
Sysdig: How Project Falco is strengthening cloud runtime security

Cloud happened. But public cloud computing in its earliest iterations was all about flexibility of service, the breadth of the backbone and the (once almost unfathomable) notion that enterprise computing could shift to a Software-as-a-Service (SaaS) model in which an organisation’s datacentre footprint no longer physically resided on company premises. What early cloud did not do was provide an appropriate level of security. Since then, of course, we have adopted the private cloud for on-premises control, the hybrid model for flexibility and the so-called public-private cloud, where multi-tenant spaces are conscientiously managed. So what happens next in cloud security?

Fast forward a couple of decades to where we are now and the whole technology proposition has shifted. This progression has given rise to a number of key projects that have been engineered to provide much-needed cloud configuration, composable compartmentalisation and – crucially – new advances in security-centric cloud management.

Forward to Falco

Among the more vibrant projects at this level is Falco, an open source runtime security platform that engineers use to detect and respond to suspicious behaviour on Linux hosts, in containers and in the applications they run. Falco is today a CNCF graduated project. It was originally created by Sysdig and designed to work with Kubernetes, but it is not limited to Kubernetes: in operational use it also provides runtime security monitoring for other container orchestration platforms and for standalone container deployments.

Sister projects to Falco itself include Falco Talon, a “response engine” for Falco that automates responses to threats detected in Kubernetes clusters. It lets users define rules that trigger specific actions when Falco raises an alert, which makes it, in essence, a way of automating threat mitigation. Another sister is Stratoshark, a sibling application to Wireshark built on Falco’s libraries, which lets cloud engineers analyse system calls and log messages in order to understand, troubleshoot and secure running software systems.

Looking more directly at Falco, it provides runtime security across hosts, containers, Kubernetes and cloud environments. Its detections are expressed as rules: YAML-defined conditions, written in Falco’s own filter language, that describe the behaviour that should raise an alert (such as a shell being spawned inside a container) together with the message to emit when it does. Falco evaluates these rules against Linux kernel events and, through plugins, against other data sources, enriching each event with contextual metadata such as the container image and the Kubernetes namespace and pod before delivering a real-time alert. That is how Falco detects abnormal behaviour, potential security threats and compliance violations.

Falco’s primary data source is the stream of system calls, the requests that processes make to the Linux kernel to open files, start programs, connect to the network and so on. It collects them in kernel space with a kernel module or an eBPF (extended Berkeley Packet Filter) probe, then matches the event stream against its rules to surface actions that should not be taking place.
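To make the rules mechanism concrete, here is a small Falco rules file written for this article. It is an added example, not a rule shipped by the Falco project or by Sysdig. It declares lists and macros, a rule that fires when an interactive shell is started inside a container (note the container and Kubernetes fields in the output, which is the enrichment described above), and a second entry that appends to the same rule’s condition to exclude a known-good parent process, which is the kind of tuning that out-of-the-box rules usually need. The field names (`evt.type`, `proc.name`, `container.id`, `k8s.ns.name` and so on) and the `override` directive are Falco’s own (the directive requires Falco 0.37 or later); the `trusted_debug_parents` list and its contents are assumptions made up for the example.

```yaml
# Added example for this article; not a rule shipped with Falco.
# Lists and macros are reusable fragments; rules are what raise alerts.

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Assumption for the example: parents that legitimately spawn shells in pods
- list: trusted_debug_parents
  items: [kubectl, entrypoint.sh]

# A process has just been created (execve/execveat returned to the caller)
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# The event came from inside a container, not from the host itself
- macro: container
  condition: container.id != host

- rule: Interactive shell started in container
  desc: >
    An interactive shell was started inside a container. Production
    containers rarely need one, so this is a useful signal of a breakout
    attempt, a webshell or an operator debugging session.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and proc.tty != 0
  # The output is enriched with container and Kubernetes metadata at match time
  output: >
    Shell in container (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.name
    image=%container.image.repository:%container.image.tag
    namespace=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]

# Tuning: reuse the rule name and append to its condition instead of copying
# the whole rule. Placed after the rule above (or in a rules file loaded
# later), this drops matches whose parent process is in the trusted list.
- rule: Interactive shell started in container
  condition: and not proc.pname in (trusted_debug_parents)
  override:
    condition: append
```

Keep tuning entries like the last one in a separate file that is loaded after the upstream rules, so that a rules update does not silently revert the exclusions; and review the exclusion list itself, since an attacker who can spawn a process named like a trusted parent inherits the exemption.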

An expanded audit event collection 

“It’s been just over a year since open source Falco graduated from the Cloud Native Computing Foundation (CNCF) during KubeCon EU 2024 and the momentum hasn’t slowed down,” wrote Loris Degioanni, Sysdig founder and chief technology officer on his company’s own technology blog. “From advancements in real-time threat response and expanded audit event collection across cloud-native environments, to reaching 150 million downloads and even new open source technologies like Stratoshark being built on Falco’s libraries, the project continues to evolve rapidly.”

Detailing some of the key Falco developments in recent weeks and months, Degioanni talks of the above-mentioned Falco Talon, Falco for Windows, Falco plugins, Falco Feeds and the work of Falco maintainers on the road ahead.

Named after a falcon’s talons, Falco Talon can be described as a no-code tool that offers an experience similar to Falco Rules (the pre-defined detections for various security threats) and uses familiar YAML files with append and override mechanisms. It lets security engineers define “sequential response actions” (a chain of actions in which each one may or may not trigger the next) while receiving structured log output carrying a Trace ID. For completeness, a Trace ID is a unique identifier that follows a single request as it travels through multiple interconnected services or components in a system, so the log lines produced by one alert and the responses to it can be tied together. Falco Talon is all about giving DevOps teams the flexibility to fine-tune event matching and override default rules as needed.
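As an added illustration, not a rule shipped with Falco Talon, here is what a Talon rules file for the shell-in-container case might look like: named actions declared once, and a rule that runs them in sequence when a matching Falco alert arrives, restricted by output fields so that system namespaces are left alone. The structure (actions declared with an `actionner`, rules matching on `rules`, `output_fields` and `priority`) and the `kubernetes:label`, `kubernetes:networkpolicy` and `kubernetes:terminate` actionners follow the Talon documentation as I understand it; treat the exact parameter and option names as assumptions to check against the Talon version you deploy. The Falco rule name, the label key and the CIDR are made up for the example.

```yaml
# Added example for this article; not a rule shipped with Falco Talon.
# Actions are declared once and referenced by name from rules.

- action: Label pod as suspicious
  actionner: kubernetes:label
  parameters:
    labels:
      security.example.com/suspicious: "true"   # label key is an assumption

- action: Isolate pod
  actionner: kubernetes:networkpolicy     # deny-by-default policy on the pod
  parameters:
    allow_cidr:
      - 10.0.0.0/8        # assumption: keep cluster-internal access for forensics

- action: Terminate pod
  actionner: kubernetes:terminate
  parameters:
    ignore_daemonsets: true
    ignore_statefulsets: true
    grace_period_seconds: 0

# Sequential response: actions run in the order listed, so evidence is
# labelled and the pod is isolated before anything is destroyed.
- rule: Shell in container
  match:
    rules:
      - Interactive shell started in container   # the Falco rule to react to
    priority: ">=Warning"
    output_fields:
      - k8s.ns.name!=kube-system
      - k8s.ns.name!=falco
  actions:
    - action: Label pod as suspicious
      ignore_errors: true    # assumption: carry on even if labelling fails
    - action: Isolate pod
    - action: Terminate pod
```

The order matters for incident response: labelling and network isolation preserve the evidence and stop lateral movement, and termination comes last because it destroys the container filesystem that a forensic follow-up would want to read.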

Falco for Windows

Building on the same YAML-based detection rule logic used in open source Falco, the Sysdig team developed Falco for Windows as an integral component of the Sysdig platform. It is designed to detect threats in real time directly from the Windows kernel. Similar to how Falco operates on Linux (collecting system calls through a kernel module or an eBPF probe), the Windows implementation keeps the familiar abstractions of Macros and Lists.

“The key difference lies in its approach to event collection. Instead of a kernel probe, the Windows agent leverages the Event Tracing for Windows (ETW) driver, providing an efficient and reliable method for monitoring Windows workload activity inside Kubernetes,” explained Degioanni.

Moving on to Falco Plugins, the Sysdig founder describes their role in integrating Falco (and Sysdig’s own platform) with third-party event sources. An active community of cloud-native developers has grown the plugin ecosystem by 40% since Falco’s CNCF graduation.

“The expanding list of Falco Plugins provides additional capabilities such as extended visibility to monitor additional services like Microsoft Entra ID (formerly Microsoft Azure Active Directory). These plugins become increasingly impactful as [any given] cloud environment grows and more SaaS services integrate with cloud-native systems,” said Degioanni. “This cloud-based identity and access management (IAM) service enables authentication and authorisation for Microsoft services, including Microsoft 365, MS Azure and their managed Kubernetes service (AKS).”
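To show how a plugin turns an external service into a Falco event source, here is an added example (not configuration shipped by the Falco project) using the Kubernetes audit log plugin, `k8saudit`, whose configuration and fields I can state with confidence; an identity plugin such as the Entra ID one mentioned above follows the same pattern with its own library and field names. The first part is a `falco.yaml` fragment that loads the plugin; the second is a rule whose `source` is the plugin’s event stream rather than syscalls. The port and `maxEventSize` value are typical choices, not required ones, and the rule itself is written for this article.

```yaml
# Added example for this article; not configuration shipped with Falco.

# --- falco.yaml fragment: load a plugin as an additional event source ---
plugins:
  - name: k8saudit
    library_path: libk8saudit.so
    init_config:
      maxEventSize: 262144           # drop oversized audit events (typical value)
    open_params: "http://:9765/k8s-audit"   # API server audit webhook posts here

load_plugins: [k8saudit]

# --- rules file: a rule over plugin events, not syscalls ---
- rule: Secret read by a human user
  desc: >
    A Secret object was read through the API by an account that is not a
    Kubernetes system component. Service accounts and controllers read
    secrets constantly; people rarely need to, so this is worth an alert.
  condition: >
    ka.verb = get and ka.target.resource = secrets
    and not ka.user.name startswith "system:"
  output: >
    Secret read (user=%ka.user.name secret=%ka.target.name
    namespace=%ka.target.namespace useragent=%ka.useragent)
  priority: WARNING
  source: k8s_audit              # ties the rule to the plugin's event source
  tags: [k8s, secrets, mitre_credential_access]
```

The `source` key is what keeps syscall rules and plugin rules apart: a rule with `source: k8s_audit` is only ever evaluated against events the plugin produces, and the `ka.*` fields it references exist only there.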

Customisability vs. complexity

The Falco Plugin architecture gives a high degree of customisability, but (as we all know all too well) customisable controls that offer flexibility also tend to introduce complexity, especially as systems scale. Mindful of this, the team highlights that while Falco provides a useful rules maturity matrix, its out-of-the-box rules still require tuning and validation before they accurately detect security threats within the unique constraints of a given Kubernetes cluster.

“Many managed detection and response solutions trade off flexibility for convenience, limiting the control teams expect from an open source project like Falco. Sysdig takes a different approach with Falco Feeds, a solution backed by the Sysdig Threat Research Team (TRT) that delivers enterprise-grade expert-written Falco rules via the falcoctl CLI tool. This allows teams to adopt new rules without the burden of ongoing maintenance or production downtime,” said Degioanni.

Falco in the future?

Looking ahead, Degioanni assures us that Falco’s journey is “far from over”. As cloud-native security threats grow in complexity, he says, Falco is moving toward deeper Kubernetes integration, a more sophisticated plugin system and greater automation in runtime security.

“Perhaps the most exciting development, though, is the growing synergy between Falco and Stratoshark. Together, they are setting the foundation for a new security paradigm – one where detection, investigation and response are seamlessly unified. Runtime security has always been about visibility, but as Kubernetes environments scale, visibility alone isn’t enough. Falco is tackling this by modernising its stack, making security more automated and easier,” explained the Sysdig founder.

That’s the official line on Falco and the world of open source runtime security platforms. We can certainly expect to hear more about third-party connections and integrations. There is a promise here of Falco and Stratoshark working in unison to pioneer a stronger approach to Kubernetes Detection and Response (KDR)… and that in a world where we still need reminding what KDR stands for, i.e. these are rapidly evolving technologies in a somewhat embryonic space. Looking ahead, we are promised a world in which security in Kubernetes environments shifts from isolated detection tools to fully integrated security lifecycles, as KDR itself becomes a more solidly codified standard in deployments that rely on fully automated systems capable of detecting, analysing and responding to threats in real time.