Install falcoctl on the host or container where Falco runs and confirm it can reach the default registry at ghcr.io
Run 'falcoctl artifact search' to list available rule sets and plugin artifacts by name and version
Install a specific rules artifact version using 'falcoctl artifact install' with the fully qualified artifact reference
Configure falcoctl to run as a sidecar or init container in a Falco DaemonSet pod to keep rules updated without restarting Falco
Use 'falcoctl artifact follow' mode to watch for new rule versions and automatically pull updates on a configurable interval
Verify installed rules are loaded by Falco by checking the Falco startup log for rule count and any parse errors
Known gotchas
falcoctl artifact follow keeps rules files updated on disk but Falco must be configured to reload rules dynamically or be restarted to pick up changes; check whether your Falco version supports hot-reload
Pinning a specific artifact version is important in production; using 'latest' can introduce breaking rule changes that cause Falco to fail to start
When using a private OCI registry mirror, configure falcoctl's registry credentials using its config file or environment variables before running install commands
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp