DOI: 10.3390/app16126185 ISSN: 2076-3417

Toward a Unified View of Cybersecurity Ontologies: A Systematic Review and Conceptual Consolidation

Ricardo Gacitua, Mauricio Diéguez-Rebolledo

(1) Background: Cybersecurity has grown in scale and complexity, increasing the need for shared conceptual frameworks that enable consistent, interoperable, and machine-readable representations of security knowledge. Ontologies address this need by structuring core cybersecurity concepts, yet existing efforts vary widely in purpose and methodological rigour. Prior developments tend to follow either an instrumental path—prioritizing usability and rapid adoption—or a formal path, emphasising logical precision and reasoning capabilities. This divergence has resulted in a fragmented landscape lacking analytical synthesis. (2) Methods: To clarify current practices and uncover research opportunities, we conducted a systematic literature review of 93 cybersecurity ontologies published over the past decade. Following PRISMA guidelines, we analysed their conceptual coverage, development methods, validation strategies, and alignment with the NIST Cybersecurity Framework (CSF) 2.0. (3) Results: Despite heterogeneity in scope, the ontologies consistently model core entities such as Asset, Threat, Vulnerability, Attack, and Countermeasure. However, conceptual coverage remains uneven: most contributions focus on the Identify and Detect functions of the NIST CSF, while Respond and Recover are largely underrepresented. This reveals a prevailing emphasis on preventive security rather than resilience and highlights gaps in empirical validation and industrial deployment. (4) Conclusions: The field shows strong conceptual maturation but limited methodological consistency and operational impact. Advancing cybersecurity ontologies will require integrating pragmatic and formal modelling traditions, incorporating emerging techniques such as knowledge graphs and LLM-assisted ontology learning, and expanding coverage toward post-incident response and recovery. These steps are essential for developing a unified, explainable, and adaptive cybersecurity knowledge base capable of supporting real-world security operations.
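The abstract names the five core entities the reviewed ontologies share (Asset, Threat, Vulnerability, Attack, Countermeasure) and measures coverage against the six NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover). The following is an added illustration, not code from the paper or any of the 93 ontologies it reviews: a minimal in-memory triple store that declares those five classes, tags each with the CSF function it serves, enforces domain/range constraints on relations (the "formal path" in miniature), answers a reasoning query across the graph, and reports which CSF functions no class covers. The relation schema (affects, exploits, realizes, mitigates), the CSF tagging of each class, and every individual name are this example's assumptions; the sample data is constructed, not drawn from any real asset or CVE.

```python
from collections import defaultdict

# NIST CSF 2.0 core functions.
CSF_FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")

# Assumed relation schema: predicate -> (domain class, range class).
# These names are this example's choice, not a schema from the paper.
RELATIONS = {
    "affects":   ("Vulnerability", "Asset"),
    "exploits":  ("Threat", "Vulnerability"),
    "realizes":  ("Attack", "Threat"),
    "mitigates": ("Countermeasure", "Vulnerability"),
}


class Ontology:
    """Minimal in-memory triple store with class-level CSF function tags."""

    def __init__(self):
        self.classes = {}      # class name -> set of CSF functions it serves
        self.instances = {}    # individual -> class name
        self.triples = set()   # (subject, predicate, object)

    def add_class(self, name, *functions):
        unknown = set(functions) - set(CSF_FUNCTIONS)
        if unknown:
            raise ValueError(f"unknown CSF function(s): {sorted(unknown)}")
        self.classes[name] = set(functions)

    def add_individual(self, name, cls):
        if cls not in self.classes:
            raise ValueError(f"undeclared class: {cls}")
        self.instances[name] = cls

    def relate(self, subject, predicate, obj):
        """Assert a triple, rejecting it if it violates the predicate's domain/range."""
        domain, rng = RELATIONS[predicate]
        if self.instances.get(subject) != domain or self.instances.get(obj) != rng:
            raise TypeError(f"{subject} {predicate} {obj} violates {domain} -> {rng}")
        self.triples.add((subject, predicate, obj))

    def subjects(self, predicate, obj):
        """All subjects s such that (s, predicate, obj) is asserted."""
        return {s for s, p, o in self.triples if p == predicate and o == obj}

    def countermeasures_for(self, asset):
        """Follow Countermeasure -mitigates-> Vulnerability -affects-> Asset."""
        return {cm for v in self.subjects("affects", asset)
                for cm in self.subjects("mitigates", v)}

    def unmitigated_threats(self, asset):
        """Threats exploiting a vulnerability of this asset that nothing mitigates."""
        return {t for v in self.subjects("affects", asset)
                if not self.subjects("mitigates", v)
                for t in self.subjects("exploits", v)}

    def coverage(self):
        """CSF function -> sorted list of classes that serve it."""
        return {f: sorted(c for c, fs in self.classes.items() if f in fs)
                for f in CSF_FUNCTIONS}

    def uncovered_functions(self):
        """CSF functions with no modelled class at all (the gap the review reports)."""
        return [f for f, classes in self.coverage().items() if not classes]


def build_example():
    """Constructed sample ontology; all identifiers are illustrative (assumption)."""
    o = Ontology()
    o.add_class("Asset", "Identify")
    o.add_class("Threat", "Identify")
    o.add_class("Vulnerability", "Identify")
    o.add_class("Attack", "Detect")
    o.add_class("Countermeasure", "Protect")
    for name, cls in [("web-app-01", "Asset"),
                      ("sqli-login-form", "Vulnerability"),
                      ("weak-tls-config", "Vulnerability"),
                      ("data-exfiltration", "Threat"),
                      ("credential-theft", "Threat"),
                      ("sqli-attempt", "Attack"),
                      ("parameterised-queries", "Countermeasure")]:
        o.add_individual(name, cls)
    o.relate("sqli-login-form", "affects", "web-app-01")
    o.relate("weak-tls-config", "affects", "web-app-01")
    o.relate("data-exfiltration", "exploits", "sqli-login-form")
    o.relate("credential-theft", "exploits", "weak-tls-config")
    o.relate("sqli-attempt", "realizes", "data-exfiltration")
    o.relate("parameterised-queries", "mitigates", "sqli-login-form")
    return o


if __name__ == "__main__":
    onto = build_example()
    print("countermeasures for web-app-01:", onto.countermeasures_for("web-app-01"))
    print("unmitigated threats:", onto.unmitigated_threats("web-app-01"))
    print("CSF functions with no modelled class:", onto.uncovered_functions())
```

Because the five classes are tagged only with Identify, Protect and Detect, `uncovered_functions()` returns Govern, Respond and Recover, which is the shape of the gap the review describes: nothing in the model represents an incident, a containment action or a restoration step, so no query about response or recovery can be answered. The domain/range check in `relate()` is what distinguishes a formally constrained ontology from a loosely typed knowledge graph; it refuses, for instance, to record an Asset as the thing that exploits a Vulnerability.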