What is Falco?

Falco is a CNCF graduated project for runtime threat detection in Kubernetes. It monitors Linux system calls from the kernel (via an eBPF probe or kernel module), evaluates them against a rule set, and alerts when a container exhibits suspicious behavior.

[Diagram: Falco runtime detection. Threat event -> Falco (eBPF) syscall rules -> Alert -> Response. Detects: shell in container, sensitive file read, privilege escalation, crypto mining.]

What Falco Detects

  • Shell spawned inside a container
  • Sensitive file access (/etc/shadow, /etc/passwd)
  • Unexpected outbound network connections
  • Privilege escalation attempts
  • Cryptomining processes
  • Container escape via nsenter or chroot

Falco vs Tetragon

Falco detects threats and sends alerts; it does not stop the offending process itself. Tetragon can block threats in real time using eBPF enforcement. Many teams use both: Falco for broad detection, Tetragon for critical enforcement.

Learn More

See Module 10: Runtime Security.
