CrowdStrike vs Am I Being Pwned

Triaging Browser Extensions with CrowdStrike Falcon

CrowdStrike Falcon inventories browser extensions and rates them by permission severity, but it can't read their code or give a verdict. Here's how to actually triage extensions with evidence.

Does CrowdStrike triage browser extensions?

Partly. CrowdStrike Falcon's Browser Extension Assessment, part of Falcon Exposure Management, inventories every extension across your fleet and rates each one Critical, High, Medium or Low. But that rating is heuristic permission-severity: it comes from the permissions an extension declares, plus context signals like whether it was sideloaded or is missing a Web Store listing. The code itself is never read.

So the rating tells you an extension could do something dangerous because it asked for a powerful permission, not that it actually does. CrowdStrike frames a high-severity extension as 'requiring further evaluation' - the allow-or-block call, and the work of proving whether the code is genuinely malicious, still lands on your analyst.

That's the gap a dedicated tool fills. Am I Being Pwned deobfuscates the source and detonates the extension in an instrumented sandbox, then reports what it did: the endpoints it called, the data it read, anything it tried to exfiltrate. You get a keep-or-block call backed by captured evidence, not a permission score someone still has to interpret.

What CrowdStrike gives you

  • Agent-based inventory of every extension across Chrome, Edge, Safari and Firefox on Windows and macOS
  • Per-extension detail: version, declared permissions, publisher, install method (including sideloaded), and Web Store listing status
  • A heuristic 'permission severity' rating (Critical / High / Medium / Low) computed from requested permissions
  • Context signals that flag suspicious installs, e.g. sideloaded plus missing vendor plus no store listing
  • Policy enforcement: block installation and stop installed extensions from running, with allow and block lists

Where it stops

  • The rating is computed from declared permissions; the extension's actual JavaScript is never analysed
  • It never runs the extension, so nothing is observed at runtime
  • A high rating means 'requiring further evaluation', not a verdict - the triage call still falls to your analyst
  • Vulnerable code shipped inside an extension isn't correlated against known CVEs
  • When an extension silently updates, its behaviour isn't re-checked; permissions rarely change even when behaviour does

CrowdStrike vs Am I Being Pwned

| Capability | CrowdStrike | Am I Being Pwned |
|---|---|---|
| Fleet-wide extension inventory | Yes - agent-based across Chrome, Edge, Safari, Firefox | Yes - via a lightweight managed extension |
| Basis of the risk signal | Declared permissions plus install context | What the code actually does at runtime |
| Reads the extension's source code | No | Yes - deobfuscates and analyses the bundle |
| Dynamic sandbox execution | No | Yes - runs it live, watches network and DOM |
| Evidence-backed verdict | No - flags 'requiring further evaluation' | Yes - verdict with captured evidence and CWE refs |
| Re-analysis after a silent update | Permission-derived, blind to behavioural change | Re-scans behaviour on every version change |
| Human researcher review | No | High-severity findings reviewed by a researcher |
| Policy enforcement / blocking | Yes - block install and execution | Yes - via Jamf, Intune, Kandji, Google Admin |

How to triage browser extensions when you use CrowdStrike

CrowdStrike gives you a scored inventory. Here's how to turn that into an actual keep-or-kill decision for each flagged extension.

  1. Export the flagged extensions from Falcon

    In Falcon Exposure Management, open Browser Extension Assessment and pull everything rated High or Critical, plus anything flagged as sideloaded or unlisted. That is your triage queue - CrowdStrike has told you where to look, not what to do.

  2. Read the severity for what it is

    The rating reflects the permissions an extension requested. A Critical extension has asked for powerful access; it has not been shown to abuse it. Treat the score as a prioritisation signal, not a verdict.

  3. Get behaviour, not the manifest

    For each queued extension you need to know what the code does: which endpoints it contacts, what data it reads, whether it injects scripts. Paste the extension ID into Am I Being Pwned for a behavioural report, or scan your whole Workspace at once.

  4. Decide with evidence

    Keep extensions whose behaviour matches their stated purpose; remove the ones caught exfiltrating data or injecting code. Each finding links to captured evidence and a CWE reference, so the decision is defensible to security, legal, and the extension's owner.

  5. Enforce and keep watching

    Push blocks through CrowdStrike or your MDM, then monitor for silent updates. An extension that was clean at install can turn malicious in a later version - permission-based scores miss that, continuous behavioural re-scanning catches it.
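Steps 1 and 5 as a small script, added here as an illustration and not code from CrowdStrike or Am I Being Pwned. The two inventory snapshots are constructed, and the field names (`severity`, `sideloaded`, `store_listed`, and so on) are hypothetical, not Falcon's export schema.

```python
# Constructed sample data. Field names are hypothetical, not Falcon's export
# schema; map them from the columns your own inventory export contains.
LAST_WEEK = [
    {"id": "ext-aaa", "version": "1.4.0", "severity": "Critical",
     "sideloaded": False, "store_listed": True, "permissions": ["tabs", "<all_urls>"]},
    {"id": "ext-bbb", "version": "2.0.1", "severity": "Low",
     "sideloaded": False, "store_listed": True, "permissions": ["storage"]},
    {"id": "ext-ccc", "version": "0.9.0", "severity": "Medium",
     "sideloaded": True, "store_listed": False, "permissions": ["cookies"]},
]
TODAY = [
    dict(LAST_WEEK[0]),
    dict(LAST_WEEK[1], version="2.1.0"),   # silent update, same permissions
    dict(LAST_WEEK[2]),
    {"id": "ext-ddd", "version": "1.0.0", "severity": "Low",
     "sideloaded": False, "store_listed": True, "permissions": ["activeTab"]},
]

def triage_queue(snapshot):
    """Step 1: High/Critical ratings plus anything sideloaded or unlisted."""
    queue = []
    for ext in snapshot:
        reasons = []
        if ext["severity"] in ("High", "Critical"):
            reasons.append("severity:" + ext["severity"])
        if ext["sideloaded"]:
            reasons.append("sideloaded")
        if not ext["store_listed"]:
            reasons.append("unlisted")
        if reasons:
            queue.append((ext["id"], reasons))
    return queue

def needs_reanalysis(old, new):
    """Step 5: new installs and version changes need a fresh behavioural look."""
    before = {ext["id"]: ext for ext in old}
    flagged = []
    for ext in new:
        prev = before.get(ext["id"])
        if prev is None:
            flagged.append((ext["id"], "new install"))
        elif prev["version"] != ext["version"]:
            same = set(prev["permissions"]) == set(ext["permissions"])
            flagged.append((ext["id"], "updated, permissions "
                            + ("unchanged" if same else "changed")))
    return flagged

if __name__ == "__main__":
    print(triage_queue(TODAY))
    print(needs_reanalysis(LAST_WEEK, TODAY))
```

In the sample, `ext-bbb` is rated Low and never enters the permission-based queue, yet it shipped a new version with identical permissions, which is exactly the case a version diff surfaces and a permission score does not.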

Frequently asked questions

Does CrowdStrike Falcon detect malicious browser extensions?

It flags extensions that request dangerous permissions or install suspiciously (sideloaded, unlisted) and rates them by permission severity. It does not analyse the extension's code or run it, so it cannot confirm an extension is actually malicious - it surfaces candidates 'requiring further evaluation'. Confirming malicious behaviour needs code and runtime analysis, which is what Am I Being Pwned provides.

What is CrowdStrike's Browser Extension Assessment?

A component of Falcon Exposure Management that inventories browser extensions across your fleet and assigns each a heuristic permission-severity rating (Critical, High, Medium, Low) with context signals like install method and Web Store listing status. It also supports blocking extension installation and execution through policy.

Can CrowdStrike tell me if an extension is safe to keep?

No. CrowdStrike gives a permission-derived risk severity and explicitly frames high-risk extensions as 'requiring further evaluation'. It hands the allow-or-block decision to your team without telling you what the code actually does. A keep-or-remove verdict requires behavioural evidence.

Do I still need a dedicated tool if I already have CrowdStrike?

CrowdStrike is strong at inventory and at enforcing block policies. Where it stops is analysis: it scores permissions, not behaviour. Am I Being Pwned complements it by reading the code, running the extension in a sandbox, and returning an evidence-backed verdict, so you know which of CrowdStrike's flagged extensions are genuinely dangerous.

How is permission-based scoring different from behavioural analysis?

Permission scoring rates what an extension is allowed to do based on the access it declares. Behavioural analysis observes what it actually does when it runs. An extension can request modest permissions and still ship malicious code, or request broad permissions and behave perfectly. Our research found permission-based scores had no meaningful correlation with real risk across 2,534 extensions.

Triage every extension in your fleet, with evidence.

Free scan of your Google Workspace in under 48 hours.