Stopping Cloud Breaches at Machine Speed: How CrowdStrike Uses Agentic AI to Power Cloud Detection and Response

CrowdStrike Charlotte AI™ brings autonomous triage, investigation, and response to cloud security operations, helping SOC teams stop breaches with speed and precision

Cloud is the new battleground, and more adversaries are joining the fight: New and unattributed cloud intrusions were up 26% in 2024, according to the CrowdStrike 2025 Global Threat Report. As adversaries accelerate cloud attacks, CrowdStrike delivers full-cycle agentic AI — from detection triage to threat response — giving defenders the edge to act at machine speed before adversaries can break through.

Cloud security tools often fall short in detecting and responding to these evolving attacks. While cloud workload protection (CWP) secures workloads, and security posture management tools identify misconfigurations, neither adequately investigates and responds to active cloud threats. Cloud detection and response (CDR) tools have begun to emerge — however, there is a response gap between adversaries leveraging AI and SOC teams moving at human speed.

Earlier this year, CrowdStrike released new Charlotte AI capabilities that use groundbreaking agentic AI: Charlotte AI Detection Triage, Charlotte AI Agentic Response, and Charlotte AI Agentic Workflows. Agentic AI refers to AI systems that operate autonomously with reasoning and decision-making capabilities, mimicking the decision logic of expert analysts. These innovations transform how SOC teams identify and respond to cloud threats, especially within the context of cross-domain attacks spanning cloud, identity, and endpoint.

LABYRINTH CHOLLIMA is one adversary that exemplifies the increase in cross-domain intrusions, in which threat actors gain initial access via valid credentials and then traverse endpoint and cloud environments. Here, we examine how CrowdStrike’s agentic AI capabilities work together to stop this adversary.

How Charlotte AI Stops LABYRINTH CHOLLIMA

LABYRINTH CHOLLIMA is a DPRK-nexus adversary that CrowdStrike has observed consistently targeting cloud environments [1]. Below are the details of an attack in which supply chain compromise led to exfiltration of data from the cloud.

Figure 1. Attack chain shows how LABYRINTH CHOLLIMA leveraged a supply chain vulnerability to exfiltrate data from the cloud.

Detecting and responding to this type of attack would typically require extensive manual investigation across the endpoint and cloud domains. Analysts would need to piece together the relationship between the initial compromise and the subsequent cloud exfiltration — a process that could take hours or days of tediously correlating timestamps, IP addresses, and user activity across disparate systems.

With the capabilities built into Charlotte AI, SOC teams can quickly and accurately identify threats targeting the cloud and stop them before they cause damage.

Eliminate Noise with Charlotte AI Detection Triage

When a detection surfaces, Charlotte AI Detection Triage immediately goes to work. It autonomously analyzes the alert and provides a verdict, an explanation, and a recommended next step, leveraging its training from the industry-leading decisions of CrowdStrike Falcon® Complete Next-Gen MDR. SOC analysts receive explanations of triage decisions with supporting evidence and contextual insights, benefiting from consistent evaluation of every cloud security alert while saving valuable time.

Figure 2. Charlotte AI automatically triages the detection and provides supporting evidence for the decision.

Drive Expert-level Investigations with Charlotte AI Agentic Response

Picking up immediately after Charlotte AI Detection Triage, Charlotte AI Agentic Response jump-starts investigations by autonomously generating and answering the relevant, prioritized questions a seasoned SOC analyst would ask — driving more streamlined and consistent investigations.

In complex cloud environments, where attack surfaces are vast and interconnected, this guided approach proves invaluable. It ensures no critical areas of investigation are overlooked and applies the latest investigative expertise of CrowdStrike’s industry-leading SOC analysts. As shown in Figure 3, this helps level the playing field against evolving adversaries, which can move at a speed that would be overwhelming to investigate manually.

Figure 3. In this test instance, Charlotte AI autonomously generates and answers relevant, prioritized questions.

Activate AI Reasoning in Response Playbooks with Charlotte AI Agentic Workflows

Charlotte AI Agentic Workflows revolutionize how teams automate cloud security responses. With Charlotte AI Agentic Workflows, customers can insert and activate state-of-the-art LLMs directly within CrowdStrike Falcon® Fusion SOAR workflows to analyze, reason, and respond in real time. This capability transforms cloud security operations by infusing adaptable, expert-level reasoning across response actions, which is crucial in complex environments where deep cloud expertise may be needed.

Figure 4. Charlotte AI inserts and activates AI reasoning directly within workflow automation to take scalable action across cloud environments.


Stop Cloud Breaches with Charlotte AI

Charlotte AI brings autonomous speed and expert-level precision to cloud defense, powered by a self-reinforcing feedback loop of triage decisions from Falcon Complete Next-Gen MDR.

By automating detection triage for cross-domain threats with over 98% accuracy [2], Charlotte AI reduces manual workloads by more than 40 hours per week [3], allowing security teams to focus on critical threats. Its agentic capabilities enable autonomous investigation and response within customer-defined boundaries, ensuring both speed and control.

These agentic innovations transform cloud detection and response by combining unmatched advantages — threat intelligence from 255+ adversaries, elite MDR expertise, and complete hybrid cloud visibility — all delivered through Charlotte AI's autonomous capabilities in a unified SOC experience. This powerful combination enables defenders to outpace modern adversaries and stop cloud breaches.

Additional Resources

1. CrowdStrike 2025 Global Threat Report

2. Accuracy rating is a measure of Charlotte AI triage decisions that match the expert decisions from the CrowdStrike Falcon Complete Next-Gen MDR team.

3. Time savings represents the amount of time an analyst would have spent triaging the average number of customer detections but can now use that time for other skilled work while Charlotte AI triages the detections. Individual results may vary based on factors such as total alert volume.
