    OCSF explained: The shared data language security teams have been missing

    By Sophia Ahmed Wilson, April 5, 2026
    The security industry has spent the last year talking about models, copilots, and agents, but a quieter shift is happening one layer below all of that: Vendors are lining up around a shared way to describe security data. The Open Cybersecurity Schema Framework (OCSF) is emerging as one of the strongest candidates for that job.

    It gives vendors, enterprises, and practitioners a common way to represent security events, findings, objects, and context. That means less time rewriting field names and custom parsers and more time correlating detections, running analytics, and building workflows that can work across products. In a market where every security team is stitching together endpoint, identity, cloud, SaaS, and AI telemetry, a common infrastructure long felt like a pipe dream, and OCSF now puts it within reach.

    OCSF in plain language

    OCSF is an open-source framework for cybersecurity schemas. It's vendor neutral by design and deliberately agnostic to storage format, data collection, and ETL choices. In practical terms, it gives application teams and data engineers a shared structure for events so analysts can work with a more consistent language for threat detection and investigation.

    That sounds dry until you look at the daily work inside a security operations center (SOC). Security teams have to spend a lot of effort normalizing data from different tools so that they can correlate events. For example, detecting an employee logging in from San Francisco at 10 a.m. on their laptop, then accessing a cloud resource from New York at 10:02 a.m. could reveal a leaked credential.

    Setting up a system that can correlate these events, however, is no easy task: Different tools describe the same idea with different fields, nesting structures, and assumptions. OCSF was built to lower this tax. It helps vendors map their own schemas into a common model and helps customers move data through lakes, pipelines, and security incident and event management (SIEM) tools without requiring time-consuming translation at every hop.
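
    The correlation described above, as an added example that is not code from the article or the OCSF project: two constructed records from hypothetical tools are mapped into a simplified OCSF-style shape, then a single rule checks for impossible travel. The vendor field names, the `jdoe` user, the IP addresses, and the 1000 km/h threshold are assumptions; 3002 (Authentication) and 6003 (API Activity) are OCSF class identifiers.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed records from two hypothetical tools; their field names are invented.
IDP_LOGIN = {"ts": "2026-04-01T10:00:00+00:00", "userName": "jdoe",
             "client": {"ip": "198.51.100.7", "city": "San Francisco", "lat": 37.77, "lon": -122.42}}
CLOUD_CALL = {"eventTime": 1775037720, "principal": "jdoe", "sourceIp": "203.0.113.9",
              "geo": {"name": "New York", "latitude": 40.71, "longitude": -74.01}}

def _event(class_uid, time_ms, user, ip, city, lon, lat):
    # Simplified OCSF-style subset (assumption), with the user kept under actor.user
    # for both classes; a real mapping follows the full schema for each class.
    return {"class_uid": class_uid, "time": time_ms, "actor": {"user": {"name": user}},
            "src_endpoint": {"ip": ip, "location": {"city": city, "coordinates": [lon, lat]}}}

def from_idp(raw):  # ISO 8601 string, nested client block -> Authentication (3002)
    c = raw["client"]
    ms = int(datetime.fromisoformat(raw["ts"]).timestamp() * 1000)
    return _event(3002, ms, raw["userName"], c["ip"], c["city"], c["lon"], c["lat"])

def from_cloud(raw):  # epoch seconds, flat fields -> API Activity (6003)
    g = raw["geo"]
    return _event(6003, raw["eventTime"] * 1000, raw["principal"], raw["sourceIp"],
                  g["name"], g["longitude"], g["latitude"])

def km_between(a, b):
    # Haversine distance between two [lon, lat] pairs.
    lon1, lat1, lon2, lat2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=1000):
    """Return (earlier, later, km/h) for consecutive same-user events faster than max_kmh."""
    hits, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["actor"]["user"]["name"]
        prev = last.get(user)
        if prev:
            km = km_between(prev["src_endpoint"]["location"]["coordinates"],
                            ev["src_endpoint"]["location"]["coordinates"])
            hours = max(ev["time"] - prev["time"], 1000) / 3_600_000  # floor at one second
            if km / hours > max_kmh:
                hits.append((prev, ev, round(km / hours)))
        last[user] = ev
    return hits

if __name__ == "__main__":
    for a, b, kmh in impossible_travel([from_cloud(CLOUD_CALL), from_idp(IDP_LOGIN)]):
        print(a["src_endpoint"]["location"]["city"], "->", b["src_endpoint"]["location"]["city"], kmh, "km/h")
```

    Once both sources share one shape, the detection rule reads a single set of field paths; only the two small mapping functions know anything about the source tools.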

    The last two years have been unusually fast

    Most of OCSF's visible acceleration has happened in the last two years. The project was announced in August 2022 by Amazon AWS and Splunk, building on work contributed by Symantec, Broadcom, and other well-known infrastructure giants: Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.

    The OCSF community has kept up a steady cadence of releases over the last two years.

    The community has grown quickly. AWS said in August 2024 that OCSF had expanded from a 17-company initiative into a community with more than 200 participating organizations and 800 contributors, which expanded to 900 when OCSF joined the Linux Foundation in November 2024.

    OCSF is showing up across the industry

    In the observability and security space, OCSF is everywhere. AWS Security Lake converts natively supported AWS logs and events into OCSF and stores them in Parquet. AWS AppFabric can output OCSF-normalized audit data. AWS Security Hub findings use OCSF, and AWS publishes an extension for cloud-specific resource details.

    Splunk can translate incoming data into OCSF with Edge Processor and Ingest Processor. Cribl supports seamlessly converting streaming data into OCSF and compatible formats.

    Palo Alto Networks can forward Strata Logging Service data into Amazon Security Lake in OCSF. CrowdStrike positions itself on both sides of the OCSF pipe, with Falcon data translated into OCSF for Security Lake and Falcon Next-Gen SIEM positioned to ingest and parse OCSF-formatted data. OCSF is one of those rare standards that has crossed the chasm from an abstract standard into standard operational plumbing across the industry.

    AI is giving the OCSF story fresh urgency

    When enterprises deploy AI infrastructure, large language models (LLMs) sit at the core, surrounded by complex distributed systems such as model gateways, agent runtimes, vector stores, tool calls, retrieval systems, and policy engines. These components generate new forms of telemetry, much of which spans product boundaries. Security teams across the SOC are increasingly focused on capturing and analyzing this data. The central question often becomes what an agentic AI system actually did, rather than only the text it produced, and whether its actions led to any security breaches.

    That puts more pressure on the underlying data model. An AI assistant that calls the wrong tool, retrieves the wrong data, or chains together a risky sequence of actions creates a security event that needs to be understood across systems. A shared security schema becomes more valuable in that world, especially when AI is also being used on the analytics side to correlate more data, faster.

    For OCSF, 2025 was all about AI

    Imagine a company uses an AI assistant to help employees look up internal documents and trigger tools like ticketing systems or code repositories. One day, the assistant starts pulling the wrong files, calling tools it should not use, and exposing sensitive information in its responses.

    Updates in OCSF versions 1.5.0, 1.6.0, and 1.7.0 help security teams piece together what happened by flagging unusual behavior, showing who had access to the connected systems, and tracing the assistant's tool calls step by step. Instead of only seeing the final answer the AI gave, the team can investigate the full chain of actions that led to the problem.

    What's on the horizon

    Imagine a company uses an AI customer support bot, and one day the bot starts giving long, detailed answers that include internal troubleshooting guidance meant only for employees. With the kinds of changes being developed for OCSF 1.8.0, the security team could see which model handled the exchange, which provider supplied it, what role each message played, and how the token counts changed across the conversation.

    A sudden spike in prompt or completion tokens could signal that the bot was fed an unusually large hidden prompt, pulled in too much background data from a vector database, or generated an overly long response that increased the chance of sensitive information leaking. That gives investigators a practical clue about where the interaction went off course, instead of leaving them with only the final answer.
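
    One way to turn that clue into a check, as an added example that is not code from the article or the OCSF project: each turn's prompt and completion token counts are compared with the median of the earlier normal turns in the same conversation. The records are constructed, and the field names, the `model-a` and `provider-x` values, and the 5x threshold are assumptions, not attribute names from any OCSF release.

```python
from statistics import median

# Constructed conversation turns; field names are placeholders for this example.
TURNS = [{"turn": i, "model": "model-a", "provider": "provider-x",
          "prompt_tokens": p, "completion_tokens": c}
         for i, (p, c) in enumerate(
             [(210, 95), (240, 110), (225, 102), (6900, 130), (260, 2400)], start=1)]

# What a spike in each counter suggests, following the reasoning in the text above.
HINTS = {"prompt_tokens": "oversized hidden prompt or too much retrieved context",
         "completion_tokens": "unusually long response"}

def token_spikes(turns, factor=5.0, min_history=3):
    """Flag turns whose token count exceeds factor x the median of earlier normal turns."""
    findings = []
    history = {field: [] for field in HINTS}
    for t in sorted(turns, key=lambda r: r["turn"]):
        for field, hint in HINTS.items():
            base = history[field]
            if len(base) >= min_history and t[field] > factor * median(base):
                findings.append({"turn": t["turn"], "field": field, "value": t[field],
                                 "baseline": median(base), "model": t["model"],
                                 "provider": t["provider"], "hint": hint})
            else:
                base.append(t[field])  # flagged values never feed the baseline
    return findings

if __name__ == "__main__":
    for f in token_spikes(TURNS):
        print(f"turn {f['turn']}: {f['field']}={f['value']} "
              f"(baseline {f['baseline']}) -> {f['hint']}")
```

    Keeping flagged values out of the baseline stops one oversized turn from hiding the next one.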

    Why this matters to the broader market

    The bigger story is that OCSF has moved quickly from being a community effort to becoming a real standard that security products use every day. Over the past two years, it has gained stronger governance, frequent releases, and practical support across data lakes, ingest pipelines, SIEM workflows, and partner ecosystems.

    In a world where AI expands the security landscape through scams, abuse, and new attack paths, security teams rely on OCSF to connect data from many systems without losing context along the way, to keep your data safe.

    Nikhil Mungel has been building distributed systems and AI teams at SaaS companies for more than 15 years.
