Runtime security platform for agentic AI systems. Detects the Lethal Trifecta: simultaneous privileged data access, untrusted content injection, and outbound exfiltration paths.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for andrebyrd87 from gravatar.com andrebyrd87

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Six Sense Enterprise Services
  • Tags ai , security , runtime , prompt-injection , llm , agentic , cerberus
  • Requires: Python >=3.10
  • Provides-Extra: langchain , crewai , autogen , llamaindex , openai , anthropic , google , all , dev
Classifiers
Report project as malware

Project description

cerberus-ai (Python SDK)

Runtime security for agentic AI — Python SDK.

Detects the Lethal Trifecta: the simultaneous convergence of privileged data access, untrusted content injection, and an outbound exfiltration path within a single AI execution turn.

Validated: N=525 attack trials across OpenAI, Anthropic, Google — 100% L1/L2 detection, 0.0% false positive rate, ~52μs p50 overhead.

Install

pip install cerberus-ai

With framework integrations:

pip install cerberus-ai[langchain]
pip install cerberus-ai[crewai]
pip install cerberus-ai[openai]
pip install cerberus-ai[anthropic]
pip install cerberus-ai[all]

Quickstart

from cerberus_ai import Cerberus
from cerberus_ai.models import CerberusConfig, DataSource, ToolSchema

cerberus = Cerberus(CerberusConfig(
    data_sources=[
        DataSource(name="customer_db", classification="PII", description="Customer records")
    ],
    declared_tools=[
        ToolSchema(name="send_email", description="Send email", is_network_capable=True),
        ToolSchema(name="search_db",  description="Search CRM",  is_data_read=True),
    ],
))

result = cerberus.inspect(
    messages=messages,
    tool_calls=tool_calls,
)

if result.blocked:
    raise Exception(f"Security block [{result.severity}]: {[e.event_type for e in result.events]}")

The Lethal Trifecta

Condition Description
L1 — Privileged Data Access Agent has access to sensitive data (RAG, DB, PII, credentials)
L2 — Untrusted Content Injection Prompt injection or poisoned content in execution context
L3 — Outbound Exfiltration Path Agent has an active mechanism to send data externally

All three present simultaneously = LETHAL TRIFECTA → BLOCK.

Cerberus is never silent — each condition triggers graduated detection independently. EGI (Execution Graph Integrity) runs on every turn regardless of Trifecta state.

Async + Streaming

# Async
async with Cerberus(config) as cerberus:
    result = await cerberus.inspect_async(messages=messages, tool_calls=tool_calls)

# Streaming — chunks released only after full-turn inspection passes
async for chunk in cerberus.stream(messages=messages):
    print(chunk)

Framework Integrations

LangChain

from cerberus_ai.integrations.langchain import wrap_chain, wrap_agent

secured_chain = wrap_chain(my_chain, config=config)
result = secured_chain.invoke({"input": "Do something"})

secured_agent = wrap_agent(agent_executor, config=config)

CrewAI

from cerberus_ai.integrations.crewai import wrap_crew

secured_crew = wrap_crew(my_crew, config=config)
result = secured_crew.kickoff()

OpenAI (drop-in)

from cerberus_ai.integrations.openai import CerberusOpenAI

client = CerberusOpenAI(config=config)   # drop-in for openai.OpenAI()
response = client.chat.completions.create(model="gpt-4o", messages=messages)
# SecurityException raised automatically on block

Anthropic (drop-in)

from cerberus_ai.integrations.openai import CerberusAnthropic

client = CerberusAnthropic(config=config)
response = client.messages.create(model="claude-opus-4-6", messages=messages, max_tokens=1024)

Detection Response Matrix

L1 L2 L3 Severity Action
BASELINE Monitor — EGI + audit trail active
LOW Log + Watch — session elevated
LOW Advisory Alert — injection logged
LOW Log + Watch — Cerberus primed
MEDIUM Elevated Watch — 2 of 3 active
MEDIUM Elevated Watch — 2 of 3 active
HIGH High Alert — injection into privileged context
CRITICAL BLOCK + ALERT — Lethal Trifecta

Late Tool Registration

from cerberus_ai.models import ToolSchema

success, message = cerberus.register_tool_late(
    tool=ToolSchema(name="new_tool", description="...", is_network_capable=True),
    reason="user_requested_capability",
    authorized_by="user_session_id",
)
# Blocked automatically if L2 injection was active during registration

Configuration

from cerberus_ai.models import CerberusConfig, ObserveConfig, StreamingMode

config = CerberusConfig(
    streaming_mode=StreamingMode.BUFFER_ALL,   # BUFFER_ALL | PARTIAL_SCAN | PASSTHROUGH
    max_buffer_bytes=2 * 1024 * 1024,          # 2MB turn buffer
    context_window_limit=32_000,               # tokens before priority scoring
    l3_behavioral_intent_threshold=0.60,       # L3 intent scoring threshold
    cross_turn_data_flow_enabled=True,         # track data flow across turns
    observe=ObserveConfig(
        mode="LOCAL_ONLY",                     # LOCAL_ONLY | LOCAL_PLUS_SIEM | LOCAL_PLUS_SYSLOG
        log_path="/var/log/cerberus/events",   # NDJSON, append-only
    ),
    data_sources=[...],
    declared_tools=[...],
)

Running Tests

pip install cerberus-ai[dev]
pytest tests/adversarial/test_evasion.py -v

38 adversarial tests covering: direct injection, encoding obfuscation (base64/unicode/url/html/zero-width), structural injection (RTL, prompt boundary spoofing), L1/L2/L3 detection, full Trifecta, EGI violations, and false positive baseline.

Architecture

cerberus_ai/
├── __init__.py          # Cerberus public API
├── models.py            # All data types
├── inspector.py         # Session orchestrator
├── detectors/
│   ├── normalizer.py    # 6-pass encoding normalization
│   ├── l1.py            # Privileged data access
│   ├── l2.py            # Injection detection
│   └── l3.py            # Exfiltration path + cross-turn tracking
├── egi/
│   └── engine.py        # Execution Graph Integrity
├── telemetry/
│   └── observe.py       # Signed tamper-evident telemetry
└── integrations/
    ├── langchain.py     # LangChain callback + wrap_chain/agent
    ├── crewai.py        # CrewAI wrap_crew
    └── openai.py        # CerberusOpenAI / CerberusAnthropic drop-ins

TypeScript / Node.js

The TypeScript SDK (@cerberus-ai/core) lives in src/. The Python SDK is a full-parity port with identical detection logic.

OdinForge Security by Six Sense Enterprise Services
sixsenseenterprise.com · github.com/odinforge/cerberus

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for andrebyrd87 from gravatar.com andrebyrd87

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Six Sense Enterprise Services
  • Tags ai , security , runtime , prompt-injection , llm , agentic , cerberus
  • Requires: Python >=3.10
  • Provides-Extra: langchain , crewai , autogen , llamaindex , openai , anthropic , google , all , dev
Classifiers

Release history Release notifications | RSS feed

1.4.0

1.3.0

1.2.0

1.1.2

1.1.0

This version

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cerberus_ai-1.0.0.tar.gz (29.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cerberus_ai-1.0.0-py3-none-any.whl (32.7 kB view details)

Uploaded Python 3

File details

Details for the file cerberus_ai-1.0.0.tar.gz.

File metadata

  • Download URL: cerberus_ai-1.0.0.tar.gz
  • Upload date:
  • Size: 29.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cerberus_ai-1.0.0.tar.gz
Algorithm Hash digest
SHA256 11df0bdb8d12bd61abce8a2b64a40b595bc8a4bcac737c17109e9a18f42389e0
MD5 58a8f876418fc8886870bb6c369e11de
BLAKE2b-256 1fae14ee5d7777cb2d7a2ca23a9d633584000d9117edd5c278961120a56a8119

See more details on using hashes here.

Provenance

The following attestation bundles were made for cerberus_ai-1.0.0.tar.gz:

Publisher: python-sdk.yml on Odingard/cerberus

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cerberus_ai-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: cerberus_ai-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 32.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cerberus_ai-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 602cbf184b1a3f5fac77360e19d74f30c079ecb7a7d5cef38f170ca15bec32fc
MD5 d4d95a75893974c665e07c32bc348845
BLAKE2b-256 726abdfa4f3b2afb15d700ef0ca564463296eb64f2429c4a75fe4383ae43c2b8

See more details on using hashes here.

Provenance

The following attestation bundles were made for cerberus_ai-1.0.0-py3-none-any.whl:

Publisher: python-sdk.yml on Odingard/cerberus

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page