OCSF explained: The shared data language security teams

OCSF, an open-source framework, is rapidly standardizing cybersecurity data across vendors, streamlining threat detection and investigation. Its adoption is critical for managing AI's increasing complexities in security operations.

Published: April 5, 2026
Reading time: 5 min

The cybersecurity industry is undergoing a quiet but profound transformation with the emergence of the Open Cybersecurity Schema Framework (OCSF). This open-source, vendor-neutral initiative is rapidly becoming the industry standard for normalizing security data, enabling a common language for describing security events, findings, and context across a fragmented landscape of tools and platforms. Spearheaded by Amazon AWS and Splunk in 2022, OCSF significantly reduces the operational burden on security teams, allowing them to focus more on threat detection and less on data translation, a critical need as AI introduces new complexities to the security domain.

Unifying Disparate Security Data

At its core, OCSF provides a shared structure for cybersecurity events, independent of storage format or data collection methods. This seemingly technical detail has massive practical implications for Security Operations Centers (SOCs). Historically, correlating security events—such as an employee logging in from two different geographical locations within minutes—has been a monumental task due to varying field names, data structures, and assumptions across different security products. OCSF directly addresses this "tax" by helping vendors map their proprietary schemas into a universal model, streamlining data flow through security information and event management (SIEM) tools, data lakes, and pipelines without constant reformatting.
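As an added illustration (not code from the OCSF project or from this article), the script below maps two constructed vendor login formats into one simplified OCSF-style Authentication event and then runs the "same user, two countries within minutes" correlation the paragraph describes. The field names used (`class_uid` 3002, `actor.user.name`, `src_endpoint.location.country`, `status_id`) are an assumed subset of the OCSF schema, and all sample records are constructed.

```python
# Normalize two constructed vendor login logs into one simplified OCSF-style
# Authentication shape, then correlate. Field names: assumed OCSF subset.
from datetime import datetime, timezone

VENDOR_A = [  # constructed: identity provider, ISO-8601 time, string result
    {"user": "alice", "ip": "203.0.113.10", "geo": "US",
     "ts": "2026-04-05T09:00:00Z", "result": "SUCCESS"},
    {"user": "bob", "ip": "203.0.113.22", "geo": "US",
     "ts": "2026-04-05T09:01:00Z", "result": "SUCCESS"},
]
VENDOR_B = [  # constructed: VPN gateway, epoch seconds, boolean outcome
    {"username": "alice", "src_addr": "198.51.100.7", "country": "DE",
     "epoch": 1775379900, "ok": True},
    {"username": "bob", "src_addr": "198.51.100.9", "country": "US",
     "epoch": 1775379960, "ok": True},
]

def ocsf_auth(user, ip, country, time_s, success):
    return {
        "class_uid": 3002,  # OCSF Authentication class id (assumed)
        "time": time_s,  # epoch seconds: one time unit for every source
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": ip, "location": {"country": country}},
        "status_id": 1 if success else 2,  # 1 = Success, 2 = Failure
    }

def from_vendor_a(rec):
    t = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ocsf_auth(rec["user"], rec["ip"], rec["geo"], int(t.timestamp()),
                     rec["result"] == "SUCCESS")

def from_vendor_b(rec):
    return ocsf_auth(rec["username"], rec["src_addr"], rec["country"],
                     rec["epoch"], rec["ok"])

def impossible_travel(events, window_s=600):
    """Successful logins by one user from two countries within window_s seconds."""
    by_user, hits = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["status_id"] == 1:  # the rule only ever sees the common shape
            by_user.setdefault(e["actor"]["user"]["name"], []).append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            c1 = prev["src_endpoint"]["location"]["country"]
            c2 = cur["src_endpoint"]["location"]["country"]
            if c1 != c2 and cur["time"] - prev["time"] <= window_s:
                hits.append((user, c1, c2, cur["time"] - prev["time"]))
    return hits

def normalize():
    return [from_vendor_a(r) for r in VENDOR_A] + [from_vendor_b(r) for r in VENDOR_B]
```

Once both sources are in the common shape, the detection rule is written once and never touches a vendor field name; adding a third source is one more mapper, not a new rule.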

Rapid Growth and Widespread Adoption

OCSF’s ascent has been remarkably swift over the last two years. Initially announced in August 2022 by AWS and Splunk, with foundational contributions from Symantec and Broadcom, the initiative quickly attracted major players including Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler. The community expanded from 17 companies to over 200 participating organizations and 800 contributors by August 2024, before officially joining the Linux Foundation in November 2024, now boasting 900 contributors.

This widespread acceptance is evident in its integration across numerous industry products. AWS Security Lake, AppFabric, and Security Hub all natively support OCSF, converting logs and events into the standardized format. Splunk and Cribl facilitate the translation of incoming or streaming data into OCSF, while Palo Alto Networks forwards Strata Logging Service data to Amazon Security Lake in OCSF. CrowdStrike leverages OCSF on both ends, translating Falcon data for Security Lake and positioning its Falcon Next-Gen SIEM to ingest and parse OCSF-formatted data, solidifying OCSF’s status as essential operational plumbing.

AI's Urgency for Standardized Security

The proliferation of AI infrastructure, particularly Large Language Models (LLMs) and complex agentic systems, has injected fresh urgency into OCSF's mission. These AI systems generate novel forms of telemetry that span multiple product boundaries. Security teams are increasingly challenged to understand not just the output of an AI, but the full chain of actions—tool calls, data retrievals, and policy engine interactions—that led to it, especially when investigating potential security breaches or misuse.

In this environment, an AI assistant calling the wrong tool or accessing sensitive data creates a complex security event that demands a unified understanding across systems. A shared security schema like OCSF becomes indispensable, especially as AI is also increasingly deployed for faster, more comprehensive security analytics.

Evolving Capabilities: Focus on AI-driven Security

OCSF’s development roadmap reflects this pivot towards AI. Updates in versions 1.5.0, 1.6.0, and 1.7.0 were specifically designed to help security teams piece together AI-related incidents. For instance, if an AI assistant begins behaving unusually—pulling incorrect files or using unauthorized tools—OCSF helps flag the anomalous behavior, trace tool calls step-by-step, and identify who had access to connected systems, moving beyond just the final AI output to the full sequence of actions.

Looking ahead, OCSF 1.8.0 aims to further enhance AI-incident investigation. It will enable security teams to discern details like the specific AI model and provider involved in an interaction, message roles, and changes in token counts. A sudden surge in prompt or completion tokens, for example, could signal an abnormally large hidden prompt, excessive data retrieval from a vector database, or an overly verbose response, all of which could increase the risk of sensitive information leakage. This level of granular, standardized data provides crucial investigative clues.

A Standard Takes Hold

OCSF has rapidly transcended its origins as a community effort to become a foundational, everyday standard in cybersecurity. Its robust governance, frequent releases, and practical support across data lakes, ingest pipelines, SIEM workflows, and partner ecosystems underscore its widespread adoption. As AI continues to expand the attack surface through new scams, abuses, and vulnerabilities, security teams will increasingly rely on OCSF to seamlessly connect and contextualize data from disparate systems, ultimately enhancing their ability to protect critical information in an ever-evolving threat landscape.

FAQ

Q: What problem does OCSF primarily solve for security teams?
A: OCSF addresses the major challenge of data silos and disparate formats from various security tools. It provides a common, standardized schema for security events, significantly reducing the effort and time security teams spend on normalizing data, building custom parsers, and translating information between different products.

Q: How does OCSF interact with AI and large language models (LLMs) in a security context?
A: OCSF is becoming crucial for securing AI systems by providing a framework to understand and trace the actions of LLMs and AI agents. It helps security teams analyze AI-generated telemetry, understand tool calls, data retrievals, and policy interactions, which is vital for investigating potential AI-related security incidents or misuse beyond just the AI's final output.

Q: Which major organizations support or integrate OCSF?
A: OCSF was initially launched by Amazon AWS and Splunk, with contributions from Symantec and Broadcom. It has since grown to include over 200 organizations and 900 contributors under the Linux Foundation. Key integrations are seen in AWS services (Security Lake, AppFabric, Security Hub), Splunk, Cribl, Palo Alto Networks, and CrowdStrike, among others.

Tags: Cybersecurity, OCSF, Data Standardization, Security Operations, AI Security
