Open Source Container Native Runtime Security.

A CNCF Sandbox project.

What it Does

Visibility into the behavior of your containers & applications.

Define what activity is considered normal for your containerized applications & be notified when an application deviates.

Avoid common container anti-patterns with a predefined rule set.

Extend the rule set for your specific container security requirements using Sysdig's powerful system level filtering language.

Notify other systems or humans of abnormal behavior.

Trigger a variety of systems when abnormal behavior is detected from logging systems, messaging platforms, pub/sub providers, or Serverless functions.

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications, containers, and Cloud Native platforms.

Powered by Sysdig’s kernel level observability, Falco lets you continuously monitor container, application, host, and network activity, alerting on behavior that’s defined as abnormal.

Container Visibility

Rich Rule Set

Take Action

Key Features

Kubernetes Aware

Build rules specific to your Kubernetes clusters to enforce policy across all your containers & microservices.


Runtime Security built for containers. Built from the ground up to natively support container runtimes.

See Everything

Complete container visibility through a single daemon. Easily build rules and get informed immediately.

Designed For Us

Designed with a easy to learn rule set, Falco makes your entire team productive in minutes.


Custom rules to allow you to adapt Falco to enforce your organization's container security policy.

Downloads & Resources

Get started today, contribute to the open source project, & learn more.

Sysdig Monitor

Project Website

Learn more at the project's website.

Sysdig Monitor


Jump over to our GitHub page to contribute to our open source ecosystem.

Sysdig Monitor


Get started with our Falco Installation Guides.

Sysdig Monitor


Visit our wiki where you can find information on installing Falco.

Sysdig Monitor


Kubernetes Open-Source Security: Falco + NATS + kubeless demo

Join us to learn about container runtime security, and how to secure your container runtime environment with Falco and Kubeless.…

Register for Webinar
Sysdig Monitor


Container Runtime Security with Sysdig Falco

While there have been many improvements around securing containers, there is still a large gap in monitoring the behavior of…

Register for Webinar

Stay up to date

Sign up for our newsletter to receive updates.

Find out the Latest

Falco 0.10.0 released.

We are happy to announce the release of Falco 0.10.0. This release incorporates a number of improvements focused on making…

Want more power?

Like the power Falco gives you? Check out Sysdig Secure, a services-aware approach to run-time security and forensics.