Open Standard For Security Investigation Logic

Implement Once. Stay Interoperable.

TENSOR defines a deterministic graph contract for investigations across analytics platforms, automation systems, and AI-assisted workflows.

Use stable node and edge semantics, run the shared conformance suite, and contribute improvements without forking core behavior.

Implement Core in 30 Minutes Run Conformance Suite Propose an Improvement Join Governance Version 0.20260206e

Why This Standard Exists

Most SOC stacks duplicate investigation logic across SIEM, SOAR, and custom playbooks. Tool-specific branching semantics make cross-platform verification difficult.

Failure Mode It Targets

AI-assisted workflows can drift when branch rules are implied in prompts instead of encoded in deterministic graph transitions.

Result

TENSOR keeps investigation intent stable while allowing implementation details to vary by vendor and organization.

Stable IDs

Node and edge identifiers remain portable across releases, enabling replay, diffing, and migration checks.

Explicit Decisions

Every transition resolves to yes, no, or unknown, so execution rules are testable.

Overlay Compatibility

Teams can layer local business logic without mutating core investigative semantics.

Conformance Evidence

Baseline fixtures and release telemetry provide objective signals for implementation readiness.

Conformance Levels

Adoption is incremental. Implement the level that matches your product role, then move upward as your integration matures.

Level What You Support Pass Criteria
Consumer Load and validate canonical graph + schema artifacts. Accept valid fixtures and reject invalid fixtures with deterministic errors.
Executor Traverse decisions using graph semantics in runtime workflows. Produce reproducible branch transitions and audit records for traversals.
Authoring Tool Create or modify graphs while preserving compatibility policy. Emit schema-valid artifacts and maintain stable IDs across revisions.

Implementation Path

  1. Load pinned schema and graph release artifacts.
  2. Run conformance fixtures and document pass/fail output.
  3. Map runtime execution to explicit yes/no/unknown transitions.
  4. Ship with release pinning and publish your compatibility statement.

Open the full implementation guide.

Contribution Path

  1. Open an issue describing a concrete gap with reproducible context.
  2. Draft an RFC-level proposal with compatibility impact.
  3. Add or update fixtures proving behavior and edge cases.
  4. Merge through governance review and release notes.

Open contribution workflow.

Loading live framework metrics…

Investigation Model Shift

From tool-specific flows to a shared graph contract

Traditional workflows are usually linear with optional loop-backs. TENSOR preserves those patterns, but encodes reusable logic once so integrators can apply the same semantics across platforms.

Next step: review standards and compatibility policy before implementation.

Comparison of mostly linear workflows versus shared graph-based investigation logic