Firewalls and application load balancers have been on the front lines for years, but they’ve rarely offered the same level of protection as a laptop or server. Now, F5 and CrowdStrike aim to close that gap with a new strategic partnership that, for the first time, brings the Falcon sensor and threat hunting OverWatch service directly to F5 BIG-IP devices.
The agreement, announced on November 12, 2025, promises advanced detection and response at the perimeter where the most critical application and API traffic is concentrated. And it offers an irresistible incentive for F5 customers: Falcon for BIG-IP will be free until October 14, 2026.
From Endpoint Protection to Shielding Network Devices
For years, cybersecurity strategies have revolved around the endpoint. EDR tools, lightweight agents, and XDR platforms have protected laptops, PCs, servers, and more recently, cloud workloads. But, as the joint note emphasizes, attackers don’t stop when they compromise a device: they move laterally through the network in search of critical applications and sensitive data.
“The current landscape demands taking the power of the Falcon platform beyond the endpoint,” said George Kurtz, CEO and founder of CrowdStrike. “We are making a bold move: normalizing the deployment of detection and response sensors across all attack surfaces, including network devices.”
Meanwhile, François Locoh-Donou, President and CEO of F5, acknowledged a painful sector reality:
“For too long, network devices have lacked the same level of protection as other endpoints, even though they sit right in front of the world’s most critical applications and APIs.”
This isn’t coincidence. F5 recently disclosed a security incident affecting part of its platform, which has accelerated efforts to raise security standards on its network appliances.
What Is Falcon for F5 BIG-IP?
The partnership results in a specific technical integration:
- CrowdStrike Falcon Sensor can be embedded directly into F5 BIG-IP, starting with the virtual version (BIG-IP Virtual Edition, VE).
- By the end of 2025, the integration will also be available for physical BIG-IP systems.
- Additionally, customers will be able to leverage the Falcon OverWatch service, CrowdStrike’s managed threat hunting team that analyzes telemetry in real-time to identify subtle attacker movements.
All of this is delivered on the F5 Application Delivery and Security Platform (ADSP), the platform F5 uses to deploy and secure applications and APIs across datacenters, public clouds, and edge environments.
Practically, this means a BIG-IP will no longer just be a load balancer or WAF, but also an advanced threat sensor capable of:
- Sending rich telemetry to the Falcon platform.
- Correlating events with activity on endpoints, identities, cloud workloads, and data.
- Triggering coordinated responses (blocks, isolations, temporary rules) using the same logic as the rest of the security architecture.
200 Clients in Production & Free Use Until October 2026
Although the announcement marks the official launch, F5 and CrowdStrike confirm that more than 200 customers are already using Falcon for BIG-IP in their networks. The key update is that the program now offers advantageous conditions:
- Free access to the Falcon sensor and OverWatch service for eligible BIG-IP customers until October 14, 2026.
- The offer initially applies to BIG-IP VE and will extend to hardware BIG-IP once the integration is available.
- F5 will provide onboarding resources (knowledge base articles and direct support) to facilitate deployment.
For many security and networking teams, this is an opportunity to test AI-enhanced perimeter detection at no initial cost and evaluate impacts on visibility, investigation times, and response effectiveness.
Why This Integration Matters for Businesses
1. Fewer Blind Spots in Critical Traffic
BIG-IP appliances are typically placed just in front of the business-driving applications: customer portals, internal and external APIs, payment gateways, internal services exposed via VPN or Zero Trust, etc.
Until now, many of these devices weren’t covered by EDR agents and acted as “black boxes” in terms of advanced detection. With Falcon integrated:
- Additional telemetry is gained on suspicious requests, anomalous traffic patterns, and behaviors that traditional inspection might miss.
- It becomes possible to correlate activity on BIG-IP with endpoint and cloud events, helping to reconstruct the full attack story.
2. Faster Response & Cross-Domain Coordination
With Falcon and OverWatch on BIG-IP, an incident is no longer analyzed solely from the endpoint perspective. If an attacker compromises a server, subsequent movement toward applications protected by F5 can be reflected in Falcon’s enriched logs.
This enables:
- Reduce detection times (MTTD) by uncovering patterns that might otherwise go unnoticed.
- Automate responses within the application layer (e.g., block IP addresses, terminate sessions, adjust rules temporarily).
3. AI-Driven Network Security, Not Just Endpoints
The Falcon platform already relies on a global data lake and AI models trained with attack indicators, telemetry, and adversary tactics. By connecting to BIG-IP, this analytics extends to the part of the infrastructure that sees all HTTP/HTTPS and API traffic.
This means CrowdStrike’s AI can dtect abnormal behaviors in request flows, repeated reconnaissance patterns, covert exfiltration, or malicious API misuse—supplementing traditional WAF protections.
What Network and Security Teams Should Know
For those managing F5 BIG-IP infrastructure, several practical points to consider include:
- Deployment Model: Integrating Falcon into BIG-IP VE allows testing in virtual environments (labs, cloud clusters) before deploying on physical appliances.
- Management & Performance: Falcon sensor is designed as a lightweight agent; organizations should validate resource usage and tweak settings in production.
- Governance & Privacy: The telemetry added to endpoint and cloud telemetry must align with internal data policies and compliance requirements.
From a governance standpoint, this is also a chance to foster closer collaboration between network and security teams, which often operate in silos. If BIG-IP becomes a “first-class citizen” in detection and response, it will be necessary to define:
- Who sets deployment policies for the sensor.
- How alerts and workflows are shared between NOC and SOC teams.
- Which metrics will be used to measure success.
Setting a Trend in the Industry
The F5–CrowdStrike alliance can be viewed as a preview of a broader movement in the industry: extending advanced security to devices traditionally not considered endpoints, such as:
- Network devices (routers, switches, load balancers).
- Remote access gateways.
- Critical OT and IoT devices.
If successful, similar integrations are likely with other network hardware vendors and security platforms, creating a model where all relevant nodes in the infrastructure run some form of unified sensor.
Frequently Asked Questions
What exactly is Falcon for F5 BIG-IP, and what does it include?
It’s an integration that enables installing the CrowdStrike Falcon sensor directly on F5 BIG-IP devices and leveraging the Falcon OverWatch managed threat hunting service. This extends Falcon’s detection and response capabilities to the application and API traffic at the perimeter.
Which clients can use Falcon for BIG-IP free until October 2026?
F5 has announced that eligible BIG-IP customers can access the Falcon sensor and OverWatch service free of charge until October 14, 2026. Initially, this applies to BIG-IP VE, with hardware support coming later. Details on eligibility can be checked with F5 or through their knowledge base.
Does installing Falcon on BIG-IP significantly impact performance?
The Falcon sensor is designed as a lightweight agent. However, environments vary. It is recommended to test the integration in BIG-IP VE or a testing environment prior to production, monitoring CPU, memory, and latency under load.
What advantages does this offer over conventional WAF and EDR tools?
While WAFs safeguard applications at the HTTP/HTTPS layer and EDRs protect endpoints individually, Falcon for BIG-IP unifies visibility and analysis within the application gateway itself. It enables correlating network events with endpoint, identity, and cloud data and orchestrating coordinated responses—reducing blind spots and reaction times.
Sources
- F5 / crowdstrike — F5 and CrowdStrike Strengthen Web Traffic Security with Falcon for F5 BIG-IP (official note, 12/11/2025).