TTechclick ⚡ XP 0% All lessons
CrowdStrike · Endpoint Security · ArchitectureInteractive · L1 / L2 / L3

CrowdStrike Falcon Architecture — One Agent, the Cloud & Threat Graph

CrowdStrike Falcon is one lightweight agent talking to a cloud brain. This lesson maps the whole platform: the single kernel/user-mode sensor, the cloud-native Security Cloud, the Threat Graph that correlates trillions of events, how telemetry streams up with smart filtering, why one agent unlocks many modules, and what happens when the endpoint goes offline.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live telemetry demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to CrowdStrike Falcon architecture (2026): the single lightweight kernel/user-mode sensor, the cloud-native SaaS Security Cloud, Threat Graph correlating trillions of events, how telemetry streams up with smart filtering, the one-agent-many-modules console model, cloud regions and tenancy, and what the sensor does offline.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

The single agent

One lightweight sensor: kernel driver + user service.

 2

The cloud brain

Cloud-native SaaS Security Cloud does the heavy work.

 3

Threat Graph

Telemetry streams up, smart-filtered, and is correlated.

 4

Modules, regions, offline

One agent, many modules; tenancy; offline behaviour.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. How many agents do you install per endpoint for Falcon?

Answered in The single agent.

2. Where does most of the analysis actually happen?

Answered in The cloud brain.

3. What is Threat Graph?

Answered in Threat Graph.

Most engineers think…

Most people picture endpoint security as 'a heavy antivirus suite installed on every laptop that scans files and phones nothing home'. That mental model is exactly backwards for Falcon.

Falcon is cloud-native by design: a single lightweight sensor on the endpoint that does on-box prevention and streams smart-filtered telemetry to the Security Cloud, where a purpose-built graph database — Threat Graph — correlates trillions of events across every customer to catch attacks in real time. The endpoint stays light because the heavy correlation lives in the cloud. Understanding that split is what lets you explain why one agent plus one cloud graph beats a pile of fat local engines.

① The single lightweight agent — one sensor, not a suite

The first idea to fix in your head: Falcon installs one sensor per endpoint, not a stack of separate products. That single sensor is a kernel-mode driver plus a user-mode service working together.

The kernel driver sits low in the operating system so it can see activity early (it loads during boot via the Early Launch Anti-Malware path on Windows), resist tampering by an attacker, and observe events that a user-mode-only tool would miss. The user-mode service processes what the driver sees, applies policy, and handles the secure connection to the cloud.

It is called lightweight for a real reason: the sensor is designed to be small and low-overhead, because the expensive correlation work is pushed to the cloud rather than run on your laptop. There is no on-prem management server to build and no daily signature download to schedule.

Figure 1 — Inside the one Falcon sensor
A single lightweight agent = a kernel-mode driver plus a user-mode service, talking to the cloud.Inside the one Falcon sensorKernel-mode driverSees activity early, tamper-resistantUser-mode serviceApplies policy, runs preventionSecure cloud channelStreams filtered telemetry up
A single lightweight agent = a kernel-mode driver plus a user-mode service, talking to the cloud.
Quick check · Q1 of 10 · Understand

The Falcon sensor is best described as…

Correct: c. Falcon installs a single lightweight sensor per endpoint. It combines a kernel-mode driver (early, tamper-resistant visibility) with a user-mode service (policy, prevention, cloud connection). It is light because heavy correlation is pushed to the cloud.
👉 So far: Falcon = one lightweight sensor per endpoint: a kernel-mode driver (early, tamper-resistant) plus a user-mode service (policy, prevention, cloud link). No on-prem server, no daily signatures.

② The cloud brain — a cloud-native SaaS model

Falcon is cloud-native SaaS: CrowdStrike runs the management plane, the console and the analytics as a service. You do not stand up your own servers — you log into the Security Cloud and your sensors phone home to it.

Why push the heavy work to the cloud

Keeping the brain in the cloud means three things at once. The endpoint stays light because it is not running giant analytics locally. Detection improves for everyone because the cloud sees patterns across all customers, not just yours — what hits one tenant can protect the rest. And upgrades are continuous: new logic and intelligence ship from the cloud, with no fleet-wide reinstall.

The interview line: the sensor senses, the cloud thinks. The agent does fast local prevention; the Security Cloud does the deep, cross-customer correlation.

Figure 2 — Sensor senses, cloud thinks
The endpoint stays light; the heavy correlation lives in the cloud-native Security Cloud.Sensor senses, cloud thinksObservesensor watchesendpointPreventfast on-box blockStreamsmart-filteredtelemetryCorrelateThreat Graph in cloudProtectintel shared to all
The endpoint stays light; the heavy correlation lives in the cloud-native Security Cloud.
Figure 3 — Legacy AV suite vs cloud-native Falcon
Falcon flips the model: a light agent plus a cloud brain instead of a heavy local engine.Legacy AV suite vs cloud-native FalconLegacy AV suiteHeavy local engineDaily signature downloadsOn-prem management serverSees only this one hostCloud-native FalconOne lightweight sensorLogic ships from the cloudSaaS console, no serverCross-customer correlation
Falcon flips the model: a light agent plus a cloud brain instead of a heavy local engine.
🛡️
Falcon sensor
tap to flip

One lightweight agent per endpoint — a kernel-mode driver plus a user-mode service. Does on-box prevention and streams telemetry to the cloud.

☁️
Security Cloud
tap to flip

The CrowdStrike-hosted, cloud-native SaaS platform: it ingests telemetry, runs analytics, stores data and serves the console. No on-prem server.

🕸️
Threat Graph
tap to flip

A purpose-built cloud graph database that correlates trillions of events per day across all customers as nodes and relationships.

🔌
Reduced Functionality Mode
tap to flip

A safe, limited state the sensor enters when the OS/kernel is unsupported or misconfigured — it runs reduced until compatibility is restored.

Say 'sensor senses, cloud thinks'

In an interview, separate the two halves cleanly: the lightweight sensor does fast on-box prevention and streams telemetry, while the cloud-native Security Cloud does the deep, cross-customer correlation in Threat Graph. That one sentence shows you understand why the agent can stay so light.

Quick check · Q2 of 10 · Understand

Why is the heavy analysis pushed to the cloud-native Security Cloud?

Correct: a. Keeping the brain in the cloud keeps the agent lightweight, lets CrowdStrike see patterns across every customer (shared protection), and ships new logic continuously without a fleet-wide reinstall.
👉 So far: Cloud-native SaaS: CrowdStrike runs the Security Cloud. The sensor senses and prevents; the cloud thinks and correlates across all customers, shipping logic continuously.

③ Threat Graph — streaming telemetry into one giant graph

Telemetry does not just sit in a log. The sensor streams events — process starts, file writes, network connections, registry changes — up to the cloud over a secure channel, and they land in Threat Graph: a purpose-built, cloud-native graph database.

Threat Graph correlates trillions of events per day across endpoints, identities, cloud workloads and more — modelling them as nodes and the relationships between them — so an attack can be spotted by how events connect, not just by a single bad file. Because the graph spans every customer, an indicator seen anywhere can defend everyone.

Smart filtering keeps it cheap

The sensor does not blindly fire-hose raw data. It applies smart filtering on the endpoint — sending the security-relevant signal and suppressing noise — which keeps both the network cost and the endpoint overhead low while still feeding the graph what it needs.

Figure 4 — One graph, every source
Threat Graph correlates trillions of events as nodes and relationships across many telemetry sources.One graph, every sourceThreat Graphcloud graph DBEndpointsIdentitiesCloud workloadsNetwork eventsThreat intelOther modules
Threat Graph correlates trillions of events as nodes and relationships across many telemetry sources.
'It is just antivirus on the laptop' under-sell

Falcon's power is not the local engine — it is the cloud graph. Treating it as a standalone on-box AV misses the whole point: Threat Graph correlates trillions of events across every customer, so an attack seen anywhere helps defend everyone. Always name the cloud brain, not just the agent.

▶ Watch one suspicious process get caught end-to-end

How a single endpoint event becomes a cloud-correlated detection. Press Play for the healthy path, then Break it to see the classic failure.

① EventA user opens a document that quietly spawns PowerShell to download a payload — the kernel driver sees the process start.
② Filter + streamThe user-mode service smart-filters the event and streams it over the secure channel to the Security Cloud.
③ CorrelateThreat Graph links the document, the child process and the network call into one chain — a known attack pattern.
④ Prevent + alertThe cloud verdict and on-box prevention kill the chain; a detection appears in the console with the full graph.
Press Play to step through the healthy detection path. Then press Break it.
Quick check · Q3 of 10 · Apply

Your network team worries the sensor will flood the link with raw events. What actually limits that?

Correct: b. The sensor applies smart filtering locally — it streams the security-relevant signal and suppresses noise — keeping both network cost and endpoint overhead low while still feeding Threat Graph what it needs.
👉 So far: Telemetry streams up with smart filtering into Threat Graph — a cloud graph database correlating trillions of events per day as nodes and relationships, so attacks are caught by how events connect.

④ One agent, many modules — regions, tenancy and offline

The payoff of one sensor: one agent unlocks many modules. From a single console you license capabilities — EDR, next-gen antivirus, identity, cloud, and more — and the same deployed sensor lights them up. No new agent to roll out per feature.

The platform runs in regional clouds (for example US-1, US-2, EU-1 and government clouds, with in-country regions being added for data sovereignty). Each customer is a tenant with logically isolated data, so multi-tenancy gives shared intelligence without mixing one customer's records into another's.

What happens offline

If an endpoint loses the cloud, the sensor keeps doing local, on-box prevention using its cached logic and queues telemetry to sync later. A related safety state is Reduced Functionality Mode (RFM), which the sensor enters when the OS/kernel is unsupported or misconfigured — it runs in a limited, safe capacity until compatibility is restored, then resumes full function.

Figure 5 — One agent unlocks many modules
The same deployed sensor lights up new capabilities from the console — no new agent per feature.One agent unlocks many modulesInstall onceone Falcon sensorLicensepick modules inconsoleActivatesame agent enablesthemOperateone console, onetenant
The same deployed sensor lights up new capabilities from the console — no new agent per feature.

Vikram, a SOC lead in Pune, faces this

After a Linux kernel upgrade across a server fleet, those hosts stop raising detections in the Falcon console even though the sensor is still installed.

Likely cause

The new kernel version is not yet supported by the installed sensor, so those Linux sensors dropped into Reduced Functionality Mode (RFM).

Diagnosis

Check host status in the console — the affected hosts show RFM; on Linux, RFM sensors still send heartbeats but do not process events or register detections.

Falcon console ▸ Host setup & management ▸ Host management (filter: RFM)
Fix

Update the sensor to a build that supports the new kernel (or pin to a supported kernel), so the sensor exits RFM and resumes full functionality.

Verify

Re-check the hosts: RFM clears, detections and telemetry resume, and the heartbeat-only gap closes in the timeline.

Prove sensor health from the console

Never assume a quiet host is a safe host. The Falcon console shows each sensor's status — online, offline or RFM. If detections go silent after an OS update, check for RFM before assuming there is no threat; the answer is usually a sensor that needs a supported build.

Quick check · Q4 of 10 · Analyze

An endpoint loses internet for several hours. What happens?

Correct: c. Offline, the sensor still performs local prevention using cached logic and queues telemetry to upload when the cloud is reachable again. A separate state, RFM, applies when the OS/kernel is unsupported.
👉 So far: One agent unlocks many modules from one console; the platform runs in regional clouds with multi-tenant isolation; offline the sensor keeps local prevention, and RFM is a safe limited state on unsupported kernels.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

How many agents does Falcon install on an endpoint?

Correct: b. Falcon uses a single lightweight sensor per endpoint. That one sensor (kernel driver + user-mode service) serves the whole platform, and licensing more modules does not require installing more agents.
Q6 · Understand

Where does the deep correlation of events happen?

Correct: c. The endpoint does fast local prevention, but the deep, cross-customer correlation runs in the Security Cloud, specifically in Threat Graph. Falcon is cloud-native SaaS, so there is no on-prem server to run.
Q7 · Apply

An auditor asks how Falcon avoids saturating the WAN with endpoint data. Best answer?

Correct: b. Smart filtering on the sensor sends the security-relevant signal and drops noise, keeping network and endpoint overhead low while still feeding Threat Graph the events it needs to correlate.
Q8 · Analyze

Why does one customer benefit when Falcon detects a new attack at a different customer?

Correct: d. Threat Graph spans every customer's telemetry in one cloud graph. An indicator or attack pattern observed in one tenant becomes intelligence that helps defend all the others — the core advantage of the cloud-native model.
Q9 · Evaluate

An interviewer asks why CrowdStrike keeps the heavy analytics in the cloud instead of on the agent. Strongest answer?

Correct: a. Pushing correlation to the cloud keeps the sensor lightweight, lets CrowdStrike correlate across all customers for shared protection, and lets new logic and intel ship continuously from the cloud with no fleet-wide reinstall.
Q10 · Evaluate

What best explains data residency and isolation across CrowdStrike's regional clouds?

Correct: c. Falcon runs in regional clouds (e.g. US-1, US-2, EU-1, government and in-country regions) with true multi-tenancy: each customer is a logically isolated tenant, giving shared intelligence without mixing one customer's data into another's.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why is CrowdStrike Falcon described as 'one lightweight agent plus a cloud graph' rather than 'antivirus on every laptop'? Then compare with the expert version.

Expert version: Because the architecture deliberately splits the work: a single lightweight sensor (kernel driver + user-mode service) does fast on-box prevention and streams smart-filtered telemetry, while all the heavy correlation lives in the cloud-native Security Cloud. There, Threat Graph — a purpose-built graph database — correlates trillions of events per day across every customer, so attacks are caught by how events connect and an indicator seen at one tenant protects the rest. The endpoint stays light, one agent unlocks many modules from one console, the platform runs in isolated regional tenants, and even offline the sensor keeps local prevention and syncs later. That is why it is 'one agent plus a cloud graph', not a fat local AV.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Falcon sensor
The single lightweight agent on each endpoint — a kernel-mode driver plus a user-mode service that does on-box prevention and streams telemetry to the cloud.
Kernel-mode driver
The low-level part of the sensor that loads early, sees system activity a user-mode tool would miss, and resists tampering.
User-mode service
The part of the sensor that applies policy, runs prevention and maintains the secure connection to the Security Cloud.
Security Cloud
CrowdStrike's cloud-native SaaS platform that ingests telemetry, runs analytics, stores data and serves the admin console.
Threat Graph
A purpose-built, cloud-native graph database that correlates trillions of events per day across all customers as nodes and relationships.
Graph database
A database that stores data as nodes and the relationships (edges) between them, so you can query how things connect, not just list rows.
Smart filtering
On-endpoint filtering that streams the security-relevant signal and suppresses noise, keeping network and endpoint overhead low.
Module
A licensed capability (e.g. EDR, next-gen AV, identity, cloud) that the same single deployed sensor unlocks from one console.
Multi-tenancy
Each customer is a logically isolated tenant in a shared regional cloud, giving shared intelligence without mixing customer data.
Reduced Functionality Mode (RFM)
A safe, limited sensor state entered when the OS/kernel is unsupported or misconfigured, until a supported build restores full function.

📚 Sources

  1. CrowdStrike — The CrowdStrike Falcon Platform: single lightweight-agent, cloud-native architecture. crowdstrike.com/platform
  2. CrowdStrike Blog — Tech Analysis: CrowdStrike's Kernel Access and Security Architecture. crowdstrike.com/blog/tech-analysis-kernel-access-security-architecture
  3. CrowdStrike — Threat Graph: cloud-powered graph analytics correlating trillions of events. crowdstrike.com/platform/threat-graph
  4. CrowdStrike Blog — How Log-Structured Merge Trees Enable CrowdStrike to Process Trillions of Events per Day. crowdstrike.com/blog
  5. CrowdStrike — New Regional Clouds & Global Data Sovereignty (US-1/US-2/EU-1, GovCloud, in-country regions). crowdstrike.com/press-releases
  6. Duke OIT / CrowdStrike docs — Reduced Functionality Mode (RFM) and sensor offline behaviour. oit.duke.edu / falcon.crowdstrike.com

What's next?

Got the architecture? Next, go deep on the detection engine — how Falcon's NGAV and EDR actually decide what is malicious using machine learning, indicators of attack (IOAs) and behavioural analytics.

Next · All interview lessons → Practice on exam.techclick.in →