Dashboards & Alerts
Overview
Dashboards and alerts are where the proxy's visibility surfaces. After deployment, Cerbera AI gives you a fleet-wide view of AI usage, the ability to drill into any individual user or agent, and a stream of alerts produced by your rules. What each alert contains is governed by your privacy settings, so visibility never comes at the cost of employee trust.
Fleet Dashboard
The top-level dashboard answers "what AI is happening across the organization?" at a glance:
| Metric | Description |
|---|---|
| AI tools detected | Unique AI tools, agents, and models observed across the fleet |
| MCP servers detected | Unique MCP servers connected by employees |
| Security issues | Token exposure, personal accounts, risky agent behavior, and other flagged findings |
| Active users | Users with at least one AI interaction |
| Alerts | Rule matches over the selected period, by action and severity |
From here you can filter by tool, user, device, or time, and pivot into the detail views below.
Per-User View
For any employee, Cerbera AI shows the AI tools and agents they use, the MCP servers they connect to, and every alert raised for them. This is how you answer questions like "who is using personal accounts on Claude Code?" or "which users connected to an unapproved MCP server?"
Per-Agent View
The per-agent view focuses on how a given agent (for example Claude Code) is configured and behaving across the fleet:
- Whether it uses enterprise or personal accounts
- Whether it has attempted risky actions such as SSH commands or `.env` access
- Which MCP servers it connects to and whether tokens are exposed
See Agent Controls for the behaviors these views surface.
Alert Types
Alerts fall into a few broad categories:
Usage alerts
A user or device used a particular AI tool, model, or MCP server. This is the foundation of discovery and the lightest-touch signal.
Configuration issues
Risky setup detected, such as a personal (non-enterprise) account, an exposed token on an MCP server, or access to SSH keys.
Redaction events
A rule redacted sensitive data (an API key, an AWS key, PII) from a request before it left the device. The workflow continued; the secret did not leave.
Policy violations
A block rule matched and stopped a request. The user saw a pop-up explaining why and can request an exception.
What an Alert Contains
By default an alert records only that a rule matched, for which user, at what time. Logging the request body is optional and governed by your privacy settings:
| Mode | What the alert carries |
|---|---|
| Alert only (default) | Rule, user, timestamp. No prompt body, no response. |
| Body logged locally | Stays on the user's device; retrievable by the user via an identifier. |
| Body logged to Cerbera | Request body attaches to the alert; requires a deliberate double opt-in. |
See Privacy for how these modes are configured and audited.
AI Usage Analytics
Beyond individual alerts, Cerbera AI can show aggregate usage: which classes of tool are used and in what proportion. This is deliberately sensitive territory. The goal is security insight, not monitoring individuals, so analytics respect the same privacy framework and the boundaries you set with your works council. Token figures, where shown, are rough fleet-level orders of magnitude (see Privacy).
Export
Every alert and rule match is available in OpenTelemetry format, so dashboards do not have to be the only place you consume this data. Stream alerts into your SIEM and existing workflows. See Openness & Interoperability.
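An added example, not Cerbera's own code: a SIEM-side ingest check that walks an OTLP/JSON logs export, counts alerts per category, and flags records carrying a request body although their privacy mode does not allow one. The attribute keys (`alert.category`, `alert.mode`, `user.id`, `request.body`) and the mode values are assumptions, since the page does not document the exported schema; the sample records are constructed.

```python
import json
from collections import Counter

# Assumed attribute keys and mode values; the exported schema is not documented on the page.
CATEGORY, MODE, USER, BODY = "alert.category", "alert.mode", "user.id", "request.body"
BODY_ALLOWED_MODES = {"body_logged_remote"}

def _rec(category, mode, user, body=None):
    """Build one constructed OTLP/JSON log record."""
    fields = {CATEGORY: category, MODE: mode, USER: user}
    if body is not None:
        fields[BODY] = body
    return {"timeUnixNano": "1700000000000000000",
            "attributes": [{"key": k, "value": {"stringValue": v}}
                           for k, v in fields.items()]}

# Constructed sample export, round-tripped through JSON as a collector would deliver it.
SAMPLE = json.loads(json.dumps({"resourceLogs": [{"scopeLogs": [{"logRecords": [
    _rec("usage", "alert_only", "u1"),
    _rec("redaction", "alert_only", "u2"),
    _rec("policy_violation", "body_logged_remote", "u3", "constructed body"),
    _rec("configuration", "alert_only", "u4", "constructed body"),
]}]}]}))

def attrs_of(record):
    """Flatten OTLP KeyValue attributes into a plain dict."""
    out = {}
    for kv in record.get("attributes", []):
        # AnyValue is a one-of: take whichever scalar field is set.
        out[kv["key"]] = next(iter(kv.get("value", {}).values()), None)
    return out

def iter_records(export):
    """Yield every log record in an OTLP/JSON logs export."""
    for resource in export.get("resourceLogs", []):
        for scope in resource.get("scopeLogs", []):
            yield from scope.get("logRecords", [])

def triage(export):
    """Return (alerts per category, [(user, mode)] for records whose body should not be there)."""
    counts, unexpected = Counter(), []
    for record in iter_records(export):
        a = attrs_of(record)
        counts[a.get(CATEGORY, "unknown")] += 1
        if a.get(BODY) and a.get(MODE) not in BODY_ALLOWED_MODES:
            unexpected.append((a.get(USER), a.get(MODE)))
    return counts, unexpected

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty second return value means a request body reached the pipeline outside the opted-in mode and is worth treating as a privacy finding before the record is indexed.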