Cerbos
Capability scores
Methodology →- Authentication
- 1.5
- SSO & Federation
- 1.5
- Authorization
- 4.5
- Lifecycle & Provisioning
- 3.0
- MFA & Passwordless
- 1.0
- Governance & Audit
- 3.5
- Developer Experience
- 4.5
- Deployment Flexibility
- 4.5
- Pricing Transparency
- 4.0
- Support & Ecosystem
- 3.5
Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.
Overview
Cerbos is an open-source (Apache 2.0) authorization layer where you write access policies in YAML and run a stateless decision engine alongside your services. It is a policy-as-code tool in the same family as Open Policy Agent, but purpose-built for application authorization (attribute- and role-based access control) rather than general infrastructure policy. Founded in 2021, Cerbos Inc. follows an open-core model: the engine is free, and Cerbos Hub is the commercial control plane. It decouples access rules from application code so policy can evolve independently.
What it is good at
The model is clean policy-as-code: resource and principal policies in YAML, version-controlled and testable in CI, evaluated by a stateless policy decision point (PDP) you deploy as a sidecar or service. This keeps decisions fast and authorization logic out of your codebase, and the developer tooling is strong, including local testing, audit logs, and query plans that let you filter lists of resources rather than checking one at a time. For PBAC/ABAC across microservices it is excellent, and statelessness makes it easy to scale horizontally.
Where it falls short
Because it is stateless and attribute-driven, Cerbos is not a relationship store like Zanzibar-style engines, so deeply relational permissions (nested sharing, ownership graphs across millions of objects) need extra modeling or a different tool such as OpenFGA or AuthZed. Like other pure authorization engines it does nothing for authentication, SSO, or MFA.
Pricing
The core engine is free and open source under Apache 2.0. Cerbos Hub offers a free tier plus paid plans for policy management, distribution, and audit at scale. Model the difference with the TCO calculator.
Best for, and who should look elsewhere
Choose Cerbos if you want clean, testable policy-as-code for ABAC/PBAC across services and prefer a stateless engine you control. Compare OpenFGA vs Cerbos and Styra/OPA vs Cerbos, or the three-way OpenFGA vs AuthZed vs Cerbos. See the authorization guide.
Bottom line
Pick Cerbos for clean, testable policy-as-code ABAC/PBAC across services when you want a stateless engine you control rather than a relationship store.
Cerbos comparisons
More Authorization vendors
All Authorization →- AuthZed4.3/5
- Styra / Open Policy Agent4.3/5
- OpenFGA4.2/5
- AWS Verified Permissions4.1/5
- Warrant (WorkOS)4.1/5
By SWI Community Team · Last evaluated 2026-06-19
Independent, community-driven analysis. No vendor sponsorship. Compiled from public research and community input and verified on a best-effort basis, so details may be incomplete or out of date. Scores are opinions, not advice. Trademarks belong to their owners; mention does not imply affiliation or endorsement. See the full disclaimer, or send corrections to community@startwithidentity.com.