The State of Cloud Security: As Told by CrowdStrike
At the beginning of 2025, CrowdStrike released the most recent version of its annual Global Threat Report. The overarching theme of this year's report is that adversaries are becoming more efficient and more "business-like." They are acting in ways that attempt to replicate normal traffic flows to fly under the radar. They are also learning from each other, copying strategies that have been successful for other threat actors. CrowdStrike has provided evidence that this is especially true in the cloud.
Scattered Spider is an infamous cybercriminal group that typically targets large enterprises and has been responsible for major breaches in recent years. The group also happens to have a special skill set in compromising cloud environments. According to CrowdStrike, Scattered Spider contributed to 30% of all cloud-related cyber attacks in 2023, a large percentage originating from just one group. That number has since decreased, but not because Scattered Spider has spent less time in the cloud. In fact, there have been several high-profile attacks this year that the group has been responsible for. But they are now inspiring others to follow their lead. Other groups are mimicking the strategies of Scattered Spider, taking advantage of tactics that have been proven to be successful. This has led to a 26% increase in new and unattributed cloud intrusions from 2023 to 2024.
Because threats are increasingly being hidden in plain sight, enterprises need strong threat detection and behavior analytics to identify anomalous activity. And that's where CrowdStrike puts its research into action.
Falcon Cloud Security
Falcon Cloud Security (FCS) is a solution built to stop the threats CrowdStrike has uncovered in the cloud realm. CrowdStrike offers FCS Runtime Protection (CWP and CDR) and FCS Proactive (CSPM, CIEM, ASPM, AI-SPM and DSPM), as well as a full CNAPP option that combines both.
| Capability | Runtime | Proactive | CNAPP |
| --- | --- | --- | --- |
| Cloud Workload Protection (CWP) | X | | X |
| Cloud Detection and Response (CDR) | X | | X |
| Cloud Security Posture Management (CSPM) | | X | X |
| Cloud Infrastructure Entitlement Management (CIEM) | | X | X |
| Application Security Posture Management (ASPM) | | X | X |
| AI Security Posture Management (AI-SPM) | | X | X |
| Data Security Posture Management (DSPM) | | X | X |
FCS Runtime Protection
CrowdStrike's Cloud Runtime Protection provides both detection and prevention of malicious activity, backed by over a decade of success. Threat detection and response is often seen as CrowdStrike's biggest strength, particularly in the Endpoint Detection and Response (EDR) realm, using the Falcon sensor. That same sensor is deployed on cloud VMs and Kubernetes workloads to perform CWP and CDR. This means customers can use the same sensor, monitor from the same console, and don't have to learn a new management console for their cloud security tool. Additional technologies have been added to complement Kubernetes, such as an option to run the sensor as a sidecar and a Kubernetes Admission Controller, to ensure compatibility with the unique architecture of Kubernetes and adapt to cloud-native technologies.
FCS Runtime Protection provides real-time threat detection and response on cloud workloads, backed by industry-leading threat intelligence and proprietary ExPRT.AI scoring, used to qualify the accuracy, severity, and overall prioritization of detections. CrowdStrike identifies threats based on Indicators of Attack (IOA), focusing on malicious behavior. With the Falcon sensor, IOAs can be blocked before they ever have the opportunity to cause any harm.
FCS Proactive
As I mentioned in The State of Cloud Security, Part 2: Breaking Down CNAPP, cloud security tools gained speed with the emergence of agentless scanning, due to the need to gather data from every corner of increasingly large cloud environments. CrowdStrike has answered this with FCS Proactive. CrowdStrike identifies Indicators of Misconfiguration (IOM) across major cloud platforms such as AWS, Azure, and OCI. IOMs can be discovered across the cloud management plane, including general configurations, identities and entitlements, certain data stores, and AI services such as AWS Bedrock and AWS SageMaker. FCS Proactive will then correlate those IOMs to validate compliance based on many of the most prominent industry and regulatory frameworks.
One of CrowdStrike's differentiators in this area is its ASPM, which provides deep visibility into the application itself, including application-specific IOMs, data privacy concerns, risk posture, and an entire architecture buildout of all services, APIs, dependencies, and data flows within the application. With Falcon Proactive, CrowdStrike supports more of a shift-left mentality. Its ASPM, along with container image and IaC scanning, enables tool consolidation and encourages better collaboration across teams.
Bonus: SaaS Security
According to its research, CrowdStrike has also noticed an uptick in attacks against SaaS instances, especially as a medium for lateral movement and supply chain attacks. Even though it is not included in the CNAPP offering, it is still important to mention CrowdStrike's new SaaS Security Posture Management (SSPM) platform. Falcon Shield, previously called Adaptive Shield, monitors your most used SaaS and GenAI platforms with capabilities such as posture hardening, threat detection, shadow IT discovery, user access controls, data exposure prevention and more.
Conclusion
CrowdStrike's investment in cloud security reflects the increasingly sophisticated tactics of threat actors. The threat landscape continues to grow, and adversaries are finding better ways to hide within it, especially in an ecosystem as vast as the cloud typically is. Falcon Cloud Security supports a consolidated cloud security strategy within the same platform as the rest of CrowdStrike's portfolio. This is important when visibility is needed in the deepest parts of your environment.
Please reach out if you have any questions or want to learn more about Falcon Cloud Security!