Connecting The Dots With De-Facto Standards: How the XDR Alliance’s Open-Sourced CIM and API Specs Unify Best-of-Breed Tools

Gorka Sadowski
4 min readAug 25, 2023


From tool interoperability, to integration and to collaboration

By Gorka Sadowski, Chief Strategy Officer, Exabeam and founder, XDR Alliance

By and large, the cybersecurity industry has been built on a “best-of-breed” approach. This means that when organizations need three solutions A, B and C, then they try to acquire the best A possible, the best B possible, and the best C possible. This approach gave us the cybersecurity landscape that we all know today:

Figure 1. Cybersecurity landscape. Source:

A best-of-breed approach is the most powerful, provided that the different solutions work well together. We need to connect the dots.

Working together — the 3 levels

  1. Level 1 — Interoperability

At the simplest level, we can say that several solutions interoperate when they can coexist without breaking each other.

2. Level 2 — Integration

Several solutions are integrated with each other when they become a whole. Notice that there is no expectation on the combined value proposition.

3. Level 3 — Collaboration

At this level, solutions that collaborate work jointly to achieve something that no solution alone can achieve. This is coined by the proverbial “1+1=3” and “1+1+1=5.”

Figure 2. Value and Complexity continuum for different levels of tools working together. Source: Gorka Sadowski

When several best-of-breed solutions collaborate, they are capable of achieving together functionality that no other combination can achieve. And their coverage is usually second to none.

So why don’t we see more best-of-breed solutions collaborate? What are the collaboration enablers that most vendors miss?

Tool collaboration — the 2 enablers

For tools and solutions to collaborate seamlessly, we need two mandatory enabling components:

  1. A collaborative Common Information Model (CIM)

Think of a CIM as a common language so each tool can easily understand what the other tools are communicating.

2. A collaborative set of bi-directional API Specifications

Think of APIs as the plumbing for different tools to be able to communicate with each other.

The combination of the common language and the plumbing is what allows tools to efficiently exchange intelligence, ask each other to “do things,” and share data. For example:

  • “Hello EDR, please suspend and force-quit this process.”

Examples of tool collaboration can also take the form of more complex bi-directional communications that provide higher value-add between several tools. For instance:

  • “Hello SIEM/UEBA, please ask the NDR who the user is behind this event, and then compute the risk score of both the event and that user. If the corresponding user’s risk score is too high, please reach out to the IAM and ask it to force a reauthentication of that user.”

XDR Alliance open sources the 2 enablers

The XDR Alliance was founded so end-customers could get more value from their existing best-of-breed technology stack, and specifically:

  • Rationalize their current tools, i.e., have their heterogeneous technology stack behave as one cohesive solution.
  • Achieve broader threat detection investigation and response (TDIR) coverage more easily and with lower total cost of ownership (TCO), i.e., help organizations ensure that their tools work well together to achieve value-add use cases.

To achieve these goals, the XDR Alliance has collaborated closely with its members on a number of technology innovations and defined de-facto standards CIM and API specifications. Again, these are the structural enablers that help organizations combine their own best-of-breed tools into a cohesive solution.

To ensure these innovations are available to all without any hindrance or friction, the XDR Alliance released both of these as Open Source (Apache 2.0 license).

Together, these enable the open XDR operational model that the XDR Alliance defined. The opportunity to exchange data and intelligence between tools; the possibility for some tools to ask other tools to “act” on their behalf; and the opportunity to have heterogeneous, best-of-breed technology stacks behave as one cohesive solution.

Figure 3. Open XDR operational model of an open XDR. Source:

What’s next?

Now that the XDR Alliance has defined and open sourced both the CIM and the API specifications, we can all continue the production and operationalization of high-value, multi-vendor, and multi-tools use cases in threat detection, investigation, and response (TDIR) at scale. Stay tuned…

Special thanks and acknowledgements

I want to thank all the members of the XDR Alliance for their unwavering support in this journey, and a special shout to those members who went above and beyond in helping the definition and open sourcing of the CIM and the API specifications. Huge appreciation to Exabeam for sponsoring this initiative and allowing me to drive it.



Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.