explaingit

falcosecurity/falco

8,938 · C++ · Audience: ops, devops · Complexity: 4/5 · Setup: hard

TLDR

A runtime security tool for Linux and Kubernetes that monitors system calls and raises alerts when suspicious behavior is detected, like a shell spawning inside a container.

Mindmap

mindmap
  root((Falco))
    What it does
      Runtime security
      System call monitoring
      Alert on threats
    Features
      Custom rules
      Container context
      SIEM forwarding
    Tech Stack
      C++
      Linux kernel
      Kubernetes
      eBPF
    Use Cases
      Container security
      Compliance monitoring
      Threat detection


Things people build with this

USE CASE 1

Monitor a Kubernetes cluster for suspicious activity, such as unexpected shell access inside a container or writes to sensitive files.

USE CASE 2

Forward security alerts with pod, namespace, and container context to a SIEM system for long-term analysis.

USE CASE 3

Write custom detection rules to catch specific behaviors in a Linux system, such as unusual network connections from a process.

Tech stack

C++ · Linux · Kubernetes · eBPF · Helm

Getting it running

Difficulty · hard · Time to first run · 1h+

Requires a Linux host or Kubernetes cluster with elevated permissions to load the kernel module or eBPF probe.

In plain English

Falco is a security monitoring tool for Linux that watches what is happening inside a running system and raises alerts when something looks suspicious or unexpected. It focuses on runtime security, meaning it catches problems while software is actually running, rather than scanning code ahead of time. It was originally created by Sysdig and is now a graduated project under the Cloud Native Computing Foundation, the same organization that oversees Kubernetes and many other tools used in modern cloud infrastructure.

At its core, Falco monitors Linux system calls, which are the requests every program makes to the operating system when it wants to read a file, open a network connection, spawn a new process, or do almost anything else that requires the kernel. Falco compares those calls against a set of user-defined rules, and when a call matches a suspicious pattern, it generates an alert. Rules can be written to catch things like a shell being spawned inside a container, a process writing to a sensitive file, or unusual network activity.

Falco is designed for environments that run containers and Kubernetes. It can attach metadata from the container runtime and from the Kubernetes API to each event, so alerts include context such as which pod, namespace, or container was involved. Collected events can be forwarded to security information and event management (SIEM) systems or data warehouses for longer-term analysis.

The project is organized across several GitHub repositories. The main Falco binary lives here, but the core libraries, official rules, plugin integrations, and Helm charts for Kubernetes deployment are maintained in separate companion repositories. A command-line management tool called falcoctl handles tasks like installing and updating rules. The project includes audit reports and a documented vulnerability disclosure process.
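As an added example (not a rules file from the falcosecurity/falco repository), here is a small Falco rules file showing the macro, list and rule structure the paragraph describes: one rule for a shell spawned inside a container and one for a process opening /etc/passwd or /etc/shadow for writing, with container and Kubernetes context in the alert output. The macro, field and syscall names are Falco's own; the rule names, tag values and file name are chosen here.

```yaml
# Added example: a minimal Falco rules file (not from the falcosecurity/falco
# repository). Macro and field names are Falco's; rule names and tags are
# chosen here. Load with: falco -r custom_rules.yaml (file name assumed).

# Macros: named condition fragments reused across rules.
- macro: spawned_process
  # Exit side of an execve/execveat syscall: a new program just started.
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: container
  # Events from any container; host processes carry container.id = host.
  condition: container.id != host

- macro: open_write
  # A file descriptor was opened with write intent.
  condition: evt.type in (open, openat, openat2) and evt.is_open_write=true

# Lists: reusable value sets referenced from conditions.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

- list: sensitive_account_files
  items: [/etc/passwd, /etc/shadow]

# Rule 1: a shell binary started inside a container.
- rule: Shell Spawned In Container (example)
  desc: A shell binary was executed inside a container
  condition: >
    spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container (user=%user.name proc=%proc.cmdline
    parent=%proc.pname container=%container.name
    image=%container.image.repository k8s_pod=%k8s.pod.name k8s_ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, example]

# Rule 2: write access to local account files, on the host or in a container.
- rule: Write To Account Files (example)
  desc: A process opened /etc/passwd or /etc/shadow for writing
  condition: >
    open_write and fd.name in (sensitive_account_files)
  output: >
    Account file opened for writing (file=%fd.name user=%user.name
    proc=%proc.cmdline container=%container.id k8s_pod=%k8s.pod.name)
  priority: ERROR
  tags: [filesystem, host, example]
```

The k8s.* output fields are only filled in when Kubernetes metadata enrichment is enabled for the Falco deployment; otherwise they render as <NA> while the rule still fires.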

Copy-paste prompts

Prompt 1
Write a Falco rule that alerts when any process inside a Kubernetes container spawns a shell or runs curl or wget.
Prompt 2
How do I deploy Falco on a Kubernetes cluster using the official Helm chart and configure it to send alerts to a Slack channel?
Prompt 3
Show me how to install falcoctl and update the Falco rules to the latest version without restarting the Falco daemon.
Prompt 4
How do I write a Falco rule that triggers when a process writes to /etc/passwd or /etc/shadow on a Linux host?