
CDK vs Falco

GitHub Stats

              CDK          Falco
Stars         4.6k         8.8k
Forks         599          1.0k
Issues        16           58
Updated       1mo ago      5d ago
License       Apache-2.0   Apache-2.0
Language      Go           C++

About CDK

CDK (Container penetration toolkit) is an open-source tool for penetration testing and exploitation of container environments. It is distributed as a single static binary with no runtime dependencies, so it can be dropped into a target container during a red team engagement without installing anything. CDK groups its functionality into three areas: evaluation (collecting container environment information, decoding the process capability set, and identifying candidate escape vectors), exploitation (automated escapes such as mounting host filesystems, abusing a mounted Docker socket, leveraging dangerous Linux capabilities, and exploiting known container runtime and kernel vulnerabilities), and tools (network scanning, file transfer, reverse shells, and other post-exploitation helpers). New escape techniques are added as they become public, so the checks and exploits it ships reflect the currently known container escape landscape.
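To make the evaluation phase concrete, here is an added example of a minimal CDK-style evaluation pass. It is not code from the CDK project and its function and field names (`DecodeCapEff`, `DockerSockets`, `Evaluate`, `Report`) are this example's own. It does what a toolkit does on first run inside a container: decode the CapEff bitmask from /proc/self/status into capability names, flag the capabilities that give a known host escape, and look through /proc/mounts for a bind-mounted Docker daemon socket. Both inputs are passed as strings so the checks run offline on the constructed samples embedded below; on a real target you would read the two files instead.

```go
// Added example (not CDK code): a minimal CDK-style evaluation pass over the
// text of /proc/self/status and /proc/mounts, supplied as strings so it runs
// on constructed samples offline. All names here are this example's own.
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Linux capability names indexed by bit number (uapi/linux/capability.h).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
	"CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
	"CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
	"CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// Capabilities that on their own give a well-known host escape route.
var escapeCaps = []struct{ name, why string }{
	{"CAP_SYS_ADMIN", "mount the host block device or abuse cgroup release_agent"},
	{"CAP_SYS_PTRACE", "inject into host processes when the PID namespace is shared"},
	{"CAP_SYS_MODULE", "load a kernel module on the host"},
	{"CAP_DAC_READ_SEARCH", "read arbitrary host files via open_by_handle_at"},
	{"CAP_SYS_RAWIO", "raw read/write of host block devices"},
}

// Constructed sample inputs (not captured from a real system). The first mask
// is Docker's default capability set, the second a --privileged container.
const SampleStatusDefault = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
const SampleStatusPrivileged = "Name:\tsh\nCapEff:\t0000003fffffffff\n"
const SampleMounts = "overlay / overlay rw,relatime 0 0\n" +
	"proc /proc proc rw,nosuid,nodev,noexec 0 0\n" +
	"/dev/sda1 /var/run/docker.sock ext4 rw,relatime 0 0\n" +
	"/dev/sda1 /etc/hostname ext4 rw,relatime 0 0\n"

// DecodeCapEff returns the capability names set in the CapEff mask of a
// /proc/<pid>/status text, in bit order.
func DecodeCapEff(status string) ([]string, error) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(line[len("CapEff:"):]), 16, 64)
		if err != nil {
			return nil, err
		}
		var caps []string
		for bit, name := range capNames {
			if mask&(uint64(1)<<uint(bit)) != 0 {
				caps = append(caps, name)
			}
		}
		return caps, nil
	}
	return nil, errors.New("no CapEff line in status")
}

// DockerSockets returns mount points in a /proc/mounts text that look like a
// bind-mounted Docker daemon socket (second field of each line is the target).
func DockerSockets(mounts string) []string {
	var found []string
	for _, line := range strings.Split(mounts, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && strings.HasSuffix(f[1], "docker.sock") {
			found = append(found, f[1])
		}
	}
	return found
}

// Report is what the evaluation hands to the operator.
type Report struct {
	Caps    []string
	Vectors []string // human-readable escape vectors; empty when none found
}

// Evaluate runs both checks and turns the findings into escape vectors.
func Evaluate(status, mounts string) (Report, error) {
	caps, err := DecodeCapEff(status)
	if err != nil {
		return Report{}, err
	}
	have := map[string]bool{}
	for _, c := range caps {
		have[c] = true
	}
	r := Report{Caps: caps}
	for _, e := range escapeCaps {
		if have[e.name] {
			r.Vectors = append(r.Vectors, e.name+": "+e.why)
		}
	}
	for _, s := range DockerSockets(mounts) {
		r.Vectors = append(r.Vectors, s+": start a privileged container through the host daemon")
	}
	return r, nil
}

func main() {
	for _, status := range []string{SampleStatusDefault, SampleStatusPrivileged} {
		r, err := Evaluate(status, SampleMounts)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d capabilities, %d escape vector(s): %v\n", len(r.Caps), len(r.Vectors), r.Vectors)
	}
}
```

Docker's default mask `a80425fb` decodes to 14 capabilities and contains none of the escape capabilities, so the only vector reported for the default sample is the mounted socket; the `--privileged` mask `3fffffffff` sets every capability a 5.x-era kernel knows and trips all five capability checks. The capability table stops at CAP_CHECKPOINT_RESTORE (bit 40); a newer kernel can add bits beyond it, which this decoder silently ignores.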

About Falco

Falco is a cloud-native runtime security tool originally created by Sysdig and now a CNCF graduated project. It observes system calls in real time through an eBPF probe or a kernel module and matches them against rules to detect abnormal behavior, intrusions, and data theft in containers, Kubernetes clusters, and Linux hosts. Falco ships with a default rule set whose rules are tagged with MITRE ATT&CK tactics and techniques, detecting events such as a shell spawned in a container, unexpected process execution, reads of sensitive files, outbound connections to unexpected destinations, and privilege escalation attempts. Rules are YAML files built from rules, macros, and lists, and can be extended or overridden to fit an organization's workloads. Falco is a detection tool, not an enforcement point: it does not block workloads or act as a Kubernetes admission controller. Its native outputs are stdout, file, syslog, a spawned program, HTTP, and gRPC; the companion Falcosidekick project forwards alerts to Slack, PagerDuty, SIEM systems, and arbitrary webhook endpoints.
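As an added example of the rule format (this is not a rule from Falco's default rule set), the following detects the behavior CDK's first step produces, a shell started inside a container, and shows how lists make a rule tunable. It assumes Falco's default rules are loaded alongside it, because it reuses two macros they define, `spawned_process` (an `execve`/`execveat` exit event) and `container` (the event did not come from the host). The list names and the `registry.example.com/ci-runner` image are this example's own placeholders.

```yaml
# Added example rule, not part of falco_rules.yaml. Relies on the default
# rule set being loaded for the spawned_process and container macros.
- list: example_shell_binaries
  items: [sh, bash, dash, zsh, ash]

# Images whose entrypoint legitimately is a shell; placeholder value.
- list: example_allowed_shell_images
  items: [registry.example.com/ci-runner]

- rule: Example Shell Spawned in Container
  desc: >
    A shell was started inside a container. Interactive shells are rare in
    production workloads and are the usual first step of a container
    enumeration or escape.
  condition: >
    spawned_process and container
    and proc.name in (example_shell_binaries)
    and not container.image.repository in (example_allowed_shell_images)
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    image=%container.image.repository shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]
```

Save it as a file under the rules directory Falco already reads (for a package install, /etc/falco/falco_rules.local.yaml is the documented place for local customizations), check it with `falco -V <file>`, and restart Falco. Tuning is done by growing the allow-list rather than editing the condition, which keeps the rule readable when the list gets long.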

Platform Support

CDK: Linux
Falco: Linux

Tags

Shared

kubernetes

CDK only

container-escape, docker, capabilities, red-team, post-exploitation

Falco only

runtime-security, ebpf, container, syscall, cncf, detection