We scan Docker images for vulnerabilities. We have Network Policies. We have RBAC. But what if an attacker gets inside a running container anyway? Falco detects anomalous behavior at the system call level.
Why image scanning isn't enough
Zero-day vulnerabilities are not in any vulnerability database. Runtime misconfiguration, supply chain attacks and insider threats leave no trace in an image scan. You need runtime monitoring.
Falco: behavioral monitoring
    - rule: Terminal shell in container
      desc: A shell was spawned in a container
      condition: spawned_process and container and shell_procs
      output: "Shell spawned (user=%user.name container=%container.name)"
      priority: WARNING
Our rules
- Shell spawned in container → WARNING
- Reading /etc/shadow → WARNING
- Unexpected outbound connection → NOTICE
- Package manager in production → CRITICAL
- Binary from /tmp → CRITICAL
False positives
We were initially overwhelmed with false alerts. Rule tuning takes weeks. Recommendation: run in audit mode for a week, analyze the alerts, add exceptions, then enable alerting.
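A rules file that implements the five rules from the list above and shows how an exception is added after the audit week. This is an added example, not the rules file from the original post. It assumes Falco with its default rule set loaded, which supplies the macros spawned_process, container, shell_procs, open_read, outbound and package_mgmt_procs; the namespace list, the egress port list and the debug image name are constructed placeholders. The shell rule is named differently from Falco's default "Terminal shell in container" so the two do not collide.

```yaml
# custom_rules.yaml (added example, not the original post's rule file)
# Assumed: default Falco rules are loaded, providing the macros used below.
# Load with: falco -r custom_rules.yaml

# Constructed placeholder lists; replace with your own values.
- list: production_namespaces
  items: [prod, payments-prod]

- list: allowed_egress_ports
  items: [443]

- rule: Shell spawned in container
  desc: A shell was spawned in a container
  condition: spawned_process and container and shell_procs
  output: >-
    Shell spawned (user=%user.name container=%container.name
    image=%container.image.repository cmdline=%proc.cmdline)
  priority: WARNING
  # Exception added after the audit week: the ops debug image (placeholder name)
  # legitimately starts shells as the ops user; everything else still alerts.
  exceptions:
    - name: approved_debug_image
      fields: [container.image.repository, user.name]
      comps: [=, =]
      values:
        - [example.internal/ops/debug-toolbox, ops]
  tags: [container, shell]

- rule: Read shadow file in container
  desc: A process inside a container opened /etc/shadow for reading
  condition: open_read and container and fd.name=/etc/shadow
  output: >-
    /etc/shadow read (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, filesystem]

- rule: Unexpected outbound connection from container
  desc: Outbound connection to a server port not on the egress allow-list
  condition: outbound and container and not fd.sport in (allowed_egress_ports)
  output: >-
    Unexpected outbound connection (command=%proc.cmdline
    connection=%fd.name container=%container.name)
  priority: NOTICE
  tags: [container, network]

- rule: Package manager in production
  desc: A package manager (apt, yum, pip, ...) ran in a production namespace
  condition: >-
    spawned_process and container and package_mgmt_procs
    and k8s.ns.name in (production_namespaces)
  output: >-
    Package manager run in production (user=%user.name command=%proc.cmdline
    namespace=%k8s.ns.name pod=%k8s.pod.name)
  priority: CRITICAL
  tags: [container, package_management]

- rule: Binary executed from /tmp
  desc: A process was started from a world-writable temp directory
  condition: >-
    spawned_process and container
    and (proc.exepath startswith /tmp/ or proc.exepath startswith /dev/shm/)
  output: >-
    Binary executed from temp dir (exe=%proc.exepath command=%proc.cmdline
    user=%user.name container=%container.name)
  priority: CRITICAL
  tags: [container, execution]
```

During the audit week, keep the rules as written and collect the alerts; each recurring alert that turns out to be legitimate becomes one entry under exceptions (image, user, parent process) rather than a weakened condition, so the rule still fires for everything outside the documented exception.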
Runtime security is the last line of defense
Prevention (scanning, RBAC, Network Policies) is the foundation. Detection (Falco) is insurance. Together they form defense-in-depth.