Blog: Falco at KubeCon Europe 2026 — See You in Amsterdam! 🐦

Wed, 18 Mar 2026 00:00:00 +0000

We're excited to share that the Falco community will be at KubeCon + CloudNativeCon Europe 2026 in Amsterdam! Whether you're a long-time contributor, a curious user, or just want to say hi, we'd love to see you there.

Falco is celebrating 10 years of development and adoption, and we are on the lookout for people who would like to say Happy Birthday to the project or share their best Falco story. Libby Schulze and I will be on the event floor with mic and camera to capture some amazing moments and memories from Falco's 10 years. So bring your best story, and we'll see you at the Falco booth!

Sneak peek

Psst... we have something really cool brewing that we will show at the Falco booth. You, our amazing reader, is the first to hear about this. It's a way to run Falco locally on your development machine, and make sure your AI coding agents are following new rules that are being defined. We'd love to get your feedback on this as we're currently building it!

Here’s where you can find us in Amsterdam and everything we have lined up:

Project lightning talk

Forensics With Falco
Speaker: Gerald Combs, Maintainer
When: Monday, March 23, 2026 — 10:27 to 10:32 CET
Where: Elicium 2

Falco has recently expanded its capabilities with capture recording, opening the door to seamless integration with forensic analysis tools like Stratoshark. In this lightning talk, Gerald will walk through how the two tools work together to provide deep visibility into container and system activity. He will demonstrate how captured event data can accelerate investigations and discuss key considerations for safely and efficiently deploying these features in production environments.

Sysdig-led workshop

Hands-On Cloud Native Security Workshop
When: Monday, March 23 — 2:00–4:00 PM CET

Run Atomic Red Team™ tests, then step into the Blue Team role to detect threats and create custom Falco™ detection rules in this hands‑on 90‑minute keyboard workshop.

Conference talk

In Falco's Nest: The Evolution of Cloud Native Runtime Security
Speakers: Iacopo Rozzo (Sysdig), Aldo Lacuku (Kong Inc.)
When: Tuesday, March 24, 2026 — 12:00 to 12:30 CET
Where: G102–103

Falco, the Cloud Native Runtime Security project, is constantly evolving to meet the demands of modern cloud environments. This maintainer track session, led by the Falco maintainers, will dive deep into the latest advancements and the strategic direction of the project. We will focus on two major areas of growth: the introduction of the new Falco Operator and the new features that enhance Falco's performance and reliability.

The new Falco Operator simplifies the deployment, configuration, and management of Falco across Kubernetes clusters, making it easier than ever for users to secure their runtime environments at scale.

Furthermore, we will explore the most significant new features integrated into Falco. This includes performance optimizations for high-throughput environments. The session will also touch upon community contributions, ecosystem integrations, and the roadmap for the upcoming release.

Booth demo

Pivoting from detection to investigation with Falco and Stratoshark
Speaker: Gerald Combs
When: Tuesday, March 24, 2026 — 15:45 CET
Where: Sysdig Booth #671

See how to move from “we detected something” to “here’s what happened” using Falco and Stratoshark. Stop by the Sysdig booth and say hello!

Thank you!

We couldn’t do this without you all in our community - the contributors, users, and everyone who shows up at events. If you’re in Amsterdam, come find us at the talks, the workshop, or the booth. We’d love to meet you and hear how you’re using Falco.

See you there! 🐦

Blog: Falco at the KubeCon NA 2022

Tue, 08 Nov 2022 00:00:00 +0000

It was KubeCon recently. I doubt anyone reading this didn't know about it. And if you attended, you're probably still receiving e-mails about the event.

KubeCon is where everyone wants to be. And Falco was there too. It did indeed have a great presence: A project meeting, mentions, a few presentations, a keynote, it even had a party!

Once there, it was Falco time!

Project Meeting

A project meeting is where maintainers of the project, users, adopters and contributors have the opportunity to exchange impressions. On Tuesday afternoon, Falco maintainers met with interested users and potential adopters, and presented, not only the background of the project, but also its future roadmap.

There were questions from the attendees, requests and announcements of upcoming features, and even live demos. From the new plugins framework till the recent gVisor support, including a deep explanation of Falco libraries' insights. If you didn't know how Falco worked internally, you could leave the room being an expert.

Presentations

Falco is a well known project. It was mentioned in at least five presentations. Some of these, delivered by the core maintainers. Others, by the community or the CNCF organization itself. Its presence in so many occasions reflected the project's reputation in the community.

Keynote

Tuesday morning. Still tired from the jet-lag, and after the first day of Cloud Native SecurityCon, our first public Falco moment of the day: A Keynote at the SecurityCon delivered by Loris Degioanni, original creator of Falco.

Loris introduced the new GitHub Plugin for Falco, which is capable of detecting events like using GitHub actions for cryptominers, pushing code with secrets, or even detecting when someone starred the repository.

The time dedicated to a keynote is usually short, but for Loris it seemed to be enough to perform a couple of live demos. Don't miss them in this video.

Detecting Threats in GitHub with Falco - Loris Degioanni

The Eye of Falco

That same day, a few hours later, Stefano Chierici, Senior Security Researcher, and Lorenzo Susini, Open Source Engineer, both contributors of Falco, presented one of the most exciting of its features: Detection of attempts to escape Linux capabilities.

During this presentation, Lorenzo did an extensive walkthough on Linux capabilities, explaining the security situation before having them, detailing on its different sets (effective, permitted and inheritable) and its security implications when creating new processes that require higher privileges.

Stefano, on the other side, walked us through different scenarios showing a variety of real attacks. Therefore, having the CAP_SYS_MODULE capability enabled in the container would allow an attacker to use a Kernel Module to attack; having the CAP_SYS_PTRACE capability active would allow the injection of malicious code into memory; and having the CAP_SYS_ADMIN capability might open more than one path to make our host exploitable.

Trying not to spoil the end of the presentation (you can already imagine it though), we recommend to watch the following video to see how Falco faces this kind of threats, as it does with many others, by obtaining the state of the container and warning the user if the capabilities exceed the desirable ones.

The Eye of Falco: You Can Escape but Not Hide - Stefano Chierici & Lorenzo Susini

Detecting the Undetectable

Falso also squeezed into a presentation from Carol Valencia, Cloud Native Security Advocate at Aqua Security, where she demonstrated how three different runtime security solutions, Falco among them, were able to detect fileless attacks.

Fileless Attack - Detecting the Undetectable

Falco Project Updates

For those that were not able to attend the Project Meetings at the SecurityCon, KubeCon was a second great opportunity to learn from their favority CNCF projects.

On Friday afternoon, Jason Dellaluce and Luca Guerra, both Open Source Engineers, as well as Falco maintainers, gave an overview of the Falco project and its recent updates.

Security In the Cloud With Falco: Overview And Project Updates - Jason Dellaluce & Luca Guerra

Falco Kiosk at the CNCF Pavillion

This year at the KubeCon, Falco maintainers spent a good amount of time at the Falco kiosk. They received visitors interested in the project, some, already users of Falco, others, new users looking to learn about it, even a couple of youtubers asking to interview the maintainers for their channels.

All in all, an awesome chance to discover, first hand, what people really thought of Falco, wonders and pain points, good and not so good experiences with the tool and its ecosystem. In other words, real and valuable feedback.

Book signing

We haven't mentioned it yet, but Falco even had a book at the KubeCon. Shortly before the event, O'Reilly published Practical Cloud Native Security with Falco, written by Loris Degionni and Leonardo Grasso, both Falco maintainers with a large experience in the project.

Wednesday and Thursday, Loris and Leo spent some time signing copies of their book to users and developers interested in learning the secrets of Falco. Receiving a book at the KubeCon is probably not such a highligh anymore. Receiving Falco users willing to queue to receive your book is still a rewarding experience though.

Party

KubeCon is not only about collecting swag and attending presentations, although these are a great source of knowledge (and the swag a lot of stolen space in your luggage). KubeCon is also about interacting with other attendees, having exciting conversations, sharing experiences and point of views.

So Falco thought of using an evening to do exactly that!

People at the event (let's call it a party!). So people at the party enjoyed some food, drinks, had meaningful conversations -at least, that's what we want to believe-, and played Cards against Containers -the paper version, not the online one.

Since the party took place on Tuesday, it meant a nice break between two days full of Security-related presentations, and the KubeCon starting the next day. We didn't stay long, but we had some joy.

Conclusion

As you can see, it was a week full of emotions, opportunities, friends and colleagues, and Falco. We are already looking forward to the next event, and we hope you too.

And if you didn't get your copy of the book, maybe there'll be another chance next year in Seattle or Amsterdam ;-)

Falco – Live Event