Falco is an open-source runtime security project under the CNCF that detects unexpected behavior at the system call level. It uses a flexible rules engine to define suspicious patterns such as shell execution in containers or unexpected network activity. Falco can alert, log, or trigger automated responses when rules are matched, supporting Kubernetes and container environments. The project integrates with SIEMs and incident response tools to provide context and automate workflows. Falco is popular for cloud-native runtime protection and for monitoring both hosts and containerized workloads.
Details

Deployment mode
- Cloud, SaaS, web-based
- On-premise Linux

Training and support
- Free trial available: No
- Available trainings: No