The content layer

Five content pillars, above the standards.

SecOps-NG is a portable content layer. It does not replace the formats the industry has already settled on — it curates and maps them, fills the gaps, and ships an open metrics catalogue alongside. Each pillar below is portable on its own and coherent with the others.

Playbooks — CACAO

Response playbooks are authored against CACAO, the OASIS standard for portable, machine-readable response procedures. The commons contributes the curated library and the mappings between playbooks, controls, and detections.

Detections — Sigma references

Detection content references the Sigma rule corpus rather than re-inventing it. The commons curates a working set, annotates it with the controls and playbooks it supports, and tracks coverage gaps. Sigma is detection-only; response lives in CACAO.

Controls — OSCAL and D3FEND

Control content is expressed against OSCAL for catalogue and profile structure, and D3FEND for the defensive techniques those controls implement. Mappings to the European regulatory baseline live alongside, as operator-to-operator guidance rather than legal advice.

Data shape — OCSF

The shape of data crossing boundaries — events, findings, alerts — is expressed in the Open Cybersecurity Schema Framework. Playbooks consume OCSF; detections emit it; controls are evidenced against it. One shape across the stack means content stays portable as the orchestrator underneath changes.

Metrics catalogue

The gap none of the standards above fills: a shared, versioned catalogue of operational metrics — mean time to triage, coverage of a control set, detection precision against a baseline. The commons publishes the catalogue, the definitions, and reference queries against OCSF-shaped data.

Cross-cutting commitments

Two properties hold across every pillar, not as features but as the conditions under which the commons accepts content at all.

  • Auditability — every artefact in the commons is plain text, diff-reviewable, and versioned in the open. Curation decisions live in pull requests, not in private threads.
  • Sovereignty — reference deployments target European-resident, European-governed infrastructure. AI providers are pluggable; nothing in the content layer pins the operator to a non-EU service.

Compile targets

Content is portable because it compiles. Three launch targets are maintained by the commons:

  • n8n — visual, self-hosted automation.
  • Temporal — durable, restartable workflows.
  • LangGraph — graph-shaped agentic flows.

Community-contributed adapters are welcome for MindStudio, Make, Zapier, StackAI, CrewAI, and anything else operators run. The commons does not ship its own runtime.

Regulatory alignment

The control pillar carries mappings to the European regulatory baseline — NIS2, DORA, CRA — alongside the OSCAL catalogues. The mappings are operator-to-operator guidance, not legal advice, and live as ordinary content in the repository.