A busy week for OSA. We've shipped a completely new icon library, added PCI DSS v4.0.1 compliance mappings, and have some exciting news about what's coming next.
Modernised Icon Library
OSA's icon set has always been one of our most popular resources. Security architecture diagrams need domain-specific symbols that generic icon sets simply don't provide - you won't find a firewall, ICS PLC, or security specialist in Heroicons.
We've rebuilt the entire library from scratch: 73 hand-crafted SVG icons across 12 categories including infrastructure, network devices, endpoints, people roles, industrial control systems, and architectural concepts. Every icon uses a consistent 64x64 grid with clean monochrome strokes, designed to work at any size and in any colour scheme.
Browse the full set on our Icon Library page.
The icons are fully open source under CC BY-SA 4.0 and designed for programmatic use - consistent viewBox, stroke-based rendering with currentColor, and a structured JSON manifest. Perfect for automated diagram generation.
PCI DSS v4.0.1 Compliance Mappings
We've added 1,305 mappings between our NIST 800-53 Rev 5 controls and PCI DSS v4.0.1 requirements. This brings our total compliance framework coverage to seven:
- NIST 800-53 Rev 5 (191 controls)
- ISO 27001:2022
- ISO 27002:2022
- COBIT 2019
- CIS Controls v8
- NIST CSF 2.0
- SOC 2 Trust Services Criteria
- PCI DSS v4.0.1 (new)
Every control page now shows you exactly which PCI DSS requirements it satisfies, alongside all other framework mappings. That's over 5,500 individual compliance mappings across the library.
Explore the mappings on our PCI DSS v4.0.1 framework page.
What's Next: AI-Powered Security Architecture
We're pleased to announce that OSA will be working with Seed Drill, a new AI startup, to develop intelligent features on top of OSA's structured data.
The vision: use OSA's unique control-to-framework graph to power AI-assisted threat modelling, control selection, and compliance gap analysis. Unlike generic AI tools that produce generic advice, this approach maps threats directly to specific, auditable controls across multiple compliance frameworks.
Imagine describing your system architecture and getting back not just a list of threats, but the specific NIST 800-53 controls that mitigate each one, cross-referenced to your PCI DSS, ISO 27001, or SOC 2 audit requirements. That's what structured security architecture data combined with AI makes possible.
More details to follow. Watch this space.
The OSA Core Team