Container & Kubernetes SecurityOpen source · Apache-2.0
Falco
Community project
An open-source runtime security engine that watches Linux kernel system calls to detect anomalous behavior in containers and Kubernetes — a shell spawning in a production pod, an unexpected outbound connection, a sensitive file read. Created by Sysdig, donated to the CNCF in 2018, and a graduated CNCF project since February 2024.
Verified Source: 1
- Product type
- Community project
- Deployment
- On-premAgent
- Organization size
- SMBMid-marketEnterprise
- Pricing tier
- Free
Capability checklist
How Falco measures up against the full Container & Kubernetes Security taxonomy.
- Container image scanning — not supported
- Scans container images for vulnerabilities and exposed secrets before deployment.
- Runtime threat detection — supported
- Detects anomalous process and system-call behavior in running containers.
- Kubernetes posture management (KSPM) — not supported
- Flags misconfigured cluster settings, RBAC, and pod security policies.
- Admission control — not supported
- Blocks noncompliant workloads from being deployed to the cluster in the first place.
- Runtime response actions — not supported
- Kills, isolates, or quarantines a compromised container or pod.
- Registry scanning — not supported
- Continuously rescans image registries for newly disclosed vulnerabilities.
Alternatives
Other Container & Kubernetes Security tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include Falco.