Learn how to use Falco. Without leaving your browser!


Learning how to use new tools is not always easy, especially with Security and Cloud.

We know that Falco is not an exception. Here you can find some resources that might help you to get started with this awesome tool.

Lab 1 - Introduction to Falco

General introduction to Falco running in single Linux hosts. Learn how to install Falco with Docker, and detect threads, such as:

  • Container running interactive shell
  • Unauthorized process
  • Write to non user-data directory

This lab is the best place to start your Runtime Security journey!

Lab 2 - Falco forensics in K8s

In this lab, you can learn how to deploy Falco in a a running Kubernetes cluster and how to define your first custom rules file.

Let us roleplay both the intruder and sysadmin roles and detect a Rogue attack.

Lab 3 - Falcosidekick: Thread Response Engine

Falco is not just about Runtime Detection. You can also perform automated actions to mitigate threads automatically.

In this lab, you will learn how to deploy Falco with Falcosidekick and Kubeless. Stop the running pod when you detect a security thread!

Lab 4 - Falco Custom Rules

Coming soon!

Want to contribute?

This content is built by the community. If there's any use-case you'd like to be covered in this training environments, ping us or build it yourself!

We use Katacoda to build this labs and can check the source code source code of this training to propose changes or fixes.