diff --git a/.gitignore b/.gitignore
index 9350043..0a51743 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .idea/
 node_modules/
 *.iml
+internal/tools/bin/
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8cc8d43..daf71d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,17 @@ ### Fixes
+## v0.4.0 (2024-12-17)
+
+### Breaking
+
+### Features
+
+- add definitions for custom security control actions.
+ ([#8](https://github.com/Contrast-Security-OSS/secobs-semantic-conventions/pull/8))
+
+### Fixes
+
 ## v0.3.0 (2024-03-06)
 ### Breaking
diff --git a/docs/actions/security-control.md b/docs/actions/security-control.md
new file mode 100644
index 0000000..f6a0dec
--- /dev/null
+++ b/docs/actions/security-control.md
@@ -0,0 +1,20 @@
+# Semantic Conventions for `security-control` Actions
+
+Used when span name is `security-control`.
+
+
+| Attribute | Type | Description | Examples | Requirement Level |
+|---------------------------|---|--------------------------------------------------------------|---------------------------------------|-------------------|
+| `security.control.method` | string | The method of the custom security control. | `com.Acme.OldSecurity.DoLegacySecurity` | Required |
+| `security.control.name` | string | The name of the custom security control. | "My Custom Security Control" | Recommended |
+| `security.control.rules` | string | The rules applicable to the custom security control. | `reflected-xss`; `path-traversal` | Recommended |
+| `security.control.type` | string | The custom security control type. | `sanitizer`; `validator` | Recommended |
+
+`security.control.type` MUST be one of the following:
+
+| Value | Description |
+|---------------------|-----------------|
+| `sanitizer` | Sanitizer |
+| `input-validator` | Input Validator |
+| `regex-validator` | Regex Validator |
+
diff --git a/model/metrics/contrast-actions.yaml b/model/metrics/contrast-actions.yaml
index fb9b922..0222633 100644
--- a/model/metrics/contrast-actions.yaml
+++ b/model/metrics/contrast-actions.yaml
@@ -49,6 +49,9 @@ groups:
 - id: ognl-execution
 value: "ognl-execution"
 brief: "Object-Graph Navigation Language expression execution."
+ - id: security-control
+ value: "security-control"
+ brief: "Custom security controls defined by the user."
 - id: attributes.contrast.action.metric
 extends: attributes.contrast.actions
diff --git a/model/trace/contrast-actions.yml b/model/trace/contrast-actions.yml
index 5c1c27e..953d6d6 100644
--- a/model/trace/contrast-actions.yml
+++ b/model/trace/contrast-actions.yml
@@ -191,12 +191,14 @@ groups:
 "#{20 - 1}", "'Just a string value'.substring(5)" ]
+
 - id: contrast.action.span.el-execution
 type: span
 extends: attributes.contrast.code-exec
 brief: >
 Describes attributes for Contrast Action span of type el-execution. The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime.
+
 - id: contrast.action.span.ognl-execution
 extends: attributes.contrast.code-exec
 type: span
@@ -204,3 +206,44 @@ groups:
 Describes attributes for Contrast Action span of type ognl-execution. OGNL stands for Object-Graph Navigation Language. It is an expression language for getting and setting properties of Java objects, plus other extras such as list projection and selection and lambda expressions. You use the same expression for both getting and setting the value of a property.
+
+ - id: contrast.action.span.security-control
+ type: span
+ brief: >
+ Describes attributes for Contrast Action span of type security-control.
+ attributes:
+ - id: method
+ brief: >
+ The method of the custom security control.
+ requirement_level: required
+ examples: [ com.Acme.OldSecurity.DoLegacySecurity ]
+ type: string
+ - id: name
+ brief: >
+ The name of the custom security control.
+ requirement_level: recommended
+ examples: [ "My Custom Security Control" ]
+ type: string
+ - id: rules
+ brief: >
+ The rules applicable to the custom security control.
+ requirement_level: recommended
+ examples: [ reflected-xss; path-traversal ]
+ type: string
+ - id: type
+ brief: >
+ The custom security control type.
+ requirement_level: recommended
+ examples: [ sanitizer; input-validator ]
+ type:
+ allow_custom_values: false
+ members:
+ - id: sanitizer
+ value: sanitizer
+ brief: Sanitizer
+ - id: input-validator
+ value: input-validator
+ brief: Input Validator
+ - id: regex-validator
+ value: regex-validator
+ brief: Regex Validator
diff --git a/schema-next.yaml b/schema-next.yaml
index 64626c4..7c78d3a 100644
--- a/schema-next.yaml
+++ b/schema-next.yaml
@@ -2,6 +2,7 @@ file_format: 1.1.0
 schema_url: https://github.com/Contrast-Security-OSS/secobs-semantic-conventions/releases/download/next/next
 versions:
 next:
+ 0.4.0:
 0.3.0:
 0.2.0:
 0.1.0:
diff --git a/schemas/0.4.0 b/schemas/0.4.0
new file mode 100644
index 0000000..018cb00
--- /dev/null
+++ b/schemas/0.4.0
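Review bot: The flow-sequence examples on the new `rules` and `type` attributes use `;` as a separator, which YAML does not recognise inside `[ ]`, so `examples: [ reflected-xss; path-traversal ]` and `examples: [ sanitizer; input-validator ]` each parse as a single string — and `sanitizer; input-validator` is not a member of the enum declared directly below it; write them as `examples: [ "reflected-xss", "path-traversal" ]` and `examples: [ "sanitizer", "input-validator" ]`. If one control can be bound to several rules, `rules` should also be `type: string[]` rather than `string`, since its brief and examples already describe a list. The group declares bare attribute ids (`method`, `name`, `rules`, `type`) with no `prefix:`, while the docs/actions/security-control.md added in this commit names them `security.control.*` and lists `validator` as an example value the enum does not allow; unless the build tooling supplies that prefix elsewhere, add `prefix: security.control` to the group and regenerate the docs so model and docs agree. The sibling `el-execution` and `ognl-execution` groups carry `extends: attributes.contrast.code-exec` while this group extends nothing, which may be deliberate for a non-code-exec action but is worth confirming so security-control spans still carry the shared action attributes.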
@@ -0,0 +1,7 @@
+file_format: 1.1.0
+schema_url: https://github.com/Contrast-Security-OSS/secobs-semantic-conventions/releases/download/v0.4.0/0.4.0
+versions:
+ 0.4.0:
+ 0.3.0:
+ 0.2.0:
+ 0.1.0: