Host intrusion detection (HID) has been around for some time. What if we rethought the problems HID solves in the context of Cloud Native platforms? What if we could detect abnormal behavior in the application, container runtime, and cluster environment as well?

In any Cloud Native architecture there’s a seemingly endless stream of events at each layer. These events can be used to detect abnormal activity and possible security incidents, as well as to provide an audit trail of activity.

In this talk we’ll cover how we extended Falco to ingest events beyond just host system calls, such as Kubernetes audit events or even application-level events. We will also show how to create Falco rules to detect behaviors in these new event streams. We will show how we implemented Kubernetes audit events in Falco, and how to configure the event stream.

Finally, we will cover how to create additional event streams leveraging the generic implementation Falco provides. Attendees will gain a deep understanding of Falco’s architecture, and of how to customize Falco for additional event sources.

Néstor Salceda

Container Runtime Security with Falco


Néstor is a passionate and upbeat software engineer. He loves to pick an idea, develop it and make it real. He is also an Open Source Software enthusiast and right now he is part of the Sysdig team. When he is not in front of his computers, you will find him playing on the ground with his two little twins or practising Judo or Aikido.

11:00-11:30 | Track 2