Skills · April 11, 2026 · 1 min read

Falco — Cloud Native Runtime Security & Threat Detection

Falco is an open-source runtime security tool that detects abnormal activity in containers and hosts using eBPF and syscalls. Real-time threat detection for Kubernetes.

Agent ready

Review before installing

This asset requires review before installation. The copied command asks the Agent to dry-run and list what it would write, and to continue only after you confirm.

Needs Confirmation · 64/100 · Policy: confirmation required
Agent entry point: any MCP/CLI Agent
Type: Skill
Install: Single
Trust: trust level Established
Entry: step-1.md
Review the command first:
npx -y tokrepo@latest install e6d09344-3558-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first; run this command only after confirming what it writes.

TL;DR
Falco detects runtime threats in containers and Kubernetes using eBPF syscall monitoring and custom rules.
§01

What it is

Falco is an open-source runtime security tool that detects abnormal behavior in containers, hosts, and Kubernetes clusters. It uses eBPF to monitor system calls in real time and matches them against security rules. When a rule triggers (e.g., a container spawns an unexpected shell, reads sensitive files, or makes suspicious network connections), Falco generates an alert.

Falco targets security teams and SREs who need runtime threat detection for containerized environments. It acts as an intrusion detection system (IDS) that runs alongside your workloads without modifying application code.

§02

How it saves time or tokens

Falco provides out-of-the-box security rules for common threats: shell execution in containers, sensitive file access, unexpected network activity, and privilege escalation. Without Falco, you would need to build custom monitoring for each of these scenarios. Falco's rules are maintained by the community and updated for new attack patterns. Integration with Kubernetes admission controllers lets you block suspicious workloads before they run.

§03

How to use

  1. Install Falco via Helm:
     helm repo add falcosecurity https://falcosecurity.github.io/charts
     helm install falco falcosecurity/falco \
       --namespace falco --create-namespace \
       --set driver.kind=modern_ebpf
  2. View Falco alerts:
     kubectl logs -n falco -l app.kubernetes.io/name=falco -f
  3. Customize rules by editing the Falco rules file or adding custom rule ConfigMaps.
§04

Example

# Custom Falco rule: Detect shell in container
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec for a container
  condition: >
    spawned_process and container and
    shell_procs and proc.tty != 0
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name
    shell=%proc.name parent=%proc.pname)
  priority: WARNING
  tags: [container, shell, mitre_execution]
§05

Related on TokRepo

This tool integrates with standard development workflows and requires minimal configuration to get started. It is available as open-source software with documentation and community support through the official repository. The project follows semantic versioning for stable releases.

For teams evaluating this tool, the key advantage is reducing manual work in repetitive tasks. The automation provided by the built-in features means less custom code to maintain and fewer integration points to manage. This translates directly to lower maintenance costs and faster iteration cycles.

§06

Common pitfalls

  • Falco's eBPF driver requires a recent kernel version (5.8+); older kernels fall back to the kernel module driver, which requires additional privileges.
  • Default rules generate many alerts on busy clusters; tune the rules to suppress known-good behaviors to reduce alert fatigue.
  • Falco monitors but does not block by default; integrate with Kubernetes admission controllers or response engines (Falcosidekick) for active enforcement.
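The second pitfall above (alert fatigue on busy clusters) starts with knowing which rules fire most and which firings are known-good. The script below is an added example, not code from Falco or Falcosidekick: it reads the JSON lines Falco emits with json_output enabled (as seen through the kubectl logs command in the how-to), skips Falco's non-JSON startup lines, suppresses alerts that match a known-good allowlist keyed on rule plus output fields, and ranks the remaining rules by volume. The log lines and the KNOWN_GOOD allowlist are constructed sample data; the image repositories and container names in them are placeholders.

```python
"""Triage Falco JSON alerts: drop known-good firings, count what is left.

Added example, not part of Falco or Falcosidekick. Input mimics the shape of
Falco's json_output (rule, priority, output, output_fields, tags, time, source);
every value below is constructed sample data.
"""
import json
from collections import Counter

# Constructed sample of `kubectl logs` output from a Falco pod running with
# json_output=true: one JSON alert per line, plus one non-JSON startup line.
SAMPLE_LOG = """\
Falco version line emitted at startup (constructed, not an alert)
{"hostname":"node-a","output":"Shell spawned in container (user=root container=debug-shell shell=sh parent=runc)","priority":"Warning","rule":"Terminal shell in container","source":"syscall","tags":["container","shell","mitre_execution"],"time":"2026-04-11T10:00:01.000000000Z","output_fields":{"container.image.repository":"docker.io/library/busybox","container.name":"debug-shell","proc.name":"sh","proc.pname":"runc","user.name":"root"}}
{"hostname":"node-b","output":"Shell spawned in container (user=runner container=ci-runner shell=bash parent=runner-agent)","priority":"Warning","rule":"Terminal shell in container","source":"syscall","tags":["container","shell","mitre_execution"],"time":"2026-04-11T10:00:02.000000000Z","output_fields":{"container.image.repository":"registry.example/ci/runner","container.name":"ci-runner","proc.name":"bash","proc.pname":"runner-agent","user.name":"runner"}}
{"hostname":"node-a","output":"Sensitive file opened for reading by non-trusted program (user=www-data file=/etc/shadow container=web)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["container","filesystem","mitre_credential_access"],"time":"2026-04-11T10:00:03.000000000Z","output_fields":{"container.image.repository":"docker.io/library/nginx","container.name":"web","fd.name":"/etc/shadow","proc.name":"cat","user.name":"www-data"}}
{"hostname":"node-b","output":"Shell spawned in container (user=runner container=ci-runner shell=bash parent=runner-agent)","priority":"Warning","rule":"Terminal shell in container","source":"syscall","tags":["container","shell","mitre_execution"],"time":"2026-04-11T10:00:04.000000000Z","output_fields":{"container.image.repository":"registry.example/ci/runner","container.name":"ci-runner","proc.name":"bash","proc.pname":"runner-agent","user.name":"runner"}}
{"hostname":"node-c","output":"Privileged container started (user=root container=kube-proxy image=registry.k8s.io/kube-proxy)","priority":"Notice","rule":"Launch Privileged Container","source":"syscall","tags":["container","cis","mitre_privilege_escalation"],"time":"2026-04-11T10:00:05.000000000Z","output_fields":{"container.image.repository":"registry.k8s.io/kube-proxy","container.name":"kube-proxy","proc.name":"kube-proxy","user.name":"root"}}
"""

# Constructed allowlist: an alert is known-good when its rule matches and every
# listed output field equals the value given (all keys must match, not any).
KNOWN_GOOD = [
    {"rule": "Terminal shell in container",
     "container.image.repository": "registry.example/ci/runner",
     "user.name": "runner"},
    {"rule": "Launch Privileged Container",
     "container.image.repository": "registry.k8s.io/kube-proxy"},
]


def parse_alerts(log_text):
    """Return the JSON alerts in a log, ignoring Falco's own non-JSON lines."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # startup banners, driver messages, etc.
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated line (e.g. log rotation); skip rather than crash
    return alerts


def is_known_good(alert, allowlist):
    """True when some allowlist entry matches the rule and all its fields."""
    fields = alert.get("output_fields", {})
    for entry in allowlist:
        if entry["rule"] != alert.get("rule"):
            continue
        if all(fields.get(k) == v for k, v in entry.items() if k != "rule"):
            return True
    return False


def triage(log_text, allowlist):
    """Split parsed alerts into (kept, suppressed) lists."""
    kept, suppressed = [], []
    for alert in parse_alerts(log_text):
        (suppressed if is_known_good(alert, allowlist) else kept).append(alert)
    return kept, suppressed


def summarize(alerts):
    """Count alerts per (rule, priority) pair."""
    return Counter((a["rule"], a["priority"]) for a in alerts)


def noisiest(alerts, n=3):
    """Rules firing most often: the first candidates for tuning."""
    return Counter(a["rule"] for a in alerts).most_common(n)


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LOG, KNOWN_GOOD)
    print("noisiest rules:", noisiest(parse_alerts(SAMPLE_LOG)))
    print("suppressed:", dict(summarize(suppressed)))
    for a in kept:
        print("KEEP", a["priority"], a["rule"], a["output_fields"]["container.name"])
```

The allowlist requires every listed field to match, so a shell in the CI runner image under a different user is still kept; once an entry proves stable it is a candidate for a rule exception or a macro in the rules file rather than a downstream filter, which keeps the suppression next to the rule it tunes.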

FAQ

What is eBPF and why does Falco use it?

eBPF (extended Berkeley Packet Filter) allows running sandboxed programs in the Linux kernel without loading kernel modules. Falco uses eBPF to intercept system calls efficiently, providing runtime visibility without the security risks of kernel modules.

Does Falco work outside Kubernetes?

Yes. Falco monitors system calls on any Linux host, containerized or not. It works with Docker, containerd, CRI-O, and bare metal systems. Kubernetes integration adds container and pod metadata to alerts.

How does Falco differ from a firewall?

Firewalls filter network traffic based on rules. Falco monitors system call behavior at runtime, detecting actions like file access, process execution, and privilege changes. They serve complementary roles in a defense-in-depth strategy.

Can I write custom Falco rules?

Yes. Falco rules are written in YAML using a condition/output format. Conditions match on system call properties (process name, user, container, file path). The rule language supports macros and lists for reusability.
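Step 3 of the how-to (customizing rules) and the answer above both point at macros and lists, which is where custom rules get their reuse and where loading errors usually come from. The script below is an added example, not Falco's own rule loader: it takes a rules file in the shape PyYAML's safe_load would produce (a list of `list`, `macro` and `rule` mappings) and resolves every macro and list reference in a rule's condition down to raw event fields, refusing to loop on a macro that references itself. The definitions are constructed here; the names shell_binaries, shell_procs, spawned_process and container follow the upstream naming convention but are not copied from Falco's rule set, and the second rule is illustrative.

```python
"""Resolve Falco macros and lists inside rule conditions.

Added example, not Falco's own loader. RULES_FILE mirrors what yaml.safe_load
returns for a small rules file; all definitions are constructed for the demo.
"""
import re

# Constructed rules file, already parsed from YAML into Python objects.
RULES_FILE = [
    {"list": "shell_binaries",
     "items": ["bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]},
    {"list": "sensitive_files", "items": ["/etc/shadow", "/etc/sudoers"]},
    {"macro": "spawned_process",
     "condition": "evt.type in (execve, execveat) and evt.dir=<"},
    {"macro": "container", "condition": "container.id != host"},
    {"macro": "shell_procs", "condition": "proc.name in (shell_binaries)"},
    {"macro": "open_read",
     "condition": "evt.type in (open, openat, openat2) and evt.is_open_read=true"},
    {"rule": "Terminal shell in container",
     "condition": "spawned_process and container and shell_procs and proc.tty != 0",
     "priority": "WARNING"},
    {"rule": "Read sensitive file in container",
     "condition": "open_read and container and fd.name in (sensitive_files)",
     "priority": "WARNING"},
]

# Identifiers as they appear in conditions. Field names contain dots, so the
# regex consumes `container.id` whole and never confuses it with macro `container`.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def index_definitions(rules_file):
    """Split a parsed rules file into its list, macro and rule tables."""
    lists = {d["list"]: d["items"] for d in rules_file if "list" in d}
    macros = {d["macro"]: d["condition"] for d in rules_file if "macro" in d}
    rules = {d["rule"]: d for d in rules_file if "rule" in d}
    return lists, macros, rules


def expand_condition(condition, lists, macros, _stack=()):
    """Substitute macro and list names until only raw fields remain.

    Macros expand recursively and are parenthesised so their and/or structure
    survives; lists expand to comma-joined items (items may name other lists).
    A macro or list that transitively references itself raises ValueError.
    """
    def substitute(match):
        name = match.group(0)
        if name not in macros and name not in lists:
            return name  # a field, operator keyword or literal value
        if name in _stack:
            raise ValueError("reference cycle: " + " -> ".join(_stack + (name,)))
        if name in macros:
            inner = expand_condition(macros[name], lists, macros, _stack + (name,))
            return "(" + inner + ")"
        return ", ".join(expand_condition(item, lists, macros, _stack + (name,))
                         for item in lists[name])
    return IDENT.sub(substitute, condition)


def expand_rule(rule_name, rules_file=RULES_FILE):
    """Return the fully resolved condition string for one rule."""
    lists, macros, rules = index_definitions(rules_file)
    return expand_condition(rules[rule_name]["condition"], lists, macros)


if __name__ == "__main__":
    for name in ("Terminal shell in container", "Read sensitive file in container"):
        print(name)
        print("   ", expand_rule(name))
```

Reading the expanded condition is the quickest way to see what a rule actually matches after several layers of macros, and it makes the effect of overriding an upstream macro or list (for example appending a site-specific binary to a list) visible before the rules are loaded into a running Falco.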

Is Falco a CNCF project?

Yes. Falco is a CNCF graduated project, which means it has met the maturity requirements for production adoption. It is maintained by the Falco community with contributions from multiple organizations.
