Cyber Intelligence
Monitoring, Auditing and Incident Response · Operations

L17. Runtime Security: Falco, Tetragon and eBPF

Prevention controls fail. Runtime security detects anomalous behavior inside running containers: unexpected process execution, file access, network connections, and privilege escalation.

Why Runtime Security?

All the controls covered so far (RBAC, Pod Security Standards, Network Policies, image scanning) are preventive. They reduce the attack surface but they cannot stop a zero-day exploit or a sophisticated attacker who bypasses them.

Runtime security monitors container behavior and alerts on anomalies: a web server spawning a shell, a database process opening a network connection to an external IP, or a container writing to a sensitive host path.

eBPF: The Foundation

eBPF (extended Berkeley Packet Filter) is a Linux kernel technology that runs small, sandboxed programs inside the kernel without modifying kernel source or loading a kernel module: a verifier checks each program for memory safety and bounded execution before it is attached to a hook such as a system call entry point, a kernel function (kprobe), a tracepoint, or a point in the network stack. Runtime security tools use these hooks to observe system calls, network traffic and file access from inside the kernel, which is why their overhead is low and why a process in a container cannot hide from them the way it can from a user-space agent.

Falco

Falco (a CNCF graduated project) is the most widely deployed open-source runtime security tool for Kubernetes. It consumes the stream of system calls on each node, through a kernel module or an eBPF probe, evaluates every event against YAML rules, and emits an alert built from the rule's output template whenever a condition matches. The lesson's shell-detection rule, written the way it appears in a rules file (spawned_process and container are macros from Falco's default ruleset):

- rule: Terminal shell in container
  desc: A shell was spawned in a container
  condition: >
    spawned_process and container and
    proc.name in (bash, sh, zsh, dash)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name
     image=%container.image.repository
     command=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]

Falco can detect:

  • Shell execution in production containers
  • Reads of sensitive files (/etc/shadow, /etc/sudoers; note that /etc/passwd is world-readable and opened by almost every process, so alerting on it mostly produces noise)
  • Outbound connections to IPs on a blocklist you supply (Falco has no built-in threat-intelligence feed; the list is loaded into a rule)
  • Privilege escalation attempts (setuid/setgid calls, sudo or su launched from an unexpected parent)
  • Unexpected process trees (a web server or database process spawning a child it never should)

Deploy Falco as a DaemonSet (one Falco pod per node) with the official Helm chart:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set driver.kind=modern_ebpf \
  --set falcosidekick.enabled=true

Falcosidekick forwards alerts to Slack, PagerDuty, Elasticsearch, or any webhook endpoint.
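The rule above is a starting point; in practice you deploy it next to the default ruleset and start tuning immediately. The following Helm values file is an added example written for this lesson, not code from the Falco project. It wires together the modern eBPF driver, a custom rules file loaded through the chart's customRules key, and Falcosidekick delivery. The custom rule tightens the lesson's shell rule (requiring a controlling tty, and carving out an approved debug image in an approved namespace with a Falco exceptions block) and adds a credential-file read rule. The image docker.io/library/busybox, the namespace platform-debug and the Slack webhook URL are placeholders; spawned_process, container and open_read are macros from Falco's default ruleset, which the chart loads before custom rules.

```yaml
# values-falco.yaml: added example for this lesson (not the Falco project's own file).
# Install with: helm install falco falcosecurity/falco -n falco --create-namespace -f values-falco.yaml
driver:
  kind: modern_ebpf            # CO-RE eBPF probe, no kernel module to build

customRules:
  # Loaded after the default ruleset, so its macros (spawned_process,
  # container, open_read) are available here.
  runtime-local.yaml: |-
    - list: interactive_shells
      items: [bash, sh, zsh, dash]

    # Tuned version of the lesson's shell rule: a controlling tty rules out
    # non-interactive entrypoint scripts, and the exception carves out the
    # one image the platform team is allowed to exec into.
    - rule: Interactive shell in container
      desc: An interactive shell was spawned in a container
      condition: >
        spawned_process and container and
        proc.name in (interactive_shells) and proc.tty != 0
      exceptions:
        - name: approved_debug_image         # placeholder image and namespace
          fields: [container.image.repository, k8s.ns.name]
          comps: [=, =]
          values:
            - [docker.io/library/busybox, platform-debug]
      output: >
        Interactive shell in container
        (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name
         image=%container.image.repository command=%proc.cmdline)
      priority: WARNING
      tags: [container, shell]

    # Credential-file reads: no application process has a reason to read
    # /etc/shadow, so this one can go straight to paging.
    - rule: Credential file read in container
      desc: A process in a container opened a credential file for reading
      condition: >
        open_read and container and
        fd.name in (/etc/shadow, /etc/gshadow) and
        not proc.name in (sshd, login, su, sudo, passwd)
      output: >
        Credential file read in container
        (file=%fd.name user=%user.name
         image=%container.image.repository command=%proc.cmdline)
      priority: CRITICAL
      tags: [container, filesystem]

falcosidekick:
  enabled: true
  config:
    slack:
      webhookurl: "https://hooks.slack.com/services/REPLACE/ME"   # placeholder
      minimumpriority: "warning"   # keep NOTICE/INFO out of the channel
```

Re-run helm upgrade --install with the same values file after each tuning pass, and keep the exceptions in version control: every entry is a documented decision to stop looking at a behaviour, and an attacker who can run the approved debug image in the approved namespace inherits that blind spot.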

Tetragon

Tetragon (from the Cilium project) is an eBPF-based observability and enforcement tool. Where Falco's job ends at emitting an alert, Tetragon can act inside the kernel hook itself: kill or signal the offending process (Sigkill and Signal actions) or, on kernels with error-injection support, force the hooked call to fail (Override action). Policies are Kubernetes custom resources of kind TracingPolicy; the one below attaches a kprobe to fd_install, the kernel function that hands a newly opened file to a process:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-write-etc
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"      # the file descriptor number
    - index: 1
      type: "file"     # struct file *, from which Tetragon resolves the path
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"
      matchActions:
      - action: Sigkill

The kprobe's arguments must be declared (args) so that Tetragon knows how to decode them; fd_install's second argument (index 1) is the struct file, and that is what the Prefix match applies to. The policy sends SIGKILL from the kernel hook to any process that opens a file under /etc/; the signal is delivered before the process returns to user space, so it never gets to use the descriptor. Two caveats a practitioner would add before enabling it: fd_install fires on every successful open, for reading as well as writing, so despite the policy's name it kills readers of /etc/ too (hook a point that exposes the access mode if only writes matter), and a TracingPolicy is cluster-wide, applying to every process on every node, host processes included. Scope it with spec.podSelector or the namespaced kind, TracingPolicyNamespaced, before turning on an enforcement action.
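The policy above is the smallest possible enforcement example. What follows is an added example, written for this lesson rather than taken from the Tetragon project, of how an enforcement rule is actually rolled out: scoped to one namespace and one workload with the namespaced policy kind and a podSelector, and hooked at security_file_permission, the LSM check every read and write passes through, so that the access mask (MAY_WRITE = 2, MAY_READ = 4) can be used to match writes only. The namespace payments, the label app=checkout and the policy name are placeholders.

```yaml
# Added example for this lesson (not from the Tetragon project): the lesson's
# idea narrowed to one namespace, one workload, and write access only.
# Assumptions: namespace "payments" and pods labelled app=checkout exist,
# and Tetragon is installed with its CRDs (including TracingPolicyNamespaced).
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: kill-etc-writers
  namespace: payments          # only pods in this namespace are affected
spec:
  podSelector:
    matchLabels:
      app: checkout            # ... and only this workload within it
  kprobes:
  - call: "security_file_permission"   # LSM hook on every read and write
    syscall: false
    args:
    - index: 0
      type: "file"             # struct file *: gives Tetragon the path
    - index: 1
      type: "int"              # access mask: MAY_WRITE=2, MAY_READ=4
    selectors:
    - matchArgs:               # entries are ANDed: path prefix AND write mask
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/"
      - index: 1
        operator: "Equal"
        values:
        - "2"                  # MAY_WRITE only; reads of /etc are left alone
      matchActions:
      - action: Sigkill
```

Apply it with kubectl apply -f and watch matches with tetra getevents -o compact from a Tetragon pod. Roll it out first with the matchActions block removed, so it only reports. Sigkill is delivered when the process next returns to user space: it kills the writer, but it does not make the write that triggered the hook fail; making the call itself return an error is the job of the Override action, on hooks that support error injection.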

Comparison

Feature             Falco                                      Tetragon
Primary mode        Detection/alerting                         Detection + enforcement
eBPF support        Yes (modern_ebpf driver; kernel module     Native eBPF (eBPF only)
                    also available)
Rule language       YAML rules with condition syntax           TracingPolicy CRDs
Real-time blocking  No (alert only; any response runs          Yes (Sigkill, Signal, Override)
                    outside the kernel, after the event)
Community           CNCF graduated project                     Cilium/Isovalent project

Building a Detection Strategy

  1. Start with Falco's default ruleset in alert-only mode
  2. Tune rules to reduce false positives in your environment
  3. Integrate alerts with your SIEM or incident response platform
  4. Gradually add Tetragon enforcement policies for high-confidence rules
  5. Measure the performance impact on your own nodes (eBPF-based tooling usually costs low single-digit percent CPU, but the cost scales with syscall volume and rule count, so syscall-heavy workloads deserve a before/after benchmark)

Exam Focus Points
  • Preventive controls (RBAC, PSS, Network Policies) cannot stop zero-day exploits: runtime security detects anomalous behavior in running containers
  • eBPF allows observing system calls, network traffic, and file access at the kernel level with minimal performance overhead
  • Falco is detection-focused: it monitors syscalls and generates alerts based on YAML rules
  • Tetragon can enforce policies in real time by killing processes that violate rules (Sigkill action)
  • Start with Falco default rules in alert-only mode, tune for false positives, then add Tetragon enforcement for high-confidence rules

Knowledge Check

1. What is the key difference between Falco and Tetragon?

2. What Linux technology enables runtime security tools to observe system calls with minimal overhead?

3. Which Falco rule condition detects a shell being spawned inside a container?