Falco: Runtime Security for Cloud-Native Systems

Shriira Press

Preface

The security camera for your running workloads — detect threats in containers, hosts, and Kubernetes the moment they happen.

Welcome to Falco: Runtime Security for Cloud-Native Systems.

Falco is the leading open-source runtime security tool for cloud-native systems: it watches what your containers, hosts, and Kubernetes actually do and alerts the instant behavior looks dangerous. This free book teaches it from the ground up: runtime-security fundamentals and where Falco fits, how it taps the kernel via eBPF to see syscalls, its event-pipeline architecture, the rules language (conditions, fields, macros, lists, outputs), the default ruleset and writing custom rules, Kubernetes integration and audit-log monitoring, responding to alerts with Falcosidekick and automated response, tuning to defeat alert fatigue, and securing and operating Falco in production. Ten focused chapters with real rules and clear diagrams that show how to detect threats in running systems and act on them.

This title is part of the Shriira library and is free to read in full, right here — our small contribution to making world-class knowledge easy to reach.

A note on reading it: open the Contents menu at the top of the reader to jump between chapters, use the Aa menu to set a comfortable text size, theme (light, sepia, or night), and single- or two-page layout. Your place is saved automatically, so you can always pick up where you left off.

We hope it serves you well.

— Shriira Press

Contents

  1. Chapter 1 — What Falco Is
  2. Chapter 2 — Runtime Security Fundamentals
  3. Chapter 3 — How Falco Sees: Syscalls and Drivers
  4. Chapter 4 — Architecture
  5. Chapter 5 — The Rules Language
  6. Chapter 6 — Default Rules and Custom Rules
  7. Chapter 7 — Kubernetes Integration
  8. Chapter 8 — Responding to Alerts
  9. Chapter 9 — Tuning and Reducing Noise
  10. Chapter 10 — Operating Falco and Putting It Together