eBPF capture · No DB or app changes · Near-zero DB impact

Every query. Every database.Watched at the kernel.

eBPF-based activity monitoring for PostgreSQL and MongoDB — full capture, ~40 threat rules, compliance-tagged, with near-zero impact on database performance.

Capture → Detect → Store → Report

  postgres · session 41883
  SELECT * FROM cards WHERE 1=1;
  Critical sql_injection · tagged PCI-DSS 6.5.1

Kernel-level capture → real-time detection → ClickHouse → audit-ready reports

  • PostgreSQL + MongoDB · one capture engine
  • 40+ detection rules
  • Real-time detection monitoring
  • Custom rules · extend the engine
  • Email & Slack · real-time alerts
  • Near-zero DB performance impact
  • PCI · HIPAA · GDPR · KVKK · compliance-tagged

The problem

Legacy DAM was built for a world that no longer exists.

Network taps miss loopback and encrypted traffic. In-database agents add overhead and break on upgrades. Either way you get blind spots, latency, and audits you can’t pass. Mergen watches from the kernel with eBPF — complete visibility, nothing in the query path.

Network tap / DB agent

  • Blind to local & TLS traffic
  • Query-path latency
  • Breaks on DB upgrades

Mergen — eBPF at the host

  • Sees every query
  • Zero query-path overhead
  • No driver or proxy changes

How Mergen works

Capture → Detect → Comply → Report

01 Capture

eBPF probes reconstruct every PostgreSQL and MongoDB statement on the wire — local, TCP, or TLS.

02 Detect

~40 rules score SQL injection, data exfiltration, privilege abuse, and RCE in real time.

03 Comply

Each detection is auto-tagged to the control your auditor asks about — PCI, HIPAA, GDPR, KVKK.

04 Report

Everything lands in ClickHouse; search any query and export an audit in the console.

Under the hood

From kernel probe to audit report

01 eBPF capture

Kernel-level probes capture the raw wire stream beside your database — no agent in the query path.

02 Parse & reconstruct

The protocol framer rebuilds each session and statement, attributing user, source IP, and application.

03 Detect & tag

~40 rules evaluate every statement and tag hits to compliance frameworks.

04 Store & report

Detections stream to ClickHouse; the console turns them into searchable, exportable audit evidence.

Detection depth

~40 rules across four attack classes

Not a signature list bolted on — detection is built into the capture engine, from classic injection to kernel-adjacent RCE.

SQL / NoSQL injection

Tautology, UNION, stacked, blind/time-based, JSONB filter bypass, Mongo $where & operator injection.

Data exfiltration

Bulk export, byte-volume and time-pattern anomalies, file/LO functions, COPY, aggregation dumps.

Privilege abuse

Role impersonation, dangerous GRANT (superuser/file/exec roles), BYPASSRLS, priv-esc chains.

RCE & persistence

COPY … PROGRAM, untrusted functions/extensions, ALTER SYSTEM code-load, event-trigger backdoors.
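To make the four attack classes concrete, here is an added example of a minimal rule engine in the same shape: each rule matches a reconstructed statement, carries a severity, and tags hits with a compliance control. This is illustrative code, not Mergen's engine; only the sql_injection → PCI-DSS 6.5.1 mapping comes from this page, and the other rule names, patterns and control tags are assumed placeholders.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"Info": 0, "Warning": 1, "Critical": 2}

@dataclass(frozen=True)
class Rule:
    name: str          # rule id, as a console would show it
    severity: str
    pattern: re.Pattern
    tags: tuple        # compliance controls a hit is tagged with

# Hypothetical rule table modelled on the four attack classes above. Only the
# sql_injection -> PCI-DSS 6.5.1 tag is taken from the page; the rest are assumed.
RULES = (
    Rule("sql_injection", "Critical",   # tautology: 1=1 or 'a'='a' after WHERE
         re.compile(r"\bWHERE\b.*?(?:\b(\d+)\s*=\s*\1\b|'([^']*)'\s*=\s*'\2')", re.I | re.S),
         ("PCI-DSS 6.5.1",)),
    Rule("nosql_where_injection", "Critical",   # Mongo $where operator in a command
         re.compile(r"\$where\b"), ("PCI-DSS 6.5.1",)),
    Rule("dangerous_grant", "Critical",   # superuser/file/exec roles, BYPASSRLS
         re.compile(r"\b(?:GRANT|ALTER\s+ROLE)\b.*?\b(?:SUPERUSER|BYPASSRLS|"
                    r"pg_read_server_files|pg_write_server_files|pg_execute_server_program)\b",
                    re.I | re.S),
         ("PCI-DSS", "HIPAA", "GDPR", "KVKK Madde 12")),
    Rule("excessive_data_export", "Warning",   # COPY ... TO and file/LO functions
         re.compile(r"\bCOPY\b.*?\bTO\b|\b(?:lo_export|pg_read_(?:binary_)?file)\s*\(", re.I | re.S),
         ("GDPR", "KVKK Madde 12")),
    Rule("copy_program_rce", "Critical",   # COPY ... PROGRAM runs a shell command
         re.compile(r"\bCOPY\b.*?\bPROGRAM\b", re.I | re.S), ("PCI-DSS",)),
)

def evaluate(statement: str) -> list:
    """Run every rule over one reconstructed statement; return the hits."""
    return [{"rule": r.name, "severity": r.severity, "tags": list(r.tags)}
            for r in RULES if r.pattern.search(statement)]

def score_session(statements) -> tuple:
    """Evaluate a whole session; return (list of (statement, hit), worst severity or None)."""
    hits = [(s, h) for s in statements for h in evaluate(s)]
    worst = max((h["severity"] for _, h in hits), key=SEVERITY_RANK.get, default=None)
    return hits, worst

if __name__ == "__main__":
    # Constructed session: the page's own example plus benign and risky statements.
    session = ["SELECT * FROM cards WHERE 1=1;",
               "SELECT id FROM cards WHERE owner = $1;",
               "COPY cards TO '/tmp/cards.csv';",
               "GRANT pg_execute_server_program TO app_user;"]
    for stmt, hit in score_session(session)[0]:
        print(f"{hit['severity']:<8} {hit['rule']:<24} {hit['tags']}  {stmt}")
```

A production engine would add per-user baselines and byte-volume counters for the exfiltration class rather than relying on regexes alone.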

Compliance

Turn monitoring into audit evidence

Every detection maps to the standard your auditor asks about. KVKK is first-class — with on-prem ClickHouse for data localization.

KVKK · PCI DSS · HIPAA · GDPR

KVKK Article 12 · VERBİS · special categories of personal data (Board decision 2018/10) — mapped to rules and reports.

Coverage

PostgreSQL and MongoDB today

The same eBPF capture engine covers both — with more data stores on the roadmap.

PostgreSQL 14–18 · MongoDB 6–8 · TLS & loopback · Cross-distro CO-RE

Reporting console

Search every query. Build the report. Export the audit.

A fast web console over ClickHouse: live detections, per-rule and per-user reports, compliance views, and fleet management.

  • Live detection stream
  • Compliance report packs
  • Fleet & agent management
  • Role-based access (RBAC)

Detections · last 24h

  • sql_injection · Critical
  • excessive_data_export · Warning
  • dangerous_grant · Critical
  • login_failed · Warning
  • login_success · Info

See Mergen on your data.

A short proof-of-concept in your own environment — live capture, a detection walkthrough, and a compliance report.