OCSF explained: The shared data language security teams have been missing



The security industry has spent the past year talking about models, copilots and agents, but beneath it all a quieter shift is under way: vendors are aligning on a common way to describe security data. The Open Cybersecurity Schema Framework (OCSF) has emerged as one of the strongest candidates for the job.

It gives vendors, enterprises and practitioners a common way to represent security events, findings, objects and context. That means less time rewriting field names and maintaining custom parsers, and more time building detections, running analytics and assembling workflows that work across products. In a market where every security team integrates endpoint, identity, cloud, SaaS and AI telemetry, a common schema long seemed like a pipe dream; OCSF is now making one available.

OCSF in plain language

OCSF is an open source framework for cybersecurity schemas. It is vendor neutral by design and deliberately agnostic about storage format, collection method and ETL tooling. In practical terms, it gives application teams and data engineers a common structure for security events, so that analysts can work in a consistent language for threat detection and investigation.

That sounds dry until you look at the day-to-day work inside a security operations center (SOC). Security teams spend a great deal of effort normalizing data from different tools so they can correlate events. For example, an employee logging in from San Francisco at 10:00 on their laptop and then into a cloud resource from New York at 10:02 may indicate a leaked credential.

Building a system that can link those two events is not easy, though: different tools describe the same idea with different field names, nesting structures and assumptions. OCSF was created to reduce that tax. It helps vendors align their schemas to a common model and helps customers move data across data lakes, pipelines and security information and event management (SIEM) tools without a time-consuming translation at every step.
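Here is an added example, not code from the article or the OCSF project, of what that normalization tax and its payoff look like in practice. Two constructed logon records (an endpoint agent's nested JSON and a cloud sign-in with flat, vendor-specific keys) are mapped into the OCSF Authentication class, and the impossible-travel check described above is then written once against the OCSF shape. The vendor input formats, the product names and the coordinates are assumptions; the OCSF attribute names used (class_uid, category_uid, activity_id, type_uid, time, status_id, metadata, actor.user.name, src_endpoint.ip and src_endpoint.location) are taken from the Authentication class (class_uid 3002), and the exact attribute set should be confirmed against the schema browser for the OCSF version you target.

```python
"""Normalize two differently shaped vendor logon records into OCSF
Authentication events, then run an impossible-travel check over them.

Added example, not code from the article or the OCSF project. The two
vendor input formats are constructed for illustration; the OCSF attribute
names come from the Authentication class (class_uid 3002). Confirm them
against the schema browser for the version you use.
"""
from datetime import datetime
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

# Constructed sample input: an endpoint agent logon (nested JSON) and a
# cloud console sign-in (flat, vendor-specific keys). Same idea, two shapes.
ENDPOINT_EVENT = {
    "ts": "2025-03-03T10:00:00Z",
    "event": {"kind": "logon", "outcome": "success"},
    "user": {"name": "alice"},
    "client": {"ip": "198.51.100.7",
               "geo": {"city": "San Francisco", "lat": 37.77, "lon": -122.42}},
}
CLOUD_EVENT = {
    "eventTime": "2025-03-03T10:02:00Z",
    "eventName": "ConsoleLogin",
    "result": "Success",
    "userIdentity_userName": "alice",
    "sourceIPAddress": "203.0.113.9",
    "geo_city": "New York", "geo_latitude": 40.71, "geo_longitude": -74.01,
}

AUTH_CLASS_UID = 3002    # OCSF Authentication class
IAM_CATEGORY_UID = 3     # OCSF category: Identity & Access Management
LOGON_ACTIVITY_ID = 1    # Authentication activity_id 1 = Logon
STATUS_SUCCESS, STATUS_FAILURE = 1, 2


def _epoch_ms(iso: str) -> int:
    """OCSF `time` is epoch milliseconds; both vendors here use ISO 8601."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)


def _ocsf_auth(time_ms, user, ip, city, lat, lon, ok, vendor, product):
    """Assemble the one OCSF Authentication shape both mappers target."""
    return {
        "category_uid": IAM_CATEGORY_UID,
        "class_uid": AUTH_CLASS_UID,
        "activity_id": LOGON_ACTIVITY_ID,
        # OCSF convention: type_uid = class_uid * 100 + activity_id
        "type_uid": AUTH_CLASS_UID * 100 + LOGON_ACTIVITY_ID,
        "time": time_ms,
        "status_id": STATUS_SUCCESS if ok else STATUS_FAILURE,
        "metadata": {"version": "1.5.0",
                     "product": {"vendor_name": vendor, "name": product}},
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": ip,
                         "location": {"city": city, "lat": lat, "long": lon}},
    }


def from_endpoint(rec: dict) -> dict:
    """Mapper for the (hypothetical) endpoint agent format."""
    geo = rec["client"]["geo"]
    return _ocsf_auth(_epoch_ms(rec["ts"]), rec["user"]["name"], rec["client"]["ip"],
                      geo["city"], geo["lat"], geo["lon"],
                      rec["event"]["outcome"] == "success",
                      "ExampleEDR", "Endpoint Agent")


def from_cloud(rec: dict) -> dict:
    """Mapper for the (hypothetical) cloud console sign-in format."""
    return _ocsf_auth(_epoch_ms(rec["eventTime"]), rec["userIdentity_userName"],
                      rec["sourceIPAddress"], rec["geo_city"],
                      rec["geo_latitude"], rec["geo_longitude"],
                      rec["result"] == "Success",
                      "ExampleCloud", "Console")


def _km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Return (user, km, minutes) for successful-logon pairs by the same user
    whose implied speed exceeds max_kmh. The check never looks at which
    product emitted an event; it only needs the OCSF shape."""
    logons = sorted((e for e in events
                     if e["class_uid"] == AUTH_CLASS_UID
                     and e["activity_id"] == LOGON_ACTIVITY_ID
                     and e["status_id"] == STATUS_SUCCESS),
                    key=lambda e: e["time"])
    hits = []
    for a, b in combinations(logons, 2):   # sorted, so b is never earlier than a
        if a["actor"]["user"]["name"] != b["actor"]["user"]["name"]:
            continue
        la, lb = a["src_endpoint"]["location"], b["src_endpoint"]["location"]
        km = _km(la["lat"], la["long"], lb["lat"], lb["long"])
        hours = (b["time"] - a["time"]) / 3_600_000
        if km > max_kmh * hours:   # farther than max_kmh could cover in that gap
            hits.append((a["actor"]["user"]["name"], round(km), round(hours * 60)))
    return hits


if __name__ == "__main__":
    normalized = [from_endpoint(ENDPOINT_EVENT), from_cloud(CLOUD_EVENT)]
    for user, km, minutes in impossible_travel(normalized):
        print(f"impossible travel: {user} moved {km} km in {minutes} min")
```

The asymmetry is the point: each mapper is a handful of lines that only its own product team has to maintain, while the correlation logic never has to know which product emitted an event. A production pipeline would also carry attributes this example omits, for example the original record in `raw_data` and any vendor fields without a schema home in `unmapped`.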

The last two years have moved at extraordinary speed

Most of OCSF's visible momentum has come in the past two years. The project was announced in August 2022, started by AWS and Splunk, with contributions from Symantec (part of Broadcom) and other well-known names including Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro and Zscaler.

The OCSF community has maintained a steady pace of releases over the past two years

The community grew rapidly. In August 2024 AWS reported that OCSF had grown from an initiative of 17 companies to a community of more than 200 participating organizations and 800 contributors, and the contributor count had passed 900 by the time OCSF joined the Linux Foundation in November 2024.

OCSF is showing up across the industry

In monitoring and security tooling, OCSF is everywhere. Amazon Security Lake converts natively supported AWS logs and events to OCSF and stores them as Parquet. AWS AppFabric emits normalized SaaS audit logs in OCSF. AWS Security Hub findings use OCSF, and AWS publishes an extension for cloud-specific resource details.

Splunk can convert incoming data to OCSF with its Edge Processor and Ingest Processor. Cribl Stream can convert data to OCSF and compatible formats.

Palo Alto Networks can send Strata Logging Service data to Amazon Security Lake in OCSF. CrowdStrike sits on both sides of the OCSF pipe: Falcon data is converted to OCSF for Security Lake, and Falcon Next-Gen SIEM can ingest and analyze OCSF-formatted data. OCSF is one of the few standards in the industry that has crossed the chasm from abstract specification to operational plumbing.

Artificial intelligence gives the OCSF story new relevance

When enterprises deploy AI infrastructure, large language models (LLMs) sit at the core of complex distributed systems: model gateways, agent runtimes, vector stores, tool calls, search engines and policy engines. These components produce new forms of telemetry, much of which crosses product boundaries. SOC teams increasingly focus on capturing and analyzing that data. The key question is often what an agentic AI system actually did, rather than just the text it produced, and whether its actions caused a security breach.

That puts more pressure on the underlying data model. An AI assistant that invokes the wrong tool, retrieves the wrong data or chains together a sequence of risky actions creates a security event that must be understood across systems. A shared security schema becomes more valuable in that world, especially when AI is also used on the analytics side to correlate more data faster.

For OCSF, the year 2025 was all about artificial intelligence

Imagine a company using an AI assistant to help employees search internal documents and drive tools such as ticketing systems or code repositories. One day the assistant starts pulling the wrong files, calling tools it should not be using and exposing sensitive information in its responses.

Additions in OCSF versions 1.5.0, 1.6.0 and 1.7.0 help security teams dissect what is going on by recording unusual behavior, showing who is accessing the connected systems and tracing the assistant's tool calls step by step. Instead of seeing only the final answer the AI produced, the team can follow the entire chain of actions that led to the problem.

What’s on the horizon

Imagine a company using an AI customer support bot, and one day the bot starts giving long, detailed answers that include an internal troubleshooting guide intended only for employees. With the changes in OCSF 1.8.0, the security team can see which model was driving the exchange, which provider served it, what role each message played and how token counts changed over the course of the conversation.

A sudden increase in prompt or completion tokens may indicate that the bot is being fed an unusually large hidden instruction, pulling too much context from the vector database, or generating an excessively long response that raises the chance of leaking sensitive data. That gives investigators a practical clue about where the interaction went off course, rather than just the final answer.
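As an added example (not from the article or the OCSF project) of the token-count signal just described, the following runs a simple baseline check over a constructed sequence of support-bot exchanges and attaches the model, provider and message-role context to every hit, so an analyst gets the context the paragraph above calls for. The record layout and every field name in it (model, provider, role, prompt_tokens, completion_tokens) are a constructed stand-in, not the OCSF 1.8.0 attribute names, which should be taken from the published schema; the window and thresholds are assumptions to tune against real traffic.

```python
"""Flag LLM exchanges whose prompt or completion token counts jump far above
the conversation's recent baseline.

Added example, not code from the article or the OCSF project. The record
layout is a constructed stand-in for per-message AI telemetry; its field
names are NOT the OCSF 1.8.0 attribute names.
"""
from statistics import median


def _turn(n, prompt_tokens, completion_tokens):
    """Build one constructed telemetry record: one assistant response, with
    the tokens the model consumed (prompt) and produced (completion)."""
    return {"turn": n, "model": "example-model", "provider": "example-provider",
            "role": "assistant",
            "prompt_tokens": prompt_tokens, "completion_tokens": completion_tokens}


# Constructed conversation. Turns 1-5 and 7 are ordinary support answers;
# turn 6 is the exchange in which the bot dumped the internal guide.
CONVERSATION = [_turn(1, 210, 95), _turn(2, 230, 110), _turn(3, 240, 88),
                _turn(4, 220, 120), _turn(5, 250, 105),
                _turn(6, 2400, 1900),
                _turn(7, 235, 100)]


def token_spikes(turns, window=4, factor=3.0, min_tokens=500):
    """Return one alert per (turn, field) whose token count exceeds `factor`
    times the median of the previous `window` turns.

    `min_tokens` suppresses noise: a jump from 20 to 80 tokens is a threefold
    increase but not worth an analyst's time. At least two prior turns are
    required before the baseline is trusted, so the first turns never fire.
    """
    alerts = []
    for i, turn in enumerate(turns):
        prior = turns[max(0, i - window):i]
        if len(prior) < 2:
            continue
        for field in ("prompt_tokens", "completion_tokens"):
            baseline = median(p[field] for p in prior)
            value = turn[field]
            if value >= min_tokens and value > factor * baseline:
                alerts.append({
                    "turn": turn["turn"], "field": field,
                    "value": value, "baseline": baseline,
                    # Triage context: which model and provider served the
                    # exchange, and what role the message had.
                    "model": turn["model"], "provider": turn["provider"],
                    "role": turn["role"],
                })
    return alerts


if __name__ == "__main__":
    for a in token_spikes(CONVERSATION):
        print(f"turn {a['turn']}: {a['field']}={a['value']} vs baseline "
              f"{a['baseline']:.0f} ({a['model']} via {a['provider']}, {a['role']})")
```

A median baseline over a short window is deliberately crude; it catches the one-off blow-up the scenario describes without a training phase, and a spike on prompt tokens alone versus completion tokens alone points the investigator at different causes (oversized injected context versus an over-long, possibly leaking, answer).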

Why it matters to the wider market

The bigger story is that OCSF has grown quickly from a community effort into a de facto standard that security products use every day. Over the past two years it has gained stronger governance, frequent releases and hands-on support across data lakes, ingest pipelines, SIEM workflows and partner ecosystems.

In a world where AI is widening the security landscape through fraud, abuse and new attack avenues, security teams can rely on OCSF to combine data from multiple systems without losing context.

Nikhil Mungel has been building distributed systems and AI teams at SaaS companies for over 15 years.


