Every query. Every database. Watched at the kernel.
eBPF-based activity monitoring for PostgreSQL and MongoDB — full capture, ~40 threat rules, compliance-tagged, with near-zero impact on database performance.
SELECT * FROM cards WHERE 1=1;
Kernel-level capture → real-time detection → ClickHouse → audit-ready reports
The problem
Legacy DAM was built for a world that no longer exists.
Network taps miss loopback and encrypted traffic. In-database agents add overhead and break on upgrades. Either way you get blind spots, latency, and audits you can’t pass. Mergen watches from the kernel with eBPF — complete visibility, nothing in the query path.
Network tap / DB agent
- ✕ Blind to local & TLS traffic
- ✕ Query-path latency
- ✕ Breaks on DB upgrades
Mergen — eBPF at the host
- ✓ Sees every query
- ✓ Zero query-path overhead
- ✓ No driver or proxy changes
How Mergen works
Capture → Detect → Comply → Report
Capture
eBPF probes reconstruct every PostgreSQL and MongoDB statement on the wire — local, TCP, or TLS.
Detect
~40 rules score SQL injection, data exfiltration, privilege abuse, and RCE in real time.
Comply
Each detection is auto-tagged to the control your auditor asks about — PCI, HIPAA, GDPR, KVKK.
Report
Everything lands in ClickHouse; search any query and export an audit in the console.
Under the hood
From kernel probe to audit report
eBPF capture
Kernel-level probes capture the raw wire stream beside your database — no agent in the query path.
Parse & reconstruct
The protocol framer rebuilds each session and statement, attributing user, source IP, and application.
Detect & tag
~40 rules evaluate every statement and tag hits to compliance frameworks.
Store & report
Detections stream to ClickHouse; the console turns them into searchable, exportable audit evidence.
Detection depth
~40 rules across four attack classes
Not a signature list bolted on — detection is built into the capture engine, from classic injection to kernel-adjacent RCE.
SQL / NoSQL injection
Tautology, UNION, stacked, blind/time-based, JSONB filter bypass, Mongo $where & operator injection.
Data exfiltration
Bulk export, byte-volume and time-pattern anomalies, file/LO functions, COPY, aggregation dumps.
Privilege abuse
Role impersonation, dangerous GRANT (superuser/file/exec roles), BYPASSRLS, priv-esc chains.
RCE & persistence
COPY … PROGRAM, untrusted functions/extensions, ALTER SYSTEM code-load, event-trigger backdoors.
Compliance
Turn monitoring into audit evidence
Every detection maps to the standard your auditor asks about. KVKK is first-class — with on-prem ClickHouse for data localization.
KVKK Article 12 · VERBİS · special categories of personal data (Board 2018/10) — mapped to rules and reports.
Coverage
PostgreSQL and MongoDB today
The same eBPF capture engine covers both — with more data stores on the roadmap.
Reporting console
Search every query. Build the report. Export the audit.
A fast web console over ClickHouse: live detections, per-rule and per-user reports, compliance views, and fleet management.
- ▸ Live detection stream
- ▸ Compliance report packs
- ▸ Fleet & agent management
- ▸ Role-based access (RBAC)
See Mergen on your data.
A short proof-of-concept in your own environment — live capture, a detection walkthrough, and a compliance report.