All right, thank you everyone for joining my lightning talk about Falco. I'll be talking about achieving balance between security and performance in our software. So first of all, some of you here that I've met are CNCF maintainers, so you have probably heard of Falco. But in general, what it is in a couple of words, it's an open source security solution for threat detection. So we do runtime threat detection for your clusters, hosts and Kubernetes. And very importantly, Falco is now actually used by a lot of people in the community, a lot of people that use CNCF projects. And in fact, this year Falco became a CNCF graduated project.

So if you have never used Falco, kind of what does it look like? It's a magic box. You put some rules inside that magic box that is exactly what you want to be alerted about. So for example, here we have a rule for a terminal shell in a container. So I want to understand if that specific thing spawns in my cluster. And then I put the rule, and of course you can download our pre-made rules if you don't want to write your own, put it in the magic box and out come alerts whenever these things happen. But you don't just want to see a blank screen, but yeah, now it's not a blank screen. So what is going to happen is that Falco doesn't just give you an alert. It basically tells you a lot of context around the alert. So if you have our shell, we can know everything about the container. We know about Kubernetes, namespace, process ancestors, really a lot of things. You have hundreds of fields to choose from to have your alerts.

But what if you're a maintainer? If you're a maintainer, if you're a contributor, which I hope some people will want to be, you see Falco a little bit differently. So first of all, that's this thing that's called a kernel module or an eBPF probe. This is the part that the user doesn't really want.
I don't want to care about that, but it's there in order to take those events from the kernel and then send them to the user space agent, which is actually able to compute the rules and enrich them with a lot of user space data, Kubernetes and many other things. This is a very nice and flexible and acceptable architecture. But of course, as a maintainer, you will see that this duality between kernel and user space is something that you have to really care about and sometimes as a user as well.

So imagine if you were a Falco maintainer or a contributor for a day, what is it? And now you're going around KubeCon. What is it that people will be asking you? What are the questions that I get and my fellow maintainers get? So of course, a lot of people want more detections and that's really great. We want to detect more things. For example, there's a new CVE of the day and we want to be able to detect when that CVE is trying to be exploited by a malicious actor. So of course, we want that. Or we might have someone that is asking about the performance. There's systems that maintain and that operate with millions of events per second and Falco needs to keep up. Or some people have troubles installing it because we don't really want a kernel module or eBPF because they are hard to install. But of course, we use them because that's a way to get our data. And if you ever tried installing something like VMware, you know that it's not that easy to install and we want the Falco experience to be the best. And also, there's that annoying security person that comes and says, hey, the project is written in C++. Is it secure? And why? I love that person because it's me. And of course, we want to balance everything. We want to have everything. So we want to research and develop to get all of these things in Falco. How do we do it?

So one thing is that we know that the more we detect, the slower we are at detections.
Of course, we know that because if we put more features, we might have a problem with the balance of the performance. So what do we do to address that? We gave our users, especially our power users, a lot of knobs to adjust the performance, a lot of metrics supporting. And of course, we made Falco as smart as possible when it comes, the time to operate between the interface between kernel and user space. And also, we optimize, we try, and since the first day, Falco was optimized at the system call level pretty much at the assembly level. We don't write assembly because it supports four architectures, but we try to be smart with our C++. Not architecture as smart, but more optimization smart.

And also, installing a kernel module, as I mentioned, it's a hard thing to do. And how we want to be compatible, we have compatibility with x86, with ARM, with S390X, and we can get more architectures. And we want to be compatible with them. And we want to also be secure. So, the thing that we do is like, I don't think there is an easy way around it, but we do have massive test matrices that basically test hundreds of different combinations of kernels, operating systems, distributions, you name it, to make sure that Falco actually installs, Falco works and Falco gathers events from those systems. And of course, we have modern technologies such as CO-RE, that you can choose to use, and you probably want if you have a very new kernel, but we are also compatible with something like 2.6.

And also, we take a page out of the security engineer book by using, by having that security person that forces on his fellow maintainers and contributors a lot of security tracking tools and is annoying about all of that. That person is still me. Anyways, that's what it's like to work on Falco. I think it's fun, and some people agree. And basically you have to balance all these things.
We want everything, we want a lot of detections, we want excellent performance, and we try every day and we work towards it. And we do a lot of development to get there. Of course, would you want to be a Falco maintainer? I don't know, but you can be very easily a Falco contributor. We are around, there's quite a few of us Falco maintainers around here. As we mentioned before, there's, of course, a kiosk that you can visit, a maintainer track, and you can find all the references there, including a cool playground that you can use, the play.falco.org, even with your phone. Thank you so much.