Falco
Falco is an open-source, cloud-native runtime security project that provides deep visibility into containerized environments, Kubernetes, and Linux hosts, detecting unexpected behavior and potential threats in real-time. It monitors system calls, Kubernetes audit events, and other data sources…
Key facts
- First appeared
- 2016
- Category
- technology
- Problem solved
- Falco was created to address the significant blind spot in runtime security for containerized and cloud-native environments. Traditional host-based intrusion detection systems (HIDS) were not container-aware, struggling to provide granular visibility into the ephemeral, dynamic nature of containers and Kubernetes pods. Existing security tools often focused on static analysis or network perimeters, leaving a critical gap in detecting suspicious behavior *inside* running workloads in real-time.
- Platforms
- Kubernetes, Linux (kernel 4.14+ for eBPF), Docker/Containerd runtimes, Cloud environments (AWS, GCP, Azure)
Related technologies
Notable users
- Various enterprises adopting Kubernetes for production workloads
- Cloud providers (integrating it into their security offerings)
- Organizations with stringent compliance requirements for runtime visibility
- Sysdig (founding company)