
Open-source cloud-native threat detection engine for containers, Kubernetes, and cloud platforms.
Vendor: Sysdig

Overview
Falco is an open-source runtime security tool originally developed by Sysdig and purpose-built for cloud-native environments such as containers, Kubernetes, and serverless infrastructure. Widely regarded as the de facto standard for Kubernetes threat detection, Falco continuously monitors system behavior and alerts in real time when unexpected or malicious activity occurs. By combining a rules-driven engine with deep visibility into containerized workloads, it turns runtime observability data into security signal. Falco lets teams detect and respond to threats across containers and cloud environments efficiently while remaining scalable, flexible, and easy to integrate into DevSecOps pipelines.
Features and Capabilities
- **Cloud-native threat detection:** Monitors container, Kubernetes, and cloud runtime activity for abnormal or suspicious behavior.
- **Behavioral rule engine:** Uses customizable rules to define abnormal behavior, enabling precise threat detection.
- **Kubernetes-aware context:** Enriches events with Kubernetes metadata such as pod, namespace, container name, and labels.
- **Predefined security rules:** Includes a comprehensive library of community-curated rules to detect common threats and policy violations.
- **Real-time alerts:** Generates instant notifications when rules are violated, with integrations for SIEMs and notification tools.
- **Audit log analysis:** Parses Kubernetes audit logs to monitor sensitive operations and detect control-plane threats.
- **Syscall instrumentation:** Hooks into Linux syscalls to provide deep visibility into runtime behavior with low overhead.
- **Plugin support:** Extends Falco's detection capabilities through plugins that ingest data from cloud services and third-party sources.
- **Cloud integrations:** Supports event sources such as AWS CloudTrail and GCP Audit Logs for cloud-level threat detection.
- **Flexible deployment options:** Can be deployed as a DaemonSet in Kubernetes or run standalone on cloud or on-prem systems.
- **CNCF-hosted project:** Backed by the Cloud Native Computing Foundation, ensuring community-driven development and long-term viability.
- **Open-source ecosystem:** Offers transparency, auditability, and a strong worldwide community of contributors and users.