Cerbos
Capability scores
- Authentication: 1.5
- SSO & Federation: 1.5
- Authorization: 4.5
- Lifecycle & Provisioning: 3.0
- MFA & Passwordless: 1.0
- Governance & Audit: 3.5
- Developer Experience: 4.5
- Deployment Flexibility: 4.5
- Pricing Transparency: 4.0
- Support & Ecosystem: 3.5
Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.
Overview
Cerbos is an open-source (Apache 2.0) authorization layer: you write access policies in YAML and run a stateless decision engine alongside your services. It targets attribute- and role-based access control without coupling the rules to application logic.
Capability deep-dive
The model is policy-as-code: resource and principal policies in YAML, testable in CI, evaluated by a stateless PDP you deploy as a sidecar or service. This keeps decisions fast and authorization logic out of your codebase, and the developer tooling (local testing, audit logs, query plans for filtering data) is strong. Because it is stateless and attribute-driven, it is excellent for PBAC/ABAC but is not a relationship store like Zanzibar-style engines, so deeply relational permissions need extra modeling or a different tool. Like other pure authorization engines, it does nothing for authentication, SSO, or MFA. Cerbos Hub adds managed policy distribution, audit, and collaboration on a paid plan.
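To make the policy-as-code model concrete, here is an added illustration (not code from this page or from the Cerbos project): a resource policy with one attribute-matching rule, one ownership rule and one plain role rule, followed by a test suite that asserts a colleague may view but not edit. The file names, the `document` resource and the `department`/`owner` attributes are constructed; the YAML follows the policy and test-suite schema Cerbos publishes.

```yaml
# file: policies/document.yaml (constructed example, not from the page)
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "document"
  rules:
    # Any user may view a document in their own department (attribute match).
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.attr.department == request.principal.attr.department
    # Only the owner may edit or delete; if no rule matches, the answer is deny.
    - actions: ["edit", "delete"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id
    # Administrators get every action through an ordinary role rule.
    - actions: ["*"]
      effect: EFFECT_ALLOW
      roles: ["admin"]
---
# file: tests/document_test.yaml (constructed example; fixtures kept inline)
name: DocumentPolicyTests
principals:
  bob:
    id: bob
    roles: ["user"]
    attr: { department: eng }
resources:
  alice_doc:
    kind: document
    id: doc-1
    attr: { owner: alice, department: eng }
tests:
  - name: Colleague can view but not edit
    input:
      principals: ["bob"]
      resources: ["alice_doc"]
      actions: ["view", "edit"]
    expected:
      - principal: bob
        resource: alice_doc
        actions:
          view: EFFECT_ALLOW
          edit: EFFECT_DENY
```

The suite runs offline with the project's CLI (`cerbos compile --tests tests policies`), which is what makes these rules checkable in CI before a PDP ever sees them.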
Pricing
Core engine is free and open source under Apache 2.0. Cerbos Hub offers a free tier plus paid plans for policy management, distribution, and audit at scale.
Bottom line
Pick Cerbos if you want clean, testable policy-as-code for ABAC/PBAC across services and prefer a stateless engine you control.