Has delivered real-time insights for detecting runtime vulnerabilities and improving response speed
What is our primary use case?
The primary use case for Sysdig Falco is to find vulnerabilities in real time. It helps us find CVEs in the runtime part of a container environment, so not just scanning the code before it's deployed but also at runtime, when it's actually executed.
We find vulnerabilities there and know from a security perspective for our clients that if they have a CVE published, they can rapidly see which deployed applications are using parts affected by that CVE. Runtime security is the main use case for us and our clients.
What is most valuable?
The runtime security part of Sysdig Falco has been the most valuable over the years. They do extensive monitoring, and you can get many insights and an overview and drill down into connections, but it's the runtime security that sets them apart from the competition.
Sysdig Falco's real-time monitoring feature for anomaly detection is of very high quality. They lean on the Falco project, which is an open-source project that is an excellent source for finding vulnerabilities. They have AI capabilities to set a baseline of the traffic that the client usually has, and then they find anomalies where things start to deviate from the baseline, and they do that exceptionally well.
The flexibility of Sysdig Falco's rule-driven engine for meeting security policies for customers is very good because you can have the standard features that are already out-of-the-box ready, and then you can tailor your own rules freely and create any type of rules desired.
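The rule-driven engine mentioned above is configured through YAML rule files. As an added illustration that is not taken from the review or from the Falco project's shipped rule set, here is a small custom rule that flags a process inside a container opening a file for writing under a directory that should stay read-only at runtime; the list, macro and rule names, and the directories and package-manager exceptions in it, are assumptions chosen for this example.

```yaml
# Added example: a self-contained custom Falco rule file. It is not part of the
# review or of the Falco project's default rules; the list, macro and rule names
# below are assumptions made for this illustration.

# Directories that a running container should normally never write to.
- list: sensitive_config_dirs
  items: [/etc, /usr/local/bin, /root/.ssh]

# Any open of a regular file with write intent. Written out in full here rather
# than relying on the open_write macro that ships with falco_rules.yaml, so
# that this file can be loaded on its own.
- macro: cfg_open_write
  condition: >
    (evt.type in (open, openat, openat2)
     and evt.is_open_write=true
     and fd.typechar='f')

# Only fire inside containers; events from the host carry container.id "host".
- macro: cfg_in_container
  condition: container.id != host

- rule: Write to sensitive directory in container
  desc: >
    A process running inside a container opened a file for writing under a
    directory that should be immutable at runtime. Tune the list above and the
    process exceptions below to the workload before enabling in production.
  condition: >
    cfg_open_write
    and cfg_in_container
    and fd.name pmatch (sensitive_config_dirs)
    and not proc.name in (apt, apt-get, dpkg, yum, rpm)
  output: >
    Write to sensitive directory in container
    (user=%user.name command=%proc.cmdline file=%fd.name
     container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, filesystem, custom]
```

To try it, load the file alongside the default rules with `falco -r custom_rules.yaml`; Falco validates the YAML and field names at load time, so a typo in a field or operator is reported before the rule ever fires. The exception list on `proc.name` is deliberately narrow: broad exceptions on process name are easy to satisfy, so it is better to start strict and add exclusions only for the specific images that legitimately write to these paths.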
What needs improvement?
Sysdig Falco is probably the most complete security solution for container-type workloads today. One area for improvement would be having predefined security standards for measuring compliance reports. If there are requirements to be compliant with NIST or CIS or other regulations, there are other tools with better ready-made templates that you can pull out in real time to show compliance with certain regulations. That's an area where Sysdig Falco could improve.
For how long have I used the solution?
I have been working with Sysdig Falco for approximately four years.
What do I think about the stability of the solution?
Regarding stability and reliability, Sysdig Falco has proven very good, as we haven't had any major problems anywhere.
What do I think about the scalability of the solution?
I would evaluate Sysdig Falco as very scalable. We have one client with a very large installation, and there are no issues scaling it up for that deployment.
How are customer service and support?
My experience and what I've heard about Sysdig Falco's support is generally very good. They are very responsive and helpful in getting things sorted. I would rate them a nine out of ten.
How was the initial setup?
From my experience, I consider it fairly straightforward to install and set up Sysdig Falco. The configuration afterwards can be a little bit more complex, but that depends on the client's use case and how they want to have it set up, so it's not really Sysdig Falco's issue. It's a fairly easy tool to install, and there's a lot of help available, as AI-assisted features can help establish baselines, making it fairly straightforward and easy to use.
What about the implementation team?
I haven't personally participated in the initial setup and deployment of Sysdig Falco, but our consultants have handled these implementations.
What was our ROI?
The ROI side is complex with these security tools because it's when you have an incident that you save money by having the right tools in place. There's no real ROI case before you buy the product, as it becomes a theoretical discussion around how many problems this product can prevent.
We've had incidents with clients where high-impact CVEs were published, and I know comparisons where one client said if they didn't have Sysdig Falco in place, what took them about a day would have probably taken one or two months to resolve. This is a huge time saver and risk avoidance, as they know where they have the problem and can patch immediately. However, it's hard to quantify that into a traditional ROI case in terms of saved money or avoided costs.
What other advice do I have?
I work with many different products in the open-source world relating to containers and Kubernetes, not just Prisma Cloud by Palo Alto Networks. We work with the big ones, such as Red Hat, VMware, and smaller, niche-specific ones such as Sysdig Falco, Armo, and ArmoSec.
I work with all three variants: Sysdig Falco, Sysdig Monitor, and Sysdig Open Source.
On a scale of 1-10, I rate Sysdig Falco a 10.
Which deployment model are you using for this solution?
On-premises