Falco
Profile
Falco is an open-source runtime security tool that provides real-time threat detection for cloud-native environments through kernel-level monitoring. Originally created by Sysdig in 2016 and now a graduated Cloud Native Computing Foundation project, Falco monitors system calls and other data sources to identify security threats, unauthorized access, privilege escalation, and compliance violations across hosts, containers, and Kubernetes clusters. The tool leverages eBPF technology for efficient kernel instrumentation and operates as a behavioral security system that compares runtime activity against customizable detection rules. Falco's Apache 2.0 license and vendor-neutral governance have established it as fundamental infrastructure for runtime security in containerized environments.
Focus
Falco addresses the runtime security visibility gap inherent in dynamic, ephemeral container workloads where traditional security tools designed for static infrastructure prove insufficient. The tool provides continuous behavioral monitoring at the kernel level, detecting when system activity deviates from expected patterns during actual execution rather than relying solely on pre-deployment scanning. Platform engineers, security operations teams, and DevOps practitioners use Falco to detect intrusions, lateral movement, data exfiltration, and misconfigurations in real-time. The tool serves compliance requirements for regulated industries by providing runtime monitoring capabilities aligned with frameworks including PCI DSS, NIST, and SOC 2, while enabling organizations to establish behavioral baselines that catch novel attacks not matching predefined rules.
Background
Sysdig developed Falco in 2016 to address security blind spots emerging from rapid container adoption, then donated the project to the Cloud Native Computing Foundation in 2017 to ensure vendor-neutral governance. The project advanced from CNCF Sandbox to Incubating status in 2020, achieving Graduated maturity level in February 2024 alongside projects like Kubernetes and Prometheus. Production deployments include Shopify, GitLab, Skyscanner, Frame.io, and Booz Allen Hamilton across e-commerce, development tools, travel, video, and defense sectors. The project maintains active development through a diverse community of contributors from organizations including AWS, IBM, Red Hat, and Apple, with governance operating through CNCF's transparent, multi-vendor framework.
Main features
Kernel-level event monitoring with eBPF instrumentation
Falco captures Linux kernel events through system calls using the modern eBPF probe as its default driver, providing lightweight kernel-level monitoring without requiring kernel modules. The eBPF implementation leverages CO-RE (Compile Once Run Everywhere) paradigm, eliminating the need for kernel headers or build tools while working across diverse kernel versions. This approach monitors the low-level interface between applications, the kernel, and hardware, capturing comprehensive runtime behavior including process execution, file access, network connections, and privilege changes. The architecture enriches raw kernel events with contextual metadata from container runtimes and Kubernetes API servers, transforming basic syscall data into actionable security intelligence that includes container identity, pod namespace, image details, and security context settings.
Customizable rule engine with extensible detection logic
The rule engine uses YAML-based definitions specifying conditions for alert generation, consisting of logical expressions describing trigger criteria, descriptive output strings with contextual details, and priority levels indicating severity. Falco ships with extensive default rules detecting privilege escalation, unexpected network connections, suspicious process spawning, and unauthorized file access, while organizations can customize these rules or create entirely new detections based on specific threat models. Rules support macros for reusable condition snippets and lists for collections of matching items, enabling sophisticated detection patterns. The system includes rule versioning, compatibility tracking, and organized distribution through OCI artifact formats, allowing teams to maintain private rulesets in container registries while managing dependencies and updates through falcoctl.
Plugin architecture for multi-source event ingestion
The plugin framework extends Falco beyond syscall monitoring through dynamic shared libraries that ingest data from Kubernetes audit logs, Docker events, cloud provider APIs, and specialized services. Event-sourcing plugins create first-class event streams from sources like AWS CloudTrail, Okta authentication systems, and GitHub repositories, while field-extraction plugins add contextual fields for richer rule conditions and outputs. This composable architecture enables unified threat detection across infrastructure, applications, and cloud services within a single monitoring framework. Integration capabilities through Falcosidekick forward alerts to SIEM systems, messaging platforms, incident management tools, and monitoring services, while Falco Talon enables automated response actions including workload termination, network policy application, and pod isolation.





