diff --git a/.github/workflows/release-kilt-images.yml b/.github/workflows/release-kilt-images.yml
index 00be6d8..c636ac0 100644
--- a/.github/workflows/release-kilt-images.yml
+++ b/.github/workflows/release-kilt-images.yml
@@ -37,28 +37,3 @@ jobs:
 platforms: linux/amd64
 push: true
 tags: falcosecurity/kilt-utilities:latest
- release-falco-userspace:
- runs-on: ubuntu-latest
- name: Falco Userspace Image
- needs:
- - release-utilities
- steps:
- - name: Checkout repo
- uses: actions/checkout@v2
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
- - name: Login to GitHub Packages
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.DOCKERHUB_USER }}
- password: ${{ secrets.DOCKERHUB_SECRET }}
- - name: Build and push
- uses: docker/build-push-action@v2
- with:
- context: ./definitions/falco/
- file: ./definitions/falco/Dockerfile
- platforms: linux/amd64
- push: true
- tags: falcosecurity/falco-userspace:latest
\ No newline at end of file
diff --git a/definitions/falco/Dockerfile b/definitions/falco/Dockerfile
deleted file mode 100644
index 7e1720b..0000000
--- a/definitions/falco/Dockerfile
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM falcosecurity/falco:latest-slim AS falco
-FROM falcosecurity/kilt-utilities AS kilt-utils
-FROM alpine:latest AS pdig-build
-
-# Build Pdig
-RUN apk add g++ gcc cmake cmake make libtool elfutils-dev libelf-static linux-headers git
-RUN mkdir /source
-RUN git clone https://github.com/falcosecurity/pdig /source/pdig
-RUN git clone https://github.com/falcosecurity/libs /source/libs \
- && cd /source/libs \
- && git checkout 2258aba1b3f9e8f8b1a9e1af3a9f7a1eb6c1299c
-RUN mkdir /source/pdig/build
-RUN cd /source/pdig/build && cmake -DMUSL_OPTIMIZED_BUILD=True ..
-RUN cd /source/pdig/build && make
-
-FROM scratch
-COPY --from=falco /usr/bin/falco /vendor/falco/bin/falco
-COPY --from=falco /etc /vendor/falco/etc
-COPY --from=pdig-build /source/pdig/build/pdig /vendor/falco/bin/pdig
-COPY --from=kilt-utils /kilt/waitforever /vendor/falco/bin/waitforever
-ADD falco.yaml /vendor/falco/falco.yaml
-
-VOLUME ["/vendor/falco"]
-
-CMD ["/vendor/falco/bin/waitforever"]
diff --git a/definitions/falco/Manual_Instrumentation.md b/definitions/falco/Manual_Instrumentation.md
deleted file mode 100644
index 90178e3..0000000
--- a/definitions/falco/Manual_Instrumentation.md
+++ /dev/null
@@ -1,22 +0,0 @@
-Most of these steps are performed automatically by [Kilt](https://github.com/falcosecurity/kilt). In case you want to roll your own solution or test it out manually use the following instructions.
-
-## Uploading Falco instrumentation image onto personal aws account
-In this example we're going to assume the target aws region to be us-east-1.
-
-## Instrumenting manually an existing Task Definition
-* Add 1 new containers to your task definition
- - The image name doesn't matter but we'll need it afterwards so we'll use FalcoInstrumentation
- - The entrypoint/command fields can be left empty
- - As for the image itself, use falcosecurity/falco-userspace:latest
-* Add another container to your task definition
- - The image name doesn't matter but we'll need it afterwards so we'll use KiltUtils
- - The entrypoint/command fields can be left empty
- - As for the image itself, use falcosecurity/kilt-utilities:latest
-
-* Edit the containers that you want to instrument
- - Add a startup dependency on the FalcoInstrumentation and KiltUtils containers created before
- - Mount volumes from FalcoInstrumentation and KiltUtils
- - Add `SYS_PTRACE` capability to your container. See [this](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_KernelCapabilities.html)
- - Set the following as your entry point: `/kilt/launcher,/vendor/falco/bin/pdig,$YOUR_COMMAND,--`
- - Set the following as your command: `/vendor/falco/bin/falco,-u,-c,/falco/falco.yaml,--alternate-lua-dir,/vendor/falco/share/lua`
- - Add environment variable `__CW_LOG_GROUP` to set the output log group
diff --git a/definitions/falco/falco.kilt.cfg b/definitions/falco/falco.kilt.cfg
deleted file mode 100644
index 4b6c6df..0000000
--- a/definitions/falco/falco.kilt.cfg
+++ /dev/null
@@ -1,21 +0,0 @@
-build {
- entry_point: ["/kilt/launcher", "/vendor/falco/bin/pdig"] ${?original.entry_point} ${?original.command} ["--"]
- command: ["/vendor/falco/bin/falco", "-u", "-c", "/vendor/falco/falco.yaml", "--alternate-lua-dir","/vendor/falco/share/lua"]
- environment_variables: {
- "__CW_LOG_GROUP": "FalcoAlerts"
- }
- mount: [
- {
- name: "Falco"
- image: "falcosecurity/falco-userspace:latest"
- volumes: ["/vendor/falco"]
- entry_point: ["/vendor/falco/bin/waitforever"]
- },
- {
- name: "KiltUtilities"
- image: "falcosecurity/kilt-utilities:latest"
- volumes: ["/kilt"]
- entry_point: ["/kilt/waitforever"]
- }
- ]
-}
diff --git a/definitions/falco/falco.yaml b/definitions/falco/falco.yaml
deleted file mode 100644
index 0f7d5ea..0000000
--- a/definitions/falco/falco.yaml
+++ /dev/null
@@ -1,206 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# File(s) or Directories containing Falco rules, loaded at startup.
-# The name "rules_file" is only for backwards compatibility.
-# If the entry is a file, it will be read directly. If the entry is a directory,
-# every file in that directory will be read, in alphabetical order.
-#
-# falco_rules.yaml ships with the falco package and is overridden with
-# every new software version. falco_rules.local.yaml is only created
-# if it doesn't exist. If you want to customize the set of rules, add
-# your customizations to falco_rules.local.yaml.
-#
-# The files will be read in the order presented here, so make sure if
-# you have overrides they appear in later files.
-rules_file:
- - /vendor/falco/etc/falco/falco_rules.yaml
- - /vendor/falco/etc/falco/falco_rules.local.yaml
- - /vendor/falco/etc/falco/k8s_audit_rules.yaml
- - /vendor/falco/etc/falco/rules.d
-
-# If true, the times displayed in log messages and output messages
-# will be in ISO 8601. By default, times are displayed in the local
-# time zone, as governed by /etc/localtime.
-time_format_iso_8601: false
-
-# Whether to output events in json or text
-json_output: false
-
-# When using json output, whether or not to include the "output" property
-# itself (e.g. "File below a known binary directory opened for writing
-# (user=root ....") in the json output.
-json_include_output_property: true
-
-# Send information logs to stderr and/or syslog Note these are *not* security
-# notification logs! These are just Falco lifecycle (and possibly error) logs.
-log_stderr: true
-log_syslog: true
-
-# Minimum log level to include in logs. Note: these levels are
-# separate from the priority field of rules. This refers only to the
-# log level of falco's internal logging. Can be one of "emergency",
-# "alert", "critical", "error", "warning", "notice", "info", "debug".
-log_level: debug
-
-# Minimum rule priority level to load and run. All rules having a
-# priority more severe than this level will be loaded/run. Can be one
-# of "emergency", "alert", "critical", "error", "warning", "notice",
-# "info", "debug".
-priority: debug
-
-# Whether or not output to any of the output channels below is
-# buffered. Defaults to false
-buffered_outputs: false
-
-# Falco uses a shared buffer between the kernel and userspace to pass
-# system call information. When falco detects that this buffer is
-# full and system calls have been dropped, it can take one or more of
-# the following actions:
-# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
-# - "log": log a CRITICAL message noting that the buffer was full.
-# - "alert": emit a falco alert noting that the buffer was full.
-# - "exit": exit falco with a non-zero rc.
-#
-# The rate at which log/alert messages are emitted is governed by a
-# token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of 10 messages.
-
-syscall_event_drops:
- actions:
- - log
- - alert
- rate: .03333
- max_burst: 10
-
-# A throttling mechanism implemented as a token bucket limits the
-# rate of falco notifications. This throttling is controlled by the following configuration
-# options:
-# - rate: the number of tokens (i.e. right to send a notification)
-# gained per second. Defaults to 1.
-# - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
-#
-# With these defaults, falco could send up to 1000 notifications after
-# an initial quiet period, and then up to 1 notification per second
-# afterward. It would gain the full burst back after 1000 seconds of
-# no activity.
-
-outputs:
- rate: 1
- max_burst: 1000
-
-# Where security notifications should go.
-# Multiple outputs can be enabled.
-
-syslog_output:
- enabled: false
-
-# If keep_alive is set to true, the file will be opened once and
-# continuously written to, with each output message on its own
-# line. If keep_alive is set to false, the file will be re-opened
-# for each output message.
-#
-# Also, the file will be closed and reopened if falco is signaled with
-# SIGUSR1.
-
-file_output:
- enabled: false
- keep_alive: false
- filename: /falcologs/events.txt
-
-stdout_output:
- enabled: false
-
-# Falco contains an embedded webserver that can be used to accept K8s
-# Audit Events. These config options control the behavior of that
-# webserver. (By default, the webserver is enabled).
-#
-# The ssl_certificate is a combination SSL Certificate and corresponding
-# key contained in a single file. You can generate a key/cert as follows:
-#
-# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
-# $ cat certificate.pem key.pem > falco.pem
-# $ sudo cp falco.pem /etc/falco/falco.pem
-
-webserver:
- enabled: false
- listen_port: 8765
- k8s_audit_endpoint: /k8s-audit
- ssl_enabled: false
- ssl_certificate: /etc/falco/falco.pem
-
-# Possible additional things you might want to do with program output:
-# - send to a slack webhook:
-# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
-# - logging (alternate method than syslog):
-# program: logger -t falco-test
-# - send over a network connection:
-# program: nc host.example.com 80
-
-# If keep_alive is set to true, the program will be started once and
-# continuously written to, with each output message on its own
-# line.
If keep_alive is set to false, the program will be re-spawned
-# for each output message.
-#
-# Also, the program will be closed and reopened if falco is signaled with
-# SIGUSR1.
-
-# This specific log shipper will ship events to cloudwatch logs in the
-# log group specified in __CW_LOG_GROUP env variable
-program_output:
- enabled: true
- keep_alive: true
- program: "/kilt/logshipper"
-
-http_output:
- enabled: false
- url: http://some.url
-
-# Falco supports running a gRPC server with two main binding types
-# 1. Over the network with mandatory mutual TLS authentication (mTLS)
-# 2. Over a local unix socket with no authentication
-# By default, the gRPC server is disabled, with no enabled services (see grpc_output)
-# please comment/uncomment and change accordingly the options below to configure it.
-# Important note: if Falco has any troubles creating the gRPC server
-# this information will be logged, however the main Falco daemon will not be stopped.
-# gRPC server over network with (mandatory) mutual TLS configuration.
-# This gRPC server is secure by default so you need to generate certificates and update their paths here.
-# By default the gRPC server is off.
-# You can configure the address to bind and expose it.
-# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
-# grpc:
-# enabled: true
-# bind_address: "0.0.0.0:5060"
-# # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
-# threadiness: 0
-# private_key: "/etc/falco/certs/server.key"
-# cert_chain: "/etc/falco/certs/server.crt"
-# root_certs: "/etc/falco/certs/ca.crt"
-
-# gRPC server using an unix socket
-grpc:
- enabled: false
- bind_address: "unix:///var/run/falco.sock"
- # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
- threadiness: 0
-
-# gRPC output service.
-# By default it is off.
-# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
-# Make sure to have a consumer for them or leave this disabled.
-grpc_output:
- enabled: false