
Security Orchestration: CACAO Playbooks


Category: Management
Last Updated: Mar 18, 2026

Overview

When a ransomware strain hits a hospital network at 3 a.m., the last thing a responder needs is to improvise containment steps from memory. Standardised, machine-readable response procedures mean the right actions happen in the right order, every time, regardless of who is on shift. Argus implements CACAO v2.0 (Collaborative Automated Course of Action Operations), the OASIS standard for describing and sharing cybersecurity playbooks. CACAO playbooks define structured response workflows, from initial triage through containment and recovery, as machine-readable JSON that can be imported, stored, and exported across organisations.

The underlying CACAO service also includes OpenC2 execution support for service-layer orchestration, enabling automated actions such as blocking an IP or isolating a host without manual intervention.

Key Features

CACAO v2.0 Playbook Import

Submit CACAO playbooks as JSON via the importCacaoJson mutation. The service validates the document structure against the CACAO v2.0 schema, parses playbook metadata, and persists the canonical JSON alongside extracted metadata to PostgreSQL. Invalid playbooks are rejected with structured validation errors before any storage occurs.

OpenC2 Command Execution

CACAO workflow steps of type action with an OpenC2 command target can be executed directly from Argus via the platform's OpenC2 execution layer. This enables automated responses, such as blocking an IP on a firewall, isolating a host, or revoking a session token, triggered by CACAO step execution without manual intervention. OpenC2 actuator endpoints are configured per organisation.
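The structural checks the import step performs before an action step can reach the OpenC2 layer, as an added example that is not Argus's own code: a hypothetical validate_playbook returning structured errors instead of raising on the first problem, run over a constructed sample playbook whose single action step carries an OpenC2 deny command. The step-type list and id prefixes follow the CACAO v2.0 specification; the UUIDs and the 203.0.113.7 address are made up for the example.

```python
import json

# Hypothetical structural checks for a CACAO v2.0 playbook, returning structured
# errors the way the import described above does (this is not Argus's own code).
STEP_TYPES = {"start", "end", "action", "playbook-action", "parallel",
              "if-condition", "while-condition", "switch-condition"}

def validate_playbook(doc):
    """Return a list of (json_path, message) tuples; an empty list means accepted."""
    errors = []
    if doc.get("type") != "playbook" or doc.get("spec_version") != "cacao-2.0":
        errors.append(("type/spec_version", "must be 'playbook' and 'cacao-2.0'"))
    for field in ("id", "name", "created", "modified", "created_by"):
        if field not in doc:
            errors.append((field, "required field missing"))
    wf = doc.get("workflow") or {}
    if doc.get("workflow_start") not in wf:
        errors.append(("workflow_start", "does not name a workflow step"))
    for sid, step in wf.items():
        stype = step.get("type")
        if stype not in STEP_TYPES or not sid.startswith(f"{stype}--"):
            errors.append((f"workflow.{sid}", "unknown step type or mismatched id prefix"))
        # A dangling branch target would stall an automated run mid-incident.
        for nxt in ("on_completion", "on_success", "on_failure"):
            if nxt in step and step[nxt] not in wf:
                errors.append((f"workflow.{sid}.{nxt}", f"dangling reference {step[nxt]}"))
        # OpenC2 bodies must parse and carry action + target before execution.
        for i, cmd in enumerate(step.get("commands", []) if stype == "action" else []):
            if cmd.get("type") != "openc2-http": continue
            try:
                missing = {"action", "target"} - set(json.loads(cmd.get("command", "")))
            except (ValueError, TypeError):
                missing = {"valid JSON"}
            if missing:
                errors.append((f"workflow.{sid}.commands[{i}]", f"OpenC2 command lacks {sorted(missing)}"))
    return errors

# Constructed sample: deny a known C2 address at the perimeter; UUIDs are made up.
S, A = "start--11111111-1111-4111-8111-111111111111", "action--22222222-2222-4222-8222-222222222222"
E = "end--33333333-3333-4333-8333-333333333333"
SAMPLE = {
    "type": "playbook", "spec_version": "cacao-2.0", "workflow_start": S,
    "id": "playbook--4f0c1a6e-2b7c-4d3e-9a1f-0d2c3b4a5e6f", "name": "Ransomware containment",
    "created": "2026-03-18T03:00:00.000Z", "modified": "2026-03-18T03:00:00.000Z",
    "created_by": "identity--aa11bb22-cc33-4d44-8e55-ff6677889900",
    "workflow": {S: {"type": "start", "on_completion": A}, E: {"type": "end"},
                 A: {"type": "action", "name": "Deny known C2 address", "on_completion": E,
                     "commands": [{"type": "openc2-http", "command": json.dumps(
                         {"action": "deny", "target": {"ipv4_net": "203.0.113.7/32"}})}]}}}
```

Calling validate_playbook(SAMPLE) returns an empty list; breaking a step reference or stripping the target from the OpenC2 body yields one structured error per defect, which is the shape a caller can surface without storing anything.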

CACAO Bundle Export

Export stored playbooks as standards-compliant CACAO v2.0 JSON bundles via the exportCacaoPlaybook mutation. An internal adapter serialises the stored playbook record back to the CACAO format, ready for sharing with partner organisations via MISP, STIX bundles, or direct exchange. Each export is logged as an interop export audit event.

Clearance-Filtered Playbook Listing

The playbook inventory enforces row-level secrecy filtering so that playbooks tagged SECRET or above are invisible to analysts with lower clearance. This allows a shared playbook library to contain response procedures across multiple classification levels, each visible only to cleared personnel.

Playbook Status and Versioning

The current cacaoPlaybooks query returns summary metadata for imported playbooks, including name, CACAO identifier, CACAO version, and creation time.

Use Cases

  • Ransomware Response Automation: Import a CACAO playbook defining ransomware containment steps and use OpenC2 execution to automatically isolate infected hosts the moment an infection is confirmed.
  • Intel-Driven Response: Link a CACAO playbook to a Sigma rule or MISP indicator set. When a detection fires, the associated playbook provides the verified response procedure for the analyst to execute or automate.
  • Cross-Agency Playbook Sharing: Export verified incident response playbooks as CACAO bundles and share with partner CERTs or allied organisations in a machine-readable format they can import into their own platforms.
  • Compliance Exercise Automation: Run tabletop exercises using CACAO playbooks with OpenC2 execution against sandbox environments to validate response procedures before operational use.

Integration

Available via GraphQL: cacaoPlaybooks (query); importCacaoJson, exportCacaoPlaybook (mutations). All operations require authentication and organisation scoping.

Implements the OASIS CACAO v2.0 specification. OpenC2 command execution follows the OpenC2 Language Specification v1.0. Works alongside the Playbooks domain (for Argus-native playbooks), MISP and STIX integrations (for intelligence-linked response), and the Sigma rules engine (for detection-triggered playbook activation).

Open Standards

  • OASIS CACAO v2.0 (Collaborative Automated Course of Action Operations): The core standard this capability implements; playbooks are validated against the CACAO v2.0 schema, persisted as canonical CACAO JSON, and exported as standards-compliant CACAO v2.0 bundles for cross-organisation sharing.
  • OpenC2 Language Specification v1.1 (OASIS): Action steps within a CACAO workflow are executed using the OpenC2 command language, enabling automated commands such as deny, contain, and investigate against remote actuator endpoints.
  • OASIS STIX 2.x (Structured Threat Information Expression): Exported CACAO playbook bundles are designed for direct exchange alongside STIX bundles, allowing response procedures to be shared with partner organisations and threat-intelligence platforms in a mutually interoperable format.
  • MISP Standard (Malware Information Sharing Platform): Exported playbooks can be distributed via MISP, and the capability is designed to be activated by MISP indicator sets, linking intelligence-driven detections directly to verified response procedures.
  • GraphQL (June 2018 specification): All playbook operations, including listing, import, and export, are exposed through a GraphQL API using typed queries and mutations with organisation-scoped permission enforcement.
  • JSON (RFC 8259): Playbooks are stored, validated, imported, and exported as UTF-8 JSON documents; the OpenC2 execution layer also uses JSON as the wire format for command and response payloads.

Last Reviewed: 2026-03-18 Last Updated: 2026-04-14
