CrowdStrike has signed a definitive agreement to acquire U.S.-based identity platform SGNL for $740 million, paid predominantly in cash with a stock component subject to vesting conditions.

CrowdStrike said the deal adds “Continuous Identity” capabilities designed to grant, deny, or revoke access in real time using risk signals, with the aim of reducing exposure created by standing privileges across human, non-human, and AI agent identities.

SGNL is a runtime access enforcement layer that sits between identity providers and the SaaS and cloud resources employees and ‘non-human’ identities touch.

CrowdStrike said the combined offering will extend “dynamic authorization across SaaS and hyperscaler cloud access layers,” explicitly calling out AWS IAM and Okta as target expansion areas beyond CrowdStrike’s current identity coverage.

CrowdStrike’s deal blog post put the integration in “continuous, context-aware authorization” terms: as device posture, identity risk, or adversary signals change, access should change with them.

President Michael Sentonas also tied the roadmap to standards-based plumbing, writing that SGNL will enhance Falcon’s identity approach with CAEP-driven enforcement integrated into Falcon Fusion SOAR.

Falcon is CrowdStrike’s AI-native cybersecurity platform, delivered through a single cloud-based agent and console, used to protect endpoints, cloud workloads, identities and data.

Standards and interoperability

CAEP (Continuous Access Evaluation Profile) is defined by the OpenID Foundation as a profile of the Shared Signals Framework, intended to let cooperating systems send continuous security updates so receivers can attenuate access to users, devices, sessions, and applications.

That matters for enterprises because it describes a practical interoperability goal: risk signals generated in one layer (endpoint, identity, SaaS) can drive access decisions in another without waiting for periodic reviews or manual ticketing.

Why it matters

CrowdStrike’s message lands in a threat environment where credential and access abuse remains central. Verizon’s 2025 Data Breach Investigation Report says stolen credentials show up across multiple incident patterns, and calls out that they remain one of the most common entry points.

Microsoft’s 2025 Digital Defense Report also describes a shift toward “logging in” rather than breaking in, and highlights the role of access brokers in the cybercrime economy, including a dataset where credential-based attacks dominate initial access vectors.

Against that backdrop, CrowdStrike is pitching SGNL as a way to shrink the blast radius of identity misuse by minimizing how long privileges exist and by enforcing policy at runtime rather than relying only on static roles and periodic certification.

The acquisition also extends a longer identity arc for CrowdStrike. The company entered identity protection via its planned acquisition of Preempt Security in 2020.

In the SGNL deal announcement, CrowdStrike cited IDC research projecting the identity security market to grow to $56 billion by 2029, and positioned the SGNL purchase as a platform step toward being “in the path of access,” not just detection.

What’s next

CrowdStrike said the transaction is expected to close in its fiscal first quarter 2027, subject to customary closing conditions and approvals. CrowdStrike has not published product-level dates for when AWS IAM/Okta coverage will be generally available inside Falcon, beyond stating the combined capabilities will extend across SaaS and hyperscaler environments.