Frequently Asked Questions
Deployment & Compatibility
How is the proxy deployed?
Through your MDM in one click. On macOS and Windows it is pushed from the MDM (for example Jamf, or an MSI through Intune); the user restarts once and it works out of the box. Without an MDM, users run a downloadable installer. On Linux there is no MDM path, so installation is via an emailed script. See Deployment.
Will it conflict with my VPN, ZTNA, secure web gateway, or EDR?
Cerbera AI chains with existing proxies (for example Cato ZTNA or Jamf Security Cloud) and in practice runs without issue. Because any new layer can have side effects, Cerbera always tests against your specific stack before a fleet-wide rollout. Include at least one pilot device running each of your existing layers.
How do users disable or uninstall it?
It is installed as a system proxy, so disabling it means going into the device's network settings. That is harder than toggling a VPN icon but straightforward for anyone technical. The goal is to cover the careless user, not to stop a malicious insider. If anyone reports a problem, the proxy can be uninstalled in one click from the MDM.
Does it work offline?
Yes. Rules are signed and cached locally, so enforcement keeps working even if Cerbera is unreachable.
Performance
Does the proxy add latency?
Median (P75) latency is under a millisecond and P99 is around 10 milliseconds. At the API layer this is imperceptible, and on AI tools that take seconds to respond it is far below the noise floor.
Will more rules slow things down?
Rules are signature-based (regex and binary logic), not a local model, so they are fast. As with any firewall, evaluate latency as you add rules. See How It Works.
Privacy
What does Cerbera collect by default?
Only metrics, for example that a user used Claude. No prompt body and no response. See Privacy.
Can Cerbera read employee prompts?
Not by default. Logging prompts or responses must be enabled in two separate places in the app, is auditable, and can be disabled organization-wide so the option no longer even exists. During a pilot, a local-logging mode keeps logs on the user's device; Cerbera only sees an identifier, and the user chooses whether to share the content.
Isn't this surveillance of employees?
The default posture is privacy-preserving, and seeing a prompt is a deliberate, auditable exception. The same visibility already exists in tooling you likely run (EDR, VPN). Cerbera can help frame the program for works-council (CSE) discussions as security, not monitoring.
Architecture & Security
How does it see both browser and local traffic?
It is a local proxy positioned in the request path, so any traffic to AI tools, whether from a browser tab or a local application, passes through it before reaching the provider. The main thing it cannot see is purely in-cloud context, such as instructions hidden in a Notion page that Notion AI reads server-side.
Does it perform TLS interception, and is that safe?
Yes, it performs HTTPS interception and a certificate is installed into the trust store via MDM. Cerbera holds no root CA; each device generates its own certificate, so compromising Cerbera does not yield a key to intercept your traffic. Rules are signed, the agent verifies signatures, and Cerbera is third-party pen-tested and SOC 2 and ISO 27001 certified. See How It Works.
How is it different from an EDR?
An EDR watches system calls and can flag an agent launching ssh, but it cannot read prompts or block specific AI network calls. Cerbera AI is purpose-built for AI: it sees prompts, redacts secrets, governs MCP, and covers the browser as well as the device.
What happens if an AI provider changes its API overnight?
Enforcement is allow-by-default for unrecognized traffic. If a provider changes its private API without warning, the new traffic is simply not recognized and is allowed through rather than blocking users, and Cerbera then updates the rules. In practice such changes are usually visible in advance because providers A/B test before a full rollout.
Detection & Rules
Do you offer prompt-injection detection?
Not yet. Classifying prompts would require a local AI model, which is resource-intensive and would not run well on every corporate machine. Today the rules are signature-based for performance. Better detection without hurting performance is on the roadmap.
Do you share detection patterns between customers?
No customer data is shared and no model is trained on your traffic. What is shared is anonymized knowledge: a risky pattern seen in one environment can inform the rule catalog for everyone, the same way an MSSP or SOC operates. There is no global AI score; it is rule logic.
Can I deny by default?
Yes. The recommended path is to monitor first (for example a month), allow what you see, then switch on deny-by-default once roughly 90% of legitimate tools and MCP servers are known. A blocked user sees a page explaining why and can request an exception. See Exceptions & Remediation.
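The trade-off between the allow-by-default behaviour described under Architecture & Security and the deny-by-default option above, shown as an added example (this is not Cerbera's code or rule format). The rule shape, the host api.example-ai.test, the paths and the sample prompt are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    # Hypothetical rule shape: regexes combined with boolean AND.
    name: str
    host: str
    path: str
    action: str                 # "allow" or "block"
    body: Optional[str] = None  # None: the endpoint match alone decides

    def matches(self, host, path, body):
        return (re.fullmatch(self.host, host) is not None
                and re.fullmatch(self.path, path) is not None
                and (self.body is None or re.search(self.body, body) is not None))

# Constructed catalog; first match wins, so the block rule precedes the allow rule.
RULES = [
    Rule("block-aws-key", r"api\.example-ai\.test", r"/v1/chat", "block",
         body=r"AKIA[0-9A-Z]{16}"),
    Rule("allow-chat", r"api\.example-ai\.test", r"/v1/chat", "allow"),
]

def evaluate(host, path, body, rules=RULES, default="allow"):
    """Return (action, rule_name); unmatched traffic gets the default policy."""
    for rule in rules:
        if rule.matches(host, path, body):
            return rule.action, rule.name
    return default, "default"

def unrecognized(requests, rules=RULES):
    """Distinct endpoints no rule recognizes: the review list for monitor-first."""
    return sorted({(h, p) for h, p, b in requests
                   if evaluate(h, p, b, rules)[1] == "default"})

# Constructed sample traffic: the same leaking prompt before and after an API change.
LEAK = '{"prompt": "deploy with AKIAABCDEFGHIJKLMNOP"}'
OLD = ("api.example-ai.test", "/v1/chat", LEAK)
NEW = ("api.example-ai.test", "/v2/messages", LEAK)   # endpoint renamed overnight

if __name__ == "__main__":
    print(evaluate(*OLD))                   # recognized endpoint, secret caught
    print(evaluate(*NEW))                   # allow-by-default: passes uninspected
    print(evaluate(*NEW, default="block"))  # deny-by-default: user blocked instead
    print(unrecognized([OLD, NEW]))         # endpoints to review and add rules for
```

Under allow-by-default the renamed endpoint carries the secret through until the catalog is updated; under deny-by-default the same request is blocked and the user sees the exception page instead.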
Integrations & Metrics
Can I export alerts to my SIEM?
Yes. All alerts and rule matches are available in OpenTelemetry format. Webhooks and infrastructure-as-code configuration are on the roadmap. MCP is supported today. See Openness & Interoperability.
Can it report token usage per person?
It can give rough, fleet-level figures, with the caveat that tokens are not comparable across providers and usage outside the device (for example on a phone) is not captured. Treat token figures as broad orders of magnitude. This is on the roadmap rather than a precise feature today.
How is access to the console secured?
Authentication is delegated to Clerk, with SSO and MFA.