New integration connects Falco alerts to Stratoshark’s forensic tools, delivering Wireshark-style visibility into system call and audit log data
Key Highlights
- Falco, a CNCF graduated project, now integrates with Stratoshark to connect real-time security alerts with forensic-level capture and analysis tools.
- Security teams can instantly pivot from detection to deep investigation without switching tools, reducing response time and improving root cause analysis.
- Intended for platform and security teams working across Kubernetes, containerized environments, and hybrid/multicloud infrastructure.
- Available now; demonstrated live at KubeCon + CloudNativeCon North America 2025 in Atlanta.
ATLANTA—KUBECON + CLOUDNATIVECON NORTH AMERICA, Nov. 10, 2025 — The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced new integrations between Falco, a graduated project, and Stratoshark, a forensic tool inspired by Wireshark. With this release, Falco alerts can now trigger precise forensic captures, allowing real-time threat detection to be paired with deeper event analysis.
Security and platform teams have long struggled to bring together real-time threat detection and the detailed forensic visibility needed for effective incident response. Historically, security analysts and incident responders relied on separate tools to manually capture full system-call activity, producing large volumes of unfiltered data that slowed investigations and complicated incident resolution. Falco Captures provides on-demand event recording that starts when a security rule triggers. Each triggered alert comes with an automatically recorded trail of system calls, ready for immediate replay and inspection, giving security analysts precise, actionable insight.
“We’ve long seen how alerts without context force a time-costly hunt,” said Leonardo Grasso, core maintainer of Falco. “These new capabilities let teams go from detection to investigation in moments, with minimal overhead. It’s community collaboration delivering real value to modern security operations.”
Falco Captures and the plugin API enhancements help teams across on-premise, multicloud, and hybrid environments respond to incidents more efficiently. System CAPture (SCAP) files are now generated only when specific Falco rules trigger, reducing unnecessary data and focusing analysis on relevant events.
“With Stratoshark, we’ve taken the forensic precision that users expect from Wireshark and brought it into the cloud native space,” said Gerald Combs, creator of Wireshark and lead developer of Stratoshark. “By building on Falco’s detection engine, we’re giving teams a direct path from alert to byte-level visibility so they can see exactly what happened, where, and when.”
The integration expands Falco’s functionality by enabling forensic capture tied directly to specific detections. With the addition of Stratoshark’s packet-level analysis, users can investigate alerts with greater technical depth. This allows teams to identify the root cause of security issues more efficiently, without needing to manually correlate data across separate tools.
“Falco’s goal has always been to provide open source and real time visibility into cloud native workloads,” said Chris Aniszczyk, CTO of CNCF. “By connecting alerts with detailed event data, this update helps teams move more quickly from detection to investigation—without introducing unnecessary complexity.”
Falco, which joined CNCF in 2018 and graduated in 2024, is an open source tool for detecting unexpected behavior and configuration changes at runtime. It supports a range of environments, including containers, virtual machines, and bare-metal hosts, and is widely adopted for monitoring security events in Kubernetes and other cloud native systems.
Visit the Falco Maintainer track or attend the Lightning Talk “When Falco Spots Trouble, the Shark Swims In” to see a live demonstration of these new features.
Additional Resources
- CNCF Newsletter
- CNCF Twitter
- CNCF Website
- Learn About CNCF Membership
- Learn About the CNCF End User Community
About Cloud Native Computing Foundation
Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private, and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. CNCF brings together top developers, end users, and vendors and runs the largest open source developer conferences in the world. Supported by more than 800 members, including major cloud computing and software companies, as well as over 200 innovative startups, CNCF is part of the nonprofit Linux Foundation. For more information, please visit www.cncf.io.
###
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page. Linux is a registered trademark of Linus Torvalds.
Media Contact
Kaitlin Thornhill
The Linux Foundation