Set Up Falco
Runtime security.
Overview
Falco is the runtime security tool that watches syscalls on Linux hosts and Kubernetes pods, then alerts on suspicious behaviour against a YAML rule set. It catches what static security misses: a process spawning a shell inside a container that should not have one, a file write in a path that is supposed to be read-only, a pod talking to an unexpected egress destination.
- Runtime detection. Suspicious activity flagged as it happens. Static scanners miss this category entirely.
- Syscall-level visibility. eBPF or kernel module captures syscalls. Ground-truth view of what is actually running.
- Rule-based detection. YAML rules describe suspicious behaviour. Policy lives in source control.
- Kubernetes-aware plus routing. Pod and container context in alerts; Falcosidekick routes to Slack, PagerDuty, or SIEM.
The approach
Three habits make Falco produce real detection rather than alert fatigue: install via Helm with default rules, add custom rules only for application-specific threats, and tune ruthlessly to keep false positives low.
- helm install falcosecurity/falco. Standard Helm install. Repeatable across clusters.
- Default rules to start. Falco ships with sensible defaults curated by the maintainers. Resist the urge to write custom rules on day one.
- Custom rules per application. Application-specific threat patterns. The rule set grows as the team learns the workload.
- Falcosidekick routing plus tuning. Alerts routed to the workflow that fits; rules tuned ruthlessly to keep on-call sanity.
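The three steps above (Helm install, one application-specific rule, a tuned exception) combined into a single Helm values file, as an added example that is neither from this page nor from the Falco project; the image name, the health-check command and the "web tier never spawns a shell" assumption are constructed for illustration.

```yaml
# values-falco.yaml, passed as:
#   helm install falco falcosecurity/falco -f values-falco.yaml
customRules:
  rules-web-app.yaml: |-
    # Macros and list defined here so the file stands alone; the upstream
    # default rule set ships equivalent definitions.
    - macro: container
      condition: (container.id != host)

    - macro: spawned_process
      condition: (evt.type in (execve, execveat) and evt.dir=<)

    - list: shell_binaries
      items: [bash, sh, dash, zsh, ash]

    # Hypothetical application rule: the web tier image runs one static
    # binary and has no business exec'ing a shell (image name is assumed).
    - rule: Shell Spawned in Web Container
      desc: An interactive shell was started inside a web-tier container
      condition: >
        spawned_process and container
        and proc.name in (shell_binaries)
        and container.image.repository = "registry.example.com/shop/web"
      # Tuning: the one legitimate shell is the liveness probe. The parent
      # name and cmdline below are assumed values; take them from the fields
      # of the real alert, never from a guess, and keep the exception in
      # source control next to the rule it narrows.
      exceptions:
        - name: liveness_probe
          fields: [proc.pname, proc.cmdline]
          comps: [=, =]
          values:
            - [runc, "sh -c /app/healthcheck.sh"]
      output: >
        Shell spawned in web container
        (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name
        image=%container.image.repository parent=%proc.pname
        cmdline=%proc.cmdline)
      priority: WARNING
      tags: [container, shell, custom]
```

After the install, trigger the probe and a manual kubectl exec once each: the probe should stay silent and the exec should produce exactly one WARNING, which is the check that the exception is neither too wide nor too narrow.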
Why this compounds
Each tuned rule deposits durable detection coverage. The team learns Linux internals as a side effect; runtime security posture deepens alongside the application surface.
- Runtime detection grows. Each rule catches a class of threat. Coverage compounds.
- Incident response improves. Real-time alerts cut MTTR on the security incidents Falco was designed to catch.
- Compliance posture improves. Runtime monitoring satisfies SOC 2, PCI, and HIPAA controls without bespoke remediation.
- Year-one investment, year-two habit. The first install is a heavy lift. By year two, every cluster ships with Falco on day one.