PlatformIntegrationsChangelogPricingBlog
Deploy in your cluster
Blog
Runtime Detection 10 min read

Falco OSS vs Kubesentry: When to Use Which (And How to Migrate Rules)

Falco is exceptional for teams who want to own their detection pipeline end-to-end. Kubesentry builds on top of that with a managed policy engine, alert routing, and retention. Here's an honest comparison.

Dev Anand CTO, Kubesentry
Comparison diagram concept for Falco and Kubesentry detection architecture

Starting with Credit Where It's Due

Falco is genuinely impressive open-source software. The CNCF-graduated project processes millions of syscall events per second, has a well-designed rule language, ships with a maintained default ruleset covering hundreds of threat patterns, and has a large contributor community. The Falco Rules repository has real threat intelligence baked into it — many of the rules were written by people who have observed actual attack patterns in production. If you want to run a fully self-managed runtime detection pipeline and have the engineering bandwidth to operate it, Falco is the right foundation.

This comparison exists because we get asked a specific question repeatedly: "We're already running Falco. Why would we move to Kubesentry?" That's a fair question and it deserves a specific answer, not marketing language. Here's our honest read.

What Falco OSS Gives You (and What It Doesn't)

Falco's core architecture: a kernel driver (either a kernel module or an eBPF probe — both options exist, though the eBPF driver is now preferred for stability) captures syscall events and writes them to a shared ring buffer. The Falco userspace daemon reads the ring buffer, evaluates rules against each event using the Falco rule engine, and outputs alerts to configured outputs — stdout, files, gRPC, or an HTTP endpoint.

What Falco does well out of the box:

  • Rule language expressiveness: Falco's condition syntax is readable and powerful. A rule like condition: spawned_process and container.privileged = true and proc.name = "nsenter" is unambiguous and easy to audit. The macro system (lists + macros + rules) enables reusable components.
  • Default ruleset depth: The community rules file covers a broad range of threat patterns — from detecting sensitive file reads to terminal shell spawns in containers to unexpected outbound network connections. Running Falco with default rules provides meaningful coverage with zero configuration.
  • eBPF driver stability: the modern Falco eBPF driver (modern_ebpf, CO-RE-based) works across a wide range of kernel versions without requiring kernel headers to be installed on nodes — a significant operational advantage.

Where Falco OSS requires additional investment:

  • Alert routing is manual: Falco outputs to stdout, a file, or an HTTP endpoint. Getting alerts to Slack, PagerDuty, Splunk, or Datadog requires running Falcosidekick (a separate component) and configuring it. This is not difficult, but it's operational surface area that someone owns.
  • Rule management at scale: Falco rules files are YAML, and keeping them versioned, reviewed, and deployed consistently across a multi-cluster environment requires tooling — typically GitOps (ArgoCD or Flux) plus a policy-as-code CI step. Teams that haven't already built this workflow will need to.
  • Baseline tuning: Falco's default rules produce false positives against real production workloads. The rule language supports exceptions, but building a low-noise ruleset requires manual tuning iterations. Without active tuning, SRE teams learn to ignore the alert channel, which defeats the purpose.
  • Alert retention and correlation: Falco doesn't store events. Alert history, correlation across multiple nodes, and investigation of past events requires shipping to an external log store (Elasticsearch, Splunk, CloudWatch Logs) and querying it manually.

What Kubesentry Adds on Top

Kubesentry's detection engine accepts Falco-compatible rule syntax — a deliberate design choice. If you have existing Falco rules, they can be imported directly. We didn't invent a new rule language because there was no reason to fragment the ecosystem.

The differences are in the operational layer around detection:

Managed baseline tuning: rather than requiring you to write exception lists manually, Kubesentry's policy engine learns the expected syscall patterns per container image over a baseline period (configurable, default 72 hours) and automatically generates suppression rules for known-good patterns. This doesn't replace manual rule authoring — you still define what constitutes a threat — but it dramatically reduces false positive volume from default rules applied to workloads that have legitimate-but-unusual patterns.

Alert routing with context: every alert from Kubesentry to Slack, PagerDuty, or SIEM includes the process tree (not just the leaf process), the container ID, namespace, pod name, and labels. An SRE receiving a PagerDuty page about a suspicious exec can see immediately that it's nginx spawning a shell, in the payment-service pod in the production namespace, with the parent process being the nginx worker process — which is the minimum context needed to triage without running kubectl exec into the cluster.

Event retention and query: the Growth tier retains event data for 30 days with structured query support. Investigating "what was happening on node ip-10-0-1-47 at 03:14 AM three days ago" doesn't require you to have pre-configured log shipping to a separate SIEM — it's available in the Kubesentry dashboard by default.

Multi-cluster policy consistency: Enterprise tier manages rules across multiple clusters from a single control plane. A rule change deploys to all clusters simultaneously, with a review and rollback capability built into the workflow. For teams running production + staging + development clusters, keeping rules in sync is a recurring overhead that this eliminates.

When Falco OSS Is the Right Answer

We're not saying Falco is the wrong choice — we're saying it's the wrong choice for specific team profiles. Specifically, Falco OSS is the right choice if:

  • You have a dedicated security engineer who actively owns the detection pipeline and has time for ongoing rule tuning.
  • You already have a SIEM (Splunk, Elasticsearch) that you're comfortable querying, and Falcosidekick gets events there reliably.
  • Your compliance or data residency requirements prohibit sending alert metadata to a third-party control plane — even the minimal metadata Kubesentry processes.
  • You want complete control over the detection codebase for audit purposes — "no external dependencies" is a real operational constraint in certain regulated environments.

For most mid-size SaaS teams — the 40-node EKS cluster, the SRE team of four, no dedicated security ops — the engineering overhead of maintaining a production-quality Falco deployment tends to outweigh the benefit of self-management. The question is whether your team has the bandwidth to own rule management, alert routing configuration, false positive tuning, and multi-cluster synchronization as ongoing work, or whether that overhead is better consolidated into a managed service.

Migration: How to Move Existing Falco Rules

If you're running Falco today and evaluating Kubesentry, the migration path is designed to be low-risk. Kubesentry accepts Falco rule files (.yaml) directly. To validate compatibility before cutting over:

# Step 1: Export your current Falco rules
kubectl get configmap falco-rules -n falco -o jsonpath='{.data.falco_rules\.yaml}' > my-falco-rules.yaml

# Step 2: Validate against Kubesentry's rule compatibility checker
kubesentry rules validate --file my-falco-rules.yaml

# Step 3: Import to your Kubesentry workspace
kubesentry rules import --file my-falco-rules.yaml --workspace production

The validator will flag rules that use Falco macros not yet supported in Kubesentry's engine (a small subset of advanced macros) and rules that reference Falco plugins (plugin-based rules require separate evaluation). In our internal testing against a corpus of community Falco rules, approximately 92% import without modification. The remaining 8% are mostly plugin-based rules or rules using very recent Falco filter field additions.

After import, the baseline learning period (72 hours by default) runs on your actual traffic before Kubesentry activates automated suppression. You can run Kubesentry in observe-only mode alongside your existing Falco deployment for that period to compare alert overlap before cutover.

The Honest Bottom Line

Falco is a better choice if you want full ownership of the detection pipeline and have the engineering capacity to operate it. Kubesentry is a better choice if you want the detection fidelity of a well-tuned eBPF engine without the ongoing operational overhead — and if the 30-second P99 alert latency, contextual process tree alerts, and managed retention are worth the managed service tradeoff.

The rule compatibility means the choice isn't permanent. Teams often start with Falco OSS, hit the operational overhead ceiling, and migrate to Kubesentry when the time-to-triage cost becomes the bottleneck. The migration is designed to work in that direction. See the platform architecture for the full technical picture, or explore container escape detection and cryptomining detection as concrete examples of how detection rules map to threat patterns.