
Falco
Cloud native runtime security
Coldcast Lens
Falco is a runtime threat detection system for containers and Kubernetes. It watches system calls in real time through an eBPF probe (or a kernel module) and alerts when something suspicious happens: a shell spawning inside a container, sensitive file access, unexpected network connections. Think of it as a security camera for your containers.
If you're running containers in production and need runtime security monitoring, Falco is the CNCF-graduated standard. Tetragon does similar eBPF-based detection and adds enforcement (it can kill an offending process). KubeArmor restricts container behavior using eBPF and Linux Security Modules. Commercially, Sysdig (Falco's creator), Aqua Security, and CrowdStrike offer runtime security with better UIs and management.
The rule system is expressive. Rules are YAML conditions over event fields (syscall type, process name, file path, container image, user), composed from reusable macros and lists; a rule fires when its condition matches an event, so you describe the suspicious behavior rather than a baseline of "normal". The default ruleset catches common attacks out of the box.
The catch: Falco only detects; it does not block. It emits alerts (which Falcosidekick can route to Slack, webhooks, or a SIEM), and you need additional tools (KubeArmor, network policies) for prevention. Writing custom rules requires understanding Linux syscalls and container internals. False positives are common initially, and tuning rules for your workloads takes time. The modern eBPF probe needs a kernel with BTF support (roughly 5.8 and newer); older or locked-down hosts have to fall back to the legacy eBPF probe or the kernel module, which must be built for the host kernel.
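As an added example (not a rule shipped with Falco or written by the project), the following custom rules file shows the list/macro/rule structure described above and the `exceptions` block used to tune out a known false positive. The image name `registry.example.com/app` and the parent process `entrypoint.sh` are hypothetical values standing in for a workload that legitimately starts a shell at boot.

```yaml
# custom_rules.yaml - added example, not part of Falco's default ruleset.

# A list is a reusable set of values referenced inside conditions.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Macros are named condition fragments. "container.id != host" is true for
# any event that originated inside a container.
- macro: in_container
  condition: (container.id != host)

# Match the return ("<") of execve/execveat, i.e. a process that was
# actually spawned, not just attempted.
- macro: process_spawned
  condition: (evt.type in (execve, execveat) and evt.dir=<)

- rule: Shell Spawned in Container
  desc: An interactive shell binary was executed inside a container
  condition: >
    process_spawned and in_container and proc.name in (shell_binaries)
  # %field tokens in output are expanded with the event's field values.
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name
     image=%container.image.repository proc=%proc.cmdline
     parent=%proc.pname)
  priority: WARNING
  tags: [container, shell, mitre_execution]
  # Tuning: suppress the alert when a specific parent process in a specific
  # image starts the shell. Each entry in "values" is matched positionally
  # against "fields" using the comparison operators in "comps".
  exceptions:
    - name: known_entrypoint_shell
      fields: [proc.pname, container.image.repository]
      comps: [=, =]
      values:
        - [entrypoint.sh, registry.example.com/app]  # hypothetical workload
```

Validate the file with `falco -V custom_rules.yaml` before loading it, and prefer an `exceptions` entry over widening the condition when a single workload trips a rule: the exception keeps the detection intact for every other image.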
About
- Stars: 8,773
- Forks: 995