Architecture

CerbiSuite operates at three layers: build time, runtime, and dashboard. Each layer provides distinct governance capabilities while your pipeline remains unchanged.

Deployment & Licensing Truth

Tenant-Hosted Governance

CerbiShield and the governance control plane are deployed entirely in your tenant. Your log data never leaves your infrastructure.

App-Based Licensing

Licensing counts governed applications, not environments. One app across dev/test/uat/stage/prod counts as a single governed application.

CerbiShield and governance services run in your tenant.Cerbi does not export your raw logs to a Cerbi-hosted service. Logs flow only to the destinations you configure (Datadog, Splunk, Azure Monitor, etc). You keep your existing routing and observability tools.
Runtime
CerbiStream processes every log event with minimal overhead.
CerbiStream Sink
Integrates with MEL, Serilog, NLog
Validation Engine
Real-time schema and rule checking
Redaction Engine
Detect & redact sensitive fields (rule-based)
Scoring Engine
Calculates governance scores per event

Architecture Diagrams

Explore different views of the Cerbi architecture

How logs flow from developer code through Cerbi governance to destinations

Runtime Flow

How logs flow from developer code through Cerbi governance to destinations

1 / 5

Governance Integrations

Governance only works if it shows up where logs are actually written. CerbiShield integrates directly with existing logging frameworks. No forks, no rewrites, no new logging APIs to learn.

Available Now

Production-ready governance for .NET

Serilog

Structured event governance via sinks and enrichers

Microsoft.Extensions.Logging

First-class governance for default ASP.NET Core logging

NLog

Runtime governance through native targets and filters

All available integrations support structured field inspection, governance violation tagging, and optional redaction based on Cerbi governance profiles.

Alpha Testing

New governance plugins available for early adopters

Python
Alpha
  • logging (standard library)
pip install cerbi-python-logging-governance

What's Next

Extending governance across runtimes

CerbiShield is built to extend governance consistently across ecosystems using each platform's native logger extension model.

Java
  • Logback (SLF4J)
  • Log4j2
Node.js
  • Pino
  • Winston
Go
  • slog
  • zap

Roadmap subject to change. Capabilities may vary by platform.

Runtime Data Flow

1
App logs event
Your application calls the logger as usual
2
CerbiStream intercepts
The sink receives the log event
3
Validate schema
Check against governance profile
4
Detect & redact sensitive fields
Rule-based masking applied
5
Calculate score
Governance score is computed
6
Forward to sinks
Redacted + tagged event forwarded to your existing destinations

Designed for Performance

CerbiStream governance runs in-process with optional async buffering and queuing to reduce request-path impact. In microbenchmarks, overhead is typically sub-microsecond per event (excluding network I/O and destination sink costs). Results vary by profile, redaction rules, and workload.

See benchmark results

Benchmarks are indicative and exclude downstream sink and network costs. Real-world performance varies by configuration and environment.

Compliance references describe logging-control alignment and audit evidence support; they are not compliance certification.

Ready to integrate?

Talk to our team about your architecture and requirements.

Contact Us