Cloud Security: Announcements from Fal.con 2025
Executive summary
CrowdStrike continues to round out its security platform, most recently addressing the need to gather insight into AI usage/data flows and distribute platform telemetry to all systems and stakeholders that need it. Recent acquisitions of Onum and Pangea bring those capabilities into the Falcon platform without having to rely on third-party solutions.
As with any conference in 2025, AI took center stage. CrowdStrike is focusing its AI efforts on lowering work effort and securing AI from both the user and application data flow perspectives. CrowdStrike also believes in allowing customers to choose the level of autonomy Charlotte (their AI) operates with and the model being used to analyze threat intel during investigation.
CrowdStrike does not acquire technology lightly, nor do they open their platform to just any first-party data source, which may create integration concerns. They are purposeful in how they grow the Falcon platform to ensure data points are analyzed as close to real-time as possible to stop threats, not just react to them. In the age of AI, prevention is more important than ever.
On the surface, Fal.con 2025 appeared to be light on cloud security announcements as AI and agentic advancements took center stage. Looking deeper, we uncover the acquisitions, integrations, new data sources and visibility techniques that will power the next generation of Falcon Cloud Security (FCS).
Approach to cloud security
CrowdStrike's most recent threat report data reveal a 136 percent increase in cloud intrusions during the first half of 2025, compared to last year. The average time for these attacks to break out, or progress to lateral movement, has dropped to just over two minutes, with more advanced attacks coming in under a minute.
The perception of SaaS cloud environments is that the provider is securing everything, and the customer's only concern is configuring their piece of the application. This is a result of misleading industry "markitecture" designed for quick purchasing decisions and migration. In fact, SaaS platforms are often the entry point for further attacks. When you mix the fact that these applications are always on and available globally with the SaaS provider's goal of maximum uptime for a shared tenant environment, there is little the provider can do to prevent identity-based attacks.
Once an attacker gains access via a human or non-human identity, they will use those credentials (often session tokens or API secrets) to pivot to a SaaS-based data store or an IaaS/PaaS environment. Most attacks and lateral movement in these cloud environments are not malware-based. Bad actors use standard host actions that appear to be normal sysadmin functions to escalate privileges instead of calling C2 systems. But when these actions are looked at through another lens, they become malicious; this is where the Falcon platform comes into play.
Falcon Cloud Security and the Falcon platform monitor the customer's entire attack surface: code, container images, IaaS and PaaS configurations, SaaS application configuration, including third-party apps and API access, identities and behaviors, application posture, data flows, and AI usage to stop adversaries with threat intelligence.
Cloud, SOC and AI agents working together
Falcon Cloud Security's capability to monitor a customer's attack surface through agent and agentless, real-time scanning of hybrid and multi-cloud environments is not a new development. However, the recent acquisition of Adaptive Shield (now FalconShield) for monitoring SaaS applications, as well as this week's announcement of the Pangea acquisition for monitoring and enforcing employee AI prompts, AI applications and the usage of shadow AI, enhances Falcon's visibility and provides much-needed context for Charlotte AI to make high-confidence, risk-based prioritizations.
The goal is to close the loop between DevOps, cloud security and SOC teams. The first is heads down, proactively building application code, the second is designing secure cloud bricks and patterns, and the third is responding to threats. Falcon accomplishes this through cross-domain visibility, using the capabilities mentioned above, to track machine and human identities, endpoints and cloud environments to get a complete posture assessment. The gap begins to close when the teams leverage Charlotte AI to comb through all events and data, analyzing complex detections with an agentic response and then triggering remediation workflows using Fusion.
This collaboration allows teams to make business-aware decisions by prioritizing risks with multiple levels of context and ensuring that work effort aligns with organizational goals. Further enhancing collaboration is the democratization of easily consumable, real-time compliance reports measured against over 70 out-of-the-box frameworks that customers do not have to "opt-in" to use.
Falcon Cloud Security (FCS) announcements
Cloud service providers (CSPs) continually innovate to meet customer demand. CrowdStrike is in lockstep with the CSPs, keeping up with their enhancements as well as raising the bar on how to monitor and prevent malicious behavior in these environments. Several new FCS features were announced at Fal.con, specifically tailored to reducing mean time to respond (MTTR) with next-gen cloud detection and response.
Cloud Agent Deployment Wizard
Deployment of cloud agents (in any platform) can be difficult; CrowdStrike aims to improve that with a wizard directly accessible from the Falcon platform. Security and Ops teams can choose a target, such as a virtual machine, self-hosted k8s, or hosted/managed k8s, and FCS will generate a custom deployment script for that target host and the cloud environment.
Visibility beyond APIs
APIs are the quick and easy way to gain visibility into a cloud environment. They require no installation of agents, no modification of underlying infrastructure or architecture, and only an API key and an appropriately permissioned role. While great for an immediate posture assessment, this approach does not provide real-time visibility.
All of the CSPs rate limit API connections from cloud security platforms so that polling cannot overwhelm the APIs and lock out paying customers. As such, platforms like FCS can only poll CSPs on an interval. This is valuable, especially for ongoing configuration drift detection, but for CrowdStrike, a company that prides itself on preventing attacks and not just responding, this is not enough visibility.
To gain visibility into the events that occur between API pulls, FCS now natively ingests logs from the CSPs, processes them and uses that data to inform detections and attack paths. This is all done in near real-time for all cloud components and k8s platforms. Customers no longer have to ingest logs into NGSIEM for this visibility and event correlation. Now, this telemetry is correlated directly in FCS for immediate risk assignment and response action workflows, saving the customer time and money (data ingestion cost).
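To illustrate the gap between API pulls described above, the following added example (not CrowdStrike's code; the event fields, function names and the 5-minute poll interval are assumptions) replays constructed audit events for one security group and compares what interval snapshots report with what the event stream shows.

```python
# Constructed audit events for one security group: (epoch_seconds, action, cidr).
# Field names and values are made up for this example, not a CSP log schema.
EVENTS = [
    (100, "AuthorizeIngress", "10.0.0.0/8"),
    (310, "AuthorizeIngress", "0.0.0.0/0"),   # opened to the internet
    (420, "RevokeIngress", "0.0.0.0/0"),      # closed 110 s later
]
POLL_TIMES = [0, 300, 600, 900]               # assumed 5-minute API polling interval
OPEN_CIDR = "0.0.0.0/0"


def state_at(events, t):
    """Ingress rules a configuration API call would return at time t."""
    rules = set()
    for ts, action, cidr in sorted(events):
        if ts > t:
            break
        if action == "AuthorizeIngress":
            rules.add(cidr)
        elif action == "RevokeIngress":
            rules.discard(cidr)
    return rules


def polled_findings(events, poll_times):
    """Poll times at which the snapshot shows the group open to the internet."""
    return [t for t in poll_times if OPEN_CIDR in state_at(events, t)]


def event_findings(events):
    """Exposure windows (start, end) seen in the event stream; end is None if still open."""
    windows, opened = [], None
    for ts, action, cidr in sorted(events):
        if cidr != OPEN_CIDR:
            continue
        if action == "AuthorizeIngress" and opened is None:
            opened = ts
        elif action == "RevokeIngress" and opened is not None:
            windows.append((opened, ts))
            opened = None
    if opened is not None:
        windows.append((opened, None))
    return windows


if __name__ == "__main__":
    print("polling saw exposure at:", polled_findings(EVENTS, POLL_TIMES))
    print("event stream saw windows:", event_findings(EVENTS))
```

The exposure opens and closes entirely between the polls at 300 s and 600 s, so every snapshot looks clean while the event stream records the full window.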
Unified asset timeline
Building on the new native cloud event ingestion capabilities, FCS now maps an asset's complete history on a timeline. Customers can pull up any asset in their cloud environment and instantly get a visualization of its instantiation and configuration changes by time/date stamp, overlaid with resulting health impacts and if/when the changes result in an attack path. Customers can further zoom out from a deep asset view to look at the totality of what is happening in their environment.
AI-SPM
CrowdStrike's capabilities around monitoring CSP-hosted AI services were announced last year at Fal.con. AI-SPM monitors AI services and LLMs deployed in the cloud, detects misconfigurations, and identifies and addresses vulnerabilities to ensure that applications built to leverage these services are complying with the organization's policies. However, these capabilities are now table stakes.
Through acquisitions over the years, including Bionic and Flow, CrowdStrike has improved visibility into where data flows, its lineage, and all the processes being used along that path. This increased visibility enables FCS to detect and prevent GenAI data leaks and identify areas where data modification is possible along the flow.
Now, with the acquisition of Pangea, Falcon will gain visibility into the agentic side of data flows, adding prompt analysis to FCS. This will provide insight into prompt injection through the use of an in-line data tap. Again, the focus is on preventing injection and identifying which processes can inject themselves into the prompt process.
Conclusion
From a cloud security perspective, CrowdStrike continues to expand beyond its EDR roots, and in that respect, Fal.con was another big hit. Through the shine and polish of a great event, looking at this year's announcements through a lens of past announcements and acquisitions, it becomes clear what CrowdStrike is marching towards: complete visibility across the entire estate.
Prior to Fal.con 2025, our research revealed CrowdStrike's FCS is on par with all cloud security platforms in most of our customer-influenced categories of concern. In other areas, FCS has surpassed competitors. We are looking forward to seeing how Falcon Cloud Security's new enhancements further improve the mission of preventing attacks in cloud-hosted applications, including those driven by AI.