Falco
Cloud-native runtime security for Linux/Kubernetes: syscall and K8s audit rules with Falcoctl and ecosystem outputs.
Why it is included
CNCF graduated project; default mental model for K8s behavioral alerts.
Best for
Clusters needing rule-based detection for shells, sensitive file access, and odd process trees.
Strengths
- Rich default rules
- gVisor/eBPF paths
- Vendor integrations
Limitations
- Tuning noise vs coverage; not a full EDR
Good alternatives
Tracee · Tetragon (different stack)
Related tools
Security & Privacy
Tracee
Linux runtime security using eBPF to trace OS and container events with prebuilt signatures and pipeline exports.
Security & Privacy
Trivy
All-in-one scanner for container images, IaC, Kubernetes manifests, SBOMs, and VM OS packages with CI integrations.
Security & Privacy
kube-bench
CIS Kubernetes benchmark checker: run checks against nodes, control plane, etcd, and policies with readable reports.
Security & Privacy
Open Policy Agent (OPA)
General-purpose policy engine with Rego: unify authorization and config decisions across K8s, APIs, Terraform plans, and CI.
Security & Privacy
Kyverno
Kubernetes-native policy engine using YAML (no Rego) for validate, mutate, generate, and image verification rules.
Security & Privacy
Kubescape
Kubernetes security scanner for misconfigurations, RBAC, compliance frameworks (NSA/CIS), and image vulnerabilities.