Blog · IT & TSA

The sensors phone home or the perimeter is blind.

TSA CrowdStrike security separation is the work of moving the Newco's Falcon sensors, prevention policies, and threat history out of the seller's tenant into the Newco's own console. Endpoint detection and response is the most actively monitored security capability in most carved-out businesses, and a misconfigured cutover leaves either the seller or the Newco staring at incomplete telemetry. The Newco's TSA exit strategy has to put endpoint security in the front half of the wave order. The buyer that stages a clean tenant cutover keeps detection live throughout. The buyer that does not finds the security operations centre playing catch up for weeks.

3 to 6 mo
Typical Migration Window
Sensors
Migration Unit
7 min
Read Time
2026
Last Updated
Section 01

What the seller's Falcon tenant actually contains.

A CrowdStrike Falcon tenant holds sensor enrolments, host groups, prevention policies, custom indicators of attack, exclusions, response actions, and the historic threat detection record. The seller's tenant typically covers laptops, servers, virtual machines, and cloud workloads across the combined business. Some sensors are clearly Newco assets. Others belong to retained business or to shared infrastructure that the carve-out has to allocate.

The carve-out has to address each sensor by host group. A laptop assigned to a Newco employee is a clean Newco sensor. A server hosting a Newco application on shared infrastructure is harder. A virtual desktop hosted in a shared data centre may need to remain in the seller's tenant for a period under a third-party services arrangement. The allocation has to be made before any cutover begins.

A pre-signing inventory of sensors in scope, host groups, prevention policies, and custom rules is the first deliverable. Without it the cutover wave order is a guess and the security operations team has no baseline. The pattern overlaps with the broader Day One cybersecurity playbook.

Section 02

Sensor reassignment without losing coverage.

Falcon sensors authenticate against a customer ID. Moving a sensor between tenants requires the sensor to be reinstalled with the new customer ID, or in some cases reconfigured through the tenant migration tooling that CrowdStrike provides. The work has to be planned in waves. A wave that takes too many sensors offline at once leaves a window where the perimeter is uncovered. A wave that proceeds too slowly extends the period when telemetry is split across two tenants.

The standard discipline is to migrate by host group, validate sensor health on the destination tenant within an hour of the move, and confirm policy assignment immediately. A sensor that lands in the destination tenant without a policy is a sensor running on default protection. The validation step matters as much as the migration step itself.

Mobile devices, virtual desktops, and ephemeral cloud workloads each need a different migration approach. Mobile devices typically need a managed reinstall through the device management system. Virtual desktops need new images. Cloud workloads need updated infrastructure as code templates. The Newco's CISO and the seller's security operations team coordinate the wave plan jointly through the TSA period.

Section 03

Policies, exclusions, and the destination tenant.

Prevention policies, response policies, sensor update policies, and exclusions all live at the tenant level. The destination tenant has to be configured before any sensor migrates. Most Newcos start with the seller's policy set as a baseline, review every exclusion, and clean up the legacy that no longer applies. A policy that allowed a specific seller application to bypass detection should not be carried over if that application is not part of the Newco.

Custom indicators of attack are the high value content. The seller's security operations team has typically built rules over years to detect specific behaviours relevant to the business. The Newco needs the relevant rules in the destination tenant from sensor migration day one. The seller usually agrees to share the rule set under the TSA. The export and import is mechanical. The review and validation is not.

Response actions including containment, real time response, and remediation playbooks need the same treatment. Where the seller's security operations centre runs the playbooks during the TSA period the Newco should observe and document until the security function transitions. The pattern overlaps with the broader carve-out cybersecurity Day One playbook.

Section 04

Threat history, telemetry, and audit continuity.

The seller's tenant holds the historic detection record for the Newco. Investigations in flight, open incidents, and the year of telemetry that compliance evidences for audit all sit in the seller's console. The carve-out exit has to address how this history is preserved. Most Newcos request an export of the relevant detections and a defined retention period in the seller's tenant before decommissioning.

SIEM integrations are the second discipline. Falcon telemetry typically streams into a security information and event management platform. The destination tenant has to be wired into the Newco's SIEM before any sensor migrates. Where the Newco does not yet have its own SIEM, the seller may continue to receive telemetry under the TSA. The arrangement has to specify what data flows where and for how long.

Compliance frameworks expect continuity. SOC 2, ISO 27001, PCI DSS, and HIPAA assessments all expect a contiguous evidence record. The carve-out plan should include the auditor in the conversation early. The auditor will accept a documented bridge between the seller's tenant evidence and the destination tenant evidence if the plan is laid out in advance. They will not accept a gap discovered during fieldwork.

Section 05

Licensing, cost, and the TSA invoice.

CrowdStrike Falcon is licensed by sensor count and module bundle. The seller typically holds an enterprise contract that covers the combined business at a discount. During the TSA the seller allocates a share of the sensor count and the module cost to the Newco. The allocation methodology needs to be transparent. Buyers that accept an opaque allocation often pay for modules they do not use or for sensor counts that drift higher than the actual deployed base.

The Newco's own CrowdStrike contract or destination endpoint platform is procured during the TSA period. Some Newcos stay on Falcon in their own tenant. Some move to alternatives such as Microsoft Defender for Endpoint, SentinelOne, or Palo Alto Cortex. The choice depends on the security operating model, the value creation plan around managed detection, and the level of investment in custom rules.

When the cutover completes the seller's invoice should drop to zero on the endpoint security line. The pattern overlaps with the broader TSA invoice validation process playbook.

Section 06

Closing the migration and the exit.

A clean Falcon exit closes three records. The seller's tenant retains no active Newco sensors, no active Newco host groups, and no active SIEM stream into the Newco environment. The Newco's destination tenant covers the full asset estate with policies, indicators, and response playbooks live. The cutover documentation supports the broader TSA exit certificate and the audit committee can rely on a single security perimeter.

Open items, typically a small set of long tail assets that have not yet been imaged, are tracked under a short post-close services agreement with a hard end date. Those assets are either migrated or deprecated. The decision is made asset by asset with the IT operations owner in the room.

Specialist support across the security workstream is part of the TSA Exit Acceleration service when the milestone is at risk. The work coordinates with the Newco's CISO, the seller's security operations centre, and the IT operations owners on both sides.

Related Reading

More on vendor and platform separation.

Free Download

Get the buyer-side TSA Exit Playbook.

The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.

No spam. Unsubscribe in one click. · Read the overview first →

The sensors phone home or the perimeter is blind.
TSA Exit Acceleration

Move the perimeter before the next incident.

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.

White paper

The TSA Exit Playbook

Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.

Read the playbook →
White paper

The Cybersecurity Day-One Playbook

Exit the seller's security stack first. Every week of shared security is a week of shared blast radius on a business they no longer own.

Read the playbook →
The Day One Letter

Get buyer-side TSA intelligence every two weeks

One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.

Subscribe to The Day One Letter →