---
title: BT and CrowdStrike are now selling AI cybersecurity to UK SMBs. Six questions to ask first.
description: BT and CrowdStrike announced a UK partnership in October 2025 that puts AI-led cybersecurity into the hands of small businesses through a single bundled contract. The pitch is reassuring. The contract is not. After 120 AI projects across 15 industries, here are the six questions any UK SMB owner should ask before signing, plus a short FAQ on what the partnership actually delivers and where it lands you on the wrong side of UK GDPR.
canonical: https://richardbatt.com/blog/bt-crowdstrike-ai-cybersecurity-uk-questions
date: 2026-05-05
author: Richard Batt
tags: [AI Cybersecurity, BT, CrowdStrike, UK Business]
type: blog_post
---

# BT and CrowdStrike are now selling AI cybersecurity to UK SMBs. Six questions to ask first.

_BT and CrowdStrike announced a UK partnership in October 2025 that puts AI-led cybersecurity into the hands of small businesses through a single bundled contract. The pitch is reassuring. The contract is not. After 120 AI projects across 15 industries, here are the six questions any UK SMB owner should ask before signing, plus a short FAQ on what the partnership actually delivers and where it lands you on the wrong side of UK GDPR._

**Richard Batt** — AI implementation specialist. 120+ projects across 15+ industries, serving SMBs (5-200 employees) worldwide from Middlesbrough, UK. Contact: richard@richardbatt.com · https://richardbatt.com

In October 2025, BT and CrowdStrike announced a UK partnership that bundles CrowdStrike's AI-led security platform into BT's small business connectivity products. The headline pitch is straightforward. A telco you already pay every month, a tier-one security platform you have heard of, AI doing the threat detection, one contract. For a 30-person firm with no in-house security team, that sounds like a relief.

It might be a relief. It might also be a five-year lock-in to a contract you didn't read carefully. After 120 AI projects across 15 industries (and a lot of conversations with the same SMB owners six months after they signed something), the pattern is consistent. Bundled AI security deals are rarely as bad as the cynics say. They're rarely as good as the brochure says either. The difference between the two is the questions you ask before you sign.

Here are the six.

## What's actually AI in this product, and what's marketing?

Most "AI cybersecurity" products bundle three things: a behaviour-analytics layer (a model watching traffic and flagging anomalies), a threat-intelligence feed (real-time updates on new attack patterns), and a response automation layer (the system blocking the IP, the file, the user). Some of those are genuinely model-driven. Some are rules with a model on top.

Ask the salesperson which specific tasks the AI performs that a fixed-rules product wouldn't. Ask which task the AI does better than a senior analyst would. Then probe what happens when the AI is wrong. If you can't get a concrete answer to all three, the AI is mostly a logo on the brochure.

## What's the data residency story?

CrowdStrike runs telemetry on every endpoint. That telemetry is data, and under UK GDPR you need to know where it's stored, who can access it, and on what lawful basis. The default architecture moves telemetry to CrowdStrike's cloud, which historically has had US infrastructure in the loop.

For a UK SMB selling to public-sector buyers (the NHS, councils, the Ministry of Justice), data leaving the UK or the EEA is a contracting issue. Some buyer frameworks reject it outright. Ask your BT account manager for the data flow diagram in writing. If they cannot produce one in a fortnight, that itself is the answer.

## What's the lock-in shape?

Bundled telecoms-plus-security contracts in 2026 typically run three to five years with auto-renewal clauses and meaningful early-termination charges. The salesperson will frame the term as a discount lever, and it is one. The catch is that AI security tooling is moving fast, so a three-year minimum locks you out of switching to a better product if one shows up in 18 months.

Read the renewal mechanics carefully. A 90-day notice window before auto-renewal is reasonable. A 30-day window or no window at all is not. And ask explicitly whether your data (SIEM logs, threat-detection rules, configured policies) is portable at the end of the term. If it isn't, the lock-in is total.

## What's excluded from the cover?

Every cybersecurity product has exclusions, and the exclusions in AI-led products tend to be specific. Ransomware response over a certain incident size. Insider threats originating from a privileged user. Threats targeting specific cloud services not on the supported list. Phishing originating from a service the platform doesn't monitor.

Ask for the exclusions list in writing before you sign. If the contract references "industry-standard exclusions" without listing them, that's a red flag. The list is short, knowable, and your lawyer will read it in 20 minutes.

## What's the incident response time, and who shows up?

The brochure will say "24/7 response." The contract will define what response means. Some bundles include a CrowdStrike Falcon Complete-style managed service where a human analyst triages the alert and contains the incident. Others give you a dashboard alert and a phone number to call.

Ask for the response service level agreement (SLA) in writing. Then ask the median time from incident to human response in the last six months for SMB-tier customers. And clarify whether the contracted response is from CrowdStrike directly or from a BT-employed analyst. The difference matters when you're at hour three of a live incident.

## What are the exit terms?

Three years from now, you might want a different security product. Or BT might change the bundle. Or CrowdStrike might be acquired and the platform might shift. Each of those scenarios has a different impact depending on what your contract says about exit.

Ask the four exit questions explicitly. What's the early termination charge if you leave at month 18? At month 30? Is your data portable to a competitor's product? Do BT-supplied endpoint agents keep functioning during a transition window, or do they switch off the moment notice is served? The answers to those four questions are the difference between a clean exit and a six-month gap with no security cover.

## A 30-person services firm I worked with last quarter

A professional services firm in the North-East signed a similar bundled product in 2024 (different vendors, same shape of contract). They didn't ask the data residency question, the lock-in question, or the exit question. By month 14, they'd been told their telemetry was sitting in a US-region data centre. They needed to win a public-sector contract that prohibited that. They wanted to switch products. The early-termination charge was £18,000 against an annual fee of £14,000.

They didn't switch. They built a workaround in their architecture instead, paid for two AI compliance audits, and accepted that the cheaper-on-paper bundle had cost them around £30,000 of indirect spend. The mistake wasn't picking a bad product. The product is fine. The mistake was not asking the six questions.

## How to use this list before you sign anything

Print the six questions. Take them to the BT account manager or the CrowdStrike rep before the demo. Ask each one. Get the answers in writing. If they can't answer a question without "letting me check with the team," fine. Wait for the email. The good salespeople will appreciate the rigour because it shortens the sales cycle. The salespeople who push back are telling you something useful.

You don't need a security consultant to ask these questions. You do need to ask them. The bundled-AI-cyber-product market in 2026 is good enough that most reasonable contracts pass the test on most questions. The point is to know which ones they fail on, before you sign rather than after.

## Frequently asked questions

**Is the BT and CrowdStrike bundle a bad deal for UK SMBs?**

No, the bundle is a reasonable starting point for a small firm with no in-house security team. The tooling is real, the response service exists, and the price point is competitive. The risk is in the contract structure, not the technology. A 30-person SMB asking the six questions in this post is well-placed to negotiate the parts that don't fit.

**Do I need a separate AI policy if I'm using CrowdStrike's AI features?**

Yes. Any UK SMB using AI on systems that touch personal data needs a data-protection impact assessment (DPIA) and a clear AI policy that covers vendor approval, data-classification rules, and human oversight on automated decisions. The CrowdStrike contract is one input to that policy. It doesn't replace it.

**What's the alternative to a bundled BT and CrowdStrike contract?**

The honest alternative for an SMB is one of three: a different bundled product (Cisco's Meraki plus Umbrella, Microsoft's Defender for Business inside the existing Microsoft 365 estate), a managed security service provider buying the same tooling on your behalf with a flexible contract, or a slim DIY stack with a part-time outsourced security adviser. Each has its own trade-off. None is obviously wrong.

## What to do this week

If a BT or CrowdStrike rep is in your inbox, ask them the six questions and ask for the answers in writing before the next meeting. If you've already signed and are on month two of a five-year term, pull the contract and read the exit terms now, not in year three. And if you want a structured way to look at AI compliance and vendor risk together, the AI Roadmap audit at richardbatt.co.uk/roadmap covers vendor due diligence as part of the assessment.

The bundled cybersecurity contract isn't the enemy. The unread bundled cybersecurity contract is.
