We are entering the final year of our SAFE4SOC project that should hopefully end with IDMEFv2 standardisation, so I’m taking this opportunity to share a brief update with you.
IDMEFv2 efficiency: Bridging the Gap Between Cyber and Physical Security
The recent webinar in June 2026, held alongside our fellow IDMEFv2 project partners, underscored the critical role of the IDMEFv2 standard in modern incident detection. The sessions highlighted its unique relevance in managing both cyber and physical incidents, with a particular focus on Critical Infrastructure Protection (CIP). As part of the Safe4Soc project (Standard Alert Format Exchange for SOCs), we are currently leveraging IDMEFv2 to achieve seamless interconnection between multiple SIEM platforms – including Splunk, QRadar, and RSA – within a comprehensive cyber environment.

The collective feedback from these initiatives confirms a strategic reality: IDMEFv2 is not merely a relevant tool; it stands as the only viable alternative for organizations seeking a unified format to correlate cyber and physical security incidents effectively.
IDMEFv2 relevance: The Evolution of IDMEFv2: From Vision to Vital Necessity
When we first embarked on the IDMEFv2 journey, the world looked fundamentally different. Europe was at peace, drones were primarily seen as toys, and “hybrid warfare” was little more than a buzzword. At that time, IoT was in its infancy, mobile robotics felt like science fiction, and the catastrophic impact of climate change on our critical infrastructure – along with the surge in natural hazards – was not yet the glaring reality it is today.

Today, however, the landscape has shifted. For anyone looking even slightly into the near future, the urgency of multi-incident detection has become undeniable. While the IDMEFv2 format is still being refined and we continue to fine-tune its complexities, current geopolitical tensions – particularly within Europe – validate our mission. We need a standardized, unified format not only to protect our vital interests but also to foster the collaboration required to defend against a new generation of aggressors.
IDMEFv2 Standardization: The Missing Link in Multi-Domain Detection
IDMEFv2 serves as the essential link between previously siloed detection domains, including cybersecurity, physical security, system availability, and natural hazards. Historically, its predecessor, IDMEFv1, was focused purely on cybersecurity and was defined through the IETF (RFC 4765). However, as a data format rather than a network protocol, it struggled to move beyond the “experimental” standardization status. Today, the challenge is even more pronounced: the IETF remains hesitant toward format-heavy standards and maintains a strictly digital focus, leaving a gap where physical security integration is concerned.

Nevertheless, we remain highly confident. The sheer volume of projects currently implementing IDMEFv2 – combined with the significant number of partners involved – is rapidly establishing it as a de facto standard among research projects securing cyber-physical systems. This momentum is the key to securing an “Experimental RFC,” which will ensure the standard’s long-term sustainability and impact far beyond the lifespan of individual projects.
IDMEFv2 Dissemination: Overcoming Market Compartmentalization
Despite its growing relevance, the innovative nature of IDMEFv2 faces a significant hurdle: convincing security software vendors to embrace it. The security market remains deeply fragmented; many vendors see little short-term financial incentive in pooling efforts and interoperability – often quite the opposite. Even within the research community, few are truly prepared for the convergence of physical and digital security and the unique detection requirements it demands. While the European Commission is injecting significant funding into these areas – signaling the topic’s critical importance – research efforts remain scattered. Too many projects are still unaware that they could leverage a pre-standardized format like IDMEFv2 to ensure their findings are interoperable from the start.

In this final year, the dissemination of IDMEFv2 will be our primary mission. We aim to break down these silos, and we invite you to join us in making this standard the cornerstone of a more integrated security ecosystem.
Safe4Soc Insights: The Reality of SIEM Interoperability
The architecture we are currently developing in the Safe4Soc project focuses on interconnecting multiple proprietary SIEMs using IDMEFv2 over HTTPS, all feeding into a centralized IDMEFv2-native SIEM (Concerto SIEM). To design the “SIEM connectors” responsible for translating various incident formats into IDMEFv2, we conducted a comprehensive comparative study of existing market standards. Our findings are telling: modern SIEMs rely on vastly different concepts, vocabularies, attributes, and processes. Even when underlying concepts are identical, the lack of naming conventions creates significant friction.

This fragmentation reinforces our conviction. Given the growing ecosystem of projects and partners adopting IDMEFv2, we are successfully establishing it as a de facto standard for securing cyber-physical systems. We remain confident that obtaining an “Experimental RFC” will be the definitive step toward ensuring the sustainability of these efforts beyond individual project lifecycles.
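To illustrate the connector problem described above, here is an added example (not the Safe4Soc project's own connector code): two constructed vendor vocabularies that express the same concepts under different names and severity scales are normalised and wrapped in an IDMEFv2-style JSON message for HTTPS delivery. The vendor field names are invented for the example, and the IDMEFv2 top-level field names and version string are assumptions drawn from the public draft; validate them against the schema published at idmefv2.org.

```python
import json, ssl, uuid, urllib.request
from datetime import datetime, timezone
# Constructed vendor vocabularies (illustrative, not the real Splunk/QRadar/RSA
# schemas): identical concepts under different names and severity scales.
FIELD_MAPS = {
    "vendor_a": {"src_ip": "source_ip", "dest_ip": "target_ip",
                 "rule_name": "description", "sev": "severity"},
    "vendor_b": {"sourceip": "source_ip", "destinationip": "target_ip",
                 "offense_desc": "description", "magnitude": "severity"},
}
SEVERITY_MAPS = {  # vendor_a uses words, vendor_b a 1-10 magnitude
    "vendor_a": lambda s: {"critical": "High", "warning": "Medium"}.get(s, "Low"),
    "vendor_b": lambda m: "High" if int(m) >= 7 else "Medium" if int(m) >= 4 else "Low",
}

def normalise(vendor, alert):
    # Rename to one vocabulary; unmapped keys are kept under "extra", not dropped.
    fmap, canon = FIELD_MAPS[vendor], {"extra": {}}
    for key, value in alert.items():
        if key in fmap:
            canon[fmap[key]] = value
        else:
            canon["extra"][key] = value
    if "severity" in canon:
        canon["severity"] = SEVERITY_MAPS[vendor](canon["severity"])
    return canon

def to_idmefv2(vendor, alert, connector_ip="192.0.2.10"):
    # Field names follow the public IDMEFv2 draft as understood here (assumption).
    canon = normalise(vendor, alert)
    missing = [f for f in ("source_ip", "description") if f not in canon]
    if missing:  # refuse to emit a half-translated alert
        raise ValueError(f"{vendor}: missing {missing}")
    return {
        "Version": "2.0.3",  # assumed draft version string
        "ID": str(uuid.uuid4()),
        "CreateTime": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "Analyzer": {"Name": "safe4soc-connector", "IP": connector_ip, "Model": vendor},
        "Severity": canon.get("severity", "Low"),
        "Description": canon["description"],
        "Source": [{"IP": canon["source_ip"]}],
        "Target": [{"IP": canon["target_ip"]}] if "target_ip" in canon else [],
    }

def post_idmefv2(message, url):
    # HTTPS delivery to the central SIEM; the default context verifies the certificate.
    req = urllib.request.Request(url, data=json.dumps(message).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status
```

Keeping unmapped vendor fields under "extra" and refusing to emit a message with missing mandatory fields are the two behaviours that make a connector's translation auditable rather than silently lossy.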
Our 2026 Roadmap: Driving National Security & Standardization
Building on the momentum of our recent findings, our primary focus for 2026 is to engage directly with organizations at the forefront of National Security and Critical Infrastructure Protection.

We are launching a large-scale outreach initiative to share our breakthroughs with key stakeholders, including National Security Agencies, Ministries of Defence, and both cyber and physical end-user communities. We are also intensifying our dialogue with research groups, industry associations, and standardization bodies – notably the IETF and major European standards organizations – as well as security software vendors. Specialised documentation is currently being finalized to support these strategic partnerships.
Key Milestones for the Year Ahead:
- End of March 2026: Submission of the stable version of the IDMEFv2 format, integrating all technical feedback from our active projects.
- April – August 2026: A six-month intensive phase dedicated to simulations, pilot programs, and real-world testing to ensure maximum reliability.
- September 2026: Finalisation and release of the definitive version, which will be formally submitted for official standardisation.
How You Can Engage & What’s Next
The journey toward interoperable, resilient security is a collective one. We are not just building a format; we are building a community. Here is how you can take part:
- For Partners & the Technical Community: Your insights are invaluable. We welcome your technical feedback by end-February to help us finalize the stable version scheduled for release at the end of March.
- Help Us Build Momentum: Advocacy is key. Please share this update within your professional networks to advance the conversation on cyber-physical security standardization.
- For the Broader Community: Stay connected. Follow the #IDMEFv2 and #Safe4Soc hashtags for real-time updates, visit idmefv2.org for deep-dives and resources, and subscribe to the IDMEFv2 mailing list.
Let’s build the standard format we need to defend our vital infrastructure.
The IDMEFv2 Task Force