1. Introduction
2. Who is Loris
3. What is Falco
4. Falco Architecture
5. Rule Examples
6. How Falco collects data
7. Why Falco uses kernel-based instrumentation
8. Falco needs access to the kernel
9. LD Preload
10. LD Limitations
11. Ptrace
12. Amazon Fargate
13. Falco Trace SSH
14. Change System Binary
15. Performance
16. Links
17. Q&A
Description:
Explore runtime security with Falco in userspace in this conference talk by Loris Degioanni from Sysdig. Dive deep into the tradeoffs of using different backend drivers to access system call information for cloud-native security. Learn about eBPF, kernel modules, and ptrace(2), and understand the performance impacts of various solutions like LD_PRELOAD. Gain insights from Loris' extensive experience contributing to Wireshark and creating Sysdig and Falco. Discover Falco's architecture, rule examples, data collection methods, and the importance of kernel-based instrumentation. Examine LD Preload limitations, Ptrace, Amazon Fargate integration, and Falco Trace SSH. Understand system binary changes and performance considerations in this comprehensive exploration of Falco's userspace implementation.

Deep Dive - Runtime Security With Falco in Userspace

CNCF [Cloud Native Computing Foundation]