> For the complete documentation index, see [llms.txt](https://book.konstantinsecurity.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.konstantinsecurity.com/readme/architect/kubernetes/runtime-security/falco.md). # Falco Falco is a cloud-native security tool designed for Linux systems. It employs custom rules on kernel events, which are enriched with container and Kubernetes metadata, to provide real-time alerts. Falco helps you gain visibility into abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security. [Try Falco](https://falco.org/docs/getting-started/) ![](/files/xgXW6R6BiG0Bx0hTkWTT) [Threat Detection](https://falco.org/about/use-cases/#threat-detection) Detect malicious behavior in hosts and containers, no matter what scale, using the power of eBPF. [Regulatory Compliance](https://falco.org/about/use-cases/#compliance) Stay compliant in cloud-native systems with Falco's intelligent monitoring and rule-based detection. ### What makes Falco different? ### Cloud Native Falco detects threats across containers, Kubernetes, hosts and cloud services. ### Real Time Detection Falco provides streaming detection of unexpected behavior, configuration changes, and attacks. ### Integration with 50+ Systems [Forward Falco alerts](https://falco.org/docs/outputs/forwarding/) to any off-host SIEM and data lake system for analysis, storage, or reaction. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.konstantinsecurity.com/readme/architect/kubernetes/runtime-security/falco.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.