# Detecting Container Escape with Falco Rules

## Overview

Falco is a CNCF-graduated runtime security tool that monitors Linux syscalls to detect anomalous container behavior. It uses a rules engine to identify container escape techniques such as mounting host filesystems, accessing sensitive host paths, loading kernel modules, and exploiting privileged container capabilities.

## When to Use

- When investigating security incidents that require detecting container escape with Falco rules
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured proced…