When AI attacks, the kernel answers.
Machine-speed threats — prompt injection, model theft, inference abuse — met with eBPF enforcement inside the Linux kernel. Observe, simulate, then enforce: every action signed, time-bounded and reversible.
Metadata-only telemetry. No traffic mirroring, no TAP devices, no payload capture by default. The red streaks behind this page? That's the simulation you'll run before anything blocks.
Cerberus is not publicly distributed. Access is granted to vetted organisations only.
Observe. Simulate. Enforce.
Alerting tools stop at step one. Cerberus is built around the discipline of what happens next — and every step leaves an audit trail.
See everything, copy nothing
eBPF hooks capture socket events, DNS queries and network flows directly in the kernel. No userspace agents to compromise, no packet payloads stored.
Rehearse before you block
Run any policy against live traffic without touching it. See exactly what would be blocked, verify zero false positives, then promote with confidence.
Act at the kernel, not the perimeter
BPF LSM file-deny, cgroup-scoped blocks, traffic-control rate-limits. Every action carries a TTL, a rollback path and a kill switch.
Watch an AI attack meet the kernel.
Pick a live-fire scenario and run it. This is the same observe → score → simulate → enforce path Cerberus runs in production — replayed here against a decoy so you can watch every decision.
Representative sequence · exact signal names, thresholds and rule IDs are shared with vetted clients under NDA.
Built where attackers can't argue
Detection you can route around is advice. Enforcement in the kernel is a decision.
Kernel-level enforcement
eBPF + BPF LSM file-deny. Blocks happen inside the kernel — not in a userspace proxy that malware can walk around.
cgroup-scoped policies
Target the workload, not the IP address. Process-isolation-grade precision on bare hosts, containers and pods.
Active deception
Per-attacker honeypots with SO_ORIGINAL_DST hardening. Attackers burn their tooling on decoys; production stays untouched.
Signed policy bundles
Ed25519 signatures with deterministic marshalling and 24-hour key rotation. Agents refuse any bundle they can't verify.
Deterministic AI scoring
Attack scores have a deterministic floor the LLM cannot lower. AI accelerates triage — it never overrules the rules.
Operations-grade controls
TTL on every action, one-command rollback, a global kill switch and a complete audit trail. Built for people who answer for uptime.
Your AI stack is an attack surface. Cerberus treats it like one.
Model files, inference endpoints, agent frameworks and provider APIs — watched with the same kernel-level discipline as everything else.
The attack — machine speed
- Prompt injection through user input and tool output
- Model weights exfiltrated from disk
- Inference-port abuse and endpoint flooding
- Agent hijacking and RAG poisoning
The answer — kernel depth
- 38 AI WAF rules, detect-first with a central kill switch
- BPF LSM file-deny on model directories
- cgroup-scoped rate-limits on inference ports
- Deterministic scoring the LLM cannot talk down
AI WAF
38 rules across the attacks that actually hit LLM applications. Detect-only rollout with a central flag and kill switch — nothing blocks until you say so.
cerb-analyst
A LangGraph reporting sidecar that correlates IoCs, maps activity to MITRE ATT&CK and delivers a daily per-tenant threat report with risk score and recommendations. Runs against Anthropic, OpenAI — or fully local on Ollama.
| Provider egress | Outbound connections from your workloads to external AI endpoints |
| Self-hosted inference | Access to local model-serving and inference endpoints |
| Model artifacts | Reads of model weights on disk, correlated with egress |
| Inference load | Abnormal activity against your AI service ports |
| Agents & RAG | Prompt-injection, tool-injection and hijacking attempts |
Cluster identity. Kernel authority.
cerb-agent deploys as a privileged DaemonSet on every node. Kubernetes metadata drives targeting, identity and audit — enforcement always happens at the kernel and cgroup level.
Write policies against namespaces, workloads and service accounts.Pod UID, container ID and cgroup ID as identity — never pod names.
Enforcement is blocked unless node-local identity resolves exactly.If identity cannot be resolved exactly, the action does not run. Guardrail, not guideline.
Enforce mode is never the default, on any target.Clusters start in observe; promotion is an explicit, audited decision.
No Kubernetes API write permissions, by default and by design.The API is read for identity — it is never the authorization basis for enforcement.
Four components. No exposed core.
Agents behind NAT reach the core through a stateless relay — the core server is never public. Verified in production at ~60,000 events per six hours.
cerb-agent
eBPF telemetry + enforcement on every host and node. Spools up to 100 MB offline, replays in order on reconnect.
cerb-relay
Stateless WebSocket bridge. NAT-friendly, TLS, proxies console traffic over the same channel.
cerb-core
Ingest, rule engine, policy signing, threat & vulnerability intel. Postgres + ClickHouse behind it.
cerb-console
Fleet drift, policy timeline, simulation reports, evidence chains — and cerb-analyst threat reports.
Access is not open.
Cerberus operates with ring-0 authority inside your infrastructure. Software with that level of power is not downloaded, trialled or demonstrated casually. Due to the nature of this platform, access is granted exclusively to vetted organisations — no public builds, no self-serve trials, no exceptions.
Your organisation identifies itself over a verifiable channel. Requests from anonymous or free-mail addresses are not processed.
We verify identity, infrastructure and intended use. Verification typically completes within five business days. We decline more requests than we accept.
Technical disclosure follows verification — architecture, guardrails and a deployment plan mapped to your environment. Nothing before.
Observe-mode rollout with our engineers. Enforcement is promoted only after simulation proves clean against your live traffic.