Most security conversations focus on what happens before code runs: vulnerability scanning, static analysis, image hardening. That work matters. But runtime protection is where the real cost of a breach gets determined. An undetected lateral move, an unexpected privilege escalation, a cryptominer quietly consuming 40% of your compute budget: these are runtime problems, and no amount of pre-deploy scanning stops them once an attacker is inside.
Runtime security tools monitor what your servers and containers are actually doing, comparing live behavior against known-good baselines or rule sets. When a process starts making unexpected network connections, spawns a shell from a web server, or reads /etc/shadow without authorization, a well-configured runtime agent catches it in seconds rather than days.
This comparison is for teams managing Linux workloads in production, whether that is bare metal, VMs, or Kubernetes clusters. The goal is to give you an honest map of the space so you can match tooling to your threat model and your budget.
What Runtime Protection Actually Covers
Runtime security tools typically operate in one or more of these layers:
- Syscall monitoring: Intercepting kernel-level calls (execve, connect, open) to detect anomalous process behavior
- File integrity monitoring (FIM): Alerting when protected files are modified outside of expected change windows
- Network visibility: Tracking unexpected outbound connections or lateral movement between services
- Process ancestry: Flagging when a process spawns a child that violates expected lineage (e.g., nginx spawning bash)
The underlying technology has shifted significantly in recent years. Kernel modules, the older approach, require recompiling and patching when kernels upgrade. eBPF (extended Berkeley Packet Filter) is now the industry standard: it runs sandboxed programs directly in the kernel, with the kernel itself verifying safety before execution. This means no kernel crashes, no recompilation on upgrades, and dramatically lower overhead.
The Tools
Falco
Falco is the dominant open source runtime security tool for cloud-native workloads. It started at Sysdig and was donated to the CNCF, where it achieved graduated project status, the same tier as Kubernetes and Prometheus. The latest release is version 0.43.0 (January 2026), with active development continuing on a roughly quarterly cadence.
Falco works by consuming a stream of kernel events via eBPF (or a kernel module on older kernels) and evaluating them against a rule engine written in YAML. When a rule fires, Falco emits an alert to stdout, a file, syslog, or any of several supported integrations including Slack, Webhook, Dynatrace, Sumo Logic, and OpenTelemetry Traces.
Performance: Falco can process over 10,000 events per second on modern hardware while consuming less than 5% CPU. The 0.42.0 release (October 2025) removed syscall enter events from the processing pipeline, consolidating to exit events only, which reduced overhead further.
A basic Falco rule looks like this:
- rule: Shell Spawned by Web Server
desc: A shell was spawned by a web server process
condition: >
spawned_process and
proc.name in (shell_binaries) and
proc.pname in (nginx, apache2, httpd)
output: >
Web server spawned shell
(user=%user.name shell=%proc.name parent=%proc.pname
cmdline=%proc.cmdline container=%container.name)
priority: WARNING
tags: [process, web, mitre_execution]Cost: Open source and free under Apache 2.0. Sysdig offers “Falco Feeds,” a commercially curated detection rule set backed by their threat research team, for teams that want managed rule updates without maintaining their own library.
Honest trade-offs: Falco generates alerts but does not block by default. It is a detection tool, not an enforcement tool. Reducing false positives in complex microservice environments requires ongoing rule tuning investment.
Tetragon
Tetragon is an eBPF-based security observability and enforcement tool from the Cilium/Isovalent project. Unlike Falco, which sits in user space and processes kernel events after the fact, Tetragon applies policy decisions directly inside the eBPF program, enabling real-time enforcement at the kernel level rather than just alerting.
This architectural difference matters for threat response. Traditional detection-then-alert pipelines have a window between detection and response where an attacker can act. Tetragon closes that window by blocking malicious operations inline, before they complete, which also eliminates TOCTOU (time-of-check-to-time-of-use) attack vectors.
Capabilities:
- Policy controls over syscalls, file operations, network communications, and process behavior
- Kubernetes-native policies via CRDs
- Works on plain Linux, Docker, and Kubernetes without requiring Cilium
Install via Helm:
helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon \
--namespace kube-system \
--set tetragon.enableProcessCred=true \
--set tetragon.enableProcessNs=trueExample TracingPolicy to block writes to /etc/passwd:
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "block-etc-passwd-writes"
spec:
kprobes:
- call: "fd_install"
syscall: false
args:
- index: 0
type: int
- index: 1
type: "file"
selectors:
- matchArgs:
- index: 1
operator: "Prefix"
values:
- "/etc/passwd"
matchActions:
- action: SigkillCost: Free under Apache 2.0. Enterprise support through Isovalent (now part of Cisco).
Honest trade-offs: Tetragon has a steeper learning curve than Falco, particularly for policy authoring. The enforcement capability is a double-edged sword: misconfigured policies can kill legitimate processes in production.
Wazuh
Wazuh is a host-based intrusion detection platform that covers runtime security as part of a broader XDR and SIEM stack. It runs lightweight agents on each host and ships data to a central manager. The latest version is 4.12.0 (May 2025), with regular releases throughout the year.
Where Falco and Tetragon are narrowly focused on kernel event streams, Wazuh takes a broader approach: file integrity monitoring, log analysis, vulnerability assessment, rootkit detection, and compliance reporting (PCI-DSS, HIPAA, GDPR, NIST) all in one platform.
Key runtime capabilities:
- Native integration with Linux
auditdfor syscall-level monitoring - File integrity monitoring with who-data (user, process, and timestamp for every change)
- MITRE ATT&CK framework mapping for detected events
- Rootcheck module for detecting hidden processes and suspicious kernel modules
Wazuh agent install (Debian/Ubuntu):
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg \
--import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
https://packages.wazuh.com/4.x/apt/ stable main" | \
tee /etc/apt/sources.list.d/wazuh.list
apt-get update && apt-get install wazuh-agent=4.12.0-1Cost: The platform is free and open source. Commercial support contracts are available, with typical engagements for mid-sized organizations running roughly $16,000 per year based on observed market data.
Honest trade-offs: Wazuh requires more infrastructure to operate than a focused tool like Falco: you need the manager, indexer, and dashboard components running and maintained. For teams that want a unified security platform rather than point solutions, this overhead pays for itself. For teams that already have a SIEM, it may be redundant.
Sysdig Secure
Sysdig Secure is the commercial CNAPP (Cloud Native Application Protection Platform) that originated from the same team that created Falco. It uses the same eBPF instrumentation under the hood but wraps it in a managed SaaS platform with vulnerability scanning, CSPM, identity risk management, and drift detection alongside runtime monitoring.
The key differentiator for enterprise teams is the operational model: Sysdig handles agent updates, rule maintenance, and threat intelligence enrichment. You get Falco-quality runtime detection without managing the open source stack yourself.
What you get beyond open source Falco:
- Managed Falco rule updates via the Sysdig Threat Research Team
- Drift detection: flags container file system changes post-deployment
- Cloud detection: extends runtime visibility to AWS CloudTrail, GCP audit logs, Azure Monitor
- Response workflows: built-in playbooks for common incident types
Cost: Per-host, per-month pricing. Not publicly disclosed; requires a sales conversation. Enterprise-scale contracts are the norm.
Honest trade-offs: The cost delta over self-managed Falco is real. For a team with 20 engineers and 200 hosts, the question is whether the managed rule updates and integrated CSPM justify the spend versus composing open source tools yourself.
Aqua Security
Aqua Security’s platform covers the full container lifecycle, with runtime protection as one component of their CNAPP offering. Their runtime agent blocks attacks based on behavioral policies defined at build time, essentially enforcing a “known-good” behavioral profile for each workload.
Distinctive capability: Aqua’s microsegmentation and immutable infrastructure enforcement can prevent a compromised container from doing anything outside its declared behavior profile, without requiring a human to write detection rules for every threat variant.
Cost: Enterprise pricing starting around $50,000 annually. No public tier pricing; custom quotes only.
Honest trade-offs: Aqua is priced for enterprises with compliance requirements that justify the spend. For teams running fewer than 50 nodes or without strict regulatory obligations, the ROI math rarely works out.
auditd (Linux Audit Framework)
Before evaluating any third-party tool, it is worth acknowledging that the Linux kernel ships with a capable auditing subsystem. auditd captures syscall events and writes them to a structured log, giving you a foundational record of who did what on a host.
Basic syscall monitoring setup:
# Monitor privilege escalation attempts
auditctl -a always,exit -F arch=b64 -S execve \
-F euid=0 -F auid!=0 -k privilege_escalation
# Monitor writes to /etc
auditctl -w /etc -p wa -k etc_changes
# Monitor SSH config changes
auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config
# Check rule status
auditctl -lThe practical limit of raw auditd is log volume and analysis. On a busy server, audit logs fill up fast and become unreadable without a SIEM or tool like Wazuh to parse and correlate them.
Cost: Free. Built into every Linux distribution.
Comparison Table
| Tool | Best For | Pricing | Open Source? | Key Strength |
|---|---|---|---|---|
| Falco | Cloud-native and Kubernetes workloads | Free; Falco Feeds add-on for managed rules | Yes (Apache 2.0) | CNCF-graduated, eBPF-based, massive community rule library |
| Tetragon | Teams that need inline enforcement, not just alerts | Free; enterprise support via Isovalent/Cisco | Yes (Apache 2.0) | Kernel-level enforcement, closes TOCTOU attack window |
| Wazuh | Teams wanting unified XDR/SIEM with runtime coverage | Free; ~$16K/yr for commercial support | Yes (GPL) | Broadest feature set: FIM, compliance, rootkit detection, MITRE mapping |
| Sysdig Secure | Enterprises wanting managed Falco without ops overhead | Custom pricing (per-host/month) | No (SaaS) | Managed rules, drift detection, integrated CSPM |
| Aqua Security | Large enterprises with compliance requirements | ~$50K+ annually | No (commercial) | Behavioral profile enforcement; blocks based on known-good definitions |
| auditd | All Linux hosts as a foundational layer | Free (kernel built-in) | Yes | Zero cost, kernel-native, integrates with every SIEM |
Practical Recommendations
Best for startups and small teams (under 50 nodes): Start with auditd on every host, then layer Falco for container and Kubernetes workloads. Both are free, both are battle-tested, and the combination gives you strong coverage without a budget line item. Invest the saved spend in rule tuning.
Best for teams building on Kubernetes who want enforcement, not just alerting: Tetragon is the standout choice. The inline enforcement model means you are not racing to respond to an alert after the fact. The policy authoring investment pays off in reduced incident response time.
Best for teams that want a single unified security platform: Wazuh covers the most ground for free: runtime monitoring, file integrity, vulnerability assessment, and compliance reporting in one stack. Budget for the infrastructure overhead and plan for a few weeks of setup and tuning time.
Best for enterprise teams without dedicated SecOps capacity: Sysdig Secure removes the operational burden of managing open source Falco at scale. If your team cannot dedicate engineering time to rule maintenance and agent upgrades, paying for a managed platform is the right trade-off. Get a quote and compare it against the fully-loaded cost of a self-managed Falco deployment.
Best for compliance-heavy environments (PCI, HIPAA, FedRAMP): Aqua Security’s behavioral enforcement model maps well to compliance requirements that demand provable, policy-driven controls. The price point reflects this positioning.
A practical approach for most teams: deploy auditd everywhere as a baseline (no cost, no excuse not to), add Falco or Tetragon for container workloads, and feed both into Wazuh or your existing SIEM for correlation and alerting. This stack covers 80% of the threat surface at minimal ongoing cost and is fully replaceable or upgradeable as requirements change.
π Free tools from ReleaseRun: Our Infrastructure Security Scanner Suite covers K8s YAML linting, Docker Compose checks, Terraform security scanning, and GitHub Actions supply-chain audits β all browser-based, no install.
π οΈ Try These Free Tools
Paste your Kubernetes YAML to detect deprecated APIs before upgrading.
Paste your docker-compose.yml to audit image versions and pinning.
Plan your upgrade path with breaking change warnings and step-by-step guidance.
Track These Releases