CSTS: A Canonical Security Telemetry Substrate for AI-Native Cyber Detection
Abdul Rahman

TL;DR
CSTS is a unified, AI-ready cybersecurity telemetry framework that harmonizes diverse data sources into a common model, facilitating scalable and interoperable cyber AI analytics.
Contribution
The paper introduces CSTS, a formalized, extensible, and deployment-agnostic telemetry substrate that unifies heterogeneous cyber data for advanced AI-driven security analytics.
Findings
CSTS enables consistent representation of heterogeneous cyber data.
Supports anomaly detection, graph learning, and behavior modeling.
Reduces data engineering effort and enhances AI interoperability.
Abstract
Cybersecurity data remains fragmented across vendors, formats, schemas, and deployment environments, forcing AI and analytics programs to spend disproportionate effort on ingestion, normalization, and brittle source-specific engineering. This paper introduces the Canonical Security Telemetry Substrate (CSTS), a canonical, AI-ready telemetry foundation designed to harmonize heterogeneous cyber data into a common representation over persistent entities, typed relations, events, temporal state, and provenance. CSTS is intended to move cybersecurity analytics beyond ad hoc record normalization toward a reusable substrate that supports anomaly detection, graph learning, forecasting, behavior-based modeling, and agentic cyber AI. We formalize the core design principles of CSTS, define its representational components, and explain how it preserves source-specific nuance through explicit…
