DevOps · Flashcard

Does Falco prevent malicious actions or detect them?

  • AIt detects and alerts on them — Falco reports suspicious activity but does not block it by itself
  • BIt prevents them inline — Falco blocks each offending syscall before the kernel can execute it
  • CIt quarantines the pod — Falco automatically deletes any container that violates a rule
  • DIt rolls back the change — Falco reverts any file or process action that matches a rule

Why this is the answer

Falco is a detection and alerting engine: it surfaces suspicious behavior but does not block, kill, or revert on its own. Blocking or remediation requires a separate response layer (e.g. Falco Talon reacting to alerts) — Falco itself neither intercepts syscalls to deny them, deletes pods, nor rolls back actions.

Official docs
Study in Gnoseed →