DEV Community

Ivan Tsanev
(not yet) Falco AI Agent - Part 1: Real-time Kubernetes Security Analysis with Claude🔍

Been running Falco on my bare metal Kubernetes cluster for a while. It sits on every node watching kernel syscalls, catching everything happening inside containers. Shell spawns, unexpected API connections, processes doing things they probably shouldn't. Sounds great until you're drowning in alerts at midnight and 90% of them are just sidecars doing their job.

Every Falco alert now goes straight to Claude with full context - process names, syscall types, container, namespace, MITRE ATT&CK tag, all of it. Claude comes back with three things: what actually happened, whether it's a real threat or expected behavior, and what to do about it. No noise, no cryptic log lines, just a straight answer.

alert with Claude analysis

And it gets it right. Grafana sidecar hitting the K8s API? "Expected behavior, allowlist it." Shell spawned inside the Vault container? "Worth investigating, verify this was authorized." It reads the context and gives you something actionable.
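Here is one way to build the two ends of that pipeline, as an added Python example that is not code from the post, from Falco or from Anthropic: reduce a Falco `json_output` alert to the context fields listed above, then validate the model's reply so that only a well-formed answer with a closed-set verdict is shown or acted on. The alert and the reply are constructed samples, and the reply key names (`what_happened`, `verdict`, `recommendation`) are an assumption about how the prompt asks for the three answers.

```python
import json

# Constructed sample in Falco's json_output shape ("Terminal shell in container" is a
# stock Falco rule name; the container, pod and process values are made up).
SAMPLE_ALERT = json.dumps({
    "output": "Notice A shell was spawned in a container with an attached terminal",
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "source": "syscall",
    "tags": ["container", "shell", "mitre_execution", "T1059"],
    "output_fields": {
        "container.name": "vault", "k8s.ns.name": "vault", "k8s.pod.name": "vault-0",
        "proc.cmdline": "sh", "proc.name": "sh", "proc.pname": "runc",
        "evt.type": "execve", "user.name": "root",
    },
})

def build_context(alert_json: str) -> dict:
    """Reduce a raw Falco alert to the fields worth sending with the analysis request."""
    alert = json.loads(alert_json)
    f = alert.get("output_fields", {})
    return {
        "rule": alert["rule"],
        "priority": alert["priority"],
        "process": f.get("proc.cmdline") or f.get("proc.name"),
        "parent_process": f.get("proc.pname"),
        "syscall": f.get("evt.type"),
        "user": f.get("user.name"),
        "container": f.get("container.name"),
        "namespace": f.get("k8s.ns.name"),
        "pod": f.get("k8s.pod.name"),
        # Falco tags MITRE tactics as mitre_<tactic> and techniques as T<digits>.
        "mitre": [t for t in alert.get("tags", []) if t.startswith(("mitre_", "T1"))],
    }

VERDICTS = ("expected", "suspicious", "malicious")
REQUIRED = {"what_happened", "verdict", "recommendation"}

def parse_analysis(reply_text: str) -> dict:
    """Accept only a JSON object with exactly the three expected keys and a closed-set
    verdict; prose, extra keys or free-text verdicts are rejected instead of forwarded."""
    reply = json.loads(reply_text)
    if not isinstance(reply, dict) or set(reply) != REQUIRED:
        raise ValueError(f"unexpected reply shape: {reply!r}")
    if reply["verdict"] not in VERDICTS:
        raise ValueError(f"verdict must be one of {VERDICTS}, got {reply['verdict']!r}")
    return reply

if __name__ == "__main__":
    print(json.dumps(build_context(SAMPLE_ALERT), indent=2))
    # Constructed reply standing in for the model's answer to the alert above.
    print(parse_analysis('{"what_happened": "Interactive shell in vault-0", '
                         '"verdict": "suspicious", "recommendation": "Verify the exec was authorized"}'))
```

The strict parser is what keeps the Part 2 automation (rule exceptions, PRs) from ever consuming a reply that drifted from the expected shape.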

The whole thing runs on bare metal K8s - Claude API key stored in HashiCorp Vault, synced by External Secrets Operator, deployed via ArgoCD. The dashboard was built 99% (I just picked the colours) by Claude Cowork at 1:18am. 😄

dashboard overview

This is Part 1. It watches, analyzes, recommends.

Part 2 is where the "not yet" part disappears - tool calling, approval gates, auto-created rule exceptions, PRs opened automatically. I just review and merge.

Right now it tells me what to do. Next time it does it. 🚀

If you're doing something similar or just want to chat about it, find me on LinkedIn, I am always up for a conversation :)
