CERBERUS
Data-Loss Prevention · Reimagined

Nothing leaves without passing the guardian.

Cerberus inspects every outbound payload across four detection layers and returns a single verdict, allow, warn, or block, in under 100 milliseconds.

See the numbers How it works
Scroll
Heuristics·Named-Entity Recognition· Semantic Embeddings·Transformer Classifier· allow / warn / block· Heuristics·Named-Entity Recognition· Semantic Embeddings·Transformer Classifier· allow / warn / block·
The pipeline

Four heads. One verdict.

Every request flows through a fast-fail pipeline. Cheap deterministic checks run first; the heavy model only wakes when it has to. Each layer adds its own evidence, and Cerberus fuses them into one decision.

Heuristics

Deterministic regex & validators catch the obvious, private keys, AWS credentials, Luhn-valid cards, JWTs. Match or no match, no ambiguity.

Sub-10 ms · fast-fail block

NER Engine

Hybrid spaCy + exact-match recognition surfaces PII and company-specific entities, customer names, emails, phone numbers, national IDs.

Contextual PII detection

Semantic Search

FAISS-indexed embeddings of your proprietary source. Catches leaked code even after every variable has been renamed.

Cosine similarity > 0.65

ML Classifier

A DistilBERT model, ONNX-optimised for CPU, reads intent and sorts each payload into safe, suspicious, or exfiltration.

Zero-day intent detection
Live trace

Anatomy of a single request.

Scroll to watch a prompt pass through every detection layer, from keystroke to verdict.

Pillar I, Performance

Proven on the evaluation bench.

Latest run against the expanded dataset of labelled prompts, safe developer chatter, accidental leaks, and outright malicious exfiltration.

0
Accuracy
0
Recall, zero misses
0
F1 score
0
p95 latency

How each head earns its keep

Detections that landed correctly, per layer.

Confusion matrix

50 samples · classes fused to leak / no-leak.

Zero false negatives, nothing sensitive slipped through. The handful of false positives are deliberately conservative: Cerberus warns first.

Pillar II, Use cases

A guardian for every domain.

Wherever a single pasted secret is a breach, Cerberus sits inline at the gateway. Here is how teams across different fields put it to work.

Most sensitive data never leaves through a breach, it leaves through a text box. A pasted .env, a copied customer table, a screenshot of a contract. Cerberus watches that text box.
— the problem Cerberus was built to solve

Put a guardian on your gateway.

Run the detection API, point your proxy at it, and watch the verdicts stream in.

Request a demo