Falco is the First Runtime Security Project to join CNCF Incubation

JANUARY 8, 2020


  • Falco, originally created by Sysdig in 2016, is approved to join the CNCF Incubator after a 257 percent increase in downloads.

  • The CNCF’s only open source Kubernetes runtime security project has more than 8.5 million downloads as runtime security becomes cemented as a standard component of the cloud-native stack.

SAN FRANCISCO — Jan. 8, 2020 — Sysdig, Inc., the secure DevOps leader, today announced that Falco, the open source cloud-native runtime security project originally created by Sysdig, has been accepted as a Cloud Native Computing Foundation® (CNCF®) incubation-level hosted project. Falco entered the CNCF as a Sandbox Project in October 2018, the first and still the only runtime security technology to join. In the event of unexpected behavior at runtime, Falco detects and alerts, reducing the risk of a security incident.

Gartner analysts predict that “by 2021, more than 75% of midsize and large organizations will have adopted a multicloud and/or hybrid IT strategy.” A business benefit of cloud environments operated by Kubernetes includes shorter software production cycles and consistency across multicloud and hybrid deployments. As a result, organizations are standardizing on Kubernetes as a container orchestrator. The Sysdig Container Usage Report found that in 2019, 77 percent of Sysdig customers operated Kubernetes environments, a 26 percent increase over 2018.

Kubernetes provides easy access to infrastructure for development teams. However, securing Kubernetes requires putting controls in place to detect unexpected behavior. Common risks include exploits of unpatched and new vulnerabilities, insecure configurations, leaked or weak credentials, and insider threats that can be used as entry points into the application and to access data.

When operating a cloud-native environment, being able to detect anomalous activity is the last line of defense. This requires understanding unexpected service interactions between containers, without impacting performance. Falco efficiently leverages extended Berkeley Packet Filter (eBPF), a secure mechanism, to capture system calls to gain deep visibility. By adding Kubernetes application context and Kubernetes API audit events, teams can understand who did what.

“Runtime security is a critical piece in a cloud-native security story and essential for anyone taking cloud-native security seriously. Access control and policy enforcement are important prevention techniques, but runtime security is needed to detect threats that evade preventions,” said Kris Nova, Chief Open Source Advocate at Sysdig.

Security for cloud-native systems is one of the few areas of the CNCF landscape that is still being standardized. Acceptance as an incubation-level hosted project signals that Falco is the de facto open source standard for cloud-native runtime security. Falco is trusted by government agencies, financial institutions, Fortune 2000 enterprises, and web-scale companies.

“It is great to see Falco advance within the CNCF to the incubating stage. As cloud-native technologies and our ecosystem matures, focus rightly shifts towards security. Falco fills a key gap in the cloud-native security landscape around intrusion detection. Combined with other projects and technologies on the prevention side, we have a comprehensive open source toolkit to enable an enhanced security posture for those investing in cloud native,” said Joe Beda, Principal Engineer at VMware and CNCF TOC Member.

Falco’s accomplishments since joining the CNCF

  • 100 percent increase in commits year-over-year
  • 64 committers
  • More than 2000 GitHub stars
  • 55 contributors, including engineers from Frame.io, Shopify, Snap, and Booz Allen Hamilton
Since joining the CNCF, the Falco community focused on making Falco easier to adopt and make contributions. A governance model, an outline that sets guidelines and standards for both contributors and maintainers to ensure the project’s compliance and health, was implemented during the last year. Falco was also made available in the Google marketplace and included in the launch of several major cloud projects, including AWS Firelens and Google Anthos. The Falco community created an operator that is available in the OperatorHub.io.

One of the major challenges of operating containers is defining the complex rules and configurations. At KubeCon + CloudNativeCon, Sysdig announced the Cloud-Native Security Hub, a repository for discovering and sharing Kubernetes security best practices and configurations. The hub currently hosts Falco rules. During the next phase, the Falco community will scale the scope to include rules and configurations for other Kubernetes security tools.

The future of Falco

“We created Falco because the cloud demands runtime security. Sysdig contributed Falco to the CNCF because innovation is stifled when core technology is controlled by a single provider,” said Loris Degioanni, Sysdig Founder and Chief Technology Officer. “Enterprises that want support, automation, and defined workflows can use Sysdig’s commercial product that incorporates Falco. Other organizations will choose to build their own tools using Falco. Now that Falco is an incubation-level hosted project, we expect that it will become a standardized component of the stack.”

While in the CNCF Incubator, the Falco community will continue to drive end user adoption. The main focus will be on making Falco easier to consume and integrate in cloud-native environments. This includes moving components of Falco to an API-first architecture, which enables the community to begin developing integrations with other tools, including Prometheus, Envoy, and Kubernetes.

To get started with Falco, visit its Falco GitHub page. To get involved, join the Falco Slack channel and attend the weekly office hours calls to discuss feature work, open issues, and repository planning.

Learn more about Falco on the blog and follow on Twitter

[1]Gartner, Technology Insight for Network Security Policy Management, Rajpreet Kaur, Adam Hils, John Watts February 21, 2019

Media Contact

Amanda McKinney, 280blue, Inc.
[email protected] 

Sysdig Logo

In the cloud, every second counts. Attacks move at warp speed, and security teams must protect the business without slowing it down. Sysdig stops cloud attacks in real time, instantly detecting changes in risk with runtime insights and open source Falco. Sysdig, rated #1 for CSPM in the Gartner Peer Insights “Voice of a Customer” report, correlates signals across cloud workloads, identities, and services to uncover hidden attack paths and prioritize real risk. From prevention to defense, Sysdig helps enterprises focus on what matters: innovation.

Sysdig. Secure Every Second.