What is Falco?

Falco is an open source security tool that helps us secure various environments. It is also the “threat detection” engine for the Kubernetes structure that we use frequently in the field of Cloud Engineering. Falco was created by Sysdig in 2016. Falco detects runtime unexpected application behavior in the Kubernetes cluster and issues alerts about threats.

Why Falco?

As you know, we are looking for best practice solutions while working in Kubernetes cluster. Of course, we also need to provide this solution on the Security side. Because applications are running on the cluster and we must be aware of every dangerous operation to be done on the pods here. Because we need to have the right log in order to best inform our customers about cluster based problems, not applications. We do logging meticulously in order to increase customer satisfaction. Falco helps us check Linux kernel, container, Kubernetes and other logs and raise alerts for dangerous usage. It allows us to protect the security of containers, especially in the Kubernetes environment. It even offers us services on “thread detection” in the Kubernetes environment. In the Kubernetes container, the runtime uses Kubernetes audit logs to capture threat findings and raises alerts on the results it receives. In this way, we can view who is logging into the cluster and what dangerous operations they are doing there, and we can integrate these alarms into the Slack channel so that everyone is aware of these activities. Therefore, Falco can be preferred to log every dangerous step on the pod and generate an alarm. Falco can be easily integrated into our work environment and is very simple to use.


In order to install Falco, first of all, Helm must be installed.


In order to start testing, we need to set up an pod like nginx.

Creating alarm

To create an alarm in Falco, we first need to determine the type of output and accordingly, we can easily create an alarm by enabling the necessary places in falco.yaml.

To read the Turkish version of the article, please click on the link below:




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store