Package: Invicti AppSec Enterprise (on-premise, on-demand)
CrowdStrike CSPM Integration
CrowdStrike Falcon provides cloud security posture management capabilities that detect misconfigurations and compliance violations across your cloud environments. In Invicti AppSec, the CrowdStrike CSPM integration connects to your CrowdStrike account to import cloud security findings into your projects.
Prerequisites
| Field | Description |
|---|---|
| Client ID | CrowdStrike Falcon API Client ID |
| Client Secret | CrowdStrike Falcon API Client Secret |
Get API Credentials (on CrowdStrike Side)
- Log in to the CrowdStrike Falcon console.
- Navigate to Support & Resources > API Clients and Keys.
- Click Add new API client.
- Enter a name for the client and select the required scopes:
- CSPM registration: Read
- Click Add. Copy the Client ID and Client Secret immediately — the secret is shown only once.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the CSPM Tab
On the Integrations > Scanners page, click on the CSPM tab.
Step 3: Find and Activate CrowdStrike CSPM
Scroll through the list of CSPM scanners to find CrowdStrike CSPM.
- If CrowdStrike CSPM is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the CrowdStrike CSPM card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Client ID | CrowdStrike Falcon API Client ID | Yes |
| Client Secret | CrowdStrike Falcon API Client Secret | Yes |
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the CrowdStrike Falcon API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CSPM tab |
| 3 | Activate CrowdStrike CSPM |
| 4 | Enter Client ID and Client Secret |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add CrowdStrike CSPM Scanner
- Select CSPM as the scanner type.
- Choose CrowdStrike CSPM from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Associate the scan with a feature environment | No |
| Branch | The branch to associate cloud findings with | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Cloud Filter | Filter imported findings by Account ID, Region, Platform, or Severity | No |
-
Invicti AppSec automatically syncs CrowdStrike CSPM vulnerabilities on a daily basis — no manual trigger is required after the initial scan is configured.
-
Cloud Filter lets you narrow which findings are imported into this project. You can filter by Account ID (comma-separated), Region, Cloud Platform, and Severity level. If no filter is set, all findings accessible via the API credentials are imported.
Scheduler
Enable the Scheduler toggle to automatically re-run the CrowdStrike CSPM scan on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t crowdstrikecspm -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid Client ID or Secret | Verify the API credentials in the CrowdStrike Falcon console under Support & Resources > API Clients and Keys. |
| Insufficient permissions | Ensure the API client has the CSPM registration: Read scope assigned. |
| Client Secret not available | The client secret is shown only at creation — create a new API client if the original was not saved. |
Scan Issues
| Issue | Resolution |
|---|---|
| No findings imported | Verify that CrowdStrike Falcon CSPM is enabled in your subscription and that cloud account data is available. Check the Cloud Filter — overly restrictive filters may exclude all findings. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
Best Practices
- Use a dedicated API client for Invicti AppSec with only the CSPM registration: Read scope — do not grant broader permissions than necessary.
- Rotate the Client Secret periodically and update the integration settings in Invicti AppSec accordingly.
- Use Cloud Filters to associate each project with the specific AWS Account IDs, regions, or cloud platforms it covers, so findings are relevant to that project's infrastructure.
- Use the Scheduler to keep cloud security findings up to date alongside CrowdStrike's assessment cadence.
Limitations
- CrowdStrike CSPM in Invicti AppSec imports cloud security posture findings — it does not trigger new CrowdStrike assessments.
- Only findings accessible via the provided API credentials are available for import.
- Vulnerability sync occurs daily automatically; manual on-demand sync is not supported outside of scheduled scans.
- Requires an active CrowdStrike Falcon subscription with CSPM capabilities enabled.
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center