CrowdStrike Technical Risk Assessments Reveal Common Exposure Patterns
CrowdStrike
Archived May 05, 2026
These in-depth reviews evaluate how security controls behave in production to identify the threats they see, block, and miss.
May 04, 2026
Jesse Vazquez - JJ Cranford | From The Front Lines
Every year, CrowdStrike Professional Services performs hundreds of Technical Risk Assessments (TRAs) across myriad industries, geographies, and business environments. These deep, hands-on reviews look at how security controls behave in production to evaluate the threats they see and block — and crucially, the threats they miss.
Exposure is constantly changing as organizations adopt new technologies and adversaries accelerate and explore new tactics. Because our team sees so many different environments up close, we have a lens into the patterns that put businesses at risk: the same misconfigurations, visibility gaps, and temporary exceptions continue to appear, and they map to the techniques modern adversaries use to move quickly and bypass detection. By analyzing these real-world findings, we’ve identified that the highest risk often resides in "silent" spaces — unmanaged assets and overlooked credential paths — where adversaries now operate with machine speed.
Addressing these systemic issues requires moving beyond tool acquisition and toward operational discipline. Our assessments reveal that securing the enterprise isn't just about having the right technology, but about gaining clarity into where risk lives. By closing the visibility gaps across critical areas, organizations can shift from a reactive posture to a proactive approach that disrupts the adversary’s path.
In this blog, we draw on a large sample of CrowdStrike Technical Risk Assessments to examine those patterns and highlight the most common issues quietly driving cyber risk. For security teams seeking to lower their risk profile, these are the areas to focus on to strengthen security posture.
Most Common Risk Patterns
Shadow AI: The Governance Gap Organizations Can't Ignore
Employees, developers, and SaaS platforms are deploying AI tools faster than security and policy teams can respond. From LLM-powered browser extensions to unapproved AI agents running in production, AI is proliferating outside sanctioned channels — and security teams often have no visibility into it. Unlike traditional shadow IT, shadow AI requires no installation, hides inside existing tools, and can silently route sensitive data to external models. In one recent CrowdStrike Services assessment, the client had zero approved agentic AI use but had agents running in production. In another, the approved inventory was off by 400. The risks are significant: uncontrolled data exposure, broken access permissions, unmonitored autonomous agent behavior, and no clear accountability.
Recommendations
Form a cross-functional AI committee to align business needs with security requirements
Deploy CrowdStrike Falcon® AI Detection and Response (AIDR) to surface shadow AI adoption and CrowdStrike Falcon® Exposure Management to inventory LLMs, agents, IDE extensions, and MCP servers
Use CrowdStrike Falcon® Cloud Security (AI-SPM), CrowdStrike Falcon® Shield, and Falcon AIDR to identify AI activity across productivity and communication platforms
Publish clear rules and a sanctioned list of approved models and interfaces
Define who can build and deploy AI agents, what they can access, and how their behavior is logged and terminated
Ensure staff understand the data exposure, compliance, and integration risks of unauthorized AI tools
External Attack Surface
The external attack surface refers to everything an adversary can see and access from the internet before they enter the target network. This includes:
Public-facing websites and applications
Domains and subdomains (including old or “test” ones)
Internet-exposed IP addresses and services
VPN gateways, remote access portals, and management interfaces
Cloud and SaaS services that can be reached directly from the internet
In our Technical Risk Assessments, we consistently find that this external footprint is larger and more exposed than security teams realize. Shadow IT, forgotten projects, third-party integrations, and misconfigured cloud services all expand the attack surface in ways that rarely show up in internal inventories.
Common issues we uncover include:
Unknown or “orphaned” assets that no one owns but are still live on the internet
Outdated software and configurations on public-facing systems
Overly permissive access to admin portals, APIs, and management interfaces
Inconsistent controls between on-premises and cloud, or between different business units
Each one of these gaps represents an opportunity for an adversary to gain initial access with minimal effort.
How Falcon Exposure Management Uncovers Risk
CrowdStrike Professional Services uses Falcon Exposure Management to uncover and validate these risks as part of the Technical Risk Assessment.
Falcon Exposure Management continuously discovers and maps internet-facing assets — domains, IP ranges, cloud services, and more — and correlates them with vulnerabilities, misconfigurations, and threat intelligence. This gives us a view of the external attack surface.
During a Technical Risk Assessment, our consultants:
Enumerate the organization’s external footprint using Falcon Exposure Management to identify known and unknown assets.
Prioritize exposures based on exploitability and adversary behavior, focusing on the paths real attackers are most likely to use.
Validate risk with hands-on analysis, confirming what an attacker could see and do from the outside.
Deliver clear recommendations outlining which issues to fix first and how to close high-risk internet-facing gaps.
The result is an evidence-based view of the external attack surface and a prioritized roadmap to reduce the risk of a breach starting from an exposed asset on the public internet.
Applications and Vulnerabilities
When we review applications and vulnerabilities during a Technical Risk Assessment, we rarely find a lack of tools. Most organizations have endpoint detection and response (EDR), vulnerability scanners, and patch management platforms. The challenge they most often face is the gap between finding issues and fixing them within a defined window.
The most common pattern we see is critical vulnerabilities on “managed” assets. Even on systems covered by endpoint sensors and vulnerability scanners, we routinely find critical-severity CVEs that have been open for weeks or months. These are often on business-critical servers and externally reachable systems.
Patching is often treated as best-effort instead of a measured commitment. Technical Risk Assessments frequently find organizations lacking clear, risk-based SLAs for remediation, or SLAs that exist on paper but aren’t tracked and enforced in practice.
Our recommendation is straightforward:
Establish explicit SLAs for vulnerability remediation based on severity, exploitability, and exposure — for example, internet-facing and business-critical assets are held to the tightest timelines.
Continuously measure against those SLAs so security and IT teams can see where patch debt is accumulating.
In a Technical Risk Assessment, our team uses Falcon Exposure Management to surface these high-risk CVEs on managed assets, show where SLA breaches are concentrated, and give you a prioritized, evidence-based plan to close the most dangerous gaps.
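To make the SLA recommendation above concrete, here is an added example (not CrowdStrike code and not Falcon output) that derives a remediation deadline from severity, exposure, and exploitability, then reports which findings are overdue and which owners carry the patch debt. The day counts, field names, and sample findings are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed base windows in days; illustrative values, not CrowdStrike figures.
BASE_SLA_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 90}

@dataclass
class Finding:
    asset: str
    owner: str
    severity: str
    first_seen: date
    internet_facing: bool = False
    business_critical: bool = False
    known_exploited: bool = False

def sla_days(f):
    """Tighten the base window for exposure, criticality and exploitability."""
    days = BASE_SLA_DAYS[f.severity]
    if f.internet_facing:
        days //= 2
    if f.business_critical:
        days //= 2
    if f.known_exploited:
        days = min(days, 3)
    return max(days, 1)

def breaches(findings, today):
    """(finding, days_overdue) for each open finding past its deadline, worst first."""
    late = [(f, (today - f.first_seen).days - sla_days(f)) for f in findings]
    return sorted((x for x in late if x[1] > 0), key=lambda x: -x[1])

def patch_debt_by_owner(findings, today):
    """Total overdue days per owner: where patch debt is accumulating."""
    debt = Counter()
    for f, overdue in breaches(findings, today):
        debt[f.owner] += overdue
    return dict(debt)

# Constructed sample findings (asset and owner names are made up).
TODAY = date(2026, 5, 4)
FINDINGS = [
    Finding("vpn-gw-01", "netops", "critical", date(2026, 3, 1), True, True, True),
    Finding("erp-db-02", "finance-it", "critical", date(2026, 4, 30), business_critical=True),
    Finding("wiki-int", "it-ops", "high", date(2026, 3, 20)),
    Finding("test-web", "netops", "medium", date(2026, 4, 1), internet_facing=True),
]
```

Running `breaches(FINDINGS, TODAY)` puts the internet-facing, business-critical VPN gateway at the top, which is the ordering the recommendation asks for.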
Accounts, Identity, and Configuration Hygiene
In almost every Technical Risk Assessment, we find identity hygiene issues create easy, high-impact paths for attackers. A few patterns repeatedly surface:
Noisy Remote Accounts on Home Networks
With today’s remote and hybrid workforce, many employees are accessing corporate resources from home networks that don’t have enterprise-grade security controls. In our assessments, we often see a small number of systems associated with remote workers generating a very high volume of login attempts.
These endpoints become magnets for credential stuffing and brute-force activity. Attackers repeatedly try username/password combinations against internet-reachable services, and nothing on the home Wi-Fi stops this activity at the perimeter. Without good monitoring and controls, this “background noise” can hide real compromise attempts and make it harder for defenders to spot malicious logins in time.
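The following added example (not from the original post) shows one way to cut through that background noise: count failures per endpoint, label each source by the shape of its attempts, and surface any successful login that follows a run of failures. The event tuple layout, thresholds, host names, and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict

FAIL_THRESHOLD = 20   # assumed tuning: failures before a source counts as noisy
MANY_USERS = 10       # assumed tuning: distinct accounts that suggest stuffing

def failures_by_host(events):
    """Failed-login count per endpoint, to find the few hosts producing the noise."""
    return Counter(host for _, host, _, _, outcome in events if outcome == "fail")

def classify_sources(events):
    """Label each (host, source) pair by the shape of its failed logins."""
    per_user = defaultdict(Counter)
    for _, host, src, user, outcome in events:
        if outcome == "fail":
            per_user[(host, src)][user] += 1
    labels = {}
    for key, users in per_user.items():
        if sum(users.values()) < FAIL_THRESHOLD:
            labels[key] = "low_volume"
        elif len(users) >= MANY_USERS:
            labels[key] = "credential_stuffing"  # many accounts, few tries each
        else:
            labels[key] = "brute_force"          # few accounts, many tries each
    return labels

def success_after_failures(events, min_failures=FAIL_THRESHOLD):
    """Successful logins preceded by many failures for the same host, source and user."""
    prior, hits = Counter(), []
    for minute, host, src, user, outcome in sorted(events):
        key = (host, src, user)
        if outcome == "fail":
            prior[key] += 1
        elif prior[key] >= min_failures:
            hits.append((minute, host, src, user, prior[key]))
    return hits

# Constructed events: (minute, host, source_ip, username, outcome)
HOST = "hr-laptop-7"
EVENTS = (
    [(m, HOST, "203.0.113.50", f"user{m}", "fail") for m in range(40)]
    + [(m, HOST, "198.51.100.9", "asmith", "fail") for m in range(40, 65)]
    + [(65, HOST, "198.51.100.9", "asmith", "success"),   # buried in the noise
       (70, HOST, "192.0.2.10", "asmith", "success"),     # ordinary login
       (5, "dev-ws-2", "192.0.2.44", "bjones", "fail"),
       (6, "dev-ws-2", "192.0.2.44", "bjones", "success")]
)
```

Only the minute-65 login is returned by `success_after_failures(EVENTS)`; the single mistyped password on `dev-ws-2` and the ordinary login from a clean source are not flagged.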
Kerberos Misconfigurations that Make Kerberoasting Trivial
Kerberos is foundational to how many organizations authenticate users and services — and there are many ways it can be misconfigured. In many environments, we see service accounts with weak passwords, legacy encryption settings, and excessive privileges.
Kerberoasting remains a go-to technique: Attackers request service tickets, take them offline, and try to crack them. When passwords are weak or never rotated, this becomes a reliable way to quickly turn a standard domain account into powerful access. The combination of misconfigured Kerberos and weak service account passwords dramatically lowers the bar for a successful compromise.
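As an added example (not CrowdStrike tooling), the audit below checks exported service account records for the three weaknesses named above: legacy encryption settings, passwords that are never rotated, and excessive privileges. The record field names, the 365-day threshold, the privileged group list, and the sample accounts are assumptions; the bit values are those of the Active Directory attribute msDS-SupportedEncryptionTypes.

```python
from datetime import date

# msDS-SupportedEncryptionTypes bit flags (Active Directory attribute)
DES, RC4, AES = 0x1 | 0x2, 0x4, 0x8 | 0x10
MAX_PASSWORD_AGE_DAYS = 365   # assumed rotation policy
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def audit_account(acct, today):
    """List the Kerberoasting-relevant weaknesses of one account record."""
    if not acct["spns"]:
        return []   # no SPN, so no service ticket is issued for this account
    issues = []
    enc = acct["enc_types"]
    # Assumption: an unset value falls back to domain defaults, treated as legacy here.
    if enc is None or enc & (DES | RC4) or not enc & AES:
        issues.append("legacy_encryption")
    if (today - acct["pwd_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
        issues.append("stale_password")
    if PRIVILEGED_GROUPS & set(acct["groups"]):
        issues.append("excessive_privilege")
    return issues

def audit(accounts, today):
    """Accounts with at least one weakness, most issues first."""
    found = [(a["name"], audit_account(a, today)) for a in accounts]
    return dict(sorted((f for f in found if f[1]), key=lambda f: -len(f[1])))

# Constructed account records (names, SPNs and dates are made up).
TODAY = date(2026, 5, 4)
ACCOUNTS = [
    {"name": "svc-sql", "spns": ["MSSQLSvc/db01.example.test:1433"], "enc_types": 0x4,
     "pwd_last_set": date(2019, 6, 1), "groups": ["Domain Admins"]},
    {"name": "svc-web", "spns": ["HTTP/app.example.test"], "enc_types": 0x18,
     "pwd_last_set": date(2026, 2, 1), "groups": ["Web Operators"]},
    {"name": "svc-backup", "spns": ["backup/bk01.example.test"], "enc_types": None,
     "pwd_last_set": date(2025, 11, 1), "groups": ["Backup Operators"]},
    {"name": "jdoe", "spns": [], "enc_types": None,
     "pwd_last_set": date(2020, 1, 1), "groups": ["Domain Admins"]},
]
```

In the sample, `svc-sql` carries all three weaknesses and is the account to fix first, while the AES-only, recently rotated `svc-web` passes cleanly.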
Active Directory as a Critical and Accessible Target
Most enterprises still rely on Active Directory (AD) as the backbone of their identity infrastructure. This makes AD a primary target for modern attackers. Once an adversary can control or abuse AD, they can move laterally, escalate privileges, and persist with relative ease.
In Technical Risk Assessments, we frequently uncover:
Stale or orphaned accounts that still have access they no longer need
Over-privileged service and admin accounts
Weak or inconsistent password policies
Legacy configurations that were “good enough” years ago are dangerous today. Cleaning up AD, tightening identity configurations, and enforcing strong authentication and password hygiene are some of the most direct ways to reduce cyber risk.
Patterns of Strong Security
Across hundreds of Technical Risk Assessments, the organizations in the strongest position tend to have a few things in common:
A mapped and owned external attack surface: They know which domains, IP ranges, cloud services, and internet-facing applications belong to them, and who owns each one. Falcon Exposure Management is used to continuously discover new assets and flag drift. It helps confirm nothing lives on the public internet without clear ownership, baseline controls, and a plan to remediate issues.
Risk-based vulnerability management with real SLAs: Vulnerability data is prioritized by exposure and adversary behavior. High-risk CVEs on critical and internet-facing systems have tight, enforced SLAs. Falcon Exposure Management helps correlate vulnerabilities with real-world context so teams can focus on what reduces breach likelihood.
Clean, well-governed identities and directories: Remote endpoints are monitored for unusual login activity, and policies account for the realities of home networks. Kerberos is configured securely, service account passwords are strong and rotated, and Kerberoasting-resistant configurations are in place. Active Directory is well-maintained: Stale accounts are removed, privileges are minimized, and configuration hygiene is continuously improved.
Integrated visibility and a habit of continuous validation: Security and IT teams work from a shared, current view of assets, vulnerabilities, and identities. Technical Risk Assessments are used as a recurring health check to validate that controls are behaving as expected, SLAs are met, and newly introduced technologies don’t silently expand risk.
How We Help: CrowdStrike Technical Risk Assessment
The Technical Risk Assessment provides a unified view of exposure across the external attack surface, applications, vulnerabilities, accounts, identity, and configuration hygiene — powered by the CrowdStrike Falcon® platform.
What the assessment delivers:
An executive‑ready report that summarizes exposure, business impact, and accountable owners
Remediation details for each finding, mapped to real‑world adversary techniques
A prioritized plan that scores every action by criticality and level of effort, so teams know what to fix first and how much work is required
Platform capabilities behind the assessment:
Falcon Exposure Management to discover, assess, and act on risk across assets and the external attack surface
CrowdStrike Falcon® Next-Gen Identity Security to reveal and close risky identity paths and Active Directory weaknesses
CrowdStrike Falcon® for IT to query, manage, and remediate at scale across the environment
Contact your CrowdStrike representative or complete this form to schedule your Technical Risk Assessment.
Additional Resources
Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights.
Learn more about the CrowdStrike Technical Risk Assessment Service, Falcon Exposure Management, Falcon Next-Gen Identity Security, and Falcon for IT.