Falco is a runtime security tool that watches system calls on Linux hosts and fires alerts when they match suspicious patterns: a shell spawning inside a container, an unexpected write under /etc, a process opening a raw socket, a sensitive file being read. It was created by Sysdig and was the first runtime security project to graduate from the CNCF.
Falco gets its event stream from one of three kernel-side drivers: a classic kernel module, the legacy eBPF probe, or the modern eBPF probe, which is built with CO-RE so that one binary runs across kernel versions without recompilation (it needs a kernel of 5.8 or later with BTF enabled, so the legacy probe and the module remain useful on older kernels). Events flow into a userspace engine that evaluates them against rules written in a YAML DSL with macros and lists, so you can express things like "a process named bash exec'd inside a container whose image is not on this allow-list". Matched events are emitted as structured output (plain text or JSON) to stdout, files, syslog, an HTTP endpoint, or gRPC, or fanned out through Falcosidekick to Slack, webhooks, and SIEMs.
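The rule shape described above, written out as an added example that is not taken from the page or from the Falco project's default ruleset. The list name `allowed_shell_images`, the image repository in it, and the rule name are assumptions chosen for illustration; the `spawned_process` and `container` macros are redefined here, mirroring the defaults, so the file stands on its own.

```yaml
# Constructed example rules file for Falco (not part of the default ruleset).
# Run with it:        falco -r shell_in_container.yaml
# Validate it only:   falco -V shell_in_container.yaml

# A list is substituted textually wherever its name appears inside parentheses.
# The image repository below is hypothetical; replace it with your own.
- list: allowed_shell_images
  items: [docker.io/library/debug-tools]

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Macros are named condition fragments. These two mirror the default ruleset's
# macros of the same name and are redefined here so this file is self-contained.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: container
  condition: container.id != host

# The rule itself: a shell exec'd inside a container whose image repository is
# not on the allow-list. The condition is evaluated per syscall event; every
# rule whose condition matches produces an alert.
- rule: Shell Spawned in Unexpected Container
  desc: >
    A shell was exec'd inside a container whose image repository is not on the
    allow-list. Interactive shells in production containers usually mean a
    human operator or an attacker has a foothold on the workload.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and not container.image.repository in (allowed_shell_images)
  output: >
    Shell spawned in unexpected container
    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
    parent=%proc.pname container_id=%container.id container_name=%container.name
    image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]
```

Two details worth keeping: the allow-list compares `container.image.repository` rather than the full image string, so a retagged copy of an unapproved image cannot slip through on its tag alone, and the `evt.dir=<` in `spawned_process` restricts matching to the exit of the execve, where the new process's name and arguments are already populated.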
It runs as a DaemonSet on Kubernetes (one pod per node, because the driver has to be loaded into every kernel it watches) and ships with a large default ruleset whose rules are tagged with MITRE ATT&CK tactics and technique IDs and with a maturity level (stable, incubating, sandbox). Related projects include Falcosidekick (event fan-out), Falco Talon (automated response to Falco events), and the plugin framework that lets Falco ingest non-syscall sources such as Kubernetes audit logs, AWS CloudTrail, GitHub audit logs, and Okta system logs. The main alternative in the same space is Tetragon, which is also eBPF-based but integrates more tightly with Cilium and can enforce policy in-kernel (for example, killing the offending process) rather than only alerting; Falco itself only detects, and leaves response to Talon or external tooling.