Runtime security for AI agent execution. Detects and correlates Lethal Trifecta conditions across privileged data access, untrusted content, and outbound behavior.
Project description
cerberus-ai (Python SDK)
Runtime security for AI agent execution — Python SDK.
This package is the Python distribution of Cerberus Core. The product home and documentation are the canonical reference for current product boundaries, evidence, and roadmap:
- Home:
https://cerberus.sixsenseenterprise.com - PyPI:
https://pypi.org/project/cerberus-ai/
Cerberus Core focuses on the runtime path where an agent can access trusted data, ingest untrusted content, and take outbound action.
This SDK is part of the Cerberus Core surface. Historical validation artifacts, research writeups, and current-branch reruns live in the repo. Benchmark and product claims should always be tied to a specific evidence set and run date.
What's New in 1.5.0
- Unified Python SDK — consolidated into a single
cerberus-aisuperset package, version-aligned to the current Cerberus release line - One canonical source — Cerberus publishes from a single source of truth; product boundaries and evidence live at the product home
Install
pip install cerberus-ai
With framework integrations:
pip install cerberus-ai[langchain]
pip install cerberus-ai[crewai]
pip install cerberus-ai[openai]
pip install cerberus-ai[anthropic]
pip install cerberus-ai[all]
Quickstart
from cerberus_ai import Cerberus
from cerberus_ai.models import CerberusConfig, DataSource, ToolSchema
cerberus = Cerberus(CerberusConfig(
data_sources=[
DataSource(name="customer_db", classification="PII", description="Customer records")
],
declared_tools=[
ToolSchema(name="send_email", description="Send email", is_network_capable=True),
ToolSchema(name="search_db", description="Search CRM", is_data_read=True),
],
))
result = cerberus.inspect(
messages=messages,
tool_calls=tool_calls,
)
if result.blocked:
raise Exception(f"Security block [{result.severity}]: {[e.event_type for e in result.events]}")
The Lethal Trifecta
| Condition | Description |
|---|---|
| L1 — Privileged Data Access | Agent has access to sensitive data (RAG, DB, PII, credentials) |
| L2 — Untrusted Content Injection | Prompt injection or poisoned content in execution context |
| L3 — Outbound Exfiltration Path | Agent has an active mechanism to send data externally |
All three present simultaneously = LETHAL TRIFECTA → BLOCK in the guarded runtime path.
This Python SDK exposes Cerberus session inspection APIs plus selected integrations and hardening features. The product home and documentation remain the canonical reference for which Core behaviors are production-hardened, benchmarked, and actively advertised.
Async + Streaming
# Async
async with Cerberus(config) as cerberus:
result = await cerberus.inspect_async(messages=messages, tool_calls=tool_calls)
# Streaming — chunks released only after full-turn inspection passes
async for chunk in cerberus.stream(messages=messages):
print(chunk)
Framework Integrations
LangChain
from cerberus_ai.integrations.langchain import wrap_chain, wrap_agent
secured_chain = wrap_chain(my_chain, config=config)
result = secured_chain.invoke({"input": "Do something"})
secured_agent = wrap_agent(agent_executor, config=config)
CrewAI
from cerberus_ai.integrations.crewai import wrap_crew
secured_crew = wrap_crew(my_crew, config=config)
result = secured_crew.kickoff()
OpenAI Convenience Wrapper
from cerberus_ai.integrations.openai import CerberusOpenAI
client = CerberusOpenAI(config=config)
response = client.chat.completions.create(model="gpt-4o", messages=messages)
# SecurityError raised automatically on block
Anthropic Convenience Wrapper
from cerberus_ai.integrations.openai import CerberusAnthropic
client = CerberusAnthropic(config=config)
response = client.messages.create(model="claude-opus-4-6", messages=messages, max_tokens=1024)
Detection Response Matrix
| L1 | L2 | L3 | Severity | Action |
|---|---|---|---|---|
| ○ | ○ | ○ | BASELINE | Monitor |
| ● | ○ | ○ | LOW | Log + Watch — session elevated |
| ○ | ● | ○ | LOW | Advisory Alert — injection logged |
| ○ | ○ | ● | LOW | Log + Watch — Cerberus primed |
| ● | ○ | ● | MEDIUM | Elevated Watch — 2 of 3 active |
| ○ | ● | ● | MEDIUM | Elevated Watch — 2 of 3 active |
| ● | ● | ○ | HIGH | High Alert — injection into privileged context |
| ● | ● | ● | CRITICAL | BLOCK + ALERT — Lethal Trifecta |
Late Tool Registration
from cerberus_ai.models import ToolSchema
success, message = cerberus.register_tool_late(
tool=ToolSchema(name="new_tool", description="...", is_network_capable=True),
reason="user_requested_capability",
authorized_by="user_session_id",
)
# Blocked automatically if L2 injection was active during registration
Configuration
from cerberus_ai.models import CerberusConfig, ObserveConfig, StreamingMode
config = CerberusConfig(
streaming_mode=StreamingMode.BUFFER_ALL, # BUFFER_ALL | PARTIAL_SCAN | PASSTHROUGH
max_buffer_bytes=2 * 1024 * 1024, # 2MB turn buffer
context_window_limit=32_000, # tokens before priority scoring
observe=ObserveConfig(
mode="LOCAL_ONLY", # LOCAL_ONLY | LOCAL_PLUS_SIEM | LOCAL_PLUS_SYSLOG
log_path="/var/log/cerberus/events", # NDJSON, append-only
),
data_sources=[...],
declared_tools=[...],
)
Running Tests
pip install cerberus-ai[dev]
pytest tests/adversarial/test_evasion.py -v
The Python SDK includes its own tests and implementation. Public benchmark and product-proof claims should still be anchored to the published Cerberus artifacts and bounded Core evidence.
Architecture
cerberus_ai/
├── __init__.py # Cerberus public API
├── models.py # All data types
├── inspector.py # Session orchestrator
├── detectors/
│ ├── normalizer.py # 6-pass encoding normalization
│ ├── l1.py # Privileged data access
│ ├── l2.py # Injection detection
│ ├── l3.py # Exfiltration path + cross-turn tracking
│ ├── tool_chain.py # Multi-hop exfiltration chain detection
│ ├── outbound_encoding.py # Encoded data in outbound arguments
│ └── split_exfil.py # Chunked exfiltration across multiple calls
├── egi/
│ └── engine.py # Execution Graph Integrity
├── telemetry/
│ └── observe.py # Signed tamper-evident telemetry
└── integrations/
├── langchain.py # LangChain callback + wrap_chain/agent
├── crewai.py # CrewAI wrap_crew
└── openai.py # CerberusOpenAI / CerberusAnthropic drop-ins
TypeScript / Node.js
The TypeScript SDK (@cerberus-ai/core) is the main Core package. The Python
SDK is a Python distribution of Cerberus Core concepts and APIs; the product
home and documentation are the canonical source for current Core boundaries,
current benchmark evidence, and public product language.
Odingard Security by Six Sense Enterprise Services
sixsenseenterprise.com · cerberus.sixsenseenterprise.com
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cerberus_ai-1.5.3.tar.gz.
File metadata
- Download URL: cerberus_ai-1.5.3.tar.gz
- Upload date:
- Size: 116.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
436fec8fcebdf3390092ef0f550ef76c50e34fb72682b2fc459264afd6450f4a
|
|
| MD5 |
7eb0b0f962dae363789be67aa7c2dcba
|
|
| BLAKE2b-256 |
de202091c35c6d16faa8dbf6991cf05c1958640206a0d6c96510dfaaa989c18b
|
File details
Details for the file cerberus_ai-1.5.3-py3-none-any.whl.
File metadata
- Download URL: cerberus_ai-1.5.3-py3-none-any.whl
- Upload date:
- Size: 136.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
09f10ac8b84b0b06de0ae3a54e4145f36fc95ad1efbf2b9dfa0461e88725375a
|
|
| MD5 |
886c18fa3e502a6479d07831a470a931
|
|
| BLAKE2b-256 |
cef0af828950aae746c0c50eb13eebba5be6058e2d8effb123a7e5f5d6a1b339
|
