Falco Runtime Security
falco.org
About this website
Falco is an open-source cloud-native runtime security tool that detects unexpected application behavior and alerts on threats at runtime, using system calls as the primary source of truth. It was originally created by Sysdig in 2016, contributed to the CNCF in 2018, and graduated as a CNCF project in 2024; the project has over 7,800 stars as of 2026.

Key features include:

- System call monitoring: captures and analyzes Linux system calls in real time using kernel instrumentation via a kernel module, an eBPF probe, or the modern eBPF driver, providing deep visibility into all process activity.
- Rule engine: a flexible rule engine using the Falco Rules Language, with conditions based on syscalls, process information, file operations, network connections, and container metadata, enabling custom security policies.
- Default ruleset: over 100 built-in rules covering container escapes, privilege escalation, suspicious network connections, unauthorized file access, cryptomining detection, and Kubernetes security best practices.
- Kubernetes integration: enriches system call events with Kubernetes metadata, including pod name, namespace, deployment, labels, and container ID, using the K8s API client.
- Output channels: notifications via stdout, HTTP webhook, Slack, Microsoft Teams, PagerDuty, Elasticsearch, Loki, Kafka, and NATS, with configurable alert formatting.
- Output fields: structured JSON output with full event context, including process, user, container, and Kubernetes metadata, for incident response.
- Plugins: the Falco Plugin SDK extends event sources beyond syscalls to include Kubernetes audit logs, cloud provider events, and custom data sources.
- gVisor and modern eBPF: support for modern eBPF CO-RE programs and the gVisor sandboxed runtime.
- Performance: low-overhead event processing, with efficient filtering at the kernel level before data reaches userspace.
- Deployment: Kubernetes DaemonSet, Helm chart, systemd service, and standalone binary modes.