OCSF Achieves ITU Support: Powering AI-Ready Security Operations
The security industry stands at an inflection point. In November 2024, the Open Cybersecurity Schema Framework (OCSF) joined the Linux Foundation, cementing its role as a vendor-neutral, open source standard for the global security community. Last summer at Black Hat 2025, we showed you how OCSF was powering AI-driven security operations. Then in December 2025, member states of the International Telecommunication Union (ITU), the United Nations’ (UN) body for information and communication technologies, supported OCSF for ratification as an international standard by June 2026. Standardized security data is no longer a future goal. It’s the foundation organizations are building on today.
When organizations ask me what separates leaders from followers in security, the answer is simple: leaders are no longer asking “what is OCSF?” They’re asking “how fast can we implement it?”
Why Data Standardization Matters More Than Ever
Security is fundamentally a data problem. Security teams today have access to more data than ever before. Modern enterprises generate security logs across on-premises data centers, cloud environments, and SaaS applications. This wealth of information should accelerate detection and response, but inconsistent log formats create friction.
The challenge isn’t the volume of data. It’s making that data actionable. When each security tool uses a different schema, your engineers spend time building data pipelines and custom parsers instead of developing advanced detection algorithms. This slows investigations and limits your ability to leverage AI-powered security operations.
AI and machine learning models need consistent, unambiguous data to reason effectively. Standardized schemas enable AI systems to correlate events across sources, identify patterns, and generate accurate insights. OCSF provides that foundation: an open source standard that automatically normalizes security data from any source into a common language, creating AI-ready data without custom parsers or complex pipelines.
Real-World Impact: How OCSF Powers AI-Ready Security Operations
Organizations across industries are discovering that OCSF doesn’t just solve a data normalization problem — it unlocks entirely new operational capabilities. When security teams no longer need to build and maintain custom parsers for every log source, they reclaim engineering time for strategic work: building advanced detection algorithms, developing automation playbooks, and innovating on threat response. Central logging environments that once required weeks of custom development to onboard new sources can be operational in hours with OCSF and managed AWS security services. Combined with columnar storage formats like Apache Parquet, organizations see meaningful reductions in both storage footprint and query compute costs. The efficiency compounds: cleaner data means faster queries, which means less compute, which means lower cost.
How OCSF Powers Agentic Security Operations
Merck’s experience shows what this transformation looks like in practice. The key was OCSF’s standardized schema, which enabled efficient queries that weren’t possible before. Security investigations previously required learning different log formats, developing complex queries for each data source, and manually decoding output into meaningful information. With OCSF, an orchestrator coordinates child agents that automatically retrieve relevant runbooks, pull business context, analyze logs without format translation, and generate actionable insights. The AI doesn’t misinterpret data because OCSF provides consistent attribute definitions, unambiguous data types, and standardized query paths across all log sources.
As Allan highlighted: “OCSF is one of the fastest ways for our organization to get data ready for AI tools. By transforming our central logging environment using OCSF format, we’ve enabled AI-ready data that allows our Agentic SOC prototype to investigate suspicious activity in under 5 minutes.”
What makes Merck’s story particularly compelling is how OCSF enabled use cases beyond traditional security operations. When a customer reported a spike in costs, Merck’s engineers used their OCSF-normalized data to identify the root cause, a surge in AWS Key Management Service (KMS) Decrypt events, in less than five minutes. Without OCSF’s universal format, this would have required hours of manually stitching together logs from different services.
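To make both points concrete, the normalization described under “Why Data Standardization Matters” and the KMS investigation just described, here is an added example that is not code from the original post, from Merck, or from the OCSF project. It maps constructed CloudTrail-style records into OCSF API Activity events (class_uid 6003) and then runs a single query over the normalized events, reading only OCSF paths such as api.service.name, api.operation and time, to find the service/operation pair whose hourly call volume spiked. The sample records are constructed, and the verb-to-activity_id prefix mapping and the 5x spike threshold are simplifications chosen for this example.

```python
# Added example, not code from the original post, Merck, or the OCSF project.
# Raw records are constructed; the verb->activity_id mapping and spike threshold
# are simplifications chosen for this example.
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median


def _activity_id(operation: str) -> int:
    """API Activity activity_id: 1 Create, 2 Read, 3 Update, 4 Delete, 99 Other.
    Prefix heuristic only; production mappings are defined per operation."""
    if operation.startswith(("Create", "Put")):
        return 1
    if operation.startswith(("Get", "List", "Describe", "Decrypt")):
        return 2
    if operation.startswith(("Update", "Modify")):
        return 3
    if operation.startswith("Delete"):
        return 4
    return 99


def to_ocsf_api_activity(rec: dict) -> dict:
    """Map one CloudTrail-style record to an OCSF API Activity event (class_uid 6003,
    category Application Activity). Queries downstream read only OCSF paths."""
    operation = rec["eventName"]
    activity_id = _activity_id(operation)
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "class_uid": 6003,
        "category_uid": 6,
        "activity_id": activity_id,
        "type_uid": 6003 * 100 + activity_id,
        "severity_id": 1,                    # Informational
        "time": int(ts.timestamp() * 1000),  # OCSF time is epoch milliseconds
        "metadata": {"version": "1.8.0", "product": {"name": "CloudTrail", "vendor_name": "AWS"}},
        "cloud": {"provider": "AWS", "region": rec["awsRegion"]},
        "api": {"operation": operation, "service": {"name": rec["eventSource"]}},
        "actor": {"user": {"uid": rec["userIdentity"]["arn"]}},
        "src_endpoint": {"ip": rec["sourceIPAddress"]},
    }


def normalize_all(records):
    return [to_ocsf_api_activity(r) for r in records]


def hourly_counts(events):
    """(service, operation) -> Counter{hour bucket: calls}, using OCSF paths only."""
    counts = defaultdict(Counter)
    for e in events:
        counts[(e["api"]["service"]["name"], e["api"]["operation"])][e["time"] // 3_600_000] += 1
    return counts


def find_spike(events, min_ratio=5.0):
    """Return (service, operation, peak hourly count, peak/median ratio) for the pair
    whose busiest hour most exceeds min_ratio x its median hour, or None."""
    best = None
    for (service, operation), per_hour in hourly_counts(events).items():
        values = list(per_hour.values())
        if len(values) < 2:          # a single bucket gives no baseline
            continue
        ratio = max(values) / max(median(values), 1)
        if ratio >= min_ratio and (best is None or ratio > best[3]):
            best = (service, operation, max(values), ratio)
    return best


def sample_records():
    """Constructed CloudTrail-style input: steady S3 reads, one IAM call, and KMS
    Decrypt traffic that jumps 20x in hour 3 (not real telemetry)."""
    plan = {
        ("kms.amazonaws.com", "Decrypt"): [20, 20, 20, 400, 20, 20],
        ("s3.amazonaws.com", "GetObject"): [50] * 6,
        ("iam.amazonaws.com", "CreateUser"): [0, 0, 1, 0, 0, 0],
    }
    records = []
    for (source, name), per_hour in plan.items():
        for hour, n in enumerate(per_hour):
            for i in range(n):
                records.append({
                    "eventTime": f"2026-01-15T{hour:02d}:{i % 60:02d}:{i // 60:02d}Z",
                    "eventSource": source,
                    "eventName": name,
                    "awsRegion": "us-east-1",
                    "sourceIPAddress": "10.0.0.7",
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-role"},
                })
    return records


if __name__ == "__main__":
    print(find_spike(normalize_all(sample_records())))  # ('kms.amazonaws.com', 'Decrypt', 400, 20.0)
```

The point of the split between `to_ocsf_api_activity` and `find_spike` is that the query never touches a source-specific key: once a second source (for example, an Azure or GCP audit log) is mapped onto the same `api.*` and `time` paths, the same spike query runs over it unchanged, which is the “standardized query paths” property the Merck story relies on.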
OCSF didn’t just improve Merck’s data quality. It gave their AI systems the consistent language they need to reason effectively. Merck demonstrated that with the right data foundation, security operations can shift from reactive analysis to intelligent, automated response. The future of security isn’t about hiring more analysts: it’s about empowering the analysts you have with AI systems that understand their environment.
Technical Evolution: OCSF v1.8.0
The OCSF community continues to evolve the framework to meet emerging security challenges, while maintaining strict backwards compatibility. Since our last update at Black Hat 2025, the community has released v1.8.0 (released March 16th, 2026), with enhancements focused on AI operation observability, network packet-level visibility, and privilege analysis.
Key enhancements in v1.8.0 include:
- AI Operation Support: A new ai_operation profile and supporting objects (ai_model, message_context) bring native schema coverage for AI workloads, including token usage metrics and role-based interaction tracking.
- Privilege Analysis with ATT&CK Mapping: New objects (privilege_info, privilege_attack_info, service_privilege_analysis) enable detailed privilege analysis with MITRE ATT&CK technique mapping, supporting unused privilege detection and access risk assessment.
- macOS Extension and Cross-Platform Improvements: A new macOS extension adds egid and euid to the process object, with related attributes promoted from the Linux extension to the base schema for cross-platform reuse.
- Network Packet Capture: A new packet object on network event classes enables packet-level data representation, along with a network_observation_point attribute for richer traffic context.
These enhancements reinforce OCSF’s role as the schema for AI-ready security operations, extending native coverage to the AI workloads and network telemetry that modern detection and response demands.
Ecosystem Momentum: From Community to International Standard
The OCSF community has grown rapidly, with over 1,280 contributors across 200 organizations driving the framework forward. This momentum reached a new milestone in December 2025.
The ITU Milestone
In December 2025, ITU member nations formally supported OCSF for ratification as an international standard, a move that highlights the framework’s universal value across diverse regulatory environments and shifting security priorities.
This achievement extends far beyond technical validation. When an international body like the ITU recognizes a framework with unanimous member support, it signals a critical shift: standardization is no longer just an industry preference. It is a global necessity. Slated for official ratification as an ITU x.*** international standard by June 2026, OCSF is poised to play an increasingly vital role as governments worldwide integrate ITU standards into their national cybersecurity policies.
Ultimately, this milestone is the culmination of years of collaboration among enterprises, security vendors, cloud providers, and open source contributors. The journey from an industry consortium to a Linux Foundation project, and now to an international standard, proves what we can achieve when the security community prioritizes interoperability over proprietary silos. OCSF’s success underscores a simple truth: standardizing security data benefits everyone, from individual organizations to the entire global security ecosystem.
The Path Forward: What’s Next for AI-Ready Security
The security industry is entering a new era where AI-powered security operations become the norm rather than the exception. The momentum behind OCSF, from Linux Foundation adoption to ITU ratification, signals a fundamental shift in how organizations approach security operations.
The traditional SOC model, where analysts manually triage alerts, investigate incidents, and respond to threats, cannot scale to meet the velocity and complexity of modern attacks. Agentic AI changes this equation. Organizations that standardize their security data today are building the foundation for autonomous threat hunting and investigation, predictive vulnerability analysis, and intelligent response orchestration. This isn’t a future vision. It’s happening now.
ITU ratification accelerates this transformation. As governments worldwide incorporate ITU standards into national cybersecurity frameworks, the pressure to adopt standardized approaches will intensify, particularly in regulated industries.
On the technical front, OCSF maintainers have initiated collaboration with OpenTelemetry (OTEL) maintainers to integrate security and observability domains. Separating security telemetry from operational telemetry limits how teams understand system behavior under attack. Unified telemetry enables holistic analysis: understanding not just what happened, but why it happened and what it means for the broader system.
The organizations that thrive in this new landscape won’t be those with the most security tools or the largest SOC teams. They’ll be the ones who built their security operations on a foundation of standardized, AI-ready data. OCSF provides that foundation.
The question isn’t whether AI will transform security operations. The question is whether your security data is ready for this transformation: OCSF is how you get there. The community continues to grow, and we invite you to join us at the OCSF Breakfast at RSA Conference on March 25, 2026 in San Francisco to explore these ideas further.