
How did CrowdStrike’s outage impact IT teams?

The impacts of last year’s CrowdStrike disruption from IT pros who experienced it.


Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.

John Lee, an IT manager at the University of Illinois’s Grainger College of Engineering, and his team responded admirably to last year’s CrowdStrike outage, strategically sending out help to get systems back online. Lee and his on-campus infrastructure and user services teams also got together shortly after the incident to figure out what they could do better the next time they face 2,500 blue screens of death.

In case you’ve been sleeping under a Mac for the last year, a faulty content update to CrowdStrike’s cybersecurity sensor on July 19, 2024, crashed millions of devices and impacted facilities that require high availability, including airports, banks, and healthcare facilities.

In Lee’s “after-action review,” he and fellow IT practitioners determined they needed to establish clear incident-management roles, as well as a “command chain” for sharing information across all divisions of the organization, not just the IT department.

“It took us some time to self-organize in the beginning, and we recognize that,” Lee said.

Following an outage that impacted 8.5 million devices, according to Microsoft’s count, the Grainger team added new reporting and response strategies, including the creation of a “gathering spot” on the Microsoft Teams platform. Just as important: the establishment of one clear communication contact, a single voice for detailing relevant updates to students during a crisis.

Lee was just one of many IT professionals who had to deal with a wave of unexpected device crashes, and who now have to consider how to prepare for the next unpredictable outage caused by an outside party.

Eric Grenier, senior director analyst for Gartner, said the outage was one of the most notable IT-specific events from this last quarter century, “just due to the number of devices that went down worldwide.”

We spoke with pros and analysts about the incident, and how crowdstruck orgs (and CrowdStrike itself) have changed processes to prepare for the next IT fire alarm.

What happened? Insurer Parametrix estimated that the CrowdStrike error impacted about one in four Fortune 500 companies, causing an estimated $5.4 billion in losses (excluding Microsoft).

What made CrowdStrike's outage different from other large-scale disruptions, even one like October's AWS blackout, was that the fix was a very manual one. It involved pros like Lee and his team rolling around campus to put hands on keyboards, apply the fix machine by machine, and prioritize which systems needed to be restored first.

On Sept. 24, 2024, months after the faulty update, CrowdStrike SVP of Counter Adversary Operations Adam Meyers testified to the US House of Representatives Committee on Homeland Security and shared deployment-process changes at the company, including input validation checks, phased rollouts, and customer control over configuration deployment. CrowdStrike’s root-cause analysis, published on August 6, 2024, revealed six mitigations that the company made to its content update process.

CrowdStrike took owning an incident to new levels when a representative accepted (in person) the Pwnie Award for "most epic fail" at the 2024 DEF CON cybersecurity conference.

When asked for additional commentary for this story, CrowdStrike PR director Kirsten Speas referred IT Brew in an email to CEO George Kurtz’s recent reflections (posted on LinkedIn) and CrowdStrike’s July 2025 blog post highlighting its post-incident steps.


In an interview with IT Brew earlier this year, Cristian Rodriguez, CrowdStrike’s field CTO for the Americas, noted the company’s “tremendous amount of updates to policies” following the incident, and that third-party reviewers validated those updates.

“That third-party assessment was essentially the final stamp of approval and validation that what CrowdStrike has suggested and has said we’re going to change has actually been implemented and modified and updated, in an effort to ensure that an outage like July 19 of last year would never happen again,” he told IT Brew at the time.

CrowdStrike’s root-cause analysis, released on August 6, 2024, stated that two independent third-party software security vendors would “conduct further review of the Falcon sensor code for both security and quality assurance,” and that the company would conduct an independent review of the “end-to-end quality process from development through deployment.”

What’s changed? Following the incident, Allie Mellen, principal analyst on the security and risk team at research firm Forrester, has seen many customers prioritize staggered rollouts and pre-deployment software testing.

CrowdStrike, since July 19, has given customers more control over updates. With "host group policies," customers can assign different deployment schedules to different sets of machines, so test systems receive new content before the rest of the fleet. There's also a "content pinning" option that locks a set of systems to a specific content version until an administrator releases it.

Days after the CrowdStrike outage, the University of Alabama’s Office of Information Technology announced it would roll out updates first to test systems, then non-critical production systems, then production systems.
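The ring order the University of Alabama described (test, then non-critical production, then production) is easy to state and easy to get wrong in practice: the value comes from gating each ring on the health of the previous one and from leaving pinned hosts alone. The following Python model is an added example, not CrowdStrike's or the university's own tooling. It walks a constructed fleet through the three rings, halts and rolls back the moment a ring's crash rate exceeds a threshold, and skips hosts pinned to another content version. The host names, ring sizes, the 2% threshold, the version labels and the `simulate_boot` stand-in for boot telemetry are all assumptions made for the demonstration.

```python
"""Ring-based content rollout with crash-rate gating and version pinning.

Added example, not vendor code. Models the order described above:
test -> non-critical production -> production. Fleet, thresholds and
version labels are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

RING_ORDER = ["test", "noncrit_prod", "prod"]  # deployment order
CURRENT = "content-100"      # constructed: version every host starts on
BAD_UPDATE = "content-101"   # constructed: crashes every host that loads it
GOOD_UPDATE = "content-102"  # constructed: boots cleanly


@dataclass
class Host:
    name: str
    ring: str
    version: str = CURRENT
    pinned: Optional[str] = None  # content pinning: host stays on this version


@dataclass
class RolloutReport:
    target: str
    rings: Dict[str, Dict[str, int]] = field(default_factory=dict)
    halted_at: Optional[str] = None
    log: List[str] = field(default_factory=list)


def simulate_boot(host: Host, version: str) -> bool:
    """Constructed stand-in for boot telemetry: True if the host came back up."""
    return version != BAD_UPDATE


def run_rollout(hosts: List[Host], target: str,
                boot_ok: Callable[[Host, str], bool],
                max_crash_rate: float = 0.02) -> RolloutReport:
    """Push `target` ring by ring. A ring whose crash rate exceeds the
    threshold is rolled back to its previous versions and every later
    ring is left untouched, which is the whole point of staging."""
    report = RolloutReport(target=target)
    for ring in RING_ORDER:
        previous: Dict[str, str] = {}   # name -> version before this push
        crashed: List[str] = []
        skipped = 0
        for h in (h for h in hosts if h.ring == ring):
            if h.pinned is not None and h.pinned != target:
                skipped += 1            # pinned hosts never move
                continue
            previous[h.name] = h.version
            h.version = target
            if not boot_ok(h, target):
                crashed.append(h.name)
        deployed = len(previous)
        rate = len(crashed) / deployed if deployed else 0.0
        report.rings[ring] = {"deployed": deployed,
                              "crashed": len(crashed), "skipped": skipped}
        if rate > max_crash_rate:
            for h in hosts:             # roll the failed ring back
                if h.name in previous:
                    h.version = previous[h.name]
            report.halted_at = ring
            report.log.append(f"{ring}: {len(crashed)}/{deployed} hosts "
                              f"crashed, rolled back, rollout halted")
            return report
        report.log.append(f"{ring}: {deployed} hosts healthy, "
                          f"{skipped} pinned, advancing")
    return report


def build_fleet() -> List[Host]:
    """Constructed fleet: 5 test hosts, 20 non-critical, 100 production,
    with one production host pinned to the current content version."""
    fleet = [Host(f"test-{i:02d}", "test") for i in range(5)]
    fleet += [Host(f"lab-{i:02d}", "noncrit_prod") for i in range(20)]
    fleet += [Host(f"prod-{i:03d}", "prod") for i in range(100)]
    fleet[-1].pinned = CURRENT
    return fleet


def versions_in_use(hosts: List[Host]) -> Dict[str, int]:
    """Count how many hosts run each content version."""
    counts: Dict[str, int] = {}
    for h in hosts:
        counts[h.version] = counts.get(h.version, 0) + 1
    return counts


if __name__ == "__main__":
    fleet = build_fleet()
    bad = run_rollout(fleet, BAD_UPDATE, simulate_boot)
    print(bad.log, versions_in_use(fleet))   # halts at "test", 125 on content-100
    good = run_rollout(fleet, GOOD_UPDATE, simulate_boot)
    print(good.log, versions_in_use(fleet))  # all rings advance, pinned host untouched
```

With the bad update, only the five test hosts ever load it; the rollout halts there, rolls them back, and the 120 production-class machines never see the content. With the good update, all three rings advance and the single pinned production host stays where it was. The soak time between rings, which the model collapses to an immediate boot check, is the other knob a real policy exposes.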

The cybersecurity capabilities of CrowdStrike products and those of other vendors have relied on visibility into a core aspect of an operating system: the kernel. In his September 2024 House testimony, Meyers said kernel visibility is “critical to ensuring that a threat actor does not insert themselves into the kernel themselves and disable or remove the security products and features.”

Microsoft's Windows Endpoint Security Ecosystem Summit, held on Sept. 10, 2024, two weeks before Meyers's testimony, gathered endpoint-security vendors to discuss capabilities and designs that would reduce the need for such deep access to the kernel.

“This is an ongoing effort. It is a very difficult thing to do because kernel access is so important when developing security software, especially. But there’s a lot of effort being done to establish some ways to pull them out of the kernel and provide more resiliency around Windows in general,” Mellen said.

Mellen also sees the CrowdStrike incident impacting how organizations consider their third-party relationships, and how much control those partners have over their systems.

“If you are aware of that, then you can make better decisions about how you reduce risk in these scenarios,” Mellen told us.

Some events—like thousands of PCs going down at once—just aren’t in an emergency response plan. Lee said he couldn’t have predicted the CrowdStrike disruption would take out all staff machines.

“A lot of these things aren’t in our control. It’s up to the vendor,” Lee told IT Brew.
