Announcing the Tenzir MCP Server: AI-Generated OCSF Mappings
In the world of security operations, the pipeline is king. It's the digital assembly line that transforms raw, chaotic data into structured, actionable intelligence. A critical, yet often arduous, part of this process is mapping diverse data sources to a standard schema like the Open Cybersecurity Schema Framework (OCSF).
Today, we're excited to debut the first step in a new direction: Tenzir's new Model Context Protocol (MCP) server. This initial v0.1 release is an open-source tool that uses AI to automatically generate valid Tenzir Query Language (TQL) pipelines for OCSF mappings.
Talk is cheap, so we built a small app to prove it. Watch this video to see the Tenzir MCP server turn a raw log into a perfect, schema-compliant TQL pipeline in seconds. No cuts, no edits.
The Debut of the Tenzir MCP Server
At its core, the Tenzir MCP server acts as an intelligent bridge to a Large Language Model (LLM), specifically tailored for security data transformations. For this first release, we're tackling the challenge of schema mapping. You provide a log sample, and the MCP server returns a validated TQL pipeline that maps it to OCSF.
Our goal with this initial version is to accelerate OCSF adoption by making the mapping process faster, easier, and more accessible. We're just getting started, and this is the first of many capabilities we plan to build.
What's in v0.1
This first release is a functional tool, not just a proof of concept. It includes key features designed to be immediately useful for security teams.
🤖 OCSF-Native AI
The Open Cybersecurity Schema Framework (OCSF) is the future of standardized security data. Our MCP server was built with OCSF at its core. It has complete knowledge of all schema versions, event classes, and objects. This allows it to generate validated, 100%-schema-conforming OCSF mappings. Thanks to Tenzir's native and deterministic OCSF operators, ocsf::apply and ocsf::derive, you can be confident that the AI-generated data transformations are accurate and compliant.
📚 Accurate and Up-to-Date Pipelines
Reliability is paramount. The generated TQL is accurate because the underlying AI is always provided with the latest context from our documentation and the official OCSF schema via Retrieval-Augmented Generation (RAG). This ensures the generated pipelines reflect current TQL best practices and are always in sync with the latest OCSF standards.
💻 Local Execution and Open Source
The Tenzir MCP server is completely open source, available at github.com/tenzir/mcp. You can run it locally, on your own infrastructure, giving you full control over your data and your AI models. We believe in empowering our users, not locking them into a proprietary ecosystem. Contributions are welcome, and we're excited to see the community help shape the future of this tool.
The MCP Power Struggle
The growing adoption of the Model Context Protocol (MCP) has kicked off an industry-wide conversation about a "new power struggle in the SaaS stack." The central question: will AI-driven interfaces turn established vendors into "dumb infra"? It's a revealing anxiety, one that makes perfect sense if your business model is built on a proprietary UI and customer lock-in. For SaaS companies, this is a power struggle. For us at Tenzir, it's just another Tuesday. Our open-source philosophy means we see this not as a threat, but as an opportunity.
Empowerment Over Entrapment
The "fear" of becoming commoditized infrastructure stems from a business model built on controlling the user experience. Our model is different. Tenzir is built on the principle of empowerment. By open-sourcing our MCP server from day one, we aren't ceding control—we're distributing it to our users. We believe the future isn't a single, monolithic UI, but a diverse ecosystem of tools, and we want to be the powerful, open engine that drives them.
The Engine is the Value
While the Cribl post discusses the risk of the UI being abstracted away, we see the MCP server as just another powerful interface to the real value: the Tenzir pipeline engine. The magic isn't just in generating TQL from a prompt; it's in our engine's ability to execute that TQL at scale with high performance and efficiency. When your foundation is a powerful, flexible, and open-source engine, you welcome new interfaces rather than fear them.
From "Dumb Pipe" to "Smart Lego Brick"
The concern that MCP just exposes "raw data" is also worth addressing. We see our MCP server not as a dumb pipe, but as a smart, programmable building block. Even in this first v0.1 release, its deep OCSF awareness allows it to create validated, schema-conforming mappings and sophisticated dataflows. It's a higher-level function that elevates Tenzir from simple infrastructure to a smart, composable component in a modern security stack.
Join Us on the Journey
The Tenzir MCP server represents a new paradigm for interacting with security data. This v0.1 release is our first step, empowering analysts and streamlining the critical task of OCSF mapping. We're incredibly excited to share it with the world and build its future in the open.
Ready to get started? Check out our GitHub repository to download the MCP server and take it for a spin. Join our community Discord to ask questions, share your feedback, and connect with other Tenzir users. The future of security data pipelines is here, and we're building it together.