Falco runtime detection
Driver, engine, rules; shells in containers.
Falco is the CNCF runtime detection engine that turns the kernel event stream into security alerts. Where an image scanner tells you a container might be vulnerable, Falco tells you a container is behaving maliciously right now — a shell spawned, a sensitive file written, an unexpected outbound connection.
Architecture: driver, engine, rules
Falco has three parts. A driver — the modern eBPF probe (or the legacy kernel module) — captures syscalls at the kernel and enriches them with container and Kubernetes context. The engine evaluates each event against a rule set. And the rules themselves are conditions over event fields, each with an output template and a priority. Deployed as a DaemonSet, Falco puts a detection agent on every node so it sees the syscalls of every workload scheduled there — a single central pod could never see other nodes’ kernels.
# Reusable building blocks:- list: shell_binariesitems: [bash, sh, zsh, ash, dash]- macro: containercondition: container.id != host# The rule: an interactive shell launched inside a running container.- rule: Terminal shell in containerdesc: A shell was spawned in a container — possible hands-on-keyboard intrusioncondition: spawned_process and container and proc.name in (shell_binaries)output: "Shell in container (pod=%k8s.pod.name ns=%k8s.ns.name image=%container.image.repository proc=%proc.cmdline)"priority: WARNING
What Falco is good at
Falco excels at behavioral detection that no static scan can provide: shells and unexpected binaries in containers, writes to sensitive paths (/etc, /root/.ssh), reads of secret files, privilege escalation, and suspicious outbound connections. Plugins extend the same engine beyond syscalls to sources like Kubernetes audit logs and cloud trails, giving one detection language across the kernel and the control plane. It is detection-only by default — it observes and alerts, and turning alerts into action is a deliberate next step (routing and response).