Cloud-conscious adversaries drive evolution of cloud detection and response

As organisations accelerate cloud adoption and embrace AI-driven innovation, their attack surface is expanding faster than traditional security models can cope. Cloud environments now demand security that is both cloud-native and time-sensitive, capable of detecting and responding to threats in seconds rather than minutes.

Fabio Fratucello

In an email interview, Fabio Fratucello, Field CTO World Wide, CrowdStrike outlined how cloud detection and response (CDR) is evolving to meet these demands, why identity has become the new perimeter, and how “cloud-conscious adversaries” are reshaping defensive priorities.

From batch-based detection to real-time cloud defence

Traditional CDR approaches have typically relied on static risk models and batch processing of logs. In many cases, this means it can take up to 15 minutes to detect a threat in a cloud environment – an eternity when modern attacks can unfold in seconds.

Attackers are using automation and AI to compress the intrusion timeline, so defenders need real-time visibility and response to stand a chance.

Modern CDR platforms, such as CrowdStrike’s Falcon Cloud Security CDR, are designed to provide real-time, unified protection across hybrid and multi-cloud environments through AI-native architectures. Rather than simply looking for known bad indicators, these platforms use detection engines built on adversary-informed operating models, mapping cloud risk to real-world attacker techniques as they occur.

By analysing cloud logs as they are generated, advanced CDR solutions surface high-fidelity, contextual alerts that help security teams prioritise what matters most.

What are “Cloud-Conscious Adversaries”?

The term “cloud-conscious adversaries” refers to threat actors who intentionally focus on exploiting cloud infrastructure and cloud-native services, rather than treating the cloud as just another hosting environment.

According to CrowdStrike’s 2026 Global Threat Report, cloud-conscious intrusions rose by 37% in 2025, with a staggering 266% increase in such intrusions attributed to nation-state threat actors. This shift underscores how nation-state actors and eCrime groups alike are prioritising cloud-focused operations.

Cloud is now mission-critical for most enterprises, and adversaries know it. Cloud-conscious actors understand the nuances of cloud identities, control planes, and services, and they build their playbooks around those realities.

In 2025, these adversaries employed a diverse range of tactics to increase their speed and access across cloud environments. Nation-state operators leaned on stealthy initial access methods, while eCrime adversaries targeted hybrid identity technologies to gain and maintain privileged access.

Fabio highlighted examples like:

  • Murky Panda, which reportedly gained access via compromised trust relationships, exploiting the ways organisations connect and federate between environments.
  • Cozy Bear, which combined abuse of Entra ID authentication flows with social engineering to compromise user accounts and bypass traditional safeguards.

Identity as the new perimeter

One of the most striking shifts in recent years is the move from “breaking in” to “logging in”. Adversaries increasingly rely on valid user credentials to blend in with normal activity.

CrowdStrike’s 2026 threat data indicates that valid account abuse accounted for 35% of cloud incidents, underlining how central identity has become to cloud intrusions. At the same time, 82% of detections in 2025 were malware-free, up from 51% in 2020, reflecting a broader industry trend towards “living off the land” and credential-based operations.

“Identity has become the new perimeter,” Fabio said.

This means organisations are at risk from people or workloads that may not be who they claim to be.

Cloud environments have become common entry points for such identity-driven attacks. Threat actors exploit misconfigurations, data exposure, and weaknesses in cloud controls to gain footholds and then leverage those to move laterally across systems. Once inside, attackers pivot across identities, endpoints, and cloud services, often hiding in normal operational traffic.

Compounding the problem, the window for defenders to react has narrowed dramatically. Breakout time – the interval from initial compromise to lateral movement – now averages just 29 minutes, with the fastest observed attack completing this transition in only 27 seconds.

In that kind of timeframe, manual triage is not enough. Fabio’s proposed answer is a unified, AI-native security platform that not only detects threats in real time but also automates repetitive tasks, so defenders can focus on the highest-risk incidents.

CloudShell abuse

A growing area of concern is the abuse of browser-based cloud terminals, commonly referred to as CloudShell. These environments provide administrators with a convenient, in-browser shell that is already authenticated against the cloud console.

CloudShell abuse occurs when an adversary gains access to such an environment – for example, via stolen credentials or a compromised identity – and uses it to control the victim’s cloud environment. Because CloudShell sessions are typically associated with legitimate accounts and standard administrative tools, malicious activity can easily blend in with routine operations.

By exploiting CloudShell, attackers can:

  • Execute commands and scripts directly in the cloud environment
  • Deliver and stage malicious payloads
  • Abuse legitimate tooling and permissions to avoid detection

CloudShell, which is built for convenience, gives attackers a pre-authenticated, browser-based terminal inside the environment, where they can hide in plain sight.

Modern CDR platforms are designed to address this by correlating live activity in CloudShell with rich context about cloud assets, data, and identities. AI and machine learning models evaluate behavioural patterns in real time, flagging unusual or high-risk actions associated with CloudShell usage.

By eliminating alert noise and reducing manual bottlenecks, CDR helps security teams focus on active cloud data risks and significantly improve mean time to respond.
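The two ideas above, streaming detection instead of batch processing (the 15-minute batch window described earlier in the article) and correlating CloudShell session activity with identity and asset context, can be shown together in a small detector. The following is an added example written for this page; it is not CrowdStrike’s, Falcon’s, or any cloud provider’s code. The audit-event schema, action names, session ids, addresses and the baseline sets are all constructed for illustration and do not follow any real provider’s log format. The detector consumes events one at a time as they arrive, opens and closes shell sessions, and raises an alert when a high-risk action is issued from inside a session, scoring it higher when the principal has no history of shell use or the session comes from an unfamiliar address. For each alert it also computes how long a fixed-interval batch job would have waited before first seeing the same event.

```python
"""Streaming CloudShell-abuse detector over a constructed cloud audit log.

Added example, not CrowdStrike's or any cloud provider's code. The event
schema, action names, session ids, addresses and baselines are constructed
for illustration and do not follow any real provider's audit log format.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed baseline context a CDR platform would hold about the tenant:
# who normally uses the browser shell, and which source range is the office.
KNOWN_SHELL_USERS = {"alice@example.test"}
KNOWN_SOURCE_PREFIX = "203.0.113."

# Assumed list of actions an interactive shell session rarely needs; a real
# deployment would derive this from the tenant's own behavioural baseline.
HIGH_RISK_ACTIONS = {
    "iam:CreateAccessKey",    # persistence via new long-lived credentials
    "iam:AttachUserPolicy",   # privilege escalation
    "storage:GetObject",      # data access from the shell
}

# The legacy batch window the article describes (up to 15 minutes to detect).
BATCH_INTERVAL = timedelta(minutes=15)

# Constructed audit events as JSON lines, in emission order. alice is a
# routine admin session; bob is a stolen-credential session staging
# persistence from CloudShell; carol acts outside any shell session.
SAMPLE_EVENTS = """\
{"ts": "2025-03-04T09:00:12Z", "principal": "alice@example.test", "action": "cloudshell:StartSession", "session_id": "cs-1001", "src_ip": "203.0.113.10"}
{"ts": "2025-03-04T09:00:40Z", "principal": "alice@example.test", "action": "compute:DescribeInstances", "session_id": "cs-1001", "src_ip": "203.0.113.10"}
{"ts": "2025-03-04T09:01:05Z", "principal": "alice@example.test", "action": "cloudshell:EndSession", "session_id": "cs-1001", "src_ip": "203.0.113.10"}
{"ts": "2025-03-04T09:03:00Z", "principal": "bob@example.test", "action": "cloudshell:StartSession", "session_id": "cs-1002", "src_ip": "198.51.100.77"}
{"ts": "2025-03-04T09:03:21Z", "principal": "bob@example.test", "action": "iam:CreateAccessKey", "session_id": "cs-1002", "src_ip": "198.51.100.77"}
{"ts": "2025-03-04T09:03:48Z", "principal": "bob@example.test", "action": "iam:AttachUserPolicy", "session_id": "cs-1002", "src_ip": "198.51.100.77"}
{"ts": "2025-03-04T09:05:10Z", "principal": "carol@example.test", "action": "iam:CreateAccessKey", "session_id": null, "src_ip": "203.0.113.12"}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Yield one event dict per non-empty JSON line, in arrival order."""
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = parse_ts(event["ts"])
            yield event


def next_batch_boundary(ts, interval):
    """Earliest moment a fixed-interval batch job would first process `ts`."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    passed = (ts - epoch) // interval          # whole intervals already elapsed
    return epoch + (passed + 1) * interval


class CloudShellDetector:
    def __init__(self):
        self.sessions = {}   # session_id -> principal that opened it
        self.alerts = []

    def observe(self, event):
        """Process a single event on arrival; return an alert dict or None."""
        action, sid = event["action"], event.get("session_id")
        if action == "cloudshell:StartSession":
            self.sessions[sid] = event["principal"]
            return None
        if action == "cloudshell:EndSession":
            self.sessions.pop(sid, None)
            return None
        # Only actions issued from inside a live shell session owned by the
        # same principal are in scope for this detector.
        if self.sessions.get(sid) != event["principal"] or action not in HIGH_RISK_ACTIONS:
            return None
        factors = ["high-risk action inside CloudShell session"]
        if event["principal"] not in KNOWN_SHELL_USERS:
            factors.append("principal has no CloudShell history")
        if not event["src_ip"].startswith(KNOWN_SOURCE_PREFIX):
            factors.append("session from unfamiliar source address")
        batch_seen = next_batch_boundary(event["ts"], BATCH_INTERVAL)
        alert = {
            "principal": event["principal"],
            "session_id": sid,
            "action": action,
            "risk_score": len(factors),
            "factors": factors,
            "detected_at": event["ts"].isoformat(),   # streaming: alert on arrival
            "batch_delay_s": int((batch_seen - event["ts"]).total_seconds()),
        }
        self.alerts.append(alert)
        return alert


def run(text=SAMPLE_EVENTS):
    """Stream the events through the detector and return the alerts raised."""
    detector = CloudShellDetector()
    for event in parse_events(text):
        detector.observe(event)
    return detector.alerts


if __name__ == "__main__":
    for a in run():
        print(f"{a['principal']} ran {a['action']} in {a['session_id']}: score {a['risk_score']}, "
              f"a 15-minute batch would have waited {a['batch_delay_s']}s; factors: {a['factors']}")
```

Only bob’s two actions produce alerts: alice’s read-only call inside her session is not on the high-risk list, and carol’s key creation happens outside any shell session, so it belongs to a different detection. The `batch_delay_s` field makes the article’s point concrete: the same events that a streaming detector flags on arrival would sit unseen for over eleven minutes under a 15-minute batch cycle, longer than the average breakout time quoted above.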

Multi-cloud and unified visibility: Beyond point solutions

As enterprises adopt multiple cloud providers and retain on-premises systems, security operations teams are demanding unified visibility across all environments. Modern CDR solutions are increasingly expected to operate seamlessly across hybrid and multi-cloud architectures.

Falcon Cloud Security CDR is part of the broader Falcon platform, integrating with CrowdStrike’s endpoint, identity, data protection, and next-generation SIEM capabilities. This unified approach enables organisations to correlate activity across domains, from endpoints and identities to cloud workloads and services.

Working with visibility partners like Gigamon

While CDR platforms provide the analytical and response “brain”, they often rely on specialised partners to enrich their view of the environment. One example is CrowdStrike’s integration with Gigamon, a provider of deep observability solutions.

Organisations can ingest Gigamon Application Metadata Intelligence (AMI) into the Falcon platform. This metadata, derived from network traffic, offers deep insight into application behaviour, protocols, and flows across hybrid and multi-cloud networks.

By combining AMI with Falcon’s existing endpoint, identity, and cloud telemetry, security teams have the potential to:

  • Extend network visibility into areas where traditional logging may be incomplete
  • Strengthen vulnerability detection and threat hunting across dispersed environments
  • Accelerate troubleshooting and reduce visibility gaps that attackers can exploit

The road ahead is AI-native, adversary-informed cloud security

The rise of cloud-conscious adversaries, identity-driven intrusions, and high-speed attack timelines is forcing enterprises to rethink their cloud security strategies. Static, siloed tools are giving way to AI-native platforms that unify detection and response across endpoints, identities, networks, and cloud services.

For IT leaders, defending the modern enterprise means treating identity as the perimeter, cloud as a first-class security domain, and CDR as a real-time, multi-cloud capability – not an afterthought.