OCSF explained: The shared data language security teams have been missing


Imagine a world where security teams can effortlessly correlate events across different tools and products, without the need for time-consuming translation and normalization. A world where the same language is spoken across the entire security ecosystem, allowing for seamless integration and analysis of security data. Sounds like a pipe dream? Not anymore.

A Common Infrastructure Long Felt Like a Pipe Dream

The security industry has spent the last year talking about models, copilots, and agents, but a quieter shift is happening one layer below all of that: vendors are lining up around a shared way to describe security data. The Open Cybersecurity Schema Framework (OCSF) is emerging as one of the strongest candidates for that job. It gives vendors, enterprises, and practitioners a common way to represent security events, findings, objects, and context.

OCSF: The Answer to a Long-Standing Problem


Security teams have to spend a lot of effort normalizing data from different tools so that they can correlate events. For example, detecting an employee logging in from San Francisco at 10 a.m. on their laptop, then accessing a cloud resource from New York at 10:02 a.m. could reveal a leaked credential. Setting up a system that can correlate those events, however, is no easy task: Different tools describe the same idea with different fields, nesting structures, and assumptions. OCSF was built to lower this tax.
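The correlation described above, as an added example that is not part of the original article: two constructed login records from different tools, each with its own field layout, are mapped into one OCSF-style Authentication event shape and then checked for impossible travel (distance covered faster than a plane could fly). The field names (`class_uid` 3002, `activity_id`, `status_id`, `user.name`, `src_endpoint.location.lat/long`, `time` in epoch milliseconds) follow the OCSF Authentication event class as I understand it; treat them as an assumption and check them against the published schema before relying on them. The 1000 km/h threshold is an illustrative choice.

```python
"""Added example (not from the article): normalize two vendor-specific login
records into a common OCSF-style Authentication event and flag impossible travel.
Field names are modeled on the OCSF Authentication class (assumption: verify
against the published schema)."""
import math
from datetime import datetime

# OCSF-style constants (assumed values; see lead-in).
AUTHENTICATION_CLASS_UID = 3002  # Authentication event class
ACTIVITY_LOGON = 1               # activity_id: Logon
STATUS_SUCCESS = 1               # status_id: Success
STATUS_FAILURE = 2               # status_id: Failure

# Constructed sample records: an endpoint agent event and a cloud audit event,
# both describing "jdoe signed in" but with different keys, nesting and time formats.
VENDOR_A_EVENT = {
    "eventType": "USER_LOGIN",
    "userName": "jdoe",
    "clientIp": "203.0.113.10",
    "geo": {"city": "San Francisco", "lat": 37.77, "lon": -122.42},
    "ts": "2025-03-04T10:00:00Z",
    "result": "SUCCESS",
}
VENDOR_B_EVENT = {
    "event_name": "ConsoleLogin",
    "identity": {"principal": "jdoe"},
    "source": {
        "address": "198.51.100.7",
        "location": {"city": "New York", "latitude": 40.71, "longitude": -74.01},
    },
    "event_time": 1741082520,  # epoch seconds == 2025-03-04T10:02:00Z
    "outcome": "success",
}


def normalize_vendor_a(rec: dict) -> dict:
    """Map the endpoint agent's record (ISO-8601 time, flat keys) into the common shape."""
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return {
        "class_uid": AUTHENTICATION_CLASS_UID,
        "activity_id": ACTIVITY_LOGON,
        "status_id": STATUS_SUCCESS if rec["result"] == "SUCCESS" else STATUS_FAILURE,
        "time": int(ts.timestamp() * 1000),
        "user": {"name": rec["userName"]},
        "src_endpoint": {
            "ip": rec["clientIp"],
            "location": {"city": rec["geo"]["city"], "lat": rec["geo"]["lat"], "long": rec["geo"]["lon"]},
        },
    }


def normalize_vendor_b(rec: dict) -> dict:
    """Map the cloud audit record (epoch seconds, nested keys) into the common shape."""
    loc = rec["source"]["location"]
    return {
        "class_uid": AUTHENTICATION_CLASS_UID,
        "activity_id": ACTIVITY_LOGON,
        "status_id": STATUS_SUCCESS if rec["outcome"].lower() == "success" else STATUS_FAILURE,
        "time": int(rec["event_time"]) * 1000,
        "user": {"name": rec["identity"]["principal"]},
        "src_endpoint": {
            "ip": rec["source"]["address"],
            "location": {"city": loc["city"], "lat": loc["latitude"], "long": loc["longitude"]},
        },
    }


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))


def impossible_travel(events: list, max_kmh: float = 1000.0) -> list:
    """Return consecutive successful logons per user whose implied speed exceeds max_kmh.

    Because every event now has the same shape, one rule covers all sources.
    """
    logons = sorted(
        (e for e in events
         if e["class_uid"] == AUTHENTICATION_CLASS_UID
         and e["activity_id"] == ACTIVITY_LOGON
         and e["status_id"] == STATUS_SUCCESS),
        key=lambda e: (e["user"]["name"], e["time"]),
    )
    hits = []
    for prev, cur in zip(logons, logons[1:]):
        if prev["user"]["name"] != cur["user"]["name"]:
            continue
        a, b = prev["src_endpoint"]["location"], cur["src_endpoint"]["location"]
        km = haversine_km(a["lat"], a["long"], b["lat"], b["long"])
        hours = (cur["time"] - prev["time"]) / 3_600_000
        # Same-millisecond logons from different places are treated as infinite speed.
        kmh = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
        if kmh > max_kmh:
            hits.append({"user": cur["user"]["name"], "from": a["city"], "to": b["city"],
                         "km": round(km), "kmh": round(kmh)})
    return hits


if __name__ == "__main__":
    events = [normalize_vendor_a(VENDOR_A_EVENT), normalize_vendor_b(VENDOR_B_EVENT)]
    for hit in impossible_travel(events):
        print(hit)
```

The point of the example is that the detection logic never touches a vendor field name: once each source has a mapper into the shared shape, adding a third tool means writing one more mapper, not a third copy of the rule.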

How OCSF Works

OCSF is an open-source framework for cybersecurity schemas. It’s vendor neutral by design and deliberately agnostic to storage format, data collection, and ETL choices. In practical terms, it gives application teams and data engineers a shared structure for events so analysts can work with a more consistent language for threat detection and investigation. That sounds dry until you look at the daily work inside a security operations center (SOC).

The Benefits of OCSF


OCSF helps vendors map their own schemas into a common model and helps customers move data through lakes, pipelines, and security information and event management (SIEM) tools without requiring time-consuming translation at every hop. Most of OCSF’s visible acceleration has happened in the last two years. The project was announced in August 2022 by AWS and Splunk, building on work contributed by Symantec, Broadcom, and other well-known infrastructure giants.

The OCSF Community

The OCSF community has kept up a steady cadence of releases over the last two years. The community has grown quickly. AWS said in August 2024 that OCSF had expanded from a 17-company initiative into a community with more than 200 participating organizations and 800 contributors, which expanded to 900 when OCSF joined the Linux Foundation in November 2024.

OCSF in Action


OCSF is showing up across the observability and security tooling landscape. AWS Security Lake converts natively supported AWS logs and events into OCSF and stores them in Parquet. AWS AppFabric can output OCSF-normalized audit data. AWS Security Hub findings use OCSF, and AWS publishes an extension for cloud-specific resource details. Splunk can translate incoming data into OCSF with its Edge Processor and Ingest Processor. Cribl supports converting streaming data into OCSF and compatible formats. Palo Alto Networks can forward Strata Logging Service data into Amazon Security Lake in OCSF.

AI and OCSF

AI is giving the OCSF story fresh urgency. When enterprises deploy AI infrastructure, large language models (LLMs) sit at the core, surrounded by complex distributed systems such as model gateways, agent runtimes, vector stores, tool calls, retrieval systems, and policy engines. These components generate new forms of telemetry, much of which spans product boundaries. Security teams across the SOC are increasingly focused on capturing and analyzing this data.

The Future of OCSF


For OCSF, 2025 was all about AI. The central question often becomes what an agentic AI system actually did, rather than only the text it produced, and whether its actions led to any security breaches. A shared security schema becomes more valuable in that world, especially when AI is also being used on the analytics side to correlate more data, faster.

Verdict

OCSF is the shared data language security teams have been missing. It’s an open-source framework for cybersecurity schemas that gives vendors, enterprises, and practitioners a common way to represent security events, findings, objects, and context. With its growing community, increasing adoption, and integration with AI, OCSF is poised to become standard operational plumbing across the industry.
