Falco Runtime Security Cheat Sheet

Updated 2026-05-22

Falco is a CNCF-graduated, open-source runtime security tool that monitors Linux kernel system calls and other event sources to detect anomalous behavior in containers, Kubernetes clusters, hosts, and cloud environments in real time. It acts as a security camera for your infrastructure — not an enforcement engine — by applying custom rules against a live stream of kernel events enriched with container and Kubernetes metadata. The key mental model is that Falco is detection-first: it alerts on behavior, but the response layer (Falco Talon, Falcosidekick integrations, SOAR) is handled separately, giving teams flexibility over how alerts are actioned.

What This Cheat Sheet Covers

This topic spans 24 focused tables and 246 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Falco Architecture and Kernel DriversTable 2: Falco Rule YAML StructureTable 3: Falco Rule Overriding and Custom RulesetsTable 4: Falco Condition Syntax and Supported FieldsTable 5: Default Rule Sets and Rule Maturity FrameworkTable 6: Common Detection Patterns and Rule ExamplesTable 7: Falco Output ChannelsTable 8: Falcosidekick — Fan-Out and IntegrationsTable 9: Falco Talon — Automated Response ActionsTable 10: Kubernetes Audit Log IngestionTable 11: Falco Rule Exceptions and Noise ReductionTable 12: Performance Considerations and TroubleshootingTable 13: Falco Deployment MethodsTable 14: Falco Plugin Framework and Event SourcesTable 15: Falco vs. Tetragon vs. TraceeTable 16: SIEM and SOAR IntegrationTable 17: Alert Prioritization and Triage WorkflowReferencesReferencesReferencesReferencesReferencesReferencesReferences

Table 1: Falco Architecture and Kernel Drivers

Falco collects events by hooking into the Linux kernel via one of three instrumentation drivers. The driver you choose has major implications for kernel compatibility, performance overhead, privilege requirements, and portability across distributions and cloud-managed node types.

Driver	Example	Description
Modern eBPF probe	`engine.kind: modern_ebpf` in `falco.yaml`	• Default and recommended driver since Falco 0.43 • bundled into the Falco binary using CO-RE (Compile Once – Run Everywhere), so no separate download is needed • Requires kernel ≥5.8 with BPF ring buffer and BTF support • Needs capabilities `CAP_SYS_BPF`, `CAP_SYS_PERFMON`, `CAP_SYS_RESOURCE`, `CAP_SYS_PTRACE` — not full root
Kernel module	`engine.kind: kmod`	• A `.ko` loadable kernel module installed via `falcoctl driver` or the `falco-driver-loader` image • Works on kernel ≥3.10 • supports x86_64 and aarch64. Requires full root privileges — cannot run with Linux capabilities alone • Useful on older kernels where eBPF is unavailable
Legacy eBPF probe	`engine.kind: ebpf` `engine.ebpf.probe: ~/.falco/falco-bpf.o`	• Deprecated in Falco 0.43.0 • will be removed in a future release • Required kernel ≥4.14 • needed `CAP_SYS_ADMIN`. Users should migrate to the modern eBPF probe
CO-RE portability	`bpftool feature probe kernel`	The modern eBPF probe uses the CO-RE paradigm with BTF so one compiled binary runs across kernel versions without per-kernel compilation, unlike the legacy probe and kernel module which needed kernel headers on the target host.

Table 1: Falco Architecture and Kernel Drivers

Driver	Example	Description
Modern eBPF probe	`engine.kind: modern_ebpf` in `falco.yaml`	• Default and recommended driver since Falco 0.43 • bundled into the Falco binary using CO-RE (Compile Once – Run Everywhere), so no separate download is needed • Requires kernel ≥5.8 with BPF ring buffer and BTF support • Needs capabilities `CAP_SYS_BPF`, `CAP_SYS_PERFMON`, `CAP_SYS_RESOURCE`, `CAP_SYS_PTRACE` — not full root
Kernel module	`engine.kind: kmod`	• A `.ko` loadable kernel module installed via `falcoctl driver` or the `falco-driver-loader` image • Works on kernel ≥3.10 • supports x86_64 and aarch64. Requires full root privileges — cannot run with Linux capabilities alone • Useful on older kernels where eBPF is unavailable
Legacy eBPF probe	`engine.kind: ebpf` `engine.ebpf.probe: ~/.falco/falco-bpf.o`	• Deprecated in Falco 0.43.0 • will be removed in a future release • Required kernel ≥4.14 • needed `CAP_SYS_ADMIN`. Users should migrate to the modern eBPF probe
CO-RE portability	`bpftool feature probe kernel`	The modern eBPF probe uses the CO-RE paradigm with BTF so one compiled binary runs across kernel versions without per-kernel compilation, unlike the legacy probe and kernel module which needed kernel headers on the target host.