Sophos Group. All Rights Reserved.

Note: Falcon Go is a new bundle (announced in July 2022), available exclusively to SMBs. It is sold direct on CrowdStrike's website using a trial purchase process, to net-new customers only. The wiki page (Sophos internal only) for CrowdStrike lists more information on the bundle.

Feature Shoot-Out

Feature                                           Sophos  CrowdStrike  See these Detailed Comparison sections for more info
Comprehensive Exploit and Ransomware Protection   ✓       ×            ‘Anti-Exploit’, ‘Anti-Ransomware’
Synchronized Security                             ✓       ×            ‘Synchronized Security’
Web Protection and Control                        ✓       ×            ‘Web Protection’, ‘Web Control’
Application Control                               ✓       ×            ‘Application Control’
Data Loss Prevention                              ✓       ×            ‘Data Loss Prevention’
Server Specific Policies and Protection           ✓       ×            ‘Server Protection’
Localized admin interface                         ✓       ×            ‘Security Ecosystem’

Third Party Views

Gartner
  Comments: CrowdStrike is in the ‘Leaders’ quadrant of the 2021 Gartner Magic Quadrant for Endpoint Protection. The report notes the single agent and the product's suitability for organizations without a dedicated SOC.
  Context: The report also comments on the high price tag of CrowdStrike licenses requiring extra options to provide the full range of capabilities and data retention beyond the standard seven days. Sophos has been positioned in the Leaders quadrant of this report since it was first published in 2007.

SE Labs
  Comments: CrowdStrike regularly participates in SE Labs Enterprise tests and achieves the ‘AAA’ rating.
  Context: Sophos achieves the top ‘AAA’ rating in the same tests and consistently demonstrates higher protection ratings.

AV-Test
  Comments: CrowdStrike has not appeared in AV-Test reports.
  Context: Sophos has participated in these tests for many years and achieves strong scores.

AV-Comparatives
  Comments: Various AV-Comparatives reports are referenced on CrowdStrike’s website. Most of these relate to the ‘Real World Protection Test’ where CrowdStrike has achieved mixed results.
  Context: Sophos participates with Intercept X achieving the Approved rating and generally much higher protection results than CrowdStrike.

Forrester Wave
  Comments: CrowdStrike is placed in the ‘Leaders’ section of the 2021 Forrester Wave Endpoint Security Suite.
  Context: The report highlighted CrowdStrike’s growth over the last year, although noted weak data security capabilities. Sophos was named a Strong Contender in this report.

Watch Out For

Endpoint Detection and Response (EDR)
CrowdStrike originally focused on post incident detection and response, meaning it is strong on EDR features such as threat detail and isolation of compromised endpoints. The OverWatch managed service is also available (and bundled with most licenses) to help draw attention to hard-to-spot threats.

Lightweight Agent
The same Falcon agent (referred to as a “sensor”) is used for each of the various CrowdStrike products. CrowdStrike state that the agent is around 20 MB in size and uses 1% or less CPU. Of course, the agent includes significantly fewer protection features than Intercept X, so this should be taken into consideration.

Integration with 3rd Party Applications
CrowdStrike provide a range of APIs to integrate with several SIEMs and threat intelligence feeds. CrowdStrike has also announced partnerships with IT service management providers Ivanti and ServiceNow. Sophos Central does include an API for sending events to a SIEM, but it is not as extensive as what CrowdStrike offers.


Detailed Comparison
Each topic below is given in three parts: How Sophos does it, How CrowdStrike does it, and How we win.
Machine Learning
  How Sophos does it: Intercept X’s deep learning model detects unknown malware and potentially unwanted applications. The model can take a file, extract millions of features, run it through the host-based model, and determine if it is malicious before it executes. It does all of this in about 20 milliseconds with a model that is under 20 MB in size. Our machine learning experience began as part of a 2010 DARPA project, and we have proven high speed, low impact performance.
  How CrowdStrike does it: Falcon Prevent uses a client-based machine learning engine for analyzing executable files pre-execution and has access to CrowdStrike’s cloud-based machine learning engine. Administrators choose whether they want to use one or both and are also able to configure how readily it will convict suspicious files (from Cautious to Aggressive). Anecdotal reports suggest that CrowdStrike’s ML detection catches less malware and generates more false positives than Sophos’ deep learning.
  How we win: Proven effectiveness. Show: Our extensive publications and videos on our website, Invincea NSS Labs report; invite the customer to look at historic VirusTotal feedback.

Anti-Malware
  How Sophos does it: Potentially Unwanted Applications (PUA) - Beyond traditional detection and blocking of known malware, CIXA can block applications that are unwanted and could pose a security risk in an organization.
  How CrowdStrike does it: CrowdStrike does not include the option to block predefined PUAs.

Anti-Exploit
  How Sophos does it: Sophos anti-exploit technology protects against the techniques that attackers may use to exploit a software vulnerability. Intercept X delivers more than 25 exploit prevention techniques to ensure protection against attacks that leverage previously unknown vulnerabilities. Intercept X also uses an unused hardware feature in mainstream Intel processors to track code execution and augment the analysis and detection of advanced exploit attacks at run time.
  How CrowdStrike does it: Falcon Prevent includes a small number of exploit mitigation techniques, such as detecting ASLR bypass attempts and heap spray attacks. It also has an ‘Exploitation Behavior Prevention’ module, which provides protection against suspicious executables being created by browsers (drive by downloads) and attempts to stop an exploited browser or plugin from creating processes. However, this is still a subset of the range of protection techniques delivered in Intercept X.
  How we win: Protection against a wide range of exploits. Ask: What would it mean to you if you could run one of the industry’s most comprehensive exploit protection tools? Point out: Sophos Intercept X covers more than 25 types of exploit prevention techniques.

Anti-Ransomware
  How Sophos does it: CryptoGuard technology detects ransomware through its behavior, stopping it from encrypting files, and then automatically rolls back any files that were encrypted before detection. WipeGuard protects from attacks that encrypt the MBR and render the machine unable to boot into the operating system.
  How CrowdStrike does it: Falcon Prevent’s anti-ransomware protection blocks processes associated with the Locky and CryptoWall families. It also includes more generic detection to look for deletion of backup files (a common action performed by ransomware) and identify any files with a known ransomware extension. It does not include the capability to roll back the initially encrypted files, or specific protection of the MBR.
  How we win: Comprehensive protection. Point out: CryptoGuard monitors behavior and recovers the first files encrypted in an attack. It also protects against ransomware that stops machines booting up.

Cross-platform Protection
  How Sophos does it: Block all malware on all platforms – Intercept X provides detection and blocking of non-native malware across all platforms.
  How CrowdStrike does it: CrowdStrike Falcon does not detect or block Windows malware on macOS.
  How we win: Non-native malware protection. Point out: Other platforms can still carry and spread malware not native to the platform.

Synchronized Security
  How Sophos does it: With Synchronized Security, Sophos products communicate with each other both across the network and on endpoints to mitigate risks and stop data loss. Security information is shared and acted on automatically, isolating infected endpoints before the threat can spread and slashing incident response time.
  How CrowdStrike does it: CrowdStrike does not offer its own network or encryption products. It does provide an extensive set of APIs that allow integration with third-party threat intelligence feeds, SIEMs and other products. However, this would need to be manually set up and configured by the customer.
  How we win: Simple setup, powerful features. Ask: If your firewall alerted you to suspicious traffic on your network, how long would it take you to locate and isolate the computer? Show: Synchronized Security automatically isolating a compromised endpoint client.

Web Protection
  How Sophos does it: Sophos web protection blocks users from accessing websites that are hosting malware or phishing attacks. Web protection is fully integrated into the existing endpoint agent with no configuration required.
  How CrowdStrike does it: CrowdStrike products do not provide web protection, meaning endpoints are exposed to one of the key malware delivery routes. A customer would need to ensure such protection is instead provided by a supplementary web filtering or firewall appliance on the corporate network. When employees are outside the network perimeter, they may not have the benefit of the robust firewall or web gateway, leaving them exposed to threats arriving via the web.
  How we win: Prevent malware from reaching machines in the first place. Ask: How do you stop users from accessing websites that are hosting malware?


Extended Detection & Response (EDR and XDR)
  How Sophos does it: Intercept X Advanced with XDR suits both IT administrators and security analysts. While it is accessible to IT generalists by replicating tasks normally performed by skilled analysts, it also provides the core manual tools that trained analysts would expect.
  Threat Visibility: Deep Learning Threat Indicators and Analysis: For the grey area between known-good and known-bad, deep (machine) learning prioritizes a list of suspicious files for further investigation. The comprehensive file analysis report enables customers to quickly determine if a suspicious file should be blocked or allowed.
  Threat Hunting: Live Discover search: Allows customers to quickly discover IT operations issues or to hunt down suspicious activity on both Windows and Mac.
  - On-disk data: Windows and Mac endpoint data store with super detailed, live data covering up to the last 90 days
  - Cloud data lake: Cross product data with 30 days’ worth of data
  - XDR Platforms: Endpoint, Server, Firewall, Email, Mobile, Cloud Optix, Microsoft 365 connector (Azure AD, Exchange, Teams, SharePoint)
  - Air to ground reconnaissance: Quickly scan an entire estate and then drill down to file content on a single device
  - Flexible: Includes out-of-the-box, fully customizable SQL queries. Customers can create completely new, custom queries
  - Schedule: Retrieve critical data from the data lake overnight
  - Comprehensive: Provides up to 90 days fast access to current and historical on-disk data. Data includes insight into artifacts’ reputation and machine learning scores from SophosLabs and Sophos AI
  Response: Automatic response – The intelligent Sophos endpoint agent can automatically clean up or block threats. It is also capable of isolating the endpoint.
  Live Response command line: Customers can remotely access Windows, Mac and Linux devices via a native command line to perform further investigation, install and uninstall software, or remediate any issues that Intercept X cannot address automatically. It can also be used for IT operational actions such as rebooting or installing and uninstalling software.

  How CrowdStrike does it: CrowdStrike provides wide-ranging EDR functionality, but it is mainly aimed at trained analysts. Significant resources are required to get the most from the tools on offer. It launched its XDR solution, Falcon XDR, only recently in February 2022. Based on its 2021 acquisition of Humio, Falcon XDR provides the ability to ingest, analyze and query data from multiple sources.
  Threat Visibility: Threat detections show detailed information about the applications/processes involved, the activity that triggered the detection (e.g., a PowerShell process executed, compressed, encoded command line content) along with a visualization of the threat chain.
  Threat Hunting: The Falcon Insight module offers granular threat hunting (queries are constructed using the Splunk language syntax) and the option to upload a list of known bad files or domains to see if they have been seen on endpoints. Queries return data from computers that are currently online or offline. Unlike Sophos Live Discover, the data is not live and is limited to what the CS agent uploads to the cloud as there is no on-disk endpoint data. By default, cloud storage is limited to 7 days, which can be extended to 90 days at an additional cost.
  Response: CrowdStrike’s offerings are primarily designed with trained incident response experts in mind. Less of the response is automated. Remediation actions, such as endpoint isolation, are available, but the customer needs to bear the burden of interpreting the detailed information before taking manual action. Real Time Response provides command line access to remote Windows, Mac and Linux hosts.

  How we win: Add expertise, not headcount. Ask: What resources do you have available to dedicate to threat hunting and investigation? Have you factored in the cost of additional services? Show: Sophos EDR’s guided investigations provide suggested next steps. Point out: Synchronized Security automatically isolates low health machines, reducing the reliance on manual intervention by the administrator.

Web Control
  How Sophos does it: Web control allows the administrator to block access to unwanted websites. Website categories come pre-configured, meaning administrators can easily block endpoints from accessing inappropriate sites such as adult, gambling, hate, crime.
  How CrowdStrike does it: Web control is not available. The customer would need to purchase and maintain a separate product to control which websites staff can access.
  How we win: Prevent users accessing risky websites. Ask: Do you need to demonstrate compliance with company policies on responsible internet usage? Show this: Create a policy to block access to social media sites.

Application Control
  How Sophos does it: Administrators can control installation, track usage or block execution of unauthorized applications within a few clicks using a supplied list of applications. This reduces threat vectors, and administration is kept to a minimum as the list of applications is automatically updated and maintained by Sophos Labs.
  How CrowdStrike does it: There is no category-based application control. Hash based black/white listing allows the administrator to block access to specific files, but this involves more work for the customer and is less robust as the file hash will change each time an application is updated.
  How we win: Control which applications run on client machines. Simply choose from a pre-populated list. Show: Demonstrate how easy it is in Sophos Central to create a policy that blocks file sharing tools such as BitTorrent.


Device Control
  How Sophos does it: We enable you to define which storage devices or network interfaces to block, set to read only or allow full access to. It is simple to set exceptions for specific devices, as they can easily be identified in the event log. Device control is available for both Windows and Mac devices.
  How CrowdStrike does it: Device control is available but only for Windows machines. It requires an additional license, along with a license for Falcon Insight.
  How we win: Cross platform support.

Data Loss Prevention (DLP)
  How Sophos does it: DLP is integrated into Sophos Endpoint meaning no additional plugins are required. There is a large set of predefined detection rules for common data types, and, if required, customers can build their own custom rules using regular expressions.
  How CrowdStrike does it: Data loss prevention is not available.
  How we win: Sophos Endpoint helps protect against data loss. Ask: What measures do you have in place to prevent important data leaving the organization?

Server Protection
  How Sophos does it: Sophos Central protects physical and virtual Windows and Linux servers. Advanced protection features such as deep learning, exploit prevention and anti-ransomware are coupled with server specific capabilities such as cloud workload discovery, server lockdown, file integrity monitoring, and automatic scan exclusions. Unlike solutions that are designed for end-user workstations, Sophos Server Protection protects servers while minimizing the impact on performance.
  How CrowdStrike does it: The Falcon agent provides ML-based protection and EDR on Windows and Linux servers, but there are no server specific policies. This means customers need to manually configure all necessary file and folder exclusions. Advanced features such as file integrity monitoring, server lockdown, and ransomware protection for file shares are also unavailable.
  How we win: Policies tailored to server operating systems. One-click server lockdown. Ask: Are you considering application whitelisting (default deny/lockdown) for your servers? Show this: Trigger lockdown on a server.

Security Eco-system
  How Sophos does it: In addition to endpoint protection, Sophos Central allows customers to expand their protection to a range of other areas, all through the same management console. These include:
  ▪ Device Encryption
  ▪ Email Gateway
  ▪ Wireless Networks
  ▪ Phish Threat (user education)
  Sophos Central supports nine different languages, including English.
  How CrowdStrike does it: CrowdStrike offers two products aimed at improving IT hygiene. Falcon Spotlight highlights machines running unpatched applications and operating systems, and Falcon Discover provides machine asset and application usage information. Customers will need to buy point solutions for areas like encryption, email protection, network security and so on. These point-solutions would need to be individually managed and provide little in terms of integration with each other. The CrowdStrike Falcon console is not localized and is only available in English.
  How we win: Reduce administration burden with Sophos Central. Point out: Customers can consolidate management of various security technologies through the Sophos Central console. Synchronized Security provides improved value due to cross-product synergies.

Managed Detection and Response (MDR)
  How Sophos does it: Sophos MDR is a fully managed threat hunting, detection and response service that provides organizations with a dedicated 24/7 security team to not only detect but neutralize threats. Regardless of the service tier selected (Threat Advisor, MDR, or MDR Complete), customers can opt to have the MDR team operate in any of three Response Modes to accommodate their unique needs.
  - Fully managed – allows customer to effectively outsource its SOC
  - Three operational modes – Collaborate, Collaborate and Authorize if not reachable, or Authorize
  - Compatible with third-party products – Sophos MDR is compatible with security telemetry from several third-party vendors including Microsoft, CrowdStrike, Fortinet etc. Telemetry is automatically consolidated, correlated, and prioritized with insights from the Sophos Adaptive Cybersecurity Ecosystem (ACE) and Sophos X-Ops threat intelligence unit.
  - Any size customer – from SMB to enterprise
  - Best protection – based on Intercept X to ensure maximum protection
  How CrowdStrike does it: CrowdStrike Falcon Complete is a fully managed endpoint detection service based around the Falcon Prevent/Insight endpoint and Overwatch threat hunting.
  - Weaker protection – Falcon Prevent provides less effective protection meaning the Falcon Complete team and customer will have to spend more time dealing with suspicious events
  - Limited automated response – customer or Complete team will have to manually remediate some threats that Intercept X handles automatically
  - Not compatible with third-party products – unlike Sophos MDR, no possibility to leverage a customer’s existing cybersecurity technologies to detect and respond to threats
  How we win: Strongest endpoint protection and automated cleanup. MDR can be delivered via our proprietary technology or using your existing cybersecurity technology investments.
