Inferensys

Glossary

Falco

Falco is a cloud-native runtime security tool that uses eBPF to detect anomalous application behavior and syscall events in real-time, triggering alerts for threats like cryptomining or shell access in containers.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
RUNTIME SECURITY

What is Falco?

Falco is the cloud-native runtime security project that detects anomalous application behavior and syscall events in real-time using eBPF.

Falco is a Cloud Native Computing Foundation (CNCF) graduated open-source tool that acts as a security camera for your Linux systems and containers. It instruments the kernel using eBPF (extended Berkeley Packet Filter) to stream system calls directly to a rule engine, analyzing behavior against a configurable set of rules to detect threats like shell access in a container, unexpected network connections, or cryptomining processes.

The engine triggers real-time alerts to syslog, files, or streaming outputs when a rule is violated, integrating with SIEM platforms and incident response workflows. By operating at the syscall layer, Falco provides deep visibility into workload behavior without requiring code changes, making it a foundational component for Pod Security Admission and zero-trust runtime enforcement in Kubernetes clusters.

Runtime Security

Key Features of Falco

Falco is a cloud-native runtime security tool that leverages eBPF to detect anomalous application behavior and syscall events in real-time, triggering alerts for threats like cryptomining or shell access in containers.

01

eBPF-Powered Deep Visibility

Falco uses eBPF (extended Berkeley Packet Filter) to instrument the Linux kernel and capture every syscall event at the operating system level. This provides deep visibility into container and host activity without modifying application code or inserting kernel modules. The eBPF probe sits in the kernel, parsing arguments and return values to build a rich, real-time stream of system events—file opens, process spawns, network connections—with minimal performance overhead.

02

Rule-Based Anomaly Detection Engine

Falco's detection logic is defined through a declarative rules language that specifies conditions for suspicious behavior. Rules can filter on:

  • Syscall types (e.g., open, execve, connect)
  • Process lineage (parent-child relationships)
  • File paths and permissions
  • Network endpoints and protocols

Example: A rule triggers when a shell is spawned inside a running container (spawned_process with container and proc.name=bash), indicating a potential container escape or unauthorized access.

03

Real-Time Threat Alerting

When a rule condition is met, Falco generates a structured alert containing:

  • Event timestamp and severity level
  • Container ID, image name, and Kubernetes metadata
  • Process command line and user context
  • File paths or network details involved

Alerts are streamed to stdout, syslog, or integrated with SIEM platforms and notification channels like Slack, PagerDuty, and webhooks. This enables immediate incident response for threats such as cryptojacking, reverse shells, or unauthorized credential access.

04

Kubernetes-Native Integration

Falco integrates deeply with Kubernetes by enriching syscall events with orchestrator metadata. It automatically resolves:

  • Pod names, namespaces, and labels
  • Deployment and ReplicaSet ownership
  • Service account identities

This context allows security teams to map a suspicious syscall directly to the responsible workload. Falco can be deployed as a DaemonSet to monitor every node, or as a sidecar for per-pod isolation, and its alerts can trigger Kubernetes admission webhooks or NetworkPolicy enforcement via tools like Falco Talon.

05

Customizable Output and Forensics

Falco supports programmatic output via gRPC APIs, allowing custom consumers to process alert streams. It can also capture full syscall logs for forensic analysis, recording every event on a system for post-incident investigation. Integration with Falcosidekick enables forwarding alerts to over 50 destinations, including:

  • AWS S3 and Security Lake
  • Elasticsearch and Loki
  • Kafka for streaming analytics

This extensibility makes Falco the central sensor in a cloud-native detection and response pipeline.

RUNTIME SECURITY

Frequently Asked Questions

Explore the core concepts behind Falco, the cloud-native runtime security tool that uses eBPF to detect anomalous behavior in your Kubernetes clusters and containerized applications.

Falco is a cloud-native runtime security tool originally created by Sysdig that monitors your containers, hosts, and Kubernetes clusters for anomalous behavior. It works by instrumenting the Linux kernel using an eBPF (extended Berkeley Packet Filter) probe or a dedicated kernel module to capture system calls (syscalls) in real-time. A user-space process then analyzes this stream of events against a set of declarative rules defined in YAML. When an event violates a rule—for example, a shell being spawned inside a production container with a specific label—Falco generates an alert that can be forwarded to various channels like Prometheus, Fluentd, or a webhook. This architecture allows for deep visibility without modifying the application code or container images, making it a foundational element of a zero-trust security posture for Kubernetes environments.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.