CrowdStrike Falcon Validation
You Run CrowdStrike. Does Your Configuration Actually Stop Attacks?
Falcon watches your endpoints. We test what it misses.
Sherlock Forensics offers CrowdStrike Falcon validation starting at $5,000 CAD. We test whether your Falcon deployment actually detects real attack techniques including fileless malware, memory-only payloads, living-off-the-land binaries (LOLBins) and credential dumping. Using our ShadowTap platform, we simulate attacks from the network level to test detection gaps that endpoint-only tools cannot see. You receive a detailed report showing what Falcon caught, what it missed and specific tuning recommendations. Comprehensive validation with full internal and external testing is available at $12,000 CAD.
EDR Blind Spots
What We Find in CrowdStrike Deployments
Fileless Attack Evasion
Fileless attacks execute entirely in memory without writing to disk, bypassing file-based detection. Falcon includes memory scanning and behavioral detection, but configuration determines whether they fire: sensor exclusions, memory scanning settings in the prevention policy and behavioral detection thresholds all affect whether a fileless attack is caught while it is still running or missed entirely.
Memory-Only Payload Detection
Advanced attackers inject payloads directly into legitimate process memory. These payloads never touch disk, never create new processes and operate within the context of trusted applications. We test whether Falcon's memory protection detects injected code in running processes, reflective DLL loading and process hollowing techniques.
LOLBins Evasion
Living-off-the-land binaries are legitimate Windows tools used for malicious purposes: PowerShell, certutil, mshta, regsvr32, wmic and others. Falcon must distinguish between legitimate administrative use and attacker abuse of these tools. Overly permissive exclusions for IT operations often create blind spots that attackers exploit. We test LOLBins detection across your actual exclusion policy.
Credential Dumping Blind Spots
Credential theft is a critical attack phase. We test whether Falcon detects LSASS memory access, SAM database extraction, Kerberoasting, DCSync attacks and credential harvesting from memory. Sensor exclusions configured for backup software, monitoring tools or IT administration scripts often inadvertently exclude the exact processes attackers target for credential theft.
Unmanaged Device Gaps
Falcon only protects endpoints where it is installed. Servers, IoT devices, legacy systems, contractor machines and BYOD devices without Falcon create blind spots on your network. An attacker on an unmanaged device can move laterally to managed endpoints or attack resources that Falcon cannot monitor. We test whether your network compensates for these gaps.
Lateral Movement Detection
After initial compromise, attackers move laterally through the network using stolen credentials, pass-the-hash, pass-the-ticket and remote service exploitation. Falcon detects some lateral movement techniques on the receiving endpoint, but network-level lateral movement between unmanaged devices goes undetected. We test lateral movement detection from both managed and unmanaged devices.
Prevention Policy Gaps
Falcon prevention policies determine whether detections result in blocks or alerts. Many organizations deploy Falcon with prevention set to detect-only during rollout and never switch to full prevention. Others have prevention enabled but with broad exclusions that create gaps. We test whether your prevention policies actually block attacks or just log them.
Our Process
What We Test
Network-Level Attack Simulation
We deploy ShadowTap on your internal network, simulating an attacker operating from an unmanaged device. This tests what happens when attacks originate from outside Falcon's visibility. Your firewall protects the front door. We test the windows, the basement and the hallway.
Detection Coverage Mapping
We execute a controlled sequence of attack techniques mapped to the MITRE ATT&CK framework and record which techniques Falcon detects, which it misses, detection latency and whether prevention policies block the attack or just alert. This gives you a concrete measurement of your detection coverage.
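The mapping step above comes down to joining the red team's execution log against the EDR's alert log, technique by technique. The script below is an added illustration of that join, not code from the ShadowTap platform or from CrowdStrike; the execution and alert records are constructed for the example, and the field names (technique_id, ts, action) are assumptions, not a real Falcon export format. Each executed technique is scored as blocked, alerted or missed, with the latency to the first alert, and alerts that predate the execution (stale alerts from an earlier run) are deliberately not counted as coverage.

```python
"""Detection-coverage mapping: join executed ATT&CK techniques against EDR alerts.

Added example. The records below are CONSTRUCTED for illustration and the
field names are assumptions, not a real Falcon export format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Execution:
    technique_id: str
    name: str
    ts: datetime  # when the technique was run (UTC)


@dataclass(frozen=True)
class Alert:
    technique_id: str
    ts: datetime  # when the EDR raised the alert (UTC)
    action: str   # "prevented" (blocked) or "detected" (alert only)


@dataclass(frozen=True)
class Result:
    technique_id: str
    name: str
    status: str                  # "blocked", "alerted" or "missed"
    latency_s: Optional[float]   # seconds from execution to first alert


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def map_coverage(executions: List[Execution], alerts: List[Alert],
                 window_s: int = 900) -> List[Result]:
    """Score every executed technique against the alerts raised for it.

    Only alerts raised at or after the execution, and within window_s seconds,
    count: an alert that predates the execution is a stale alert from an
    earlier run, not evidence that this run was detected.
    """
    results = []
    for ex in executions:
        matches = sorted(
            (a for a in alerts
             if a.technique_id == ex.technique_id
             and 0 <= (a.ts - ex.ts).total_seconds() <= window_s),
            key=lambda a: a.ts,
        )
        if not matches:
            results.append(Result(ex.technique_id, ex.name, "missed", None))
            continue
        # Any block within the window counts as blocked; otherwise it was alert-only.
        blocked = any(a.action == "prevented" for a in matches)
        latency = (matches[0].ts - ex.ts).total_seconds()
        results.append(Result(ex.technique_id, ex.name,
                              "blocked" if blocked else "alerted", latency))
    return results


def summarize(results: List[Result]) -> dict:
    """Aggregate per-technique results into detection and prevention rates."""
    counts = {"blocked": 0, "alerted": 0, "missed": 0}
    for r in results:
        counts[r.status] += 1
    total = len(results)
    detected = counts["blocked"] + counts["alerted"]
    latencies = [r.latency_s for r in results if r.latency_s is not None]
    return {
        **counts,
        "total": total,
        "detection_rate": detected / total if total else 0.0,
        "prevention_rate": counts["blocked"] / total if total else 0.0,
        "median_latency_s": median(latencies) if latencies else None,
    }


# Constructed sample data: four techniques run five minutes apart.
EXECUTIONS = [
    Execution("T1003.001", "OS Credential Dumping: LSASS Memory", ts("2025-01-15T14:00:00")),
    Execution("T1059.001", "Command and Scripting Interpreter: PowerShell", ts("2025-01-15T14:05:00")),
    Execution("T1218.005", "System Binary Proxy Execution: Mshta", ts("2025-01-15T14:10:00")),
    Execution("T1550.002", "Use Alternate Authentication Material: Pass the Hash", ts("2025-01-15T14:15:00")),
]
ALERTS = [
    Alert("T1003.001", ts("2025-01-15T14:00:04"), "prevented"),
    Alert("T1059.001", ts("2025-01-15T14:05:30"), "detected"),
    Alert("T1059.001", ts("2025-01-15T14:06:10"), "detected"),   # duplicate alert, ignored for latency
    Alert("T1218.005", ts("2025-01-15T13:50:00"), "detected"),   # predates execution: stale, not coverage
]

if __name__ == "__main__":
    res = map_coverage(EXECUTIONS, ALERTS)
    for r in res:
        lat = "-" if r.latency_s is None else f"{r.latency_s:.0f}s"
        print(f"{r.technique_id:<10} {r.status:<8} {lat:>6}  {r.name}")
    print(summarize(res))
```

With the sample data the LSASS technique is blocked after 4 seconds, PowerShell is alerted on after 30 seconds, Mshta is missed because its only alert predates the run, and pass-the-hash is missed outright, giving a 50% detection rate and a 25% prevention rate. The distinction between blocked and alerted is the one that matters for the prevention-policy gaps described above: a technique that only reaches the alerted column is logged, not stopped.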
Evasion Technique Testing
We test techniques specifically designed to evade EDR: process injection, API unhooking, direct syscalls, anti-forensics such as timestomping, and encrypted command-and-control channels. These are the techniques sophisticated attackers use against organizations that have EDR deployed. If Falcon catches our evasion attempts, it is well placed to catch real attackers using the same methods; if it does not, you learn exactly which methods slip through.
Frequently Asked Questions
CrowdStrike Validation FAQs
- Can you test CrowdStrike Falcon without disrupting our SOC?
- We coordinate with your security team before testing. Your SOC will know the testing window. The alerts our testing generates are valuable because they show which techniques Falcon detects and how quickly your team responds. Standard validation costs $5,000 CAD.
- How do you test CrowdStrike if the endpoint is protected?
- We test from the network level using ShadowTap, simulating an attacker on an unmanaged device. EDR protects the endpoint. We test what happens when the attack comes from a device that does not have Falcon installed.
- Is this related to the July 2024 CrowdStrike outage?
- Our validation tests detection effectiveness, not outage scenarios. However, the July 2024 outage highlighted the importance of independent validation. If a single vendor update can take down approximately 8.5 million Windows machines, understanding exactly what that vendor detects and what it misses is critical to your risk posture.
- What EDR blind spots do you typically find?
- The most common blind spots include fileless attacks, LOLBins abuse, credential dumping methods that bypass sensor exclusions, lateral movement through unmonitored protocols and attacks from unmanaged devices. Most organizations also have coverage gaps where Falcon is not deployed on all endpoints.
Validate Your Investment
Falcon watches your endpoints. Find out what it misses.
Standard CrowdStrike Validation: $5,000 CAD. Comprehensive Validation with ShadowTap internal testing, MITRE ATT&CK coverage mapping and executive report: $12,000 CAD.
Ready to Test Your CrowdStrike?
Tell us about your CrowdStrike Falcon deployment and we will scope a validation assessment. Free scoping call, fixed-price quote, testing typically completed within 5-10 business days.
- Phone: 604.229.1994
- Burnaby Office: Burnaby, BC, Canada
- Coquitlam Office: Coquitlam, BC, Canada