Cybersecurity Deep-Tier DSLs Family Index

type: language-family-index
family: cybersec-deep
languages_catalogued: 32
tags: [language-reference, family-index, cybersec-deep, ebpf-krsi, tetragon, falco, kql, codeql, semgrep, sentinel, lql, cosign, landlock, seccomp]

Family overview

The cybersecurity DSL landscape splits into a well-documented open-standards layer — Sigma, STIX/TAXII, OPA Rego, Cedar, OpenSCAP, MITRE ATT&CK, OSCAL — and a much larger, faster-moving operational vendor layer that the open standards have never been able to subsume. This family catalogues the vendor layer plus the deep kernel-security primitives that sit beneath it. The open-standards siblings live in identity-auth-policy, forensic-evidence and government-civictech; this note picks up where they leave off.

The most important shift in the 2020–2026 arc is the eBPF revolution at the kernel security layer. eBPF KRSI (BPF + LSM), upstreamed by Google’s KP Singh into Linux 5.7 in 2020, made it possible to attach arbitrary BPF programs to the existing 200+ LSM hook points — meaning that any security vendor could now ship runtime detection / enforcement without a kernel module and without recompiling the kernel. By 2023 more than 80% of major distros enabled BPF-LSM out of the box (AccuKnox 2024 survey), and the entire generation of products around it — Tetragon (Isovalent, now Cisco), Falco’s modern eBPF driver, Tracee (Aqua), KubeArmor — became practical to deploy. In parallel Landlock (mainline since Linux 5.13, June 2021) gave userspace its own LSM, letting unprivileged processes sandbox themselves without root; Linux 6.7 (2024) added TCP network restrictions and Linux 6.19 (Feb 2026) added shadow stack and lockdown hardening.

The second shift is the cloud-security-posture vendor DSL fragmentation problem. Wiz (acquired by Google for $32B, closed March 11 2026), Lacework (acquired by Fortinet Aug 2024, now FortiCNAPP, LQL still in active development at v26.x), Datadog Cloud Security Management, Orca, Prisma Cloud, Snyk Cloud, CrowdStrike Falcon Cloud Security — every CNAPP vendor has invented its own graph- or table-shaped query DSL over essentially the same underlying cloud-asset graph. There is no convergent standard at this layer; OPA Rego covers admission-control and IaC validation, and KQL has become a partial SIEM lingua franca, but the CSPM query surface remains balkanised.

The third shift is KQL’s quiet emergence as the SIEM lingua franca via Microsoft. The same Kusto Query Language now drives Azure Data Explorer, Azure Monitor / Log Analytics, Azure Resource Graph, Microsoft Sentinel, and Microsoft Defender XDR Advanced Hunting — and as of July 1 2026, all Sentinel UI operations migrate from the Azure portal into the Defender portal, consolidating around KQL as the single hunt-and-detect surface. KQL is cross-listed in forensic-evidence (the EQL/Sigma sibling) and graph-log-event-query; this note treats the Microsoft-stack variants (Sentinel KQL, Defender XDR Advanced Hunting, Resource Graph KQL) as a coherent family. The fourth shift is CodeQL vs Semgrep settling into complementary positions in SAST: CodeQL (2.25.4, May 2026) for deep dataflow on a smaller set of supported languages with a Datalog-style query language, and Semgrep (Multimodal launch March 2026) for fast pattern-matching across 30+ languages with a YAML/AST-pattern DSL.

In our deep library

No standalone deep-library notes exist for the vendor DSLs in this family — they are all proprietary surface languages over commercial platforms. Cross-link:

  • identity-auth-policy — sibling for OPA Rego, Cedar, JWT, IAM JSON, OIDC, SCIM. Rego appears here only in its Conftest / Terraform-policy use.
  • forensic-evidence — sibling for KQL (forensic context), EQL, Sigma, DFXML, CASE/UCO, plaso. KQL is cross-listed in both.
  • government-civictech — sibling for STIX/TAXII, MITRE ATT&CK STIX bundle, CSAF, OSCAL.
  • network-protocol-dsls — sibling for P4, Snort, Suricata, nftables, eBPF assembly / verifier-level BPF. This note covers higher-level eBPF (KRSI, Tetragon TracingPolicy, bpftrace, bcc).
  • oci-cloud-native — sibling for Falco, Cilium Tetragon, Kubernetes ValidatingAdmissionPolicy / CEL, Gatekeeper. Falco and Tetragon are deliberately cross-listed in both — they sit at the K8s/runtime boundary.
  • cryptography-keys — sibling for Sigstore Cosign verification policy, SLSA in-toto attestations, TUF metadata. This note links to it for image-signing policy DSLs.
  • notation-spec — for formal grammars (LSM-hook policy DSLs share notational ancestry with BNF/CDDL).
  • graph-log-event-query — adjacent for the graph-shaped query surfaces (Wiz, Datadog CSPM, KQL graph operators).

Tier 3 family table — Kernel-layer (eBPF / LSM / seccomp)

| Format | First appeared | Origin | Type | Status (2026) | URL |
| --- | --- | --- | --- | --- | --- |
| eBPF KRSI (BPF-LSM) | 2020 (Linux 5.7) | Google (KP Singh) — upstreamed 2019, merged May 2020 | BPF programs attached to LSM hook points; written in restricted C, compiled by Clang to BPF bytecode, verified at load | Active and ubiquitous — >80% of distros enable BPF-LSM out of the box by 2024 (Amazon Linux 2023, RHEL 8.5+ backport, Ubuntu, Debian, Fedora). CVE-2026-43010 (BPF kprobe.multi, fixed mainline April 15 2026) is a reminder it’s still attack surface. | https://docs.kernel.org/bpf/prog_lsm.html |
| Cilium Tetragon TracingPolicy | 2022 (Isovalent) | Cilium / Isovalent, now Cisco (acquired 2024) | CRD-driven YAML DSL declaring kprobe/tracepoint/uprobe hooks, selectors, and post-actions (kill/block/notify). CNCF graduated sub-project of Cilium. | Active — process/file/network observability with kernel-stack and userspace-stack traces in ProcessKprobe events; the leading eBPF runtime-security CRD model. | https://tetragon.io/docs/policy-library/ |
| bpftrace | 2018 (v0.1) | Brendan Gregg + Alastair Robertson; iovisor → bpftrace org 2023 | DTrace-inspired high-level tracing DSL (awk-style); compiles to BPF bytecode via libbpf/Clang | Active, current release v0.25 (2026); the standard ad-hoc kernel tracing language for Linux | https://bpftrace.org/ |
| BCC Python BPF DSL | 2015 | iovisor (Brendan Gregg, Sasha Goldshtein) | Python frontend that embeds restricted-C BPF source, loads via libbcc/libbpf | Active but legacy-trending — libbpf-tools and CO-RE (Compile Once, Run Everywhere) are replacing BCC’s runtime-compilation model; many flagship tools (execsnoop, biosnoop) have been rewritten in libbpf | https://github.com/iovisor/bcc |
| Falco rules YAML + Lua / plugin SDK | 2016 (Sysdig) → CNCF graduated 2024 | Sysdig / Falco Project | YAML rule files (rule, condition, output, priority) over a sysdig-style event filter expression language; plugins extend the source-table model | Active, current release v0.43.1 (April 9 2026). Legacy eBPF, gVisor, and gRPC drivers deprecated in v0.43.0; CO-RE eBPF is now the default. Falco Operator (2026) streamlines K8s deployment. | https://falco.org/docs/concepts/rules/ |
| AppArmor profiles | 2005 (mainline 2010, Linux 2.6.36) | Immunix → SUSE → Canonical → Linux mainline | Path-based MAC profile language; per-binary capability, file, network, signal rules | Active, default on Ubuntu/Debian. openSUSE Leap 16 switched to SELinux Feb 2025 — a notable shift in the SUSE camp. | https://gitlab.com/apparmor/apparmor/-/wikis/Documentation |
| SELinux policy (Reference Policy + CIL) | 2000 (NSA) → mainline Linux 2.6.0 (2003) | NSA → Tresys → community | Label-based MAC; policy written in the Reference Policy macro language, compiled to CIL (Common Intermediate Language) since Linux 3.5 | Active, default on RHEL/Fedora/CentOS Stream/openSUSE 16; the gold-standard MAC with the deepest type-enforcement model | https://github.com/SELinuxProject/refpolicy |
| Landlock (unprivileged LSM) | 2021 (Linux 5.13) | Mickaël Salaün (ANSSI) | Userspace syscall API + ruleset for path-based access control without root | Active and broadening — filesystem rules 5.13+, TCP network rules 6.7 (Jan 2024), shadow-stack hardening 6.19 (Feb 2026). The user-space LSM alternative to AppArmor/SELinux. | https://landlock.io/ |
| Seccomp-BPF filters | 2012 (Linux 3.5) | Will Drewry (Google ChromeOS) | Classic-BPF (cBPF) programs that filter syscalls; Docker/Podman/runc default profiles ship JSON renderings | Active, foundational — every container runtime, Chromium, OpenSSH, systemd, and Kubernetes uses it. Often combined with KRSI rather than replaced. | https://docs.kernel.org/userspace-api/seccomp_filter.html |
| eBPF profiling (Parca/Pyroscope) label DSLs | 2021–2022 | Polar Signals (Parca) / Grafana (Pyroscope, acquired 2022) | Prometheus-style label selector expressions over continuous-profiling samples | Active, increasingly converging with Grafana Pyroscope’s LogQL-like profile DSL | https://www.parca.dev/docs/overview/ |

Tier 3 family table — Cloud-security-posture vendor query DSLs

| Format | First appeared | Origin | Type | Status (2026) | URL |
| --- | --- | --- | --- | --- | --- |
| Wiz Security Graph queries (GraphQL API + Wiz Query Language) | 2020 | Wiz, Inc. (now Google Cloud, acq. closed March 11 2026 for $32B) | GraphQL API over the Wiz Security Graph; rule builder UI compiles to a graph-pattern DSL identifying “toxic combinations” | Active, now part of Google Cloud post-acquisition; Wiz Skills (RSAC 2026) expose the graph to coding-agent IDEs | https://www.wiz.io/blog/welcoming-wiz-to-google-cloud |
| Lacework FortiCNAPP LQL | 2020 | Lacework, now Fortinet (acquired Aug 1 2024 for ~$200–230M, per Forrester) | SQL-like query language for selection/filter/join over polymorphic cloud-event datasources | Active, current docs at v26.2.0 under the FortiCNAPP brand | https://docs.fortinet.com/document/forticnapp/26.2.0/lql-reference/598361/lql-overview |
| Datadog Cloud Security (CSPM) rule DSL | 2021 | Datadog | Custom-rule expression DSL over the Datadog asset graph; 1000+ built-in rules mapped to PCI/SOC2/HIPAA frameworks | Active, generally available with policy-as-code rule authoring | https://docs.datadoghq.com/security/cspm/ |
| Datadog Logs Query Language (DQL) | 2017 | Datadog | Pipe-style log query language (`*` + facet filters + `>` aggregations); separate from Datadog APM trace queries | Active | |
| AWS Security Hub Insight / Finding filter | 2018 | AWS | JSON FilterCriteria and ResourceMappings over ASFF (AWS Security Finding Format) | Active, expanded with the v2 ASFF schema for cross-region/cross-account aggregation | https://docs.aws.amazon.com/securityhub/latest/userguide/asff-syntax.html |
| AWS GuardDuty FindingCriteria | 2017 | AWS | JSON filter DSL over GuardDuty findings (account/region/severity/resource conditions) | Active, extended to Runtime Monitoring eBPF-driven findings 2024–2026 | https://docs.aws.amazon.com/guardduty/latest/APIReference/API_FindingCriteria.html |
| AWS Inspector v2 / Macie / Detective JSON filters | 2021 (Inspector v2), 2017 (Macie v2), 2020 (Detective) | AWS | Service-specific JSON filter schemas; Detective uses a graph-investigation behavior model (not a user-facing DSL) | Active, low velocity in DSL evolution | https://docs.aws.amazon.com/inspector/latest/user/findings-managing-filtering.html |
| Azure Resource Graph KQL | 2018 | Microsoft Azure | KQL over the ARM resource graph (Resources, ResourceContainers, SecurityResources tables) | Active, the canonical Azure CSPM query surface | https://learn.microsoft.com/azure/governance/resource-graph/overview |
| Microsoft Defender for Cloud Apps (MCAS) policy DSL | 2015 (Adallom) → Microsoft | Microsoft (Adallom acq. 2015) | JSON / UI-driven policy conditions for SaaS posture and CASB | Active, integrated into Defender XDR | https://learn.microsoft.com/defender-cloud-apps/control-cloud-apps-with-policies |
| GCP Security Command Center filter / Finding query | 2018 | Google Cloud | CEL-flavored filter syntax over the SCC Finding schema | Active, post-Wiz acquisition expected to expand with Wiz Security Graph integration | https://cloud.google.com/security-command-center/docs/how-to-api-list-findings |
| GCP Cloud Asset Inventory CAI query | 2019 | Google Cloud | Asset/policy search filter DSL over the GCP organization’s resource state | Active | https://cloud.google.com/asset-inventory/docs/searching-resources |

Tier 3 family table — XDR / SIEM advanced-hunting

| Format | First appeared | Origin | Type | Status (2026) | URL |
| --- | --- | --- | --- | --- | --- |
| Microsoft Sentinel KQL | 2019 (Sentinel GA) | Microsoft, on Kusto (2014, Azure Data Explorer) | KQL over Sentinel tables; supports the adx() operator to query Azure Data Explorer in-line | Active and migrating — Sentinel UI moves from the Azure portal to the Microsoft Defender portal effective July 1 2026, but the service and KQL remain | https://learn.microsoft.com/azure/sentinel/kusto-overview |
| Microsoft Defender XDR Advanced Hunting | 2018 (Microsoft 365 Defender hunting) | Microsoft | KQL over a specialised XDR schema (DeviceEvents, EmailEvents, IdentityLogonEvents, CloudAppEvents, AlertEvidence); 30-day raw retention | Active, now the unified hunting surface post-Sentinel-merge (July 2026) | https://learn.microsoft.com/defender-xdr/advanced-hunting-overview |
| CrowdStrike Falcon FQL | ~2017 | CrowdStrike | `<property>:[op]<value>` filter expression syntax across Falcon API service collections (Hosts, Detects, Incidents, Discover) | Active, current docs maintained via the FalconPy SDK and falcon-mcp (2026 MCP server adds FQL guidance for LLM tooling) | https://www.falconpy.io/Usage/Falcon-Query-Language.html |
| CrowdStrike Humio / LogScale FQL | 2021 (Humio acq.) | Humio (Denmark) → CrowdStrike | Pipeline-style log-query DSL distinct from Falcon API FQL; functions chained with the pipe operator (`\|`) | Active, current LogScale docs v1.240+ (April 2026) | |
| Panther pypanther (Detection-as-Code) | 2024 (pypanther beta) → 2025 GA | Panther Labs | Python class-based detection rules replacing Panther’s previous YAML+Python split | Active, the modern Python-native Detection-as-Code reference | https://docs.panther.com/detections/rules/python |
| Snowflake row-access policies / Detection-as-Code on Snowflake | 2022 (Anvilogic, Hunters, Panther-on-Snowflake) | Anvilogic / Hunters / Panther / community | SQL row-access policies + Snowflake-resident detection rules; cross-listed in sql for the warehouse-as-SIEM pattern | Active, a recognisable architecture pattern in 2025–2026 SIEM modernisation | https://docs.snowflake.com/en/user-guide/security-row-intro |

Tier 3 family table — Code / supply-chain SAST + SCA

| Format | First appeared | Origin | Type | Status (2026) | URL |
| --- | --- | --- | --- | --- | --- |
| CodeQL | 2014 (Semmle QL) → 2019 (GitHub acq.) | Semmle (Oxford spinout, Oege de Moor) → GitHub | Datalog-derived object-oriented query language; queries compiled against a code database (relational AST + dataflow + CFG) | Active, v2.25.4 (May 12 2026) adds Swift 6.3.1, models-as-data sanitizers and validators, Vercel serverless analysis. The 2026 Semantic Delta Engine cuts PR scan time ~80% via incremental analysis. | https://codeql.github.com/docs/ |
| Semgrep rules YAML | 2017 (r2c) → 2020 OSS | r2c → Semgrep, Inc. | YAML rules with pattern / pattern-not / pattern-either AST-pattern syntax over Tree-sitter-derived ASTs; 30+ languages | Very active, Semgrep Multimodal launched March 2026 pairing rule-based analysis with LLM reasoning for IDOR/AuthZ detection | https://semgrep.dev/docs/writing-rules/overview |
| Joern CPG query (Scala / Ocular) | 2014 (shiftleft / TU Darmstadt) | Fabian Yamaguchi et al. | Gremlin-style traversal over a Code Property Graph (AST + CFG + PDG); Scala DSL | Active, maintained by Qwiet AI (formerly ShiftLeft) | https://docs.joern.io/ |
| Trivy policy + Rego checks | 2019 (Vad Krasil → Aqua acq. 2020) | Aqua Security | YAML + embedded Rego policies for SCA/IaC/misconfig scanning; SBOM generation in CycloneDX/SPDX | Active, v0.70.0 (April 17 2026) — note the Trivy GitHub Action was compromised twice in March 2026 (TeamPCP supply-chain campaign); pin by commit SHA | https://aquasecurity.github.io/trivy/ |
| Grype / Syft (Anchore) + Grant policy | 2020 (Syft) / 2020 (Grype) / 2024 (Grant) | Anchore | SBOM generation (Syft, SPDX/CycloneDX), vuln matching (Grype), license-policy enforcement (Grant — Rego or builtin DSL) | Active | https://github.com/anchore/grype |
| GitGuardian / TruffleHog secret-detection rules | 2018 (TruffleHog) / 2017 (GitGuardian) | Dylan Ayrey (TruffleHog) / GitGuardian | Regex + entropy + provider-specific validator detector definitions (YAML / Go-coded detectors) | Active, TruffleHog v3 (Go rewrite) and GitGuardian’s signed-validators ecosystem are the de facto standards | https://github.com/trufflesecurity/trufflehog |

Tier 3 family table — Policy-as-code (vendor / TF / supply chain)

| Format | First appeared | Origin | Type | Status (2026) | URL |
| --- | --- | --- | --- | --- | --- |
| HashiCorp Sentinel | 2017 | HashiCorp (now IBM, acq. April 2024 → closed Feb 2025) | Embedded policy-as-code DSL; advisory/soft-mandatory/hard-mandatory enforcement levels in Terraform Cloud/Enterprise, Vault, Consul, Nomad | Active, pre-written AWS Sentinel policy sets reached GA in 2025; remains the canonical Terraform policy DSL alongside OPA Rego | https://docs.hashicorp.com/sentinel |
| OPA Rego (Conftest variant for TF / K8s manifests) | 2018 (Conftest, Gareth Rushgrove) | Styra / CNCF Open Policy Agent | Rego (declarative, Datalog-derived) applied to CI artifacts: Terraform plan JSON, K8s YAML, Dockerfile. Rego itself is catalogued in identity-auth-policy. | Active, OPA graduated CNCF 2021; Conftest is the standard “Rego over arbitrary YAML/JSON” CI gate | https://www.conftest.dev/ |
| Sigstore Cosign verification policy (ClusterImagePolicy / cosign verify --policy) | 2022 | Sigstore (Linux Foundation, OpenSSF) | YAML ClusterImagePolicy in Sigstore Policy Controller; Cosign verifies in-toto attestations against CUE or Rego policies | Active, central to SLSA L3+ enforcement; Cosign supports npm Provenance, GitHub Artifact Attestations, Homebrew Provenance verification (2024–2026) | https://docs.sigstore.dev/policy-controller/overview/ |
| Tekton Chains attestation policy | 2021 | Tekton (CD Foundation) | In-toto SLSA provenance generated by Tekton Chains; verified by Cosign + Policy Controller | Active, the canonical SLSA-in-Tekton story | https://tekton.dev/docs/chains/ |

Total catalogued: 32 formats across kernel layer (10), CSPM vendor (10), XDR/SIEM (6), SAST/SCA (6) — with Sentinel/Conftest/Cosign/Tekton Chains as the policy-as-code coda.

Notable threads

  • eBPF KRSI is now the kernel-security primitive of record. Five years after the May 2020 mainline merge, BPF-LSM is the default-on substrate for cloud workloads: Amazon Linux 2023, RHEL 8.5+ (backport), Fedora, Ubuntu, Debian, EKS — and it underpins every modern runtime security tool that isn’t still hauling a kernel module around (Tetragon, Falco’s modern driver, Tracee, KubeArmor). CVE-2026-43010 (BPF kprobe.multi, fixed in mainline April 15 2026) shows that the verifier itself is now part of the kernel attack surface that auditors scrutinise. The displacement of AppArmor/SELinux is not happening — they remain the default MAC layer on their respective distros — but new vendor enforcement is universally being built as BPF-LSM programs rather than as new LSM modules.

  • The CSPM vendor-DSL fragmentation problem has only intensified post-consolidation. Wiz → Google ($32B, closed March 2026) and Lacework → Fortinet (~$200–230M, Aug 2024) reduced the vendor count without unifying the languages — Wiz’s Security Graph (GraphQL + WQL) and Lacework’s LQL (SQL-like) remain distinct and incompatible, and Google has signalled that the Wiz Skills surface (RSAC 2026) will be exposed to coding agents as a brand, not collapsed into Security Command Center’s CEL filters. There is no convergent industry standard at the CSPM-query layer in 2026, and the Datadog/Orca/Prisma/Snyk camp shows no sign of converging on one. OCSF (Open Cybersecurity Schema Framework, Splunk/AWS, 2022) helps at the schema layer but does nothing at the query-DSL layer.

  • KQL has quietly become the SIEM lingua franca via Microsoft’s full-stack consolidation. The July 1 2026 Sentinel UI migration into the Microsoft Defender portal is the punctuation mark — Sentinel + Defender XDR + Azure Resource Graph + Azure Monitor all share the same KQL surface, the same Kusto engine class, and increasingly the same schema (DeviceEvents, AlertEvidence, CloudAppEvents). The competitive answer from Google (Chronicle UDM / YARA-L 2.0), AWS (Security Hub finding filters + Athena/OpenSearch), and Splunk (SPL2) does not have the same gravitational pull on third-party detection content: GitHub repos of “KQL for hunting” outnumber every other XDR-DSL community by an order of magnitude (cyb3rmik3/KQL-threat-hunting-queries and similar). Sigma remains the cross-vendor abstraction but is mostly used as a transpilation source into KQL/Splunk SPL/Elastic EQL.

  • CodeQL and Semgrep have settled into complementary positions, not a winner-take-all. CodeQL (Semmle / GitHub, Datalog-derived QL) does deep interprocedural dataflow on a fixed set of supported languages — Swift 6.3.1 added in 2.25.4 (May 2026), models-as-data sanitizers and validators across C/C++/C#/Go/Java/Kotlin/JS/TS/Python/Ruby/Rust, and the 2026 Semantic Delta Engine cuts PR scan time ~80%. Semgrep (r2c, YAML AST-pattern DSL) trades depth for breadth — 30+ languages, faster authoring, and the March 2026 Multimodal launch pairs the deterministic engine with LLM reasoning for IDOR/AuthZ detection that pure pattern-matching misses. CodeQL ships free for OSS and is paid for private repos via GHAS; Semgrep CE is open-source under a non-OSI Semgrep Rules License (Polyform-derived). Both languages remain catalogued at the deep tier rather than promoted because their query semantics are too vendor-specific to abstract.

  • HashiCorp Sentinel still matters in Terraform policy enforcement, post-IBM acquisition. IBM closed the HashiCorp acquisition in February 2025, and Sentinel retained both its language and its market position — pre-written AWS Sentinel policy sets reached GA in 2025, and Sentinel remains the only policy DSL with a tight, multi-product integration across Terraform Cloud/Enterprise, Vault, Consul, and Nomad with three enforcement levels (advisory / soft-mandatory / hard-mandatory). OPA Rego via Conftest is the open-source alternative and dominates the K8s-admission and CI-gate territory; the two coexist by audience (Sentinel for HCP customers, Rego/Conftest for CNCF stacks). Real-world Terraform shops increasingly run both — Sentinel on TFE, Rego/Conftest on the same plan-JSON in CI.

  • Landlock is the underappreciated user-space LSM story. Mickaël Salaün’s Landlock (ANSSI, mainlined Linux 5.13 in 2021) lets unprivileged processes sandbox themselves via a syscall-driven ruleset — no SELinux policy compilation, no AppArmor profile path, no root. Filesystem rules shipped in 5.13, TCP network restrictions in 6.7 (Jan 2024), and Linux 6.19 (Feb 2026) added shadow-stack hardening and lockdown-mode tightening. As Chromium, systemd, and OpenSSH adopt Landlock fences, the model — sandbox-yourself rather than be-sandboxed-by-admin — increasingly competes with seccomp-BPF for the same role. The DSL is shallow (a syscall struct API, not a textual language), but it belongs in this family as the modern complement to AppArmor/SELinux MAC profiles.

  • Sigstore / Cosign verification policy is the supply-chain convergence point. SLSA L3+ now requires verifiable in-toto attestations, and Cosign’s verification surface — ClusterImagePolicy YAML, CUE policies, Rego policies invoked by cosign verify --policy — is the convergent answer. Cosign’s 2024–2026 expansion to verify npm Provenance, GitHub Artifact Attestations, and Homebrew Provenance signed bundles cements it as the cross-ecosystem verification verb. Cross-link: cryptography-keys covers the underlying key-and-attestation formats; this family covers the policy surface that consumes them.
