Container Security

This workshop covers how to implement runtime security for containerized environments using the open source project Falco. We’ll cover the following:

  • Learn how to create rules for an application. We’ll take a containerized application and create Falco rules to detect abnormal behavior in it. We’ll profile the application’s system calls, then use the profile to create application-specific rules.

  • Learn how to alert on Kubernetes audit events like deployment creation, kubectl exec, privileged container creation, and other interactions with the Kubernetes API.

  • Learn how to leverage serverless frameworks to react to security incidents: delete offending pods, prevent nodes from being scheduled, and send alerts to Slack.


  • Comfort using a command line and a text editor
  • Familiarity with Docker & Linux
  • A laptop with a web browser and SSH client installed



Michael Ducy

Michael Ducy currently works as Director of Community & Evangelism for Sysdig where he is responsible for growing adoption of Sysdig’s open source solutions. Previously, Michael worked at Chef ...