Open source: The backbone of modern innovation


Overview

Open innovation is a force multiplier for defenders. The tools, research, and detections that came from grassroots collaborations laid the groundwork for many of today’s most effective security practices, and open source trust and transparency are now an operational necessity.

Because attackers collaborate and share tools and techniques, defenders must do the same. Thanks to ongoing contributions from practitioners and vendors alike, open source security tools have become faster and sharper, keeping them operationally effective against the threats they are built to stop. Open innovation is how modern security teams stay resilient and stay ahead.

Open source in the era of data sovereignty

The European Union (EU), Australia, Canada, and others have regulations dictating where data can be stored, how it can be processed, and who can have access to it. The EU Data Act, which goes into effect Sept. 12, 2025, mandates that businesses and users have the right to access and share data generated by their connected devices, giving them control over the data produced by those devices. For organizations operating in these countries, data sovereignty is a non-negotiable requirement.

With open security tools, there is no smoke and mirrors: you can look under the hood and see exactly what they are doing, because they are built transparently by nature. They can also be self-hosted on EU infrastructure, whether on-premises, in a private cloud, or in a sovereign public cloud, with telemetry under your own control, so no data is sent externally and you retain legal and operational authority over it. In the EU, Microsoft and Google are expanding their sovereign cloud offerings in response to these regulatory pressures; in Australia, Splashtop is doing the same.

Falco: Built in the open, battle-tested by the community

Falco, the CNCF’s open source runtime threat detection engine, is the global standard for open source cloud-native security, with nearly 10 million downloads since the beginning of the year, and more than 150 million total downloads. From 60% of Fortune 500 companies to startups and home labs across the globe, there’s a Falco use case for every security practitioner, regardless of the size or scope of their environment.

Falco’s evolution has mirrored the trends and shifts in the cloud security industry:

  • From an intrusion detection system (IDS) tool to real-time runtime threat detection and response.
  • From kernel modules to eBPF probes in 2018.
  • From simple alerts to workflow integrations.

Thanks to the community’s support, Falco Actions extends Falco’s capabilities into CI/CD pipelines, supporting the “shift left and shield right” strategy to detect and contain threats at every part of the software life cycle. Falco Talon supports automated policy enforcement in CI/CD and aligns with the secure-by-design philosophy. And Falcosidekick sends Falco alerts wherever they need to go.

Furthermore, Falco not only checks the real-time detection and regulatory compliance boxes; because it is open source, organizations can also tailor detection rules and compliance policies to their unique needs. That makes it especially useful in the finance, government, and health care sectors.

The diagram below contains an example of a self-managed open source Falco ecosystem, which exhibits a powerful toolkit for threat detection and response in cloud-native environments. It's possible for a team with the right resources to build this highly capable platform, but it is also important to recognize the operational investment required to both achieve and maintain such a deployment at an enterprise scale.

Open source starts the journey

Open innovation is where security starts and how security scales from sandbox to enterprise. Open source tools are powerful, but they also have limitations. Whether they run up against challenges around scale, look for greater functionality, or seek out enterprise support, many organizations choose to transition from Falco for runtime detection and Sysdig OSS for container troubleshooting and investigations to an enterprise-grade tool like Sysdig. It is often a natural progression rooted deeply in trust: teams gain hands-on experience without upfront costs, and as their operational business needs grow, Sysdig offers a path forward with an enterprise platform built on the same open source foundations, allowing teams to scale without disruption.

Continuing shared innovation

With the launch of Stratoshark in January 2025 – which combines Wireshark’s powerful packet analysis with Falco’s robust runtime security for fast troubleshooting, confident incident response, and cloud-native flexibility – Sysdig has proven that its commitment to the open source community is here to stay. Wireshark was released in July 1998 and has 1.5 million monthly downloads. Stratoshark, with the same retro user interface, has already amassed 40,000 downloads and has 6,000 weekly visitors. Open innovation is essential for trust and collaboration; it supports compliance, detection, and defense in security. And as the cloud-native ecosystem continues to grow in complexity and regulations continue to evolve, open innovation will only become more essential. It’s already evident with the development and growth of open source AI.

Join the Sysdig Open Source Community

“I really like that Sysdig is so active with open source. Sysdig has open source projects for both security and monitoring. Organizations can deploy both and run them for free. Then there is an enterprise version that fits nicely once you progress through the open source tools. If more capabilities or features are needed, Sysdig is there for you. Being a good community member and driver is important to me.”

– Principal Container Engineer, Worldpay


Sysdig customer story

Syfe is an international digital investment platform that uses a secure cloud-native infrastructure to help its customers manage their wealth and investments and broker global trades. Syfe began using Falco for foundational security, building custom policies and sending real-time alerts to Slack channels. The Sysdig TRT contributes detection rules to the Falco community weekly, and Syfe was using these rules, but it was spending valuable time updating and maintaining them as its organization and environment scaled quickly.
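The pattern described above, a custom Falco rule whose alerts are forwarded to Slack, looks roughly like the following. This is an added illustration, not Syfe's policies or any file shipped by the Falco or Sysdig projects: the rule, the macro names, the file paths it watches, and the hostnames and webhook URL are constructed placeholders. It assumes a Falco deployment alongside Falcosidekick, with the three fragments placed in a custom rules file, `falco.yaml`, and `falcosidekick.yaml` respectively.

```yaml
# --- file 1: custom rules file loaded by Falco (constructed example) ---
# Macros are defined here under their own names rather than relying on
# the macros in the default ruleset, so the file stands on its own.
- macro: ex_in_container
  condition: (container.id != host)

- macro: ex_open_for_read
  condition: (evt.type in (open, openat, openat2) and evt.is_open_read=true and fd.typechar='f')

- macro: ex_credential_file
  condition: (fd.name startswith /etc/shadow or fd.name startswith /root/.ssh/)

- rule: Credential File Read in Container (example)
  desc: A process inside a container opened a credential file for reading
  condition: >
    ex_open_for_read and ex_in_container and ex_credential_file
    and not proc.name in (sshd)
  output: >
    Credential file read in container
    (user=%user.name proc=%proc.cmdline file=%fd.name
     container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, filesystem, credentials, example]

---
# --- file 2: falco.yaml fragment (constructed example) ---
# Emit JSON and POST every alert to Falcosidekick; the hostname is a placeholder.
json_output: true
http_output:
  enabled: true
  url: "http://falcosidekick:2801/"

---
# --- file 3: falcosidekick.yaml fragment (constructed example) ---
# Forward alerts at WARNING or above to Slack; the webhook URL is a placeholder.
slack:
  webhookurl: "https://hooks.slack.com/services/PLACEHOLDER/PLACEHOLDER/PLACEHOLDER"
  minimumpriority: "warning"
  outputformat: "all"
```

The `not proc.name in (sshd)` exception shows where the maintenance cost the text mentions comes from: every legitimate reader of a sensitive path in a growing environment needs its own exclusion, and each new image or workload can reopen the question.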

Syfe eventually transitioned from Falco to Sysdig, noting that “the Sysdig TRT has one of the best pulses on the latest attacks. With their insight, they continuously refine and update detections within Sysdig, ensuring that we’re always one step ahead of attackers,” and saving them precious time.

Their move wasn’t a pivot; it was a natural evolution, rooted in trust and driven by operational scale. They still have control over their risk posture because they can customize rules to their liking, but they no longer have to maintain the Falco threat detection engine on their own.
