Falco is an open-source runtime security engine that monitors system calls and Kubernetes events to detect suspicious activity. It runs as a DaemonSet on Kubernetes nodes, hooking into the kernel via eBPF (extended Berkeley Packet Filter) to observe every syscall. When observed behavior matches a rule describing a threat pattern (e.g., a container trying to read /etc/shadow, an unexpected outbound connection, a privilege escalation), Falco emits an alert. Unlike vulnerability scanning, which finds known CVEs in code, Falco detects behavioral anomalies: a container doing something unexpected, even if the software it runs is fully patched.
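A small Falco rules file, added here as an illustration rather than taken from the page or from the Falco project's bundled ruleset, that encodes two of the patterns named above (a container reading /etc/shadow, and an unexpected outbound connection). The `open_read`, `container` and `outbound` macros are simplified definitions written for this example and the port list is an assumption; a real deployment would use Falco's default macros and tune the allow-list to its own traffic.

```yaml
# Constructed example rules, not Falco's default ruleset.
# Fields used (evt.*, fd.*, proc.*, user.*, container.*) are standard Falco fields.

# Simplified macros (assumptions for this example; Falco ships its own versions).
- macro: container
  condition: container.id != host

- macro: open_read
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_read=true
    and fd.typechar='f' and fd.num>=0

- macro: outbound
  condition: >
    evt.type=connect and evt.dir=< and fd.typechar=4
    and evt.rawres>=0

- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers]

# Ports this hypothetical workload is expected to talk to (assumption).
- list: allowed_egress_ports
  items: [53, 443]

- rule: Sensitive file read in container
  desc: A process inside a container opened a credential file for reading
  condition: open_read and container and fd.name in (sensitive_files)
  output: >
    Sensitive file read in container
    (user=%user.name proc=%proc.name cmdline=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, filesystem, credentials]

- rule: Unexpected outbound connection from container
  desc: A container connected to a remote port outside the expected allow-list
  condition: outbound and container and not fd.sport in (allowed_egress_ports)
  output: >
    Unexpected outbound connection
    (proc=%proc.name dest=%fd.sip:%fd.sport container=%container.name
    image=%container.image.repository)
  priority: NOTICE
  tags: [container, network]
```

Each rule fires once per matching syscall, so the `container` macro is what keeps host-side logins (which legitimately read /etc/shadow through PAM) from tripping the first rule.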