The safety trade has spent the final yr speaking about fashions, copilots, and brokers, however a quieter shift is taking place one layer beneath all of that: Distributors are lining up round a shared means to describe safety knowledge. The Open Cybersecurity Schema Framework (OCSF), is rising as certainly one of the strongest candidates for that job.
It provides distributors, enterprises, and practitioners a standard means to characterize security events, findings, objects, and context. Meaning much less time rewriting area names and customized parsers and extra time correlating detections, operating analytics, and constructing workflows that may work throughout merchandise. In a market the place each safety crew is stitching collectively endpoint, identification, cloud, SaaS, and AI telemetry, a standard infrastructure lengthy felt like a pipe dream, and OCSF now places it inside attain.
OCSF in plain language
OCSF is an open-source framework for cybersecurity schemas. It’s vendor impartial by design and intentionally agnostic to storage format, knowledge assortment, and ETL decisions. In sensible phrases, it provides utility groups and knowledge engineers a shared construction for occasions so analysts can work with a extra constant language for risk detection and investigation.
That sounds dry till you have a look at the every day work inside a security operations center (SOC). Safety groups have to spend lots of effort normalizing knowledge from completely different instruments in order that they will correlate occasions. For instance, detecting an worker logging in from San Francisco at 10 a.m. on their laptop computer, then accessing a cloud useful resource from New York at 10:02 a.m. might reveal a leaked credential.
Establishing a system that may correlate these occasions, nonetheless, is no straightforward job: Totally different instruments describe the identical thought with completely different fields, nesting buildings, and assumptions. OCSF was constructed to decrease this tax. It helps distributors map their very own schemas into a standard mannequin and helps prospects transfer knowledge by means of lakes, pipelines, safety incident and occasion administration (SIEM) instruments with out requiring time consuming translation at each hop.
The final two years have been unusually quick
Most of OCSF’s seen acceleration has occurred in the final two years. The undertaking was announced in August 2022 by Amazon AWS and Splunk, constructing on labored contributed by Symantec, Broadcom, and different well-known infrastructure giants Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Development Micro, and Zscaler.
The OCSF neighborhood has saved up a gradual cadence of releases over the final two years
The neighborhood has grown rapidly. AWS mentioned in August 2024 that OCSF had expanded from a 17-company initiative right into a neighborhood with greater than 200 collaborating organizations and 800 contributors, which expanded to 900 wen OCSF joined the Linux Basis in November 2024.
OCSF is displaying up throughout the trade
In the observability and safety house, OCSF is all over the place. AWS Safety Lake converts natively supported AWS logs and occasions into OCSF and shops them in Parquet. AWS AppFabric can output OCSF — normalized audit knowledge. AWS Safety Hub findings use OCSF, and AWS publishes an extension for cloud-specific useful resource details.
Splunk can translate incoming knowledge into OCSF with edge processor and ingest processor. Cribl helps seamless changing streaming knowledge into OCSF and suitable codecs.
Palo Alto Networks can ahead Strata sogging Service knowledge into Amazon Safety Lake in OCSF. CrowdStrike positions itself on either side of the OCSF pipe, with Falcon knowledge translated into OCSF for Safety Lake and Falcon Subsequent-Gen SIEM positioned to ingest and parse OCSF-formatted knowledge. OCSF is a kind of uncommon requirements that has crossed the chasm from an summary commonplace into commonplace operational plumbing throughout the trade.
AI is giving the OCSF story contemporary urgency
When enterprises deploy AI infrastructure, massive language fashions (LLMs) sit at the core, surrounded by advanced distributed techniques reminiscent of mannequin gateways, agent runtimes, vector shops, device calls, retrieval techniques, and coverage engines. These elements generate new types of telemetry, a lot of which spans product boundaries. Safety groups throughout the SOC are more and more centered on capturing and analyzing this knowledge. The central query usually turns into what an agentic AI system really did, reasonably than solely the textual content it produced, and whether or not its actions led to any safety breaches.
That places extra stress on the underlying knowledge mannequin. An AI assistant that calls the flawed device, retrieves the flawed knowledge, or chains collectively a dangerous sequence of actions creates a safety occasion that wants to be understood throughout techniques. A shared safety schema turns into extra useful in that world, particularly when AI is additionally getting used on the analytics facet to correlate extra knowledge, quicker.
For OCSF, 2025 was all about AI
Think about an organization makes use of an AI assistant to assist staff search for inside paperwork and set off instruments like ticketing techniques or code repositories. In the future, the assistant begins pulling the flawed recordsdata, calling instruments it ought to not use, and exposing delicate information in its responses.
Updates in OCSF variations 1.5.0, 1.6.0, and 1.7.0 assist safety groups piece collectively what occurred by flagging uncommon conduct, displaying who had entry to the related techniques, and tracing the assistant’s device calls step-by-step. As a substitute of solely seeing the closing reply the AI gave, the crew can examine the full chain of actions that led to the drawback.
What’s on the horizon
Think about an organization makes use of an AI buyer assist bot, and someday the bot begins giving lengthy, detailed solutions that embrace inside troubleshooting steering meant just for workers. With the sorts of modifications being developed for OCSF 1.8.0, the safety crew might see which mannequin dealt with the change, which supplier provided it, what position every message performed, and the way the token counts modified throughout the dialog.
A sudden spike in immediate or completion tokens might sign that the bot was fed an unusually massive hidden immediate, pulled in an excessive amount of background knowledge from a vector database, or generated a very lengthy response that elevated the probability of delicate information leaking. That provides investigators a sensible clue about the place the interplay went off target, as an alternative of leaving them with solely the closing reply.
Why this issues to the broader market
The larger story is that OCSF has moved rapidly from being a neighborhood effort to turning into an actual commonplace that safety merchandise use every single day. Over the previous two years, it has gained stronger governance, frequent releases, and sensible assist throughout knowledge lakes, ingest pipelines, SIEM workflows, and accomplice ecosystems.
In a world the place AI expands the safety panorama by means of scams, abuse, and new assault paths, safety groups rely on OCSF to join knowledge from many techniques with out dropping context alongside the means to hold your knowledge protected.
Nikhil Mungel has been constructing distributed techniques and AI groups at SaaS corporations for greater than 15 years.
Welcome to the VentureBeat neighborhood!
Our visitor posting program is the place technical specialists share insights and supply impartial, non-vested deep dives on AI, knowledge infrastructure, cybersecurity and different cutting-edge applied sciences shaping the way forward for enterprise.
Read more from our visitor publish program — and take a look at our guidelines should you’re enthusiastic about contributing an article of your individual!
Disclaimer: This article is sourced from external platforms. OverBeta has not independently verified the information. Readers are advised to verify details before relying on them.
