Cloud Native Computing Foundation Announces Falco Graduation

The cloud native runtime security tool is used by more than 30 public adopters, including Booz Allen Hamilton, GitLab, Shopify

SAN FRANCISCO, Feb. 29, 2024 /PRNewswire/ -- The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced the graduation of Falco, a cloud native security tool designed for Linux systems and the de facto Kubernetes threat detection engine.

Falco was created and open sourced in 2016 by Sysdig and became the first runtime security project accepted into the CNCF Sandbox in 2018 and, subsequently, the Incubator in April 2020. Since then, Falco has added maintainers from Amazon, Apple, IBM, Red Hat, and more. The project has also seen a 400% increase in active contributors since moving to incubation and now has hundreds active code contributors.

The project has over 30 public, self-declared adopters, including organizations like Cisco, Shopify, Skyscanner, and Vinted. Since moving to incubation, it has seen a 526% increase in total downloads, with a 135% increase in average monthly downloads.

"Real time visibility into the security of cloud native deployments is invaluable at scale," Chris Aniszczyk, CTO of CNCF. "Falco is helping to push advancements in the open source cloud native runtime security space with eBPF, and we look forward to seeing the progress in this area as the project continues to grow."

Falco employs custom rules on kernel events to provide real-time alerts and helps users gain visibility into abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security. In the past few years, maintainers have dedicated time to improving engineering processes and refactoring the Falco code base, including improved test suites and a new Kernet testing framework, increased quality checks, and new features like a new eBPF probe and integration with new first-party data sources.

"The conclusion that led to Falco's development and contribution to CNCF is that runtime security must be widely accessible and seamlessly integrated across cloud native infrastructure - you need prevention in the cloud, but threat detection is just as important," said Loris Degioanni, Creator of Falco and CTO and Founder of Sysdig. "The support Falco has received underscores the reality that you can't prevent everything, security teams need defense in depth, even in the cloud. I am grateful for the incredible Falco community and for surpassing this milestone within CNCF, but the Falco community has never seen graduation as the end goal -- rather, just the beginning of expanding Falco use cases through its plugin system."

To officially graduate from incubating status, the Falco project underwent a due diligence process with the CNCF Technical Oversight Committee (TOC), completed a third-party security audit, and supported the process of allowing CNCF projects to include GPL-licensed Linux kernel modules alongside the eBPF code. Graduation validates Falco's growth, maturity, and future outlook and cements the project's leadership in the runtime security space.

End User Support

"We needed a real-time solution that simultaneously met our application security needs and open source commitments -- Falco delivered both, providing immediate visibility across environments and prompt detection of and alerting on potential issues," said Aurimas Rudinskis, Security Engineering Manager at Vinted. "Falco offers an open source answer to the question of incident response in the cloud, and we're pleased to see its successful CNCF graduation."

"Congratulations to Falco for achieving CNCF graduated project status," said Ayoub Elaassal, Cybersecurity Director at Qonto. "In a world where ensuring robust security strategies relies on a multi-layered defense approach, Falco's runtime detection plays a pivotal role as an indispensable component within that framework. At Qonto we rely on Falco to get extreme visibility on low-level interactions on the system to, not only harden existing containers but also identify any suspicious or unexpected activity. Falco with its runtime security, is and should be an essential layer of any decent defense in depth strategy."

Learn more about Falco

    --  Check out the project website and GitHub repository.
    --  Join the community on Slack.
    --  Follow the project on Twitter and LinkedIn.
    --  Register for the 'Detecting Cloud Runtime Threats with Falco' training
    --  Hear talks and meet maintainers at KubeCon + CloudNativeCon Europe 2024
        in Paris from March 19-22.

About Cloud Native Computing Foundation

Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private, and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. CNCF brings together the industry's top developers, end users, and vendors and runs the largest open source developer conferences in the world. Supported by more than 800 members, including the world's largest cloud computing and software companies, as well as over 200 innovative startups, CNCF is part of the nonprofit Linux Foundation. For more information, please visit

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact

Katie Meinders
The Linux Foundation

View original content to download multimedia:

SOURCE Cloud Native Computing Foundation