Real-time threat detection solution for containers, hosts, Kubernetes and the cloud

How Falco's runtime security can help your organization

Multi-level defense is essential for effective cybersecurity. Whether securing your software supply chain, controlling access, or protecting against cloud misconfigurations, the acceleration of cloud adoption has rapidly expanded the potential attack surface that companies need to address.

The ultimate line of defense, however, is runtime security. Security is an ever-evolving war against attacks, and one of the most powerful ways to improve the security posture of your cloud-native environment is to detect threats as they occur. With the increasing number of cyber attacks and breaches, it’s crucial to have real-time visibility across your cloud, workloads, and user activity.

To effectively detect threats, runtime security systems must be efficient and alert to suspicious behavior in real-time. Attackers have adapted their tactics to the cloud landscape and can initiate attacks within seconds of entering your environment. While legacy tools struggle to detect cloud-native threats, Falco can provide a sophisticated security monitoring layer to identify abnormal behaviors as they happen. This will give you an opportunity to take the right response action and minimize the impact of possible breaches, including sustained financial loss and reputational damage.

what is falco

What is Falco

At the highest level, you can think of Falco like a network of security cameras for your infrastructure. You deploy Falco across a distributed infrastructure. Falco collects data (from the local machine or by talking to some API), runs a set of rules against it, and notifies you if something bad happens.

Falco makes it easy to consume Linux kernel syscalls, and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of out of the box security rules specifically built for Kubernetes, Linux and the cloud.

Originally developed as open source by Sysdig, Falco was contributed to the Cloud Native Computing Foundation (CNCF) in 2018, moved to the incubating level in 2020 and to the graduated level in 2024. Since its inception, Falco has been downloaded more than 100 million times, with more than 480% growth in the last two years.

how it works

How it works

Falco provides real-time detection capabilities for environments from individual containers, hosts, Kubernetes and the cloud. It is able to detect and alert on abnormal behavior and potential security threats in real-time, such as crypto mining, file exfiltration, privilege escalation in applications, rootkit installs among many others. These malicious behaviors are detected via user-defined Falco rules that classify events of application activity as malicious or suspicious.

More specifically, Falco collects event data from a source and compares each event against a set of rules. Some examples of sources for Falco events are:

  • Linux kernel syscalls
  • Kubernetes audit logs
  • Cloud events (e.g. AWS CloudTrail)
  • Events from other systems (GitHub, Okta)
  • New data sources can be added to Falco by developing plugins

Rules help the Falco engine identify security issues. Falco comes pre-loaded with a comprehensive set of rules that cover container, host, Kubernetes and cloud security, and you can easily create your own rules to customize it. Newly introduced falcoctl allows you to have always-up-to-date security rules out of the box for Falco.

System calls are one of the most important data sources for Falco. If an application has been compromised, Falco is able to detect malicious or suspicious behavior based on the system calls that it performs.

Instrumenting system calls

Instrumenting system calls

Observing system calls is performance-critical, and there are two ways in which Falco achieves this: an eBPF probe or a kernel module.

eBPF is a revolutionary technology that enables us to run sandboxed programs inside an operating system. eBPF scripts are flexible, safe, and run extremely fast, making them perfect for capturing runtime security. This makes it ideal for instrumenting system calls for Falco.

Before eBPF emerged, kernel modules were the norm for extending functionality in the Linux kernel. They run in privileged mode and are written in C, making them efficient and an excellent option for performance-critical work. Falco offers a kernel module for situations where eBPF isn't the best fit.

react to threats

React to threats

With Falco and Falcosidekick, you can also forward suspicious events to serverless systems to trigger actions and remediate threats.

Falcosidekick is a companion application to Falco that forwards Falco events. It allows you to distribute events to more than 50 systems, such as email, chat, message queues, serverless functions, databases and more. It’s easy to configure and use both locally and inside Kubernetes.

Falco FAQs

Runtime security is the process of providing real-time monitoring or observability capabilities for your host, containers, and applications while they're running. This allows you to detect a variety of threats, such as:

  • Privilege escalation attacks through exploiting security bugs.
  • The deployment of unauthorized workloads by an attacker.
  • Unauthorized access to secrets or other sensitive information.
  • The activation of malware that is hidden inside an application.

Falco is designed to detect these and other threats while your services and applications are running. When it detects unwanted behavior, Falco alerts you instantly so you’re informed (and can react!) right away, not after minutes or hours have passed.

You can think of Falco like a set of smart security cameras for your infrastructure: you place the sensors in key locations, they observe what’s going on, and they ping you if they detect harmful behavior.

With Falco, a set of rules define what bad behavior is. You can customize or extend these rules for your needs. The alerts generated by the set of Falco sensors can stay in the local machine, but it is a good practice to export them to a centralized collector.

Yes, Falco can run in almost every Linux kernel, whether it is a bare-metal server or a VM or microVM.

Please check the documentation to learn about kernel versions and more specific deployment restrictions. A list of available drivers can be found here.