Today, the Cloud Native Computing Foundation (CNCF) Technical Oversight Committee (TOC) voted to accept Falco as an incubation-level hosted project.

Falco, which entered the CNCF Sandbox in October 2018, is an open source Kubernetes runtime security project. It provides intrusion and abnormality detection for cloud native platforms such as Kubernetes, Mesosphere, and Cloud Foundry.

Given the opaque nature of containers, organizations require deeper insight into container activities. The Falco project was created by Sysdig to better understand container behavior, and to share these insights with organizations, allowing them to protect their container platforms from possible malicious activity.

“Runtime security is a critical piece in a cloud-native security story and essential for anyone taking cloud-native security seriously,” said Kris Nova, Chief Open Source Advocate at Sysdig. “Access control and policy enforcement are important prevention techniques, but runtime security is needed to detect threats that evade preventions.”

By leveraging open source Linux kernel instrumentation, Falco gains deep insight into system behavior. The rules engine can then detect abnormal activity in applications, containers, the underlying host, and the container platform. In the event of unexpected behavior at runtime, Falco detects and alerts, reducing the risk of a security incident. It can send these alerts via Slack, Fluentd, NATS, and more.

Main Falco Features:

Notable Milestones:

Since joining the CNCF Sandbox, the Falco community has focused on making the project easier to adopt. Project maintainers have implemented a governance model, which sets guidelines and standards for both contributors and maintainers to ensure the project’s compliance and health. Falco was also made available in the Google marketplace, and the Falco community created an operator that is available on OperatorHub.io.

“Runtime container security tools like Falco provide the visibility necessary for development teams to feel safe plugging them into their stack,” said Chris Aniszczyk, CTO/COO of the Cloud Native Computing Foundation. “During its time in the Sandbox, Falco has seen impressive growth and end user adoption, and we look forward to seeing the advancements the community continues to make.”

While in the Incubator, Falco will focus on moving to an API-first architecture, which enables the community to begin developing integrations with other tools, including Prometheus, Envoy, and Kubernetes.

As a CNCF hosted project, joining incubating technologies like OpenTracing, gRPC, CNI, Notary, NATS, Linkerd, Helm, Rook, Harbor, etcd, OPA, and CRI-O, Falco is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach.

Every CNCF project has an associated maturity level: sandbox, incubating, or graduated project. For more information on what qualifies a technology for each level, please visit the CNCF Graduation Criteria v.1.3.

To get started with Falco, visit the Falco GitHub page. To get involved, attend the weekly office hours calls to discuss feature work, open issues, and repository planning.

To learn more about Falco, visit www.falco.org.