About OpenCASE

OpenCASE is an open source cybersecurity framework which has been developed specifically for small enterprises. If you run or work for a small enterprise (or any small organisation) and want to be better at cybersecurity but don’t know where to start, then OpenCASE is for you. If you work with small enterprise customers or partners and want them to be better at cybersecurity, OpenCASE is how you start that conversation.

Objectives

OpenCASE aims to define a public standard for small enterprise cybersecurity that actually makes sense. Not “small to medium enterprise”, SMALL.

To make sense in this context, the standard must be:

  • Freely available and usable.
  • Easy to understand and follow.
  • Accompanied by clear, practical guidance on implementation.
  • Designed specifically for modern small business IT environments, not legacy models from 10-20 years ago.
  • Designed specifically to address the cybersecurity risk profile of small enterprises, not adapted from a reductionist or cherry-picked version of a more complex enterprise framework.
  • Realistically achievable with the time, resources, and expertise available to a typical small enterprise.

In addition to making sense, OpenCASE aims to deliberately exclude any content which is not useful to the intended target audience. In other words:

  • No controls and capabilities which are not applicable, feasible, or appropriate for small enterprise.
  • Avoid “freebies” - controls and capabilities which are commonly built-in, on by default, and/or do not require any specific additional configuration.

Design Assumptions

The design of OpenCASE is guided by the objectives above. Since the framework is targeted explicitly at small enterprise, it’s important to define what exactly is considered a small enterprise. OpenCASE is based on the following assumptions about the nature of modern small enterprise:

  • Fewer than 50 seats (head count).
  • Distributed / remote / hybrid workforce.
  • May or may not have a physical office or premises.
  • Physical office space may be shared/unsecured (e.g. co-working).
  • Pure cloud-based IT environment. No physical IT or network infrastructure, with the possible exception of office Internet connectivity.
  • If an office network exists at all, it is not a trusted or otherwise special location. No important resources are hosted on it.
  • Limited internal IT or cybersecurity expertise, most likely none.
  • May or may not have a third party IT services provider.

Further to this, the 3 Implementation levels are targeted explicitly according to an assumed level of implementation capability. Review the HOWTO for more details.

LICENSE

OpenCASE Framework © 2025 by The OpenCASE Project is licensed under Creative Commons Attribution-ShareAlike 4.0 International. The full text of this license is in the LICENSE file. It can also be viewed at https://creativecommons.org/licenses/by-sa/4.0/

TL;DR:

  • You are free to use OpenCASE in a commercial setting, as long as proper attribution is provided and you do not claim endorsement by, or affiliation with, the project or its maintainers.
  • You may adapt and build upon the material with attribution, but must release any derivative works under the same terms as this license.

CONTRIBUTING

As an open source project, OpenCASE welcomes contributions from the community. While constructive feedback on the content and structure of the specification is welcome, the greatest value for OpenCASE users will come from additional resources which aid implementation - detailed platform-specific guides, document templates, scripts, etc.

All contributions should be made via the source repo, which is the source of truth for the framework.

Please submit an issue in the source if you:

  • Find any typos, spelling or grammatical errors, inconsistencies, contradictions, etc.
  • Want to make suggestions for improvements or additions to the framework.
  • Want to submit some constructive criticism.

Please submit a PR if you:

  • Want to contribute additional collateral, e.g. technical guides, templates, scripts, etc.
  • Feel charitable enough to fix any typos you find yourself.

Please get in the bin if you:

  • Don’t like OpenCASE.
  • Disagree with OpenCASE’s approach/design/content/flavour.
  • Just want to complain.