DevOps · 4 modules

Falco — Runtime Security

The CNCF runtime-security engine that catches threats while your containers run. Learn how Falco taps kernel syscalls with its eBPF and kernel-module drivers, the rules and conditions language, the detections that matter, and the falcosidekick ecosystem — remembered with spaced repetition.

flashcards
48
flashcards
per day
~10 min
per day
level
Intermediate
level
modules
4
modules
About this topic

What is Falco?

Falco is a CNCF-graduated runtime security tool: it watches Linux syscalls — the ground truth of what every process actually does — to detect suspicious behavior while workloads are running. Where image scanning and admission control try to prevent bad things at build and deploy time, Falco catches what slips past, at runtime.

It taps the kernel through a driver — a kernel module or an eBPF probe (including the modern CO-RE probe that needs no compilation) — and evaluates events against a rules language of conditions, macros, lists and priorities. Out of the box it flags things like an interactive shell in a container, writes to sensitive directories, and unexpected outbound connections. Crucially, Falco detects and alerts — it does not block by itself; response is a separate layer.

This track covers how Falco works, the rules and conditions language, real detection scenarios, and the ecosystem — falcosidekick for alert fan-out, falcoctl for managing rules, and Talon for response. It uses spaced repetition so the concepts stick.

What you'll learn

4 modules, seed to bloom

Each module is a set of flashcards — 48 in total. Answer, review, and watch your knowledge grow from seed to full bloom.

How Falco Works

Runtime detection via syscalls, the kernel-module and eBPF drivers, plugins, and where Falco runs

12 cards

Rules & Conditions

Rule structure, conditions, filter fields, macros, lists, priority levels, tags and overrides

12 cards

Detection Scenarios

What Falco's rules catch — shells in containers, sensitive writes, drift and unexpected connections

12 cards

Outputs & Ecosystem

Output channels, falcosidekick, gRPC API, falcoctl, Talon, and tuning against false positives

12 cards
Try before you plant

Sample questions

A taste of the real flashcards. Pick an answer, then reveal the explanation.

Sample · Falco — Runtime Security

Does Falco prevent malicious actions or detect them?

  • AIt detects and alerts on them — Falco reports suspicious activity but does not block it by itself
  • BIt prevents them inline — Falco blocks each offending syscall before the kernel can execute it
  • CIt quarantines the pod — Falco automatically deletes any container that violates a rule
  • DIt rolls back the change — Falco reverts any file or process action that matches a rule
Permalink & share
Sample · Falco — Runtime Security

Which set of priority levels does Falco use?

  • AEMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG — syslog-style levels
  • BP0, P1, P2, P3 — a four-tier numeric scale from most to least urgent
  • CLOW, MEDIUM, HIGH, CRITICAL — a four-level severity scale like a CVSS rating
  • DTRACE, DEBUG, INFO, WARN, ERROR, FATAL — the logging levels common to application frameworks
Permalink & share
Sample · Falco — Runtime Security

What does Falco's 'Terminal shell in container' rule detect?

  • AAn interactive shell started inside a container — a common sign of hands-on-keyboard activity
  • BA container image built from a shell base — flagging images that ship with bash installed
  • CA shell script stored in a container volume — scanning mounted files for embedded commands
  • DA login to the host over SSH — recording administrator sessions on the node itself
Permalink & share
Sample · Falco — Runtime Security

What is falcosidekick?

  • AA companion that fans Falco alerts out to many destinations — Slack, Elasticsearch, Loki, and more
  • BAn alternative syscall driver — a lighter probe that replaces Falco's kernel module
  • CA rule editor UI — a web tool for writing and testing new Falco detection rules
  • DA cluster scanner — a job that audits nodes for missing Falco installations
Permalink & share
How Gnoseed works

Learn it once, keep it for good

1

Answer a question

Each card is one practical concept with multiple options. Pick what you think is right.

2

Get the full answer

See the correct option plus a clear explanation, and a link to deeper docs when one is available.

3

Review at the right time

A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.

Why learn this

Why Falco is worth your time

See attacks prevention misses

Scanning and admission control are build/deploy-time. Falco catches the malicious behavior that only appears once a container is actually running.

The CNCF standard for runtime security

Falco is the graduated, widely adopted runtime-detection project — a core skill for cloud-native security work.

Write and tune detections

Understanding the rules language — conditions, macros, exceptions — is what turns Falco from noisy to genuinely useful.

Learn syscall-level visibility

Falco is a practical way into eBPF and kernel observability, skills that carry across the whole security tooling landscape.

FAQ

Common questions

Does Falco block attacks? +

No. Falco detects suspicious behavior and alerts on it — it does not block or kill by itself. Automated response requires a separate layer, such as Falco Talon reacting to its alerts.

Do I need to know eBPF or the kernel first? +

No. The track explains how Falco taps syscalls through its drivers, including the modern eBPF probe, from the ground up — a basic grasp of containers and Kubernetes is enough.

How long does it take? +

About 10 minutes a day. Spaced repetition means short, frequent sessions beat long cramming, so the concepts stick.

Is it free? +

Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.

Ready to master Falco?

Plant your first seed today. Ten minutes a day is all it takes to detect threats while your containers run.

Start learning free