The fellowship addressed key limitations found in version 2.0 of the OASIS Collaborative Automated Course of Action Operations (CACAO) standard. While CACAO v2.0 introduced the first machine-readable format for cybersecurity playbooks, real-world use revealed gaps that limited interoperability and automation. The most critical issues included ambiguous schema elements, unclear execution semantics, and limited support for graphical and modular representations needed to visualize and exchange playbooks. From a European standpoint, these shortcomings directly affected operations. SOCs, CSIRTs, and critical infrastructure operators faced difficulties creating executable playbooks, hindering the coordinated responses envisioned by the NIS2 Directive, the Cyber Solidarity Act, and the EU Cyber Crisis Blueprint.
The fellowship, therefore, focused on three main goals:
1. Consolidating feedback from European and international stakeholders who implemented CACAO v2.0.
2. Designing and drafting CACAO v3.0 — a major revision introducing structural schema improvements, more precise execution semantics, and modular extensibility.
3. Aligning the work with EU cybersecurity policy and operational priorities so that standardized, machine-readable playbooks can support coordinated preparedness and response.
The effort resulted in the ongoing working CACAO v3.0 Draft Specification and accompanying validation outputs, now progressing toward formal adoption within OASIS. By resolving the main technical and semantic issues, the fellowship strengthened Europe’s role in cybersecurity standardization. It established a solid, vendor-neutral foundation for automated, collaborative cyber defense across the EU.
