LABELS

Preamble

The Open XDR Architecture (OXA) project aims to create an open and collaborative architecture for extended detection and response (XDR). OXA aims to offer a framework that brings together complementary solutions and players by aggregating the different capabilities within a product ecosystem to offer composable security that meets the needs of organizations.

The OXA label guarantees the interoperability with OXA of the labelled technological bricks as well as the compliance of these technologies with the cybersecurity standards used in OXA.

The OXA label is issued by the OXA Governance Committee after examination of the application and in accordance with the principles set out in these regulations.

The label aims at recognizing and promoting cybersecurity solutions and products that integrate and comply with the standards and best practices of the Open XDR Architecture.

1. Purpose

The purpose of these regulations is to define the conditions and procedures for obtaining and using the OXA label in its different forms: bronze, silver, gold, platinum.

It thus specifies the way in which organisations whose product forms a key technological building block can use the OXA label.

It defines the different levels of the label that make it possible to highlight labelled products according to their adherence to the OXA project in compliance with these regulations and its specifications.

2. Definitions

Rules of use: this document constitutes the rules of use of the OXA label. The rules of use mean the regulation itself, but also the specifications and the logotype annexed to it (Annexes 1 and 2).

OXA Label: Label issued to cybersecurity solutions that comply with the standards and principles of the Open XDR Architecture.

Open XDR Architecture: A set of standards, protocols, and best practices to ensure interoperability and efficiency in extended detection and response (XDR) solutions.

Logotype: the logotype of the OXA label consists of the figurative elements that can be used by companies. It is reproduced in Annex 2 to this Regulation.

Label grantee: the label grantees are the organisations that are authorised to use the label to guarantee a certain level of compliance of their technological product with OXA, as soon as the governance committee has awarded them the OXA label.

Organisations: companies applying for the label.

3. Principles for issuing the OXA label

The OXA label is the guarantee for users that the labelled products and technological bricks comply with the Open XDR Architecture, are interoperable with the other labelled technologies and work with internationally recognized cybersecurity standards.

This guarantee is reinforced by the verification of compliance with the label's specifications and the examination of the application file by the OXA governance committee.

The OXA label is awarded to a range of products or technological components of a product that are capable of being integrated with the Open XDR Architecture and that comply with a framework guaranteeing the interoperability of the said technologies with each other and operating in an Open XDR approach.

4. Principles for awarding an OXA label level

The OXA label offers four levels of compliance (Bronze, Silver, Gold and Platinum) which are defined according to the adequacy of a technological product to the standards allowing interoperability with the OXA project.

Each level of compliance represents a step towards cybersecurity excellence, with increasing expectations for interoperability and security.

The criteria become stricter as you move from one category to the next, reflecting a higher level of sophistication and capacity in cybersecurity practices.

Here are the eligibility criteria for each level of the OXA label:

Bronze Level: "Basic Interoperability"

  • MANDATORY - The technology complies with at least 1 of the principles used by the OXA project.

  • Illustration: meets the minimum requirements to interact with at least one capability of the OXA ecosystem.

  • The bronze level will be obtained based on self-declaration.

Silver Level: "Intermediate Interoperability"

  • MANDATORY - The technology complies with at least 2 of the principles used by the OXA project.

  • Illustration: can demonstrate it interacts seamlessly with other technologies within the OXA ecosystem.

  • The silver level will be obtained based on self-declaration.

Gold Level: "Advanced Interoperability"

  • MANDATORY - The technology complies with at least 3 of the standards used by the OXA project.

  • MANDATORY - The technology leverages the OXA API to interact with other components.

  • Illustration: can interact smoothly with other technologies.

  • The gold level will be obtained based on a basic review from a governance member.

Platinum Level: "Confirmed Interoperability"

  • MANDATORY - The technology incorporates all OXA principles and can demonstrate it.

  • MANDATORY - Positively influences the evolution of OXA framework with contributions.

  • Illustration: a vendor that promotes OXA and uses it to connect with others, and that publishes contributions which help the OXA ecosystem grow.

  • The platinum level will be obtained based on a thorough review from two governance members.

5. Conditions of use of the label by the beneficiaries

5.1 Right to use the label

In its capacity as grantee of the label, the company whose product or technological brick is labelled holds a right of use on the label for the period defined in the following paragraph.

By virtue of this right of use, the grantee may use the label for a labelled offer on any advertising or institutional communication medium, as well as for its general terms and conditions of sale.

The use of the logotype must be done in compliance with the graphic rules set out in Appendix 2.

The right of use of the label is strictly personal to the grantee holding the label and cannot be transferred to a third party (company, institution, federation).

5.2 Duration of the right of use

In general, the right to use the label for a grantee remains in force until:

  • the next revision of the specifications, if the offer no longer meets the new conditions;

  • a modification of the conditions of the grantee's offer, as soon as it would lead to non-compliance with the rules of use.

Each labelled offer is labelled for a period of two years. After this period, a renewal procedure must be done.

5.3 Extinguishment of the right of use

The right to use the label for an offer of the grantee expires when the latter no longer complies with the conditions and obligations provided for in the rules of use for this offer.

The termination of the right to use the label immediately entails the obligation for the grantee to remove any reference to the label from the communication media and the general terms and conditions of sale of the offer concerned.

In the event of damage to the label, legal proceedings may be initiated.

Exceptionally, and at the grantee's reasoned request, OXA's governance committee may grant the grantee a period to bring its offer into compliance with the rules of use and recover its right to use the label. The reasoned request for a compliance period must be made as described in the Specifications in the Appendix to this document.

6. Label governance

Any decision on label validation, label refusal or label cancellation is taken by the OXA governance committee.

Any question or complaint must be addressed to the OXA governance committee.

Appendix 1: Specifications

Eligibility

To be eligible for the OXA Label, the product or solution must allow the interoperability of its solution with the Open XDR Architecture in a manner that complies with the framework defined by the Open Cyber Alliance association.

Procedures for applying for the use of the label

The applicant must start with a Pull Request on the file named “Labelled solutions”. Depending on the claimed level, additional details will be asked for asynchronously.

The requirements below apply in increasing order of level (Bronze, Silver, Gold, Platinum):

  • Self assessment

  • Self-declarative Pull request

  • PR review

  • Basic additional review before validation

  • Thorough additional review before validation

The section below provides the application content of the file “labelled solution template.md” that must be filled in by the candidate.

Organization name: Real company name

Product name: Real product name

Product website: Existing URL

Product OXA page: optional URL

Point of contact name: Real person or group designated as the contact point, visible to any user interested in knowing more about the product's compliance

Point of contact email: email address of the point of contact

OXA level: Claimed level, from Bronze to Platinum

Application date: date of the initial application

Upgrade date: date of the latest commit

OXA capability Open API: [Yes | No], API Documentation URL

OXA capability OCSF: [Yes | No], [Producer | Consumer]

OXA capability automation: [OpenC2, Meshroom] [Sensor | Orchestrator]

OXA capability threat intel: [Yes | No], [Producer | Consumer]

OXA capability sharing: [CACAO, ...] [Producer | Consumer]

Each candidate will have to fill the template and propose a pull request.

For gold and platinum requests, an OXA governance member will reach out to the contact point to get additional information out of band. This information will cover different areas such as:

  • explanation of the capability implementation;

  • contributions of the candidate;

  • willingness to communicate about OXA;

  • interest in being highlighted at upcoming events.

The applicant must submit a complete application including detailed technical documentation on how the solution enables interoperability with the Open XDR Architecture via the defined standards.

An application file must be sent via the dedicated space on the OXA website where the applicant organisation will find all the technical documentation necessary for the study of its application.

Once the application file has been received, it will be reviewed by the OXA Governance Committee, which will conduct a thorough review of the documentation provided.

Following the study of the documentation, which is based on self-declaration, the OXA governance committee decides on whether to award the OXA label and, if applicable, specifies the quality of the label (platinum, gold, silver, bronze).

A response (label awarded and its level, label refused, or application postponed) is then sent by the OXA governance committee to the applicant.

In the event of a positive response, the applicant company shall receive a certificate for a period of two years and shall become the operator of the label and shall have a right of use over it in accordance with this Regulation.

The applicant must commit to being in line with what it has declared. If, subsequently, the OXA Governance Committee realizes that the label declared and awarded does not correspond to the real interoperability of the technology with OXA, the committee reserves the right to carry out compliance tests to verify the correct application of the principles of the Open XDR Architecture.

Milestones for label acquisition

All validations are made on the fly.

The first pack of labelled solutions will be validated on Sept 1st, 2025 to allow companies to get better visibility on the OXA project, align it with their interest and drive the few required technical developments in their roadmaps to get the first level of label.

Modification of the Specifications

The specifications annexed to these regulations are likely to be updated and will be subject to revision two years after their publication.

On upcoming major modifications, the OXA Governance Committee informs all grantees of the label of the changes decided by publishing the new conditions. An email will be sent to each declared stakeholder for a labelled product.

Grantees whose solutions are no longer compatible with the new specifications are invited to update their solutions accordingly and to inform the OXA Governance Committee. A period for compliance may be granted to grantees who have made an explicit request to the OXA governance committee. This period of compliance may not exceed three months.

Once re-compliance has been achieved, the grantee can claim the compliance with the new specifications. Otherwise, the grantee organisation loses its right to use the OXA label for the technological brick in question.

Appendix 2: Logos

Logotype for the OXA Platinum Label

Logo for the OXA Gold Label

Logo for the OXA Silver Label

Logo for the OXA Bronze Label