Govern logs at the source, before they become cost or risk
Step 1 — The raw log
This log is leaving your
application right now.
Every checkout, every auth call, every background job. Developers log everything — and three of these fields should never reach your observability pipeline.
cardNumber = "4532-1234-5678-901…"
    PCI-DSS Req 3.4 — card data must never appear in logs
apiToken = "sk_live_abc123xyz7…"
    Credential exposure — live token grants full API access
email = "thomas@acme.com…"
    GDPR Art. 25 — PII should be minimised at source
82% of breaches involve data that appeared in application logs
Step 2 — Policy match
Every field is checked
against your deployed rules.
CerbiStream resolves aliases, checks every field key, and matches it to a governance rule before the log leaves the application process.
Field in log: cardNumber = "4532-1234-5678-9012…"
Rule matched: cardNumber → Forbidden (aliases: cc, creditCard)
Reason: Card data in logs violates PCI-DSS. No conditions. Always redact.

Field in log: apiToken = "sk_live_abc123xyz789…"
Rule matched: token → Forbidden (aliases: apiKey, secret, accessToken)
Reason: Live credentials in telemetry pipelines create lateral-movement risk.

Field in log: email = "thomas@acme.com…"
Rule matched: email → Warn (aliases: userEmail)
Reason: PII in logs. Warn-level: flags but does not block. Allows developer awareness.
Step 3 — Transformation
The log is governed
before it leaves the app.
Sensitive values are redacted in-process. The governed log — not the raw log — reaches Datadog, Splunk, or your SIEM.
Without Cerbi
cardNumber + apiToken + email reach Datadog / Splunk
With Cerbi
Sensitive values never reach your observability pipeline
Step 4 — Audit evidence
Every decision is
stamped and recorded.
CerbiShield receives governance metadata — not raw sensitive values. Each governed event produces a verifiable evidence record for auditors.
governed: true
profile: UserAPI
profileVersion: 1.0.0
score: 89
riskPenalty: 11.5
violationCount: 3
violations[]:
    cardNumber: Redacted (severity: Forbidden, impact: -5.0 pts)
    email: Flagged (severity: Warn, impact: -1.5 pts)
    apiToken: Redacted (severity: Forbidden, impact: -5.0 pts)
Evidence Recorded
What this record gives auditors
What was governed
Which service, which profile version, which fields were evaluated and what decision was applied to each.
Proof of redaction
The raw sensitive value is not present. The record proves governance ran without storing what it protected.
Scoring and risk context
Score, penalty, and per-violation severity give auditors a quantified risk signal, not just a pass/fail stamp.
Remediation evidence
Violation codes map directly to developer fix instructions. The same record drives the refine loop.
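The flow in Steps 2 to 4 (alias resolution, in-process redaction, evidence without raw values), as an added C# example; it is not CerbiStream's code, API, or profile format. `LogGovernor`, `Rule`, `Govern`, the `[REDACTED]` marker, and summing the per-violation impacts into `riskPenalty` are assumptions for illustration, and the sample event is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Constructed sample event; its keys are aliases, not canonical rule names.
var raw = new Dictionary<string, object>
{
    ["cc"] = "4111-1111-1111-1111", ["accessToken"] = "sk_test_constructed",
    ["userEmail"] = "user@example.com", ["amount"] = 42.50,
};
var (governed, evidence) = LogGovernor.Govern(raw);
Console.WriteLine(JsonSerializer.Serialize(governed)); // what the log sink receives
Console.WriteLine(JsonSerializer.Serialize(evidence)); // metadata only, no raw values

enum Severity { Warn, Forbidden }
record Rule(string Key, Severity Severity, string[] Aliases);
static class LogGovernor
{
    // Rules and aliases as listed on the page; this table layout is hypothetical.
    static readonly Rule[] Rules =
    {
        new("cardNumber", Severity.Forbidden, new[] { "cc", "creditCard" }),
        new("token", Severity.Forbidden, new[] { "apiKey", "secret", "accessToken" }),
        new("email", Severity.Warn, new[] { "userEmail" }),
    };
    // Alias resolution: every alias and canonical key maps to its rule, ignoring case.
    static readonly Dictionary<string, Rule> Index = Rules
        .SelectMany(r => r.Aliases.Append(r.Key).Select(name => (name, rule: r)))
        .ToDictionary(p => p.name, p => p.rule, StringComparer.OrdinalIgnoreCase);

    public static (Dictionary<string, object> Governed, Dictionary<string, object> Evidence)
        Govern(IDictionary<string, object> evt)
    {
        var governed = new Dictionary<string, object>();
        var violations = new List<object>();
        double penalty = 0;
        foreach (var (key, value) in evt)
        {
            if (!Index.TryGetValue(key, out var rule)) { governed[key] = value; continue; }
            bool forbidden = rule.Severity == Severity.Forbidden;
            governed[key] = forbidden ? "[REDACTED]" : value; // Warn flags but does not block
            penalty += forbidden ? 5.0 : 1.5; // per-violation impacts shown on the page
            violations.Add(new { field = key, rule = rule.Key,
                severity = rule.Severity.ToString(), action = forbidden ? "Redacted" : "Flagged" });
        }
        return (governed, new Dictionary<string, object> { ["governed"] = true, ["riskPenalty"] = penalty,
            ["violationCount"] = violations.Count, ["violations"] = violations });
    }
}
```

The evidence dictionary carries field names, matched rules and decisions only, so it can be shipped to a separate store without reintroducing the values that were redacted.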
Step 5 — Developer fix
Violations drive
concrete code changes.
The audit evidence maps directly to the logging call. Developers don't get a vague compliance complaint — they get the exact field to remove or replace.
Before — unsafe
logger.LogInformation("Checkout", new {
    service = "OrdersAPI",
    correlationId = txn.Id,
    userId = user.Id,
    cardNumber = payment.CardNumber, // ← FORBIDDEN
    apiToken = config.ApiToken, // ← FORBIDDEN
    email = user.Email, // ← WARN
    amount = cart.Total,
});

After — safe
logger.LogInformation("Checkout", new {
    service = "OrdersAPI",
    correlationId = txn.Id,
    userId = user.Id,
    // cardNumber removed — use last4 only
    last4 = payment.CardNumber[^4..],
    // apiToken removed — log tokenId instead
    tokenId = config.TokenId,
    // email removed — log userId for tracing
    amount = cart.Total,
});

After the fix — the governance score for this service goes from 38 to 100. The loop closes. The profile refines.
Where Cerbi fits
Sits before your pipeline.
Replaces nothing.
CerbiShield is a governance control plane. It does not replace Datadog, Splunk, Azure Monitor, OpenTelemetry, SIEM, or APM.
CerbiStream — governance layer
CerbiStream intercepts the event before emission. Rules are evaluated, fields are redacted or flagged, and governance metadata is attached. All in the same process, before any network call.
services.AddCerbiStream(options => {
options.ProfilePath = "governance.json";
options.Environment = "production";
});

Step 6 — The governance loop
A repeatable loop,
not a one-time fix.
Governance compounds. Each pass through the loop catches more violations, fixes more code, and raises the score. Logging matures.
Create Rules
Security team defines policy — which fields are Forbidden, Required, or flagged.
Compliance coverage
Evidence for every
regulation that asks about logs.
CerbiShield does not replace a compliance program. It provides verifiable evidence of control wherever a regulation touches log data.
Req 3.4: Render PAN unreadable anywhere it is stored
    Redacts cardNumber, cc, creditCard in-process before any persistence or transmission
Req 3.5: Protect PAN with strong cryptography when transmitted
    Governed log never contains PAN — interception eliminates the transmission risk entirely
Req 10.3: Protect audit logs from destruction and unauthorized modifications
    Governance metadata is append-only and version-stamped, separate from the governed telemetry
Product value
Four dimensions of impact.
CerbiShield is evaluated across the four vectors that matter in enterprise adoption.
avg 90/100
Ease of Adoption: 88/100
CerbiStream installs alongside NLog, Serilog, log4net, or MEL. Existing structured patterns continue to work. Most teams are running governance in under a sprint.
Next step
See Cerbi govern
your log, with your rules.
The interactive demo above runs the full governance engine — no live environment needed. Walk through every stage, add a rule, inject a log, and watch enforcement happen end-to-end.