diff --git a/cheatsheets/Enterprise API Security Architectural Patterns Cheat Sheet.md b/cheatsheets/Enterprise API Security Architectural Patterns Cheat Sheet.md
new file mode 100644
index 0000000000..1bcddbab1a
--- /dev/null
+++ b/cheatsheets/Enterprise API Security Architectural Patterns Cheat Sheet.md	
@@ -0,0 +1,531 @@
+# Enterprise API Security Architectural Patterns Cheat Sheet
+
+## Overview
+
+Architectural patterns for enterprise API security that address complex threats beyond standard security controls. These proven structural approaches provide comprehensive security frameworks for enterprise environments where basic security measures are insufficient.
+
+**What you'll get:**
+
+- **8 enterprise security patterns** across 4 architectural domains
+- **Pattern selection matrix** to choose the right patterns for your scenario
+- **Implementation roadmap** with performance-optimized ordering
+- **Failure modes and warning signs** for each pattern
+- **Complete lifecycle guidance** from assessment to monitoring
+- **Threat landscape mapping** to enterprise pattern solutions
+
+## Prerequisites
+
+**Essential foundation - implement these first:**
+
+- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) - Core API vulnerabilities
+- [Authentication Cheat Sheet](Authentication_Cheat_Sheet.md) - User identity verification
+- [Authorization Cheat Sheet](Authorization_Cheat_Sheet.md) - Access control patterns
+- [REST Security Cheat Sheet](REST_Security_Cheat_Sheet.md) - Protocol-specific security
+- [Input Validation Cheat Sheet](Input_Validation_Cheat_Sheet.md) - Data sanitization
+- [Error Handling Cheat Sheet](Error_Handling_Cheat_Sheet.md) - Secure error responses
+- [Logging Cheat Sheet](Logging_Cheat_Sheet.md) - Security event logging
+
+**Technical requirements:**
+
+- API gateway or reverse proxy in place
+- Centralized logging and monitoring
+- Basic rate limiting implemented
+- HTTPS enforced across all endpoints
+
+**Organizational readiness:**
+
+- Security team involvement in API design
+- Incident response procedures established
+- Compliance requirements clearly defined
+
+## Decision Guide
+
+**Basic security suffices when:**
+
+- Single-tenant, internal-only APIs
+- Simple architecture with unified team ownership
+- No regulatory compliance requirements
+
+**Enterprise patterns required when:**
+
+- **Data isolation needs:** Multi-tenant SaaS, shared infrastructure
+- **Trust boundaries:** Cross-organization APIs, partner integrations
+- **Compliance mandates:** SOC2, HIPAA, PCI, or multiple frameworks
+- **High-risk operations:** Financial transactions, sensitive data processing
+- **Architectural complexity:** Multiple protocols, distributed ownership
+
+**Implementation approach:**
+
+- Start with 2-3 patterns addressing your primary risks
+- Expand coverage based on threat evolution and business growth
+- Prioritize patterns with immediate compliance or security impact
+
+## Data Isolation & Trust Patterns
+
+### Multi-Tenant Isolation
+
+Ensures complete data separation between tenants in shared infrastructure environments. Critical for SaaS platforms where multiple customers share the same application instance but must never access each other's data.
+
+#### API-Level Tenant Validation
+
+**Problem:** Data leakage between tenants at API boundary  
+**Solution:** Validate tenant access at every API call  
+**Use when:** SaaS with multiple customers sharing infrastructure  
+**Fails when:** Validation logic is inconsistent across endpoints
+
+```javascript
+function validateTenant(user, tenantId) {
+    return user.tenants.includes(tenantId);
+}
+```
+
+#### Database-Level Tenant Isolation
+
+**Problem:** Data leakage through direct database access or background jobs  
+**Solution:** Enforce tenant boundaries at database level  
+**Use when:** Multiple services access shared database  
+**Fails when:** Row-level security policies are misconfigured or bypassed
+
+```javascript
+function addTenantFilter(query, tenantId) {
+    return query.where('tenant_id', tenantId);
+}
+```
+
+#### Network-Level Tenant Segmentation
+
+**Problem:** Cross-tenant network traffic and service communication  
+**Solution:** Network policies and service mesh isolation per tenant  
+**Use when:** Microservices architecture with tenant-specific workloads  
+**Fails when:** Network policies are too permissive or service mesh configuration drifts
+
+```javascript
+function routeToTenantService(request, tenantId) {
+    const tenantCluster = getTenantCluster(tenantId);
+    return proxy.forward(request, tenantCluster);
+}
+```
+
+### Cross-Organization Federation
+
+Enables secure API access across organizational boundaries by establishing trust relationships and identity verification between different companies or domains.
+
+#### Partner Trust Management
+
+**Problem:** Establishing and maintaining trust with external partners  
+**Solution:** Dynamic trust scoring based on partner behavior and security posture  
+**Use when:** B2B integrations with varying trust levels  
+**Fails when:** Trust scores become stale or partner security changes aren't detected
+
+```javascript
+function allowAccess(partner, resource) {
+    return partner.trustScore >= resource.requiredTrust;
+}
+```
+
+#### Federated Identity Validation
+
+**Problem:** Verifying user identities across organizational boundaries  
+**Solution:** Cross-domain identity verification with partner identity providers  
+**Use when:** Users from partner organizations need API access  
+**Fails when:** Identity provider certificates expire or federation metadata is outdated
+
+```javascript
+function validateFederatedUser(token, partnerDomain) {
+    const idp = getPartnerIdentityProvider(partnerDomain);
+    return idp.validateToken(token);
+}
+```
+
+### Token & Policy Security
+
+Protects against token theft and ensures consistent security policy enforcement across all API endpoints and services.
+
+#### Proof of Possession
+
+**Problem:** Stolen bearer tokens  
+**Solution:** Require cryptographic proof with each request  
+**Use when:** High-value transactions, PCI compliance  
+**Fails when:** Clock skew between client/server or key rotation isn't handled properly
+
+```javascript
+function verifyProof(token, signature, nonce, publicKey) {
+    return crypto.verify(`${token}:${nonce}`, signature, publicKey);
+}
+```
+
+#### Gateway Security
+
+**Problem:** Inconsistent security policies  
+**Solution:** Centralized policy enforcement  
+**Use when:** Many microservices  
+**Fails when:** Services bypass the gateway or policies become too complex to maintain
+
+```javascript
+function enforcePolicy(request) {
+    const user = authenticate(request);
+    return authorize(user, request.resource);
+}
+```
+
+### Multi-Protocol Patterns
+
+Unifies security controls across different API protocols (REST, GraphQL, gRPC) to prevent inconsistencies and security gaps in mixed-protocol environments.
+
+#### Cross-Protocol Rate Limiting
+
+**Problem:** Different limits across REST/GraphQL/gRPC  
+**Solution:** Unified rate limiting  
+**Use when:** Multiple API protocols  
+**Fails when:** Protocol differences aren't normalized properly or Redis becomes a bottleneck
+
+```javascript
+function checkLimit(userId, endpoint) {
+    return redis.incr(`rate:${userId}:${endpoint}`) <= LIMIT;
+}
+```
+
+#### Unified Authentication
+
+**Problem:** Different auth mechanisms across API protocols  
+**Solution:** Protocol-agnostic token validation  
+**Use when:** REST, GraphQL, and gRPC APIs with shared users  
+**Fails when:** Protocol-specific requirements conflict with unified approach
+
+```javascript
+function authenticateRequest(request, protocol) {
+    const token = extractToken(request, protocol);
+    return validateJWT(token);
+}
+```
+
+## Implementation
+
+### Start Simple
+
+Don't implement all patterns at once. Choose 2-3 patterns that address your most critical security challenges first, then expand based on results and evolving needs.
+
+#### Choose your starting point
+
+**For SaaS platforms:**
+
+1. Multi-tenant isolation (prevents data leakage)
+2. Gateway security (centralizes policies)
+3. Cross-protocol rate limiting (unified abuse prevention)
+
+**For B2B integrations:**
+
+1. Cross-organization federation (partner trust)
+2. Gateway security (policy enforcement)
+3. Proof of possession (high-value transactions)
+
+**For complex API architectures:**
+
+1. Gateway security (consistent policies)
+2. Multi-tenant isolation (if multi-tenant)
+3. Cross-protocol rate limiting (if multiple API types)
+
+**Implementation order matters - each pattern builds security depth.**
+
+### Performance Impact
+
+Each pattern adds latency and resource overhead. Implement in performance-optimized order to maintain acceptable user experience while building security depth.
+
+#### Implementation order by overhead
+
+**Low impact (start here):**
+
+1. **Cross-protocol rate limiting** - Cache lookups only
+2. **Unified authentication** - Token validation once per request
+3. **Gateway security** - Policy evaluation at entry point
+
+**Medium impact:**
+
+4. **API-level tenant validation** - User permission checks
+5. **Partner trust management** - Trust score lookups
+6. **Federated identity validation** - External identity provider calls
+
+**High impact (add last):**
+
+7. **Database-level tenant isolation** - Query filtering on every database call
+8. **Network-level tenant segmentation** - Infrastructure changes required
+9. **Proof of possession** - Cryptographic operations per request
+
+#### Why this order works
+
+- Quick wins first - immediate protection with minimal cost
+- Build authentication foundation before adding isolation
+- Save expensive operations for last when infrastructure is ready
+
+### Safe implementation approach
+
+Minimize risk by deploying incrementally with careful monitoring and ready rollback plans. Test thoroughly before full production deployment.
+
+#### Deployment strategy
+
+- Implement one pattern per release cycle
+- Start with lowest-traffic endpoints for initial testing
+- Gradually increase traffic exposure: 1% → 10% → 50% → 100%
+- Keep rollback plan ready for each pattern
+
+#### Performance optimization
+
+- Cache tenant permissions, trust scores, and policy decisions
+- Use connection pooling for external identity providers
+- Pre-compute expensive validations where possible
+- Set reasonable timeouts for all external calls
+
+#### Monitoring essentials
+
+- Track response times before and after each pattern
+- Monitor error rates and timeout frequencies
+- Alert on database connection pool exhaustion
+- Watch for authentication provider rate limits
+
+### Rollback triggers
+
+Recognize warning signs early and rollback immediately when patterns negatively impact system stability or user experience.
+
+#### Performance degradation
+
+- Response times consistently exceed acceptable thresholds
+- Latency distribution shifts significantly from baseline
+- New timeout patterns emerge in previously stable endpoints
+
+#### System resource exhaustion
+
+- Error rates trend upward beyond normal operational variance
+- Database connection pools approach capacity limits
+- Memory consumption patterns deviate from established norms
+- Sustained CPU utilization exceeds operational comfort zones
+
+#### Business impact indicators
+
+- User experience complaints correlate with deployment timing
+- Authentication success rates decline without external factors
+- Partner integrations report intermittent connectivity issues
+
+### Performance validation
+
+Validate each pattern's impact through systematic testing before full deployment. Establish clear success criteria and measure against baseline performance.
+
+#### Pre-deployment assessment
+
+- Establish baseline metrics across critical endpoints
+- Document current system capacity and utilization patterns
+- Identify performance-sensitive user journeys
+
+#### Controlled testing approach
+
+- Deploy to isolated test environment first
+- Conduct load testing with realistic traffic patterns
+- A/B test on production subset with careful monitoring
+- Validate both peak and sustained load scenarios
+
+#### Success criteria
+
+- System maintains acceptable performance under normal load
+- No degradation in critical user experience metrics
+- Resource utilization remains within operational boundaries
+- Pattern provides expected security benefit without compromise
+
+### When to Stop
+
+Know when you have sufficient security coverage. Adding more patterns beyond your needs creates unnecessary complexity and maintenance burden.
+
+#### Stop adding patterns when
+
+**Team capacity limits:**
+
+- Implementation complexity exceeds team expertise
+- Maintenance burden impacts feature development velocity
+- Debugging becomes significantly more difficult
+- On-call incidents increase due to pattern interactions
+
+**Business impact thresholds:**
+
+- Performance degradation affects user satisfaction
+- Implementation costs outweigh security risk reduction
+- Compliance requirements are fully satisfied
+- Diminishing returns on additional security layers
+
+**Success indicators - you have sufficient coverage when:**
+
+- Tenant data isolation meets regulatory requirements
+- Partner federation supports all business relationships
+- Abuse prevention handles identified threat scenarios
+- Security audit findings are addressed
+- Incident response capabilities match threat landscape
+
+## Before Enterprise Patterns
+
+Start with simpler approaches before implementing enterprise patterns. Upgrade only when basic patterns can't meet your security, scale, or compliance requirements.
+
+### Foundation patterns - implement these first
+
+#### Data separation
+
+- **Separate databases per tenant** → Upgrade to multi-tenant isolation when infrastructure costs become prohibitive
+
+#### Authentication & authorization
+
+- **Standard OAuth 2.0** → Upgrade to cross-org federation when partner integrations require dynamic trust
+- **Short-lived JWT tokens** → Upgrade to proof of possession when token theft becomes a material risk
+
+#### Traffic management
+
+- **Load balancer rate limiting** → Upgrade to gateway security when policy complexity exceeds infrastructure capabilities
+- **Single-protocol rate limits** → Upgrade to cross-protocol limiting when API diversity creates enforcement gaps
+
+### When to upgrade
+
+Upgrade from foundation patterns when external pressures or operational challenges exceed what simple approaches can handle.
+
+#### Compliance pressure
+
+- Audit findings require stronger isolation guarantees
+- Regulatory frameworks demand enhanced controls
+- Customer security requirements exceed current capabilities
+
+#### Operational scale
+
+- Infrastructure costs of simple patterns become unsustainable
+- Management complexity of distributed policies creates operational risk
+- Security incidents indicate current controls are insufficient
+
+## Pattern Selection Matrix
+
+Quick reference to select the right patterns for your specific scenario. Start with essential patterns, then add optional ones based on evolving requirements.
+
+| Your Scenario | Essential Patterns | Optional Patterns |
+|---------------|-------------------|-------------------|
+| **SaaS Platform** | Multi-tenant isolation, Gateway security | Cross-protocol limiting, Proof of possession |
+| **B2B Integrations** | Cross-org federation, Gateway security | Partner trust management, Proof of possession |
+| **Complex API Architectures** | Gateway security, Unified authentication | Cross-protocol limiting, Multi-tenant isolation |
+| **High-Value Transactions** | Proof of possession, Gateway security | Multi-tenant isolation, Partner trust management |
+| **Regulated Industry** | Multi-tenant isolation, Gateway security, Proof of possession | All patterns based on compliance requirements |
+| **Mixed Protocols** | Cross-protocol limiting, Unified authentication | Gateway security, Multi-tenant isolation |
+
+## Quick Security Checklist
+
+Validate your security implementation with this comprehensive checklist. Complete foundation items first, then select enterprise patterns based on your architecture.
+
+### Foundation (required before enterprise patterns)
+
+- [ ] Input validation and sanitization on all endpoints
+- [ ] Authentication mechanisms properly implemented
+- [ ] Authorization controls enforce least privilege
+- [ ] Rate limiting prevents abuse scenarios
+- [ ] HTTPS enforced across all communications
+- [ ] Error responses don't leak sensitive information
+- [ ] Security headers configured appropriately
+
+### Enterprise patterns (choose based on your architecture)
+
+#### Multi-tenant environments
+
+- [ ] Tenant isolation at API, database, and network levels
+- [ ] Cross-tenant access prevention validated
+- [ ] Tenant-specific audit trails maintained
+
+#### Cross-organization integrations
+
+- [ ] Partner trust management implemented
+- [ ] Federated identity validation configured
+- [ ] B2B API access controls established
+
+#### High-security requirements
+
+- [ ] Proof of possession for sensitive operations
+- [ ] Centralized gateway security policies
+- [ ] Advanced threat monitoring and alerting
+- [ ] Compliance framework controls implemented
+
+## Common API Threats
+
+Map enterprise threats to appropriate security patterns. Use this threat landscape to prioritize which patterns address your most critical risks.
+
+### Data isolation threats
+
+- **Cross-tenant data leakage** → Multi-tenant isolation (API + database + network levels)
+- **Unauthorized tenant access** → API-level tenant validation + gateway security
+- **Shared infrastructure exploitation** → Network-level tenant segmentation
+
+### Identity and trust threats
+
+- **Token theft and replay attacks** → Proof of possession + short token lifetimes
+- **Compromised partner credentials** → Partner trust management + federated identity validation
+- **Privilege escalation across organizations** → Gateway security + cross-org federation
+- **Identity provider compromise** → Federated identity validation with multiple verification layers
+
+### Protocol and traffic threats
+
+- **Rate limit evasion across protocols** → Cross-protocol rate limiting + unified authentication
+- **API gateway bypass** → Gateway security with comprehensive policy enforcement
+- **Resource exhaustion attacks** → Cross-protocol limiting + gateway security
+- **Protocol-specific abuse patterns** → Unified authentication + protocol-aware policies
+
+### Business logic threats
+
+- **Partner API abuse** → Partner trust management + dynamic trust scoring
+- **High-value transaction manipulation** → Proof of possession + enhanced audit logging
+- **Compliance violation through data access** → Multi-tenant isolation + gateway security
+
+### Threat assessment approach
+
+1. **Inventory sensitive endpoints** - Identify high-value data and operations
+2. **Map threat scenarios** - Match business risks to technical threat patterns
+3. **Prioritize by impact** - Focus on threats with highest business consequence
+4. **Select appropriate patterns** - Choose enterprise patterns that address priority threats
+5. **Implement incrementally** - Deploy patterns in performance-optimized order
+6. **Validate effectiveness** - Monitor for threat reduction and pattern performance
+
+## References
+
+### Standards (IETF)
+
+- [RFC 6749 - OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
+- [RFC 8725 - JSON Web Token Best Current Practices](https://datatracker.ietf.org/doc/html/rfc8725)
+- [RFC 7800 - Proof-of-Possession Key Semantics for JWTs](https://datatracker.ietf.org/doc/html/rfc7800)
+- [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication](https://datatracker.ietf.org/doc/html/rfc8705)
+
+### Government Standards (NIST)
+
+- [SP 800-204 - Security Strategies for Microservices-based Application Systems](https://csrc.nist.gov/publications/detail/sp/800-204/final)
+- [SP 800-207 - Zero Trust Architecture](https://csrc.nist.gov/publications/detail/sp/800-207/final)
+
+### Implementation Guides
+
+- [Cloud Security Alliance - Security Guidance v4.0](https://cloudsecurityalliance.org/research/guidance/)
+- [Istio Service Mesh - Security Policies](https://istio.io/latest/docs/concepts/security/)
+- [Security Technical Implementation Guide](https://www.sonarsource.com/resources/library/security-technical-implementation-guide/)
+- [API Common Security Threats and Security Protection Strategies](https://www.researchgate.net/publication/386204013_API_Common_Security_Threats_and_Security_Protection_Strategies)
+
+### Multi-Tenant Implementation
+
+- [Azure Multi-Tenant Applications](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/)
+- [Postgres Row Level Security](https://www.postgresql.org/docs/current/ddl-rowsecurity.html)
+- [Azure Guidance For Secure Isolation](https://learn.microsoft.com/en-us/azure/azure-government/azure-secure-isolation-guidance)
+
+### Proof of Possession Implementation
+
+- [OAuth 2.0 DPoP Draft](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)
+- [mTLS Implementation Guide](https://developers.cloudflare.com/ssl/client-certificates/)
+- [Protect Your Access Tokens with DPoP](https://auth0.com/blog/protect-your-access-tokens-with-dpop/)
+
+### Rate Limiting & Gateway Security
+
+- [Red Hat Rate Limiting Policies](https://www.redhat.com/en/blog/api-security-importance-rate-limiting-policies-safeguarding-your-apis)
+- [Azure WAF rate limiting on Application Gateway](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/rate-limiting-overview)
+- [Rate Limiting and Threat Detection in Intelligent API Gateways](https://www.researchgate.net/publication/391980763_Rate_Limiting_and_Threat_Detection_in_Intelligent_API_Gateways)
+
+### Monitoring & Compliance
+
+- [How To Monitor APIs](https://www.splunk.com/en_us/blog/learn/api-monitoring.html)
+- [Securing HTTP-based APIs](https://www.ncsc.gov.uk/collection/securing-http-based-apis/6-logging-and-monitoring)
+
+### Industry Patterns & Practices
+
+- [Microsoft Azure Architecture Center - API Design](https://docs.microsoft.com/en-us/azure/architecture/best-practices/api-design)
+- [AWS Well-Architected Framework - Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html)
+- [Google Cloud Architecture Framework - Security](https://cloud.google.com/architecture/framework/security)