Q37
Do you have a current SOC 2 Type II report?
SOC 2 Type II: claimed_with_trust_page
CrowdStrike Vendor Risk Assessment — Full Report
Before you share customer data with CrowdStrike, your compliance team needs documented proof they can be trusted. ThirdProof investigated CrowdStrike across 27 intelligence sources — here's what we found.
✓ FedRAMP Status: Authorized (Moderate) — verified against marketplace.fedramp.gov
Risk Tier
Tier 3 — Moderate RiskSOC 2
⚠ Vendor AttestedFedRAMP
✓ AuthorizedLast Assessed
Apr 6, 2026🟢IP Reputation: Abuse score: 0%, 0 reports🟡SSL/TLS: TLSv1.3🟢Domain Age: 15.8 years🟢Infrastructure: 11 open ports, 0 CVEs
- FedRAMP Status
- CrowdStrike is listed on the FedRAMP Marketplace as Authorized (Moderate) as of March 2026.
- SOC 2 Status
- CrowdStrike has a SOC 2 claim detected on their trust page. Claim is vendor-attested — no public registry exists for independent verification.
- Sanctions Screening
- CrowdStrike returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned CrowdStrike a Moderate Risk tier with 92% confidence across 27 intelligence sources.
25 sources queried. 92% confidence. Every CrowdStrike investigation produces both a risk report and an auto-filled security questionnaire — no vendor follow-up required.
Get CrowdStrike's Full Report Free →5 free investigations|Risk report + auto-filled questionnaire|Avg. 7 minutes
Certification & Compliance Status
Security Questionnaire — Auto-Filled
52 of 133 questions answered for CrowdStrike
Auto-filled from public evidence • 39% complete
Q38
Do you have ISO 27001 certification?
ISO 27001 claim found on trust page (Vendor attested)
Q41
Are you FedRAMP authorized? At what level?
FedRAMP authorized: Product: Falcon Platform; Provider: CrowdStrike, Inc.; Status: Compliant; Impact Level: Moderate; Authorization Date: 2022-08-17T04:00:00.000Z; Attribution: parent organization (not this specific product)
Q40
Are you HIPAA compliant? Do you sign BAAs?
CrowdStrike will sign a Business Associate Agreement (BAA) that covers the use and disclosure of protected health information (PHI).
Q42
Are you GDPR compliant? Do you have a DPA available?
GDPR compliance / DPA claim found on trust page (Vendor attested)
+ 7 more compliance questions answered in the full report
Every investigation produces a full PDF report plus the complete 133-question questionnaire, mapped to SOC 2, HIPAA, PCI DSS, SIG, and more.
Get CrowdStrike's Full Report Free →✓FedRAMP Authorized (Moderate)
Verified against FedRAMP Marketplace API as of March 2026
Verified against the official FedRAMP Marketplace API as of March 2026.
CrowdStrike Falcon authorized at Moderate impact level.
◇27 data sources queried per assessment
◷Reports generated in an average of 7 minutes
◈SHA-256 verified for audit integrity
✓Deterministic risk scoring — no AI guesswork
3Tier
Moderate Risk
CrowdStrike
Vendor Risk Assessment
Confidence Score92%
Based on data availability and source coverage
25
Sources Queried
23
Sources With Data
April 6, 2026
Last Assessed
Executive Summary
AI-generated analysis for CrowdStrike
CrowdStrike (crowdstrike.com) is a globally recognized cybersecurity platform provider assessed at Risk Tier 3 (Moderate Risk) with a 92% confidence score. This tier reflects a combination of strong institutional credibility and independently verified compliance posture, offset by specific technical web configuration gaps and open governance questions that warrant attention before onboarding at a critical data access level. CrowdStrike presents a number of meaningful positive signals that distinguish it from typical Tier 3 vendors:
Key Findings
- **FedRAMP Authorization (Moderate)**: The Falcon Platform is independently verified as compliant in the FedRAMP Marketplace, providing strong assurance for regulated environments. - **Domain maturity**: crowdstrike.com has been registered since 2010 and archived since 2012, reflecting over 15 years of established online presence. - **Clean threat posture**: The domain is not listed on SURBL, Spamhaus DBL, or URLhaus blacklists, Malware detection service returns no threats, and the CDN IP carries a 0% abuse confidence score. - **Comprehensive compliance claims**: CrowdStrike's trust page references SOC 2, ISO/IEC 27001, ISO/IEC 42001:2023, ISO 22301:2019, PCI DSS v4.0.1, CSA STAR, and Cyber Essentials — a notably broad compliance portfolio for a security vendor, though most remain vendor-attested and unverified by this assessment. - **Clean sanctions and adverse media**: No matches across OFAC, EU, and UN sanctions lists; no adverse media signals in the past 12 months across multiple search sources. Several concerns and gaps require follow-up prior to or concurrent with onboarding:
- **HTTP security header gaps**: CrowdStrike's marketing domain received a grade of D (30/100) from HTTP security scanner, with Content-Security-Policy and X-Frame-Options absent — an unexpected finding for a security vendor. - **Governance transparency concern**: A Hacker News discussion flagged a Bloomberg report describing CrowdStrike's CEO reducing voting power by 92% via unexplained share transfers, raising board accountability questions for enterprise procurement stakeholders. - **ISO 27001 registry unavailable**: The ISO 27001 certification registry was unreachable during this assessment, leaving that claim unverified by independent source. Overall, CrowdStrike is a credible, established security vendor with independently verified FedRAMP authorization and a clean threat posture. The Tier 3 rating reflects residual gaps in independently confirmed certifications, web security configuration, and AI data handling transparency — all of which are addressable through targeted vendor engagement.
Independence Statement
All evidence used in this assessment was independently sourced from external data repositories, public registries, threat intelligence databases, and web infrastructure analysis tools without any participation, submission, or review by CrowdStrike.
Investigation Findings
3 findings identified for CrowdStrike
1 high2 medium
high
HTTP Security Grade: D
crowdstrike.com received a poor grade (D) from Mozilla HTTP Observatory. Multiple security headers or configurations are missing.
medium
Recently Registered Entity
Harvest CrowdStrike Enhanced High Income Shares ETF was first registered in the LEI system less than 1 year ago (2025-12-15T16:50:52Z).
medium
Missing Security Headers
crowdstrike.com is missing 2 recommended security headers: Content-Security-Policy, X-Frame-Options.
Source:Domain Analysisdns.google →
✓
Security Strengths
30 positive signals verified
✓
FedRAMP Authorization Independently Verified
Trust & Compliance Page Scan →✓
Legal Entity Actively Registered
Business Registration →✓
No Sanctions Matches Found
Sanctions & Watchlist Screening →✓
No Adverse Media Found
Adverse Media Scan →✓
No Adverse Media Signals
Adverse Media Scan (Fallback) →✓
Firmographic Data Available
Company Intelligence →✓
Valid SSL Certificate
Domain Analysis →✓
11 Open Ports Detected
Infrastructure Exposure →✓
Established Domain (15+ years)
Domain Registration →✓
Clean domain reputation
Threat Intelligence →✓
Tech Community Discussion: trust
Tech Community Sentiment →✓
Certificate Data from TLS Handshake
Certificate Transparency →✓
Established Web Presence (14+ years)
Web Archive History →✓
Domain in 28 Threat Intelligence Pulses
Threat Intelligence (OTX) →✓
Clean IP Reputation
IP Reputation →✓
Clean Safe Browsing Status
Malware & Phishing Check →✓
Clean Website Security Scan
Website Security Scan →✓
Certification Claimed: GDPR
Trust & Compliance Page Scan →✓
Certification Claimed: CCPA
Trust & Compliance Page Scan →✓
Certification Claimed: SOC 2
Trust & Compliance Page Scan →✓
Certification Claimed: ISO 27001
Trust & Compliance Page Scan →✓
Certification Claimed: PCI DSS
Trust & Compliance Page Scan →✓
Certification Claimed: CSA STAR
Trust & Compliance Page Scan →✓
Certification Claimed: Cyber Essentials
Trust & Compliance Page Scan →✓
6 Subprocessors Identified
Supply Chain & Subprocessor Discovery →✓
Not Found as FDIC-Insured Institution
FDIC Institution Check →✓
No SEC Enforcement Filings Found
SEC Filing Search →✓
News Coverage Found (No Risk Signals)
Historical Media Search →✓
FedRAMP Authorization — Parent Organization Product
Certification Registry Verification →✓
SOC 2 Compliance Claimed on Trust Page
Certification Registry Verification →Recommended Actions
Steps to address findings for CrowdStrike
- 1
Request CrowdStrike's current SOC 2 Type II report (dated within the last 12 months) and a bridge letter covering the period up to today. Visit [trust.crowdstrike.com](https://trust.crowdstrike.com) and use the 'Get access' function to request compliance documentation directly from their security team.
- 2
Verify ISO 27001 certification status manually, as the automated registry check timed out. Ask CrowdStrike's compliance team for the current certificate number, issuing body, and expiry date — then cross-check at [IAF CertSearch](https://www.iafcertsearch.org) using the certificate number provided.
- 3
Request clarification on CrowdStrike's AI data handling commitments, specifically: (1) whether customer telemetry or security data is used to train AI models, (2) which third-party AI providers (if any) process customer data, and (3) what retention windows apply to AI-processed data. Reference their [published privacy notice](https://www.crowdstrike.com/en-us/legal/privacy-notice/) in your inquiry as the baseline document.
- 4
Ask CrowdStrike to confirm that Content-Security-Policy and X-Frame-Options headers are implemented on the Falcon platform application domain. If your SOC 2 boundary includes the Falcon agent or console as an in-scope system, this confirmation should be documented as a complementary user entity control (CUEC) review.
- 5
Review the governance disclosure regarding the CEO's voting power restructuring as reported by [Bloomberg](https://www.bloomberg.com/news/articles/2025-05-12/billionaire-crowdstrike-ceo-cuts-voting-power-by-92-with-unexplained-gifts) and discussed on [Hacker News](https://news.ycombinator.com/item?id=43962207). Escalate to your procurement or vendor governance committee for awareness; request CrowdStrike's IR contact or investor relations statement if your organization has contractual change-of-control provisions.
- 6
Confirm TLS certificate and domain renewal schedules with CrowdStrike before June 7, 2026. Both the domain registration and TLS certificate expire within the same narrow window — verify automated renewal is configured by requesting confirmation from their infrastructure team within 30 days.
Intelligence Sources Queried
25 sources in this assessment
23of 25 sources returned data
IP Reputation
AI Data Usage Policy
Threat Intelligence (OTX)
Adverse Media Scan
Domain Analysis
FDIC Institution Check
Business Registration
Historical Media Search
Tech Community Sentiment
Company Intelligence
Adverse Media Scan (Fallback)
HTTP Security Scan
Sanctions & Watchlist Screening
Malware & Phishing Check
SEC Filing Search
Infrastructure Exposure
SSL/TLS Analysis
Supply Chain & Subprocessor Discovery
Trust & Compliance Page Scan
Website Security Scan
Threat Intelligence
Web Archive History
Domain Registration
Certification Registry Verification
Certificate Transparency
Data Coverage Notes
Some data sources may have had limited availability during this assessment. This does not reflect negatively on the vendor.
- ISO 27001 registry lookup (IAF CertSearch) was unavailable due to a timeout during this assessment. CrowdStrike claims ISO/IEC 27001 certification on their trust page, but independent registry verification could not be completed. Manual verification is recommended.
- Certificate Transparency log search (Certificate Transparency service) was partially unavailable; subdomain enumeration data is limited to the single certificate extracted via direct TLS handshake.
- CrowdStrike's AI data usage policy could not be fully assessed from external sources. The privacy notice page was located but did not yield determinable commitments on AI model training, customer data retention under AI features, or named third-party AI providers.
- External cyber risk scoring was not available for this assessment, so no quantitative cyber score comparison against the SaaS industry average could be performed.
- The LEI match returned via Legal Entity Registry corresponds to 'Harvest CrowdStrike Enhanced High Income Shares ETF' — a fund entity, not CrowdStrike, Inc. itself. This is a non-match for entity verification purposes and should not be treated as a legal entity confirmation for the vendor.
- The subprocessor list sourced from the vendor's published page (trust.crowdstrike.com) contains only 6 entries, which may represent a partial or illustrative list rather than a comprehensive GDPR Article 28 subprocessor disclosure. Independent completeness verification is not possible.
- HITRUST certification directory could not be rendered and no HITRUST evidence was found via web search. Absence of HITRUST evidence is not determinative given the directory access limitation.
- Soc 2 coverage was limited for this assessment. This does not confirm any deficiency — direct verification with the vendor is recommended.
- Ai data|policy|governance coverage was limited for this assessment. This does not confirm any deficiency — direct verification with the vendor is recommended.
183+
Vendors assessed
98%
Average confidence
<2 min
Time to report
Security & Compliance Profile
39% complete · 52/133 questions answered from public sourcesAre you CrowdStrike? Claim this profile to complete your security record. Buyers are reviewing this profile now.
Claim this profile →What a ThirdProof assessment covers↓
Sanctions Screening
Is CrowdStrike on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is CrowdStrike's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is CrowdStrike a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has CrowdStrike appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is CrowdStrike's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are CrowdStrike's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does CrowdStrike claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does CrowdStrike depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has CrowdStrike appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Seeing this in an audit? ThirdProof lets you investigate CrowdStrike and every other vendor in your stack — average report time: 7 minutes. Get CrowdStrike's Full Report Free →
Frequently asked about CrowdStrike
Is CrowdStrike FedRAMP authorized?+
Yes, CrowdStrike holds FedRAMP Moderate authorization as of April 2026.
Does CrowdStrike have SOC 2 Type II?+
Yes — CrowdStrike holds SOC 2 (Type II not confirmed). Rated Moderate Risk — security header gaps found. See all 4 findings →
Is CrowdStrike on the OFAC sanctions list?+
CrowdStrike returned no matches in ThirdProof's OFAC SDN, EU Consolidated, and UN sanctions screening as of April 2026.
What is CrowdStrike's vendor risk tier?+
ThirdProof assigned CrowdStrike a risk tier of Moderate Risk with 92% confidence based on assessment across 27 intelligence sources as of April 2026.
Can I get an auto-filled security questionnaire for CrowdStrike?+
Yes. Every ThirdProof investigation of CrowdStrike produces two deliverables: an audit-ready risk report and a 133-question security questionnaire pre-filled with evidence from 27 independent sources. The questionnaire is mapped to SIG, SOC 2, HIPAA, PCI DSS and 9 other frameworks — answered without sending CrowdStrike a single email or waiting for a vendor response.
Is CrowdStrike safe to use as a vendor?+
CrowdStrike is a endpoint security vendor that handles organizational data. Safety depends on their current security posture, certification status, and how they handle your specific data. ThirdProof automates this evaluation across 27 intelligence sources — sanctions databases (OFAC, EU, UN), business registration verification, adverse media scanning, and cyber risk assessment — producing a deterministic risk tier with confidence score plus an auto-filled security questionnaire. Run a free investigation to see CrowdStrike's full risk profile.
Does CrowdStrike have SOC 2 certification?+
Yes — CrowdStrike holds SOC 2 + 7 other certs. Rated Moderate Risk — security header gaps found. See all 4 findings →
Has CrowdStrike had any data breaches?+
Data breach history is an important signal for any vendor, particularly endpoint security platforms like CrowdStrike that handle organizational data. ThirdProof's adverse media analysis searches multiple news APIs and public records for data breaches, security incidents, lawsuits, regulatory enforcement actions, and financial distress signals. Each finding is linked to its original source with severity classification.
Is CrowdStrike on any sanctions lists?+
Sanctions screening is standard due diligence for endpoint security vendors. ThirdProof screens CrowdStrike against OFAC SDN, consolidated international sanctions lists, and PEP databases. The screening uses entity name verification to reduce false positives. If CrowdStrike or any associated officers appear on a sanctions list, this triggers automatic escalation to the highest risk tier.
How do I assess CrowdStrike for vendor risk?+
Assessing CrowdStrike as a endpoint security vendor involves verifying SOC 2 Type II and applicable industry standards compliance, reviewing their subprocessor chain, and checking sanctions exposure. ThirdProof automates this across 27 intelligence sources in an average of 7 minutes — no questionnaires or vendor participation required. Your first 5 investigations are free.
How long does a ThirdProof assessment take?+
A ThirdProof assessment completes in an average of 7 minutes. 27 intelligence sources are queried in parallel — sanctions databases, business registries, threat intelligence feeds, certificate transparency logs, and more. The result is a deterministic risk tier with confidence score and audit-ready PDF report.
Is ThirdProof free?+
ThirdProof offers 5 free vendor assessments with no credit card required. Each assessment includes the full report — risk tier, confidence score, individual findings, executive summary, and PDF export. Paid plans start at $399/month for teams that need ongoing vendor monitoring.
Can I use a ThirdProof report as SOC 2 audit evidence?+
Yes. ThirdProof reports are designed to satisfy SOC 2 CC9.2 (vendor risk management) requirements. Each report includes SHA-256 integrity verification, methodology disclosure, source attribution for every finding, and AI content labeling. Auditors can independently verify the report's authenticity and trace each finding to its original source.
How is ThirdProof different from a security questionnaire?+
Security questionnaires require vendor participation, take weeks, and produce self-reported answers. ThirdProof queries 27 independent intelligence sources — no vendor involvement needed. Risk tiers are assigned by a deterministic rules engine (not AI opinion), and every finding links to its original source. You get an audit-ready report in an average of 7 minutes instead of waiting weeks for a questionnaire response.
Also investigate these vendors
CrowdStrike is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates CrowdStrike across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
✓ 5 free investigations✓ Risk report + auto-filled questionnaire✓ No credit card required✓ Average report time: 7 minutes
Replaces $600–$900 in manual compliance consulting time per vendor assessed.