Kubernetes Runtime Security: Falco, Tetragon, and eBPF

Identity and network policies prevent unauthorized access. But what about threats that happen inside an authorized workload? A compromised container attempting privilege escalation, an attacker running a cryptominer, or malware modifying system files — these are runtime threats.

Runtime Security Tools

  • Falco: CNCF-graduated project that detects abnormal behavior by monitoring Linux syscalls. Detects: shell spawned in container, sensitive file read, unexpected network connections.
  • Tetragon: Cilium-based runtime enforcement using eBPF. Goes beyond detection — can block malicious actions in real time at the kernel level.
  • eBPF: The underlying technology that makes modern runtime security possible. Runs sandboxed programs in the Linux kernel without kernel modules.
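As an added illustration (not part of the course material), here is a minimal Falco rules file that detects the first behaviour listed above, a shell spawned inside a container. The macro and list definitions are included so the file loads stand-alone; the allow-listed image name is a placeholder.

```yaml
# Added example, not from the course: a stand-alone Falco rules file that
# alerts when a shell binary is exec'd inside a container.

# Macros as used by Falco's default rules: a completed execve/execveat
# event, and an event that originated inside a container (not the host).
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: container
  condition: container.id != host

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash, ksh]

# Placeholder allow-list: images where an interactive shell is expected
# (e.g. a dedicated debug image). Replace with your own repositories.
- list: allowed_debug_images
  items: [placeholder.example/debug-tools]

- rule: Terminal shell in container
  desc: >
    A shell was started inside a container. Legitimate kubectl exec
    sessions also match; tune with allowed_debug_images or exceptions.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and not container.image.repository in (allowed_debug_images)
  output: >
    Shell spawned in container (user=%user.name container_id=%container.id
    image=%container.image.repository shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Load it with `falco -r shell-in-container.yaml` (or mount it under `/etc/falco/rules.d/`) and exec a shell into a test pod to see the alert fire; the parent process and command line in the output are what let you separate an operator's `kubectl exec` from an unexpected spawn.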

Learn Runtime Security — Free

Module 10 of our free Cloud Native Security Engineering course covers Falco, Tetragon, and eBPF with hands-on detection and response labs.

How to Use This Topic

This page is a focused entry point into the larger course. Use it to understand the vocabulary, the production problem, and the first practical module to open next.

  • Read the overview to map the concept to real engineering work.
  • Follow the linked module for exercises, diagrams, and implementation details.
  • Return to the full curriculum when you need adjacent topics and a complete learning path.

Start Learning for Free

Continue with Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: 16 modules, 32 hands-on labs, completely free.

Start Module 10 | View full curriculum