Falco is a Cloud Native Computing Foundation (CNCF) graduated open-source tool that acts as a security camera for your Linux systems and containers. It instruments the kernel using eBPF (extended Berkeley Packet Filter) to stream system calls directly to a rule engine, analyzing behavior against a configurable set of rules to detect threats like shell access in a container, unexpected network connections, or cryptomining processes.
Glossary
Falco

What is Falco?
Falco is the cloud-native runtime security project that detects anomalous application behavior and syscall events in real-time using eBPF.
The engine triggers real-time alerts to syslog, files, or streaming outputs when a rule is violated, integrating with SIEM platforms and incident response workflows. By operating at the syscall layer, Falco provides deep visibility into workload behavior without requiring code changes, making it a foundational component for Pod Security Admission and zero-trust runtime enforcement in Kubernetes clusters.
Key Features of Falco
Falco is a cloud-native runtime security tool that leverages eBPF to detect anomalous application behavior and syscall events in real-time, triggering alerts for threats like cryptomining or shell access in containers.
eBPF-Powered Deep Visibility
Falco uses eBPF (extended Berkeley Packet Filter) to instrument the Linux kernel and capture every syscall event at the operating system level. This provides deep visibility into container and host activity without modifying application code or inserting kernel modules. The eBPF probe sits in the kernel, parsing arguments and return values to build a rich, real-time stream of system events—file opens, process spawns, network connections—with minimal performance overhead.
Rule-Based Anomaly Detection Engine
Falco's detection logic is defined through a declarative rules language that specifies conditions for suspicious behavior. Rules can filter on:
- Syscall types (e.g.,
open,execve,connect) - Process lineage (parent-child relationships)
- File paths and permissions
- Network endpoints and protocols
Example: A rule triggers when a shell is spawned inside a running container (spawned_process with container and proc.name=bash), indicating a potential container escape or unauthorized access.
Real-Time Threat Alerting
When a rule condition is met, Falco generates a structured alert containing:
- Event timestamp and severity level
- Container ID, image name, and Kubernetes metadata
- Process command line and user context
- File paths or network details involved
Alerts are streamed to stdout, syslog, or integrated with SIEM platforms and notification channels like Slack, PagerDuty, and webhooks. This enables immediate incident response for threats such as cryptojacking, reverse shells, or unauthorized credential access.
Kubernetes-Native Integration
Falco integrates deeply with Kubernetes by enriching syscall events with orchestrator metadata. It automatically resolves:
- Pod names, namespaces, and labels
- Deployment and ReplicaSet ownership
- Service account identities
This context allows security teams to map a suspicious syscall directly to the responsible workload. Falco can be deployed as a DaemonSet to monitor every node, or as a sidecar for per-pod isolation, and its alerts can trigger Kubernetes admission webhooks or NetworkPolicy enforcement via tools like Falco Talon.
Customizable Output and Forensics
Falco supports programmatic output via gRPC APIs, allowing custom consumers to process alert streams. It can also capture full syscall logs for forensic analysis, recording every event on a system for post-incident investigation. Integration with Falcosidekick enables forwarding alerts to over 50 destinations, including:
- AWS S3 and Security Lake
- Elasticsearch and Loki
- Kafka for streaming analytics
This extensibility makes Falco the central sensor in a cloud-native detection and response pipeline.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Explore the core concepts behind Falco, the cloud-native runtime security tool that uses eBPF to detect anomalous behavior in your Kubernetes clusters and containerized applications.
Falco is a cloud-native runtime security tool originally created by Sysdig that monitors your containers, hosts, and Kubernetes clusters for anomalous behavior. It works by instrumenting the Linux kernel using an eBPF (extended Berkeley Packet Filter) probe or a dedicated kernel module to capture system calls (syscalls) in real-time. A user-space process then analyzes this stream of events against a set of declarative rules defined in YAML. When an event violates a rule—for example, a shell being spawned inside a production container with a specific label—Falco generates an alert that can be forwarded to various channels like Prometheus, Fluentd, or a webhook. This architecture allows for deep visibility without modifying the application code or container images, making it a foundational element of a zero-trust security posture for Kubernetes environments.
Related Terms
Core concepts and complementary technologies that form the runtime security stack around Falco for threat detection in disconnected Kubernetes environments.
eBPF (Extended Berkeley Packet Filter)
The kernel technology that powers Falco's instrumentation. eBPF allows sandboxed programs to run in the Linux kernel without changing kernel source code or loading modules. Falco's driver attaches eBPF probes to syscall tracepoints to capture every execve, open, and network connection with near-zero overhead. In air-gapped environments, the eBPF probe is compiled once and loaded as a pre-built object file, eliminating the need for kernel headers or LLVM at runtime.
Syscall Event Stream
The raw sequence of kernel-level system calls that Falco monitors in real-time. Each event contains metadata including the process name, PID, UID, parent process, and arguments. Falco's rule engine filters this high-volume stream—often thousands of events per second—against a rules file to identify suspicious patterns. Key monitored syscalls include:
execveandexecveatfor process spawningopenandopenatfor file accessconnectandacceptfor network activityptracefor debugging and injection attempts
Falco Rules Language
A declarative YAML-based DSL for defining security policies. Rules specify a condition (a boolean expression over syscall fields), a priority level, and an output message. The language supports macros for reusable logic and lists for grouping related items. Example rule detecting a shell spawned in a container:
- Condition:
evt.type = execve and container and proc.name = bash - Output:
Shell spawned in container (user=%user.name container_id=%container.id) - Priority:
WARNINGRules are compiled at startup and evaluated against every syscall event.
Falco Plugins
Shared libraries that extend Falco's event sources beyond syscalls. The plugin framework defines a gRPC-based API for ingesting events from cloud services, Kubernetes audit logs, or custom applications. Key plugin types:
- Source plugins: Generate events from external systems (e.g., AWS CloudTrail, GitHub webhooks)
- Extractor plugins: Parse fields from event payloads for use in rule conditions
Plugins are compiled as
.sofiles and loaded at startup, making them fully compatible with air-gapped deployments where they are distributed via private registries.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us