Falco
What is Falco?
Falco: an open-source cloud-native runtime security engine that detects abnormal container, host, and Kubernetes behavior by streaming syscalls and audit events through a rules engine.
Falco is an Apache 2.0 licensed runtime security tool originally built by Sysdig and donated to the Cloud Native Computing Foundation (CNCF), where it reached Graduated status in 2024. It consumes Linux syscalls via an eBPF probe or kernel module, plus Kubernetes audit logs and pluggable event sources (AWS CloudTrail, Okta, GitHub), and evaluates them against a YAML-defined rule set. Out-of-the-box rules detect container escapes, shells spawned in containers, writes below /etc, unexpected outbound connections, and privilege escalation. Operators ship alerts to Falcosidekick, which can forward them to Slack, OpsGenie, Loki, or a SOAR. Falco is commonly deployed as the runtime-detection layer in Kubernetes-native SOCs, alongside admission controllers such as Kyverno.
● Examples
1. Alerting when a shell is spawned inside a production nginx container (rule: Terminal shell in container).
2. Detecting a pod that mounts /var/run/docker.sock and tries to escape to the host.
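The two scenarios above written as Falco rules, as an added illustration rather than rules taken from Falco's default rule set. The `prod` namespace, the nginx image match, and the inline list and macro definitions (which mirror the stock ones so the fragment loads on its own) are assumptions.

```yaml
# Added illustration, not part of Falco's shipped falco_rules.yaml.
# Lists and macros are defined inline so the file loads stand-alone.
- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: container
  condition: (container.id != host)

# Scenario 1: interactive shell in an nginx container in the (assumed) prod namespace.
- rule: Terminal shell in production nginx container
  desc: >
    An interactive shell (attached TTY) was exec'd inside a container running
    an nginx image in the prod namespace. Legitimate operators rarely need this.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and proc.tty != 0
    and container.image.repository endswith "nginx"
    and k8s.ns.name = "prod"
  output: >
    Shell in prod nginx container (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline pod=%k8s.pod.name
    ns=%k8s.ns.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]

# Scenario 2: a container started with the Docker socket bind-mounted.
# proc.vpid = 1 limits the match to the container's entrypoint process.
- rule: Container started with Docker socket mounted
  desc: >
    A container's first process started while /var/run/docker.sock is mounted
    into it; controlling the socket gives control of the host's Docker daemon.
  condition: >
    spawned_process and container and proc.vpid = 1
    and container.mount.source[/var/run/docker.sock] != "N/A"
  output: >
    Container mounts docker.sock (pod=%k8s.pod.name ns=%k8s.ns.name
    image=%container.image.repository cmdline=%proc.cmdline)
  priority: CRITICAL
  tags: [container, mitre_privilege_escalation]
```

Validate the fragment with `falco -V <file>` before loading it, and forward the resulting alerts through Falcosidekick as described above.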
● Frequently asked questions
What is Falco?
An open-source cloud-native runtime security engine that detects abnormal container, host, and Kubernetes behavior by streaming syscalls and audit events through a rules engine. It belongs to the Defense & Operations category of cybersecurity.
What does Falco mean?
An open-source cloud-native runtime security engine that detects abnormal container, host, and Kubernetes behavior by streaming syscalls and audit events through a rules engine.
How does Falco work?
Falco is an Apache 2.0 licensed runtime security tool originally built by Sysdig and donated to the Cloud Native Computing Foundation (CNCF), where it reached Graduated status in 2024. It consumes Linux syscalls via an eBPF probe or kernel module, plus Kubernetes audit logs and pluggable event sources (AWS CloudTrail, Okta, GitHub), and evaluates them against a YAML-defined rule set. Out-of-the-box rules detect container escapes, shells spawned in containers, writes below /etc, unexpected outbound connections, and privilege escalation. Operators ship alerts to Falcosidekick, which can forward them to Slack, OpsGenie, Loki, or a SOAR. Falco is commonly deployed as the runtime-detection layer in Kubernetes-native SOCs, alongside admission controllers such as Kyverno.
What are other names for Falco?
Common alternative names include: Falco runtime security, Sysdig Falco.
● Related terms
- eBPF Security (defense-ops): The use of extended Berkeley Packet Filter (eBPF) programs running in the Linux kernel to provide deep observability and policy enforcement for processes, networking, and syscalls.
- Container Image Scanning (defense-ops): The practice of analyzing OCI/Docker images for known vulnerabilities, secrets, malware, and policy violations before they are deployed to a container runtime.
- Kubernetes Security (cloud-security): The protection of a Kubernetes cluster (its API server, control plane, nodes, workloads, and network) from misconfiguration, compromise, and lateral movement.
● See also
- Trivy