What is Falco?
A runtime security tool that detects anomalous behavior in containers and on hosts by inspecting system calls via eBPF or a kernel module.
Falco is a cloud-native runtime security tool originally created by Sysdig and now a CNCF graduated project. It captures system calls at the kernel level (via an eBPF probe or a kernel module) and matches them against rules that describe suspicious behavior in containers and on the host: a shell spawned in a container, an unexpected outbound connection, privilege escalation, a write to a sensitive path such as /etc or a binary directory. Rules, macros and lists are written in YAML. Falco itself emits alerts to stdout, a file, syslog, an HTTP endpoint or gRPC; forwarding to Slack, Elasticsearch or a SIEM is usually done with the companion Falcosidekick project. Note that Falco detects rather than prevents: by the time a rule fires, the syscall has already executed, so it belongs in the detection and response layer alongside preventive controls such as seccomp profiles and admission policies. It is one of the most widely deployed tools for Kubernetes runtime threat detection.
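The "shell spawned in a container" case described above, written as a Falco rules file. This is an added example, not a rule shipped with Falco or taken from the project's default ruleset; the macro and list names (`container`, `spawned_process`, `shell_binaries`, `allowed_shell_parents`) and the parent-process allowlist are assumptions for illustration, while the field names (`evt.type`, `evt.dir`, `container.id`, `proc.name`, `proc.pname`, `user.name`, `container.image.repository`) are real Falco fields.

```yaml
# Added example of a Falco rules file; not part of the original page or the
# Falco default ruleset. Macro/list names and the allowlist are illustrative.

# A macro is a reusable condition fragment. "host" is the container.id value
# Falco reports for processes running outside any container.
- macro: container
  condition: container.id != host

# Process creation is observed on the exit ("<") side of execve/execveat,
# when proc.* fields for the new image are populated.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# Lists are plain value sets that can be referenced in conditions.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Hypothetical allowlist of parent processes permitted to spawn a shell
# (for example an init or supervisor binary in a known-good image).
- list: allowed_shell_parents
  items: [entrypoint.sh]

- rule: Shell Spawned in Container
  desc: >
    A shell binary was executed inside a container. Interactive shells are
    rarely part of normal workload behavior and often indicate a compromised
    container or an operator bypassing change control.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and not proc.pname in (allowed_shell_parents)
  # %field placeholders are expanded from the triggering event.
  output: >
    Shell spawned in container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Validate the file before loading it with `falco -V rules.yaml`, then run it with `falco -r rules.yaml`. Because a rule fires after the execve has completed, the output fields are what a responder needs to pivot on: the parent process and command line tell you whether this was a `kubectl exec` by an operator or a reverse shell dropped by an exploit, and the image repository tells you which workload to triage.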
More Security Terms
DevSecOps
Integrating security practices into every stage of the DevOps pipeline.
JWT (JSON Web Token)
A compact, self-contained token format for transmitting claims between parties.
mTLS (Mutual TLS)
Two-way TLS authentication where both client and server verify each other's certificates.
OAuth2
An authorization framework allowing third-party apps limited access to user accounts.
OIDC (OpenID Connect)
An identity layer on top of OAuth2 that provides user authentication.
OPA (Open Policy Agent)
A general-purpose policy engine for enforcing authorization decisions across the stack.