diff --git a/document-store/src/main/java/org/hypertrace/core/documentstore/expression/impl/JsonIdentifierExpression.java b/document-store/src/main/java/org/hypertrace/core/documentstore/expression/impl/JsonIdentifierExpression.java
index 6d3abf4f..277af0f2 100644
--- a/document-store/src/main/java/org/hypertrace/core/documentstore/expression/impl/JsonIdentifierExpression.java
+++ b/document-store/src/main/java/org/hypertrace/core/documentstore/expression/impl/JsonIdentifierExpression.java
@@ -29,19 +29,14 @@ public static JsonIdentifierExpression of(final String columnName, final String.
   }
 
   public static JsonIdentifierExpression of(final String columnName, final List<String> jsonPath) {
-    // Validate column name to prevent SQL injection
     BasicPostgresSecurityValidator.getDefault().validateIdentifier(columnName);
 
-    // Validate each element in the JSON path
     if (jsonPath == null || jsonPath.isEmpty()) {
       throw new IllegalArgumentException("JSON path cannot be null or empty");
     }
 
-    // Validate JSON path to prevent SQL injection
     BasicPostgresSecurityValidator.getDefault().validateJsonPath(jsonPath);
 
-    // Create unmodifiable defensive copy using List.copyOf (Java 10+)
-    // If already unmodifiable, returns the same instance
     List<String> unmodifiablePath = List.copyOf(jsonPath);
 
     // Construct full name for compatibility: "customAttr.myAttribute"
diff --git a/document-store/src/main/java/org/hypertrace/core/documentstore/postgres/query/v1/transformer/FlatPostgresFieldTransformer.java b/document-store/src/main/java/org/hypertrace/core/documentstore/postgres/query/v1/transformer/FlatPostgresFieldTransformer.java
index 6ff6f790..65e84faf 100644
--- a/document-store/src/main/java/org/hypertrace/core/documentstore/postgres/query/v1/transformer/FlatPostgresFieldTransformer.java
+++ b/document-store/src/main/java/org/hypertrace/core/documentstore/postgres/query/v1/transformer/FlatPostgresFieldTransformer.java
@@ -32,7 +32,6 @@ public FieldToPgColumn transform(
   public FieldToPgColumn visit(IdentifierExpression expression) {
     String fieldName = expression.getName();
 
-    // Validate identifier to prevent SQL injection (defense in depth)
     BasicPostgresSecurityValidator.getDefault().validateIdentifier(fieldName);
 
     // Check if this field has been unnested (e.g., "tags" -> "tags_unnested")
@@ -50,9 +49,7 @@ public FieldToPgColumn visit(IdentifierExpression expression) {
    */
   @Override
   public FieldToPgColumn visit(JsonIdentifierExpression expression) {
-    // Validate column name and JSON path to prevent SQL injection (defense in depth)
-    // This is redundant with validation in JsonIdentifierExpression.of(), but provides
-    // an additional security layer in case the expression is constructed through other means
+
     BasicPostgresSecurityValidator.getDefault().validateIdentifier(expression.getColumnName());
     BasicPostgresSecurityValidator.getDefault().validateJsonPath(expression.getJsonPath());
 
diff --git a/document-store/src/main/java/org/hypertrace/core/documentstore/postgres/utils/BasicPostgresSecurityValidator.java b/document-store/src/main/java/org/hypertrace/core/documentstore/postgres/utils/BasicPostgresSecurityValidator.java
index d231cf93..e126bf98 100644
--- a/document-store/src/main/java/org/hypertrace/core/documentstore/postgres/utils/BasicPostgresSecurityValidator.java
+++ b/document-store/src/main/java/org/hypertrace/core/documentstore/postgres/utils/BasicPostgresSecurityValidator.java
@@ -14,21 +14,25 @@ public class BasicPostgresSecurityValidator implements PostgresSecurityValidator
   /**
    * Default pattern for PostgreSQL column/table identifiers.
    *
-   * <p>Pattern: {@code ^[a-zA-Z_][a-zA-Z0-9_]*$}
+   * <p>Pattern: {@code ^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)*$}
    *
    * <p><b>Allowed:</b>
    *
    * <ul>
    *   <li>Must start with: letter (a-z, A-Z) or underscore (_)
-   *   <li>Can contain: letters (a-z, A-Z), digits (0-9), underscores (_)
-   *   <li>Examples: {@code "myColumn"}, {@code "user_id"}, {@code "_internal"}, {@code "TABLE1"}
+   *   <li>Can contain: letters (a-z, A-Z), digits (0-9), underscores (_), dots (.) for nested field
+   *       notation
+   *   <li>Examples: {@code "myColumn"}, {@code "user_id"}, {@code "_internal"}, {@code "TABLE1"},
+   *       {@code "field.name"}, {@code "nested.field.name"}
    * </ul>
    *
    * <p><b>Not allowed:</b>
    *
    * <ul>
    *   <li>Starting with numbers: {@code "123column"}
-   *   <li>Special characters: {@code "col-name"}, {@code "field.name"}
+   *   <li>Starting or ending with dots: {@code ".field"}, {@code "field."}
+   *   <li>Consecutive dots: {@code "field..name"}
+   *   <li>Special characters: {@code "col-name"}
    *   <li>Spaces: {@code "my column"}, {@code "field OR 1=1"}
    *   <li>Quotes: {@code "field\"name"}, {@code "field'name"}
    *   <li>Semicolons: {@code "col;DROP"}
@@ -38,7 +42,8 @@ public class BasicPostgresSecurityValidator implements PostgresSecurityValidator
    * href="https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS">PostgreSQL
    * Documentation</a>
    */
-  private static final String DEFAULT_IDENTIFIER_PATTERN = "^[a-zA-Z_][a-zA-Z0-9_]*$";
+  private static final String DEFAULT_IDENTIFIER_PATTERN =
+      "^[a-zA-Z_][a-zA-Z0-9_]*(\\.[a-zA-Z_][a-zA-Z0-9_]*)*$";
 
   /**
    * Default pattern for JSON field names within JSONB columns.
@@ -126,7 +131,7 @@ public void validateIdentifier(String identifier) {
       throw new SecurityException(
           String.format(
               "Identifier '%s' is invalid. Must start with a letter or underscore, "
-                  + "and contain only letters, numbers, and underscores.",
+                  + "and contain only letters, numbers, underscores, and dots (for proper dot notation).",
               identifier));
     }
   }
diff --git a/document-store/src/test/java/org/hypertrace/core/documentstore/postgres/utils/PostgresSecurityValidatorTest.java b/document-store/src/test/java/org/hypertrace/core/documentstore/postgres/utils/PostgresSecurityValidatorTest.java
index 9c723458..83ae9ed9 100644
--- a/document-store/src/test/java/org/hypertrace/core/documentstore/postgres/utils/PostgresSecurityValidatorTest.java
+++ b/document-store/src/test/java/org/hypertrace/core/documentstore/postgres/utils/PostgresSecurityValidatorTest.java
@@ -8,55 +8,52 @@
 import java.util.List;
 import org.junit.jupiter.api.Test;
 
-/** Security tests for BasicPostgresSecurityValidator to prevent SQL injection attacks. */
 public class PostgresSecurityValidatorTest {
 
   private final PostgresSecurityValidator validator = BasicPostgresSecurityValidator.getDefault();
 
-  // ===== Column/Identifier Validation Tests =====
-
   @Test
-  void testValidIdentifier_Letters() {
+  void testValidIdentifierLetters() {
     assertDoesNotThrow(() -> validator.validateIdentifier("props"));
     assertDoesNotThrow(() -> validator.validateIdentifier("myColumn"));
     assertDoesNotThrow(() -> validator.validateIdentifier("UPPERCASE"));
   }
 
   @Test
-  void testValidIdentifier_StartsWithUnderscore() {
+  void testValidIdentifierStartsWithUnderscore() {
     assertDoesNotThrow(() -> validator.validateIdentifier("_internal"));
     assertDoesNotThrow(() -> validator.validateIdentifier("_"));
   }
 
   @Test
-  void testValidIdentifier_WithNumbers() {
+  void testValidIdentifierWithNumbers() {
     assertDoesNotThrow(() -> validator.validateIdentifier("field123"));
     assertDoesNotThrow(() -> validator.validateIdentifier("col_1"));
   }
 
   @Test
-  void testInvalidIdentifier_Null() {
+  void testInvalidIdentifierNull() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier(null));
     assertTrue(ex.getMessage().contains("cannot be null or empty"));
   }
 
   @Test
-  void testInvalidIdentifier_Empty() {
+  void testInvalidIdentifierEmpty() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier(""));
     assertTrue(ex.getMessage().contains("cannot be null or empty"));
   }
 
   @Test
-  void testInvalidIdentifier_StartsWithNumber() {
+  void testInvalidIdentifierStartsWithNumber() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier("123column"));
     assertTrue(ex.getMessage().contains("Must start with a letter or underscore"));
   }
 
   @Test
-  void testInvalidIdentifier_SqlInjection_DropTable() {
+  void testInvalidIdentifierSqlInjection_DropTable() {
     SecurityException ex =
         assertThrows(
             SecurityException.class,
@@ -65,42 +62,61 @@ void testInvalidIdentifier_SqlInjection_DropTable() {
   }
 
   @Test
-  void testInvalidIdentifier_SqlInjection_Quote() {
+  void testInvalidIdentifierSqlInjection_Quote() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier("column\"name"));
     assertTrue(ex.getMessage().contains("invalid"));
   }
 
   @Test
-  void testInvalidIdentifier_SqlInjection_Semicolon() {
+  void testInvalidIdentifierSqlInjection_Semicolon() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier("col;SELECT"));
     assertTrue(ex.getMessage().contains("invalid"));
   }
 
   @Test
-  void testInvalidIdentifier_Hyphen() {
+  void testInvalidIdentifierHyphen() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier("field-name"));
     assertTrue(ex.getMessage().contains("invalid"));
   }
 
   @Test
-  void testInvalidIdentifier_Dot() {
-    SecurityException ex =
-        assertThrows(SecurityException.class, () -> validator.validateIdentifier("field.name"));
-    assertTrue(ex.getMessage().contains("invalid"));
+  void testValidIdentifierWithDotNotation() {
+    assertDoesNotThrow(() -> validator.validateIdentifier("field.name"));
+    assertDoesNotThrow(() -> validator.validateIdentifier("api.dataTypeIds"));
+    assertDoesNotThrow(() -> validator.validateIdentifier("nested.field.name"));
+    assertDoesNotThrow(() -> validator.validateIdentifier("internal.field"));
+  }
+
+  @Test
+  void testInvalidDotNotation() {
+    // Can't start with a dot
+    SecurityException ex1 =
+        assertThrows(SecurityException.class, () -> validator.validateIdentifier(".field"));
+    assertTrue(ex1.getMessage().contains("invalid"));
+
+    // Can't end with a dot
+    SecurityException ex2 =
+        assertThrows(SecurityException.class, () -> validator.validateIdentifier("field."));
+    assertTrue(ex2.getMessage().contains("invalid"));
+
+    // Can't have consecutive dots
+    SecurityException ex3 =
+        assertThrows(SecurityException.class, () -> validator.validateIdentifier("field..name"));
+    assertTrue(ex3.getMessage().contains("invalid"));
   }
 
   @Test
-  void testInvalidIdentifier_Space() {
+  void testInvalidIdentifierSpace() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier("field name"));
     assertTrue(ex.getMessage().contains("invalid"));
   }
 
   @Test
-  void testInvalidIdentifier_TooLong() {
+  void testInvalidIdentifierTooLong() {
     String longIdentifier = "a".repeat(64); // PostgreSQL max is 63
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier(longIdentifier));
@@ -108,52 +124,49 @@ void testInvalidIdentifier_TooLong() {
   }
 
   @Test
-  void testValidIdentifier_MaxLength() {
+  void testValidIdentifierMaxLength() {
     String maxLengthIdentifier = "a".repeat(63); // Exactly at limit
     assertDoesNotThrow(() -> validator.validateIdentifier(maxLengthIdentifier));
   }
 
-  // ===== JSON Path Validation Tests =====
-
   @Test
-  void testValidJsonPath_SingleLevel() {
+  void testValidJsonPathSingleLevel() {
     assertDoesNotThrow(() -> validator.validateJsonPath(List.of("brand")));
   }
 
   @Test
-  void testValidJsonPath_MultiLevel() {
+  void testValidJsonPathMultiLevel() {
     assertDoesNotThrow(() -> validator.validateJsonPath(List.of("seller", "address", "city")));
   }
 
   @Test
-  void testValidJsonPath_WithNumbers() {
+  void testValidJsonPathWithNumbers() {
     assertDoesNotThrow(() -> validator.validateJsonPath(List.of("field123")));
     assertDoesNotThrow(() -> validator.validateJsonPath(List.of("1st_choice")));
   }
 
   @Test
-  void testValidJsonPath_StartsWithUnderscore() {
+  void testValidJsonPathStartsWithUnderscore() {
     assertDoesNotThrow(() -> validator.validateJsonPath(List.of("_private")));
   }
 
   @Test
-  void testInvalidJsonPath_Null() {
+  void testInvalidJsonPathNull() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateJsonPath(null));
     assertTrue(ex.getMessage().contains("cannot be null or empty"));
   }
 
   @Test
-  void testInvalidJsonPath_Empty() {
+  void testInvalidJsonPathEmpty() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateJsonPath(List.of()));
     assertTrue(ex.getMessage().contains("cannot be null or empty"));
   }
 
   @Test
-  void testInvalidJsonPath_NullElement() {
-    // Note: List.of() doesn't allow null elements, so we need to create a list differently
-    java.util.List<String> pathWithNull = new java.util.ArrayList<>();
+  void testInvalidJsonPathNullElement() {
+    List<String> pathWithNull = new ArrayList<>();
     pathWithNull.add("field");
     pathWithNull.add(null);
     pathWithNull.add("name");
@@ -164,7 +177,7 @@ void testInvalidJsonPath_NullElement() {
   }
 
   @Test
-  void testInvalidJsonPath_EmptyElement() {
+  void testInvalidJsonPathEmptyElement() {
     SecurityException ex =
         assertThrows(
             SecurityException.class,
@@ -173,7 +186,7 @@ void testInvalidJsonPath_EmptyElement() {
   }
 
   @Test
-  void testInvalidJsonPath_SqlInjection_Quote() {
+  void testInvalidJsonPathSqlInjectionQuote() {
     SecurityException ex =
         assertThrows(
             SecurityException.class, () -> validator.validateJsonPath(List.of("brand' OR '1'='1")));
@@ -181,7 +194,7 @@ void testInvalidJsonPath_SqlInjection_Quote() {
   }
 
   @Test
-  void testInvalidJsonPath_SqlInjection_DoubleQuote() {
+  void testInvalidJsonPathSqlInjectionDoubleQuote() {
     SecurityException ex =
         assertThrows(
             SecurityException.class, () -> validator.validateJsonPath(List.of("name\"--")));
@@ -189,7 +202,7 @@ void testInvalidJsonPath_SqlInjection_DoubleQuote() {
   }
 
   @Test
-  void testInvalidJsonPath_SqlInjection_Semicolon() {
+  void testInvalidJsonPathSqlInjectionSemicolon() {
     SecurityException ex =
         assertThrows(
             SecurityException.class,
@@ -198,7 +211,7 @@ void testInvalidJsonPath_SqlInjection_Semicolon() {
   }
 
   @Test
-  void testInvalidJsonPath_Hyphen() {
+  void testInvalidJsonPathHyphen() {
     SecurityException ex =
         assertThrows(
             SecurityException.class, () -> validator.validateJsonPath(List.of("field-name")));
@@ -206,7 +219,7 @@ void testInvalidJsonPath_Hyphen() {
   }
 
   @Test
-  void testInvalidJsonPath_Dot() {
+  void testInvalidJsonPathDot() {
     SecurityException ex =
         assertThrows(
             SecurityException.class, () -> validator.validateJsonPath(List.of("field.name")));
@@ -214,7 +227,7 @@ void testInvalidJsonPath_Dot() {
   }
 
   @Test
-  void testInvalidJsonPath_Space() {
+  void testInvalidJsonPathSpace() {
     SecurityException ex =
         assertThrows(
             SecurityException.class, () -> validator.validateJsonPath(List.of("field name")));
@@ -222,7 +235,7 @@ void testInvalidJsonPath_Space() {
   }
 
   @Test
-  void testInvalidJsonPath_TooDeep() {
+  void testInvalidJsonPathTooDeep() {
     List<String> deepPath = new ArrayList<>();
     for (int i = 0; i < 11; i++) { // Max is 10
       deepPath.add("level" + i);
@@ -233,7 +246,7 @@ void testInvalidJsonPath_TooDeep() {
   }
 
   @Test
-  void testValidJsonPath_MaxDepth() {
+  void testValidJsonPathMaxDepth() {
     List<String> deepPath = new ArrayList<>();
     for (int i = 0; i < 10; i++) { // Exactly at limit
       deepPath.add("level" + i);
@@ -242,7 +255,7 @@ void testValidJsonPath_MaxDepth() {
   }
 
   @Test
-  void testInvalidJsonPath_FieldTooLong() {
+  void testInvalidJsonPathFieldTooLong() {
     String longField = "a".repeat(101); // Max is 100
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateJsonPath(List.of(longField)));
@@ -250,22 +263,20 @@ void testInvalidJsonPath_FieldTooLong() {
   }
 
   @Test
-  void testValidJsonPath_MaxFieldLength() {
+  void testValidJsonPathMaxFieldLength() {
     String maxLengthField = "a".repeat(100); // Exactly at limit
     assertDoesNotThrow(() -> validator.validateJsonPath(List.of(maxLengthField)));
   }
 
-  // ===== Real-world Attack Scenarios =====
-
   @Test
-  void testAttackScenario_CommentInjection() {
+  void testAttackScenarioCommentInjection() {
     SecurityException ex =
         assertThrows(SecurityException.class, () -> validator.validateIdentifier("field\"--"));
     assertTrue(ex.getMessage().contains("invalid"));
   }
 
   @Test
-  void testAttackScenario_UnionInjection() {
+  void testAttackScenarioUnionInjection() {
     SecurityException ex =
         assertThrows(
             SecurityException.class, () -> validator.validateIdentifier("col\" UNION SELECT"));
@@ -273,7 +284,7 @@ void testAttackScenario_UnionInjection() {
   }
 
   @Test
-  void testAttackScenario_OrInjection() {
+  void testAttackScenarioOrInjection() {
     SecurityException ex =
         assertThrows(
             SecurityException.class,
@@ -282,7 +293,7 @@ void testAttackScenario_OrInjection() {
   }
 
   @Test
-  void testAttackScenario_NestedQuotes() {
+  void testAttackScenarioNestedQuotes() {
     SecurityException ex =
         assertThrows(
             SecurityException.class, () -> validator.validateJsonPath(List.of("field'\"'; DROP")));