Falco for Kubernetes runtime security (eBPF, Rules, Tuning & Alerts)
Runtime attacks don’t wait for your next scan. Falco detects suspicious behavior in real time across Kubernetes, containers, and Linux hosts—using syscall signals (eBPF/kernel module) plus a rule engine and plugins. In ~10 minutes, Sysdig Managing Editor Kat Zivkovic breaks down how Falco works end-to-end, where it fits in a modern cloud-native security stack, and how to operationalize it without drowning in noise.

In this video:
- What Falco is (and what it’s not): runtime behavioral detection vs. static scanning
- How Falco works: event capture → enrichment → rules → alerts
- Drivers: modern eBPF probe vs kernel module (tradeoffs + compatibility)
- What Falco can catch: shells in containers, writes to /etc, privilege escalation patterns, unexpected outbound connections
- Plugins & ecosystem: Kubernetes audit logs, cloud events, custom sources
- Practical rollout: start small, tune rules, route alerts to your workflow (Slack/SIEM/PagerDuty), measure overhead

Getting started checklist (practical):
- Install Falco (Kubernetes via Helm or on hosts)
- Start with default rules
- Forward outputs to where engineers live (Slack/SIEM/alerts)
- Tune noisy rules + baseline “normal” behavior
- Expand with plugins + map to incident workflows (MITRE/NIST)

Links:
- Falco: https://falco.org/
- GitHub: https://github.com/falcosecurity/falco
- CNCF project page: https://www.cncf.io/projects/falco/
- Sysdig Open Source community: https://community.sysdig.com
- What is Falco: https://www.sysdig.com/learn-cloud-na...

Chapters:
00:00 What is Falco?
01:16 How does Falco work?
03:15 Falco use cases
04:30 What makes Falco different
05:30 Planning your Falco adoption
06:07 Getting started with Falco
07:25 Falco best practices & troubleshooting

#Falco #kubernetessecurity #ebpf #containersecurity #devsecops #cloudsecurity #cncf #threatdetection #linuxsecurity #platformengineering #securityengineering


