Falco

Falco is an open-source runtime security (cloud-native security) project that detects unexpected application and container behavior on Linux systems using rule-driven inspection of system calls and Kubernetes audit events.

  • Runtime threat detection for containers, Kubernetes, and Linux hosts (cloud-native security)
  • Rule-based engine for inspecting kernel system calls and container activity (threat detection)
  • Support for monitoring Kubernetes audit logs and Application Programming Interface (API) server events (Kubernetes security)
  • Extensible rule sets and integration with alerting and Security Information and Event Management (SIEM) tools (security operations)
  • CNCF-hosted project focused on securing cloud-native workloads in production (cloud-native ecosystem)

More About Falco

Falco is an open-source runtime security (cloud-native security) project hosted by the Cloud Native Computing Foundation (CNCF) and designed to monitor Linux-based container, Kubernetes, and host environments for unexpected behavior. It focuses on detecting threats and policy violations at runtime by observing how processes interact with the Operating System (OS) and cluster APIs rather than scanning images or configuration alone. Falco targets workloads running on Kubernetes, container platforms, and traditional Linux hosts, and is used to enforce security policies and compliance expectations during application execution.

At its core, Falco uses a rules engine (threat detection) that evaluates system calls and other event streams against a set of declarative security rules. These rules describe conditions that represent suspicious or undesired behavior, such as file access in protected directories, process execution in containers, privilege escalation attempts, or network connections from restricted workloads. Falco can consume kernel-level events through drivers such as a kernel module or eBPF-based probe (kernel observability), enabling inspection of process activity, file operations, and network-related system calls in near real time.

Falco extends beyond system calls by integrating with Kubernetes audit logs and API server events (Kubernetes security). This allows security teams to detect configuration changes, access pattern anomalies, and administrative operations performed against cluster resources. Rules can reference Kubernetes metadata such as namespaces, labels, and users, enabling context-aware detection tuned to multi-tenant or segmented environments.

The project provides a default ruleset (security policy) covering common container and host threats, and it supports customization through user-defined rules written in a YAML-based syntax. Enterprises can tailor these rules to match internal policies, regulatory requirements, or workload-specific behaviors. Falco emits alerts in structured formats and offers integrations with logging and incident management tools, including syslog, standard output, webhooks, and exporters that forward alerts into SIEM or observability platforms (security operations and observability).

Falco is typically deployed as a DaemonSet on Kubernetes clusters or as an agent on Linux hosts (infrastructure security). In Kubernetes, each node runs a Falco instance that observes local workloads and host-level activity and forwards alerts to central logging or security platforms. This architecture aligns with cloud-native deployment patterns and allows Falco to operate alongside other CNCF projects and ecosystem tools.

From a directory and taxonomy perspective, Falco fits into runtime threat detection and intrusion detection for containers, Kubernetes, and Linux hosts (runtime security). It intersects with observability through its event collection and alerting functions, but its primary role is enforcing runtime security policies and detecting suspicious behavior across cloud-native and Linux infrastructure.