Falco

Sysdig Secure extends Falco’s rich threat detection for easier security policy management across containers and cloud


Falco, the open-source cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco was created by Sysdig in 2016 and is the first runtime security project to join CNCF as an incubation-level project. Falco detects unexpected application behavior and alerts on threats at runtime.

Falco requires a driver that captures system calls from the Linux kernel. This driver can be either a kernel module or an eBPF probe.

This instrumentation gives Falco deep visibility into all syscall activity (e.g. process execution, file access, network connections). Falco also natively ingests Kubernetes API audit logs to alert on suspicious orchestrator activity, and in cloud environments it ingests cloud audit logs to provide threat detection and alerting there as well. By adding Kubernetes and cloud context to each event, teams can see exactly who did what, and where.

Why Falco?

Signature-based approaches are locked in a never-ending game of catch-up with the constant stream of new threats. Behavior-based monitoring, in contrast, looks at what is actually happening on a system and can alert as soon as something malicious occurs, whether or not a signature exists for it.

With Falco, you write detection rules that describe unexpected application behavior. Rules are expressed as conditions over event fields and can be enriched with context from the cloud provider and the Kubernetes environment (namespace, pod, image, user). Teams can detect policy violations using community-sourced rules for malicious activity and CVE exploits, and route the resulting alerts into their existing security response workflows and processes.
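As an added example (not part of Sysdig's or the Falco project's own rulesets), the file below shows the two kinds of rule the text describes: a syscall rule that uses container and Kubernetes metadata fields, and a Kubernetes audit-log rule. The field names (`evt.*`, `proc.*`, `container.*`, `k8s.*`, `ka.*`) are standard Falco filter fields; the rule names, the `prod` namespace and the list of package-manager binaries are illustrative assumptions.

```yaml
# Added example: a small self-contained Falco rules file.
# Not taken from the default Falco ruleset; rule names, the binary list and
# the "prod" namespace are assumptions chosen for illustration.

- list: package_mgmt_binaries
  items: [apt, apt-get, apk, yum, dnf, pip, pip3, npm]

# Events with container.id == "host" come from the host itself.
- macro: container
  condition: (container.id != host)

# A process has actually been spawned when execve/execveat returns (evt.dir = <).
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir = <)

# Syscall-source rule: a package manager running inside a container is
# unexpected for an immutable image and is a common post-exploitation step.
# The output line pulls in container and Kubernetes context for triage.
- rule: Package manager launched in container
  desc: Detect package management tooling executed inside a running container
  condition: >
    spawned_process and container
    and proc.name in (package_mgmt_binaries)
  output: >
    Package manager launched in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
     container=%container.name image=%container.image.repository
     namespace=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, process, mitre_persistence]

# Kubernetes audit-source rule: exec/attach into any pod of a sensitive
# namespace. Only fires when Falco is fed the Kubernetes API audit log.
- rule: Exec into pod in sensitive namespace
  desc: Detect kubectl exec / attach against pods in the prod namespace
  condition: >
    ka.verb = create
    and ka.target.resource = pods
    and ka.target.subresource in (exec, attach)
    and ka.target.namespace = prod
  output: >
    Exec/attach into pod in sensitive namespace
    (user=%ka.user.name pod=%ka.target.name namespace=%ka.target.namespace
     action=%ka.target.subresource command=%ka.uri.param[command])
  priority: NOTICE
  source: k8s_audit
  tags: [k8s, mitre_execution]
```

The file defines its own `container` and `spawned_process` macros so it loads on its own (for instance with `falco -r custom_rules.yaml`) without depending on the default ruleset; when loaded alongside the default rules the definitions are identical, so nothing changes. The Kubernetes rule is a good illustration of why context matters: the same `exec` that is routine in a developer namespace is worth an alert in `prod`, and the `%ka.user.name` field tells the responder who did it.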

Benefits of using Falco for Runtime Detection


Strengthen container and cloud security

Common policy language to detect threats across containers, hosts, Kubernetes and cloud.


Reduce risk via immediate alerts

You can immediately respond to policy violation alerts and integrate Falco within your response workflows.


Leverage most current detection rules

Falco's out-of-the-box rules alert on known malicious activity and CVE exploits.

How Sysdig Secure Extends Falco

Sysdig Secure uses the open-source Falco engine under the hood for runtime security and cloud threat detection, and extends it to cover the full Kubernetes lifecycle and cloud environments. Its main contribution on top of Falco is saving the time spent creating, tuning and maintaining policies.

Sysdig Secure allows you to:

  • Block threats by extending Falco's detection capabilities with prevention (Pod Security Policies, which Kubernetes removed in v1.25) and automated responses that don't impact performance
  • Ease the burden of creating and updating runtime Falco rules with ML-based profiling, a flexible Policy Editor to customize rules, and an extensive curated Rules Library
  • Generate fewer false positives by tuning Falco-based policies to your own environment
  • Embed security across the DevOps process with image scanning, security monitoring, forensics, incident response, and audit
  • Validate compliance using out-of-the-box checks and runtime policies that map to compliance standards such as NIST and PCI
  • Continuously detect threats based on cloud logs (suspicious logins, file access, etc.)

Sysdig Secure and Falco Feature Comparison

Deployment | Sysdig Secure | Falco
Licensing | Sysdig proprietary licensing plus open-source components | Open source, Apache v2 license; CNCF incubating project
Installation | CWPP: DaemonSet via Helm, package manager, Docker container. CSPM: cloud template | DaemonSet via Helm, package manager, Docker container
Installation support | Supported by Sysdig | Community supported

Continuous CSPM | Sysdig Secure | Falco
Asset discovery | |
Cloud security posture management and compliance | Sysdig curated CIS AWS |
Cloud risk insights | |
Threat detection based on cloud logs (suspicious logins, file access, etc.) | AWS and GCP |
Context enrichment | Cloud, host, container and Kubernetes labels | Cloud, host, container and Kubernetes labels

Compliance | Sysdig Secure | Falco
Compliance (CIS Benchmarks, PCI controls, NIST 800-190 controls) | Continuously enforce across the lifecycle | You can create compliance rules at runtime
Cloud benchmarks for AWS | CIS |
Container and Kubernetes benchmarks | |
Compliance metrics reporting and dashboards | |
Guided remediation | |
Runtime compliance rules based on open source | |

Detection | Sysdig Secure | Falco
Runtime detection | Detects anomalous behavior on new logins, file access, network, system calls and storage writes; detects anomalous behavior on Kubernetes API calls | eBPF probe or kernel module probe
Metadata context | Cloud, host, container and Kubernetes labels | Cloud, host, container and Kubernetes labels

Prevention | Sysdig Secure | Falco
Deployment prevention | Admission Controller |
Runtime prevention | Pod Security Policy Advisor |

Response | Sysdig Secure | Falco
Block container and Kubernetes threats and attacks | Pause/stop/kill container |
Capture activity (pre- and post-incident) for incident response | |
Default notification channels | Slack, PagerDuty, Email, Webhook, VictorOps, OpsGenie, AWS SNS | Requires third-party components
Event forwarder | High-performance forwarder to SIEM |
Guided remediation | |

Policy management | Sysdig Secure | Falco
Centralized, highly scalable rule management across clusters and clouds | |
Web UI for easier policy creation and customization | |
Automated image profiles provided by machine learning | |
Out-of-the-box rules library | Sysdig curated and supported | Community created
Compliance tags for Falco rules | |
API to automate configuration | |
Terraform provider to manage security as code | |

Additional Security | Sysdig Secure | Falco
Audit (record of all commands executed on cloud accounts/assets) | | You can build your own with an external database
Image scanning (configuration validation, secrets scanning, vulnerability scanning, reporting, alerting, CI/CD and registry integrations, etc.) | |
Incident response and forensics | |
Infrastructure and application monitoring and troubleshooting | |

Other Services | Sysdig Secure | Falco
Support | Included with subscription |
Technical account management | Contact sales |

Enterprise Falco with Sysdig Secure

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications, containers, and cloud-native platforms.

Powered by Sysdig's kernel-level observability, Falco lets you continuously monitor container, application, host, and network activity, alerting on behavior that your rules define as abnormal.

Screenshots: Sysdig Secure Runtime Policies (threat detection policy), Sysdig Secure Rules Library, and Sysdig Secure Remediation Actions.
