SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Falco integrates Stratoshark for faster forensic cloud security

Tue, 11th Nov 2025

Falco, an open-source security tool maintained by the Cloud Native Computing Foundation, is now integrated with Stratoshark to enable real-time detection and forensic-level analysis of cloud-native environments.

The new integration provides security teams with the ability to immediately investigate alerts generated by Falco using Stratoshark's forensic tools, offering detailed inspection of system call and audit log data without switching between platforms.

Detection and analysis

Security professionals have traditionally struggled to connect real-time threat detection with forensic investigation. Analysts often had to juggle separate tools, which introduced delays and left them sifting through large, unfiltered datasets when investigating incidents. The integration of Falco, a CNCF project since 2018, with Stratoshark aims to address these challenges by coupling triggered alerts with focused forensic captures.

When unexpected behaviour or a configuration change triggers a Falco rule, Falco can now record the surrounding system call activity into an SCAP capture file and attach it to the alert. Analysts can then replay and examine the relevant activity immediately, cutting the time spent correlating data and avoiding the collection of data that is not needed.

"We've long seen how alerts without context force a time-costly hunt. These new capabilities let teams go from detection to investigation in moments, with minimal overhead. It's community collaboration delivering real value to modern security operations," said Leonardo Grasso, core maintainer at Falco.

Cloud native environments

The integration is designed with modern infrastructure in mind, supporting on-premises, multicloud, and hybrid cloud environments commonly used by platform and security teams. Falco supports containers, virtual machines, and bare-metal hosts, and is widely adopted for monitoring security events in Kubernetes deployments.

The plugin API and targeted event recording ensure that forensic data is only gathered when relevant security rules are triggered. This narrows the scope of analysis and streamlines incident response.

"Falco's goal has always been to provide open source and real time visibility into cloud native workloads," said Chris Aniszczyk, Chief Technology Officer at CNCF. "By connecting alerts with detailed event data, this update helps teams move more quickly from detection to investigation - without introducing unnecessary complexity."

Forensic visibility

Stratoshark, developed by Gerald Combs, the creator of Wireshark, brings the packet-level forensic analysis familiar from that widely used network inspection tool to system call and log data. By combining Falco's real-time detection with Stratoshark's detailed analysis, teams can investigate security alerts with greater technical depth than was previously possible in the cloud-native stack.

This direct link between alert and forensic evidence aims to support quicker identification of root causes in security incidents. The organisation says analysts will no longer need to manually aggregate data from different tools, which previously complicated investigations and delayed effective response.

"With Stratoshark, we've taken the forensic precision that users expect from Wireshark and brought it into the cloud native space. By building on Falco's detection engine, we're giving teams a direct path from alert to byte-level visibility so they can see exactly what happened, where, and when," said Combs.