Enterprise Falco

Sysdig Secure extends Falco’s rich detection for easier security policy management across the container lifecycle


Falco, the open-source cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco was created by Sysdig in 2016 and is the first runtime security project to join CNCF as an incubation-level project. Falco detects unexpected application behavior and alerts on threats at runtime.

Falco requires a driver that listens to the Linux kernel. This driver can be either a kernel module or an eBPF probe.

By tapping into the Sysdig open-source libraries to capture Linux system calls, Falco can run in high-performance production environments. Falco also ingests Kubernetes API audit events to provide runtime detection and alerting for orchestration activity. By adding Kubernetes application context, teams can understand exactly who did what.

Why Falco?

Signature-based approaches are engaged in a never-ending game of catch-up with the constant stream of new threats. Behavioral-monitoring approaches, in contrast, look at what is actually happening on a system and can alert immediately when something malicious occurs.

With Falco, you can create detection rules to define unexpected application behavior. These rules can be enriched via context from the cloud provider and Kubernetes environments. Your teams can detect policy violations using community-sourced detections of malicious activity and CVE exploits. They can then alert by plugging Falco into your current security response workflows and processes.

Benefits of using Falco for Runtime Detection


Strengthen container security

The flexible rules engine allows you to describe any type of host or container behavior or activity.


Reduce risk via immediate alerts

You can immediately respond to policy violation alerts and integrate Falco within your response workflows.


Leverage most current detection rules

Falco's out-of-the-box rules alert on malicious activity and CVE exploits.
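The detection rules described above (rules that define unexpected behavior, enriched with container and Kubernetes context, and a rules engine that can describe host or container activity) look like the following in practice. This is an added example rule file, not code from the page or from the Falco project; the macro and list names prefixed with `demo_` are chosen so the file loads stand-alone without clashing with the default rule set, and the allowed image is a constructed placeholder.

```yaml
# Added example (not from the page or the Falco project). Loads on its own with:
#   falco -r demo_shell_in_container.yaml
# The fields used (evt.type, evt.dir, proc.*, container.*, k8s.*) are standard
# Falco output fields; the demo_ names below are defined here, so the file does
# not depend on falco_rules.yaml.

- list: demo_shell_binaries
  items: [bash, sh, zsh, dash, ash, ksh]

# Constructed placeholder: images where an operator shell is an accepted
# debug workflow. Tune this list for your own environment.
- list: demo_allowed_debug_images
  items: ["docker.io/library/busybox"]

# A process exec has completed (the exit side of execve/execveat).
- macro: demo_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Host events carry container.id=host; anything else is inside a container.
- macro: demo_in_container
  condition: container.id != host

- macro: demo_is_shell
  condition: proc.name in (demo_shell_binaries)

- rule: Demo Interactive Shell in Container
  desc: >
    An interactive shell (one attached to a tty) was started inside a running
    container. Treated as a policy violation because a container should run
    its entrypoint, not an operator shell; known debug images are excluded.
  condition: >
    demo_spawned_process and demo_in_container and demo_is_shell
    and proc.tty != 0
    and not container.image.repository in (demo_allowed_debug_images)
  output: >
    Interactive shell in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository
    k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell]
```

The `k8s.*` output fields are what gives the alert the "who did what, where" context the page refers to; on a non-Kubernetes host they render as `<NA>`, and the rule still fires on the syscall evidence alone.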

How Sysdig Secure Extends Falco

Sysdig Secure leverages the Falco engine under the hood for runtime security. Sysdig Secure saves time in creating and maintaining policies.



Sysdig Secure extends the open-source Falco detection engine to provide comprehensive security across the Kubernetes lifecycle. Sysdig Secure allows you to:

  • Block threats by extending Falco’s detection capabilities with prevention (Pod Security Policies) and automated responses that don’t impact performance
  • Ease the burden of creating and updating runtime Falco rules with ML-based profiling, a flexible Policy Editor to customize rules, and an extensive curated Rules Library
  • Generate fewer false positives by tuning Falco-based policies for your own environment
  • Embed security across the DevOps process with image scanning, security monitoring, forensics, incident response, and audit
  • Validate compliance using out-of-the-box checks and runtime policies that map to compliance standards like NIST and PCI

Sysdig Secure and Falco Feature Comparison

General

Feature | Sysdig Secure | Falco
--- | --- | ---
Licensing | Sysdig proprietary licensing plus open-source components | Open source, Apache v2 license, CNCF project
Installation | DaemonSet via Helm; package manager; Docker container | DaemonSet via Helm; package manager; Docker container
Installation support | Supported by Sysdig | Community supported

Detection

Feature | Sysdig Secure | Falco
--- | --- | ---
Runtime detection | |
Detects anomalous behavior on new logins, file access, network, system calls, storage writes | |
eBPF probe | |
Kernel module probe | |
Detects anomalous behavior on Kubernetes API calls | |
Metadata context | Cloud (AWS), host, container and Kubernetes labels plus others (Docker Swarm, ECS, etc.) with high-performance indexing | Container and Kubernetes labels

Prevention

Feature | Sysdig Secure | Falco
--- | --- | ---
Deployment prevention | Admission Controller |
Runtime prevention | Pod Security Policy Advisor |

Response

Feature | Sysdig Secure | Falco
--- | --- | ---
Block threats and attacks | |
Stop container | |
Pause container | |
Kill container | |
Capture activity (pre- and post-incident) for incident response | |
Default notification channels | Slack, PagerDuty, Email, Webhook, VictorOps, OpsGenie, AWS SNS | Requires third-party components
Open framework alert exporters | |
Event forwarder | High-performance forwarder to SIEM |

Policy Management

Feature | Sysdig Secure | Falco
--- | --- | ---
Centralized, highly scalable rule management across clusters and clouds | |
Web UI for easier policy creation and customization | |
Automated image profiles provided by machine learning | |
Out-of-the-box rules library | Sysdig curated and supported | Community created
Compliance tags for Falco rules | |
API to automate configuration | |
Terraform provider to manage security as code | |

Additional Security

Feature | Sysdig Secure | Falco
--- | --- | ---
Audit (record of all commands executed on hosts/containers) | | You can build your own with an external database
Image scanning (configuration validation, secrets scanning, vulnerability scanning, reporting, alerting, CI/CD and registry integrations, etc.) | Read more about Sysdig Secure |
Compliance (CIS Benchmarks, PCI controls, NIST 800-190 controls) | Continuously enforce across the lifecycle | You can create compliance rules applied only at runtime
Incident response and forensics | |
Infrastructure and application monitoring and troubleshooting | |

Other Services

Feature | Sysdig Secure | Falco
--- | --- | ---
Support | Included with subscription |
Technical Account Management | Contact Sales |

Enterprise Falco with Sysdig Secure

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications, containers, and Cloud Native platforms.

Powered by Sysdig’s kernel level observability, Falco lets you continuously monitor container, application, host, and network activity, alerting on behavior that’s defined as abnormal.

Screenshots: Threat Detection Policy, Rules Library, Remediation Actions.
