{"id":119040,"date":"2026-07-06T10:38:29","date_gmt":"2026-07-06T05:08:29","guid":{"rendered":"https:\/\/www.guvi.in\/blog\/?p=119040"},"modified":"2026-07-06T10:38:30","modified_gmt":"2026-07-06T05:08:30","slug":"falco-runtime-security-tutorial","status":"publish","type":"post","link":"https:\/\/www.guvi.in\/blog\/falco-runtime-security-tutorial\/","title":{"rendered":"Falco Runtime Security Tutorial: Catch Attacks as They Happen"},"content":{"rendered":"\n<p>Most security tools check your code before it ships. Falco watches what is actually happening while your application runs. This Falco runtime security tutorial shows you how to install Falco on a Kubernetes cluster, see it catch a real suspicious action, and write your own custom detection rule.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>TL;DR Summary<\/strong><\/h2>\n\n\n\n<ul>\n<li>This Falco runtime security tutorial shows you how to install Falco on Kubernetes and catch suspicious activity the moment it happens, not after the fact.<\/li>\n\n\n\n<li>Falco is a free, CNCF-graduated tool originally created by Sysdig that watches Linux kernel system calls in real time.<\/li>\n\n\n\n<li>It catches things static scanners cannot: a shell spawned inside a container, a sensitive file read, a privileged pod created.<\/li>\n\n\n\n<li>Install with Helm in under 5 minutes, Falco runs as a DaemonSet on every node.<\/li>\n\n\n\n<li>Falco ships with a strong default ruleset, and writing your own custom rule takes just a few lines of YAML.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is Falco?<\/strong><\/h2>\n\n\n\n<p>Falco is an open-source, CNCF-graduated runtime security tool originally created by Sysdig. It hooks into the Linux kernel using eBPF and watches system calls in real time, the actual low-level actions every process on a machine performs.<\/p>\n\n\n\n<p>When a running process matches one of Falco&#8217;s rules, a shell opened inside a container, a sensitive file like <strong>\/etc\/shadow<\/strong> being read, or a package manager launched unexpectedly, Falco fires an alert immediately. It works across hosts, containers, and Kubernetes, and is considered the de facto standard for Kubernetes runtime security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why Runtime Security Is Different From Static Scanning<\/strong><\/h2>\n\n\n\n<p>Tools that scan your code or container image catch known vulnerabilities before deployment. They never see what happens after a container actually starts running.<\/p>\n\n\n\n<p>RBAC controls what users can do through the <a href=\"https:\/\/www.guvi.in\/blog\/kubernetes-roadmap\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kubernetes<\/a> API. Network policies control which pods can reach each other. Neither one sees what is happening inside a running container, which processes are spawning, which files are being touched. This is exactly the gap Falco fills.<\/p>\n\n\n\n<p>Runtime security is becoming essential knowledge for DevOps and platform engineers in 2026. If you want to build the broader Kubernetes and infrastructure foundation that tools like Falco protect, HCL GUVI&#8217;s<a href=\"https:\/\/www.guvi.in\/zen-class\/devops-course\/?utm_source=blog&amp;utm_medium=hyperlink&amp;utm_campaign=falco-runtime-security-tutorial\" target=\"_blank\" rel=\"noreferrer noopener\"> DevOps Course<\/a> covers containers, CI\/CD, and real-world projects with NSDC certification.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Falco Runtime Security Tutorial: Installation on Kubernetes<\/strong><\/h2>\n\n\n\n<p>You need <strong>kubectl<\/strong> and <strong>helm<\/strong> installed, along with access to a Kubernetes cluster running Linux nodes. Docker Desktop on Windows or macOS will not work for this, you need real Linux nodes, x86_64 or ARM64.<\/p>\n\n\n\n<p>Add the Falco Helm repository:<\/p>\n\n\n\n<p><strong>helm repo add falcosecurity<\/strong><a href=\"https:\/\/falcosecurity.github.io\/charts\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong> https:\/\/falcosecurity.github.io\/charts<\/strong><\/a> <strong>helm repo update<\/strong><\/p>\n\n\n\n<p>Install Falco into its own namespace:<\/p>\n\n\n\n<p><strong>helm install falco falcosecurity\/falco &#8211;namespace falco &#8211;create-namespace &#8211;set tty=true<\/strong><\/p>\n\n\n\n<p>Falco deploys as a DaemonSet, meaning one Falco pod runs on every node in your cluster automatically. Wait for the pods to become ready:<\/p>\n\n\n\n<p><strong>kubectl wait pods &#8211;for=condition=Ready &#8211;all -n falco<\/strong><\/p>\n\n\n\n<p>Since version 0.40, Falco recommends the modern eBPF driver for kernels 5.8 and above, which needs no kernel headers or compilation, making installation noticeably simpler than older Falco versions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Seeing Falco Catch Its First Alert<\/strong><\/h2>\n\n\n\n<p>The fastest way to understand this Falco runtime security tutorial is to watch it catch something live.<\/p>\n\n\n\n<p>Open a shell inside any running container in your cluster:<\/p>\n\n\n\n<p><strong>kubectl exec -it &lt;pod-name&gt; &#8212; \/bin\/sh<\/strong><\/p>\n\n\n\n<p>Check Falco&#8217;s logs in a separate terminal:<\/p>\n\n\n\n<p><strong>kubectl logs -n falco -l app.kubernetes.io\/name=falco -f<\/strong><\/p>\n\n\n\n<p>Within seconds, you should see an alert fire, something like &#8220;A shell was spawned in a container with an attached terminal,&#8221; along with the user, the container image, and the full command line. This is Falco&#8217;s default ruleset working exactly as intended, catching a behaviour that is completely normal during debugging but highly suspicious during a real attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Understanding Falco&#8217;s Default Rules<\/strong><\/h2>\n\n\n\n<p>Falco ships with a comprehensive set of default rules covering common attack patterns. List everything currently loaded with:<\/p>\n\n\n\n<p><strong>falco &#8211;list<\/strong><\/p>\n\n\n\n<p>Or inside Kubernetes:<\/p>\n\n\n\n<p><strong>kubectl exec -n falco -it $(kubectl get pods -n falco -l app.kubernetes.io\/name=falco -o jsonpath='{.items[0].metadata.name}&#8217;) &#8212; falco &#8211;list<\/strong><\/p>\n\n\n\n<p>Each rule has three core parts: a <strong>condition<\/strong> that defines exactly what triggers it, an <strong>output<\/strong> template describing the alert message, and a <strong>priority<\/strong> level like NOTICE, WARNING, or CRITICAL. Default rules cover shell spawning, sensitive file reads, unexpected outbound connections, and privileged pod creation among many others.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Writing a Simple Custom Rule<\/strong><\/h2>\n\n\n\n<p>Falco&#8217;s real power in any Falco runtime security tutorial shows up once you start writing rules specific to your own environment. Here is a simple example that flags privileged pod creation:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>- rule: Create Privileged Pod\n  desc: Detect creation of privileged pods\n  condition: &gt;\n    kevt and kcreate and ka.target.resource = \"pods\"\n    and ka.req.pod.containers&#91;0].privileged = true\n  output: &gt;\n    Privileged pod created (user=%ka.user.name pod=%ka.target.name\n    ns=%ka.target.namespace image=%ka.req.pod.containers&#91;0].image)\n  priority: WARNING\n  source: k8s_audit\n<\/code><\/pre>\n\n\n\n<p>This rule uses the <strong>k8s_audit<\/strong> source, which means it needs the Kubernetes API server configured to send audit events to Falco. Once active, any privileged pod created anywhere in your cluster triggers an immediate, clearly labelled alert.<\/p>\n\n\n\n<div style=\"background-color: #099f4e; border: 3px solid #110053; border-radius: 12px; padding: 18px 22px; color: #FFFFFF; font-size: 18px; font-family: Montserrat, Helvetica, sans-serif; line-height: 1.6; box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15); max-width: 750px; margin: 22px auto;\">\n  <h3 style=\"margin-top: 0; font-size: 22px; font-weight: 700; color: #ffffff;\">\ud83d\udca1 Did You Know?<\/h3>\n  <ul style=\"padding-left: 20px; margin: 10px 0;\">\n    <li>Falco is often considered the Linux equivalent of Sysmon for Windows, providing deep visibility into system activity and security events. It monitors activity at the kernel syscall level, allowing it to detect suspicious behavior without modifying the applications it protects. Because Falco operates independently of networking components, it works consistently across Kubernetes clusters regardless of the CNI or network plugin being used.<\/li>\n  <\/ul>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Common Mistakes to Avoid<\/strong><\/h2>\n\n\n\n<ul>\n<li><strong>Treating Falco as a replacement for static scanning.<\/strong> Falco catches runtime behaviour, not vulnerable dependencies or insecure code. Pair it with a static analysis tool to cover both ends of the security lifecycle.<\/li>\n\n\n\n<li><strong>Ignoring alert volume in production.<\/strong> Default rules can be noisy on a busy cluster. Tune rule sensitivity and route alerts to a proper destination like Slack or PagerDuty instead of letting them pile up unread in logs.<\/li>\n\n\n\n<li><strong>Forgetting to configure Kubernetes audit logging for k8s_audit rules.<\/strong> Rules based on the <strong>k8s_audit<\/strong> source, like the privileged pod example above, will silently never fire unless the API server is actually sending audit events to Falco.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>This Falco runtime security tutorial covered the full beginner workflow: installing Falco with Helm on Kubernetes, watching it catch a real shell-spawn alert, exploring the default ruleset, and writing a custom rule for privileged pod detection. Static scanning catches problems before deployment. Falco catches them the moment they happen inside a running cluster, and that distinction is exactly why both belong in a serious security setup.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>FAQs<\/strong><\/h2>\n\n\n<div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-question-1782306615136\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>1. Is Falco free to use?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes. Falco is fully open-source and free, with no licensing cost for any core features covered in this Falco runtime security tutorial.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782306634024\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>2. What is the difference between Falco and a static security scanner?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Static scanners check code or images before deployment. Falco watches actual running processes and system calls in real time, catching threats only visible once a workload is running.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782306656456\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>3. Does Falco work outside of Kubernetes?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes. Falco can run on bare metal hosts and standalone Docker containers, not just Kubernetes clusters.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782306672111\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>4. What kernel driver does Falco use?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Modern eBPF is the recommended driver since version 0.40, requiring no kernel headers or compilation for kernels 5.8 and above.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782306687990\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>5. Can I write my own Falco rules?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes, in YAML with a condition, output message, and priority level, as shown in the custom rule example above.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Most security tools check your code before it ships. Falco watches what is actually happening while your application runs. This Falco runtime security tutorial shows you how to install Falco on a Kubernetes cluster, see it catch a real suspicious action, and write your own custom detection rule.&nbsp; TL;DR Summary What is Falco? Falco is [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":120889,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[712,621],"tags":[],"views":"53","authorinfo":{"name":"Jebasta","url":"https:\/\/www.guvi.in\/blog\/author\/jebasta\/"},"thumbnailURL":"https:\/\/www.guvi.in\/blog\/wp-content\/uploads\/2026\/06\/Falco-Runtime-Security-300x116.webp","_links":{"self":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/119040"}],"collection":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/comments?post=119040"}],"version-history":[{"count":3,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/119040\/revisions"}],"predecessor-version":[{"id":120897,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/119040\/revisions\/120897"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/media\/120889"}],"wp:attachment":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/media?parent=119040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/categories?post=119040"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/tags?post=119040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}