Wednesday Poll - Which Detection Would You Build First?

Bodhi · October 22, 2025, 6:15pm

If you’re just starting out with Falco or cloud threat detection:
Which type of detection rule would you build first?

A) Kubernetes exec into container

B) Suspicious network outbound

C) File change to critical path

D) Other (comment below)

Huck · October 22, 2025, 7:45pm

D) Terminal shell in container.

This would allow detection of interactive sessions via kube exec, and RCE > shell in the event of workload compromise. If someone is actively interacting with my containers I want to know!

Interested to hear what everyone else thinks!

Maddie · October 22, 2025, 11:21pm

B) No one comes in without wanting to send something out.

leogr · October 23, 2025, 9:44am

A) Kubernetes exec into container

It would provide immediate value in understanding runtime visibility! With this, one can quickly distinguish between legitimate and suspicious exec patterns.

edsoncelio · October 23, 2025, 9:55am

A) Kubernetes exec into container
It looks like a small thing but it’s a good way to identify patterns and best (or bad) practices!

MOD_Crystal_Ball · October 23, 2025, 1:52pm

D) Known malicious IOCs like for malware and cryptominers. Simple enough to get your feet wet, but effective

Topic		Replies	Views
About the Falco category Falco	0	28	July 23, 2025
Falco Workshops! Come get hands-on guided instruction! Events & Meetups	0	14	July 25, 2025
What’s the Most Creative Falco Rule You’ve Written? Falco	1	62	July 30, 2025
Falco Open Source Frequently Asked Questions (FAQs) Falco Resources	0	60	July 28, 2025
From Alerts to Action: Falco Vanguard! Falco	0	83	August 6, 2025

Wednesday Poll - Which Detection Would You Build First?

Related topics