惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 三生石上(FineUI控件)
Martin Fowler
Martin Fowler
月光博客
月光博客
AI
AI
B
Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
GbyAI
GbyAI
L
Lohrmann on Cybersecurity
O
OpenAI News
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
W
WeLiveSecurity
L
LINUX DO - 最新话题
人人都是产品经理
人人都是产品经理
S
Security Affairs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
Arctic Wolf
Recorded Future
Recorded Future
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
TaoSecurity Blog
TaoSecurity Blog
C
Check Point Blog
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Vercel News
Vercel News
The Hacker News
The Hacker News
Y
Y Combinator Blog
Latest news
Latest news
SecWiki News
SecWiki News
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
博客园_首页
H
Hackread – Cybersecurity News, Data Breaches, AI and More
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA
2026-05-02 · via Cloud Security Alliance

Written by Rock Lambros, CEO & Founder, RockCyber LLC.

Security research lives in PDFs. PDFs are good for humans and useless to machines. That mismatch was annoying a few years ago. It's expensive today.

Detection engineers are feeding those PDFs into RAG pipelines so their copilots can answer questions about threat actors, control mappings, and risk decisions. The pipelines are pulling text out of multi-column layouts, splitting paragraphs at chunk boundaries, and dropping the structure that made the prose comprehensible in the first place. A reasoning chain that took an analyst three pages to construct gets retrieved as a six-line snippet with no surrounding context, no provenance, and no way to verify whether the source has been tampered with. Then your agent confidently quotes it back to you.

The industry has tried to fix the machine-readability problem in narrow slices. STIX carries indicators. OSCAL carries controls. CycloneDX carries components. SARIF carries findings. They do their jobs well. None of them carries the analytical prose that explains a threat model, a risk decision, or a design tradeoff. The why and the how have no standard at all. They sit in PDFs, are poorly extracted, and travel through agent pipelines as low-fidelity text with no integrity guarantees.

Call it the structured narrative gap. It used to be a documentation problem. With agentic security tools shipping into production, it's an attack surface.

Poisoned Guidance With Legitimate Metadata

Wei Zou and his coauthors published PoisonedRAG at USENIX Security 2025. They achieved a 90% attack success rate by injecting five malicious texts into a knowledge base with millions of entries. Five corrupted documents in a corpus of millions. Take that as the floor.

Now, picture your security copilot's knowledge base consisting of CSA whitepapers, NIST drafts, vendor advisories, and internal threat models. PDFs scraped, chunked, and embedded with no integrity check, no signature, and no consistent way to authenticate the publisher. An attacker who places a single document into your retrieval index gets to influence what your incident responder sees at 3 AM.

Structured documents make this worse before they make it better. Most RAG systems give documents with rich metadata preferential retrieval treatment, because the metadata helps with filtering and ranking. A poisoned document that appears structurally legitimate commands higher implicit trust than a noisy PDF extract. The author thinks they're solving a discovery problem. They're handing the attacker a sharper weapon.

Anyone shipping a "structured AI-ready security document" without integrity is shipping a poisoning vector. PoisonedRAG was 2024 work, so the risk is real, and the risk is now because the defenses the authors evaluated didn't hold.

What We Built And Why

Cloud Security Alliance is publishing SAGE today. The acronym stands for Security Analysis and Guidance Exchange. It was Jim Reavis’ brainchild, and I’m honored to co-author the spec with him. The release contains three artifacts: a normative specification, a blank document template, and a guide that walks an author from a blank page to a published document.

SAGE is valid CommonMark with valid YAML frontmatter. Existing renderers and parsers handle it correctly. New tooling extracts the metadata, verifies integrity, propagates trust markings, and chunks semantically along the heading boundaries the author intended.

The frontmatter is classified into three tiers. Ten required fields cover identity, classification, provenance, and integrity. Four conditional fields when AI is involved in authorship. An optional set covering taxonomy, relationships, and machine processing hints. Document identity uses a {ORG}-{YEAR}-{TYPE}-{SEQ} namespace, with self-assigned organization prefixes and CSA and OWASP reserved. The generation_metadata block replaces the old "ai_assisted" boolean with authorship mode, model identifier, version, and human review level. It's extensible for the tool-call traces and delegation chains we'll need as agent authorship matures.

Trust marking lives in frontmatter using FIRST TLP 2.0, with explicit handling rules for multi-agent workflows. Agents must not push TLP:RED or TLP:AMBER+STRICT content into shared context windows. Derivative documents must carry a TLP at least as restrictive as their most restrictive source. Related documents carry a relationship_type from a controlled vocabulary covering supplements, supersedes, references, implements, extends, contradicts, and updates. Consumers follow those relationships programmatically instead of inferring them from prose.

The piece doing the bulk of the work on integrity is content_hash. We hash the document body with SHA-256 after normalizing to UTF-8 NFC and LF line endings. The output is 64-character lowercase hex. The spec ships with normative test vectors, so two independent parsers produce identical hashes for the same input. An optional cryptographic signature block at v1 lets publishers sign over that hash. Tamper detection and publisher authentication are required from day one, because shipping structured AI-ready content without them is irresponsible.

SAGE sits alongside STIX, OSCAL, CycloneDX, and SARIF, not against them. Indicators travel as STIX. Controls travel as OSCAL. Components travel as CycloneDX. Findings travel as SARIF. The reasoning that connects an indicator to a control to a risk decision travels as SAGE.

What You Do Today

CSA is retrofitting its corpus first. Reference tooling follows: a validator, LangChain and LlamaIndex loaders, and a PDF-to-SAGE converter for legacy content. Vendor adoption is the phase after that. OASIS formalization is the phase after that.

You don't have to wait for any of it. Read the specification end-to-end. Run the template through a document you'd otherwise publish as a PDF. Try to break the schema. Compute a content_hash over a draft, ship it to a colleague, have them recompute it, and confirm the hashes match. File an issue where the spec is ambiguous, contradictory, or wrong.

For converting existing content, any2md is an open-source CLI I wrote for my own RAG pipelines and soft-released at RSAC. It takes PDFs, DOCX, HTML, URLs, and plain text and emits SAGE-shaped Markdown with a reproducible content_hash that matches the spec's normalization rules. MIT-licensed, pip-installable, at github.com/rocklambros/any2md.

If you ship security content, start asking your tooling vendors when they'll consume SAGE. If you run a copilot or RAG pipeline that ingests security research, start asking your providers how they verify what they're indexing today. The structured narrative gap was a problem nobody owned. It has owners now.

Security Analysis and Guidance Exchange (SAGE) site