The Cost of a Correct Triage
Raw logs get AI triage wrong every time - zero correct verdicts across nine test runs, because the model can't tell malicious from benign without enrichment context. OCSF-normalized data fixes that: enrich once at ingest instead of per query, and you get correct triage at $0.48 per alert - 23% cheaper than raw logs, with the accuracy raw logs can't reach at any price.

We ran Claude Opus 4.8 through the triage of one security alert, three ways - as raw vendor logs, as OCSF-normalized events, and as field-pruned OCSF - repeated and graded for correctness against known ground truth. Every number here is measured, not modeled - using OCSF as the test variable, though the mechanism generalizes to any security-semantic normalization schema.
Other vendors also normalize to OCSF - but normalization that relies on AI agents/co-pilots introduces fragility because of the non-deterministic nature of AI. Axoflow normalizes autonomously and deterministically: the same security-semantic field mapping, every source, every run, without manual intervention. That determinism is what makes the cost reduction shown here reproducible in production, not just in a benchmark.
Raw logs can't be triaged correctly at any price.
0/9 correct runs on raw logs, even with Opus 4.8 at high effort
No geo/intel/asset context → benign traffic gets flagged as hostile.
OCSF's value is not cheaper tokens - it is making a correct, low-false-positive triage achievable cheaply.
Where enrichment lives determines what a correct triage costs.
OCSF moves enrichment from query time - paid on every alert - to ingest time, paid once. Across hundreds of alerts a day, that's the number that compounds.
Results at a Glance
One alert, 82 correlated logs, Claude Opus 4.8, agentic loop. Each tier in its best correct-capable configuration, 3 runs each, graded against ground truth:

And the finding that frames everything - raw without enrichment cannot be made correct at any price:

Raw failed every no-enrichment run on false positives - flagging benign IPs as hostile - because raw logs carry no geo/intel/asset fields to separate the RU known-scanner from benign US traffic. OCSF carries them inline; raw must fetch them, and only then gets it right.
Boundary Conditions
How the Alert Is Handled with Raw Logs
A detection engineer drops the correlated logs into a file and points the agent at it. From the actual run transcripts, raw triage proceeds:
- Write to file, then "parse and triage raw.log."
- Discover the formats - the agent runs
headsamples and finds four different formats mixed together. - Try
jq- works on the CloudTrail/EDR JSON, dies on the ASA syslog and the tab-delimited Windows 4625. - Hand-roll a parser per non-JSON format - switch to
sed/awk/regex, write a pattern, get a partial match, re-read the fat raw line to fix field offsets, wrestle the priority header and duplicatedip/port (ip/port)tuples, retry. This dominated the loop (raw baseline ran 14-32 turns). - Dedup, correlate across formats, render a verdict.
And here is where raw fails: with no enrichment, the agent cannot distinguish the malicious 198.51.100.23 from benign IPs that also touched the DMZ - so it either flags them all or mis-attributes. All 9 no-enrichment raw runs produced false positives; 0 were correct. To get it right, raw must additionally look up each IP/host/hash in a threat-intel source - extra turns to acquire what OCSF already carries.raw vs OCSF (curated) vs OCSF (pruned) - the Workflows

The two reduction tiers attack different things: OCSF normalization removes the parser-crafting and supplies the enrichment inline; field-pruning further shrinks the payload per record. Both shorten the loop - but pruning has a floor.
Token & Cost Per Tier
Full investigation, default settings (4 runs/tier, mean)

Raw to OCSF at default settings: 45% fewer tokens, 31% cheaper. Real, but modest - and erodable by a good prompt.
The metric that counts - cost to a correct triage (3 runs/tier, graded)

- OCSF is 23% cheaper than raw per correct triage; pruned 54% cheaper - but pruned hit a fidelity floor: 1 of 3 runs missed the multi-stage chain. It produced no false positives, but under-called the attack.
- Raw's premium is the price of re-acquiring enrichment. Raw went 0/9 to 3/3 only once given a threat-intel lookup; it then costs 23-54% more than OCSF.
Where Did the Tokens Go?
Across every tier, the cost is re-reading the accumulating transcript each turn, not the logs themselves:

87-93% of all tokens are cache re-reads. Because this re-read cost grows with the number of turns, anything that shortens the loop attacks the dominant term directly. In the best-correct configs, fewer turns drop the read share to 78-83% and the totals to 135-248K.
Possible Cost Levers
Measured token reduction vs the default baseline (factorial across tiers):

The single biggest token reducer is the system prompt (-69%) - but it is correctness-blind. The same prompt that makes raw cheap makes it wrong: it dispositions fast on data it can't disambiguate, and over-flags.
The operation that contributes most to using fewer tokens while staying correct is OCSF normalization plus its inline enrichment. It is the only lever that lets the agent go cheap and reach the right verdict - because it removes the parser-crafting and hands the agent the geo/intel/asset facts it would otherwise have to spend turns fetching.
Get started with Axoflow
Ready to normalize your security data?
Axoflow normalizes to OCSF deterministically - same field mapping, every source, every run. No AI agents in the pipeline.