Deepce vs Falco
About Deepce
Deepce (Docker Enumeration, Escalation of Privileges and Container Escapes) is a post-exploitation script for assessing a Docker container from the inside. It is a single portable shell script with no dependencies, so it can be dropped into almost any container image, including minimal ones without Python or curl. Deepce enumerates the things that turn a foothold into a host compromise: escape-relevant capabilities in the container's effective set (SYS_ADMIN, SYS_PTRACE and DAC_READ_SEARCH among others), a mounted Docker socket, writable bind mounts from the host filesystem, missing namespace isolation (for example host PID or host network mode), and Docker or runC versions affected by published escape vulnerabilities such as the runC binary overwrite CVE-2019-5736. It also fingerprints the environment (container runtime: Docker, Podman or LXC; image; whether the process runs as root; what tooling is present), inspects the network configuration, looks for neighbouring containers on the same network, and can optionally attempt the escapes it finds. Because it needs nothing installed, it suits the situation where a penetration tester lands in a container and has to decide quickly what the next move is. When reporting, treat a positive socket or capability finding as host-level impact: a writable Docker socket, or CAP_SYS_ADMIN in a container without user namespaces, is effectively root on the node.
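The following POSIX shell functions are an added example, not deepce's own code. They reproduce three of the checks described above in the same zero-dependency style: decoding the effective capability mask from /proc/self/status against a short list of escape-relevant capabilities, checking for a mounted container API socket, and parsing /proc/self/mountinfo for read-write bind mounts backed by a host disk filesystem. The capability bit numbers are the kernel's CAP_* values; the mountinfo sample and the disk-filesystem heuristic are constructed for the example.

```shell
#!/bin/sh
# Added example: container self-assessment checks in plain POSIX sh.
# Not deepce's code; it mirrors three of the checks the text describes.

# Escape-relevant capabilities as "bit:name" (bit numbers from linux/capability.h).
DANGEROUS_CAPS="21:CAP_SYS_ADMIN 19:CAP_SYS_PTRACE 2:CAP_DAC_READ_SEARCH 16:CAP_SYS_MODULE 17:CAP_SYS_RAWIO 12:CAP_NET_ADMIN"

# dangerous_caps <hex CapEff mask>: print the dangerous capabilities set in the mask.
# Docker's default mask is 00000000a80425fb, which contains none of them;
# a --privileged container shows something like 0000003fffffffff.
dangerous_caps() {
    mask=$((0x$1))
    for entry in $DANGEROUS_CAPS; do
        bit=${entry%%:*}
        name=${entry#*:}
        [ $(( (mask >> bit) & 1 )) -eq 1 ] && printf '%s\n' "$name"
    done
    return 0
}

# current_capeff: effective capability mask of this process (hex, no 0x prefix).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# socket_mounted <path>: succeed if a unix socket exists at path.
# A writable Docker socket inside a container is equivalent to root on the host.
socket_mounted() {
    [ -S "$1" ]
}

# writable_host_mounts: read mountinfo on stdin and print mount points that are rw
# and backed by a disk filesystem (ext4/xfs/btrfs/zfs, i.e. bind mounts from the
# host rather than overlay/tmpfs/proc), excluding the container root and the three
# files Docker manages itself. Field 5 is the mount point, field 6 the options,
# and the filesystem type follows the "-" separator.
writable_host_mounts() {
    awk '{
        fstype = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if (fstype ~ /^(ext[234]|xfs|btrfs|zfs)$/ &&
            $6 ~ /(^|,)rw(,|$)/ &&
            $5 != "/" && $5 != "/etc/hostname" && $5 != "/etc/hosts" &&
            $5 != "/etc/resolv.conf")
            print $5
    }'
}

# Constructed mountinfo sample: the container root overlay, pseudo filesystems, a
# read-write bind mount of a host directory, Docker's managed /etc/hosts and a
# read-only bind mount.
SAMPLE_MOUNTINFO='1 0 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
2 1 0:51 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
3 1 0:52 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
40 1 8:1 /srv/app/data /data rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
41 1 8:1 /var/lib/docker/containers/abc/hosts /etc/hosts rw,relatime - ext4 /dev/sda1 rw
42 1 8:1 /srv/app/config /config ro,relatime - ext4 /dev/sda1 rw'

demo_writable_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | writable_host_mounts
}

# Live run inside a container (skipped where /proc is not available).
if [ -r /proc/self/status ]; then
    printf 'CapEff: %s\n' "$(current_capeff)"
    dangerous_caps "$(current_capeff)"
    for s in /var/run/docker.sock /run/podman/podman.sock; do
        socket_mounted "$s" && printf 'API socket mounted: %s\n' "$s"
    done
    writable_host_mounts < /proc/self/mountinfo
fi
```

Run it as `sh check.sh` inside the container. The live section prints nothing for a default Docker container; any line of output is a lead worth following up, and the socket check in particular should be read as "host compromise available" rather than as a misconfiguration of the container alone.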
About Falco
Falco is a cloud-native runtime security tool originally created by Sysdig and now a CNCF graduated project. It consumes kernel events (system calls, collected through the modern eBPF probe, the legacy eBPF probe or a kernel module) and, via plugins, other sources such as Kubernetes audit logs, and evaluates each event against a rule set in real time to flag abnormal behaviour in containers, Kubernetes clusters and Linux hosts. The shipped rules are tagged with MITRE ATT&CK tactics and cover events such as a shell spawned in a container, unexpected process execution, reads of sensitive files, outbound connections to known-bad destinations, and privilege escalation attempts. Rules are YAML documents built from reusable lists and macros plus a condition written in Falco's filter language over fields like proc.name, fd.name and container.id, so an organisation can tune the defaults or add rules of its own. Falco is a detection tool, not an enforcement point: it does not block system calls and it does not gate deployments at admission time. Alerts are written to stdout, a file, syslog, a program, HTTP or gRPC, and the companion Falcosidekick project fans them out to Slack, PagerDuty, SIEMs and arbitrary webhooks; automated response in Kubernetes (killing or isolating the offending pod, for instance) is layered on those outputs by separate tooling such as Falco Talon. The two tools on this page sit on opposite sides of the same problem: deepce is what an attacker runs after landing in a container, and running it inside a Falco-monitored container is a quick way to exercise the detection rules.
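As an added example, not from Falco's shipped rule set, the following custom rule flags any process inside a container that opens or connects to the Docker daemon socket, which is exactly the host-takeover path deepce enumerates. The macros and list are defined here so the rule stands alone; the allowlist of client process names is an assumption to be replaced with the agents that legitimately use the socket in a given environment.

```yaml
# Added example: a custom Falco rule (not part of Falco's default rules).
# Drop it under /etc/falco/rules.d/ or load it with -r alongside the defaults.

- list: docker_socket_clients
  # Assumed allowlist; replace with the agents that legitimately use the socket.
  items: [docker, docker-compose, dockerd, containerd]

- macro: in_container
  condition: container.id != host

- macro: docker_socket_io
  # Match the exit of open/openat/openat2/connect on the daemon socket. fd.name
  # is matched with endswith so both open() on the path and connect() on the
  # unix socket are covered regardless of how the address is rendered.
  condition: >
    (evt.type in (open, openat, openat2, connect) and evt.dir = <
     and fd.name endswith /docker.sock)

- rule: Docker Socket Accessed From Container
  desc: >
    A process running inside a container opened or connected to the Docker daemon
    socket. A container that can talk to the daemon can start a privileged container
    with the host filesystem mounted, so this is treated as an escape attempt unless
    the process is a known client.
  condition: in_container and docker_socket_io and not proc.name in (docker_socket_clients)
  output: >
    Docker socket accessed from container
    (user=%user.name proc=%proc.name cmdline=%proc.cmdline parent=%proc.pname
     socket=%fd.name container=%container.name image=%container.image.repository)
  priority: CRITICAL
  tags: [container, privilege_escalation, T1611]
```

Validate the file with `falco -V <file>` before deploying it. To test the rule end to end, start a container with `-v /var/run/docker.sock:/var/run/docker.sock` and run deepce, or simply `ls -l /var/run/docker.sock` followed by a `curl --unix-socket` call, inside it; the first interaction with the socket by a process not on the allowlist should produce a CRITICAL alert.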