Mergen overview
Mergen is an eBPF-based Database Activity Monitoring (DAM) solution for PostgreSQL and MongoDB. It captures every query at the kernel level, detects threats in real time, tags for compliance, and produces audit-ready reports — with no changes to the database or application, and near-zero performance impact.
The wire protocol is captured via eBPF uprobes (in-line), AF_PACKET network capture, or an off-host collector.
Each statement is parsed into an AST and 53 built-in rules + custom rules run against the live stream.
Detections are tagged against KVKK, PCI-DSS, HIPAA, and GDPR requirements.
Events flow to ClickHouse; the console serves audit-ready reports and real-time alerts.
eBPF uprobe (same host, lowest overhead), AF_PACKET network capture, and a premium off-host collector (SPAN/ERSPAN, no agent on the DB host). Transparent visibility into TLS traffic via uprobes; a fail-loud blindness signal in network-only mode.
PostgreSQL 14–18 (kernels 4.18–7.0, distro-independent via CO-RE) and MongoDB 7.0 (OP_MSG, compressed traffic included). One capture engine, two protocols.
53 built-in rules (injection, recon, exfiltration, privilege, DoS, persistence, anomaly/UEBA, audit) + a behavioral baseline (EWMA + robust z-score, peer-group) + declarative custom rules. Rules split into basic/advanced tiers.
See all rules →Policy-based alerts route to Slack, e-mail (SMTP), and generic webhooks (dedup + delivery history). Agent sinks additionally emit JSON/CEF/LEEF over file, syslog, Kafka (TLS/SASL), and OTLP.
Detections map to KVKK (Law 6698) — including Turkish PII and special-category data — PCI-DSS, HIPAA, and GDPR. The console produces framework-based audit reports.
One agent per database host (systemd), a central console (React + Node, two stores: ClickHouse for events + PostgreSQL for metadata). Licensing is signed and offline-verified; the premium off-host collector runs on a separate host with CAP_NET_RAW only.