Not every compliance program fits neatly into an industry-standard framework. Some programs may require frameworks that Strike Graph doesn't support. Whether you're tracking internal security requirements, managing a proprietary compliance program, or working within a niche regulatory environment, Custom Frameworks gives you the flexibility to define and manage your own criteria inside Strike Graph — and bring them to life alongside your existing compliance work.
With Custom Frameworks, you can upload your own criteria via CSV, map them to controls in your Control Library, and track coverage directly from the Compliance Dashboard, the same way you would with any standard framework.
Availability and permissions
Custom Frameworks is available for Enterprise plan customers. If you're interested in adding this feature to your plan, reach out to your Customer Success Manager.
To create or update a Custom Framework, you'll need Manager permissions within your Strike Graph organization.
How Custom Frameworks work
Once created, a Custom Framework appears as its own tab on your Compliance Dashboard alongside your other active frameworks. Your custom criteria can be mapped to controls in your Control Library, and you can track coverage and evidence the same way you would for any other framework.
You manage Custom Frameworks by uploading a CSV file that defines your framework's categories and criteria. You can create a new framework from scratch or update an existing one by uploading a revised CSV.
Setting up a Custom Framework
Navigate to Settings in the main Strike Graph menu (the gear icon next) and open the Team Settings tab. If Custom Frameworks is enabled for your organization, you'll see a Custom Frameworks section with an Upload Custom Framework button.
Clicking that button opens a two-step setup wizard.
Step 1: Select or create a framework
You'll first be asked how you want to proceed:
Create New Framework — Use this option to set up a brand new custom framework. Please note that once you create a new custom framework, you cannot remove it. You'll need to provide two things:
Display Name — The name of your framework as it will appear throughout Strike Graph (e.g., "Internal Security Program").
Prefix — A short identifier for your framework (3–10 alphanumeric characters, no spaces or special characters). This prefix is used to label your criteria ahead of the criteria's number (e.g. "ACME" would be prefixed to criteria like so — "ACME.2.31.b").
Update Existing Framework — Use this option if you've already created a Custom Framework and want to upload an updated set of criteria. Select the framework you want to update from the dropdown list.
Click Continue to proceed to the CSV upload step. If you selected Create New Framework, Strike Graph will create your framework before advancing to the next step.
Step 2: Upload your CSV
Select a CSV file containing your custom framework categories and criteria, then click Continue to run the import. Once the upload is complete, you'll see a confirmation message and your framework will be ready to use.
CSV format requirements
Your CSV file defines the structure and content of your custom framework's criteria. Strike Graph uses the columns in your CSV to build the framework hierarchy, so it's important that the file is formatted correctly before uploading.
Required columns
Your CSV must include a header row with at least these two columns, spelled exactly as shown:
Category Suffix — A short identifier that makes each row (and criteria) unique within your framework. This suffix is combined with your framework's prefix to form the full category identifier (e.g., a prefix of
ACMEand a suffix of1.1producesACME.1.1). Suffixes must be unique across all rows in your CSV. If a row's Category Suffix is left blank, it updates the name and narrative of the framework root itself rather than creating a new category. Once you create a suffix, you cannot change it.Name — The display name for the criteria as it will appear in Strike Graph (e.g., "Access Control" or "Incident Response") on the framework tree, criteria cards, etc.
Optional columns
Parent Category Suffix — The Category Suffix of this row's parent criteria. Use this column to define a hierarchy within your framework. If left blank, the criteria is treated as a top-level entry under the framework root. If populated, the referenced Parent Category Suffix must exist somewhere else in the same CSV.
Narrative — A description of the category. This is optional but recommended, as it gives context to users working with your framework.
Formatting tips
The Category Suffix does not need to start with a dot (e.g., .1, .CC, .1.1) as it will be added automatically. Suffixes can follow whatever numbering or naming convention your framework uses — there's no required format beyond uniqueness within the file.
Here's a simple example of what a well-formed CSV looks like:
Category Suffix | Name | Parent Category Suffix | Narrative |
| My Custom Program |
| Root description for the framework |
1 | Access Control |
| Requirements related to access management |
1.1 | User Access Reviews | .1 | Periodic review of user accounts and permissions |
1.2 | Least Privilege | .1 | Ensure users have only the access they need |
2 | Incident Response |
| Requirements for responding to security incidents |
In this example, 1.1 and 1.2 are children of 1, which is itself a top-level category under the framework root.
Updating an existing framework with a new CSV
When you upload a CSV to an existing framework, Strike Graph will add new criteria and update the name, narrative, and parent of any category that already exists. Criteria are matched by their suffix. Criteria that are not present in the new CSV will remain unchanged — uploading a revised CSV does not delete existing criteria.
Review your control mappings after updating to make sure they still reflect your intent.
Using your Custom Framework
Once created, your Custom Framework will appear as a new tab on the Compliance Dashboard. From there, you can:
View criteria coverage — See how much of your custom framework is currently satisfied based on the controls mapped to it.
Map criteria to controls — Navigate to the Control Library and map your custom criteria to existing controls, the same way you'd map any standard framework criteria.
Collect and attach evidence — Evidence collection, automated collection, and Verify AI all work with custom frameworks just as they do with standard frameworks.
Updating a Custom Framework
If your compliance requirements evolve, you can update your framework at any time by uploading a revised CSV. Return to Team Settings, click Upload Custom Framework, and select Update Existing Framework. Choose the framework you want to update from the dropdown, upload your new CSV, and confirm.