detecting-container-runtime-threats-with-falco

Installation
SKILL.md

Detecting Container Runtime Threats with Falco

Overview

Falco is the CNCF graduated runtime-security project (originally by Sysdig) that consumes Linux kernel syscalls and Kubernetes audit events through a driver, evaluates them against a YAML rule engine, and emits real-time alerts. It is the de facto open-source detection tool for runtime threats inside containers, including container escape (MITRE ATT&CK T1611, Escape to Host), namespace manipulation (setns), privileged mounts, reverse shells, and unexpected outbound connections.

Falco supports three drivers: the modern eBPF probe (preferred default, requires kernel >= 5.8, shipped directly inside the Falco binary so no init container is needed), the legacy eBPF probe, and the kernel module (kmod). Driver selection is handled by falcoctl driver config --type {kmod|ebpf|modern_ebpf} or driver.kind=modern_ebpf in the Helm chart. On Kubernetes, Falco runs as a DaemonSet so every node is monitored, and falcoctl automatically installs and updates rule artifacts from the Falco rules registry.

This skill covers authoring and deploying custom Falco rules to detect the container-escape primitives and anomalous-behavior signals that the breakout techniques in this collection produce. Each Falco rule has the fields rule, desc, condition, output, priority, and optional tags; reusable logic is factored into macro and list objects. Source: falco.org official documentation; falcosecurity/rules repository; Sysdig Falco detection research (e.g., CVE-2025-22224).

When to Use

  • Building runtime detections for a Kubernetes or Docker environment
  • Validating that container-escape and lateral-movement attempts generate alerts (purple-team)
  • Adding coverage for a newly disclosed runtime CVE
  • Hardening a SOC's container telemetry pipeline (Falco -> Falcosidekick -> SIEM)

Prerequisites

Installs
5
GitHub Stars
24.7K
First Seen
14 days ago
detecting-container-runtime-threats-with-falco — mukul975/anthropic-cybersecurity-skills