CrowdStrike Advances CNAPP with Industry-First Adversary-Informed Risk Prioritization

Blog | Cloud & Application Security
March 24, 2026 | Jason Williams

New Falcon Cloud Security capabilities arm security teams with risk-based insights to close security gaps before they lead to breaches.

Interest in cloud-native application protection platforms (CNAPPs) has exploded in recent years, partly because they reduce alert noise by translating siloed misconfigurations into correlated, theoretical attack paths and exposures. Yet while many organizations have adopted these solutions in pursuit of outcomes like "zero critical issues," cloud breaches continue to rise. In 2025, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year, according to the CrowdStrike 2026 Global Threat Report. As cloud environments and adversary tradecraft evolve, proactive security must adapt to help organizations better prepare their defenses. Three key gaps remain:

Limited to infrastructure: Current approaches analyze cloud assets and the links between services but lack visibility into business applications and how they run on that infrastructure. Security teams need additional tools to understand which infrastructure findings affect mission-critical applications.

Ignores adversary behavior: Risk analysis reveals potential attack paths but does not incorporate intelligence on which paths and industries specific adversaries target. Security teams chase theoretical risk with arbitrary severity labels, while adversaries focus on exploitation chains proven against organizations like theirs.

Endless triage: Risk detections surface without any connection to the configuration changes that introduced them. Security teams manually comb through logs to work out which changes caused the exposure, with no view of causality or of who made the changes.

Today, we're introducing three industry-first CNAPP capabilities in CrowdStrike Falcon® Cloud Security designed to address these limitations and give security teams the context needed to understand cloud risk, prioritize remediation, and move from detection to action faster.

New CNAPP Innovations for Proactive Security

These capabilities advance CNAPP by closing critical gaps in how cloud risk is assessed today, enabling organizations to understand how applications interact with infrastructure, which risks align with observed adversary behavior, and when conditions combine to enable a breach. Let's take a look at what's new.

Application Explorer: Adding the Application Layer to Cloud Risk Analysis

Falcon Cloud Security unifies application-layer visibility with cloud infrastructure context using Application Explorer. It shows how business applications run across cloud and on-premises environments, which services they depend on, and how infrastructure risks affect production applications, all within a single console. Organizations no longer need separate application monitoring tools or manual log stitching to understand business application risk.

CrowdStrike continuously performs code-level runtime analysis to build an application inventory, map dependencies, and identify application-layer risk. Built on the CrowdStrike Enterprise Graph®, Falcon Cloud Security correlates application insights with cloud infrastructure telemetry to show how applications interact with services, access data, use credentials, and integrate AI components. For example, if CrowdStrike identifies a storage resource with overly permissive access, it knows which applications connect to it and whether those applications process customer personally identifiable information (PII). Falcon Cloud Security also layers in business context to help security teams distinguish business-critical applications (e.g., payment processing, hospital ERP) from low-impact or non-production services.

For AI-driven applications, CrowdStrike discovers applications running as MCP (Model Context Protocol) servers, identifies dependencies on external large language models (LLMs), and maps what data those AI components can access. This lets organizations discover shadow AI activity, detect unapproved model usage, and prevent sensitive data from being exposed to external AI services. By correlating runtime application behavior with cloud infrastructure findings, Application Explorer gives organizations a precise view of business risk across production environments. This new capability is generally available.

Adversary Intelligence for Cloud Risks: Attacker-Aligned Risk Prioritization

Falcon Cloud Security applies CrowdStrike's threat intelligence to cloud risk detections, enabling organizations to assess risk based on how threat actors actually operate. It maps cloud risks to known adversary profiles and observed techniques so security teams can focus on the conditions attackers have targeted in documented intrusions. Falcon Cloud Security automatically analyzes risk detections against more than 280 adversary groups tracked by CrowdStrike, including threat actors such as LABYRINTH CHOLLIMA and SCATTERED SPIDER, and identifies the industries they actively target. For example, if a risk maps to a threat group known to target financial services and the organization operates in that sector, the exposure reflects a documented intrusion pattern and signals a higher likelihood of targeting. Because CrowdStrike tracks each threat group's tactics, techniques, and procedures (TTPs), organizations can prioritize the exposure with greater precision, assess the potential blast radius, and align remediation to how that adversary is known to operate.

The CrowdStrike Falcon® Adversary OverWatch™ threat hunting team continuously monitors adversary behavior in real-world intrusions and translates evolving tactics into updated detection and intelligence context across the CrowdStrike Falcon® platform.
As attackers shift techniques, CrowdStrike updates adversary mappings and detection logic so cloud risks are evaluated against current tradecraft. By grounding cloud risk in observed attacker behavior rather than static severity scoring, Falcon Cloud Security provides prioritization depth and context that helps organizations focus remediation and stop adversaries before the breach. This new capability is in beta and will be generally available in the coming months.

Timeline Explorer: Triage with Precision

Timeline Explorer delivers automated root cause analysis by reconstructing how a cloud risk developed over time. It shows how the exposure formed and eliminates hours of manual investigation across logs, dashboards, and disconnected findings. Instead of pivoting across multiple tools to determine what happened, organizations get a single chronological view that explains how a specific risk condition emerged, which speeds up investigation and remediation decisions.

Cloud risk often forms when multiple changes across connected assets converge to create an exposure. CrowdStrike automatically correlates each cloud risk detection with the asset changes that contributed to that specific condition, identifies those changes and who made them, and presents the sequence as a chronological timeline. Rather than reviewing isolated change history, organizations see the exact chain of events that combined to create the risk. Timeline Explorer links cause to outcome, turning fragmented change data into a coherent account of how the exposure developed.

Timeline Explorer also validates remediation within the same view. When a configuration change resolves the risk condition, the timeline reflects that update and confirms the exposure has been eliminated. Organizations no longer have to assume remediation worked; they can verify it.
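As an added illustration of the change-correlation idea described above (example code written for this page, not CrowdStrike's implementation; the event schema, bucket name, actors and the risk rule are all constructed assumptions), the following Python replays a small set of CloudTrail-style change events in time order, evaluates a risk rule after each one, records which earlier writes and which actors the exposure depends on, and confirms when a later change clears the condition:

```python
"""Reconstruct how a cloud risk condition formed from asset change events.

Added example for this page, not CrowdStrike code. The event schema, the
asset, the actors and the risk rule are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class Change:
    """One attribute write on one cloud asset (hypothetical, CloudTrail-like)."""
    ts: datetime
    actor: str
    resource: str
    attribute: str
    value: object


class TrackedState:
    """Current asset attributes plus, for each one, the change that last set it.
    Every read the risk rule performs is recorded, so the changes an exposure
    depends on are derived from what the rule actually evaluated."""

    def __init__(self) -> None:
        self.values: dict[tuple[str, str], object] = {}
        self.last_writer: dict[tuple[str, str], Change] = {}
        self.reads: set[tuple[str, str]] = set()

    def apply(self, change: Change) -> None:
        key = (change.resource, change.attribute)
        self.values[key] = change.value
        self.last_writer[key] = change

    def get(self, resource: str, attribute: str, default: object = None) -> object:
        key = (resource, attribute)
        self.reads.add(key)
        return self.values.get(key, default)


@dataclass
class Episode:
    """One interval during which the risk condition held."""
    opened_by: Change                      # the change that completed the exposure
    contributing: list                     # latest write of each input the rule read, oldest first
    resolved_by: Optional[Change] = None   # set once a later change clears the condition

    @property
    def actors(self) -> list:
        return sorted({c.actor for c in self.contributing})


def reconstruct(changes: list, risk: Callable[[TrackedState], bool]) -> list:
    """Replay changes in time order; open an Episode each time the rule turns
    true and close it when the rule turns false again (remediation validation)."""
    state = TrackedState()
    episodes: list = []
    was_risky = False
    for change in sorted(changes, key=lambda c: c.ts):
        state.apply(change)
        state.reads.clear()
        is_risky = risk(state)
        if is_risky and not was_risky:
            contributing = sorted(
                (state.last_writer[k] for k in state.reads if k in state.last_writer),
                key=lambda c: c.ts,
            )
            episodes.append(Episode(opened_by=change, contributing=contributing))
        elif was_risky and not is_risky:
            episodes[-1].resolved_by = change
        was_risky = is_risky
    return episodes


# --- constructed scenario (assumed names, not from the page) -----------------
BUCKET = "s3://customer-exports"


def public_pii_bucket(s: TrackedState) -> bool:
    """Risk rule: a bucket classified as holding PII has its public access block disabled."""
    return (s.get(BUCKET, "data_class") == "pii"
            and s.get(BUCKET, "public_access_block") is False)


SAMPLE_CHANGES = [
    Change(datetime.fromisoformat("2026-03-02T09:14:00"), "ci-deploy-role", BUCKET, "public_access_block", True),
    Change(datetime.fromisoformat("2026-03-03T10:02:00"), "dlp-scanner", BUCKET, "data_class", "pii"),
    Change(datetime.fromisoformat("2026-03-05T16:41:00"), "alice@example.com", BUCKET, "public_access_block", False),
    Change(datetime.fromisoformat("2026-03-06T08:05:00"), "bob@example.com", BUCKET, "public_access_block", True),
]


def render(episodes: list) -> list:
    """Plain-text timeline, one line per contributing change."""
    lines = []
    for n, ep in enumerate(episodes, 1):
        lines.append(f"risk #{n} formed {ep.opened_by.ts:%Y-%m-%d %H:%M} (actors involved: {', '.join(ep.actors)})")
        for c in ep.contributing:
            lines.append(f"  {c.ts:%Y-%m-%d %H:%M}  {c.actor:<18} {c.resource} {c.attribute} -> {c.value!r}")
        if ep.resolved_by:
            lines.append(f"  resolved {ep.resolved_by.ts:%Y-%m-%d %H:%M} by {ep.resolved_by.actor}")
        else:
            lines.append("  still open: no later change cleared the condition")
    return lines


if __name__ == "__main__":
    print("\n".join(render(reconstruct(SAMPLE_CHANGES, public_pii_bucket))))
```

The point of the `TrackedState` wrapper is that attribution falls out of the rule itself: whichever attributes the rule read when it first evaluated true are the inputs of the exposure, and the last writer of each is the change (and actor) that contributed. In the constructed scenario the PII classification by the scanner on March 3 and the public-access-block removal by alice on March 5 together form the risk, and bob's change on March 6 closes the episode; dropping the last event leaves `resolved_by` unset, which is the "still exposed" case a timeline view needs to show.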
By combining automated root cause analysis with remediation validation, Timeline Explorer helps organizations understand why a risk occurred, not just where it appeared. This insight lets teams address the underlying people, process, or control gaps that introduced the exposure, reducing repeat risk and delivering longer-term security value than fixing individual findings. This new capability is in beta and will be generally available in the coming months.

Falcon Data Security for Cloud: AI Data Flow Discovery in the Cloud

Ultimately, adversaries don't target infrastructure for its own sake; they target the sensitive data that applications and cloud services can access. As organizations build AI-powered applications, those data paths expand: AI pipelines introduce new ways for sensitive data to move across cloud services, orchestration layers, and model platforms, creating additional exposure points that security teams need visibility into. Training data, customer PII, and proprietary intellectual property can flow through AI pipelines without clear visibility or controls, creating compliance exposure and breach risk.

CrowdStrike Falcon® Data Security for Cloud now addresses this with real-time visibility into how sensitive cloud data flows into and through AI services at runtime. Using eBPF-powered monitoring, Falcon Data Security for Cloud continuously observes data flows across cloud services, APIs, containers, and internal services, classifying sensitive content in real time as it moves.

For AI-driven workloads, this monitoring extends into AI data paths: teams can see sensitive data as it is collected from cloud storage and databases, passed through internal or external AI orchestration layers including MCP servers, and sent to or consumed by internal AI and machine learning (ML) services such as Amazon SageMaker and Bedrock.

Figure 1. Falcon Data Security for Cloud offers runtime visibility into data flowing to AI services

For teams building AI cloud applications, it provides the end-to-end data flow visibility needed to ensure sensitive data isn't inadvertently incorporated into training pipelines or exposed through model outputs. For organizations managing AI workforce adoption, it closes the blind spots that log-based tools leave open, delivering runtime telemetry that identifies unexpected or risky AI data usage as it happens, with detections that can be routed into CrowdStrike Falcon® Fusion SOAR workflows for immediate response. This new capability is in early beta and will be generally available in the coming months.

Move from Detection to Remediation Faster

These innovations in CrowdStrike Falcon Cloud Security enhance CNAPP by combining application-layer visibility, adversary intelligence, and chronological root cause analysis to change how organizations assess and improve their risk posture. Together, they enable organizations to reduce cloud exposure faster and stop adversaries before risk escalates into a breach.

Forward-Looking Statements

This blog may include discussion of unreleased services or features. Any unreleased services or features referenced here are still in development and subject to change. Customers should make their purchase decisions based upon features that are currently available.