👋 Annual “falco vs osquery” gap analysis question: Both support eBPF. Falco has some blocking/prevention features, but besides that, is there more Falco has to offer over osq for k8s monitoring?
06/04/2021, 1:56 AM
It's a difficult question to answer because it's sort of like comparing apples and oranges. They seem similar because they expose similar types of data but Falco is much more powerful than osquery. For example Falco's front-and-center value add is detection and alerting, osquery does neither.
It's best to think of osquery as a simpler observability tool. It mostly presents an abstraction layer for data and OS concepts. And osquery presents a LOT of data across various operating systems. You need to integrate osquery with a product suite to be able to compare it to Falco/sysdig.
06/04/2021, 10:12 AM
That's true. I'm finding it hard to justify Falco assuming we have the logging, detection and alerting pipeline already built.