
# Falco
Cloud native runtime security

## The Lens
Falco monitors Linux system calls in real time and alerts you when something unexpected happens: a container spawning a shell, a process reading sensitive files, a network connection to an unusual destination. It's a security camera for your Linux kernel. It sees everything a process does because it hooks into the kernel via eBPF.
The open source version is free under Apache 2.0 and is a CNCF graduated project. You get real-time threat detection, a rich rule engine, hundreds of pre-built rules for common attack patterns, and output to any alerting system (Slack, PagerDuty, syslog, etc.). Sysdig (the company that created Falco) sells Sysdig Secure, which adds a management UI, compliance dashboards, image scanning, and enterprise support. That's the commercial product. Falco itself has no enterprise tier.
Self-hosting is the only option. Install Falco on each host or as a DaemonSet in Kubernetes. The eBPF probe needs a kernel that supports it (5.8+ for best results). Initial setup is straightforward; tuning the rules to reduce false positives is where the real work starts. Solo developers: overkill unless you're running production containers with sensitive data. Small teams: install it on your Kubernetes cluster and configure Slack alerts. Cheap insurance. Growing teams: essential. Runtime security detection is a gap most teams don't fill until something bad happens.
The catch: out-of-the-box rules are noisy. You'll get alerts for normal container behavior until you tune the rules for your environment. Budget a few days for tuning, or you'll learn to ignore the alerts, which defeats the purpose.
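Tuning in practice means narrowing the shipped rules to your environment rather than switching them off. The following is an added example of a local rules file, not a file from the Falco project: it assumes a Falco release that understands the `override` key (0.36 or later), that the default ruleset defines the rule `Terminal shell in container` and the list `shell_binaries`, and it uses a constructed image name and namespace as placeholders.

```yaml
# Added example (not Falco's shipped rules): a local rules file that tunes a
# noisy default rule instead of disabling it.
# Assumptions: Falco 0.36+ (for `override`); the default ruleset provides the
# rule "Terminal shell in container" and the list "shell_binaries";
# "example.org/debug-toolbox" and the "prod" namespace are placeholders.

# Constructed list of images that operators are expected to exec into.
- list: expected_interactive_images
  items: [example.org/debug-toolbox]

# Narrow the default rule by appending to its condition: a terminal shell in
# any other container still alerts, only the listed images are excluded.
- rule: Terminal shell in container
  condition: and not container.image.repository in (expected_interactive_images)
  override:
    condition: append

# A tighter rule you own: any shell started in a container in the namespace
# where no interactive access is expected, at a higher priority than the
# generic rule so it stands out in the alert stream.
- rule: Shell in production namespace
  desc: A shell process started inside a container in the prod namespace
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and k8s.ns.name = "prod"
  output: >
    Shell in prod container (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image.repository
    pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, custom]
```

Place the file in the rules directory that your falco.yaml already loads (the stock configuration lists `/etc/falco/rules.d`), or pass it with `-r` after the default rules so the override applies to an already-defined rule. Validate it with `falco --validate <file>` before rolling it out to the DaemonSet, and keep the exclusions as lists like the one above so the allow-list is reviewable rather than buried inside a long condition.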
## Free vs Self-Hosted vs Paid

Model: open core

### Free (Open Source)
Real-time threat detection via eBPF, custom rule engine (YAML-based), 100+ pre-built detection rules, output plugins (Slack, PagerDuty, Kafka, syslog, webhook), Kubernetes audit log monitoring, and Falcosidekick for routing alerts. Apache 2.0.

### Paid (Sysdig Secure, separate product)
Sysdig Secure builds on Falco's detection engine and adds: vulnerability scanning, compliance benchmarks (CIS, NIST, PCI), runtime policy management UI, forensics/incident response, image scanning in CI/CD, and 24/7 support. Pricing: not public, typically $50-100/host/month for enterprise.

### Self-Hosted Costs
Falco agent uses ~100-200MB RAM per host. Falcosidekick (alert router) is lightweight. Total infrastructure cost: whatever you're already paying for your hosts. The Falco agent adds negligible overhead.

### When to Pay
Sysdig Secure makes sense when you need a compliance dashboard, vulnerability management, and a team of non-CLI users managing security policies. The open source Falco handles detection; Sysdig Secure handles the broader security operations workflow.

### Verdict
Falco is free and production-grade for runtime detection. Pay for Sysdig Secure when you need compliance UI and vulnerability scanning.
Falco is free for runtime detection. Sysdig Secure (separate product) adds compliance and scanning at ~$50-100/host/month.
## About
- Stars: 8,828
- Forks: 1,002


