Falco – Community

Blog: Falco at KubeCon Europe 2026 — See You in Amsterdam! 🐦

Wed, 18 Mar 2026 00:00:00 +0000

We're excited to share that the Falco community will be at KubeCon + CloudNativeCon Europe 2026 in Amsterdam! Whether you're a long-time contributor, a curious user, or just want to say hi, we'd love to see you there.

Falco is celebrating 10 years of development and adoption, and we are on the lookout for people who would like to say Happy Birthday to the project or share their best Falco story. Libby Schulze and I will be on the event floor with mic and camera to capture some amazing moments and memories from Falco's 10 years. So bring your best story, and we'll see you at the Falco booth!

Sneak peek

Psst... we have something really cool brewing that we will show at the Falco booth. You, our amazing reader, is the first to hear about this. It's a way to run Falco locally on your development machine, and make sure your AI coding agents are following new rules that are being defined. We'd love to get your feedback on this as we're currently building it!

Here’s where you can find us in Amsterdam and everything we have lined up:

Project lightning talk

Forensics With Falco
Speaker: Gerald Combs, Maintainer
When: Monday, March 23, 2026 — 10:27 to 10:32 CET
Where: Elicium 2

Falco has recently expanded its capabilities with capture recording, opening the door to seamless integration with forensic analysis tools like Stratoshark. In this lightning talk, Gerald will walk through how the two tools work together to provide deep visibility into container and system activity. He will demonstrate how captured event data can accelerate investigations and discuss key considerations for safely and efficiently deploying these features in production environments.

Sysdig-led workshop

Hands-On Cloud Native Security Workshop
When: Monday, March 23 — 2:00–4:00 PM CET

Run Atomic Red Team™ tests, then step into the Blue Team role to detect threats and create custom Falco™ detection rules in this hands‑on 90‑minute keyboard workshop.

Conference talk

In Falco's Nest: The Evolution of Cloud Native Runtime Security
Speakers: Iacopo Rozzo (Sysdig), Aldo Lacuku (Kong Inc.)
When: Tuesday, March 24, 2026 — 12:00 to 12:30 CET
Where: G102–103

Falco, the Cloud Native Runtime Security project, is constantly evolving to meet the demands of modern cloud environments. This maintainer track session, led by the Falco maintainers, will dive deep into the latest advancements and the strategic direction of the project. We will focus on two major areas of growth: the introduction of the new Falco Operator and the new features that enhance Falco's performance and reliability.

The new Falco Operator simplifies the deployment, configuration, and management of Falco across Kubernetes clusters, making it easier than ever for users to secure their runtime environments at scale.

Furthermore, we will explore the most significant new features integrated into Falco. This includes performance optimizations for high-throughput environments. The session will also touch upon community contributions, ecosystem integrations, and the roadmap for the upcoming release.

Booth demo

Pivoting from detection to investigation with Falco and Stratoshark
Speaker: Gerald Combs
When: Tuesday, March 24, 2026 — 15:45 CET
Where: Sysdig Booth #671

See how to move from “we detected something” to “here’s what happened” using Falco and Stratoshark. Stop by the Sysdig booth and say hello!

Thank you!

We couldn’t do this without you all in our community - the contributors, users, and everyone who shows up at events. If you’re in Amsterdam, come find us at the talks, the workshop, or the booth. We’d love to meet you and hear how you’re using Falco.

See you there! 🐦

Blog: Hey Falco Flock! 🐦 Let's Soar Into 2026

Wed, 25 Feb 2026 00:00:00 +0000

New year, new opportunities!

As we spread our wings and glide into 2026, we want to make sure this community is one you’re proud (and excited!) to be a part of. Falco has always been more than just a project: it’s a flock of builders, defenders, contributors, question-askers, doc-writers, rule-tuners, and runtime security enthusiasts.

And now we want to hear from you.

We’ve put together a quick community survey (5 minutes or less!) to better understand:

How connected you feel to the community
What you love about being a part of it
What could be better
What you’d like to see us focus on this year
What resources would make your life easier
How you’re using Falco and what tools you integrate it with

Your feedback directly shapes our focus on what we build, improve, prioritize, and invest in this year - from documentation and content to events, integrations, and contributor experience. A report detailing the responses will be shared at the same time as KubeCon Europe 2026.

Whether you’re building, using, learning, or just keeping an eye on things, your voice matters.

👉 Take the survey here

Thanks for being part of the flock. We couldn’t do this without you and we’re excited to build 2026 together!

Blog: Falco: Project Recap 2022

Wed, 04 Jan 2023 00:00:00 +0000

Dear Falco community,

As always, we are truly grateful for the amazing community of maintainers and contributors. The Falco project and community would not be the vibrant ecosystem it is today without these incredible individuals. Let’s take a look at what the community accomplished in 2022, and we’ll give a quick glimpse of what to expect in 2023!

Thank you to the Falco maintainers

Falco would not be the same without these key individuals. They work hard to keep the project moving forward and the community engaged. On behalf of the Falco community, we want to extend a BIG thank you for all your dedication and hard work!

Andrea Terzolo, Polytechnic of Turin
Carlos Tadeu Panato Junior, Chainguard
David Windsor, Secureworks
Federico Di Pierro, Sysdig
Frank Jogeleit, LOVOO
Fred Araujo, IBM
Grzegorz Nosek, Sysdig
Hendrik Brueckner, IBM
Jason Dellaluce, Sysdig
Jonah Jones, Amazon
Leonardo Di Donato, Independent
Leonardo Grasso, Sysdig
Logan Bond, Secureworks
Loris Degioanni, Sysdig
Luca Guerra, Sysdig
Mark Stemm, Sysdig
Massimiliano Giovagnoli, Clastix
Mauro Ezequiel Moltrasio, RedHat
Michele Zuccala, Sysdig
Radu Andries, Independent
Teryl Taylor, IBM
Thomas Labarussias, Sysdig

New and noteworthy in Falco land

The Falco community was busy in 2022, figuring out how to better serve contributors, developing new features, fixing bugs, and taking the project to new heights. Here is a recap of key milestones reached this year:

Falco’s governance underwent a facelift this year. Why is this important? As a CNCF project, Falco is committed to promoting a healthy community of contributors and maintainers from multiple vendors. In aid of this, the core maintainers formerly announced & published these updates to help contributors better serve the community. To read the full announcement, see updating Falco Governance. At the beginning of 2022, Falco introduced a game changing feature, Falco Plugins. They allow Falco to monitor and trigger alerts for any kind of event. Since the launch of the new plugin framework the Falco community has collaborated to create plugins for GitHub, AWS CloudTrail and Okta.

A plugin also replaced the way Falco consumes the Audit Logs generated by a K8s API server. With these plugins, Falco covers more in depth the aspects of your infrastructure and allows you to use a single syntax for rules. Our adopters asked us for a way to monitor K8s Audit Logs and the previous implementation used an internal web server to receive the logs from the Kubernetes API. This method didn't support clusters managed by cloud providers, such as EKS, AKS, or GKE as they had to capture the Audit Logs for their own usage and then add them to their log aggregators. This situation is now solved thanks to the plugin framework and we're proud to have announced the first release of the plugin for EKS Audit Logs!!! Read the full blog here!

Feeling terrorized by sneaky cryptominer programs? Falco is helping fight these monsters. Cryptominers are programs that utilize computer resources to mine cryptocurrency. XMRig is an example of an open source crypto mining software designed for the sole purpose of mining cryptocurrencies, like Monero or Bitcoin. Cryptominers usually get rewarded with a token for every successful transaction mined, which makes cryptomining a profitable activity.
Whether an external entity, or an insider, cybercriminals are most commonly abusing services such as Kubernetes and GitHub actions by infecting hosts and containers with cryptojackers and using the business resources to mine cryptocurrency on the attacker's behalf. Learn how Falco detects cryptominers activity in your cluster.
The new eBPF probe landed among us 👽 this fall with new shiny features. The eBPF world grows continuously and every new kernel release introduces some unbelievable novelties! To take advantage of these the community created a completely new architecture, new BPF programs and maps. The main goal was to improve performance, maintainability, and user experience, shipping a unique, powerful, self-contained Falco executable. Discover the modern world of eBPF with Falco, read the full blog here.
At re:Invent 2022, it was a pleasure to announce that Falcosidekick would be available with preview integration for Amazon Security Lake, a new service that optimizes and centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake. Falcosidekick forwards Falco events into other services: the new integration exports security events using the Open Cybersecurity Schema Framework (OCSF) format, an open industry standard, and sends them directly to Amazon Security Lake. This makes it easier to normalize and combine Falco events with other security data sources. You can check out the integration in the next version of Falcosidekick, 2.27.0. Read the full announcement, Support for Amazon Security Lake.
As the home of such important assets, GitHub repositories should be at the top of your list of security priorities. However, many people fail to put in place even basic measures to protect source code repositories. Read about three risks to GitHub repos and how you can reliably detect them, as they happen, using Falco open source security.
Before 0.32.1, Falco could not work with gVisor monitored sandboxes because it was not possible to install a kernel module or eBPF probe in such an environment. But wouldn't it be great to leverage the stream of system call information that gVisor collects through its powerful monitoring system directly in Falco? This is exactly what became possible with gVisor release 20220704.0 and Falco 0.32.1. Learn how to integrate gVisor and Falco on Docker.
With Falco 0.32.1, you can now run Falco on Apple ARM M1 CPUs. It requires a Linux virtual machine (VM) since Falco doesn't run on OSX, but it is pretty straightforward. Here are the step by step instructions.
Different technologies are used on a daily basis, and tools like Vagrant, Terraform, Ansible, plus many more allow us to create and destroy digital resources in a matter of minutes, if not seconds. However, if you keep changing your running environment, you might need to calibrate your workloads to these new changes. This is especially true when you deploy operating system-dependent applications. In other words, every time you deploy an application like Falco there's a chance that you need to compile a new module or eBPF probe to get along with the current underlying kernel. This is the first of a series of posts introducing some interesting techniques using Falco to generate the much needed driver and how you can make it available for your deployments. Learn how to build your own Falco Drivers for Debian.
Giant Swarm simplifies the maintenance of the software stack within Kubernetes clusters by using its App Platform technology. Leverage this to easily deploy Falco, either individually or as part of Giant Swarm's Security Pack, to secure a managed Kubernetes service. Learn how to deploy and manage applications across hybrid environments.

Core releases

The Falco release process has been well-defined with a fixed schedule of three releases per year (roughly at the end of Jan, May, and Sept), plus patch releases that can occur when needed upon agreement by maintainers (for example, for hotfixes or security patches). Here are the three major releases for 2022:

Falco 0.31.0 a.k.a. "the Gyrfalcon" released in January 2022. Why did we call it the Gyrfalcons release? Well, the Gyrfalcons are the largest of the falcon species, just like this version of Falco, which had the biggest changelog ever released.The falco and libs repositories counted 30+ individual contributors, 130+ pull requests, and 360+ commits 🤯.
Falco 0.32.0 release in June 2022. This new release came with a ton of inner rework. Here is the foremost important change: Lua is no more a dependency of Falco! Basically, the Falco rule loader was rewritten in C++, to achieve better performance. Moreover, the entire rule engine has been rewritten too. This reduced the workarounds in Falco, and is now fully using libsinsp-provided filter parsers and compiler. Moreover, a new --list-syscall-events CLI option is now available.
Falco 0.33.0 a.k.a. "the pumpkin release 🎃" made available October 2022. For v0.33.0 the community focused on addressing the following updates & changes:
- Libs now allow individual selection of which syscalls to collect during live captures, which helps Falco improve performance and reduce dropped events
- Introduced the Kernel Crawler, a new tool that automatically identifies the most up to date kernel versions supported by popular distros
- Syscall kernel ring-buffer size is now customizable for your environment needs
- Mitigations for libsinsp’s Kubernetes metadata client to address recent issues that caused Falco to crash
- Support for multiple simultaneous event sources, which means that you can now run multiple event sources in the same Falco instance
- Added minikube as a supported platform in the driver loader and included it in our driver build matrix
- Rule alert rate limiter is now optional and disabled at default
- Support for two new syscalls and many improvements to the default Falco security ruleset

Falcosidekick & UI

Falcosidekick is a little daemon that extends a number of possible outputs, and since its creation this little guy has evolved in many amazing ways. A big thank you to Thomas Labarussias for driving the development of Falcosidekick and the UI. Here is how the project evolved in 2022:

Falcosidekick saw a major update in June of 2022, delivering four new outputs and enhancing existing ones too! Not only did we see updates in outputs, but the community delivered the first version of the Falcosidekick UI. The UI offered these new features: Redis DB for long term storage of events, API for counting and searching for events, and lastly filters to keep and share query strings. For a full detailed account of this update, see the blog Falcosidekick 2.25.0 and Falcosidekick 2.0.0..

Plugins

Falco v0.31.0 resulted in many exciting new features. One that is particularly strategic for the project is the general availability of the plugins framework. Why are plugins exciting and what do they mean for the future of Falco?

Plugins are shared libraries that can be loaded by Falco to extend its functionality. Plugins can currently implement two capabilities:

The event sourcing capability, which add new data sources to Falco. They produce input events, from either the local machine or a remote source, that Falco can understand.
The field extraction capability, which parse the data coming from source plugins and expose new fields that can be used in Falco rules.

By supporting one or both capabilities, plugins allows users to feed data into Falco, parse it in useful ways and create rules and policies from it, read the full announcement here!

Official plugins launched in 2022 include:

AWS CloudTrail
GitHub
K8saudit
K8saudit-EKS
Okta

Falco project growth

The Falco project excitedly announced that on Nov 4, 2022, project maintainers submitted the proposal to be considered for graduation. This milestone is important because it demonstrates the health and maturity of the project to the Kubernetes & cloud ecosystem.

Falco joined the CNCF as a Sandbox project in the fall of 2018 and evolved into Incubating status two years later. The community believes the next natural step is for Falco to apply for graduation. The project has reached maturity in community health, diversity of contributions & contributors, and ecosystem adoption.

Project highlights for 2022
Github stars: + 31%
Core repo contributors: +65%
Forks: +46%
Slack channel members: +126%
Downloads:
- 41.7M Docker hub pulls (25% growth)
- 1.2M AWS ECR

New features in Falco

The most significant additions since acceptance for Incubation include:

Stable release schedule
Contribution of the whole libs source code into the Falcosecurity organization
Plugin framework, allowing event sources other than syscalls
New eBPF probe
gVisor integration

Thank you to all of the contributors and maintainers of the Falco project. The project would not be where it is today without the help and dedication of these key individuals.

Wishing you a happy 2023,

Jacque

Blog: Falco applies for graduation

Wed, 09 Nov 2022 00:00:00 +0000

Dear Falco community,

The Falco project is excited to announce that on Nov 4, 2022, the project maintainers submitted the PR to be considered for graduation. This milestone is important because it demonstrates the health and maturity of the project to the Kubernetes & cloud ecosystem.

Falco joined the CNCF as a Sandbox project in the fall of 2018 and evolved into Incubating status two years later. The community believes the next natural step is for Falco to apply for graduation. The project has reached maturity in community health, diversity of contributions & contributors, and ecosystem adoption.

Why is Falco ready to graduate?

Falco’s adoption has grown widespread within the Kubernetes ecosystem; users of the project include AWS, Qonto, Shopify, and many others. The project has been integrated into a variety of derivative open source and commercial products such as R6/Phoenix, Giant Swarm AppPlatform, gVisor, StackRox, Tarian, Sysdig Secure, and many more.

Since incubation, the amount of contributions coming from organizations other than Falco's original creator (Sysdig) has grown steadily. During the last year, around 38% of the contributions came from a diverse group of committers that includes: Innoteam, Amazon, Samsung, IBM, Mercari, RedHat, and many individual contributors. More details are available here.

Falco currently stands with 5,300+ GitHub stars and 165+ contributors across the various repos in the falcosecurity GitHub organization. The community has also expanded its footprint to 1,695 users registered in the Falco community Slack channel.

Project highlights for 2022

Github stars: + 26%
Core repo contributors: +65%
Forks: +7%
Slack channel members: +126%
Downloads:
- 41.7M Docker hub pulls (25% growth)
- 1.2M AWS ECR

New features in Falco

The most significant additions since acceptance for Incubation include:

Stable release schedule
Contribution of the whole libs source code into the Falcosecurity organization
Plugin framework, allowing event sources other than syscalls
New eBPF probe
gVisor integration

Community maturity

The project has grown an active and engaged leadership committee and has been stable for the past year. We believe Falco has proven maturity in their maintenance processes that shows stability as a whole. We are proud to also highlight that since incubation, Falco has added maintainers from 4 new organizations.

Falco has also demonstrated consistent application of governance and community growth processes. We strongly believe that the community has evidence of happy and healthy contributors and maintainers. We've also facilatated and clarified roles to empower maintainers and contributors to follow a path of advancing contributions.

How can you help today?

Go here: Falco graduation proposal.
If you are a fan of Falco, we would love a 👍, ❤️, or 🚀 on this PR.
If you are using Falco in production, please add your name to our ADOPTERS.md document.
If you do any of the above, share it on the social media platform of your choice.

Blog: Falco at the KubeCon NA 2022

Tue, 08 Nov 2022 00:00:00 +0000

It was KubeCon recently. I doubt anyone reading this didn't know about it. And if you attended, you're probably still receiving e-mails about the event.

KubeCon is where everyone wants to be. And Falco was there too. It did indeed have a great presence: A project meeting, mentions, a few presentations, a keynote, it even had a party!

Once there, it was Falco time!

Project Meeting

A project meeting is where maintainers of the project, users, adopters and contributors have the opportunity to exchange impressions. On Tuesday afternoon, Falco maintainers met with interested users and potential adopters, and presented, not only the background of the project, but also its future roadmap.

There were questions from the attendees, requests and announcements of upcoming features, and even live demos. From the new plugins framework till the recent gVisor support, including a deep explanation of Falco libraries' insights. If you didn't know how Falco worked internally, you could leave the room being an expert.

Presentations

Falco is a well known project. It was mentioned in at least five presentations. Some of these, delivered by the core maintainers. Others, by the community or the CNCF organization itself. Its presence in so many occasions reflected the project's reputation in the community.

Keynote

Tuesday morning. Still tired from the jet-lag, and after the first day of Cloud Native SecurityCon, our first public Falco moment of the day: A Keynote at the SecurityCon delivered by Loris Degioanni, original creator of Falco.

Loris introduced the new GitHub Plugin for Falco, which is capable of detecting events like using GitHub actions for cryptominers, pushing code with secrets, or even detecting when someone starred the repository.

The time dedicated to a keynote is usually short, but for Loris it seemed to be enough to perform a couple of live demos. Don't miss them in this video.

Detecting Threats in GitHub with Falco - Loris Degioanni

The Eye of Falco

That same day, a few hours later, Stefano Chierici, Senior Security Researcher, and Lorenzo Susini, Open Source Engineer, both contributors of Falco, presented one of the most exciting of its features: Detection of attempts to escape Linux capabilities.

During this presentation, Lorenzo did an extensive walkthough on Linux capabilities, explaining the security situation before having them, detailing on its different sets (effective, permitted and inheritable) and its security implications when creating new processes that require higher privileges.

Stefano, on the other side, walked us through different scenarios showing a variety of real attacks. Therefore, having the CAP_SYS_MODULE capability enabled in the container would allow an attacker to use a Kernel Module to attack; having the CAP_SYS_PTRACE capability active would allow the injection of malicious code into memory; and having the CAP_SYS_ADMIN capability might open more than one path to make our host exploitable.

Trying not to spoil the end of the presentation (you can already imagine it though), we recommend to watch the following video to see how Falco faces this kind of threats, as it does with many others, by obtaining the state of the container and warning the user if the capabilities exceed the desirable ones.

The Eye of Falco: You Can Escape but Not Hide - Stefano Chierici & Lorenzo Susini

Detecting the Undetectable

Falso also squeezed into a presentation from Carol Valencia, Cloud Native Security Advocate at Aqua Security, where she demonstrated how three different runtime security solutions, Falco among them, were able to detect fileless attacks.

Fileless Attack - Detecting the Undetectable

Falco Project Updates

For those that were not able to attend the Project Meetings at the SecurityCon, KubeCon was a second great opportunity to learn from their favority CNCF projects.

On Friday afternoon, Jason Dellaluce and Luca Guerra, both Open Source Engineers, as well as Falco maintainers, gave an overview of the Falco project and its recent updates.

Security In the Cloud With Falco: Overview And Project Updates - Jason Dellaluce & Luca Guerra

Falco Kiosk at the CNCF Pavillion

This year at the KubeCon, Falco maintainers spent a good amount of time at the Falco kiosk. They received visitors interested in the project, some, already users of Falco, others, new users looking to learn about it, even a couple of youtubers asking to interview the maintainers for their channels.

All in all, an awesome chance to discover, first hand, what people really thought of Falco, wonders and pain points, good and not so good experiences with the tool and its ecosystem. In other words, real and valuable feedback.

Book signing

We haven't mentioned it yet, but Falco even had a book at the KubeCon. Shortly before the event, O'Reilly published Practical Cloud Native Security with Falco, written by Loris Degionni and Leonardo Grasso, both Falco maintainers with a large experience in the project.

Wednesday and Thursday, Loris and Leo spent some time signing copies of their book to users and developers interested in learning the secrets of Falco. Receiving a book at the KubeCon is probably not such a highligh anymore. Receiving Falco users willing to queue to receive your book is still a rewarding experience though.

Party

KubeCon is not only about collecting swag and attending presentations, although these are a great source of knowledge (and the swag a lot of stolen space in your luggage). KubeCon is also about interacting with other attendees, having exciting conversations, sharing experiences and point of views.

So Falco thought of using an evening to do exactly that!

People at the event (let's call it a party!). So people at the party enjoyed some food, drinks, had meaningful conversations -at least, that's what we want to believe-, and played Cards against Containers -the paper version, not the online one.

Since the party took place on Tuesday, it meant a nice break between two days full of Security-related presentations, and the KubeCon starting the next day. We didn't stay long, but we had some joy.

Conclusion

As you can see, it was a week full of emotions, opportunities, friends and colleagues, and Falco. We are already looking forward to the next event, and we hope you too.

And if you didn't get your copy of the book, maybe there'll be another chance next year in Seattle or Amsterdam ;-)

Blog: Updating Falco’s governance documentation

Fri, 02 Sep 2022 00:00:00 +0000

As a CNCF project, Falco is committed to promoting a healthy community of contributors and maintainers from multiple vendors. In aid of this, we are delighted to announce that we have updated the Falco governance documentation to help our maintainers better serve our community.

Our goal has been to streamline and clarify roles and processes to make it easier for maintainers to do their job and for others to join the community. We fine-tuned and documented in detail the consensus-driven process we use for decision making. Additionally we clarified roles and responsibilities for contributors, and made explicit our community principles of openness, respect, transparency, diversity and vibrancy.

The voting PR for these updates commenced on August 22, 2022, after several weeks of discussion. The vote closed after just 4 days with 9 votes cast in favor of the changes, well exceeding the 66% majority required.

All Falco community members are encouraged to review the new governance and maintainers guidelines. Highlights of the revised documents include:

Falco community principles: we continue to strive for openness, respect, transparency, diversity, and a vibrant project
Leadership roles & responsibility: maintainers of the core repositories serve as the oversight and direction-setting group for the whole project, with limits set on per-company voting power
Technical advisory groups: can now be formed to address specific topics where expertise and recommendations are required
Maintainer lifecycle: clear definition of how project members move from contributor to maintainer and from retiring to emeritus status

Decision-making and voting: clear rules on lazy consensus by default, and how votes should be conducted.

For feedback or questions please contact us through #falco on the Kubernetes Slack or the developer mailing list.

If you are interested in joining the community, you can find out how to contribute in Contribution Guidelines.

Thank you to all the Falco maintainers and community members for their discussion and support as we improved our governance documentation!

Falco maintainers