Two announcements, four months apart, describing the same capability
On 5 March 2026 CrowdStrike and Schwarz Digits announced a partnership. CrowdStrike would bring the Falcon platform to STACKIT, the sovereign cloud that Schwarz Digits operates inside the EU, with data residency and GDPR compliance as the selling point. The release described the collaboration as delivering the Falcon platform with full attack path visibility on infrastructure fully operated within the EU. Schwarz Group companies would consolidate their own security onto Falcon, and the two sides floated joint work on a secure enterprise browser and an AI-based SIEM.
That March release does not mention XM Cyber once.
On 16 July 2026 the two companies expanded the partnership. CrowdStrike signed a definitive agreement to acquire the intellectual property of XM Cyber, a Schwarz Digits company known for attack path visualisation and offensive simulation. The thing CrowdStrike promised to deliver in March is the thing whose patents it agreed to buy in July, and in March those patents sat inside its partner's own group.
What is actually being bought
The wording in the July release is unusually plain, and worth reading exactly as written. At closing, CrowdStrike will acquire XM Cyber's intellectual property, including more than 45 patents and proprietary source code, and will not acquire any revenue or customers. XM Cyber will continue operating as a standalone business with an intellectual property licence from CrowdStrike.
Strip the framing and the structure is clean. The buyer takes the patents and the source. The seller keeps the customers, the revenue and the going concern, and rents back the right to use what it just sold. No financial terms are disclosed. The transaction is expected to close in the second half of CrowdStrike's fiscal year 2027 and remains subject to regulatory approval.
This is how you buy a capability without buying a business. It is a legitimate and increasingly common shape. It is also a shape that leaves the acquired company's customers in a position most of them have never had to price.
The question an XM Cyber customer now owns
If you are running XM Cyber for exposure management and attack path analysis, nothing changes on your invoice, and that is precisely why this is easy to miss. The company you contracted with continues. Your renewal arrives from the same vendor. Support answers the same phone.
What changed is underneath. Your vendor no longer owns the source code of the product you run, and its right to keep shipping that product now derives from a licence granted by a company that sells a competing platform. Every question you would normally ask about roadmap, about which features get built, about how long a product line stays supported, now has an additional party in the answer, and that party is not on your contract.
The practical instruction is narrow and worth doing before the deal closes rather than after. At your next renewal, ask the vendor to state in writing who owns the intellectual property in the product, what the term and scope of any inbound licence is, what happens to your deployment if that licence lapses or is not renewed, and whether source code escrow is available. These are ordinary procurement questions. They are simply questions that did not previously have interesting answers for this product.
Sovereignty in the framing, transfer in the structure
The deal is wrapped in the language of European independence, and part of that wrapping is real. A phased roadmap will deliver Falcon on STACKIT, sovereign cloud infrastructure operated within the European Union. The release names the EU Cyber Resilience Act and NIS2 as the regulations raising the bar for operators of critical infrastructure in Europe. For a regulated European enterprise, running a leading security platform on EU-operated infrastructure is a genuine improvement on running it elsewhere, and data residency is not nothing.
But sovereignty claims should be tested against ownership, not against hosting. The residency of the servers is improving. The ownership of the intellectual property is moving in the other direction: more than 45 patents and the source code of a European group's security company transfer to a US vendor, and the European company continues on a licence from the acquirer. Both of those things are true at once, and only one of them is in the headline.
The useful lesson generalises past this deal. When a vendor offers you sovereignty, establish which layer it applies to. Sovereign hosting tells you where the data sits. It does not tell you who owns the code, who can withdraw the right to run it, or which jurisdiction's company holds the patents. Those are separate questions with separate answers, and a deal can improve the first while quietly reversing the third.
Read next: Europe Gets S3 Storage That Skips US Clouds | Your Sandbox Was Attacked a Month Before the Warning



