
Runtime Security for AI Agents & Linux

Falco detects threats at the kernel level. FalcoClaw responds in milliseconds.

docker run -d --privileged -v /var/log:/var/log ghcr.io/thnkbig/falcoclaw:latest # ready in seconds

Security that responds, not just alerts

Process Termination

Kill malicious processes before they can act. Shell injection, privilege escalation — stopped at first exec.


IP Blocking

Drop attackers at the iptables level in milliseconds. Block inbound intrusions and outbound C2 callbacks.


File Quarantine

Isolate suspicious files with immutable flags. Malware cannot persist, even if it runs again.


Agent Dispatch

Send alerts to OpenClaw, Hermes, or any agent framework. Trigger AI-powered investigation pipelines.

Millisecond Response

No LLM in the kill chain. Deterministic execution — response fires in the same event loop as detection.


YAML Rules

Define response policies in simple, auditable YAML. No code. No custom logic. Just rules.

Four steps from detection to response

1. Falco detects a syscall-level threat

Falco monitors system calls using the kernel audit subsystem. When a rule matches — shell spawned from Python, unauthorized exec — it emits a structured event.

2. FalcoClaw receives the event

FalcoClaw subscribes to the Falco output stream. It enriches events with process tree, file metadata, user context, and matched rule.

3. Response actions execute in milliseconds

Based on your YAML rules, FalcoClaw fires the configured response: kill the process, block the IP, quarantine the file, or dispatch to an agent webhook.

4. Agents investigate and remediate

Webhook payloads land in your agent pipeline. Agents take further action — revoke credentials, isolate workloads, alert your team.

Deploy in minutes

Docker

Run with full system access. Requires --privileged for Falco audit access.

docker run -d --privileged \
  -v /var/log:/var/log \
  ghcr.io/thnkbig/falcoclaw:latest

Binary

Download the Linux amd64 binary from GitHub Releases.

curl -fsSL \
  https://github.com/thnkbig/falcoclaw/releases/latest/download/falcoclaw_linux_amd64.tar.gz \
  | tar xz && sudo ./falcoclaw server

Falco config

Point Falco's HTTP output at the FalcoClaw webhook intake.

# /etc/falco/falco.yaml
json_output: true
http_output:
  enabled: true
  url: http://localhost:2804/webhook
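As an added example, not FalcoClaw's own code, here is a Go sketch of what sits behind a webhook intake like the one configured above: it decodes the event shape Falco emits with json_output enabled, rejects events that carry no rule name, and picks the response by a plain table lookup so nothing probabilistic sits in the kill chain. The policy table, its action names and the sample event are assumptions standing in for FalcoClaw's real YAML rules, whose schema is not shown on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FalcoEvent holds the fields Falco emits when json_output is true.
type FalcoEvent struct {
	Rule         string                 `json:"rule"`
	Hostname     string                 `json:"hostname"`
	OutputFields map[string]interface{} `json:"output_fields"`
}

// policy is an assumed rule-name -> action table standing in for FalcoClaw's
// YAML rules (schema not shown here); the keys are Falco default rule names.
var policy = map[string]string{
	"Run shell untrusted":               "kill_process",
	"Outbound Connection to C2 Servers": "block_ip",
}

// Respond decodes one Falco JSON event and picks the response by table lookup
// (no model in the loop). Malformed events and events without a rule name are
// rejected so a bad POST never fires an action; unknown rules go to the agent.
func Respond(body []byte) (action string, pid int, err error) {
	var ev FalcoEvent
	if err = json.Unmarshal(body, &ev); err != nil {
		return "", 0, err
	}
	if ev.Rule == "" {
		return "", 0, fmt.Errorf("falco event has no rule name")
	}
	action = "dispatch_agent"
	if a, ok := policy[ev.Rule]; ok {
		action = a
	}
	if p, ok := ev.OutputFields["proc.pid"].(float64); ok { // JSON numbers decode as float64
		pid = int(p)
	}
	return action, pid, nil
}

func main() {
	// Constructed sample in Falco's JSON output shape (not a captured event).
	sample := []byte(`{"rule":"Run shell untrusted","priority":"Notice","hostname":"web-1","output_fields":{"proc.name":"sh","proc.pid":4242,"proc.pname":"python3","user.name":"app"}}`)
	action, pid, err := Respond(sample)
	fmt.Println(action, pid, err) // kill_process 4242 <nil>
}
```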

Open source. Production ready.

Apache 2.0 licensed. Built by THNKBIG Technologies.