☁️ Cloud & container security
Falco
Cloud-native runtime security — detect threats inside containers and Kubernetes.
Why use it
Falco watches kernel-level events (syscalls) inside containers and matches them against rules — "process spawning shell from web server", "secret file accessed", "container escape attempt". The de-facto runtime security layer for Kubernetes.
What you get
- Kernel-level syscall observation via eBPF or kernel module
- Pre-built rule packs for Kubernetes, containers, hosts
- Custom rules in YAML
- Output to stdout, files, gRPC, syslog, webhook
- Falcosidekick for routing alerts to 50+ destinations
System requirements
| Requirement | Value |
|---|---|
| CPU | 1 core per node |
| RAM | 512 MB per node |
| Disk | 500 MB |
| OS | Linux (kernel 5.8+ for modern eBPF) |
| Docker | Yes |
Installation
- On Kubernetes: helm install falco falcosecurity/falco
- Standalone: curl -s https://falco.org/repo/falcosecurity-packages.asc | sudo apt-key add - && sudo apt install falco
- Test by spawning a shell in a container — Falco will fire the rule "Terminal shell in container".
Suggested configuration
Enable the falco_rules.yaml and falco-incubating_rules.yaml packs. Tune for false positives via customRules overrides — never edit the shipped rules. Use Falcosidekick to forward to your SIEM (Wazuh, Elastic), and to Slack/Teams for high-severity events.
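As an added example (not from the Falco project or this page), here is what a customRules override looks like as Helm values for the falcosecurity/falco chart. It does two things: it whitelists interactive shells in a couple of assumed debug images by overriding the opt-in macro that the shipped "Terminal shell in container" rule references (macro name and Falco 0.36+ override syntax as I know them; the image names are placeholders for your own), and it adds a new rule that alerts when something other than your application binary reads the mounted service-account token. The Falcosidekick block is a minimal Slack routing stanza; the webhook URL is a placeholder.

```yaml
# values.yaml for: helm upgrade --install falco falcosecurity/falco -f values.yaml
# Added example. The shipped rule packs are left untouched; everything below
# lands in its own file that Falco loads after falco_rules.yaml.
customRules:
  homelab-rules.yaml: |-
    # Requires a Falco engine that understands the `override:` key (0.36+).
    - required_engine_version: 0.36.0

    # 1) Tuning a shipped rule without editing it.
    #    "Terminal shell in container" ends with
    #    "and not user_expected_terminal_shell_in_container_conditions",
    #    a macro that defaults to never matching. Replacing its condition
    #    is the supported way to add exceptions.
    #    Assumed debug images: replace with whatever you actually kubectl exec into.
    - macro: user_expected_terminal_shell_in_container_conditions
      condition: >
        (container.image.repository in
          (docker.io/library/busybox, docker.io/nicolaka/netshoot))
      override:
        condition: replace

    # 2) A new rule for the "secret file accessed" case.
    #    Any process not on the allow-list that reads the SA token fires a WARNING.
    - list: homelab_sa_token_paths
      items: [/var/run/secrets/kubernetes.io/serviceaccount/token]

    # Placeholder allow-list: the binaries in your pods that legitimately
    # talk to the API server (e.g. your app, a controller, kubectl in a job).
    - list: homelab_expected_token_readers
      items: [my-app, controller-manager]

    - rule: Service account token read by unexpected process
      desc: >
        A process other than the expected application binary read the mounted
        Kubernetes service-account token. Common first step after a web shell
        or container compromise.
      condition: >
        open_read and container
        and fd.name in (homelab_sa_token_paths)
        and not proc.name in (homelab_expected_token_readers)
      output: >
        Service account token read by unexpected process
        (user=%user.name proc=%proc.name cmdline=%proc.cmdline
         parent=%proc.pname container=%container.name
         image=%container.image.repository:%container.image.tag)
      priority: WARNING
      tags: [custom, k8s, secrets, mitre_credential_access]

# Route alerts out through Falcosidekick (sub-chart bundled with the Falco chart).
# Only WARNING and above reach Slack; the full stream still goes to stdout/your SIEM.
falcosidekick:
  enabled: true
  config:
    slack:
      webhookurl: "https://hooks.slack.com/services/REPLACE_ME"   # placeholder
      minimumpriority: "warning"
```

Two things worth checking after applying this: `kubectl logs` on a Falco pod should show the custom file being loaded with no validation errors, and a deliberate `cat /var/run/secrets/kubernetes.io/serviceaccount/token` from a shell in one of your own pods should produce the new WARNING while `kubectl exec` into a netshoot pod no longer produces the shell notice. If either does not happen, run `falco --validate /path/to/homelab-rules.yaml` first; a typo in a field name is the usual cause.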
Integration ideas
- Falcosidekick → Slack, Teams, Discord, OpsGenie, etc.
- Forward to Wazuh / Elastic for unified detection
- Combine with Trivy for image-time + runtime coverage
Alternatives
- Tetragon — Cilium's newer eBPF-based runtime; powerful but younger ecosystem.
- Tracee — Aqua's alternative; different rule language.
Cyentrix verdict
If you run Kubernetes at home, install Falco. The default rules catch a startling amount of real-world attacker behaviour.