Falco for Kubernetes runtime security (eBPF, Rules, Tuning & Alerts)

Runtime attacks don’t wait for your next scan. Falco detects suspicious behavior in real time across Kubernetes, containers, and Linux hosts—using syscall signals (eBPF/kernel module) plus a rule engine and plugins. In ~10 minutes, Sysdig Managing Editor Kat Zivkovic breaks down how Falco works end-to-end, where it fits in a modern cloud-native security stack, and how to operationalize it without drowning in noise. In this video: - What Falco is (and what it’s not): runtime behavioral detection vs. static scanning - How Falco works: event capture → enrichment → rules → alerts - Drivers: modern eBPF probe vs kernel module (tradeoffs + compatibility) - What Falco can catch: shells in containers, writes to /etc, privilege escalation patterns, unexpected outbound connections - Plugins & ecosystem: Kubernetes audit logs, cloud events, custom sources - Practical rollout: start small, tune rules, route alerts to your workflow (Slack/SIEM/PagerDuty), measure overhead Getting started checklist (practical): - Install Falco (Kubernetes via Helm or on hosts) - Start with default rules - Forward outputs to where engineers live (Slack/SIEM/alerts) - Tune noisy rules + baseline “normal” behavior - Expand with plugins + map to incident workflows (MITRE/NIST) Links: Falco: https://falco.org/ GitHub: https://github.com/falcosecurity/falco CNCF project page: https://www.cncf.io/projects/falco/ Sysdig Open Source community: https://community.sysdig.com What is Falco: https://www.sysdig.com/learn-cloud-native/what-is-falco Chapters: 00:00 What is Falco? 01:16 How does Falco work? 03:15 Falco use cases 04:30 What makes Falco different 05:30 Planning your Falco adoption 06:07 Getting started with Falco 07:25 Falco best practices & troubleshooting #Falco #kubernetessecurity #ebpf #containersecurity #devsecops #cloudsecurity #cncf #threatdetection #linuxsecurity #platformengineering #securityengineering