You are viewing documentation for Falco version: v0.33.1



Last modified August 8, 2022
Getting started with Falco

You can deploy Falco on a local machine, in the cloud, on a managed Kubernetes cluster, or on a lightweight Kubernetes distribution such as K3s running on IoT and edge devices.

Falco Architecture

Falco can detect and alert on any behavior that involves making Linux system calls. Alerts are triggered based on specific system calls, their arguments, and properties of the calling process. Falco operates in both kernel space and user space: system calls are captured by the Falco kernel module, then analyzed by the Falco libraries in user space. The resulting events are filtered by a rules engine in which the Falco rules are configured. Alerts for suspicious events are sent to the configured outputs, such as syslog, files, standard output, and others.
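As an added illustration of what the rules engine matches on, here is a single Falco rule constructed for this page (it is not part of the Falco documentation or the project's default ruleset). It ties the three inputs named above together: the system call (`evt.type`), an argument of that call (the file path in `fd.name`), and a property of the calling process (`proc.name`). The process allow-list is an assumption chosen for the example.

```yaml
# Constructed example rule, not from the Falco default ruleset.
# Alerts when a process that is not a known package manager opens a file
# under /etc for writing. Adjust the allow-list for your own hosts.
- rule: Write below etc
  desc: Detect writes to files under /etc by processes other than package managers
  condition: >
    evt.type in (open, openat, openat2) and
    evt.is_open_write = true and
    fd.name startswith /etc/ and
    not proc.name in (apt, apt-get, dpkg, yum, dnf, rpm)
  output: >
    File below /etc opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name container=%container.id)
  priority: WARNING
  tags: [filesystem, mitre_persistence]
```

Each matching event produces one alert formatted from the `output` template and tagged with the rule's `priority`; Falco then hands that alert to whichever outputs (syslog, file, stdout, and so on) are enabled in its configuration. A rule file like this one can be loaded with `falco -r <path-to-rule-file>`.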

[Figure: Falco architecture diagram]

Currently, you can deploy Falco by:

  • Downloading and running Falco on a Linux host, or running the Falco userspace program in a container with a driver installed on the underlying host.
  • Building from source and then running Falco on a Linux host or on a container.


  • Officially supported Falco artifacts
  • Setting up Falco on a Linux system
  • Upgrading Falco on a Linux system
  • Installing Falco on a Cluster
  • Operating and Managing Falco
  • Build Falco from source: build Falco or its libraries yourself from the source code
  • Third Party Integrations: community-driven integrations built on the Falco core