Content Deep Dive

Improving CrowdStrike Falcon® Detection Content with the Gap Analysis Team

Blog post from Crowdstrike

Post Details
Company
Date Published
Author
RTFACT Detonation
Word Count
2,008
Language
English
Hacker News Points
-
Summary

CrowdStrike has introduced a new team called the Gap Analysis Team (GAT) to enhance the detection capabilities of its Falcon platform through innovative strategies that focus on automation and scalability. GAT's approach includes the development of a tool-agnostic testing framework called RTFACT Detonation, which utilizes cloud-native technologies like Docker, Kubernetes, and Ansible to automate the testing of red team tools and adversarial emulations. This framework aims to reduce manual testing steps and improve the time-to-detect adversarial tactics, techniques, and procedures (TTPs). By leveraging advanced log aggregation tools such as Humio and Splunk, RTFACT Detonation provides comprehensive data analysis to assess and improve the Falcon platform's detection content. The team is also exploring further automation opportunities to streamline the testing process, allowing analysts to focus on enhancing detection content, ultimately aiming to stay ahead of increasingly sophisticated threat actors.