Open Source Container Native Runtime Security.
A CNCF Sandbox project.

What it Does

Visibility into the behavior of your containers & applications.

Define what activity is considered normal for your containerized applications & be notified when an application deviates.

Avoid common container anti-patterns with a predefined rule set.

Extend the rule set for your specific container security requirements using Sysdig's powerful system level filtering language.

Notify other systems or humans of abnormal behavior.

Trigger a variety of systems when abnormal behavior is detected from logging systems, messaging platforms, pub/sub providers, or Serverless functions.

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications, containers, and Cloud Native platforms.

Powered by Sysdig’s kernel level observability, Falco lets you continuously monitor container, application, host, and network activity, alerting on behavior that’s defined as abnormal.

Container Visibility

Rich Rule Set

Take Action

Key Features

Kubernetes aware

Build rules specific to your Kubernetes clusters to enforce policy across all your containers & microservices.


Runtime Security built for containers. Built from the ground up to natively support container runtimes.

See everything

Complete container visibility through a single daemon. Easily build rules and get informed immediately.

Designed for us

Designed with a easy to learn rule set, Falco makes your entire team productive in minutes.


Custom rules to allow you to adapt Falco to enforce your organization's container security policy.

Downloads + Resources.

Get started today.

Sysdig Monitor

Project website

Learn more at the project's website.

Sysdig Monitor


Jump over to our GitHub page to contribute to our open source ecosystem.

Sysdig Monitor


Get started with our Falco Installation Guides.

Sysdig Monitor


Visit our wiki where you can find information on installing Falco.

Sysdig Monitor

On-Demand Webinar

Kubernetes Open-Source Security: Falco + NATS + kubeless demo.

Join us to learn about container runtime security, and how to secure your container runtime environment with Falco and Kubeless.…

- Hosted by Michael Ducy

Watch webinar on-demand
Sysdig Monitor

On-Demand Webinar

Container Runtime Security with Sysdig Falco.

While there have been many improvements around securing containers, there is still a large gap in monitoring the behavior of…

- Hosted by Michael Ducy, Director of Community and Evangelism, Sysdig

Watch webinar on-demand

Stay up to date

Sign up for our monthly Cloud-native News.

Sysdig Monitor

Find out the Latest

Falco 0.10.0 released.

We are happy to announce the release of Falco 0.10.0. This release incorporates a number of improvements focused on making…

Want more power?

Like the power Falco gives you? Check out Sysdig Secure, a services-aware approach to run-time security and forensics.