A Palantir Group product palantirgroup.co.uk ↗
Cerberus // AI Runtime Defense

When AI attacks, the kernel answers.

Machine-speed threats — prompt injection, model theft, inference abuse — met with eBPF enforcement inside the Linux kernel. Observe, simulate, then enforce: every action signed, time-bounded and reversible.

Metadata-only telemetry. No traffic mirroring, no TAP devices, no payload capture by default. The red streaks behind this page? That's the simulation you'll run before anything blocks.

Cerberus is not publicly distributed. Access is granted to vetted organisations only.

cerb-console — live decisions STREAMING
agents 24 relay ok threats contained 0 kill switch armed
0
enforcement paths, from kernel file-deny to network rate-limits
0
AI WAF rules across 7 attack categories, prompt injection to RAG poisoning
0
signing-key rotation — Ed25519-signed policy bundles, agents refuse anything else
0
of enforcement actions time-bounded, attributable and reversible
The enforcement workflow

Observe. Simulate. Enforce.

Alerting tools stop at step one. Cerberus is built around the discipline of what happens next — and every step leaves an audit trail.

01 — OBSERVE

See everything, copy nothing

eBPF hooks capture socket events, DNS queries and network flows directly in the kernel. No userspace agents to compromise, no packet payloads stored.

mode: observe · default on enrol
02 — SIMULATE

Rehearse before you block

Run any policy against live traffic without touching it. See exactly what would be blocked, verify zero false positives, then promote with confidence.

mode: simulate · would_block reports
03 — ENFORCE

Act at the kernel, not the perimeter

BPF LSM file-deny, cgroup-scoped blocks, traffic-control rate-limits. Every action carries a TTL, a rollback path and a kill switch.

mode: enforce · never the default
See it in action

Watch an AI attack meet the kernel.

Pick a live-fire scenario and run it. This is the same observe → score → simulate → enforce path Cerberus runs in production — replayed here against a decoy so you can watch every decision.

Attacker185.220.x.x
exploit in flight contained at ring 0
AI workloadnode-02cerb-agent
Select a scenario and press Run simulation to watch Cerberus respond in real time.
Idle · decoy environment · nothing here touches production

Representative sequence · exact signal names, thresholds and rule IDs are shared with vetted clients under NDA.

Platform capabilities

Built where attackers can't argue

Detection you can route around is advice. Enforcement in the kernel is a decision.

Kernel-level enforcement

eBPF + BPF LSM file-deny. Blocks happen inside the kernel — not in a userspace proxy that malware can walk around.

BPF LSM · kernel file-deny

cgroup-scoped policies

Target the workload, not the IP address. Process-isolation-grade precision on bare hosts, containers and pods.

cgroup identity · exact-match required

Active deception

Per-attacker honeypots with SO_ORIGINAL_DST hardening. Attackers burn their tooling on decoys; production stays untouched.

deception pipeline · per-attacker

Signed policy bundles

Ed25519 signatures with deterministic marshalling and 24-hour key rotation. Agents refuse any bundle they can't verify.

ed25519 · 24h key rotation

Deterministic AI scoring

Attack scores have a deterministic floor the LLM cannot lower. AI accelerates triage — it never overrules the rules.

deterministic floor · LLM advisory only

Operations-grade controls

TTL on every action, one-command rollback, a global kill switch and a complete audit trail. Built for people who answer for uptime.

ttl · rollback · kill switch · audit
AI Runtime Defense

Your AI stack is an attack surface. Cerberus treats it like one.

Model files, inference endpoints, agent frameworks and provider APIs — watched with the same kernel-level discipline as everything else.

The attack — machine speed

  • Prompt injection through user input and tool output
  • Model weights exfiltrated from disk
  • Inference-port abuse and endpoint flooding
  • Agent hijacking and RAG poisoning
VS

The answer — kernel depth

  • 38 AI WAF rules, detect-first with a central kill switch
  • BPF LSM file-deny on model directories
  • cgroup-scoped rate-limits on inference ports
  • Deterministic scoring the LLM cannot talk down

AI WAF

38 rules across the attacks that actually hit LLM applications. Detect-only rollout with a central flag and kill switch — nothing blocks until you say so.

prompt injectionLLM API abusemodel extraction training-data extractionagent hijackingtool injectionRAG injection

cerb-analyst

A LangGraph reporting sidecar that correlates IoCs, maps activity to MITRE ATT&CK and delivers a daily per-tenant threat report with risk score and recommendations. Runs against Anthropic, OpenAI — or fully local on Ollama.

What Cerberus watches on your AI stackself-hosted inference · provider egress · model artifacts
Provider egressOutbound connections from your workloads to external AI endpoints
Self-hosted inferenceAccess to local model-serving and inference endpoints
Model artifactsReads of model weights on disk, correlated with egress
Inference loadAbnormal activity against your AI service ports
Agents & RAGPrompt-injection, tool-injection and hijacking attempts
SIGNAL HONESTYEach signal is scored for what it actually proves — no alarm inflation. The full taxonomy — names, thresholds and severities — is shared with vetted clients under NDA.
Kubernetes-aware

Cluster identity. Kernel authority.

cerb-agent deploys as a privileged DaemonSet on every node. Kubernetes metadata drives targeting, identity and audit — enforcement always happens at the kernel and cgroup level.

TARGETING

Write policies against namespaces, workloads and service accounts.Pod UID, container ID and cgroup ID as identity — never pod names.

IDENTITY

Enforcement is blocked unless node-local identity resolves exactly.If identity cannot be resolved exactly, the action does not run. Guardrail, not guideline.

POSTURE

Enforce mode is never the default, on any target.Clusters start in observe; promotion is an explicit, audited decision.

RBAC

No Kubernetes API write permissions, by default and by design.The API is read for identity — it is never the authorization basis for enforcement.

cluster: production
node-01
cerb-agent
node-02
cerb-agent
node-03
cerb-agent
privileged DaemonSet · enforcement at node kernel · K8s API read-only
Architecture

Four components. No exposed core.

Agents behind NAT reach the core through a stateless relay — the core server is never public. Verified in production at ~60,000 events per six hours.

cerb-agent

eBPF telemetry + enforcement on every host and node. Spools up to 100 MB offline, replays in order on reconnect.

cerb-relay

Stateless WebSocket bridge. NAT-friendly, TLS, proxies console traffic over the same channel.

cerb-core

Ingest, rule engine, policy signing, threat & vulnerability intel. Postgres + ClickHouse behind it.

cerb-console

Fleet drift, policy timeline, simulation reports, evidence chains — and cerb-analyst threat reports.

Multi-tenant from day one — every table, every endpoint Local-first AI: Anthropic, OpenAI or on-prem Ollama Threat intel: domain + IP feeds, OSV, CISA KEV
Access protocol

Access is not open.

Cerberus operates with ring-0 authority inside your infrastructure. Software with that level of power is not downloaded, trialled or demonstrated casually. Due to the nature of this platform, access is granted exclusively to vetted organisations — no public builds, no self-serve trials, no exceptions.

01
Introduction

Your organisation identifies itself over a verifiable channel. Requests from anonymous or free-mail addresses are not processed.

02
Verification

We verify identity, infrastructure and intended use. Verification typically completes within five business days. We decline more requests than we accept.

03
Briefing under NDA

Technical disclosure follows verification — architecture, guardrails and a deployment plan mapped to your environment. Nothing before.

04
Controlled deployment

Observe-mode rollout with our engineers. Enforcement is promoted only after simulation proves clean against your live traffic.

Request access — verified organisations only

Requests are transmitted to our verification queue. All technical disclosure follows vetting — no exceptions.