Q4 2026 Earnings Call — March 3, 2026
Analyst Joe Gallo (Jefferies): Hey guys, thanks for the question. Really nice results and guide. George, securing AI is a huge market opportunity. Would love your thoughts on one, when securing AI materializes to ARR meaningfully for you, is that a fiscal 27 story? And then two, how much of the new market opportunity goes to pure play cyber vendors? In cloud, people certainly use the hyperscalers for some of their security needs. So just curious how much of that new AI market goes to pure play cyber vendors like yourselves. Thank you.
Executive George (Title): Yeah, thanks, Joe. Obviously, we're still in the early innings, but we continue to ramp in protecting AI, and it's happening today in terms of ARR growth. And we're obviously blown away by what we've seen with Pangea and AIDR. It was up 5x over a quarter from when we acquired the company. So we're really excited about that. The other piece to keep in mind is that not only is it going to drive AIDR growth, but we're going to see growth in protecting attack surfaces like cloud. We're going to see growth in next-gen SIEM. We're going to see growth in other areas that all touch AI. So from that standpoint, as I said, early innings, but lots of opportunity for us. And I think with regards to hyperscalers, I'm glad you asked the question because when I started the company in 2011, we pioneered cloud delivered security. And over the years, as cloud was maturing, I heard a lot about the hyperscalers actually providing all the security services. Well, that didn't happen.
In fact, as you've seen with our results and our partnership with AWS as an example, we transact billions through these platforms and they're a great partner, and there's a lot more exposure in the cloud. So we see the same thing happening with what I call AI hyperscalers, being able to actually partner with these hyperscalers, leveraging AI and their LLMs, and also being able to leverage the technology to provide better outcomes within the platform of record for our customers, which is felt. Thanks, Joe.
Analyst Rob Owens (Piper Sandler): Great. Thank you for taking my question. George, you talked about the 10 other agents that you guys have besides Charlotte and some of the traction that CrowdStrike's seeing with these security agents. But can you provide color on some of the recent acquisitions? When we look at agentic security more broadly, where are customers in their journey? And do you see identity as maybe one of the main hurdles for them getting agentic deployments at scale? Thanks.
Executive George (Title): Yeah, Rob, identity is one of the biggest threat vectors right now that we see. In fact, one of our latest threat reports, 80% of the breaches are non-malware based, right? So a lot of it is around identity. And between the identity stack that we've built over the years, again, we got into identity security in 2020. We built that out. It's a big business. And now really with the addition of Signal AI, this is, in my mind, game-changing technology, to have zero standing privileges, to be able to protect non-human identities and human identities in a much more modern stack than anything else that's out there in the market. It's a perfect fit to CrowdStrike in our platform. You combine that then with something like Seraphic in browser security. So now you're able to protect the front door of really where these attacks happen, plus where AI takes place, and you add the identity layer to that. And again, we're providing something that we think is going to be very unique in the industry. And of course, Pangea, which is our AIDR product. When you look at EDR, in today's market, EDR is a must. It's a compliance mandate. And we believe that EDR will be a similar opportunity, sorry, AIDR will be a similar opportunity to EDR in the coming years, driven by compliance and the need to accelerate protecting AI. Thanks, Rob.
Analyst Fatima Bulani (Citi): Good afternoon. Thank you for taking my question. George, I wanted to direct this to you. I had a question about the next generation SIEM opportunity. There are very much percolating fears that the open-ended SOC modernization, share capture opportunity that had thus far been pretty open-ended is perceived to maybe be at more risk from what the frontier labs may or may not be pursuing. So maybe in the context of the opportunity ocean commentary in your prepared remarks, can you help us with a deeper explanation and understanding of what your current nature is of relationship, partnership, and integration is with the frontier labs and the frontier models? And how should we very critically think about the durability of your moat from any potential commoditization from an architectural or technical or frankly, any other relevant contextual standpoint? Thank you.
Executive George (Title): Yeah. Yes, great question. So when you look at what we built, and I talked about this in the prepared remarks, we're a net data creator, right? We have telemetry that we create from our agents and from other parts of our platform that is unique. We put it into various data stores, including NextGen SIEM and our threat graph, and we're able to understand the threats in real time with real-time prevention. That's vastly different than what the LLM providers and frontier models do. Now, certainly, we leverage the frontier models. We have our own small language models. We have our own curated data. So I think we get the best of both worlds, but we're doing this in a platform that is driving consolidation that we've got millions and millions of workflows on already, and it becomes very, very sticky. So from the standpoint of our next-gen SIEM, you've got to look at the next gen SOC opportunity and what we're doing with Charlotte and the agents that we've created, where we're driving meaningful change in the SOC. We're overall driving down costs and getting better outcomes. And we're doing it in a compliant way.
To be a security vendor, you have to have trust. Customers are driven by compliance. And we are the epicenter of creating this data. So what we also are open to is having an open model. We have customers that create their own agents, that leverage our technologies, that leverage our MCP services. And this is part of having an open platform, which is why our customers love CrowdStrike. Thanks, Fatima.
Analyst Saket Kalia (Barclays): Okay, great. Hey guys, thanks for taking my question here. Great finish to the year. George, maybe for you, you know, the cloud security business, I think is the biggest piece of kind of that three platform product group, if you will. And it's continued to add a consistent amount of net new ARR dollars over the last few years, which has been great to see. Maybe the question is, how do you see the competitive environment in cloud security right now? And how do you think about the longevity of the growth in that market as you look out into the future?
Executive George (Title): Well, when we look at the cloud market, I couldn't be prouder of our execution and the products that we brought to market. One of the areas that we focused on, as you know, for a long time, is runtime protection. And that's the technology that really is focused on stopping breaches. And I think customers have realized just by having the ability to understand sort of exposures doesn't mean you're going to stop the breach. So with our CSPM technology, with a lot of the other technologies that we have acquired, like Falcon Shield, it has become an extremely potent offering for our customers. And again, why is it resonating? One, the technology works. Two, it all works together, and we're able to drive down cost complexity and get a better outcome, which is stopping the breach. It's not just about reporting on some exposures. It's about understanding the overall control plane in the cloud and being able to protect it. And we're giving the customers what they want, and that's the right outcome at a much lower cost than the competitors that are out there. So I think that's why, in a nutshell, you're seeing the results in our cloud business. Thanks.
Analyst Brian Essex (JPMorgan): Great. Good afternoon. Thank you for taking the question and congrats on some nice results. And Bert, congrats on the return to GAAP profitability. Really good to see. Maybe a quick question for you, George, on identity. Great to see the acceleration there. Could you unpack that business a little bit and help us understand? I mean, obviously, identity was one of the segments that was part of the CCP incentive plans that you guys were pursuing. How much of the resurgence and growth there on the identity side is, I guess, renewal of CCP or flex deals versus net new kind of emerging identity product? It would be great to get a feel underneath the covers there.
Executive George (Title): Well, it's one of the modules everyone wanted, and certainly was a fan favorite in days of CCP. So we're seeing success from that. And as I have mentioned many times, once a customer engages with a module, there's an extremely high percentage that they're going to continue to renew that. So we continue to see that. But I think overall, you have to look at the threat landscape and the fact that identity is really one of the, you know, compromised identities, really one of the number one drivers of breaches, and customers are being, are focused on being able to protect those identities, both in the cloud and on premise, if you will, and there's a massive compliance need for something like ITDR. So we're getting the benefit from the platform consolidation piece, and we're also getting the benefit from having a very mature stack now. Not only can we prevent these sort of breaches with ITDR, but you include now Falcon Shield, protecting SaaS identities. And then you kind of look at what we've done with our PAM offering. It's been very, very well received by our customers. So I think that's why you're seeing our opportunity continue to grow there. And as I said earlier, we couldn't be more excited about the Signal AI acquisition that we just completed. Thanks, Brian.
Analyst Brad Zelnick (Deutsche Bank): Great. Thanks so much for taking the question. George, Bert, congrats on a really strong finish to the year and impressive ARR guidance out of the gate for next year, implying 22.5% net new growth, which is above your prior commentary and now off of even a higher base. After such a strong fiscal 26, this obviously stands out in a very good way. Can you talk about the building blocks that get you there and especially how to think about the renewal opportunity that you have visibility to and the expansion opportunity given just how much you can address today versus when many of those customers might have last transacted? Thank you.
Executive George (Title): Hey, Brad. Thanks for your comments. And I'll give you an insight into how we thought about the guide. I mean, first and foremost, it starts with the strong momentum that we're seeing in business. We saw in Q4 broad-based demand from all sizes of businesses, from all business sizes, whether it was enterprise all the way down to MSSPs. And then that rolled over into Q1 when we talked about the record Q1 pipeline, which grew 49% UOB. Then as George mentioned, CrowdStrike is thriving in this AI revolution. We are not only leveraging AI within the entire platform, but our platform also helps organizations use AI securely. And that's the key. And then I think we're still benefiting from the consolidation tailwinds. Customers continue to seek the best outcomes, you know, at the lower TCO, which we're helped to provide. And the consolidation really comes from, you know, the strength of our platform. You know, you look at cloud, next-gen identity, and next-gen, you know, SIEM collectively. We posted a record net new ARR resulting in 1.9 billion in ending ARR, up 45% year over year. And look at Endpoint.
They accelerated for the second straight quarter on the heels of AI-driven demand. And then you tag onto that the success that we saw in Flex. We added over 350 Flex customers in Q4. The average Flex customer ending ARR that was over a million bucks, those guys have adopted nearly 10 modules, well over our company average. And then Reflex, you know, we have greater than 380 Reflex customers. The average time for a Reflex is seven months. 100 customers Reflex multiple times with the average ARR lift post Reflex for this cohort was 48%. These are really, really great numbers for us. And so you combine all those things and other things gave us, you know, the confidence to be able to come out with the guide that, you know, that we came out with for that new ARR for next year. Great, thanks.
Analyst Matt Hedberg (RBC): Great, thanks for taking my question guys. Congrats from me as well. George, I wanted to ask about pricing. Obviously Flex and Reflex is doing extremely well, but there's obviously a lot of concerns that I think we're all seeing out there about potentially fewer knowledge workers seats in the future due to AI. The flip side of that is way more agents. So I guess two part question. First, how do you think about agent pricing? And second, how well does Flex position customers for this potential mix shift? And could consumption become a bigger element to the growth algorithm?
Executive George (Title): Well, when we look at the overall threat landscape and how we go to market, obviously we protect endpoints and cloud workloads. You have to look at those in totality. But now we have the opportunity to protect AI agents. And industry stats is that each knowledge worker will have 90 AI agents. So even if the mix moves around, we have a massive opportunity to protect AI agents. We have a massive opportunity to protect all of these AI cloud workloads. And from what I've seen in different technology shifts, we tend to create more opportunity as technology advances, not less opportunity. So that's the way we would view that piece of it. In terms of Flex, look, it's been a smashing success. There's a reason why so many other companies sort of copied our model or tried to copy it. Customers like it. You can see the success in the numbers. And it just makes it so much easier to, you know, help customers very quickly. You look at the acquisitions we did, they were available immediately to customers as soon as the deal closed, you know, and or we went to a GA, but we didn't have to go through another procurement cycle. So that's really the model that we're leading with going to market this year. And we couldn't be more excited about it. And I think the flex results speak for themselves. Thanks, Matt.
Analyst Roger Boyd (UBS): Great. Can you hear me okay?
Executive George (Title): Yep, go ahead.
Analyst Roger Boyd (UBS): Okay, great. George, I want to go back to your comments on why you're best positioned to benefit from AI SOC. And I appreciate your comments around your approach of tech plus human expertise and the floggle that creates giving you an advantage in terms of operationalizing this technology. I think it's also maybe the lowest friction way for some enterprises to benefit from some of this emerging tech. And I guess with that in mind, what sort of growth are you seeing with some of the managed service offerings like Complete and Overwatch relative to the acceleration you're seeing in the overall endpoint business right now? Thanks.
Executive George (Title): Yeah, those businesses continue to grow extremely well and when you look at why, it's because we're getting the right outcome that customers need. One of the things that we track is mean time to detection, mean time to remediation. We're absolutely best in class for customers. It's very difficult for them to replicate what we do. Why? Because it's the network effect, right? It's the full view that we see in over 176 countries where we actually have our software operating. When you're at the tip of the spear in seeing the activity through our technology, the tip of the spear in responding to some of the biggest breaches in the world, combined with our threat intelligence, you've got the right understanding and the right DNA to create the right technology and outcome for customers. So that's what we continue to see. Obviously, they're leveraging our technology and we're providing the automation, but there are many, many customers who don't have the skills or expertise to get the outcomes that we provide, which is stopping the breach, identifying these sort of threats, remediating much faster than they ever could, and ultimately giving them the best outcome for a cost that it's very hard to replicate. And that's why it's been a fantastic success for us. Thanks, Roger.
Analyst Gabriela Borges (Goldman Sachs): Hey, good afternoon. Thank you, George. I really appreciated your description on what LLMs are not. And as it pertains to the RHLF commentary, I want to ask you the opposite question. What do you think the role is of Anthropic in cybersecurity use cases, whether it's on the coding side or the pen testing side, or even the data aggregation side? What role do you think they should have? Thanks.
Executive George (Title): I mean, I guess I'll talk just in general terms for LLM providers. And they're certainly good at a lot of things and can help sort through lots of data very quickly. And it's something that, you know, the security industry and most security players are leveraging. You know, in our particular case, we certainly leverage technology like that, but we've built our own bespoke models depending on the module and trained in a certain way with the vertical expertise to get the right outcome. Here's what you have to remember is that what customers want is real-time prevention. You have to be in line. You have to be able to get the data in milliseconds, and you have to make a decision. That's not the case with an LLM. There's many great things it can do, and it's certainly fantastic technology, but it's not stopping any breaches in real time. And that's one of the areas, I think, again, where we shine. So from my perspective, we continue to work with them. We continue to partner with them. And amazing technologies, and I think it really is going to be the better together approach as the industry goes forward. Customers want to leverage their own models.
We leverage Nemotron with NVIDIA. It's an unbelievable time to be in tech, and you're going to have agents talk to agents, and our agents talking to customer agents that are inside their network. But at the end of the day, as the platform system of record for security, this is where you want to be. It is a very sticky place. We create the data, we curate the data. And again, we want to be open and work with any of the models that are out there. And we want to meet our customers where they have AI and leverage their technologies as well as ours. Great. Thanks, Gabriela.
Analyst Todd Weller (Stevens): Yes, good afternoon. Appreciate the question. George, this is the second quarter of endpoint acceleration. Can you talk about what's driving that, how you think about the durability of the growth acceleration? And then related to this, there's been a lot of action in the market recently around browser security. Do you see that as a new category or as an extension of endpoint? Thank you.
Executive George (Title): Well, when you think about endpoint acceleration, it's a simple answer, AI. You know, we've talked about it and we're showing it in the results. And I mean, one of the biggest things you look at, you know, open clock comes out, our customers immediately are looking at all of our technologies to be able to identify it, put controls around it and make sure that they can leverage these technologies in an efficient and compliant way. So that's where AI meets, the rubber meets the road is at the endpoint and that's how people consume it. So that's where we're seeing it. And then you combine that with browser security, that's really the front door now for how people are interacting with AI models and LLMs and the various technologies that are out there, as well as how threats get into the environment. So you combine that with our agent and the ability to have protection across any browser, not just ask an organization to switch their browser, we can protect any browser that's out there, we tie it into our identity stack, and I can tell you the feedback from our customers, as soon as we made the announcement they were looking and how fast can we get this technology? Because they know on our platform it's going to be additive for them. And we're excited about the category and the great company in Seraphic that we acquired. Thanks, Todd.
Analyst Dan Ives (Wedbush): Yeah, it's a great, great quarter as always. So, George, I was going to say, what, when it comes to Anthropic and Klon, and obviously all the worries out there, and you hit it on the Q&A, to some extent, can't this also be a huge benefit to you as it just further spreads the word and customers realize essentially what they don't have and you do have, especially with the Microsoft partnership at the same time? Thanks.
Executive George (Title): Yeah, you know, Dan, as I said in my prepared remarks, AI is a talent for us, and I mean, I take a simple approach is, do we have more AI in the next year or two or five years? And for me, the answer is absolutely yes. And if that AI is being deployed with AI agents, you're going to need protection. You're going to need something like AIDR. You're going to need identity security. You're going to need browser security. You're going to need compliance around this. And that's the way we look at it. And again, we leverage the technologies that are out there. Why wouldn't we? And we have our own unique IP and our own model. So we get the best of both worlds. And there's many things that, you know, customers are looking for in these workflows and sort of data curation and knowledge in the security industry that you can't just get from a general LLM model. So, you know, I've talked about this before. It is a great opportunity to work together and that's really what we're focused on. Thanks.
Management: Thank you. This concludes today's question and answer session. All right. So thanks everyone for their time today. We appreciate your continued support and look forward to seeing you at our upcoming events. Thanks so much.