Enterprise Falco
Sysdig Secure extends Falco’s rich detection for easier security policy management across the container lifecycle
Falco, the open-source cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco was created by Sysdig in 2016 and is the first runtime security project to join CNCF as an incubation-level project. Falco detects unexpected application behavior and alerts on threats at runtime.
Falco requires a driver to listen to the Linux Kernel. This driver can either be:
- Extended Berkeley Packet Filter (eBPF) probe - a secure mechanism to run user code in the kernel
- Open-source kernel module
By tapping into sysdig open-source libraries through Linux system calls, it can run in high performance production environments. Falco also ingests Kubernetes API audit events to provide runtime detection and alerting for orchestration activity. By adding Kubernetes application context, teams can understand exactly who did what.
Why Falco?
Signature-based approaches are engaged in a never-ending game of catch up with the constant stream of new threats. Behavioral monitoring based approaches, in contrast, look at what is happening on a system and can immediately alert if something malicious occurs.
With Falco, you can create detection rules to define unexpected application behavior. These rules can be enriched via context from the cloud provider and Kubernetes environments. Your teams can detect policy violations using community-sourced detections of malicious activity and CVE exploits. They can then alert by plugging Falco into your current security response workflows and processes.
Benefits of using Falco for Runtime Detection
Strengthen container security
The flexible rules engine allows you to describe any type of host or container behavior or activity.
Reduce risk via immediate alerts
You can immediately respond to policy violation alerts and integrate Falco within your response workflows.
Leverage most current detection rules
Falco out-of-the box rules alert on malicious activity and CVE exploits.
How Sysdig Secure Extends Falco
Sysdig Secure leverages the Falco engine under the hood for runtime security. Sysdig Secure saves time in creating and maintaining policies.
Sysdig Secure extends the open-source Falco detection engine to provide comprehensive security across the Kubernetes lifecycle. Sysdig Secure allows you to:
- Block threats by extending Falco’s detection capabilities with prevention (Pod Security Policies) and automated responses that don’t impact performance
- Ease the burden of creating and updating runtime Falco rules with ML-based profiling, a flexible Policy Editor to customize rules, and an extensive curated Rules Library
- Generate fewer false positives by tuning Falco-based policies for your own environment
- Embed security across the DevOps process with image scanning, security monitoring, forensics, incident response, and audit
- Validate compliance using out of the box checks and runtime policies that map to compliance standards like NIST and PCI
Sysdig Secure and Falco Feature Comparison
Package manager
Docker container
Package manager
Docker container
Enterprise Falco with Sysdig Secure
Falco is a behavioral activity monitor designed to detect anomalous activity in your applications, containers, and Cloud Native platforms.
Powered by Sysdig’s kernel level observability, Falco lets you continuously monitor container, application, host, and network activity, alerting on behavior that’s defined as abnormal.
Threat Detection Policy
Rules Library
Remediation Actions
Get Started with Falco Today
Project website
Learn more at the project's website.