
Falco Adds Forensic Power with Stratoshark Integration

Cloud-native security teams face the same challenge every day: alerts without answers. They can see something suspicious happening inside a Kubernetes cluster, but to find out why it happened, they often need to jump between tools, collect logs, replay events, and manually trace system calls. By the time they’re done, the trail has gone cold.

With its latest release, Falco, the CNCF’s graduated runtime security project, is closing that gap. At KubeCon + CloudNativeCon North America 2025, Falco announced a new integration with Stratoshark, a forensic analysis tool inspired by Wireshark.

The update lets Falco alerts trigger forensic captures in real time, giving security teams immediate access to detailed system-call and audit-log data. Instead of chasing clues across multiple platforms, security engineers can now move from an alert to byte-level evidence in seconds.

This is a turning point for cloud-native forensics, one where detection and investigation finally live in the same workflow.

Why This Matters for Security Practitioners

Runtime visibility has always been Falco’s strength. It can spot unusual container activity, such as a shell spawning inside a pod or a process touching sensitive files. What came next was usually the hard part: gathering enough context to understand how the incident unfolded.

With the new Stratoshark integration, Falco closes that loop. When a Falco rule triggers, it records a System CAPture (SCAP) file containing the system calls relevant to the event. Security engineers can open this capture in Stratoshark and replay it with Wireshark-style precision, filtering by process, syscall, or network event, to reconstruct the full timeline of an incident. One practical caveat: an SCAP file records syscall arguments and I/O buffers, so it can contain file contents, environment variables, and credentials; treat captures as sensitive evidence with the same access controls and retention rules as the secrets they may hold.

In short, the integration makes Falco not just a detection engine, but an investigation tool.

As Leonardo Grasso, one of Falco’s core maintainers, explained, “Alerts without context force long, costly hunts. These new capabilities let teams go from detection to investigation in moments.”

For DevSecOps practitioners, this means faster root cause analysis, less noise, and no need to export gigabytes of data just to reconstruct what happened.

Why Now: Security Needs Speed and Precision

The timing is significant. As cloud-native adoption grows, so does the attack surface. Modern Kubernetes environments are sprawling, dynamic, and distributed, which makes old-school forensics slow and expensive.

Until now, most teams had two bad options: collect everything and drown in data, or collect too little and miss the signal. Falco’s new capture workflow strikes the balance: it only records data when a rule triggers, focusing investigation on real events instead of background noise.
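As an added example of the alert-gated capture workflow described above (the rule-trigger-to-SCAP mechanism in the previous section and the "only record when a rule triggers" balance here), the script below is not Falco's or Stratoshark's code. It assumes only the alert shape Falco emits with `json_output: true` (`rule`, `priority`, `source`, `time`, `output_fields`); the `CapturePlanner` policy, its per-container cooldown, and the sysdig-style scope filter string it builds are this example's own assumptions, and the sample alert lines are constructed.

```python
"""Alert-gated capture planning over Falco JSON alerts.

Added example, not code from Falco or Stratoshark. It assumes only Falco's
documented json_output alert shape (rule, priority, source, time,
output_fields). The CapturePlanner policy, the cooldown, and the
sysdig-style scope filter string are this example's own assumptions.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Falco priority names, highest first, as they appear in its JSON output.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Constructed sample lines in Falco's json_output format (not real cluster data).
SAMPLE_ALERTS = [
    "Falco initialized with configuration file /etc/falco/falco.yaml",  # non-JSON noise
    json.dumps({"hostname": "node-a", "priority": "Warning", "source": "syscall",
                "rule": "Terminal shell in container",
                "time": "2025-11-12T14:03:22.123456789Z",
                "output_fields": {"container.id": "3c4d5e6f7a8b",
                                  "proc.name": "bash", "proc.pid": 4182}}),
    json.dumps({"hostname": "node-a", "priority": "Notice", "source": "syscall",
                "rule": "Packet socket created in container",
                "time": "2025-11-12T14:03:25.000000000Z",
                "output_fields": {"container.id": "3c4d5e6f7a8b", "proc.pid": 4190}}),
    json.dumps({"hostname": "node-a", "priority": "Warning", "source": "syscall",
                "rule": "Run shell untrusted",
                "time": "2025-11-12T14:03:32.000000000Z",
                "output_fields": {"container.id": "3c4d5e6f7a8b", "proc.pid": 4201}}),
    json.dumps({"hostname": "node-b", "priority": "Critical", "source": "syscall",
                "rule": "Write below binary dir",
                "time": "2025-11-12T14:03:52.500000000Z",
                "output_fields": {"container.id": "9f8e7d6c5b4a", "proc.pid": 5110}}),
    json.dumps({"hostname": "node-b", "priority": "Warning", "source": "k8s_audit",
                "rule": "K8s Secret Get Successfully",
                "time": "2025-11-12T14:03:55.000000000Z",
                "output_fields": {"ka.user.name": "system:serviceaccount:dev:app"}}),
]


@dataclass
class CaptureRequest:
    rule: str
    scope_key: str        # container.id, or hostname for host processes
    scope_filter: str     # hypothetical sysdig-style filter to scope the capture
    started_at: datetime


def parse_falco_time(ts: str) -> datetime:
    """Falco timestamps carry nanoseconds; trim to microseconds for datetime."""
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)


def priority_at_least(priority: str, floor: str) -> bool:
    """True when `priority` is as severe as or more severe than `floor`."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(floor)


def build_scope_filter(fields: Dict) -> str:
    """Narrow the capture to the offending container/process.

    Field names (container.id, proc.pid) are Falco's; the filter syntax is an
    assumed sysdig-style illustration. Empty string means an unscoped capture.
    """
    clauses = []
    if fields.get("container.id") and fields["container.id"] != "host":
        clauses.append(f'container.id={fields["container.id"]}')
    if fields.get("proc.pid"):
        clauses.append(f'proc.pid={int(fields["proc.pid"])}')
    return " and ".join(clauses)


class CapturePlanner:
    """Hypothetical policy: capture only on syscall alerts at or above a
    priority floor, at most once per container within a cooldown window."""

    def __init__(self, min_priority: str = "Warning", cooldown_seconds: int = 60,
                 rules: Optional[Iterable[str]] = None):
        self.min_priority = min_priority
        self.cooldown = cooldown_seconds
        self.rules = set(rules) if rules else None
        self._last: Dict[str, datetime] = {}   # scope_key -> last capture time

    def consider(self, alert: Dict) -> Optional[CaptureRequest]:
        if alert.get("source", "syscall") != "syscall":
            return None   # only syscall-source alerts have a syscall stream to capture
        if not priority_at_least(alert["priority"], self.min_priority):
            return None
        if self.rules is not None and alert["rule"] not in self.rules:
            return None
        fields = alert.get("output_fields", {})
        key = fields.get("container.id") or alert.get("hostname", "unknown")
        when = parse_falco_time(alert["time"])
        last = self._last.get(key)
        if last is not None and (when - last).total_seconds() < self.cooldown:
            return None   # cooldown: do not stack captures on the same container
        self._last[key] = when
        return CaptureRequest(alert["rule"], key, build_scope_filter(fields), when)

    def plan(self, lines: Iterable[str]) -> List[CaptureRequest]:
        requests = []
        for line in lines:
            try:
                alert = json.loads(line)
            except json.JSONDecodeError:
                continue   # Falco also prints non-JSON startup lines; skip them
            req = self.consider(alert)
            if req is not None:
                requests.append(req)
        return requests


if __name__ == "__main__":
    for r in CapturePlanner().plan(SAMPLE_ALERTS):
        print(f"{r.started_at.isoformat()} capture for '{r.rule}' scoped by [{r.scope_filter}]")
```

Run against the constructed lines, the planner starts two captures (the `Warning` shell in container `3c4d5e6f7a8b` and the `Critical` write on `9f8e7d6c5b4a`); the `Notice` alert falls below the floor, the second alert on the first container lands inside the cooldown, and the `k8s_audit` alert has no syscall stream to capture. The cooldown is what keeps a noisy rule from turning one incident into dozens of overlapping SCAP files.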

And by partnering with Stratoshark, led by Wireshark creator Gerald Combs, the project brings a familiar, trusted interface to cloud forensics. As Combs put it, “We’ve taken the forensic precision that users expect from Wireshark and brought it into the cloud-native space.”

That accessibility matters. It lowers the learning curve for platform teams that aren’t full-time security analysts, giving them the ability to dig into runtime events without specialized tooling or training.

The Bigger Picture: Open Source Security Matures

Falco’s evolution mirrors a larger trend in the cloud-native ecosystem: the convergence of detection, observability, and forensics. Teams don’t just need alerts; they need context, automation, and speed.

By linking real-time detection with forensic visibility, Falco helps close one of the biggest gaps in cloud security operations, the “investigation latency” between an alert firing and an analyst understanding what it means.

For open source security, this integration also sets an example of what collaboration looks like in practice. Falco and Stratoshark are both community-driven tools, built to interoperate rather than compete. Together, they show that open tooling can rival, and often outperform, proprietary alternatives in speed, transparency, and depth.

The Practitioner Takeaway

For platform and security engineers, the new Falco–Stratoshark integration delivers three clear benefits:

  • Faster incident response – Teams can jump straight from detection to replay, cutting investigation time from hours to minutes.
  • Reduced noise – Forensic captures are created only when a rule triggers, so every byte of data has meaning.
  • Deeper visibility – Byte-level syscall analysis shows exactly what happened across the containers and pods on the node where the rule fired.

This isn’t just an upgrade for Falco users; it’s a milestone for the entire CNCF security ecosystem. By bringing forensic depth into real-time operations, Falco is helping teams keep pace with the speed and complexity of modern cloud environments.

As threats evolve, so must detection. And now, when Falco spots trouble, the shark really does swim in.
