Stop sensitive data
before it reaches your logs.
Cerbi runs in-process inside your .NET application and enforces logging policy before logs reach Splunk, Datadog, Azure Monitor, Elastic, or OpenTelemetry. Works with MEL, Serilog, and NLog — no call-site rewrites.
Why teams adopt Cerbi
Three problems that source-side governance solves.
Sensitive data in logs is a breach waiting to happen.
PHI, PII, secrets, and credentials are routinely emitted by application code. They end up in Splunk, Datadog, and Azure Monitor — where access controls are loose and retention is long.
Schema drift breaks dashboards and hides audit gaps.
When teams log inconsistently, required fields go missing, alerts fire on noise, and compliance audits expose gaps. Governance policy needs to be enforced before the event leaves the service.
Ungoverned logging wastes ingestion budget.
Unfiltered log volume inflates Splunk and Datadog costs with noise nobody reads. Blocking irrelevant events and redundant fields at the source reduces ingestion before it hits the pipeline.
Governance runs inside your application — before any log leaves the process.
Cerbi intercepts every log event between your framework and the underlying provider. Nothing is rewritten at the call site. No pipeline replacements. No infrastructure changes.
Application
Your .NET service
Log emitted normally via MEL, Serilog, or NLog.
Cerbi Governance Layer
In-process — no pipeline changes
Policy applied at emission time. Sensitive fields blocked or masked. Schema validated. Violations tagged.
Governed Payload
Only clean, compliant data continues
Redacted fields never enter the pipeline.
Your existing destinations
What happens at each stage
Log emitted normally
Your application code calls _logger.LogInformation() or equivalent. No changes needed to existing call sites.
Governance applied in-process
CerbiStream intercepts the event inside the logging provider. Rules from your cerbi.json profile are evaluated instantly.
Sensitive fields blocked or masked
Fields matching DisallowedFields are blocked. Fields matching MaskFields are partially redacted. Violations are tagged on the event.
Only governed payload continues downstream
The sanitized log event is passed to your existing logger sinks — Splunk, Datadog, or wherever you're sending logs today.
Program.cs
builder.Logging.AddCerbiStream();One line of setup. No changes to existing log call sites. No pipeline migration.
Before vs. after governance
Sensitive data blocked before it leaves the process.
Policy enforcement happens before the event leaves the application — not after it reaches your observability platform.
GovernanceViolations
Governance rules are defined in a JSON profile and enforced at runtime — no pipeline changes, no log rewriting at the call site.
One unified governance platform. Three components.
CerbiStream enforces governance in the application. CerbiShield manages it across the platform. CerbiScoring tracks it over time.
CerbiStream
In-app enforcement
The .NET logging provider that enforces governance rules in-process. Blocks sensitive fields, redacts values, tags violations — before any log leaves the application.
Learn moreCerbiShield
Governance management and deployment
Central dashboard for managing governance profiles, monitoring violations, and deploying policy updates across environments. Includes RBAC, audit history, and Entra SSO.
Learn moreCerbiScoring
Visibility and posture tracking
Tracks governance health, violation trends, and rule relaxation history across services. Gives security teams a quantified view of logging compliance over time.
Learn moreBuilt for engineering organizations running production systems.
Standardize telemetry across every service.
- Enforce consistent log schemas organization-wide without touching existing code
- Prevent ungoverned telemetry from reaching Splunk, Datadog, or other sinks
- Policy-as-code that lives in version control alongside your application
Stop sensitive data leakage before it happens.
- Block PHI, PII, credentials, and secrets at the application boundary
- Immutable, append-only audit trails for SOC 2, HIPAA, and GDPR requirements
- Full policy change history with actor tracking and approval records
Reduce cost, improve audit readiness.
- Governance posture visible and measurable across all services and teams
- Cut ingestion costs by filtering noise and redundant fields before the pipeline
- Integrate governance validation into CI without blocking developer velocity
Designed to be safe for enterprise deployment.
Cerbi is purpose-built for environments where data residency and access controls matter. Your logs stay in your infrastructure — always.
Runs inside your infrastructure
Cerbi is deployed within your tenant. Log payloads, sensitive fields, and governance metadata never leave your environment.
Log data stays in your tenant
No relay servers. No third-party log forwarding. Governance happens in-process — your observability data stays where it belongs.
Works with your existing observability stack
Sits in front of Splunk, Datadog, Azure Monitor, Elastic, and OpenTelemetry. No pipeline replacement required.
Governance enforced before ingestion
Every log event is validated at emission time, inside the application — not after data has already reached a downstream platform.
No pipeline replacement required
Cerbi adds governance without changing how logs flow. Your existing logging infrastructure continues to work unchanged.
Structured, version-controlled policies
Governance rules are JSON files that live in source control alongside your application code. No proprietary config systems.
Your logs should not carry sensitive data.
Cerbi enforces logging policy inside your application before data reaches downstream observability platforms. Works with your existing stack. No pipeline changes.