
CrowdStrike’s AI slashes manual triage by over 40 hours a week

As security operations center (SOC) teams struggle with mounting alert volumes, CrowdStrike is introducing Charlotte AI Detection Triage, which the company says automates alert assessment with over 98% accuracy and cuts manual triage by more than 40 hours per week, while leaving analysts in control of how much the system is allowed to decide on its own.

“We couldn’t have done this without our Falcon Complete team,” Elia Zaitsev, CTO at CrowdStrike, told VentureBeat. “They do triage as part of their workflow, manually handling millions of detections. That high-quality, human-annotated dataset is what made over 98% accuracy possible.”

He continued: “We recognized that adversaries are increasingly leveraging AI to accelerate attacks. With Charlotte AI, we’re giving defenders an equal footing — amplifying their efficiency and ensuring they can keep pace with attackers in real-time.”

How Charlotte AI Detection Triage brings greater scale and speed to SOCs

SOC teams are in a race against time every day, especially when it comes to containing breakout times, the interval between an adversary's initial access and lateral movement to another host. CrowdStrike's recent global threat report put the fastest recorded breakout time at 2 minutes and 7 seconds.

Charlotte AI Detection Triage is built to automate SOC triage and reduce manual workloads while holding threat-assessment accuracy above 98%. CrowdStrike bases that figure on continuous real-world data from the Falcon Complete environment, its managed detection and response service, which processes millions of triage decisions monthly. The article does not break the figure down by class, so it should be read as overall agreement with human analysts rather than as a separate false-positive or false-negative rate.

Designed to integrate into existing security workflows and continuously adapt to evolving threats, the platform enables SOC teams to operate more efficiently and respond to critical incidents faster.

Key features include:

Autonomous triage and low-risk alert closure: Filters out false positives and closes low-risk alerts, allowing analysts to focus on genuine threats. This reduces noise and lets SOC teams prioritize high-impact incidents while minimizing alert fatigue.

Falcon Fusion integration for automated response: Connects the triage verdicts to CrowdStrike's security orchestration, automation and response (SOAR) platform, Falcon Fusion, so that response workflows can be triggered automatically. Which actions run is gated on confidence thresholds, which the company says reduces mean time to respond (MTTR) and ensures analysts receive only the most relevant, high-fidelity detections.

“In earlier AI iterations, an analyst had to invoke Charlotte manually,” Zaitsev told VentureBeat. “Now, through Fusion, it can run autonomously — triaging thousands of alerts automatically and even triggering responses when confidence is high. That scale is what excites me most.”

Continuous learning from the industry's largest SOC dataset: By continuously learning from millions of expert-labeled triage decisions within Falcon Complete, Charlotte AI Detection Triage is meant to adapt to emerging attack techniques as they appear. CrowdStrike contrasts this with generic AI models trained on static datasets, saying that refining the model on live SOC data keeps its precision up as adversaries change tactics.

“What actually has me more excited is that [our customers] can hook it up into the automation of the platform and just have it triage automatically all the detections,” said Zaitsev. “Not just triage all the detections, but we can take the output using Fusion and use that to drive additional decision making.”   

He explained: “For example, Charlotte says it’s a true positive with high confidence, takes the summary and opens up a support case or a ticket, routes it to the team, which takes an automated action like ‘contain the system.’ This is all happening at a much, much higher volume and scale, which is the other part that really excites me about this capability.”

CrowdStrike unleashes “deploying the droids” multi-AI architecture on SOC challenges

The nature of threats a SOC faces is changing faster than many manual approaches can keep up with, and at times faster than single-model automated systems can handle. The combination of high alert volumes and resource constraints is turning out to be a compelling use case for deploying multiple specialized AI agents.

CrowdStrike calls its multi-AI architecture a “deploying the droids” approach. Instead of relying on a single AI model, Charlotte AI coordinates multiple specialized agents, or “droids,” each trained for a particular task. These agents work together to analyze, interpret and respond to security incidents, which CrowdStrike says improves accuracy and reduces the burden on analysts.

As Marian Radu of CrowdStrike details in Deploying the droids: Optimizing Charlotte AI’s performance with a multi-AI architecture, this system integrates advancements in generative AI research, CrowdStrike’s extensive threat intelligence dataset and cross-domain telemetry that includes over a decade of expertly labeled security data. By dynamically selecting the best series of AI agents for each task, Charlotte AI improves threat detection and response, reducing false positives and streamlining SOC workflows.

The diagram below illustrates how Charlotte AI’s task-specific AI agents operate, breaking down each step in the process. This structured, AI-driven approach allows SOC teams to work more efficiently without sacrificing accuracy or control.

Charlotte AI processes user queries through a coordinated system of specialized AI agents. Each agent is assigned a distinct role, from entity enrichment and answer planning to validation and summarization, ensuring accurate and efficient responses for SOC teams.

Agentic AI is the new DNA of SOC security

CrowdStrike’s recent State of AI in Cybersecurity Survey is based on interviews with more than 1,000 cybersecurity professionals and highlights the critical drivers of AI adoption in SOCs.

Key insights include:

Platform-first AI adoption: 80% of respondents prefer gen AI integrated into a cybersecurity platform rather than as a standalone tool.

Purpose-built AI for security: 76% believe gen AI must be specifically designed for cybersecurity, requiring deep security expertise.

Breach concerns fuel AI demand: 74% of respondents have been breached in the past 12 to 18 months or fear they are vulnerable, reinforcing the urgency for AI-driven security automation.

ROI over cost: CISOs prioritize AI solutions that measurably improve detection and response speed rather than focusing solely on price.

Security and governance matter: AI adoption is contingent on clear safety, privacy and governance structures.

“Security teams want gen AI tools built for cybersecurity by cybersecurity experts,” the report reads. “Organizations will evaluate their AI investments based on tangible outcomes: faster response times, enhanced decision-making and measurable ROI through streamlined security operations.”

Securing AI through “bounded autonomy”: How CrowdStrike guides responsible Charlotte adoption

CrowdStrike’s survey shows that 87% of security leaders have implemented or are developing new policies to govern AI adoption, driven by concerns about data exposure, adversarial attacks and “hallucinations” yielding misleading insights.

These challenges are especially relevant for Charlotte AI Detection Triage, which leverages AI at scale to automate SOC workflows.

In Five Questions Security Teams Need to Ask to Use Generative AI Responsibly, Mike Petronaci and Ted Driggs note that gen AI lowers barriers for attackers, enabling more sophisticated threats.

CrowdStrike mitigates these risks with a concept Zaitsev describes as “bounded autonomy”: the customer, not the vendor, decides how much authority the AI has in triage and response, and at what confidence level each automated action is allowed to fire.

As Zaitsev explains: “Different organizations are going to have different levels of skepticism and different risk tolerances… One of the nice things, because of the way we’ve integrated [Charlotte AI] with the automation system, is our customers actually get to determine, by taking advantage of this Fusion integration, where, when and how you trust the system… Ultimately, we are giving our customers the control, the latitude, to decide just how and where they want that automation to be. Skepticism is just a way of reflecting your tolerance for risk.”
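The workflow Zaitsev describes above (a verdict with a confidence score feeding Fusion, which opens a ticket or contains a host only when confidence clears a threshold) and the “bounded autonomy” policy that caps what the model may do on its own can be expressed as a small routing function. The following is an added illustration, not CrowdStrike's or Falcon Fusion's code: the detection records, hostnames, confidence values, thresholds and the ground-truth labels are all constructed for the example, and no Falcon API is called. It also includes the check a SOC would want next to the headline accuracy figure: how many real intrusions a given auto-close threshold would have silently closed.

```python
"""Confidence-gated alert triage under a per-tenant autonomy policy.

Added example, not CrowdStrike code. Records, thresholds and labels below are
constructed; the Falcon/Fusion APIs are not called.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(str, Enum):
    TRUE_POSITIVE = "true_positive"
    FALSE_POSITIVE = "false_positive"


class Action(str, Enum):
    AUTO_CLOSE = "auto_close"          # close with no human in the loop
    ANALYST_REVIEW = "analyst_review"  # route to the human queue
    OPEN_TICKET = "open_ticket"        # open a case carrying the model's summary
    CONTAIN_HOST = "contain_host"      # network-contain the endpoint


@dataclass(frozen=True)
class Detection:
    detection_id: str
    host: str
    severity: str       # "low" | "medium" | "high" | "critical"
    verdict: Verdict    # the triage model's classification
    confidence: float   # model confidence in that verdict, 0.0..1.0
    summary: str


@dataclass(frozen=True)
class AutonomyPolicy:
    """What the tenant permits the model to do unattended ("bounded autonomy")."""
    close_threshold: float = 0.95    # min confidence to auto-close a false positive
    ticket_threshold: float = 0.90   # min confidence to open a ticket unasked
    contain_threshold: float = 0.98  # min confidence to contain without a human
    allow_auto_close: bool = True
    allow_auto_contain: bool = False
    # Never let the model silently close alerts at these severities, whatever
    # its confidence: a wrong "false positive" here is a missed breach.
    no_auto_close_severities: frozenset = frozenset({"high", "critical"})


def decide(det: Detection, policy: AutonomyPolicy) -> list[Action]:
    """Map verdict + confidence to the actions the policy permits.

    Anything not explicitly permitted falls through to ANALYST_REVIEW, so an
    over-confident model degrades to the manual workflow, not to silent automation.
    """
    if det.verdict is Verdict.FALSE_POSITIVE:
        if (policy.allow_auto_close
                and det.confidence >= policy.close_threshold
                and det.severity not in policy.no_auto_close_severities):
            return [Action.AUTO_CLOSE]
        return [Action.ANALYST_REVIEW]
    # Model says true positive.
    if det.confidence < policy.ticket_threshold:
        return [Action.ANALYST_REVIEW]
    if policy.allow_auto_contain and det.confidence >= policy.contain_threshold:
        return [Action.OPEN_TICKET, Action.CONTAIN_HOST]
    return [Action.OPEN_TICKET, Action.ANALYST_REVIEW]  # a human decides containment


def triage(dets: list[Detection], policy: AutonomyPolicy) -> dict[str, list[Action]]:
    return {d.detection_id: decide(d, policy) for d in dets}


def missed_threats(decisions: dict[str, list[Action]],
                   truth: dict[str, Verdict]) -> list[str]:
    """IDs the policy auto-closed that analysts later confirmed as real threats.

    Track this next to overall accuracy: a high agreement rate can still hide a
    handful of silently closed intrusions.
    """
    return sorted(d for d, acts in decisions.items()
                  if Action.AUTO_CLOSE in acts and truth[d] is Verdict.TRUE_POSITIVE)


# Constructed sample alerts; hostnames, IDs and confidences are made up.
SAMPLE = [
    Detection("d-001", "ws-17", "low", Verdict.FALSE_POSITIVE, 0.99, "Benign admin script"),
    Detection("d-002", "ws-22", "high", Verdict.FALSE_POSITIVE, 0.97, "Suspicious LSASS read"),
    Detection("d-003", "srv-db-01", "critical", Verdict.TRUE_POSITIVE, 0.995, "Ransomware staging"),
    Detection("d-004", "ws-05", "medium", Verdict.TRUE_POSITIVE, 0.80, "Unusual PowerShell"),
    Detection("d-005", "ws-09", "low", Verdict.FALSE_POSITIVE, 0.93, "Known scanner noise"),
    Detection("d-006", "ws-31", "medium", Verdict.FALSE_POSITIVE, 0.99, "Scheduled task change"),
]
# Analyst-confirmed ground truth for the same alerts (also constructed).
GROUND_TRUTH = {
    "d-001": Verdict.FALSE_POSITIVE, "d-002": Verdict.TRUE_POSITIVE,
    "d-003": Verdict.TRUE_POSITIVE, "d-004": Verdict.FALSE_POSITIVE,
    "d-005": Verdict.FALSE_POSITIVE, "d-006": Verdict.TRUE_POSITIVE,
}

CONSERVATIVE = AutonomyPolicy()                       # may close, never contain
PERMISSIVE = AutonomyPolicy(allow_auto_contain=True)  # may also contain

if __name__ == "__main__":
    for name, policy in (("conservative", CONSERVATIVE), ("permissive", PERMISSIVE)):
        decisions = triage(SAMPLE, policy)
        print(f"--- {name} ---")
        for det_id, acts in decisions.items():
            print(det_id, [a.value for a in acts])
        print("auto-closed real threats:", missed_threats(decisions, GROUND_TRUTH))
```

Two things are worth noticing when running it. The severity gate is what saves d-002: the model was confidently wrong, but a “high” alert is never auto-closed, so it lands in the analyst queue instead of disappearing. d-006 shows the residual risk the 98% figure does not express by itself: a confident, wrong “false positive” on a medium alert is auto-closed under this policy, and only a later comparison against analyst ground truth surfaces it. Tightening close_threshold or widening no_auto_close_severities trades that risk for more manual work, which is exactly the dial “bounded autonomy” hands to the customer.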

By continuously learning from real-world SOC data within Falcon Complete, Charlotte AI Detection Triage adapts to evolving threats while reducing alert fatigue. Through “bounded autonomy,” security teams harness the speed and efficiency of AI-driven triage while preserving the guardrails needed for responsible, real-world adoption.


Published: 2025-02-13 02:01:00
