The Republic’s defences have always rested on the law: block the wrong workloads at the gate, and nothing bad gets in. But the Praetorian Guard was built for a different threat: the workload that slips through and acts badly at runtime. Tonight, the watchtower is dark. The rule that should fire when the census archive is touched has gone silent.
And while the Guard slept, an intruder crept in. It declared valid labels, passed the census, and presented itself as a loyal citizen of the Republic. Its papers were in order. Its power was not. Once inside, it reached straight for the census archive, the imperial rolls of every citizen, and now reads them on a loop, trying to send them out of the Republic.
Your mission: wake the Guard, close the gap that let the intruder in, and seal the archive for good.
Play This Challenge to Learn
- How Falco rules are structured: conditions, output, and kernel-level fields, and how to write a rule targeting a specific runtime behaviour
- Why
privileged: falseis not enough: how Linux capabilities grant host-level access without the privileged flag - How to use
spec.variablesin aValidatingPolicyto share reusable CEL expressions across validations - How pod volumes reference secrets, and why a volume’s name and the secret it mounts are two separate fields in the pod spec
- How Falcosidekick aggregates Falco alerts and how to use its UI to watch a runtime incident in real time
Awards & Deadline
Complete all levels and post your solution in the community before the deadline to be eligible.
1st place: 50% voucher for a Linux Foundation certification
Top 3: Credly badge to showcase the achievement
Deadline: 23 June 2026 at 23:59 CET
Play Now
Share your solutions, your questions, and the moment it clicked in this thread. We’re looking forward to seeing how you caught the intruder and sealed the archive.
