OSA Landscape

The security architecture landscape that maps all 52 OSA patterns across 8 domains.

Landscape diagram: OSA Landscape V12 · opensecurityarchitecture.org · 2026
Legend: Clickable pattern reference · Grey codes = NIST 800-53 control families · 41 patterns across 8 domains

GOVERNANCE, RISK & COMPLIANCE
Topics: ISMS · Risk Assessment · Cyber Resilience · Offensive Testing · Third Party Risk · Compliance · Audit
Patterns: SP-018 SP-034 SP-035 SP-042

PERIMETER & NETWORK
Topics: Firewalls · DMZ · VPN · Proxies · Network Zones · Segmentation · TLS · Zero Trust · Wireless · PCI · IDS/IPS · Email Security
Patterns: SP-006 SP-007 SP-016 SP-017 SP-020 SP-026 SP-029
NIST 800-53 control families: SC · AC · CA

IDENTITY & ACCESS
Topics: Identity Management · Authentication · MFA · Passkeys · FIDO2 · SSO · Privileged Access · Federation · PKI · Certificates · Directory Services
Patterns: SP-010 SP-032 SP-033 SP-037
NIST 800-53 control families: AC · IA

APPLICATION & CLOUD
Topics: Web Applications · APIs · SOA · Cloud · DevSecOps · CI/CD · SDLC · AI/ML Security · Microservices · Collaboration · File Exchange
Patterns: SP-004 SP-005 SP-008 SP-011 SP-012 SP-019 SP-021 SP-027 SP-028 SP-030 SP-041
NIST 800-53 control families: SA · SC · SI

DATA PROTECTION
Topics: Data Classification · Encryption · Post-Quantum Cryptography · Privacy · Client-Side Encryption · DLP · Backup · Retention · Secure Disposal
Patterns: SP-013 SP-039 SP-040
NIST 800-53 control families: MP · CP · SC · PT

ENDPOINTS & DEVICES
Topics: Workstations · Servers · Mobile · BYOD · Remote Working · IoT · Industrial Control Systems · Configuration · Patch Management
Patterns: SP-001 SP-002 SP-003 SP-015 SP-023 SP-024
NIST 800-53 control families: CM · MA · PE · SI

SECURITY OPERATIONS
Topics: Monitoring · Detection · SIEM · EDR · Incident Response · Forensics · Vulnerability Management · Patching · Continuous Monitoring · Threat Intel
Patterns: SP-025 SP-031 SP-036 SP-038
NIST 800-53 control families: AU · IR · SI · CM

PEOPLE, AWARENESS & PHYSICAL SECURITY
Topics: Security Training · Awareness · Board Room · Personnel Security · Physical Protection · Security Culture
Patterns: SP-014 SP-022

The OSA Landscape defines the topic coverage for security architecture. It organises all 52 patterns into 8 domains, making it easy to identify coverage strengths, spot gaps, and prioritise new pattern development.

Click any pattern badge in the diagram to navigate directly to that pattern.

Domains

Governance, Risk & Compliance

Framework-level patterns that span organisational boundaries: PCI full environment assessments, third-party risk management, cyber resilience (DORA/BoE), and offensive security testing (CBEST/TIBER-EU).

Perimeter & Network

Network architecture from edge to core: firewalls, DMZ design, VPN, content filtering, secure network zones, and zero trust architecture.

Identity & Access

Authentication and authorisation: enterprise identity management, modern authentication (OIDC/OAuth), passkey/FIDO2, and privileged user management (PAM/JIT).

Application & Cloud

The largest domain, covering SOA security, web services, cloud security, secure SDLC, API security, secure AI integration, developer security baselines, and application-level patterns for messaging and collaboration.

Data Protection

Data-centric security: database security, storage, and data-at-rest protection.

Endpoints & Devices

Endpoint and edge device security: client security, mobile, industrial control systems, secure remote working, vulnerability management, and security monitoring.

Security Operations

Operational security functions: SOC operations, incident response, backup and business continuity, and the overarching enterprise information security management pattern.

People

Human-centred security: awareness and training, and the advanced persistent threat pattern, which addresses social engineering and targeted attacks.

Version History

V12 (2026)

Complete rebuild mapping all 52 patterns across 8 domains with clickable navigation. Added 15+ new patterns covering zero trust, AI security, cyber resilience, DevSecOps, passkeys, API security, and more.

V10 (Legacy)

Added Legal and Regulatory, Backup, Change Management, Configuration and Asset Management, extended Service Operations, and reorganised central security services.