Falco is the cloud-native runtime security standard, a CNCF graduated project that monitors system calls in real time to detect threats across hosts, containers, and Kubernetes clusters. Created by Sysdig and now maintained by a broad open-source community, Falco uses eBPF-based kernel instrumentation to observe every syscall without modifying application code. Its flexible rules engine lets teams define custom detection policies for container escapes, privilege escalation, cryptojacking, sensitive file access, and unexpected network activity. With over 7,000 GitHub stars and production deployments at organizations such as Trendyol and Incepto Medical, Falco has become the de facto runtime detection layer for Kubernetes security.
The architecture is built around a pluggable event pipeline. At the core, the Falco driver captures kernel events and forwards them to userspace for rule evaluation. Beyond syscalls, Falco supports plugins for ingesting Kubernetes audit logs, AWS CloudTrail events, GCP audit logs, GitHub activity, and Okta authentication events. Detection rules ship out of the box covering common CVE exploits and MITRE ATT&CK techniques, and teams can author custom Falco rules using a simple YAML-based syntax. Alerts are emitted as JSON and can be forwarded to over 50 third-party destinations via Falcosidekick, including Slack, PagerDuty, Elasticsearch, and any HTTP endpoint.
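To show what the YAML rule syntax looks like in practice, here is an added example of a custom rule file that detects a process inside a container reading credential files such as /etc/shadow. It is written for this page and is not a rule from the Falco project's own ruleset; the list name, macro name, rule name, and the tag values are illustrative choices, while the `evt.*`, `fd.*`, `container.*`, `user.*` and `proc.*` fields are standard Falco syscall fields.

```yaml
# Added example: a custom Falco rule file (not part of the upstream ruleset).
# Load it alongside the default rules, e.g. with -r custom_rules.yaml or by
# placing it in the rules directory referenced from falco.yaml.

# A list groups values that a condition can test with "in (...)".
# The paths here are illustrative; extend to match your environment.
- list: credential_files
  items: [/etc/shadow, /etc/sudoers, /root/.ssh/id_rsa]

# A macro is a reusable condition fragment. container.id is "host" for
# processes that do not run in a container, so this restricts the rule
# to containerised workloads.
- macro: in_container
  condition: container.id != host

# The rule itself: fire on the exit of a read-mode open() family syscall
# whose target path is one of the listed credential files.
- rule: Credential File Read In Container
  desc: >
    A process running inside a container opened a credential file for
    reading. Expected only from backup or security tooling; investigate
    any other process doing this.
  condition: >
    evt.type in (open, openat, openat2)
    and evt.dir = <
    and evt.is_open_read = true
    and fd.name in (credential_files)
    and in_container
  # %field placeholders are expanded into the alert text; the same values
  # appear as structured keys in the JSON output consumed by Falcosidekick.
  output: >
    Credential file opened for reading in container
    (user=%user.name file=%fd.name proc=%proc.cmdline parent=%proc.pname
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  # Tags are free-form; they are useful for filtering and for mapping
  # alerts to ATT&CK tactics in a downstream SIEM.
  tags: [container, filesystem, credential_access]
```

Two design notes a practitioner would apply before shipping such a rule: restricting on `evt.dir = <` ensures the rule evaluates once per syscall, on the exit event where `fd.name` is populated, rather than on both entry and exit; and the `priority` value drives Falcosidekick routing, so a rule that is expected to be noisy is better started at NOTICE and promoted to WARNING once exceptions for legitimate tooling (an additional `and not proc.name in (...)` clause) have been added.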
Falco deploys natively on Kubernetes via an official Helm chart as a DaemonSet, ensuring every node is monitored. It supports x86_64 and ARM64 architectures across all major managed Kubernetes platforms, including EKS, GKE, and AKS. The project is completely free and open source under the Apache 2.0 license, with zero cost to start. Sysdig offers commercial products built on Falco for teams needing managed detection, compliance reporting, and enterprise support. The Falco ecosystem includes falcoctl for management and dedicated ruleset repositories, backed by an active community on Kubernetes Slack and regular contributor meetings.