Customer Story

One Engineer, One Platform, Zero Gaps: How Addition Financial Secures More with Less

It started with physical access. Two criminals targeting an Addition Financial ATM after hours sideloaded specialized jackpotting malware designed to force the machine to dispense cash on demand. The attack was part of a broader wave seen across the region — and the adversaries were well-practiced.

But when the ATM came back online, CrowdStrike was waiting. Despite the malware executing before the Falcon sensor was fully operational, it was detected and blocked. CrowdStrike Falcon® Complete Next-Gen MDR alerted the team, and the system stayed locked down. The attempt failed. No cash was stolen.

Paul Colon, the credit union’s sole dedicated security engineer, followed up with due diligence. “We took the file hash and dropped it into VirusTotal. Every vendor marked it clean except CrowdStrike. That’s when we realized just how far ahead CrowdStrike’s threat intel really is.”

It was a clear validation of the Falcon platform’s power: real-time protection, AI-native detection and elite threat intelligence working in unison to stop threats others miss.


A Small Team with Enterprise-Level Protection

With over a decade of experience in networking and infrastructure, Colon joined Addition Financial in early 2024. The organization had recently deployed the AI-native CrowdStrike Falcon® cybersecurity platform for endpoint security, but was still using a third-party MDR provider. Colon immediately spotted the disconnect: alerts surfaced by CrowdStrike weren’t being actioned by the MDR service.

“They were using a different tool, and they didn’t have the visibility we needed,” he recalled. “Meanwhile, I was spending half my day triaging alerts myself. That’s not sustainable.”

Later that year, he pushed to replace the outsourced MDR with Falcon Complete Next-Gen MDR, bringing together CrowdStrike’s AI-native platform with the team best equipped to act on it. “Since the switch, I haven’t had to triage anything unless it’s a true positive. That alone gives me back hours every day,” Colon said.

From Alert Fatigue to Strategic Security

Replacing the MDR provider was just the beginning. Colon also championed the deployment of CrowdStrike Falcon® Identity Protection, which gave him deeper visibility into identity misuse and enabled advanced enforcement policies that weren’t possible with previous tools. That visibility quickly uncovered patterns of risky behavior among IT staff.

“I got an alert that someone was doing privileged activity on their local workstation,” said Colon. “We have dedicated servers for that, so this was outside of policy. Because of that detection, we addressed it and now we’re building alerts to catch that behavior going forward.”

Even more importantly, those detections are behavior-based, not rule-based. “Any time an admin steps outside their baseline, Falcon Identity Protection catches it. That’s the kind of visibility that helps us enforce policy and reduce real risk, without adding manual work.”
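As an added illustration of the two detection ideas in this passage (a policy that privileged activity belongs on dedicated servers, and a per-admin behavioural baseline), the following is example code written for this article, not CrowdStrike's or Addition Financial's detection logic; the host names, account names and logon records are constructed, and the allowlist of "dedicated servers" is a hypothetical stand-in for the ones the credit union uses.

```python
# Added example: baseline-plus-policy detector for privileged activity on the wrong host.
# Learns, per admin account, the hosts where it normally performs privileged actions,
# then alerts on (a) any privileged action off the dedicated admin servers (policy) and
# (b) the first privileged action on a host the admin has never used before (behaviour).
from collections import defaultdict

# Hypothetical dedicated admin servers (the "dedicated servers for that" in the story).
ADMIN_SERVERS = {"ADM-JUMP01", "ADM-JUMP02"}

# Constructed records in the shape a SIEM might normalise from domain controller logs:
# (timestamp, user, host, privileged_action)
TRAINING = [
    ("2025-03-01T09:00", "adm.jdoe", "ADM-JUMP01", True),
    ("2025-03-02T09:05", "adm.jdoe", "ADM-JUMP02", True),
    ("2025-03-03T10:00", "adm.asmith", "ADM-JUMP01", True),
    ("2025-03-03T10:30", "jdoe", "WKS-1042", False),  # ordinary user, not privileged
]

LIVE = [
    ("2025-04-01T08:00", "adm.jdoe", "ADM-JUMP01", True),    # in baseline, allowlisted
    ("2025-04-01T11:20", "adm.jdoe", "WKS-1042", True),      # privileged on a workstation
    ("2025-04-02T14:00", "adm.asmith", "ADM-JUMP02", True),  # allowlisted but new for this admin
    ("2025-04-02T15:00", "adm.asmith", "WKS-2077", False),   # not privileged, ignored
]

def build_baseline(events):
    """Map each account to the set of hosts where it has performed privileged actions."""
    baseline = defaultdict(set)
    for _ts, user, host, privileged in events:
        if privileged:
            baseline[user].add(host)
    return baseline

def detect(events, baseline, allowlist=ADMIN_SERVERS):
    """Return one alert per privileged action that breaks policy or leaves the baseline."""
    alerts = []
    for ts, user, host, privileged in events:
        if not privileged:
            continue
        if host not in allowlist:
            reason = "privileged action outside dedicated admin servers"
        elif host not in baseline.get(user, set()):
            reason = "first privileged action on this host for this admin (outside baseline)"
        else:
            continue
        alerts.append({"time": ts, "user": user, "host": host, "reason": reason})
    return alerts
```

Running `detect(LIVE, build_baseline(TRAINING))` yields two alerts: the workstation event for adm.jdoe (policy) and the first use of ADM-JUMP02 by adm.asmith (baseline deviation); the allowlist keeps routine movement between approved servers from alerting once it is in the baseline.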

Next-Gen SIEM Delivers Modern Compliance and Automation

In 2025, Addition Financial rolled out CrowdStrike Falcon® Next-Gen SIEM to centralize telemetry and provide deeper insight into log data across the enterprise. Colon now ingests data from domain controllers and other critical infrastructure to monitor privileged actions, flag anomalies, and prepare for audits.

In addition, CrowdStrike® Charlotte AI has become a key part of Colon’s workflow, helping him quickly write complex queries and extract insights without needing to master the underlying syntax. “It’s taken a lot of the pressure off,” he said. “Charlotte makes it easier to get value out of the data, especially during audits or investigations.”

During a recent audit, these new capabilities quickly proved their value. “This year, I used Charlotte AI to build the exact query I needed. We showed evidence of every privileged action in just minutes. And there were no findings from the auditors.”

Colon is beginning to operationalize Falcon Fusion workflows and SOAR actions, both integrated into Falcon Next-Gen SIEM, starting with third-party integrations. One workflow already in production resets employee passwords automatically when leaked credentials are detected on the dark web — a capability powered by Recon, part of CrowdStrike Falcon® Adversary Intelligence, another offering Addition Financial uses.

“That process used to take time and coordination,” he said. “Now it’s instant, which means faster protection with less burden on the help desk.”

Retiring Legacy Tools and Scaling with One Platform

As the only dedicated security engineer at Addition Financial, Colon needs tools that don’t just work — they work together. That’s why one of his biggest wins with CrowdStrike has been consolidation. By unifying endpoint, identity, exposure management, threat intel, and next-gen SIEM into the unified Falcon platform, he’s been able to retire security products and simplify operations.

“We’ve eliminated three tools by consolidating on the Falcon platform,” said Colon. “That means fewer consoles to manage, fewer agents to maintain, and no gaps in coverage.”

That simplification is more than operational; it’s strategic. With a single lightweight agent and unified console, Colon no longer has to worry about conflicting alerts or integration gaps. Every module shares context and telemetry, enabling better protection without added overhead.

“The Falcon platform doesn’t just replace tools, it replaces them with something better,” he said. “I’m not spending time chasing alerts across platforms. I can manage everything from one place, and I know the coverage is there.”

That platform approach is what made the rollout of CrowdStrike Falcon® Exposure Management so seamless. The solution immediately began identifying more vulnerabilities than the previous scanner, while also improving usability. “I don’t have to export reports and build pivot tables anymore,” said Colon. “The dashboards are clear, and leadership gets what they need without extra work.”

Security That Stops Threats and Builds Trust

For Colon, the value of CrowdStrike goes beyond platform efficiency. It’s about stopping threats other vendors miss and giving him the confidence to operate at a higher level.

“We’re not a SOC. I don’t have a team of analysts,” he concluded. “CrowdStrike gives me the coverage, the automation, and the intelligence to protect the business and get my time back. And when we have a real threat, like that ATM incident, we don’t just detect it, we stop it cold.”

Challenges

  • Disconnected MDR and EDR tools created alert fatigue and visibility gaps
  • No centralized telemetry or automation for identity threats and privileged activity
  • Overreliance on multiple point solutions added operational overhead

Results

  • Stopped a real-world ATM jackpotting attempt that no other vendor detected
  • Eliminated three legacy tools by consolidating on the Falcon platform
  • Cut alert triage time significantly — giving the security engineer back up to half of each working day

CrowdStrike Solutions

  • Falcon Complete Next-Gen MDR
  • Falcon Insight XDR for extended detection and response
  • Falcon Next-Gen Identity Security
  • Falcon Next-Gen SIEM
  • Falcon Exposure Management
  • Charlotte AI™
  • Falcon Adversary Intelligence
  • Falcon Fusion SOAR