The security industry has spent the last year talking about models, co-pilots, and agents, but there’s a quiet change happening in a layer beneath it all: Vendors are lining up around a shared way to describe security data. Open Cyber Security Schema Framework (OCSF), is emerging as one of the strongest candidates for that job.
It gives vendors, enterprises, and practitioners a common way to represent security incidents, findings, objects, and context. This means less time rewriting field names and custom parsers and more time running correlation identification, analytics, and creating workflows that can work across all products. In a market where every security team is tying together endpoint, identity, cloud, SaaS, and AI telemetry, a common infrastructure long felt like a pipe dream, and OCSF now puts it within reach.
OCSF in simple language
OCSF is an open-source framework for cybersecurity schema. It is vendor neutral by design and intentionally agnostic toward storage format, data collection, and ETL options. In practice, it provides application teams and data engineers a shared structure for incidents so that analysts can work with a more consistent language for threat detection and investigation.
It sounds dry until you look at the daily work inside a Security Operations Center (SOC). Security teams have to put a lot of effort into normalizing data from different devices so they can correlate events. For example, detecting an employee logging in to their laptop at 10 am from San Francisco, then accessing a cloud resource from New York at 10:02 am could reveal leaked credentials.
However, setting up a system that can correlate those phenomena is no easy task: different tools describe the same idea with different scope, nesting structures, and assumptions. OCSF was created to reduce this tax. It helps vendors map their own schema to a common model and help customers move data through lakes, pipelines, security incident and event management (SIEM) tools without requiring time-consuming translation at every hop.
The last two years have been unusually fast
Most of OCSF’s visible upside has occurred in the last two years. The project was announced in August 2022 by Amazon AWS and Splunk, building on contributions from Symantec, Broadcom, and other well-known infrastructure giants Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonics, Sumo Logic, Tanium, Trend Micro, and Zscaler.
The OCSF community has maintained a steady rhythm of releases over the past two years
The community has grown rapidly. AWS said in August 2024 that OCSF had expanded from a 17-company initiative to a community with more than 200 participating organizations and 800 contributors, which expanded to 900 when it joined the Linux Foundation in November 2024.
OCSF is visible throughout the industry
In the observability and security domain, OCSF is everywhere. AWS Security Lake natively converts supported AWS logs and events into OCSF and stores them in Parquet. AWS AppFabric can output OCSF – normalized audit data. AWS Security Hub findings use OCSF, and AWS publishes an extension for cloud-specific resource descriptions.
Splunk can translate incoming data into OCSF with edge processors and ingest processors. Cribble supports seamlessly converting streaming data to OCSF and compatible formats.
Palo Alto Networks can forward Strata Sogging Service data to Amazon Security Lake in OCSF. CrowdStrike positions itself on both sides of the OCSF pipe, with Falcon data translated to OCSF for the security lake and Falcon next-gen SIEM deployed to ingest and parse OCSF-formatted data. OCSF is one of those rare standards that has crossed the gap from an abstract standard to standard operational plumbing throughout the industry.
AI is giving new urgency to the OCSF story
When enterprises deploy AI infrastructure, large language models (LLMs) sit at the core, surrounded by complex distributed systems such as model gateways, agent runtimes, vector stores, tool calls, retrieval systems, and policy engines. These components generate new forms of telemetry, most of which span product boundaries. Security teams in SOCs are increasingly focused on capturing and analyzing this data. The central question often becomes what an agentic AI system actually did, not just the text it produced, and whether its actions led to a security breach.
This puts more pressure on the underlying data model. An AI assistant that calls the wrong tool, retrieves the wrong data, or strings together a risky sequence of tasks creates a security incident that needs to be understood across all systems. A shared security schema becomes more valuable in that world, especially when AI is also being used on the analytics side to correlate more data faster.
For OCSF, 2025 was all about AI
Imagine a company uses an AI assistant to help employees view internal documents and trigger tools like a ticketing system or code repository. One day, the assistant starts deleting the wrong files, calling up tools it shouldn’t be using, and revealing sensitive information in its responses.
Updates to OCSF versions 1.5.0, 1.6.0, and 1.7.0 help security teams piece together what happened by flagging unusual behavior, showing who had access to connected systems, and tracing the assistant’s tool calls step by step. Instead of just looking at the last answer returned by the AI, the team can examine the entire chain of actions that led to the problem.
what’s on the horizon
Imagine that a company uses an AI customer support bot, and one day the bot starts giving long, detailed answers that only include internal troubleshooting guidance for employees. With the changes being developed for OCSF 1.8.0, the security team can see which model handled the exchange, which provider supplied it, what role each message played, and how the token count changed during the interaction.
A sudden increase in prompts or completion tokens may indicate that the bot was fed an unusually large hidden prompt, too much background data was pulled from the vector database, or an excessively long response was generated increasing the likelihood of sensitive information being leaked. This gives investigators a practical clue about where the conversation took place, rather than just leaving them with a final answer.
Why does this matter to the broader market?
The bigger story is that OCSF has grown rapidly from a community effort to becoming a de facto standard that security products use every day. Over the past two years, it has achieved strong governance, frequent releases, and practical support across data lakes, ingest pipelines, SIEM workflows, and partner ecosystems.
In a world where AI expands the security landscape through scams, abuse, and new attack paths, security teams rely on OCSF to connect data from multiple systems without losing context to keep your data secure.
Nikhil Mungail has been building distributed systems and AI teams in SaaS companies for over 15 years.
<a href