Falco

Falco is an open-source, cloud-native runtime security project that provides deep visibility into containerized environments, Kubernetes, and Linux hosts, detecting unexpected behavior and potential threats in real-time. It monitors system calls, Kubernetes audit events, and other data sources…

Key facts

First appeared
2016
Category
technology
Problem solved
Falco was created to address the significant blind spot in runtime security for containerized and cloud-native environments. Traditional host-based intrusion detection systems (HIDS) were not container-aware, struggling to provide granular visibility into the ephemeral, dynamic nature of containers and Kubernetes pods. Existing security tools often focused on static analysis or network perimeters, leaving a critical gap in detecting suspicious behavior *inside* running workloads in real-time.
Platforms
Kubernetes, Linux (kernel 4.14+ for eBPF), Docker/Containerd runtimes, Cloud environments (AWS, GCP, Azure)

Related technologies

Notable users

  • Various enterprises adopting Kubernetes for production workloads
  • Cloud providers (integrating it into their security offerings)
  • Organizations with stringent compliance requirements for runtime visibility
  • Sysdig (founding company)