George Kurtz
George Kurtz (born May 5, 1965) is an American cybersecurity executive, entrepreneur, author, and professional race car driver who serves as co-founder, president, and chief executive officer of CrowdStrike, one of the world's leading cybersecurity technology companies. With more than 30 years of experience in the information security industry, Kurtz is widely recognized as a pioneering figure in endpoint protection, threat intelligence, and incident response.
Kurtz co-authored the bestselling cybersecurity book "Hacking Exposed: Network Security Secrets & Solutions" in 1999, which has sold over 600,000 copies and been translated into more than 30 languages, making it the best-selling computer security book of all time. He founded Foundstone in 1999, which was acquired by McAfee for $86 million in 2004, and served as McAfee's Chief Technology Officer before co-founding CrowdStrike in 2011.
Under Kurtz's leadership, CrowdStrike has grown into a publicly traded company with a market capitalization exceeding $50 billion at its peak, pioneering cloud-native endpoint protection and establishing itself as a critical player in global cybersecurity infrastructure. However, Kurtz's career has also been marked by significant controversy, most notably the July 2024 CrowdStrike global outage that affected 8.5 million Windows computers worldwide, causing widespread disruptions to airlines, banks, hospitals, and emergency services—the largest information technology outage in history.
As of 2024, Kurtz's net worth stands at approximately $2.6 billion, though it dropped significantly following the global outage. Outside of cybersecurity, Kurtz is an accomplished amateur race car driver, having won multiple championships including the GT World Challenge America Pro-Am title and class victories at the 24 Hours of Le Mans and 24 Hours of Spa, racing under the CrowdStrike Racing banner.
In 2024, Cybercrime Magazine named Kurtz "Cybersecurity Person of the Year" in recognition of his contributions to the field, though the award came just months before the catastrophic July outage that would test his leadership and the company's reputation.
Early life and education
George Kurtz was born on May 5, 1965, in New Jersey to a working-class family. His early childhood was marked by tragedy: his father passed away when Kurtz was just seven years old. The loss left his mother to raise him and his siblings alone, creating financial hardship that would profoundly shape Kurtz's work ethic and drive.
Growing up in modest circumstances in New Jersey, Kurtz developed an early fascination with computers and technology during the 1970s and early 1980s, when personal computing was still in its infancy. He spent countless hours teaching himself programming and exploring the emerging world of networked systems.
Kurtz attended Seton Hall University in South Orange, New Jersey, where he studied accounting rather than computer science. The choice reflected practical considerations—accounting offered a clear career path and financial security, something particularly important given his family's economic situation. However, even while pursuing his accounting degree, Kurtz continued to immerse himself in computer systems and security, recognizing early on that the intersection of business and technology would become increasingly important.
After graduating from Seton Hall, Kurtz began his career in accounting but quickly gravitated toward information technology and security roles. His unique combination of business training and self-taught technical expertise positioned him perfectly for the emerging field of information security, which required both technical knowledge and business acumen to succeed.
Career
Early career and "Hacking Exposed"
Throughout the 1990s, Kurtz established himself as a rising expert in computer security, particularly in the areas of penetration testing, vulnerability assessment, and incident response. He worked for accounting firms and consulting companies, helping businesses assess their security posture and respond to breaches.
In 1999, Kurtz co-authored "Hacking Exposed: Network Security Secrets & Solutions" with Stuart McClure and Joel Scambray. The book was revolutionary in its approach, written from the perspective of attackers to help defenders understand how hackers think and operate. Rather than focusing solely on defensive measures, "Hacking Exposed" walked readers through actual attack techniques, tools, and methodologies, then explained how to detect and prevent each type of attack.
The book became an instant bestseller, resonating with security professionals, corporate IT departments, government agencies, and even hackers themselves. Its success stemmed from its practical, hands-on approach and its willingness to discuss real attack techniques openly—an approach that was controversial at the time but proved enormously influential. "Hacking Exposed" has been updated through multiple editions, has sold over 600,000 copies, and has been translated into more than 30 languages, establishing Kurtz as a thought leader in the cybersecurity community.
The success of "Hacking Exposed" raised Kurtz's profile significantly and gave him the credibility and connections to pursue his entrepreneurial ambitions.
Foundstone
In October 1999, riding the wave of success from "Hacking Exposed," Kurtz founded Foundstone, Inc., positioning himself as founder and CEO. Foundstone was a security products and services company that specialized in vulnerability management, penetration testing, and incident response. The company developed software tools for security assessment and offered consulting services to help organizations identify and remediate security weaknesses.
Foundstone quickly established itself as one of the premier security consulting firms in the industry. The company developed a reputation for technical excellence and sophisticated incident response capabilities, often being called in to investigate high-profile breaches at major corporations and government agencies. Foundstone's consultants were among the most respected in the field, and the company's training programs became the gold standard for security professionals.
Under Kurtz's leadership, Foundstone pioneered several approaches that would later become standard practice in the security industry, including comprehensive threat modeling, systematic vulnerability assessment methodologies, and integrated security services that combined technology, processes, and training.
The company's success attracted the attention of McAfee, one of the world's largest antivirus and security software companies. In October 2004, McAfee acquired Foundstone for $86 million, bringing Kurtz and his team into the fold of a major security vendor.
McAfee
Following the acquisition, Kurtz became Senior Vice President and General Manager of Risk Management at McAfee, overseeing the integration of Foundstone's capabilities into McAfee's broader product portfolio. He was responsible for McAfee's vulnerability assessment, penetration testing, and managed security services offerings.
In October 2009, Kurtz was promoted to Executive Vice President and Chief Technology Officer (CTO) of McAfee, one of the most senior technical positions in the company. As CTO, Kurtz was responsible for McAfee's overall technology strategy, product architecture, and innovation initiatives across the company's entire portfolio of security products, which included antivirus software, firewalls, intrusion prevention systems, and encryption technologies.
However, Kurtz's time at McAfee was marred by a significant incident that would foreshadow future controversies. In April 2010, McAfee released an antivirus definition update that contained a critical error. The update mistakenly identified a crucial Windows XP system file (svchost.exe) as malware and quarantined it, causing hundreds of thousands of Windows XP computers around the world to enter an endless reboot loop.
The incident caused massive disruptions to businesses, hospitals, government agencies, and other organizations that relied on Windows XP systems. It required manual intervention on each affected computer to fix, with IT administrators having to boot systems into safe mode, restore the quarantined file, and manually install corrected updates. The cleanup took days and cost organizations millions of dollars in lost productivity.
As McAfee's CTO at the time, Kurtz was responsible for the company's technology operations and quality assurance processes, though the specific individuals responsible for the flawed update were never publicly identified. McAfee issued apologies and explanations, attributing the problem to quality assurance failures, but the incident damaged the company's reputation and highlighted the enormous risks associated with security software that has deep system access.
Despite this setback, Kurtz remained at McAfee until October 2011, when he resigned from his executive roles. Colleagues noted that Kurtz had become increasingly frustrated with the bureaucracy and slower pace of innovation at a large corporation compared to his startup days at Foundstone.
Founding CrowdStrike
In February 2011, George Kurtz co-founded CrowdStrike, Inc. along with Gregg Marston (former CTO of McAfee) and Dmitri Alperovitch (formerly VP of Threat Research at McAfee). The three former McAfee executives were united by a vision to fundamentally reimagine endpoint security for the cloud era.
The company was founded in Irvine, California, with $25 million in initial funding from Warburg Pincus, one of the world's leading private equity firms. The name "CrowdStrike" reflected the company's philosophy: leveraging the collective intelligence and data from all protected endpoints (the "crowd") to detect and prevent threats more effectively than isolated, traditional antivirus solutions.
Kurtz and his co-founders recognized that traditional endpoint protection—which relied primarily on signature-based antivirus software installed on individual computers—was fundamentally inadequate for modern threats. Advanced persistent threats (APTs), nation-state hackers, and sophisticated cybercriminal groups could easily evade signature-based detection. What was needed, Kurtz argued, was a cloud-native platform that could use behavioral analysis, machine learning, and threat intelligence to detect never-before-seen attacks.
CrowdStrike pioneered the concept of "endpoint detection and response" (EDR), which went beyond simple malware blocking to provide continuous monitoring, threat hunting, and incident response capabilities. The company's Falcon platform was built from the ground up as a cloud-native service, collecting telemetry from endpoints and analyzing it in the cloud using big data analytics and machine learning.
The approach resonated with customers. CrowdStrike quickly attracted major enterprise clients, government agencies, and security-conscious organizations that had been burned by traditional antivirus failures. The company's threat intelligence capabilities, led by co-founder Alperovitch, also gained prominence, with CrowdStrike becoming known for attributing major cyberattacks to specific threat actors, including nation-state groups from Russia, China, Iran, and North Korea.
Under Kurtz's leadership as CEO, CrowdStrike grew rapidly, raising successive rounds of venture capital at increasing valuations. The company became known for its aggressive, competitive culture and its willingness to publicly call out competitors' shortcomings—a reflection of Kurtz's confrontational and confident leadership style.
By 2018, CrowdStrike protected millions of endpoints globally and had achieved "unicorn" status with a valuation exceeding $1 billion. The company's growth accelerated as high-profile breaches at companies using traditional antivirus solutions drove demand for next-generation endpoint protection.
The IPO and public company leadership
On June 12, 2019, CrowdStrike went public on the NASDAQ stock exchange under the ticker symbol CRWD. The IPO priced at $34 per share, above the expected range, raising $612 million and valuing the company at approximately $6.7 billion. On its first day of trading, CrowdStrike shares surged more than 70%, closing at $58, giving the company a market value of over $11 billion—one of the most successful tech IPOs of 2019.
The IPO made Kurtz a billionaire, with his stake in CrowdStrike valued at over $1 billion. More importantly, the public offering validated Kurtz's vision for cloud-native endpoint security and positioned CrowdStrike as a leader in the rapidly growing cybersecurity market.
Following the IPO, CrowdStrike continued to grow aggressively. The company expanded internationally, added new product capabilities, and deepened its presence in government and enterprise markets. The COVID-19 pandemic in 2020-2021 accelerated demand for CrowdStrike's services as organizations moved to remote work and expanded their attack surfaces, requiring more sophisticated endpoint protection.
By 2024, CrowdStrike had grown to protect hundreds of millions of endpoints globally, employed thousands of people, and generated several billion dollars in annual revenue. The company's stock price had multiplied several times from its IPO price, briefly pushing CrowdStrike's market capitalization above $80 billion and making it one of the most valuable pure-play cybersecurity companies in the world.
Kurtz's net worth grew in tandem with CrowdStrike's success, peaking at approximately $3.2 billion in mid-2024. He became a prominent figure in the cybersecurity industry, regularly speaking at conferences, testifying before Congress on cybersecurity threats, and advising governments on defense against nation-state hackers.
The 2024 global outage
On July 19, 2024, CrowdStrike experienced the defining crisis of George Kurtz's career—a catastrophic software update failure that caused the largest information technology outage in history.
The incident
At approximately 04:09 UTC on July 19, 2024, CrowdStrike released a routine update to its Falcon sensor software for Windows endpoints. The update contained a critical defect in a configuration file (called a "Channel File") that caused the CrowdStrike Falcon sensor to crash. Because the Falcon sensor operates at the kernel level of the Windows operating system—giving it deep access necessary to detect malware—the sensor crash triggered a Windows "Blue Screen of Death" (BSOD) that rendered affected computers completely inoperable.
Millions of Windows computers around the world simultaneously crashed and entered an endless reboot loop, unable to start properly. The impact was immediate and global:
- Airlines grounded thousands of flights, stranding travelers worldwide
- Hospitals and emergency services lost access to critical systems
- Banks and financial institutions experienced service outages
- Retailers' point-of-sale systems failed
- Government agencies lost access to IT infrastructure
- Broadcasters went off the air
- Emergency 911 systems in some U.S. jurisdictions experienced disruptions
Microsoft later estimated that approximately 8.5 million Windows devices were affected—less than one percent of all Windows machines globally, but representing a massive number in absolute terms due to CrowdStrike's large customer base among critical infrastructure and enterprise organizations.
The outage's economic impact was staggering, with early estimates suggesting billions of dollars in losses from grounded flights, halted business operations, and IT recovery costs.
The response
Within hours of the outage beginning, George Kurtz took to social media platform X (formerly Twitter) to address the crisis. "CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts," he wrote. "Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed."
Kurtz's rapid public response was praised by crisis management experts as appropriate—acknowledging the problem quickly, clarifying the scope, and reassuring customers that work was underway to resolve it. However, his initial statement understated the severity and complexity of the recovery process.
The "fix" Kurtz mentioned was actually quite limited. CrowdStrike could push a corrected configuration file to devices that were still functional, but the millions of computers already stuck in reboot loops required manual intervention. IT administrators had to physically access each affected computer, boot it into safe mode or the Windows Recovery Environment, navigate to a specific directory, delete the problematic file, and reboot. For organizations with thousands of affected devices spread across multiple locations, this recovery process took days or even weeks.
Kurtz appeared on NBC's "Today" show and other media outlets to apologize and explain the situation. "We're deeply sorry for the impact that we've caused to customers, to travelers, to anyone affected by this," Kurtz said. "Many of the customers are rebooting the system and it's coming up and it'll be operational... I think you're going to see those remediation efforts happening immediately."
However, cybersecurity experts and CrowdStrike customers criticized this characterization as overly optimistic, noting that recovery was far more complex and time-consuming than Kurtz suggested.
Investigation and fallout
In the days and weeks following the outage, details emerged about how the incident occurred. CrowdStrike's internal investigation revealed that a defect in its content validation system allowed a faulty configuration file to pass through testing and be deployed to production systems. The file contained problematic data that triggered a logic error in the Falcon sensor, causing it to crash.
The incident raised serious questions about CrowdStrike's quality assurance processes, testing procedures, and staged rollout practices. Industry experts noted that such a critical update should have been tested more thoroughly and deployed gradually to detect problems before they affected millions of systems. The fact that the update was pushed simultaneously to millions of devices worldwide—rather than being gradually rolled out to catch issues early—was identified as a fundamental failure of software engineering best practices.
Comparisons were immediately drawn to the 2010 McAfee incident, when a faulty antivirus update under Kurtz's watch as CTO caused similar widespread system crashes. The fact that Kurtz had now been responsible for two of the worst software update failures in IT history seriously damaged his reputation and raised questions about whether systematic problems in CrowdStrike's development and release processes had been ignored.
CrowdStrike's stock price plummeted following the outage, falling more than 30% in the following weeks. The decline wiped approximately $25 billion from the company's market capitalization and reduced Kurtz's personal net worth by approximately $600 million, from $3.2 billion to $2.6 billion.
Lawsuits were filed against CrowdStrike by affected customers and investors, seeking damages for the outage. Delta Air Lines, which cancelled over 5,000 flights and claimed losses exceeding $500 million, hired prominent attorney David Boies to pursue legal action against both CrowdStrike and Microsoft.
Government regulators and lawmakers in multiple countries launched investigations. Congressional committees summoned Kurtz to testify about the incident. The European Union's cybersecurity agencies examined whether additional regulations were needed to prevent similar incidents. The outage sparked broader debates about the risks of concentrated market power in cybersecurity, the danger of kernel-level access for security software, and whether critical infrastructure should depend on single vendors.
In subsequent congressional testimony, Kurtz took responsibility for the incident while defending CrowdStrike's overall security record. "We let our customers down," Kurtz acknowledged. "The confidence that we built in drips over the years was lost in buckets within hours, and it was a gut punch." He outlined steps CrowdStrike was taking to prevent future incidents, including enhanced testing, gradual rollout procedures, and improved validation processes.
However, critics remained skeptical, pointing out that many of these measures should have been in place already, and questioning why lessons from the 2010 McAfee incident hadn't been more thoroughly applied at CrowdStrike.
Personal life
George Kurtz is married to Annamaria Kurtz, and the couple has two children: a daughter named Allegra Kathleen Kurtz and a son named Alexander Kurtz. Kurtz maintains a relatively private family life despite his public profile as a CEO, and his wife and children rarely appear in media coverage or at public events.
The Kurtz family resides in the San Francisco Bay Area, though George maintains homes in multiple locations to accommodate his racing activities and business travel. Friends and colleagues describe Kurtz as intensely competitive, detail-oriented, and driven—traits that serve him in both business and motorsports but that can also make him demanding and difficult to work with.
Kurtz is known for his passion for exotic cars and professional motorsports, which he pursues seriously alongside his business career. He maintains an extensive collection of high-performance vehicles and has invested significantly in his racing program.
Outside of racing and cybersecurity, Kurtz supports various charitable causes, particularly those related to education and supporting children who have lost parents, reflecting his own experience losing his father at age seven. However, his philanthropic activities are generally kept private.
Racing career
One of the more unusual aspects of George Kurtz's profile is his serious involvement in professional motorsports. Unlike many wealthy executives who casually participate in amateur racing events, Kurtz has competed at the highest levels of GT racing and achieved genuine success.
Kurtz made his professional racing debut in 2016 in the Pirelli World Challenge, driving an Aston Martin Vantage GT4 for TRG-Aston Martin Racing. Despite being a rookie and competing against professional race car drivers, Kurtz demonstrated natural talent and quickly improved his skills through intensive practice and professional coaching.
In 2017, Kurtz won the GTS Am class championship in the Pirelli World Challenge, driving a McLaren 570S GT4. The achievement demonstrated that his interest in racing was serious and that he had the dedication and skill to compete at a high level.
In 2019, Kurtz stepped up to the GT3 category in what had been renamed the GT World Challenge America, partnering with professional driver Colin Braun. The GT3 class features more sophisticated and powerful race cars, including Porsche 911 GT3 Rs, Mercedes-AMG GT3s, Lamborghini Huracán GT3s, and Ferrari 488 GT3s, and attracts top professional drivers from around the world.
Kurtz and Braun competed as part of CrowdStrike Racing, with CrowdStrike serving as a primary sponsor. The partnership proved highly successful. In 2023, Kurtz delivered his best season ever, winning the GT World Challenge America Pro-Am Drivers' Championship and Team Championship, earning 12 race victories across five different racing series throughout the season.
Most impressively, Kurtz has competed and won at some of motorsports' most prestigious events:
- 24 Hours of Le Mans - Pro-Am class victory
- 24 Hours of Spa - Pro-Am class victory
- Indianapolis 8 Hour
- Petit Le Mans
- 4 Hours of Sepang
Kurtz holds an FIA Bronze rating as a race car driver, which is the classification for accomplished amateur drivers who can compete in professional series alongside professionals in the Pro-Am category. His racing success is genuine and hard-earned, requiring thousands of hours of practice, physical fitness training, and mental preparation.
The racing program also serves business purposes, as CrowdStrike Racing provides marketing exposure, hospitality opportunities for customers and partners at races, and demonstrates Kurtz's competitive drive and commitment to excellence. However, colleagues note that Kurtz races primarily because he loves it, not merely as a business tool.
CrowdStrike Racing operates professionally, with dedicated teams, transporters, and support staff. Kurtz employs professional coaches, engineers, and driver development specialists to help him improve his skills and compete at the highest levels.
Recognition and influence
Throughout his career, George Kurtz has received numerous awards and recognition for his contributions to cybersecurity:
- Named "Cybersecurity Person of the Year" by Cybercrime Magazine (2024)
- Ernst & Young Entrepreneur of the Year Award (multiple years)
- Cloud Security Alliance's Philippe Courtot Leadership Award (2025)
- Multiple CEO Today awards recognizing leadership in technology and cybersecurity
Kurtz has also been a prominent voice in policy discussions about cybersecurity, testifying before Congress on numerous occasions about threats from nation-state hackers, cybercrime, and the need for improved public-private cooperation on cyber defense. He has advised government agencies on cybersecurity strategy and has been a vocal advocate for information sharing between private sector companies and law enforcement.
As an author, Kurtz's work on "Hacking Exposed" fundamentally influenced how cybersecurity professionals think about threats and defenses. The book's approach of explaining attack techniques to improve defense has been emulated in countless subsequent security publications.
However, the 2024 global outage has complicated Kurtz's legacy. While his contributions to cybersecurity innovation are undeniable, the catastrophic failure of CrowdStrike's update processes—and the fact that this was the second such incident in his career—has led many to question whether his reputation for technical excellence was deserved or whether systematic problems in quality assurance followed him from McAfee to CrowdStrike.
Management style and philosophy
Colleagues and employees describe Kurtz as an intense, demanding leader who sets extremely high standards and expects exceptional performance from his team. He is known for being deeply involved in technical details despite his CEO role, often personally reviewing product architecture decisions and security research findings.
Kurtz emphasizes speed and aggressiveness in both business and technology development. CrowdStrike's culture reflects this, with rapid product releases, aggressive sales targets, and confrontational competitive positioning against rivals. This approach drove CrowdStrike's rapid growth but may have contributed to the quality assurance failures that led to the 2024 outage.
In presentations and interviews, Kurtz frequently emphasizes the sophistication of modern cyber threats, particularly from nation-state adversaries. "You're not fighting cybercriminals anymore; you're fighting nation-states with unlimited resources," is a common refrain in his presentations. This messaging has helped position CrowdStrike as essential for defense against advanced threats, though critics argue it sometimes veers into fear-mongering to drive sales.
Controversies beyond the 2024 outage
While the 2024 global outage is by far the most significant controversy of Kurtz's career, other incidents have generated criticism:
Competitive claims
CrowdStrike has been accused of making misleading competitive claims about rivals' products, with several competitors filing complaints about CrowdStrike's marketing practices. Kurtz's aggressive competitive rhetoric, while effective for sales, has sometimes crossed the line into disparaging competitors in ways that industry observers considered unprofessional.
Customer lock-in
Some CrowdStrike customers have complained about aggressive contract terms, high costs, and difficulty migrating to alternative solutions once they've adopted the Falcon platform. Critics argue that CrowdStrike exploits its deep integration into customers' systems to make switching prohibitively expensive and risky, giving the company pricing power that it uses to extract high margins.
Attribution controversies
CrowdStrike's threat intelligence team has been involved in several high-profile attribution cases, including identifying Russian government hackers as responsible for the 2016 Democratic National Committee breach. While CrowdStrike's analysis has generally been validated by other security firms and government agencies, the company has faced criticism for releasing attribution conclusions before law enforcement investigations are complete, potentially compromising criminal investigations for marketing purposes.
Legacy
George Kurtz's legacy in cybersecurity is complex and still being written. On one hand, he is a pioneer who helped define modern endpoint protection, authored the field's most influential book, and built one of the most successful cybersecurity companies in history. CrowdStrike's innovations in cloud-native security, behavioral analysis, and threat intelligence have genuinely advanced the state of cyber defense.
On the other hand, Kurtz's career is now permanently marked by two of the worst software update failures in IT history—incidents that caused billions of dollars in economic damage and exposed systematic failures in quality assurance and risk management. The July 2024 CrowdStrike outage, in particular, raises fundamental questions about the wisdom of giving security vendors kernel-level access to critical systems and whether the industry's rush to deploy cloud-connected security solutions has created new systemic risks.
Whether Kurtz is ultimately remembered primarily as an innovator who advanced cybersecurity or as the CEO responsible for the largest IT outage in history will likely depend on how CrowdStrike and the broader industry respond to the lessons of July 2024. If the incident leads to meaningful improvements in software quality assurance, staged rollout practices, and resilience in the face of vendor failures, Kurtz's painful lesson may prove valuable. If similar incidents continue to occur, his legacy will be far more negative.
See also
- CrowdStrike
- Dmitri Alperovitch
- Endpoint detection and response
- Computer security
- Hacking Exposed