diff --git a/config/gitlab_loose_foreign_keys.yml b/config/gitlab_loose_foreign_keys.yml
index 740fb667780..de9fff4d1dd 100644
--- a/config/gitlab_loose_foreign_keys.yml
+++ b/config/gitlab_loose_foreign_keys.yml
@@ -658,6 +658,10 @@ sbom_sources:
 - table: organizations
 column: organization_id
 on_delete: async_delete
+security_categories:
+ - table: namespaces
+ column: namespace_id
+ on_delete: async_delete
 security_scans:
 - table: p_ci_builds
 column: build_id
diff --git a/db/docs/security_categories.yml b/db/docs/security_categories.yml
new file mode 100644
index 00000000000..44c12e15437
--- /dev/null
+++ b/db/docs/security_categories.yml
@@ -0,0 +1,12 @@
+---
+table_name: security_categories
+classes:
+- Security::Category
+feature_categories:
+- security_asset_inventories
+description: Stores security label categories for root namespaces
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197798
+milestone: '18.3'
+gitlab_schema: gitlab_sec
+sharding_key:
+ namespace_id: namespaces
diff --git a/db/migrate/20250714103334_create_security_categories.rb b/db/migrate/20250714103334_create_security_categories.rb
new file mode 100644
index 00000000000..7dfd0e530fc
--- /dev/null
+++ b/db/migrate/20250714103334_create_security_categories.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class CreateSecurityCategories < Gitlab::Database::Migration[2.3]
+ milestone '18.3'
+
+ SECURITY_CATEGORIES_NAME_NAMESPACE_INDEX = 'index_security_categories_namespace_name'
+
+ def change
+ create_table :security_categories do |t|
+ t.bigint :namespace_id, null: false
+ t.timestamps_with_timezone null: false
+ t.integer :editable_state, null: false, default: 0, limit: 2
+ t.integer :template_type, null: true, limit: 2
+ t.boolean :multiple_selection, null: false, default: false
+ t.text :name, null: false, limit: 255
+ t.text :description, default: nil, limit: 255
+
+ t.index [:namespace_id, :name], unique: true, name: SECURITY_CATEGORIES_NAME_NAMESPACE_INDEX
+ end
+ end
+end
diff --git a/db/schema_migrations/20250714103334 b/db/schema_migrations/20250714103334
new file mode 100644
index 00000000000..dccbd666c37
--- /dev/null
+++ b/db/schema_migrations/20250714103334
@@ -0,0 +1 @@
+1c61b56bb5b90ed74a50fb337a0898621c4a66cc960a493b5cd9e07d75333e37
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 42f730a4f51..73a2e78f0d2 100644
--- a/db/structure.sql
+++ b/db/structure.sql
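Review bot: The unique index on `[:namespace_id, :name]` in `CreateSecurityCategories#change` compares `name` byte-for-byte, so `Compliance` and `compliance` can coexist as separate security categories in one namespace and look-alike labels become possible. The `Security::Category` model is not part of this diff, so whether it normalises names cannot be confirmed here; if case-insensitive uniqueness is intended, enforce it in the database, for example `t.index 'namespace_id, lower(name)', unique: true, name: SECURITY_CATEGORIES_NAME_NAMESPACE_INDEX`. Separately, `editable_state` and `template_type` are bare smallints whose allowed values the table does not restrict, so a short comment above each, such as `# backed by an enum on Security::Category; values are defined in the model`, would tell the next reader where the meaning lives.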
@@ -23329,6 +23329,29 @@ CREATE TABLE secret_detection_token_statuses (
 status smallint DEFAULT 0 NOT NULL
 );
+CREATE TABLE security_categories (
+ id bigint NOT NULL,
+ namespace_id bigint NOT NULL,
+ created_at timestamp with time zone NOT NULL,
+ updated_at timestamp with time zone NOT NULL,
+ editable_state smallint DEFAULT 0 NOT NULL,
+ template_type smallint,
+ multiple_selection boolean DEFAULT false NOT NULL,
+ name text NOT NULL,
+ description text,
+ CONSTRAINT check_6a761c4c9f CHECK ((char_length(name) <= 255)),
+ CONSTRAINT check_d643dfc44b CHECK ((char_length(description) <= 255))
+);
+
+CREATE SEQUENCE security_categories_id_seq
+ START WITH 1
+ INCREMENT BY 1
+ NO MINVALUE
+ NO MAXVALUE
+ CACHE 1;
+
+ALTER SEQUENCE security_categories_id_seq OWNED BY security_categories.id;
+
 CREATE SEQUENCE security_findings_id_seq
 START WITH 1
 INCREMENT BY 1
@@ -28673,6 +28696,8 @@ ALTER TABLE ONLY scim_identities ALTER COLUMN id SET DEFAULT nextval('scim_ident
 ALTER TABLE ONLY scim_oauth_access_tokens ALTER COLUMN id SET DEFAULT nextval('scim_oauth_access_tokens_id_seq'::regclass);
+ALTER TABLE ONLY security_categories ALTER COLUMN id SET DEFAULT nextval('security_categories_id_seq'::regclass);
+
 ALTER TABLE ONLY security_findings ALTER COLUMN id SET DEFAULT nextval('security_findings_id_seq'::regclass);
 ALTER TABLE ONLY security_orchestration_policy_configurations ALTER COLUMN id SET DEFAULT nextval('security_orchestration_policy_configurations_id_seq'::regclass);
@@ -31723,6 +31748,9 @@ ALTER TABLE ONLY scim_oauth_access_tokens
 ALTER TABLE ONLY secret_detection_token_statuses
 ADD CONSTRAINT secret_detection_token_statuses_pkey PRIMARY KEY (vulnerability_occurrence_id);
+ALTER TABLE ONLY security_categories
+ ADD CONSTRAINT security_categories_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY security_findings
 ADD CONSTRAINT security_findings_pkey PRIMARY KEY (id, partition_number);
@@ -38064,6 +38092,8 @@ CREATE UNIQUE INDEX index_scim_identities_on_user_id_and_group_id ON scim_identi
 CREATE UNIQUE INDEX index_scim_oauth_access_tokens_on_group_id_and_token_encrypted ON scim_oauth_access_tokens USING btree (group_id, token_encrypted);
+CREATE UNIQUE INDEX index_security_categories_namespace_name ON security_categories USING btree (namespace_id, name);
+
 CREATE INDEX index_security_orchestration_policy_rule_schedules_on_namespace ON security_orchestration_policy_rule_schedules USING btree (namespace_id);
 CREATE INDEX index_security_orchestration_policy_rule_schedules_on_project_i ON security_orchestration_policy_rule_schedules USING btree (project_id);