
Falco

Cloud native runtime security for Kubernetes

Open Source

Falco is a CNCF graduated open-source runtime security tool that detects unexpected behavior and threats across containers, Kubernetes, and cloud workloads in real time. Originally created by Sysdig, Falco monitors Linux kernel syscalls using eBPF and applies customizable detection rules to alert on malicious activity like container escapes, cryptojacking, unauthorized file access, and anomalous network connections. It supports 50+ alert output channels including SIEM integration.

Falco is the cloud native runtime security standard, a CNCF graduated project that monitors system calls in real time to detect threats across hosts, containers, and Kubernetes clusters. Created by Sysdig and now maintained by a broad open-source community, Falco uses eBPF-based kernel instrumentation to observe every syscall without modifying application code. Its flexible rules engine lets teams define custom detection policies for container escapes, privilege escalation, cryptojacking, sensitive file access, and unexpected network activity. With over 7,000 GitHub stars and production deployments at organizations like Trendyol and Incepto Medical, Falco has become the de facto runtime detection layer for Kubernetes security.

The architecture is built around a pluggable event pipeline. At the core, the Falco driver captures kernel events and forwards them to userspace for rule evaluation. Beyond syscalls, Falco supports plugins for ingesting Kubernetes audit logs, AWS CloudTrail events, GCP audit logs, GitHub activity, and Okta authentication events. Detection rules ship out of the box covering common CVE exploits and MITRE ATT&CK techniques, and teams can author custom Falco rules using a simple YAML-based syntax. Alerts are output in JSON format and can be forwarded to over 50 third-party destinations via Falcosidekick, including Slack, PagerDuty, Elasticsearch, and any HTTP endpoint.

Falco deploys natively on Kubernetes via an official Helm chart as a DaemonSet, ensuring every node is monitored. It supports x86_64 and ARM64 architectures across all major managed Kubernetes platforms, including EKS, GKE, and AKS. The project is completely free and open source under the Apache 2.0 license, with zero cost to start. Sysdig offers commercial products built on Falco for teams needing managed detection, compliance reporting, and enterprise support. The Falco ecosystem includes falcoctl for management, dedicated ruleset repositories, an active community on Kubernetes Slack, and regular contributor meetings.

Pricing

Free and open source (Apache 2.0). Sysdig offers commercial products built on Falco.

Platforms

Linux, Kubernetes (Helm), EKS, GKE, AKS, x86_64 and ARM64

Related Tools

KubeAI

Kubernetes operator for serving AI inference workloads

KubeAI is an Apache-2.0 Kubernetes operator for deploying and scaling AI inference workloads, including LLMs, embeddings, reranking, and speech-to-text. It gives platform teams OpenAI-compatible endpoints, model proxy/controller primitives, model caching, scale-from-zero behavior, and cluster-native resource management for self-hosted inference on Kubernetes.

Open Source

kubectl-ai

Google’s open-source Kubernetes assistant that translates natural-language intent into precise cluster operations.

kubectl-ai is an AI-powered Kubernetes assistant from Google Cloud Platform. It acts as an intelligent interface for cluster work, translating operator intent into Kubernetes commands and workflows. The key distinction from reactive diagnosis tools is that kubectl-ai is designed as an interactive natural-language interface for planning and executing Kubernetes operations, with provider configuration and MCP-oriented workflows around the CLI.

Open Source, Telemetry

Agent Governance Toolkit

Microsoft’s public-preview runtime governance toolkit for policy, identity, sandboxing, audit, and MCP security around AI agents.

Agent Governance Toolkit is Microsoft’s MIT-licensed public-preview toolkit for governing AI agent runtimes. It adds policy enforcement, zero-trust identity, execution sandboxing, audit, reliability, and MCP security-gateway patterns around tool calls and autonomous actions, helping platform teams move beyond prompt-only guardrails while preserving architecture review requirements.

Open Source, Telemetry

Baz

Telemetry-aware AI code reviewer that checks how pull requests may affect real services.

Baz is an AI code-review platform focused on production-aware pull requests. Instead of only reading the diff, Baz connects code changes to application telemetry so reviewers can understand what endpoints, services, and runtime behavior may be affected. That makes it a useful complement to existing AI PR bots when the question is not just whether a change looks correct, but whether it could break a live system.

Freemium, Telemetry

Rampart

Microsoft’s pytest-native red teaming framework for turning AI agent safety findings into CI tests.

RAMPART is an open-source Microsoft framework for safety and security testing of agentic AI applications. It brings red-team findings into a pytest-native workflow so teams can turn prompt injection, unsafe tool use, and behavioral boundary failures into repeatable regression tests. The strongest aicoolies angle is developer workflow: RAMPART makes agent safety part of CI/CD instead of a one-off security review.

Open Source

Statewright

State-machine guardrails for controlling which tools AI coding agents can use at each phase.

Statewright is a guardrail layer for AI coding agents that uses explicit state machines to control what an agent can do at each stage of a workflow. Instead of relying only on prompt instructions, teams can model phases such as plan, implement, test, and review, then constrain tool access for clients like Claude Code, Codex, Cursor, opencode, and related MCP workflows.

Open Source
