CrowdStrike Innovates to Modernize National Security and Protect Critical Systems

At Fal.Con Gov 2026, CrowdStrike announced expanded GovCloud capabilities including Falcon Flex, new Charlotte AI investigator features, Falcon for XIoT, External Attack Surface Management in Falcon Exposure Management, and behavioral malware analysis to accelerate modernization and strengthen federal defenses within a FedRAMP-authorized environment. These innovations are designed to reduce procurement friction, automate and speed investigations with natural-language and agentic response, extend unified IT/OT and internet-facing asset visibility, and accelerate threat response while preserving compliance and continuity.

Key Points

  • CrowdStrike announced new and coming capabilities in GovCloud to help U.S. federal, state, and local agencies modernize security operations within a FedRAMP-authorized environment.
  • Falcon Flex introduces a commitment-based purchasing model to reduce procurement friction, enable platform-wide capability adoption, and consolidate tools under one Falcon platform investment.
  • Charlotte AI is expanding with natural language conversations and a Response Agent to automate investigative workflows, surface context, and accelerate response guided by Falcon Complete playbooks.
  • Falcon for XIoT is now available in GovCloud to deliver asset visibility and protection for IoT/OT devices, improving IT/OT convergence and critical infrastructure defense.
  • External Attack Surface Management (EASM) in Falcon Exposure Management provides continuous outside-in visibility into internet-exposed assets to find shadow IT, exposed services, and misconfigurations.
  • Behavioral malware analysis in Falcon Adversary Intelligence enables sandbox detonation, runtime behavior analysis, and memory dumps to produce actionable indicators of compromise for faster investigations.
  • All offerings are positioned to accelerate mission readiness for agencies by combining AI-native automation, unified visibility, and FedRAMP High-aligned compliance and data residency controls.

MITRE Techniques

  • [T1595] Active Scanning – Adversaries scan for unknown, unmanaged, and misconfigured assets to identify targets and vulnerabilities (‘…adversaries scan for unknown, unmanaged, and misconfigured assets so they can exploit what defenders don’t see, gain initial access, and move laterally.’)
  • [T1190] Exploit Public-Facing Application – Exploitation of discovered external-facing systems is described as a route to initial access (‘…exploit what defenders don’t see, gain initial access, and move laterally.’)
  • [T1021] Remote Services – Lateral movement is referenced as adversaries move through networks after obtaining access (‘…gain initial access, and move laterally.’)
  • [T1195] Supply Chain Compromise – Supply chain compromise is cited as amplifying impact across targets and operations (‘Supply chain compromise multiplies impact.’)
  • [T1204] User Execution – Malicious files are detonated and analyzed in sandboxes, implying reliance on executed files to achieve malicious behavior (‘…detonate and analyze suspicious files in a controlled environment to understand runtime behavior.’)

Indicators of Compromise

  • [File Hashes] Behavioral indicators produced by sandbox detonation and analysis – no specific hashes provided in the article
  • [File Names] Suspicious files submitted for sandbox detonation and behavioral analysis – no specific file names provided in the article
  • [Memory Dumps] Memory dumps generated during behavioral analysis to support investigations and IOC creation – no specific dump identifiers provided
  • [External Assets (Domains/IPs)] Internet-exposed assets, shadow IT, and exposed services identified by EASM for risk reduction – no specific domains or IP addresses provided
  • [Behavioral Indicators] Runtime behavior and behavioral indicators used to generate actionable IOCs for response – example indicators not specified in the article


Read more: https://www.crowdstrike.com/en-us/blog/crowdstrike-innovates-to-modernize-national-security-and-protect-critical-systems/