CrowdStrike Technical Risk Assessments Reveal Common Exposure Patterns

May 04, 2026
Jesse Vazquez - JJ Cranford

Every year, CrowdStrike Professional Services performs hundreds of Technical Risk Assessments (TRAs) across myriad industries, geographies, and business environments. These deep, hands-on reviews look at how security controls behave in production to evaluate the threats they see and block — and crucially, the threats they miss. Exposure is constantly changing as organizations adopt new technologies and adversaries accelerate and explore new tactics.

Because our team sees so many different environments up close, we have a lens into the patterns that put businesses at risk: the same misconfigurations, visibility gaps, and temporary exceptions continue to appear, and they map to the techniques modern adversaries use to move quickly and bypass detection. By analyzing these real-world findings, we’ve identified that the highest risk often resides in "silent" spaces — unmanaged assets and overlooked credential paths — where adversaries now operate with machine speed.

Addressing these systemic issues requires moving beyond tool acquisition and toward operational discipline. Our assessments reveal that securing the enterprise isn't just about having the right technology, but about gaining clarity into where risk lives. By closing the visibility gaps across critical areas, organizations can shift from a reactive posture to a proactive approach that disrupts the adversary’s path.

In this blog, we draw on a large sample of CrowdStrike Technical Risk Assessments to examine those patterns and highlight the most common issues quietly driving cyber risk. For security teams seeking to lower their risk profile, these are the areas to focus on to strengthen security posture.

Most Common Risk Patterns

Shadow AI: The Governance Gap Organizations Can't Ignore

Employees, developers, and SaaS platforms are deploying AI tools faster than security and policy teams can respond.

From LLM-powered browser extensions to unapproved AI agents running in production, AI is proliferating outside sanctioned channels — and security teams often have no visibility into it. Unlike traditional shadow IT, shadow AI requires no installation, hides inside existing tools, and can silently route sensitive data to external models. In one recent CrowdStrike Services assessment, the client had zero approved agentic AI use but had agents running in production.

In another, the approved inventory was off by 400. The risks are significant: uncontrolled data exposure, broken access permissions, unmonitored autonomous agent behavior, and no clear accountability.

Recommendations

- Form a cross-functional AI committee to align business needs with security requirements
- Deploy CrowdStrike Falcon® AI Detection and Response (AIDR) to surface shadow AI adoption and CrowdStrike Falcon® Exposure Management to inventory LLMs, agents, IDE extensions, and MCP servers
- Use CrowdStrike Falcon® Cloud Security (AI-SPM), CrowdStrike Falcon® Shield, and Falcon AIDR to identify AI activity across productivity and communication platforms
- Publish clear rules and a sanctioned list of approved models and interfaces
- Define who can build and deploy AI agents, what they can access, and how their behavior is logged and terminated
- Ensure staff understand the data exposure, compliance, and integration risks of unauthorized AI tools

External Attack Surface

The external attack surface refers to everything an adversary can see and access from the internet before they enter the target network.

This includes:

- Public-facing websites and applications
- Domains and subdomains (including old or “test” ones)
- Internet-exposed IP addresses and services
- VPN gateways, remote access portals, and management interfaces
- Cloud and SaaS services that can be reached directly from the internet

In our Technical Risk Assessments, we consistently find that this external footprint is larger and more exposed than security teams realize.

Shadow IT, forgotten projects, third-party integrations, and misconfigured cloud services all expand the attack surface in ways that rarely show up in internal inventories. Common issues we uncover include:

- Unknown or “orphaned” assets that no one owns but are still live on the internet
- Outdated software and configurations on public-facing systems
- Overly permissive access to admin portals, APIs, and management interfaces
- Inconsistent controls between on-premises and cloud, or between different business units

Each one of these gaps represents an opportunity for an adversary to gain initial access with minimal effort.
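The first three issues in that list can be checked mechanically once you have an external discovery result and an ownership inventory side by side. The script below is an added example, not CrowdStrike code and not Falcon Exposure Management output: it assumes a discovery list of (host, port, product, version) such as an external scanner or attack-surface tool would return, an inventory keyed by hostname or owned domain suffix such as a CMDB export, and an illustrative end-of-life list. All hosts, owners and versions are constructed sample data.

```python
"""Reconcile discovered internet-facing services against the asset inventory.

Added example; this is not CrowdStrike code and not Falcon Exposure Management
output. Assumptions: the discovery list stands in for what an external scan or
attack-surface tool returns (host, port, fingerprint), the inventory stands in
for a CMDB export keyed by hostname or owned domain suffix, and the
end-of-life list is illustrative. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Services that should not face the internet without strong access controls.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc",
    5985: "winrm", 5986: "winrm-https", 8443: "admin-https", 9200: "elasticsearch",
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str  # fingerprinted product name (constructed)
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str
    severity: str  # "high" or "medium"
    owner: Optional[str]


def normalise(host: str) -> str:
    """Lower-case and strip the trailing dot so scan output matches inventory keys."""
    return host.strip().lower().rstrip(".")


def owner_for(host: str, inventory: dict[str, str]) -> Optional[str]:
    """Exact hostname match first, then the longest owned parent domain.

    A forgotten "test-api.corp.example.com" therefore maps to whoever owns
    "corp.example.com" instead of being reported as orphaned.
    """
    h = normalise(host)
    if h in inventory:
        return inventory[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in inventory:
            return inventory[suffix]
    return None


def assess(discovered: list[Service], inventory: dict[str, str],
           eol: set[tuple[str, str]]) -> list[Finding]:
    """Flag orphaned hosts, unregistered hosts, exposed management ports and EOL software."""
    findings: list[Finding] = []
    for svc in discovered:
        host = normalise(svc.host)
        owner = owner_for(host, inventory)
        if owner is None:
            findings.append(Finding(host, svc.port, "orphaned asset: no owner in inventory", "high", None))
        elif host not in inventory:
            findings.append(Finding(host, svc.port, f"unregistered host in domain owned by {owner}", "medium", owner))
        if svc.port in MANAGEMENT_PORTS:
            findings.append(Finding(host, svc.port,
                                    f"management interface ({MANAGEMENT_PORTS[svc.port]}) reachable from the internet",
                                    "high", owner))
        if (svc.product, svc.version) in eol:
            findings.append(Finding(host, svc.port, f"end-of-life software: {svc.product} {svc.version}", "high", owner))
    # Worst first: high severity, then unowned before owned, then host/port for a stable report.
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f.severity], f.owner is not None, f.host, f.port))
    return findings


# Constructed sample data (documentation names and address ranges, not real hosts).
INVENTORY = {
    "www.example.com": "web-platform",
    "vpn.example.com": "network",
    "corp.example.com": "it-infra",   # domain-level ownership
}
DISCOVERED = [
    Service("www.example.com", 443, "nginx", "1.24"),
    Service("VPN.example.com.", 443, "sslvpn", "9.0"),           # trailing dot from a DNS export
    Service("test-api.corp.example.com", 8443, "tomcat", "8.5"),  # forgotten test system
    Service("legacy-ftp.example.net", 22, "openssh", "7.4"),      # nobody claims this domain
]
EOL_VERSIONS = {("tomcat", "8.5"), ("openssh", "7.4")}  # illustrative; maintain from vendor notices

if __name__ == "__main__":
    for f in assess(DISCOVERED, INVENTORY, EOL_VERSIONS):
        print(f"[{f.severity:6}] {f.host}:{f.port:<5} owner={f.owner or '-':12} {f.issue}")
```

The ordering is the point: an unowned host with an exposed SSH service and end-of-life software sorts to the top because no one will patch it, while an unregistered test system under a domain that does have an owner is routed to that owner as a medium-severity inventory gap.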

How Falcon Exposure Management Uncovers Risk

CrowdStrike Professional Services uses Falcon Exposure Management to uncover and validate these risks as part of the Technical Risk Assessment. Falcon Exposure Management continuously discovers and maps internet-facing assets — domains, IP ranges, cloud services, and more — and correlates them with vulnerabilities, misconfigurations, and threat intelligence.

This gives us an outside-in view of the external attack surface. During a Technical Risk Assessment, our consultants:

- Enumerate the organization’s external footprint using Falcon Exposure Management to identify known and unknown assets.
- Prioritize exposures based on exploitability and adversary behavior, focusing on the paths real attackers are most likely to use.
- Validate risk with hands-on analysis, confirming what an attacker could see and do from the outside.

- Deliver clear recommendations outlining which issues to fix first and how to close high-risk internet-facing gaps.

The result is an evidence-based view of the external attack surface and a prioritized roadmap to reduce the risk of a breach starting from an exposed asset on the public internet.

Applications and Vulnerabilities

When we review applications and vulnerabilities during a Technical Risk Assessment, we rarely find a lack of tools.

Most organizations have endpoint detection and response (EDR), vulnerability scanners, and patch management platforms. The challenge they most often face is the gap between finding issues and fixing them within a defined window. The most common pattern we see is critical vulnerabilities on “managed” assets. Even on systems covered by endpoint sensors and vulnerability scanners, we routinely find critical-severity CVEs that have been open for weeks or months.
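Measuring the gap between finding and fixing is what turns "weeks or months" into a number a team can act on. The script below is an added example, not CrowdStrike or Falcon Exposure Management code: it scores each finding against a risk-based remediation window, reports open findings that have breached it grouped by asset, and computes how many closed findings were fixed in time. The window sizes are illustrative tiers rather than a CrowdStrike standard, the asset attributes (internet-facing, business-critical) and the exploited flag stand in for whatever the scanner and CMDB supply, and the finding records and identifiers are constructed.

```python
"""Measure vulnerability remediation against risk-based SLAs.

Added example, not CrowdStrike or Falcon Exposure Management code. The SLA
windows are illustrative tiers, not a CrowdStrike standard; the asset
attributes (internet-facing, business-critical) and the exploited flag stand
in for whatever the scanner and CMDB provide. Identifiers in the sample
are placeholders and the records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    asset: str
    vuln_id: str           # placeholder, would be the CVE ID in practice
    severity: str          # critical / high / medium / low
    exploited: bool        # known exploitation or public exploit available
    internet_facing: bool
    business_critical: bool
    first_seen: date       # when the scanner first reported it
    fixed: Optional[date] = None


BASE_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}  # illustrative


def sla_days(v: Vuln) -> int:
    """Exposure and exploitability tighten the base window for the severity."""
    days = BASE_DAYS[v.severity]
    if v.internet_facing or v.business_critical:
        days //= 2                  # e.g. critical on an exposed asset: 7 days
    if v.exploited:
        days = min(days, 3)         # actively exploited: treat as an incident
    return max(days, 1)


def status(v: Vuln, today: date) -> dict:
    """Due date, breach state and overdue days for one finding, open or closed."""
    due = v.first_seen + timedelta(days=sla_days(v))
    end = v.fixed or today
    overdue = (end - due).days
    return {"asset": v.asset, "vuln_id": v.vuln_id, "due": due, "open": v.fixed is None,
            "breached": overdue > 0, "days_overdue": max(overdue, 0)}


def patch_debt(vulns: list[Vuln], today: date) -> dict[str, dict]:
    """Open, breached findings per asset, worst first: shows where debt is concentrating."""
    per_asset: dict[str, list[dict]] = {}
    for v in vulns:
        s = status(v, today)
        if s["open"] and s["breached"]:
            per_asset.setdefault(v.asset, []).append(s)
    summary = {a: {"count": len(rs), "max_days_overdue": max(r["days_overdue"] for r in rs)}
               for a, rs in per_asset.items()}
    return dict(sorted(summary.items(), key=lambda kv: (-kv[1]["max_days_overdue"], kv[0])))


def compliance(vulns: list[Vuln], today: date) -> tuple[int, int]:
    """(closed within SLA, closed total): the trend number to report each month."""
    closed = [status(v, today) for v in vulns if v.fixed is not None]
    return sum(1 for s in closed if not s["breached"]), len(closed)


# Constructed sample findings.
TODAY = date(2026, 5, 1)
SAMPLE = [
    Vuln("web-01", "V1", "critical", True, True, True, date(2026, 3, 1)),
    Vuln("web-01", "V2", "high", False, True, False, date(2026, 4, 20)),
    Vuln("db-02", "V3", "critical", False, False, True, date(2026, 2, 1), fixed=date(2026, 2, 5)),
    Vuln("hr-app", "V4", "medium", False, False, False, date(2026, 1, 1)),
    Vuln("lab-07", "V5", "critical", False, False, False, date(2026, 3, 20), fixed=date(2026, 4, 20)),
]

if __name__ == "__main__":
    for asset, d in patch_debt(SAMPLE, TODAY).items():
        print(f"{asset}: {d['count']} open past SLA, worst {d['max_days_overdue']} days overdue")
    met, total = compliance(SAMPLE, TODAY)
    print(f"closed within SLA: {met}/{total}")
```

Two design choices matter here. The window is derived from exposure and exploitability rather than from severity alone, so an exploited critical on an internet-facing server gets a three-day window while the same CVE on an isolated lab box gets fourteen. And breach is evaluated for closed findings too, which is what lets you report an SLA compliance rate instead of only a backlog.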

These are often on business-critical servers and externally reachable systems. Patching is frequently treated as best-effort instead of a measured commitment. Technical Risk Assessments regularly find organizations lacking clear, risk-based SLAs for remediation, or SLAs that exist on paper but aren’t tracked and enforced in practice.

Our recommendation is straightforward:

- Establish explicit SLAs for vulnerability remediation based on severity, exploitability, and exposure — for example, internet-facing and business-critical assets are held to the tightest timelines.

- Continuously measure against those SLAs so security and IT teams can see where patch debt is accumulating.

In a Technical Risk Assessment, our team uses Falcon Exposure Management to surface these high-risk CVEs on managed assets, show where SLA breaches are concentrated, and give you a prioritized, evidence-based plan to close the most dangerous gaps.

Accounts, Identity, and Configuration Hygiene

In almost every Technical Risk Assessment, we find that identity hygiene issues create easy, high-impact paths for attackers.

A few patterns repeatedly surface:

Noisy Remote Accounts on Home Networks

With today’s remote and hybrid workforce, many employees are accessing corporate resources from home networks that don’t have enterprise-grade security controls. In our assessments, we often see a small number of systems associated with remote workers generating a very high volume of login attempts. These endpoints become magnets for credential stuffing and brute-force activity.

Attackers repeatedly try username/password combinations against internet-reachable services, and nothing on the home Wi-Fi stops this activity at the perimeter. Without good monitoring and controls, this “background noise” can hide real compromise attempts and make it harder for defenders to spot malicious logins in time.

Kerberos Misconfigurations that Make Kerberoasting Trivial

Kerberos is foundational to how many organizations authenticate users and services — and there are many ways it can be misconfigured.

In many environments, we see service accounts with weak passwords, legacy encryption settings (such as RC4 rather than AES, which makes offline cracking far faster), and excessive privileges. Kerberoasting remains a go-to technique: any authenticated domain user can request service tickets (TGS) for accounts that have a service principal name, and because part of each ticket is encrypted with a key derived from the service account's password, attackers take those tickets offline and try to crack them. When passwords are weak or never rotated, this becomes a reliable way to quickly turn a standard domain account into powerful access. Misconfigured Kerberos and weak service account passwords are a combination that dramatically lowers the bar for a successful compromise.
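Both of the patterns just described leave a signal in Windows Security events: the noisy remote endpoint shows up as failed logons (event 4625) from one source against many accounts, and a Kerberoasting run shows up as one principal requesting RC4-encrypted service tickets (event 4769 with TicketEncryptionType 0x17) for several distinct SPNs in a short window. The script below is an added example of both detections over a constructed event stream; it is not Falcon detection logic. Field names follow the Windows event schema, but the records are built inline, not collected from a real host, and the thresholds, hostnames and addresses are assumptions.

```python
"""Two detections over Windows Security events: credential stuffing against a
remote worker's endpoint (event 4625) and Kerberoasting (event 4769).

Added example; not Falcon detection logic. Records are constructed inline and
simplified: field names follow the Windows event schema (TargetUserName,
IpAddress, ServiceName, TicketEncryptionType) but nothing here was collected
from a real host. Thresholds, hostnames and address ranges are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 4, 14, 9, 0, 0)


def _at(seconds: int) -> datetime:
    return BASE + timedelta(seconds=seconds)


def _failed_logon(t, user, src, computer):
    return {"EventID": 4625, "Time": t, "TargetUserName": user, "IpAddress": src, "Computer": computer}


def _tgs_request(t, user, src, service, etype):
    return {"EventID": 4769, "Time": t, "TargetUserName": user, "IpAddress": src,
            "ServiceName": service, "TicketEncryptionType": etype}


# Constructed event stream.
EVENTS = []
# 30 failures across 12 accounts in four minutes against a remote worker's laptop.
for i in range(30):
    EVENTS.append(_failed_logon(_at(8 * i), f"user{i % 12}", "203.0.113.7", "LAPTOP-RW42"))
# Benign noise: one user mistyping their own password three times.
for i in range(3):
    EVENTS.append(_failed_logon(_at(600 + 15 * i), "alice", "198.51.100.9", "LAPTOP-AL01"))
# Kerberoasting: one user pulls RC4 (0x17) tickets for four different SPNs within a minute.
for i, svc in enumerate(["svc-sql", "svc-web", "svc-backup", "svc-sharepoint"]):
    EVENTS.append(_tgs_request(_at(1200 + 10 * i), "jdoe@CORP.EXAMPLE", "10.0.5.21", svc, "0x17"))
# The same user's routine traffic, which must not count: TGT renewal and a machine account.
EVENTS.append(_tgs_request(_at(1250), "jdoe@CORP.EXAMPLE", "10.0.5.21", "krbtgt", "0x17"))
EVENTS.append(_tgs_request(_at(1260), "jdoe@CORP.EXAMPLE", "10.0.5.21", "CORP-DC01$", "0x17"))
# A normal AES256 (0x12) service ticket: not crackable at useful speed.
EVENTS.append(_tgs_request(_at(1300), "bob@CORP.EXAMPLE", "10.0.7.3", "svc-sql", "0x12"))


def _windowed(evs: list[dict], window: timedelta):
    """Yield every slice of time-sorted events that fits inside the window."""
    evs = sorted(evs, key=lambda e: e["Time"])
    start = 0
    for end in range(len(evs)):
        while evs[end]["Time"] - evs[start]["Time"] > window:
            start += 1
        yield evs[start:end + 1]


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_failures=20, min_accounts=5):
    """Many failed logons across many accounts from one source: stuffing or spraying, not a typo."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_src[e["IpAddress"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        best = None  # largest qualifying window for this source
        for span in _windowed(evs, window):
            accounts = {e["TargetUserName"] for e in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(span) > best["failures"]:
                    best = {"source": src, "target": span[-1]["Computer"],
                            "failures": len(span), "accounts": len(accounts)}
        if best:
            alerts.append(best)
    return alerts


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """One principal requesting RC4 service tickets for several distinct SPNs in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and machine accounts are not Kerberoasting targets
        by_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        best = None
        for span in _windowed(evs, window):
            spns = {e["ServiceName"] for e in span}
            if len(spns) >= min_spns and (best is None or len(spns) > len(best["spns"])):
                best = {"user": user, "source": span[-1]["IpAddress"], "spns": sorted(spns)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_credential_stuffing(EVENTS) + detect_kerberoasting(EVENTS):
        print(a)
```

The account-count condition is what separates the remote worker's noisy endpoint from a user who forgot their password, and the krbtgt and machine-account exclusions keep the Kerberoasting rule quiet on ordinary TGT renewals and computer logons. In production the 0x17 filter is only useful once service accounts are AES-only, which is exactly the misconfiguration the assessment looks for.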

Active Directory as a Critical and Accessible Target

Most enterprises still rely on Active Directory (AD) as the backbone of their identity infrastructure. This makes AD a primary target for modern attackers. Once an adversary can control or abuse AD, they can move laterally, escalate privileges, and persist with relative ease. In Technical Risk Assessments, we frequently uncover:

- Stale or orphaned accounts that still have access they no longer need
- Over-privileged service and admin accounts
- Weak or inconsistent password policies
- Legacy configurations that were “good enough” years ago but are dangerous today
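The Kerberos weaknesses and the AD hygiene gaps above are all visible in directory attributes, so they can be audited from a user export before anyone runs an attack tool. The script below is an added example, not Falcon Next-Gen Identity Security logic: it walks constructed user records and flags roastable service accounts that still accept RC4 or have not rotated their password, stale accounts, and privileged accounts with non-expiring passwords. The attribute names (servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, lastLogonTimestamp, adminCount, userAccountControl, memberOf) are real AD attributes as they might look after an LDAP or JSON export with timestamps already converted to datetimes; the values and the 90-day and 365-day thresholds are assumptions.

```python
"""Audit an Active Directory user export for roastable service accounts, stale
accounts and over-privileged accounts.

Added example; not Falcon Next-Gen Identity Security logic. Attribute names are
real AD attributes, assumed already exported with FILETIME values converted to
datetimes; the records are constructed and the thresholds are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags.
RC4_HMAC, AES128, AES256 = 0x04, 0x08, 0x10
# userAccountControl bit flags.
UAC_ACCOUNTDISABLE, UAC_DONT_EXPIRE_PASSWD = 0x0002, 0x10000
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}


def allows_rc4(etypes: int | None) -> bool:
    """AES-only accounts have an AES bit set and the RC4 bit clear. A missing or
    zero value is treated as RC4-capable, matching the legacy default for users."""
    if not etypes:
        return True
    return bool(etypes & RC4_HMAC) or not etypes & (AES128 | AES256)


def is_privileged(u: dict) -> bool:
    # adminCount=1 marks current or past membership in a protected group.
    return u.get("adminCount") == 1 or bool(PRIVILEGED_GROUPS & set(u.get("memberOf", [])))


def audit(users: list[dict], now: datetime, stale_days: int = 90, pwd_age_days: int = 365):
    """Return [(sAMAccountName, [issue, ...])] for enabled accounts with at least one issue."""
    findings = []
    for u in users:
        uac = u.get("userAccountControl", 0)
        if uac & UAC_ACCOUNTDISABLE:
            continue  # focus on live risk; disabled accounts are a separate cleanup list
        issues = []
        privileged = is_privileged(u)
        pwd_age = (now - u["pwdLastSet"]).days
        if u.get("servicePrincipalName"):
            # Any authenticated user can request a TGS for these SPNs and crack it offline.
            if allows_rc4(u.get("msDS-SupportedEncryptionTypes")):
                issues.append("SPN account accepts RC4 tickets: Kerberoastable at high speed")
            if pwd_age > pwd_age_days:
                issues.append(f"SPN account password unchanged for {pwd_age} days")
            if privileged:
                issues.append("SPN account holds privileged group membership")
        last = u.get("lastLogonTimestamp")
        if last is None or (now - last).days > stale_days:
            issues.append(f"stale: no logon in the last {stale_days} days")
        if privileged and uac & UAC_DONT_EXPIRE_PASSWD:
            issues.append("privileged account with a non-expiring password")
        if issues:
            findings.append((u["sAMAccountName"], issues))
    return findings


NOW = datetime(2026, 4, 30)
USERS = [  # constructed records
    {"sAMAccountName": "svc-sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "pwdLastSet": NOW - timedelta(days=1900), "lastLogonTimestamp": NOW - timedelta(days=1),
     "memberOf": ["Domain Admins"], "adminCount": 1, "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-web", "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256, "pwdLastSet": NOW - timedelta(days=20),
     "lastLogonTimestamp": NOW - timedelta(days=2), "memberOf": [], "userAccountControl": 0x200},
    {"sAMAccountName": "jsmith", "pwdLastSet": NOW - timedelta(days=400),
     "lastLogonTimestamp": NOW - timedelta(days=200), "memberOf": [], "userAccountControl": 0x200},
    {"sAMAccountName": "contractor9", "pwdLastSet": NOW - timedelta(days=800),
     "lastLogonTimestamp": None, "memberOf": [], "userAccountControl": 0x202},
    {"sAMAccountName": "backup-admin", "pwdLastSet": NOW - timedelta(days=30),
     "lastLogonTimestamp": NOW - timedelta(days=3), "memberOf": ["Backup Operators"],
     "adminCount": 1, "userAccountControl": 0x10200},
]

if __name__ == "__main__":
    for account, issues in audit(USERS, NOW):
        print(account)
        for issue in issues:
            print("  -", issue)
```

The svc-sql record is the textbook bad case: an SPN, no encryption-type setting (so RC4 is accepted), a password last set over five years ago, and Domain Admins membership, which is the combination that turns a cracked ticket into domain compromise. The svc-web record shows the hardened form: AES-only and recently rotated, so it produces no finding.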

Cleaning up AD, tightening identity configurations, and enforcing strong authentication and password hygiene are some of the most direct ways to reduce cyber risk.

Patterns of Strong Security

Across hundreds of Technical Risk Assessments, the organizations in the strongest position tend to have a few things in common:

A mapped and owned external attack surface: They know which domains, IP ranges, cloud services, and internet-facing applications belong to them, and who owns each one.

Falcon Exposure Management is used to continuously discover new assets and flag drift. It helps confirm nothing lives on the public internet without clear ownership, baseline controls, and a plan to remediate issues.

Risk-based vulnerability management with real SLAs: Vulnerability data is prioritized by exposure and adversary behavior. High-risk CVEs on critical and internet-facing systems have tight, enforced SLAs.

Falcon Exposure Management helps correlate vulnerabilities with real-world context so teams can focus on what reduces breach likelihood.

Clean, well-governed identities and directories: Remote endpoints are monitored for unusual login activity, and policies account for the realities of home networks. Kerberos is configured securely, service account passwords are strong and rotated, and Kerberoasting-resistant configurations are in place.

Active Directory is well-maintained: Stale accounts are removed, privileges are minimized, and configuration hygiene is continuously improved.

Integrated visibility and a habit of continuous validation: Security and IT teams work from a shared, current view of assets, vulnerabilities, and identities. Technical Risk Assessments are used as a recurring health check to validate that controls are behaving as expected, SLAs are met, and newly introduced technologies don’t silently expand risk.

How We Help: CrowdStrike Technical Risk Assessment

The Technical Risk Assessment provides a unified view of exposure across the external attack surface, applications, vulnerabilities, accounts, identity, and configuration hygiene — powered by the CrowdStrike Falcon® platform.

What the assessment delivers:

- An executive-ready report that summarizes exposure, business impact, and accountable owners
- Remediation details for each finding, mapped to real-world adversary techniques
- A prioritized plan that scores every action by criticality and level of effort, so teams know what to fix first and how much work is required

Platform capabilities behind the assessment:

- Falcon Exposure Management to discover, assess, and act on risk across assets and the external attack surface
- CrowdStrike Falcon® Next-Gen Identity Security to reveal and close risky identity paths and Active Directory weaknesses
- CrowdStrike Falcon® for IT to query, manage, and remediate at scale across the environment

Contact your CrowdStrike representative or complete this form to schedule your Technical Risk Assessment.

Additional Resources

Dive deeper into topics like this at Fal.Con 2026 with expert-led sessions, hands-on training, and real-world insights. Learn more about the CrowdStrike Technical Risk Assessment Service, Falcon Exposure Management, Falcon Next-Gen Identity Security, and Falcon for IT.
