What is Falco

At the highest level, you can think of Falco like a network of security cameras for your infrastructure. You deploy Falco across a distributed infrastructure. Falco collects data (from the local machine or by talking to some API), runs a set of rules against it, and notifies you if something bad happens.

Falco makes it easy to consume Linux kernel syscalls, and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of out of the box security rules specifically built for Kubernetes, Linux and the cloud.

Originally developed as open source by Sysdig, Falco was contributed to the Cloud Native Computing Foundation (CNCF) in 2018, moved to the incubating level in 2020 and to the graduated level in 2024. Since its inception, Falco has been downloaded more than 100 million times, with more than 480% growth in the last two years.

How it works

Falco provides real-time detection capabilities for environments from individual containers, hosts, Kubernetes and the cloud. It is able to detect and alert on abnormal behavior and potential security threats in real-time, such as crypto mining, file exfiltration, privilege escalation in applications, rootkit installs among many others. These malicious behaviors are detected via user-defined Falco rules that classify events of application activity as malicious or suspicious.

More specifically, Falco collects event data from a source and compares each event against a set of rules. Some examples of sources for Falco events are:

• Linux kernel syscalls
• Kubernetes audit logs
• Cloud events (e.g. AWS CloudTrail)
• Events from other systems (GitHub, Okta)
• New data sources can be added to Falco by developing plugins

Rules help the Falco engine identify security issues. Falco comes pre-loaded with a comprehensive set of rules that cover container, host, Kubernetes and cloud security, and you can easily create your own rules to customize it. Newly introduced falcoctl allows you to have always-up-to-date security rules out of the box for Falco.

System calls are one of the most important data sources for Falco. If an application has been compromised, Falco is able to detect malicious or suspicious behavior based on the system calls that it performs.

Instrumenting system calls

Observing system calls is performance-critical, and there are two ways in which Falco achieves this: an eBPF probe or a kernel module.

eBPF is a revolutionary technology that enables us to run sandboxed programs inside an operating system. eBPF scripts are flexible, safe, and run extremely fast, making them perfect for capturing runtime security. This makes it ideal for instrumenting system calls for Falco.

Before eBPF emerged, kernel modules were the norm for extending functionality in the Linux kernel. They run in privileged mode and are written in C, making them efficient and an excellent option for performance-critical work. Falco offers a kernel module for situations where eBPF isn't the best fit.

React to threats

With Falco and Falcosidekick, you can also forward suspicious events to serverless systems to trigger actions and remediate threats.

Falcosidekick is a companion application to Falco that forwards Falco events. It allows you to distribute events to more than 50 systems, such as email, chat, message queues, serverless functions, databases and more. It’s easy to configure and use both locally and inside Kubernetes.