Container runtime security
Container image scanning and Kubernetes policies cover the static security part: “is this image safe?”. They do not cover the runtime part: “is the running container doing something strange now?”.
Falco, launched in 2016 by Sysdig Inc., answers the second problem. Accepted into the CNCF Sandbox in October 2018, by January 2019 Falco is at version 0.13 with early production adoption. Apache 2.0 licence. In 2020 Falco will move to CNCF Incubating, and in 2024 to Graduated.
How it works
Falco intercepts Linux kernel syscalls — the operations every process must make to interact with the system (file, network, exec). It does so via:
- Sysdig kernel module — the primary 2019 approach
- eBPF probe — alternative grown in later years, less invasive
- Userspace instrumentation (modern)
Intercepted syscalls are matched against YAML rules describing suspicious behaviour:
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
  output: >
    A shell was spawned in a container (user=%user.name
    container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell, mitre_execution]
If the condition matches, Falco emits an alert — on stdout, syslog, file, HTTP webhook, Slack, Kafka, Elasticsearch.
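To make the rule above concrete, here is a small Python evaluator added to this article (not Falco's own code): it expands the rule's macros and applies the condition to a handful of constructed syscall events. The bodies of spawned_process, container and shell_procs are assumed to follow Falco's default rule set, and the event fields mirror Falco's field names (evt.type, evt.dir, container.id, proc.name, proc.tty).

```python
from dataclasses import dataclass

# Assumed macro/list bodies mirroring Falco's default rule set (not quoted on the page).
SHELL_BINARIES = {"ash", "bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"}

@dataclass
class Event:
    """One constructed syscall event, keyed by Falco field names."""
    evt_type: str       # evt.type
    evt_dir: str        # evt.dir, "<" marks the syscall exit
    container_id: str   # container.id, "host" when not in a container
    proc_name: str      # proc.name
    proc_tty: int       # proc.tty, 0 means no controlling terminal
    user_name: str      # user.name
    image: str          # container.image.repository

def spawned_process(e: Event) -> bool:
    return e.evt_type in ("execve", "execveat") and e.evt_dir == "<"

def container(e: Event) -> bool:
    return e.container_id != "host"

def shell_procs(e: Event) -> bool:
    return e.proc_name in SHELL_BINARIES

def terminal_shell_in_container(e: Event) -> bool:
    """The rule's condition with its macros expanded."""
    return spawned_process(e) and container(e) and shell_procs(e) and e.proc_tty != 0

def format_alert(e: Event) -> str:
    """Render the rule's output template with the event's fields."""
    return (f"NOTICE A shell was spawned in a container (user={e.user_name} "
            f"container_id={e.container_id} image={e.image})")

def evaluate(events):
    """Return one alert line per event that satisfies the rule."""
    return [format_alert(e) for e in events if terminal_shell_in_container(e)]

# Constructed events (not real captures): only the first one should alert.
SAMPLE_EVENTS = [
    Event("execve", "<", "3f9c1a2b7e6d", "bash", 34816, "root", "nginx"),   # interactive exec
    Event("execve", "<", "3f9c1a2b7e6d", "sh", 0, "root", "nginx"),         # probe script, no TTY
    Event("execve", "<", "host", "bash", 34816, "admin", ""),               # shell on the host
    Event("execve", ">", "3f9c1a2b7e6d", "bash", 34816, "root", "nginx"),   # syscall enter, not exit
    Event("execve", "<", "3f9c1a2b7e6d", "nginx", 0, "root", "nginx"),      # not a shell
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Dropping the proc.tty != 0 term from terminal_shell_in_container makes the second event (a scripted, non-interactive sh) alert too, which is the noise the real rule avoids.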
Base rules
Falco ships with ~150 base rules (as of 2019) covering common scenarios:
- Shell spawn in production containers — typically anomalous
- Sensitive file access — reading /etc/shadow, SSH keys
- Privilege escalation — setuid, unexpected capabilities
- Network activity — binding to unplanned ports, DNS to non-standard servers
- Container escape attempts — host filesystem mounts, access to different namespaces
- Cryptomining — execution of known patterns (xmrig, etc.)
Rules are user-extensible for organisation-specific policies.
MITRE ATT&CK mapping
Falco rules are tagged with MITRE ATT&CK tactics/techniques. This facilitates SOC workflow integration: a Falco alert is contextualised against the standard threat modelling framework.
Kubernetes integration
In Kubernetes Falco is typically deployed as a DaemonSet — one instance per node. Alerts automatically include K8s metadata (namespace, pod name, labels) thanks to Kubernetes Audit integration.
Falcosidekick (complementary component) forwards alerts to dozens of destinations (Slack, Teams, AlertManager, OpsGenie, AWS Lambda, custom webhooks).
Comparison with alternatives
- Sysdig Secure — Sysdig’s commercial proprietary product, with UI, policy management, compliance reports. Falco is the underlying open source core
- Aqua Security, Trend Micro Cloud One, Palo Alto Prisma Cloud — commercial suites competing with Falco on capability
- Tracee (Aqua Security, 2020) — eBPF-native open source alternative
- Emerging eBPF-based tools (Isovalent’s Tetragon, 2022) reshape the landscape again
In the Italian context
As of 2019 Falco is adopted in Italy by:
- Startups with cloud-native infrastructure
- Banks and fintech with multi-tenant Kubernetes clusters
- Italian SaaS — containerised runtime monitoring
- Public administration (PA) in regulated public cloud projects
References: Falco 0.13 (January 2019). Sysdig Inc. (founder). CNCF Sandbox (October 2018), Incubating (April 2020), Graduated (2024). Apache 2.0 licence. Kernel module/eBPF probe. MITRE ATT&CK, Kubernetes Audit integration. Falcosidekick for notification routing.