diff --git a/pkg/acquisition/modules/appsec/appsec-schema.yaml b/pkg/acquisition/modules/appsec/appsec-schema.yaml
new file mode 100644
index 00000000000..3e3035fc27f
--- /dev/null
+++ b/pkg/acquisition/modules/appsec/appsec-schema.yaml
@@ -0,0 +1,103 @@
+$schema: "https://json-schema.org/draft/2020-12/schema"
+# Schema definition for CrowdSec AppSec datasource configuration
+# This schema enforces structure and validation for various configuration options.
+title: CrowdSec AppSec datasource configuration
+type: object
+required:
+ - type
+properties:
+ type:
+ const: appsec
+ listen_addr:
+ type: string
+ description: TCP listen address; defaults to 127.0.0.1:7422 when no socket is set.
+ default: 127.0.0.1:7422
+ listen_socket:
+ type: string
+ description: Unix socket path alternative to listen_addr.
+ path:
+ type: string
+ description: HTTP path served by the datasource; value is prefixed with / if missing.
+ default: /
+ routines:
+ type: integer
+ minimum: 1
+ description: Number of concurrent AppSec runners; coerced to at least 1.
+ default: 1
+ cert_file:
+ type: string
+ description: PEM certificate required together with key_file to enable TLS on listen_addr.
+ key_file:
+ type: string
+ description: PEM key required together with cert_file to enable TLS on listen_addr.
+ appsec_config:
+ type: string
+ description: Inline AppSec config blob passed to AppsecConfig.Load().
+ appsec_configs:
+ type: array
+ items:
+ type: string
+ minItems: 1
+ description: List of inline AppSec config blobs (each passed to AppsecConfig.Load()).
+ appsec_config_path:
+ type: string
+ description: Filesystem path loaded via AppsecConfig.LoadByPath().
+ # Path to the appsec configuration file. Used instead of appsec_config.
+ auth_cache_duration:
+ type: string
+ pattern: "^([0-9]+(ns|us|ms|s|m|h))+$"
+ description: Go duration string for API-key cache TTL; defaults to 1m.
+ default: 1m
+ mode:
+ type: string
+ enum: [tail, cat, server]
+ description: Acquisition mode; defaults to tail.
+ default: tail
+ labels:
+ type: object
+ additionalProperties:
+ type: string
+ description: Optional key/value labels attached to emitted events.
+ log_level:
+ type: string
+ enum: [panic, fatal, error, warn, info, debug, trace]
+ description: Overrides datasource logger level.
+ source:
+ type: string
+ description: Custom source string stamped on events.
+ name:
+ type: string
+ description: Datasource name; defaults to socket path or listen_addr+path.
+ use_time_machine:
+ type: boolean
+ description: Enable acquisition time-machine mode.
+ unique_id:
+ type: string
+ description: Stable identifier used for deduplication.
+ transform:
+ type: string
+ description: ExprLang transform applied to events.
+allOf:
+ - oneOf:
+ - required: [appsec_config] # Configuration provided directly
+ not:
+ anyOf:
+ - required: [appsec_config_path] # Cannot use path and inline config together
+ - required: [appsec_configs]
+ - required: [appsec_config_path] # Path to external configuration
+ not:
+ required: [appsec_configs] # Cannot use multiple configurations
+ - required: [appsec_configs] # Multiple configurations
+ not:
+ anyOf:
+ - required: [appsec_config] # Cannot use inline config with multiple configs
+ - required: [appsec_config_path]
+ - anyOf:
+ - required: [listen_addr] # Address to listen on
+ - required: [listen_socket] # Socket to listen on
+dependentRequired:
+ cert_file:
+ - key_file
+ key_file:
+ - cert_file
+additionalProperties: false
\ No newline at end of file
diff --git a/pkg/acquisition/modules/appsec/schema/appsec-schema.yaml b/pkg/acquisition/modules/appsec/schema/appsec-schema.yaml
new file mode 100644
index 00000000000..601bface6f2
--- /dev/null
+++ b/pkg/acquisition/modules/appsec/schema/appsec-schema.yaml
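Review bot: The `appsec_config_path` branch of the `oneOf` only excludes `appsec_configs`, so a document that sets both `appsec_config` and `appsec_config_path` fails branches one and three but matches branch two alone, and the `oneOf` accepts it; `schema/tests/invalid/invalid_config.yaml` in this same commit is exactly that combination and would validate if it is run against this schema. The `not` clauses are what make the three branches asymmetric and are not needed, because `oneOf` already fails when two of the `required` keys are present at once; the same block is duplicated verbatim in `schema/appsec-schema.yaml` and needs the same change. Separately, the `auth_cache_duration` pattern rejects fractional values such as `1.5m` and the `µs` unit that a Go duration parser accepts, so a single-quoted pattern like `'^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$'` would be closer to what the loader takes (double quotes would need the backslash doubled). The stray comment `# Path to the appsec configuration file. Used instead of appsec_config.` under `appsec_config_path` repeats the description and should be dropped.
```yaml
allOf:
  - oneOf:
      # exactly one configuration source; oneOf itself rejects a document that sets two of them
      - required: [appsec_config]
      - required: [appsec_config_path]
      - required: [appsec_configs]
  # … unchanged: listen_addr / listen_socket anyOf …
```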
@@ -0,0 +1,18 @@
+allOf:
+ - oneOf:
+ - required: [appsec_config] # Configuration provided directly
+ not:
+ anyOf:
+ - required: [appsec_config_path] # Cannot use path and inline config together
+ - required: [appsec_configs]
+ - required: [appsec_config_path] # Path to external configuration
+ not:
+ required: [appsec_configs] # Cannot use multiple configurations
+ - required: [appsec_configs] # Multiple configurations
+ not:
+ anyOf:
+ - required: [appsec_config] # Cannot use inline config with multiple configs
+ - required: [appsec_config_path]
+ - anyOf:
+ - required: [listen_addr] # Address to listen on
+ - required: [listen_socket] # Socket to listen on
diff --git a/pkg/acquisition/modules/appsec/schema/tests/invalid/invalid_config.yaml b/pkg/acquisition/modules/appsec/schema/tests/invalid/invalid_config.yaml
new file mode 100644
index 00000000000..3d1346618f2
--- /dev/null
+++ b/pkg/acquisition/modules/appsec/schema/tests/invalid/invalid_config.yaml
@@ -0,0 +1,3 @@
+appsec_config: value
+appsec_config_path: "/path/to/config"
+listen_socket: "/var/run/my.sock"
diff --git a/pkg/acquisition/modules/appsec/schema/tests/valid/valid_config.yaml b/pkg/acquisition/modules/appsec/schema/tests/valid/valid_config.yaml
new file mode 100644
index 00000000000..149f934c158
--- /dev/null
+++ b/pkg/acquisition/modules/appsec/schema/tests/valid/valid_config.yaml
@@ -0,0 +1,3 @@
+appsec_config:
+ key: value
+listen_addr: "0.0.0.0"
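Review bot: This file repeats the `allOf` block of `pkg/acquisition/modules/appsec/appsec-schema.yaml` verbatim, so the two copies will drift unless one refers to the other. It also carries no `properties`, `type` or `additionalProperties`, so on its own it says nothing about unknown keys or value types; if this is the document the `schema/tests` fixtures are validated against, they are checked for the cross-key rules only, which is not obvious from the file. A header comment such as `# Cross-key constraints only; property definitions live in ../appsec-schema.yaml`, or a `$ref` to the full schema in place of the duplicated block, would make the intent explicit.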
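Review bot: The only invalid fixture combines `appsec_config` with `appsec_config_path`, so nothing exercises the listener requirement, the `cert_file`/`key_file` pairing, or the rejection of unknown keys that the full schema declares with `additionalProperties: false`. Fixtures for a document with neither `listen_addr` nor `listen_socket`, one with `cert_file` but no `key_file`, and one with an unrecognised key would cover the constraints the schema actually encodes. A one-line comment at the top of each fixture naming the rule it is meant to violate, e.g. `# invalid: inline config and config path are mutually exclusive`, would keep the expected failure traceable when the schema changes.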
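Review bot: `appsec_config` is given as a mapping (`key: value`) here, but the full schema in `pkg/acquisition/modules/appsec/appsec-schema.yaml` declares it as `type: string`, so this fixture is valid only against the reduced `schema/appsec-schema.yaml`, which has no property types, and fails on type against the full schema. Either make the value a string, `appsec_config: "value"`, or state in a header comment which schema document the fixture targets. `listen_addr: "0.0.0.0"` also has no port, while the property's description gives the `127.0.0.1:7422` host:port form; if the loader requires a port, a `pattern` on `listen_addr` would catch it, but the page does not show how the address is parsed.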