Kube Detection Labs
Each lab covers one threat scenario: what it looks like, why it matters, how to detect it with Falco, how to triage it, and how to fix the underlying condition. All content is free and open.
A container starts with securityContext.privileged: true. This gives it near-full access to the host kernel. Detect the runtime event and understand how to prevent it from happening again.
A known cryptomining binary starts inside a container. The lowest false-positive detection in Kubernetes - and often the first sign that an attacker has gained execution in your cluster.
A container opens an outbound connection and pipes it to a shell interpreter. This is one of the clearest signals of active compromise — detect it before the attacker completes their objective.
An identity inside the cluster lists or reads Kubernetes Secrets via the API server. Detect it at the audit log level — this is the attack that follows a stolen service account token.
A container has a hostPath volume that gives it access to the host filesystem. Detect the mount at runtime and understand the full escape chain — from container to node to cluster.
A shell process starts inside a running container. Detect it with Falco, understand why it matters, and know what to do when it fires.
A process inside a container reads /etc/shadow, /etc/passwd, or service account tokens. Detect credential access attempts before the attacker uses what they found.
Someone ran kubectl exec into a production pod. It might be a developer debugging, or it might be an attacker who stole a kubeconfig. Detect it and know how to tell the difference.
A container runs curl or wget to send data to an external destination. Detect the exfiltration tool spawning — not just the network connection — and understand what to look for in the egress.
A process inside a container gains more privileges than its parent. Detect setuid/setgid execution and understand why allowPrivilegeEscalation: false is not just a checkbox.
A container opens a connection to an external IP or domain it has no business contacting. Detect network anomalies at the syscall level and understand how NetworkPolicy and runtime detection work together.
A container starts using :latest or a floating tag. Detect image tag hygiene violations at runtime and understand why this is both a security and reliability risk.
The Detection Starter Pack includes 10–15 production-ready Falco rules, a severity matrix, triage guide for each detection, and a 2-week rollout plan.