The CNCF runtime-security engine that catches threats while your containers run. Learn how Falco taps kernel syscalls with its eBPF and kernel-module drivers, the rules and conditions language, the detections that matter, and the falcosidekick ecosystem — remembered with spaced repetition.
Falco is a CNCF-graduated runtime security tool: it watches Linux syscalls — the ground truth of what every process actually does — to detect suspicious behavior while workloads are running. Where image scanning and admission control try to prevent bad things at build and deploy time, Falco catches what slips past, at runtime.
It taps the kernel through a driver — a kernel module or an eBPF probe (including the modern CO-RE probe that needs no compilation) — and evaluates events against a rules language of conditions, macros, lists and priorities. Out of the box it flags things like an interactive shell in a container, writes to sensitive directories, and unexpected outbound connections. Crucially, Falco detects and alerts — it does not block by itself; response is a separate layer.
This track covers how Falco works, the rules and conditions language, real detection scenarios, and the ecosystem — falcosidekick for alert fan-out, falcoctl for managing rules, and Talon for response. It uses spaced repetition so the concepts stick.
Each module is a set of flashcards — 48 in total. Answer, review, and watch your knowledge grow from seed to full bloom.
Runtime detection via syscalls, the kernel-module and eBPF drivers, plugins, and where Falco runs
12 cardsRule structure, conditions, filter fields, macros, lists, priority levels, tags and overrides
12 cardsWhat Falco's rules catch — shells in containers, sensitive writes, drift and unexpected connections
12 cardsOutput channels, falcosidekick, gRPC API, falcoctl, Talon, and tuning against false positives
12 cardsA taste of the real flashcards. Pick an answer, then reveal the explanation.
Does Falco prevent malicious actions or detect them?
Which set of priority levels does Falco use?
What does Falco's 'Terminal shell in container' rule detect?
What is falcosidekick?
Each card is one practical concept with multiple options. Pick what you think is right.
See the correct option plus a clear explanation, and a link to deeper docs when one is available.
A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.
Scanning and admission control are build/deploy-time. Falco catches the malicious behavior that only appears once a container is actually running.
Falco is the graduated, widely adopted runtime-detection project — a core skill for cloud-native security work.
Understanding the rules language — conditions, macros, exceptions — is what turns Falco from noisy to genuinely useful.
Falco is a practical way into eBPF and kernel observability, skills that carry across the whole security tooling landscape.
No. Falco detects suspicious behavior and alerts on it — it does not block or kill by itself. Automated response requires a separate layer, such as Falco Talon reacting to its alerts.
No. The track explains how Falco taps syscalls through its drivers, including the modern eBPF probe, from the ground up — a basic grasp of containers and Kubernetes is enough.
About 10 minutes a day. Spaced repetition means short, frequent sessions beat long cramming, so the concepts stick.
Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.
Plant your first seed today. Ten minutes a day is all it takes to detect threats while your containers run.