Falco, the CNCF runtime security engine, watching every syscall on the machine and alerting the moment a process behaves the way an intruder would.
Falco is the graduated Cloud Native Computing Foundation project for runtime threat detection. It taps the kernel's syscall stream, enriches each event with process, user and file context, and evaluates the result against a behavioural rule set, so it alerts on what a program actually did rather than on what it is called or what signature it matches. Its bundled rules already cover a large part of the way real intrusions look from the inside: a sensitive credentials file being read by a program that has no business reading it, an interactive shell appearing where none should exist, a kernel module being loaded, a process attaching a debugger to another process, a new binary written and then immediately executed, private keys or cloud credentials being searched for. Because the detections describe behaviour, they keep working against tooling nobody has catalogued yet.
Runtime detection is the layer that answers a question nothing else on the machine can. Vulnerability scanning tells you what could be exploited, and network controls tell you what can reach you, but neither tells you what an intruder is doing right now on a host that is already running. Falco fills that gap, and it is a natural companion to a network intrusion detection sensor rather than a replacement for one: the network sensor watches the packets, Falco watches the behaviour they lead to. Alerts are written as structured JSON, one object per line, which drops straight into a SIEM, a log pipeline or any alerting tool without parsing work.
cloudimg delivers Falco installed from the project's own signed package archive, with the signing key pinned by fingerprint and the archive wired into unattended upgrades, so the engine keeps receiving security updates rather than being frozen at whatever version happened to be current at build time. The image ships the modern eBPF driver deliberately: it is compiled once and relocated against the running kernel, so it needs no kernel module, no DKMS and no compiler, and it keeps working after your machine installs a new kernel and reboots. The alternative module based driver would quietly stop seeing events the first time that happened. Every cloudimg change lives in a configuration drop in directory so the packaged configuration files stay byte identical and future upgrades never stall on a configuration conflict. There is no login, no web interface and no user database, so no bootstrap credential exists anywhere in the image to leak, and the engine's only HTTP endpoint is bound to the loopback interface so nothing unauthenticated is ever reachable from the network. The only open port is SSH, using the key you supplied. Alerts are proven to actually fire before the image is ever captured, no build time alert data survives into your machine, and rule updates continue to arrive on your own instance. Backed by 24/7 expert support.