Runtime Security in UDS Core: Standardizing on Falco
UDS Core provides a secure, open-source baseline for deploying mission applications in airgapped and egress-limited environments. Falco is now the standard runtime security engine in UDS Core. This change reduces operational complexity, improves rule lifecycle management in disconnected environments, and strengthens real-time threat detection at the node and cluster layers.
While prevention, container image scanning, and other features can be valuable to some missions, it was determined that runtime detection is what missions require across the board. The result is a leaner UDS Core with faster deployments, clearer signals, and better alignment to mission outcomes.
Decision
UDS Core now ships with Falco as the default runtime detection tool.
NeuVector was deprecated and removed on November 12, 2025. A separate UDS package will remain available for teams that still require it.
UDS security compliance artifacts will reflect this change.
Why Falco Fits UDS Core
Direct kernel-level visibility
Falco ingests system call activity from the Linux kernel. Collection occurs in kernel space and is delivered to user space through Falco libraries for enrichment and evaluation. This design provides broad coverage of host and container activity without application changes.
Mature, maintained rule sets with offline management
Falco includes maintained default rules and a structured language that supports macros, lists, and custom fields. Rules are published and versioned across stable, incubating, and sandbox sets. UDS Core can pin versions and perform controlled updates that match change-control processes.
Deployment model that matches constrained environments
Falco deploys as a Kubernetes DaemonSet across Linux nodes, minimizing moving parts and avoiding heavy control planes. The official Helm charts manage lifecycle operations and driver selection. This approach fits UDS Core requirements for simple, reliable components in airgapped environments.
Flexible, airgap-friendly alert routing
Falco emits alerts through standard outputs. For broad integrations, Falcosidekick acts as a lightweight forwarder that supports destinations including message queues, SIEMs, and webhooks. This enables local routing inside disconnected enclaves and later delivery to enterprise systems when links are available.
Project maturity and community backing
Falco is a CNCF Graduated project that has sustained governance, security reviews, and multi-vendor stewardship. This level of maturity supports long-term sustainment across mission environments.
Technical Details That Matter in UDS Core
Drivers and libraries
Falco's libscap negotiates with the selected driver and streams syscall events to user space, where libsinsp enriches them with context and exposes fields for rules. The modern eBPF path removes the need to build out-of-tree kernel modules on many platforms and improves portability across kernel versions.
Rule authoring and tuning
Rules reference event fields for processes, files, and network activity, and can be scoped to specific sources like syscall or k8s_audit. Macros and lists reduce duplication and provide consistent tuning patterns. Project guidance codifies practices for minimizing noise while retaining coverage.
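As an added illustration of the list, macro, and source-scoping features described above (example rules written for this page, not rules shipped by UDS Core or the Falco project; the `uds_` names are hypothetical):

```yaml
# Lists hold reusable values; referencing them with "in (list_name)" keeps
# the tuning surface in one place instead of repeated literals.
- list: uds_sensitive_paths
  items: [/etc/shadow, /etc/passwd, /etc/sudoers]

# Processes expected to legitimately write these files; extend per mission.
- list: uds_allowed_config_writers
  items: [useradd, usermod, passwd, chpasswd]

# Macros wrap conditions so several rules can share the same event filter.
# Names are uds_-prefixed so they do not collide with the default rule set.
- macro: uds_open_write
  condition: >
    (evt.type in (open, openat, openat2) and evt.is_open_write=true
     and fd.typechar='f' and fd.num>=0)

- macro: uds_in_container
  condition: (container.id != host)

- macro: uds_writes_sensitive_file
  condition: (uds_open_write and fd.name in (uds_sensitive_paths))

# The rule composes the macros, excludes the allow-listed writers, and is
# scoped to the syscall source; the output string enriches the alert with
# process, container, and Kubernetes fields for SOC triage.
- rule: UDS Sensitive File Written In Container
  desc: A containerized process wrote to a sensitive system file.
  condition: >
    uds_writes_sensitive_file and uds_in_container
    and not proc.name in (uds_allowed_config_writers)
  output: >
    Sensitive file written in container (user=%user.name command=%proc.cmdline
    file=%fd.name container_id=%container.id image=%container.image.repository
    k8s_ns=%k8s.ns.name k8s_pod=%k8s.pod.name)
  priority: WARNING
  source: syscall
  tags: [uds, filesystem, host, container]
```

Adding a noisy-but-legitimate process to `uds_allowed_config_writers` tunes the rule without touching its condition, which is the pattern the text refers to for minimizing noise while retaining coverage.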
Outputs and response
Falco supports file, stdout, and program outputs. Falcosidekick extends this with a single endpoint for multiple Falco instances and many integrations, plus metrics for health checks. This simplifies local SOC workflows and downstream automation.
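The output configuration sketched here, as an added example of the routing pattern above (a hypothetical `falco.yaml` fragment, not UDS Core's shipped configuration; the Falcosidekick service address is assumed):

```yaml
# Emit one JSON object per alert so collectors and SIEMs can parse fields.
json_output: true
json_include_output_property: true

# Keep a local copy of every alert on the node for retention and evidence.
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco/events.json

# Also write to stdout so the cluster log pipeline picks alerts up.
stdout_output:
  enabled: true

# Forward to a Falcosidekick instance inside the enclave (assumed address).
# Falcosidekick fans out to local queues or a SIEM and, when a link exists,
# to enterprise destinations, so Falco itself never needs egress.
http_output:
  enabled: true
  url: "http://falcosidekick.falco.svc.cluster.local:2801/"

# Drop rules below this priority before they are loaded or emitted.
priority: notice
```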
Kubernetes first, host coverage included
Falco observes both containerized and non-containerized workloads. The same rules engine covers pods, systemd services, and host processes, which reduces tooling fragmentation in multi-purpose clusters.
How This Strengthens UDS and Mission Outcomes
Lean baseline
Falco's DaemonSet architecture, maintained rule sets, and OCI-based artifact distribution keep the runtime security footprint small while enabling strict version control in airgapped deployments. Fewer components and predictable updates translate to faster accreditation cycles and simpler sustainment, allowing mission owners to focus on what matters most: the mission.
High-fidelity alerts
Kernel-level visibility combined with Kubernetes audit streams produces alerts tied to workload and API context. Tunable rules, macros, and source scoping limit unnecessary events and align detections to the threat model, keeping the mission secure at all times.
Disconnected resilience
Rules, plugins, and charts are distributed as OCI artifacts and Helm packages, which can be mirrored into enclave registries on fixed schedules. This supports consistent, repeatable updates without external egress, regardless of where the mission is deployed.
Compliance enablement
Falco produces structured, timestamped alerts suitable for collection and retention in UDS observability stacks. This supports evidence generation for controls related to audit, monitoring, and incident detection.
Mission Impact
A UDS Core baseline powered by Falco provides real-time detection with minimal operational overhead, predictable offline updates, and direct alignment to Kubernetes operations. Teams gain faster deployment, tighter control of security artifacts, and clearer alerts that map to mission priorities.
This supports shorter paths to an ATO and more reliable delivery in disconnected, contested, or resource-constrained environments.
UDS Core is leaner, faster, and more focused on mission outcomes. Runtime security with Falco ensures you stay secure without the operational burden.
