Sysdig’s Falco joins the Cloud Native Computing Foundation as a CNCF Sandbox Project.

OCTOBER 10, 2018


First Runtime Container Security Project joins CNCF, helping to make cloud-native architectures more secure

SAN FRANCISCO, October 10, 2018 – Sysdig, Inc., the cloud-native intelligence company, today announced Falco, the open source project for runtime container security from Sysdig, has joined the Cloud Native Computing Foundation® (CNCF®) as a Cloud Native Sandbox project and is the first runtime security technology to enter the Cloud Native Sandbox. The CNCF is a Linux Foundation® organization dedicated to advancing the development of cloud-native technologies. By accepting Falco, the CNCF is bringing awareness to runtime security and making it easier for the CNCF community to build more secure cloud-native applications.

Falco is designed to give DevSecOps visibility into the behavior of containers and applications. As cloud native becomes the default operating model for many organizations – large and small – new approaches are required to secure the containers and platforms application developers rely on. The highly dynamic nature of cloud-native environments demands security tooling with the ability to immediately detect and protect new containerized application instances. By tapping into the Linux kernel, Falco is able to provide near real-time detection of abnormalities and platform intrusions.

For more Falco milestones and what it means to be a CNCF Sandbox Project, read this blog post and view Falco on the CNCF website.

What Falco Brings to Cloud-Native Applications

Falco is able to shorten the security incident detection and response cycle in container and microservices architectures by providing runtime security that detects abnormal behavior at the application, file, system, and network levels. By tapping into the Linux kernel, Falco creates a stream of system call events, which enables Falco to apply rules and take action if a rule is violated, reducing the risk of a security breach.

Falco is an industry-trusted tool, most recently being awarded the InfoWorld Best of Open Source Software Award in the cloud computing category. By accepting Falco, the CNCF gains a single sensor with the ability to apply rules to a variety of different event sources. Coupled with other CNCF projects – Fluentd, NATS, and Kubernetes – Falco provides expanded visibility into potential security events and has the ability to take immediate actions like killing offending containers, notifying teams, and isolating Kubernetes nodes. Falco also provides metadata from sources such as the Kubernetes API server to enhance the data provided by the Linux kernel. This allows end users to create rules based on Kubernetes metadata, which can include rules applied to particular Kubernetes namespaces, deployments, or individual pods.

History of Open Source sysdig and Falco

Sysdig launched in 2013 with sysdig, an open source monitoring technology, and in 2016, Sysdig used the same core instrumentation technology to launch Falco. Open source technologies are at the root of Sysdig, and this step further builds on the commitment by Sysdig to the open source community.

With more than a million users relying on Sysdig open source security and troubleshooting tools, there is a broad community actively working together to define and share rule sets for common security exploits. This open approach provides the opportunity for faster response times to newly discovered exploits by providing the ability to share new rules for these exploits as they are discovered. By becoming a CNCF Sandbox Project and expanding the reach of Falco, the community behind the project will have access to a broader community to collaborate with and learn from.

“We’re proud to be able to contribute to the open source community in a larger way,” said Loris Degioanni, chief technology officer and founder of Sysdig. “Adding Falco to the Cloud Native Sandbox gives developers, operations, security, and other IT professionals access to our market-leading runtime security technology, which has more than 1.5 million downloads to date. Acceptance by the CNCF further reaffirms Falco’s approach to runtime container security.”

The Falco Roadmap

The Falco team will continue to work with the CNCF to build stronger integrations with the other CNCF technologies – current and future – with a major focus on three key areas: expanding the contributor base, increasing awareness of cloud-native security concerns, and providing a high-quality experience for the end-user community. The Falco roadmap includes expanded Kubernetes integrations, including the addition of Kubernetes audit events as a Falco event source, as well as Kubernetes network policy support. The roadmap also includes a Prometheus integration that enables Falco to expose detailed metrics using the OpenMetrics format.


Media Contact

Amanda McKinney

280blue, Inc.

About Sysdig

In the cloud, every second counts. Attacks move at warp speed, and security teams must protect the business without slowing it down. Sysdig stops cloud attacks in real time, instantly detecting changes in risk with runtime insights and open source Falco. Sysdig, rated #1 for CSPM in the Gartner Peer Insights “Voice of a Customer” report, correlates signals across cloud workloads, identities, and services to uncover hidden attack paths and prioritize real risk. From prevention to defense, Sysdig helps enterprises focus on what matters: innovation.

Sysdig. Secure Every Second.