Exceptions & Remediation

When Something Is Blocked

When a block rule matches, the request is stopped and the user sees a page on their device explaining that Cerbera blocked it and why. A coding agent like Claude Code simply reports that the call did not succeed, and the block page provides the context.

Requesting an Exception

Often a block is too broad for one legitimate workflow. Cerbera supports exceptions for those cases.

  • Today: the user emails a designated address (at your company or at Cerbera) and the exception is granted manually.
  • Roadmap: a "Request exception" button on the block page sends the request straight into your Slack or email, where you approve or reject it, similar to requesting access to a Google document. Exceptions can be temporary (for a one-off workflow) or longer-term (for someone whose job depends on a given tool).

Tip: If you run deny-by-default, expect a burst of exception requests at first. The recommended path is to monitor first (for example, for a month), allow what you see, and only then switch on deny-by-default once roughly 90% of legitimate tools and MCP servers are known. This avoids disrupting the company by blocking everything at once.

Tiered Allow Lists

For MCP in particular, you can take a middle road: allow the official, provider-maintained servers (such as Slack's) and block the unknown or more exotic ones. See MCP Governance for the rule mechanics.

Automated Remediation

As you harden, Cerbera puts automated remediations in place so issues resolve with minimal effort from your team. Examples:

  • A user with a misconfigured MCP receives a notification telling them to change the configuration and revoke the exposed token.
  • A user on a personal account is prompted to switch to the enterprise account.

The aim is to push the work to the right person automatically, rather than adding a recurring management burden on the security team.

Export to Your SIEM

Every alert and rule match is available in OpenTelemetry format, so you can forward it to your SIEM and drive downstream automation there. The intent is for people to spend as little time in the Cerbera app as possible and to plug AI alerts into the workflows you already run.

Integration                             Status
OpenTelemetry to SIEM                   Available
MCP                                     Available
Webhooks                                Roadmap
Infrastructure-as-code configuration    Roadmap

Webhooks and IaC configuration are not available yet, but are planned. Until self-service workflows mature, Cerbera handles much of this for you and progressively hands control back.

Next Steps