Security visibility inside containers, Kubernetes, and cloud workloads remains among the hardest gaps to close, especially at runtime. Traditional antivirus and endpoint tools don’t see inside namespaces, syscall activity, or orchestrator actions. And most cloud-native environments move too fast for static rulesets to keep up.
Enter Falco—an open-source, kernel-level runtime security engine originally built by Sysdig and now part of the CNCF (Cloud Native Computing Foundation). It’s lightweight, pluggable, and built for Linux threat detection at the syscall level.
What Is Falco?
Falco is a security tool for real-time behavioural monitoring on Linux systems. It inspects kernel activity to detect anomalous or unauthorised behaviour, especially in containerised or orchestrated environments.
Falco uses eBPF or a kernel module to collect syscall data, which it evaluates against customizable rule sets. It’s purpose-built for:
- Runtime threat detection inside containers and pods
- Alerting on anomalous or dangerous activity
- Lightweight deployment in cloud-native architectures
Key Features
Real-Time Syscall Inspection
Falco hooks directly into the Linux kernel via eBPF or DKMS modules, capturing syscalls from all processes, including inside containers.
Flexible Rule Engine
Rules can inspect conditions such as:
- File access (
write,unlink,chmod) - Network connections (
connect,listen) - Execution patterns (
execve, parent-child relationships) - Container-specific context (e.g. namespace, user, pod metadata)
Kubernetes and Cloud Context
Falco can ingest metadata from:
- Kubernetes API
- CRI runtimes (containerd, CRI-O, Docker)
- Cloud logging backends
This allows for alerting based on pod name, labels, image used, and more.
Minimal Overhead
It uses minimal CPU and memory and is built to run in production. Many teams run Falco as a DaemonSet on every K8s node.
Outputs & Integrations
Falco can forward alerts to:
- stdout / file
- Webhooks
- gRPC
- Syslog
- SIEM platforms
- Prometheus, Grafana, Loki
- Falcosidekick (a project to send alerts to Slack, Discord, Teams, etc.)
Use Cases
- Detecting unauthorised container shell access (e.g. someone execs into a running pod)
- Alerting on unexpected file changes inside containers
- Identifying privilege escalation attempts via syscall patterns
- Detecting malware or crypto miners based on execution behaviour
- Monitoring sensitive file access on Linux hosts
Installation with Docker
First, ensure you have a Linux machine with a recent version of Docker installed. Note that the following will not work on Windows or macOS running Docker Desktop.
Run the following command:
sudo docker run --rm -i -t --name falco --privileged \ -v /var/run/docker.sock:/host/var/run/docker.sock \ -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \ -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro \ falcosecurity/falco:0.40.0 |
Pros and Limitations
Strengths
- Built for containers and Kubernetes
- Lightweight and cloud-native
- Extensive community ruleset
- CNCF-backed and actively maintained
- Integrates with SIEM/SOAR tools
Limitations
- No native correlation engine (use Falcosidekick for enrichment)
- Not a full SIEM or XDR
- Alerting is real-time but not persistent without backend integration
- Requires tuning in high-noise environments
Final Thoughts
Falco fills a particular and increasingly critical gap: runtime threat detection at the kernel level, especially in ephemeral, containerised, and orchestrated environments. If you’re running Kubernetes and don’t know what syscalls are flying around your nodes, you’re flying blind.
It’s not a replacement for your SIEM or EDR. But it is a vital signal source for any team serious about cloud-native defence.
You can read more or download Falco here.