How to Resell CrowdStrike Device Protection with BT - BT Business Antivirus Detect and Respond

CrowdStrike is one of the most recognised names in enterprise endpoint security, by utilising BT's reseller channel, CrowdStrike Falcon is now accessible to SMB customers through BT Business Antivirus Detect and Respond (BADR). For UK resellers, BT Business Antivirus Detect and Respond is BT's productised version of Falcon at £4.99 per device per month, designed to sit alongside BT Business Broadband (Essential, Enhanced or Pro) and BTnet, all consolidated onto the same BT bill. In Netify's view, BADR is the strongest CrowdStrike resell route into the UK SMB market, and specifically the natural cross-sell for any reseller already selling BT Business products but also any other vendor's broadband offerings, making it an ideal solution for the SMB market which is significantly underserved on device protection.

This guide covers what the product is, how it works, who it is best suited to, how to have the sales conversation, and what to expect from the reselling process.

What is BT Business Antivirus Detect and Respond?

BADR is an endpoint security product - which focuses its protection capabilities on the individual devices themselves, rather than the network connection (like in BT's Meraki and Fortinet SASE offerings). This means that it sits on a laptop, a mobile phone, a tablet or a server and monitors what is happening on that device in real time, looking for signs that something has gone wrong and keeping crucial devices safe from threats.

The product is powered by CrowdStrike Falcon, which is one of the most recognised names in enterprise endpoint security. CrowdStrike was named a Leader in the 2024 Gartner Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive time, ranked highest for both Ability to Execute and Completeness of Vision and BT delivers Falcon through a managed service that adds UK-based support (and consolidated billing for pre-existing BT customers).

Where BADR differs from traditional antivirus products is in how it detects threats. Legacy antivirus works from a list of known threats, a signature database, and checks incoming activity against that list. If a threat is not on the list, it gets through - however, BADR (and the underlying CrowdStrike Falcon) works differently. For BADR, A lightweight sensor is utilised, placed directly on the device and monitors behaviour in real time, sending telemetry to the cloud for AI to analyse and provide the relevant instruction (if action is required). Given this use of the cloud, there is no performance impact on the device, no scheduled scan and no dependency on a vendor pushing out a database update before the product can respond.

And in practical terms, this can be significantly impactful (especially for SMBs) for multiple scenarios. The first of these being ransomware, in which BADR detects encryption behaviour at the process level, meaning it identifies what the malware is doing as it starts and prevents the process before the encryption has spread. This is much more effective than traditional antivirus, which by contrast, typically acts at the file level and can only contain damage after some files have already been affected. Secondly, BADR is optimised to detect and prevent threats created using AI tools, which by definition do not exist in any signature database and therefore bypass signature-based products entirely - again an improvement on traditional signature-based antivirus. 

How does BADR fit into the wider BT security portfolio?

BT splits its security products around two outcomes: securing connectivity and securing devices + data. Given this, BADR sits in the second category, alongside the likes of Complete Cloud Secure, Security Awareness Training, as well as the legacy McAfee antivirus product that BADR is effectively designed to replace in BT's product range.

We'd recommend utilising this split when discussing the product with customers - in our experience the most common objection we see in conversations like this is that the business 'already has Wi-Fi security or a firewall' and therefore feels covered - but it's important for them to recognise that BADR is entirely separate and protects at the device level, protecting it wherever it goes. A member of staff working from a coffee shop, a hotel or a client site is not behind any of that network protection, but they are still under the same threat exposure. The device itself needs its own layer.

Further to this, BADR is connectivity-agnostic. It does not require the customer to be on a BT broadband or BTnet product. This removes what would otherwise be the most obvious barrier to the conversation and means the full breadth of a reseller's customer base is in scope.

What does BADR actually protect?

One of the key questions customers will want answered is about which devices can be covered - BADR supports the following device types and operating systems:

• Windows laptops and desktops
• macOS
• Linux
• Android mobile devices and tablets
• Apple iOS mobile devices and tablets
• Servers 

It's worth noting the exclusion of support for the likes of Chromebooks, EPOS or point-of-sale systems, which mean that customers (especially from the retail or hospitality sectors) should only be factoring in devices that can actually make use of the product, though for the majority of SMB environments this will not be a limiting factor but is always worth confirming before quoting.

Alongside core protection capabilities, BADR includes enhanced device control, allowing administrators to lock down USB ports and prevent unauthorised data transfers onto or off the device, making it particularly marketable to customers handling sensitive data, financial records or customer information, being a unique driver for regulated industries where these kinds of features can assist with compliance.

Customers also get access to the CrowdStrike Falcon Portal, a centralised management console where they can view all protected devices, review alerts and detections, and manage notifications. BT provides supporting how-to guides and a dedicated support number for customers who need help interpreting what they are seeing in the portal.

Who is the right customer for BADR?

Of the three BT device security tiers, Netify rates BADR as the right fit for resellers targeting BT customer estates between 10 and 249 devices, where BT's Managed EDR is unjustified on price and complexity, and BT's legacy McAfee product is no longer adequate against AI-generated threats. The strongest single-customer fit is an existing BT Business Broadband or BTnet customer with hybrid staff and data that would cause commercial or reputational damage if compromised.

Customers already running BB Essential, BB Enhanced, BB Pro, BTnet, BT Cloud Voice or Complete Cloud Secure are the natural BADR cross-sell. The reseller already holds the BT account relationship. BADR is added as a line on the existing BT bill, with no new supplier onboarding and no separate billing relationship to manage.

In our opinion, BT BADR is well suited for businesses of all sizes but can be especially useful for SMBs where security may not be as developed as large organisations - for example, BT typically positions it as an ideal solution at one to 250 employees, though they also note that their partner channel has seen deployments well above that range. As of current though, the average deployment size is typically around two to three devices per customer, which reflects the reality that most business users have a laptop and a mobile device (with both needing to be covered).

In our experience, the strongest prospects are businesses that:

• Handle customer data, financial records or personal information
• Have staff who work remotely, from client sites or on the move
• Are currently running legacy antivirus (or nothing at all)
• Sit in professional services, retail or hospitality
• Have ten or more staff, though smaller businesses are absolutely in scope 

It is also worth noting that BADR can be sold to businesses that already have, but need to replace an antivirus - if a customer has existing device security software, the recommendation is to switch it off before deploying BADR, since running two agents simultaneously is not recommended. Often this will be in relation to a legacy/traditional antivirus, such as BT's previous McAfee (or another signature-based product), that offers much less capabilities than BADR.

Pricing

For BT-aligned resellers, BADR's pricing structure is built for cross-selling, with BADR priced at £4.99 per device per month and licences are per device, not per user - this means that a member of staff with a laptop and a mobile phone requires two licences. These also come in the form of 12 month, 36 month or 60 months, as well as being consolidated onto the standard BT bill, alongside any existing BT connectivity or other services. For customers already holding a BT account, this can be beneficial as it simplifies the commercial relationship and avoids introducing a separate bill for network products.

When discussing these prices, it may also be worthwhile discussing with customers that these prices are relatively modest numbers in the context of what a single ransomware incident costs, therefore offering a small cost for a pro-active approach. 

How to have the sales conversation

In Netify's view, BT-aligned resellers should approach BADR conversations with existing BT customers question-first, not product-first. The customer already trusts the BT account relationship. The goal is to surface the device-layer gap rather than introduce a new supplier. Once they have done that, the product sells itself more naturally.

The questions that tend to work well are:

•   Are you using AI to defend against AI-powered attacks? Only 11% of SMBs currently do.
• What would happen to your business if ransomware locked all your computers tomorrow?
• Do your staff work from home, client sites or coffee shops where networks or WiFi may not be offering any protection?
• Have you thought about what a data breach would cost you, commercially and reputationally? 
• Are your devices covered everywhere they go, or only when they are connected to your BT Business Broadband or BTnet line?

With this, customers typically realise the risks their businesses face on their own and helps them to realise how alarming threats to their business actually are. Some of the stats that may back up how they feel about potential threats can include:

• 43% of UK businesses experienced a cyber breach in the last 12 months
• Only 11% of SMBs use AI-powered defences
• Ransomware attacks doubled in the last year, affecting 19,000 UK businesses
• 60% of SMBs that suffer a serious cyberattack go out of business within six months. 

Handling common objections

What does the reselling process look like?

For BT-aligned resellers, the BADR order route is the same BT partner channel used for BB Essential, BB Enhanced, BB Pro, BTnet and BT Cloud Voice. There is no new supplier onboarding, no separate billing relationship, and BADR drops onto the customer's existing BT account. According to the BT 2026 SMB Security Roadshow, BADR is live in approximately one hour per customer.

Once a customer agrees to proceed, the commercial process runs through BT's standard partner ordering route and the product is billed through the BT account (no separate billing relationship).

After an order is placed, the customer receives two communications, the first being a BT order confirmation and the second, an activation email from CrowdStrike, prompting the customer to download and install the Falcon sensor on each device. To ensure this isn't missed, it is worth flagging this to customers in advance, since protection is not active until the sensor is installed and customers can miss the second email if they are not expecting it.

Support

BT provides a 24/7 support wrap around the CrowdStrike product, covering phone, online and chat. There are over 3,500 security experts in BT's team, alongside online self-diagnosis tools and a service queue jump for security incidents. Customers also get planned outage and maintenance notifications, and the whole service sits on a single BT bill and account.

The support wrap is, in our view, the most significant differentiator between buying CrowdStrike direct and buying it through BT (especially considering the actual underlying technology is the same). What BT adds is the service layer around Falcon, which includes their UK-based support, how-to guides built specifically around the SMB use case and the consolidated billing relationship that many smaller businesses find much easier to manage.

In Netify's analysis, the BT support wrap is the strongest reason for resellers to route SMB CrowdStrike sales through BT rather than going direct to CrowdStrike. The Falcon technology is identical either way. What BT adds is 24/7 UK-based support, consolidated billing alongside existing BT services, SMB-shaped how-to guides, and the same account manager handling BT broadband, BTnet, BT Cloud Voice and BADR on a single relationship.

Is BADR enough on its own, or does it sit alongside SD-WAN and SASE?

This is a question that comes up in conversations where a customer is already using, or considering, BT's SD-WAN products through Cisco Meraki or Fortinet. The short answer is that BADR and SD-WAN or SASE address different layers of the security architecture and are not substitutes for one another - if you're interested in a deeper look into our BT SD-WAN & SASE comparisons, see this article.

SD-WAN is a networking technology which optimises how traffic moves across a wide area network and, depending on the vendor, includes varying levels of network-level security - BT offer SD-WAN that utilises either Cisco Meraki or Fortinet as the product base, each with their own use cases. Fortinet's FortiGate, for example, includes a full Next Generation Firewall as a native component, whereas Cisco Meraki integrates with Cisco Umbrella for DNS-layer and cloud security. Both are meaningful products at the network layer, though neither extends protection to the device itself.

For greater insight, SASE builds on SD-WAN by adding cloud-delivered security services including Zero Trust Network Access, Secure Web Gateway and Cloud Access Security Broker. Though, again, even with a full SASE stack in place, the endpoint layer remains a separate concern, meaning that a phishing email that delivers a payload directly to a device or a compromised USB drive, are not necessarily stopped at the network perimeter.

This also adds another layer of framing for customers that are considering SD-WAN/SASE alongside BADR, in which resellers can confirm that these layers work together, not instead of each other.

• A customer with Meraki or Fortinet SD-WAN has addressed connectivity performance and network-level security.
• BADR closes the endpoint gap that those products leave open.

In fact, some SASE platforms integrate directly with CrowdStrike's Falcon Zero Trust Assessment, adjusting network access policies dynamically based on the security posture of the endpoint - with this reflecting the direction the market is moving: endpoint security and network security are increasingly expected to talk to each other.

What BT provides to resellers

BT makes a range of enablement materials available through the partner portal, including data sheets, battle cards, objection handling guides, product comparison sheets and customer scenario materials. In Netify's view, this is worth considering during live customer conversations - building around the objections resellers actually encounter, including the common assumption that an existing firewall or Wi-Fi security product already covers endpoint risk.

Decision trees for identifying the right security product for each customer type are also available and we would suggest working through these before approaching any prospect with more than 20 devices. At that size, the question of whether BADR or BT's Managed Endpoint Detection and Response is the right fit becomes relevant and the decision tree is the fastest way to get to the right answer before the customer asks.

Our recommendation

BADR is, in our view, a strong product at an accessible price point, utilising the product of an industry leader in CrowdStrike, whilst also being wrapped in a service layer provided by BT.

The biggest opportunity is with SMBs that are currently running legacy antivirus or nothing at all, have staff working outside the office and handle data that would create real commercial or reputational damage if compromised - with the trade-off for upfront cost versus potential cost if ransomware was to take effect being evident.

Resellers already selling BT Business products should treat BADR as a default cross-sell - therefore, for resellers already selling the likes of BT Broadband or BT Cloud Voice, we'd recommend BADR as a low-friction add-on to most connectivity conversations, especially where the customer already has billing from BT. However, for those approaching BADR as a standalone security sale, the connectivity-agnostic nature of the product means the addressable market is effectively every SMB in the country with devices that connect to the internet.

Harry Yelland

Cybersecurity Writer

Harry holds a BSc (Hons) in Computer Science from the University of East Anglia and is ISC2 Certified in Cybersecurity (CC). He serves as a Cybersecurity Writer here at Netify, where he specialises in enterprise networking technologies. With expertise in Software-Defined Wide Area Networks (SD-WAN) and Secure Access Service Edge (SASE) architectures, Harry provides in-depth analysis of leading vendors and network solutions.

LinkedIn • Credly

Fact checked by: Robert Sturt - Managing Director, Netify

Frequently Asked Questions