The cloud native runtime security tool is used by more than 30 public adopters, including Booz Allen Hamilton, GitLab, Shopify

SAN FRANCISCO, Calif. – February 29, 2024 – The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced the graduation of Falco, a cloud native security tool designed for Linux systems and the de facto Kubernetes threat detection engine. 

Falco was created and open sourced in 2016 by Sysdig and became the first runtime security project accepted into the CNCF Sandbox in 2018 and, subsequently, the Incubator in April 2020. Since then, Falco has added maintainers from Amazon, Apple, IBM, Red Hat, and more. The project has also seen a 400% increase in active contributors since moving to incubation and now has hundreds active code contributors. 

The project has over 30 public, self-declared adopters, including organizations like Cisco, Shopify, Skyscanner, and Vinted. Since moving to incubation, it has seen a 526% increase in total downloads, with a 135% increase in average monthly downloads. 

“Real time visibility into the security of cloud native deployments is invaluable at scale,” Chris Aniszczyk, CTO of CNCF. “Falco is helping to push advancements in the open source cloud native runtime security space with eBPF, and we look forward to seeing the progress in this area as the project continues to grow.”

Falco employs custom rules on kernel events to provide real-time alerts and helps users gain visibility into abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security. In the past few years, maintainers have dedicated time to improving engineering processes and refactoring the Falco code base, including improved test suites and a new Kernel testing framework, increased quality checks, and new features like a new eBPF probe and integration with new first-party data sources. 

“The conclusion that led to Falco’s development and contribution to CNCF is that runtime security must be widely accessible and seamlessly integrated across cloud native infrastructure – you need prevention in the cloud, but threat detection is just as important,” said Loris Degioanni, Creator of Falco and CTO and Founder of Sysdig. “The support Falco has received underscores the reality that you can’t prevent everything, security teams need defense in depth, even in the cloud. I am grateful for the incredible Falco community and for surpassing this milestone within CNCF, but the Falco community has never seen graduation as the end goal — rather, just the beginning of expanding Falco use cases through its plugin system.” 

To officially graduate from incubating status, the Falco project underwent a due diligence process with the CNCF Technical Oversight Committee (TOC), completed a third-party security audit, and supported the process of allowing CNCF projects to include GPL-licensed Linux kernel modules alongside the eBPF code. Graduation validates Falco’s growth, maturity, and future outlook and cements the project’s leadership in the runtime security space.

End User Support 

“We needed a real-time solution that simultaneously met our application security needs and open source commitments — Falco delivered both, providing immediate visibility across environments and prompt detection of and alerting on potential issues,” said Aurimas Rudinskis, Security Engineering Manager at Vinted. “Falco offers an open source answer to the question of incident response in the cloud, and we’re pleased to see its successful CNCF graduation.”

“Congratulations to Falco for achieving CNCF graduated project status,” said Ayoub Elaassal, Cybersecurity Director at Qonto. “In a world where ensuring robust security strategies relies on a multi-layered defense approach, Falco’s runtime detection plays a pivotal role as an indispensable component within that framework. At Qonto we rely on Falco to get extreme visibility on low-level interactions on the system to, not only harden existing containers but also identify any suspicious or unexpected activity. Falco with its runtime security, is and should be an essential layer of any decent defense in depth strategy.”

Supporting Quotes

“Cloud native security continues to make strides forward within our ecosystem, and the graduation of the Falco project is the next advancement in demonstrating the maturity of detection engineering within the cloud native security field.  Adopters and participants in the cloud native ecosystem often focus on direct use projects, those that can be adopted as they exist to serve a singular purpose. However cloud native architectures are dependent on indirect use projects too, like Falco, that integrate with adopters’ existing tooling or other cloud native projects to provide enhanced solutions which spas technical domains, like threat monitoring and incident reporting. The Falco project has worked diligently to lean into adopters needs, adapt and iterate the project to compliment and enhance users expanding use cases, and continued to improve upon itself, its governance, and its community engagement. I’m excited to see the Falco project and its wonderful team of maintainers and contributors reach this milestone. It has been a true pleasure watching these technologists grow alongside the project.” – Emily Fox, Senior Principal Software Engineer, Red Hat and CNCF TOC Chair

“Today’s announcement that Falco is now graduated within CNCF is a testament to the Falco community and maintainers for their hard work and dedication bringing the project to a stable and mature state to achieve this milestone. Across the cloud-native and Kubernetes ecosystems, Falco has helped so many organizations and companies leverage the project’s unique capabilities to detect cloud-native security threats in real time. I’m excited for what’s next from the Falco project following this achievement as the importance of protecting against runtime security threats is more critical than ever before in today’s rapidly evolving security landscape.” – Carlos Panato, Staff Software Engineer, Chainguard and Falco Maintainer

“The Falco community is eager to make Falco compatible with many business-critical environments and platforms while continuously innovating the project. It is a pleasure to work together to bring features such as the modern eBPF probe to life while contributing expertise on the IBM Z & LinuxONE platform, making Falco a very efficient and ubiquitous security monitoring project.” – Hendrik Brückner, Chief Product Owner – Linux Virtualization and Cloud on IBM Z & LinuxONE

“Secureworks joined the Falco community to contribute to their libraries, rules engines, and driver/probe building framework. We are proud to have found such an avid community of passionate developers with respect to security through observability, detection rules, and a breadth of support for various systems. Falco genuinely promotes open collaboration from all, and we were welcomed wholeheartedly to join the project. We believe in the performance and adaptability Falco brings to the table, and we cannot wait to see how Falco continues to raise the bar with its open source cybersecurity initiative going forward. Congratulations to the Falco community for reaching this incredible milestone with the CNCF!” – Logan Bond, Principal DevOps Engineer, Secureworks

Learn more about Falco

About Cloud Native Computing Foundation

Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private, and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. CNCF brings together the industry’s top developers, end users, and vendors and runs the largest open source developer conferences in the world. Supported by more than 800 members, including the world’s largest cloud computing and software companies, as well as over 200 innovative startups, CNCF is part of the nonprofit Linux Foundation. For more information, please visit


The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact

Katie Meinders

The Linux Foundation