Seeking co-mentor for GSoC 2026: Falco + Drasi integration for security event correlation

[amansinghoriginal]

Hi Falco community! 👋
I'm a maintainer on Drasi, a CNCF Sandbox project.

I'm exploring a GSoC 2026 project idea that would integrate Falco with Drasi and wanted to gauge interest from the Falco community.

What is Drasi?

Drasi is a change detection and correlation engine. Instead of polling databases or writing custom code to detect changes, you write Cypher queries that subscribe to change streams and continuously evaluate incoming data to incrementally update result-sets and emit precise deltas (what was added/updated/removed).

The three core concepts:

• Sources – Connect to data systems (PostgreSQL, Kubernetes, APIs, event streams)
• Continuous Queries – Graph queries that maintain live result sets and detect meaningful changes
• Reactions – Trigger actions when query results change (webhooks, alerts, stored procedures)

What makes Drasi unique:

• Declarative Approach – No custom code. Just declare what you're interested in watching using openCypher or GQL.
• Cross-source joins – Correlate data from multiple sources without copying to a data lake
• Temporal logic – Detect sustained conditions ("X has been true for 5 minutes") and absence of change ("no heartbeat received for 10 minutes")

📺 KubeCon NA 2025 Talk: https://www.youtube.com/watch?v=nbLJ_ICpZhc

The Integration Idea

Build a Drasi source that ingests Falco events (via gRPC output or Sidekick), enabling:

Capability	Example
Temporal patterns	"Alert only if shell access persists for 5+ minutes"
Cross-source correlation	"Alert on critical events in containers that access PII databases" (joining Falco events with asset DB)
Aggregation	"Detect coordinated attacks: >3 containers in same namespace with critical events in 15 min window"
Context enrichment	"Who owns this container? What was the last deployment? What's the change ticket?"

In short: Falco excels at point-in-time runtime detection. Drasi adds the "over time" and "correlated with what else" layers.

Example: Sustained Threat Detection

MATCH (e:FalcoEvent)-[:TRIGGERED_IN]->(c:Container)
      -[:OWNED_BY]->(team:Team)
WHERE e.priority = 'Critical'
  AND drasi.trueFor(e.rule = 'Terminal shell in container', duration({minutes: 5}))
RETURN c.name, c.namespace, team.slack_channel

This query only fires if the shell remains active for 5 continuous minutes — filtering out brief legitimate access.

Why GSoC 2026?

GSoC is specifically looking for Security-focused projects this year. A Falco + Drasi integration:

• ✅ Connects two CNCF projects (Falco: Graduated, Drasi: Sandbox)
• ✅ Directly addresses the Security theme
• ✅ Creates a reusable pattern for security event correlation in the cloud-native ecosystem

What I'm Looking For

1. Feedback – Is this interesting/useful to Falco users?
2. Co-mentor – Would anyone from the Falco community be interested in co-mentoring a GSoC student on this project?

Happy to discuss further here, or jump on a call to walk through the architecture in more detail!
I'm also available on CNCF Slack.

Links

• 🌐 Drasi website: https://drasi.io
• 💻 Drasi GitHub: https://github.com/drasi-project
• 🏛️ CNCF project page: https://www.cncf.io/projects/drasi/
• 📋 CNCF GSoC 2026: https://github.com/cncf/mentoring/tree/main/programs/summerofcode/2026