Interactive Product Demo

Governance Active
Interactive Product Demo

Keep your logger. Add Cerbi governance.

Install the SDK, choose a governance profile, keep writing normal structured logs, and see what Cerbi changes before logs reach downstream tools.

Run the demo View SDK setup

SDK Setup

Two lines to add governance

CerbiStream is Cerbi's native governed logging pipeline. Cerbi.MEL.Governance adds runtime governance to Microsoft.Extensions.Logging. Other logger SDKs are shown as plugin coverage without exact setup snippets in this demo.

Verified SDK setup
dotnet add package CerbiStream
Before
var builder = WebApplication.CreateBuilder(args);

var app = builder.Build();

app.MapPost("/signup", (
    ILogger<Program> logger,
    SignupRequest request) =>
{
    logger.LogInformation(
        "User signup {email} {ssn}",
        request.Email,
        request.Ssn);

    return Results.Ok();
});

app.Run();

record SignupRequest(string Email, string Ssn);
After — one line added
using CerbiStream;

var builder = WebApplication.CreateBuilder(args);

builder.Logging.AddCerbiStream();

var app = builder.Build();

app.MapPost("/signup", (
    ILogger<Program> logger,
    SignupRequest request) =>
{
    logger.LogInformation(
        "User signup {email} {ssn}",
        request.Email,
        request.Ssn);

    return Results.Ok();
});

app.Run();

record SignupRequest(string Email, string Ssn);
Advanced production setup
builder.Logging.AddCerbiStream(options => options
    .ForProduction()
    .WithGovernanceProfile("myservice")
    .WithAesEncryption());

Expected result

  • Native governed logging enabled.
  • Sensitive fields can be redacted before logs leave the process.
  • Governance violations are attached to the event.
  • Downstream systems receive safer log data.

Editable Governance Profile

{
  "EnforcementMode": "Strict",
  "LoggingProfiles": {
    "Orders": {
      "FieldSeverities": {
        "userId": "Required",
        "email": "Required",
        "password": "********"
      },
      "AllowRelax": true,
      "RequireTopic": true,
      "AllowedTopics": ["Orders"]
    }
  }
}

Save as cerbi_governance.json and point the SDK at it.

Rule Playground

Change the rule. Re-run the log.

The expected dashboard outcome changes because the policy changed. Cerbi is policy-driven, not magic.

Input log

logger.LogInformation(
    "User info: {userId} {email}",
    "abc123",
    "test@example.com");

How the rule works

  1. 1.Required fields prove the log has enough context (e.g. userId).
  2. 2.******** fields prevent secrets from leaving the app (e.g. password).
  3. 3.Strict mode suppresses unsafe raw messages and emits governed output instead.
  4. 4.The SDK attaches governance metadata to the event.
  5. 5.CerbiShield turns governed events into findings, score changes, and remediation guidance.

Expected governed output

seeded demo data
{
  "Message": "User info",
  "userId": "abc123",
  "email": "test@example.com",
  "GovernanceViolations": [],
  "GovernanceRelaxed": false,
  "GovernanceProfileUsed": "Orders",
  "GovernanceMode": "Strict"
}

Expected dashboard update

seeded demo data
StatusAccepted
ProfileOrders
Dashboard updateAccepted governed log added to event stream
Suggested fixNo action needed.

Sample CerbiStream Scenario

Source-side redaction

The raw value never leaves the process.

Input log
logger.LogInformation(
    "User signup {email} {ssn}",
    "a@b.com",
    "111-11-1111");
Expected governed output — seeded demo data
{
  "message": "User signup",
  "email": "a@b.com",
  "ssn": "REDACTED",
  "GovernanceViolations": [
    {
      "Code": "********Field",
      "Field": "ssn"
    }
  ],
  "GovernanceProfileVersion": "1.0.0"
}
StatusViolation
Profilemyservice
Field actionssn redacted
Rule matched********Field:ssn
Dashboard updateViolation count increments, risky fields updated with ssn
Suggested fixRemove ssn from the log and use a safe identifier instead.

Event Stream

Expected event stream

Expected demo outcome from seeded events.

TimeSDKServiceLevelMessageResult
14:42:11CerbiStreamsignup-apiInformationUser signupViolation
14:42:18MELorder-apiInformationUser infoAccepted
14:42:26MELorder-apiInformationOnly email providedViolation
14:42:34MELorder-apiInformationPassword in logViolation
14:42:41MELorder-apiInformationEmergency diagnostic logRelaxed

Expected Dashboard Update

Expected CerbiShield dashboard update

Expected demo outcome from seeded events.

Total governed logs

5

Accepted logs

1

Violation events

3

Relaxed logs

1

Governance score

70 / 100

Top risky fields

ssn, password, userId

Top affected services

signup-api, order-api

Verified SDK setup

CerbiStream, MEL

Plugin SDK coverage

Serilog, NLog, Log4j2 + 4 more

What Cerbi Added

What Cerbi added to this event

Developer fix for selected scenario

No action needed.

Additional Logger Plugin SDK Coverage

Additional logger plugin SDK coverage

Serilog

Plugin SDK coverage. Exact setup snippet not shown in this demo.

NLog

Plugin SDK coverage. Exact setup snippet not shown in this demo.

Log4j2

Plugin SDK coverage. Exact setup snippet not shown in this demo.

Logback

Plugin SDK coverage. Exact setup snippet not shown in this demo.

Pino

Plugin SDK coverage. Exact setup snippet not shown in this demo.

Winston

Plugin SDK coverage. Exact setup snippet not shown in this demo.

Zap

Plugin SDK coverage. Exact setup snippet not shown in this demo.

Evidence Library

The blast radius is bigger than logs.

Credentials, tokens, PII, payment fields, debug payloads, and AI context do not stay in one place. They move through logs, queues, dashboards, tickets, traces, support tools, and developer workflows. Cerbi helps govern that data at the source.

CredentialsAnchor

22%

of breaches had stolen credentials as the root cause.

Verizon DBIR 2025, via Check Point

Why it matters

Credentials spread through logs, repos, tickets, and debug output become easy access paths.

Cerbi angle

Block password, token, apiKey, connectionString, and secret fields before logs leave the app.

CredentialsAnchor

~29M

secrets were exposed on GitHub in 2025.

GitGuardian State of Secrets Sprawl 2026

Why it matters

Secrets leak through ordinary developer workflows, not just obvious security failures.

Cerbi angle

Prevent secrets from entering logs and telemetry where they can be copied, exported, indexed, or pasted into tickets.

ComplianceAnchor

Do not log

access tokens, passwords, database connection strings, encryption keys, PII, or payment cardholder data.

OWASP Logging Cheat Sheet

Why it matters

Most teams know this rule. Few enforce it consistently in every app.

Cerbi angle

Turn "please don't log that" into runtime policy.

AI

2x

AI-assisted code leaked secrets at roughly double the GitHub baseline.

GitGuardian State of Secrets Sprawl 2026

Why it matters

AI increases coding speed and can increase accidental leakage paths.

Cerbi angle

Govern runtime logs even when code was generated quickly or inconsistently.

Compliance

When / where / who / what

OWASP recommends logs include enough context for monitoring and analysis.

OWASP Logging Cheat Sheet

Why it matters

Governance is not only blocking bad fields. It also requires useful context.

Cerbi angle

Require userId, correlationId, serviceName, environment, and eventType.

Incident Response

94 days

average time to remediate leaked credentials from GitHub repositories.

Check Point, 2025

Why it matters

Exposed credentials can remain usable long after discovery.

Cerbi angle

Prevent secrets from being logged in the first place.

Stats summarize third-party breach and security research. Cerbi focuses on source-side logging governance: preventing unsafe fields from reaching logs, queues, observability tools, support workflows, and analytics. Cerbi reduces one preventable path — unsafe runtime data spreading into logs and downstream tools — and does not claim to prevent every breach or imply logs caused every cited incident.

Cerbi is a seatbelt for logging, not a replacement for the car.

Your logger stays. Your log statements stay. Cerbi intercepts, governs, and audits before anything reaches a downstream sink — automatically, at runtime, without changing how developers write code.

Get Started Guided chapters

This demo uses seeded events and expected dashboard outcomes. SDK setup code is shown only where verified public setup examples are available. Other logger SDKs are shown as plugin coverage without copy-paste setup snippets in this demo.

Cerbi | Logging Governance for Your Stack