News Froggy
Tech

industry: OCSF explained: The shared data language security teams

OCSF, an open-source framework, is rapidly standardizing cybersecurity data across vendors, streamlining threat detection and investigation. Its adoption is critical for managing AI's increasing complexities in security operations.

Published: April 5, 2026
Reading time: 5 min

The cybersecurity industry is undergoing a quiet but profound transformation with the emergence of the Open Cybersecurity Schema Framework (OCSF). This open-source, vendor-neutral initiative is rapidly becoming the industry standard for normalizing security data: a common language for describing security events, findings, and context across a fragmented landscape of tools and platforms. Launched by Amazon Web Services (AWS) and Splunk in 2022, OCSF reduces the operational burden on security teams, letting them spend more time on threat detection and less on data translation, a need that has only grown as AI introduces new complexities to the security domain.

Unifying Disparate Security Data

At its core, OCSF provides a shared structure for cybersecurity events that is independent of storage format and collection method. That seemingly technical detail has large practical implications for Security Operations Centers (SOCs). Historically, correlating security events recorded by different products, for example spotting an employee logging in from two distant locations within minutes, has been laborious because each product uses its own field names, data structures, timestamp formats, and assumptions. OCSF addresses this normalization "tax" by giving vendors a universal model to map their proprietary schemas into, so that data can flow through security information and event management (SIEM) tools, data lakes, and pipelines without constant reformatting.
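To make the normalization point concrete, here is an added example (written for this article, not code from OCSF or from any vendor named above). It maps two constructed login logs from two hypothetical products, each with its own field names and timestamp format, onto the subset of an OCSF Authentication event needed for correlation, then runs the "two logins, two geographies, minutes apart" check over the combined stream. The class and category identifiers (class_uid 3002, category_uid 3, activity_id 1, status_id 1/2) are OCSF's; the product names, sample records, the 900 km/h threshold, and the case-folding of usernames are assumptions made for the example.

```python
"""Added example (not from the article or the OCSF project): map two constructed
vendor login logs onto a minimal OCSF Authentication event and run the
"two logins, two geographies, minutes apart" correlation over the result."""
import json
import math
from datetime import datetime

OCSF_VERSION = "1.3.0"            # schema version stamped into metadata.version
CLASS_UID_AUTHENTICATION = 3002   # OCSF class "Authentication"
CATEGORY_UID_IAM = 3              # OCSF category "Identity & Access Management"
ACTIVITY_LOGON = 1                # Authentication activity_id 1 = Logon
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFORMATIONAL = 1

# Constructed sample input: two hypothetical products, each with its own field
# names, timestamp format and outcome vocabulary.
VENDOR_A_LOGS = [  # "ExampleIdP": ISO-8601 time, outcome string, flat geo fields
    '{"ts":"2026-04-05T09:00:00Z","user":"alice","src_ip":"203.0.113.10","country":"US","lat":40.7,"lon":-74.0,"outcome":"SUCCESS"}',
    '{"ts":"2026-04-05T09:10:00Z","user":"bob","src_ip":"203.0.113.11","country":"US","lat":40.7,"lon":-74.0,"outcome":"SUCCESS"}',
]
VENDOR_B_LOGS = [  # "ExampleVPN": epoch seconds, upper-case usernames, nested geo
    '{"epoch":1775379900,"username":"ALICE","client":"198.51.100.7","geo":{"cc":"DE","lat":52.5,"lon":13.4},"result":"ok"}',
    '{"epoch":1775387400,"username":"BOB","client":"198.51.100.8","geo":{"cc":"US","lat":40.7,"lon":-74.0},"result":"denied"}',
]


def _auth_event(time_ms, user, ip, country, lat, lon, success, vendor, product):
    """Build the subset of an OCSF Authentication event that the correlation needs."""
    return {
        "category_uid": CATEGORY_UID_IAM,
        "class_uid": CLASS_UID_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_UID_AUTHENTICATION * 100 + ACTIVITY_LOGON,  # 300201 = Authentication: Logon
        "severity_id": SEVERITY_INFORMATIONAL,
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "time": time_ms,                                # OCSF timestamps are epoch milliseconds
        "user": {"name": user.lower()},                 # case-folding: an assumption about these products
        "src_endpoint": {"ip": ip, "location": {"country": country, "lat": lat, "long": lon}},
        "metadata": {"version": OCSF_VERSION, "product": {"vendor_name": vendor, "name": product}},
    }


def normalize_vendor_a(line):
    r = json.loads(line)
    ms = int(datetime.fromisoformat(r["ts"].replace("Z", "+00:00")).timestamp() * 1000)
    return _auth_event(ms, r["user"], r["src_ip"], r["country"], r["lat"], r["lon"],
                       r["outcome"] == "SUCCESS", "Example Corp", "ExampleIdP")


def normalize_vendor_b(line):
    r = json.loads(line)
    g = r["geo"]
    return _auth_event(r["epoch"] * 1000, r["username"], r["client"], g["cc"], g["lat"], g["lon"],
                       r["result"] == "ok", "Example Corp", "ExampleVPN")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, long) points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logons by the same user whose implied ground
    speed exceeds max_kmh (900 km/h, roughly airliner cruise, is a tuning assumption).
    The check reads only OCSF field names, so it runs unchanged on any producer."""
    by_user = {}
    for e in events:
        if e["class_uid"] == CLASS_UID_AUTHENTICATION and e["status_id"] == STATUS_SUCCESS:
            by_user.setdefault(e["user"]["name"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            a, b = prev["src_endpoint"]["location"], cur["src_endpoint"]["location"]
            km = haversine_km(a["lat"], a["long"], b["lat"], b["long"])
            hours = (cur["time"] - prev["time"]) / 3_600_000
            # Same place at the same instant is not travel; different places at the
            # same instant, or faster than max_kmh, is.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                findings.append({
                    "user": user,
                    "from": (prev["metadata"]["product"]["name"], a["country"], prev["src_endpoint"]["ip"]),
                    "to": (cur["metadata"]["product"]["name"], b["country"], cur["src_endpoint"]["ip"]),
                    "km": round(km), "minutes": round(hours * 60),
                })
    return findings


def run_demo():
    events = [normalize_vendor_a(l) for l in VENDOR_A_LOGS] + [normalize_vendor_b(l) for l in VENDOR_B_LOGS]
    return impossible_travel(events)


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

The two normalizers are the only vendor-specific code; once both products speak OCSF, the correlation rule reads `user.name`, `time` and `src_endpoint.location` and never needs to know which product produced the event. In practice you would emit the full Authentication class (the example keeps only the attributes the rule needs) and let a pipeline or the vendor's own OCSF mapping do the translation.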

Rapid Growth and Widespread Adoption

OCSF's ascent has been swift since its launch. Initially announced in August 2022 by AWS and Splunk, with foundational contributions from Symantec (a division of Broadcom), the initiative quickly attracted major players including Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler. The community expanded from 17 companies to over 200 participating organizations and 800 contributors by August 2024, before officially joining the Linux Foundation in November 2024; it now counts 900 contributors.

This widespread acceptance is evident in its integration across numerous industry products. AWS Security Lake, AppFabric, and Security Hub all natively support OCSF, converting logs and events into the standardized format. Splunk and Cribl facilitate the translation of incoming or streaming data into OCSF, while Palo Alto Networks forwards Strata Logging Service data to Amazon Security Lake in OCSF. CrowdStrike leverages OCSF on both ends, translating Falcon data for Security Lake and positioning its Falcon Next-Gen SIEM to ingest and parse OCSF-formatted data, solidifying OCSF’s status as essential operational plumbing.

AI's Urgency for Standardized Security

The proliferation of AI infrastructure, particularly Large Language Models (LLMs) and complex agentic systems, has injected fresh urgency into OCSF's mission. These AI systems generate novel forms of telemetry that span multiple product boundaries. Security teams are increasingly challenged to understand not just the output of an AI, but the full chain of actions—tool calls, data retrievals, and policy engine interactions—that led to it, especially when investigating potential security breaches or misuse.

In this environment, an AI assistant calling the wrong tool or accessing sensitive data creates a complex security event that demands a unified understanding across systems. A shared security schema like OCSF becomes indispensable, especially as AI is also increasingly deployed for faster, more comprehensive security analytics.

Evolving Capabilities: Focus on AI-driven Security

OCSF's development roadmap reflects this pivot towards AI. Updates in versions 1.5.0, 1.6.0, and 1.7.0 were specifically designed to help security teams piece together AI-related incidents. OCSF itself is a schema, not a detection engine: what it adds is a common structure for AI-related events, so that if an AI assistant begins behaving unusually, pulling incorrect files or using unauthorized tools, the detection tooling and analysts consuming those events can flag the anomalous behaviour, trace tool calls step by step, and identify who had access to the connected systems, moving beyond the final AI output to the full sequence of actions.

Looking ahead, OCSF 1.8.0 aims to further enhance AI-incident investigation. It will let security teams record details such as the specific AI model and provider involved in an interaction, message roles, and changes in token counts. A sudden surge in prompt or completion tokens, for example, could signal an abnormally large hidden prompt, excessive data retrieval from a vector database, or an overly verbose response, any of which raises the risk of sensitive information leaking. Such a surge is an investigative lead rather than proof of compromise, but having it in a granular, standardized form is what makes it usable across tools.
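As an added illustration of the token-count signal described above (example code written for this article, not part of OCSF or of the article's source), the following check walks AI-interaction records per model and flags a prompt or completion count that jumps far above the median of the earlier interactions for that model. The records are constructed, and their field names (provider, model, prompt_tokens, completion_tokens) are placeholders for this example, not the OCSF 1.8 attribute names, which should be taken from the published schema; the ratio and history-length thresholds are tuning assumptions.

```python
"""Added example (not from the article or the OCSF project): a baseline check
over constructed AI-interaction records that flags a sudden surge in prompt or
completion tokens per (provider, model)."""
import statistics

# Constructed sample input. Field names are placeholders for this example,
# NOT the attribute names defined by OCSF 1.8.
_BASE_MS = 1775380000000
_NORMAL = [(410, 120), (380, 95), (455, 150), (390, 110), (470, 160), (360, 90), (420, 130), (440, 115)]
INTERACTIONS = [
    {"time": _BASE_MS + i * 60_000, "user": "alice", "provider": "ExampleAI", "model": "example-1",
     "prompt_tokens": p, "completion_tokens": c}
    for i, (p, c) in enumerate(_NORMAL)
] + [
    # Prompt side balloons: hidden system prompt or a bulk vector-DB retrieval
    {"time": _BASE_MS + 8 * 60_000, "user": "alice", "provider": "ExampleAI", "model": "example-1",
     "prompt_tokens": 9800, "completion_tokens": 140},
    # Completion side balloons: unusually verbose response
    {"time": _BASE_MS + 9 * 60_000, "user": "bob", "provider": "ExampleAI", "model": "example-1",
     "prompt_tokens": 430, "completion_tokens": 3100},
]

_HINTS = {
    "prompt_tokens": "possible hidden prompt or bulk retrieval into context",
    "completion_tokens": "unusually verbose response",
}


def token_surges(records, min_history=5, ratio=4.0):
    """Walk records in time order per (provider, model). A record is flagged when a
    token count exceeds `ratio` times the median of the previous unflagged
    observations for that model (ratio=4, min_history=5 are tuning assumptions).
    Flagged values are kept out of the baseline so one surge does not mask the next."""
    history = {}
    findings = []
    for r in sorted(records, key=lambda r: r["time"]):
        past = history.setdefault((r["provider"], r["model"]), {f: [] for f in _HINTS})
        for field, hint in _HINTS.items():
            seen = past[field]
            flagged = False
            if len(seen) >= min_history:
                baseline = statistics.median(seen)
                if r[field] > ratio * baseline:
                    flagged = True
                    findings.append({"time": r["time"], "user": r["user"], "model": r["model"],
                                     "field": field, "value": r[field], "baseline": baseline,
                                     "hint": hint})
            if not flagged:
                seen.append(r[field])
    return findings


if __name__ == "__main__":
    for f in token_surges(INTERACTIONS):
        print(f)
```

A median-based baseline is used rather than a mean so that a single extreme value cannot drag the threshold up; in production you would also key the baseline on the user or application, since normal context sizes differ between a chat front end and an agent that routinely stuffs retrieved documents into the prompt.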

A Standard Takes Hold

OCSF has rapidly transcended its origins as a community effort to become a foundational, everyday standard in cybersecurity. Its robust governance, frequent releases, and practical support across data lakes, ingest pipelines, SIEM workflows, and partner ecosystems underscore its widespread adoption. As AI continues to expand the attack surface through new scams, abuses, and vulnerabilities, security teams will increasingly rely on OCSF to seamlessly connect and contextualize data from disparate systems, ultimately enhancing their ability to protect critical information in an ever-evolving threat landscape.

FAQ

Q: What problem does OCSF primarily solve for security teams? A: OCSF addresses the major challenge of data silos and disparate formats from various security tools. It provides a common, standardized schema for security events, significantly reducing the effort and time security teams spend on normalizing data, building custom parsers, and translating information between different products.

Q: How does OCSF interact with AI and large language models (LLMs) in a security context? A: OCSF is becoming crucial for securing AI systems by providing a framework to understand and trace the actions of LLMs and AI agents. It helps security teams analyze AI-generated telemetry, understand tool calls, data retrievals, and policy interactions, which is vital for investigating potential AI-related security incidents or misuse beyond just the AI's final output.

Q: Which major organizations support or integrate OCSF? A: OCSF was initially launched by Amazon Web Services (AWS) and Splunk, with contributions from Symantec (a division of Broadcom). It has since grown to include over 200 organizations and 900 contributors under the Linux Foundation. Key integrations are seen in AWS services (Security Lake, AppFabric, Security Hub), Splunk, Cribl, Palo Alto Networks, and CrowdStrike, among others.

#Cybersecurity#OCSF#Data Standardization#Security Operations#AI Security
