ONVIF Profiles in 2026: A No-Nonsense Guide to S, T, G, M, A, C and D (and Their Add-ons)

Why Fora Soft wrote this playbook

Across 21 years and 625+ delivered products, Fora Soft has shipped more ONVIF-backed VMS, NVR, body-worn, courtroom and analytics projects than we can comfortably list. ONVIF is the single most important interoperability standard in IP surveillance, and it is also the most misunderstood. Nine out of ten integrators who call us already own the hardware and the VMS, but they misread the profiles and then wonder why the system will not talk to itself.

This guide is the briefing we give a client in Week 1 of a new surveillance project — what each ONVIF profile does, where it breaks, which profile to mandate, how to validate conformance in minutes, and where you are going to fall back to vendor SDKs anyway. See our video surveillance services and project portfolio for the kind of deployments it is calibrated against.

What ONVIF actually is (and isn’t)

ONVIF (Open Network Video Interface Forum) is a non-profit industry consortium founded in 2008 by Axis Communications, Bosch Security Systems and Sony Corporation. Its charter is narrow and specific: produce open standards for the interfaces between IP-based physical security products. It publishes spec documents, hosts conformance testing, and maintains a public list of certified products.

At the wire level, ONVIF defines web services using SOAP 1.2 over HTTP(S) with WSDL contracts, plus RTSP/RTP for media. Authentication is Digest or WS-Security UsernameToken. Events travel over SOAP notifications (pull-point or base) — and, since Profile M, optionally over MQTT with JSON payloads.

What ONVIF is not. It is not a video format (H.264, H.265 are codecs, not ONVIF), not a cloud platform, not a management layer. It does not ship reference hardware. And critically it never standardizes proprietary features — Axis ACAP, Bosch IVA, Hikvision AcuSense, Hanwha Wisenet AI all live outside the ONVIF spec, even on ONVIF-certified cameras.

Why ONVIF won the standards war

The only real alternative, PSIA (Physical Security Interoperability Alliance, also founded 2008), covered a wider scope and used REST rather than SOAP — intellectually cleaner but politically isolated. ONVIF got the founding three manufacturers, then Hanwha, Pelco, Hikvision and Dahua, and the market followed. PSIA still exists but is effectively moribund for new deployments. Any integrator who tells you otherwise is 10 years out of date.

The ONVIF profile roster at a glance

There are seven active profiles in 2026 plus a growing set of modular Add-ons. Profile Q was deprecated in 2022 for security reasons. Here is the canonical map:

Profile S: the legacy streaming baseline

Profile S was the first major ONVIF profile (2012) and for a decade it was the default sticker on every IP camera box. It standardizes live H.264 video, audio streaming, PTZ control, motion-detection events and basic metadata. If your VMS supports one ONVIF profile, it is almost always Profile S.

What it covers. RTSP with H.264 baseline/main profile, AAC audio, PTZ absolute/relative/continuous, motion alarm via ONVIF events, digest or WS-Security auth, device discovery over WS-Discovery.

What it misses. No H.265, no image-setting management, no embedded analytics, no tamper events as a first-class citizen. For new deployments in 2026, you are effectively leaving 40% bandwidth and every analytics capability on the table.

Profile T: the modern streaming baseline

Profile T superseded S for 2020-era and newer hardware. It mandates H.265 (plus H.264 for backwards compat), embedded motion and tampering analytics, image-settings management (brightness, contrast, WDR), bi-directional audio, and enhanced event handling including alarms. On a modern Axis Q-series, Bosch Flexidome or Hanwha Wisenet P-series, Profile T is ticked.

Why it matters commercially. H.265 cuts storage and bandwidth by roughly 50% versus H.264 at the same visual quality — for a 1,000-camera site that is the difference between a $12 k/month storage bill and a $6 k/month storage bill. If your VMS is still Profile S-only, you are paying this bill unnecessarily. See our real-time video processing with AI best practices for the pipeline implications.

Profile G: edge recording and playback

Profile G is the profile for NVRs, edge-recording cameras (those with SD cards or internal storage), and any device that records video locally. It standardizes four capabilities: configuring recording schedules, querying recording metadata, retrieving recordings, and controlling playback. It is also the profile under which two-way audio is formalized.

In practice Profile G is essential for any distributed deployment where centralized storage is not viable — remote sites, mobile vehicles, temporary installations, body-worn cameras. It is also the only way to query edge-stored archive from a VMS without proprietary SDKs. Our take on architecture trade-offs lives in scalable video management systems.

Profile M: the analytics metadata profile

Profile M, published in 2021, is the newest streaming-adjacent profile. It standardizes how IP devices share analytics metadata — bounding boxes, classifications (human, vehicle, face, license plate), events (line crossing, counting, loitering), and geolocation. It also introduces the optional MQTT binding for events, turning a camera into a first-class IoT node.

Profile M is growing fast on enterprise AI cameras (Axis ARTPEC-9, Bosch 7000 series, Dallmeier, Hanwha Wisenet P/X, Pelco Sarix Enhanced). Mid-tier and budget brands (Hikvision, Dahua) still rely on proprietary SDKs. We have a dedicated deep-dive: ONVIF Profile M and Object Detection.

Profiles A, C, D: the access-control triad

ONVIF’s access-control profiles were long overshadowed by video, but since the industry’s convergence of video surveillance with physical access control systems (PACS), these three profiles are worth real attention.

Profile A handles configuration: credentials, schedules, access rules, access-point definitions. It is the management surface for an ACS.

Profile C handles run-time events: door-state notifications, access-granted/denied events, operational status. A VMS subscribes to Profile C to display door events next to a live camera feed.

Profile D handles peripherals: RFID and QR readers, biometric devices, keypads, door sensors, REX buttons. It is the newest of the three and adoption is uneven; proprietary reader SDKs still dominate in many deployments.

ONVIF Add-ons — the modular extension story

Add-ons are a 2023 ONVIF innovation: lightweight, versioned specifications that extend an existing profile rather than standing alone. A product must already conform to at least one profile to claim add-on conformance. Examples include secure boot and device identity, which plugs into the NIST 800-213 family of IoT security guidance, plus emerging add-ons around AI model integrity and firmware attestation.

Unlike profiles, add-ons carry version numbers (1.0, 1.1, 1.2) so they can evolve without breaking interoperability. For buyers this means: when you see an add-on name, check the version number in the DoC — 1.2 is not automatically compatible with a 1.0 client.

Verifying conformance in five minutes

The only authoritative source is the ONVIF Conformant Products List. ONVIF itself notes that fraudulent logo use and overstated conformance claims are common on spec sheets. Treat every marketing page as suspect; the DoC is the contract.

The 6-step DoC workflow

1. Find the exact model. Search by manufacturer and model number in the Conformant Products database. Watch for model revisions — a DS-2CD2663G0 is not a DS-2CD2663G1.

2. Match the firmware. Each DoC is tied to a tested firmware version. If your stock has different firmware, that DoC does not apply.

3. Download the DoC PDF. Read the first page for the profiles claimed (e.g., “Profile S, T, G, M”).

4. Scan the feature tables. Every feature is marked M (mandatory — must work), C (conditional — must work if the functionality exists at all), or O (optional). Features you care about should be ticked.

5. Cross-check with a live tool. ONVIF Device Manager (free, Windows-only) connects to the camera and enumerates supported services. Compare against the DoC.

6. Pin the firmware. In your deployment bill of materials, lock the exact firmware version and include a re-test step for any firmware upgrade.

The six profile bundles you actually deploy

Vendor adoption reality check

Enterprise. Axis, Bosch, Hanwha, Pelco, Dallmeier publish clean DoCs, maintain firmware, and keep Profile M current. These are the brands where “ONVIF compliant” on the box matches the DoC in the database.

Mid-tier. Vivotek, i-PRO, Lorex offer decent Profile S + T, partial G, and are slowly adding M. DoCs are usually accurate but you may find optional features missing on budget SKUs.

High-volume / budget. Hikvision and Dahua are ONVIF members and ship Profile S/T widely, but their advanced analytics and storage features live behind proprietary ISAPI and DH-SDK interfaces. You will almost always run a proprietary SDK path alongside ONVIF for these brands — budget accordingly.

Cloud / VSaaS. Verkada, Eagle Eye, Spot AI tend to wrap ONVIF behind a gateway: the edge camera speaks ONVIF upstream, the cloud UI is proprietary. This is fine as long as you remember that ONVIF feature parity stops at the gateway.

Our AI-powered IP camera trends piece goes deeper on the SoC and firmware roadmaps driving this.

Mini case — a 400-camera hospital migration

Situation. A regional hospital group ran a 10-year-old Milestone XProtect Corporate rig with ~400 Axis P-series cameras on Profile S H.264. Storage was chewing through 2.5 petabytes a year on a central SAN. The CISO wanted HIPAA-grade audit, better analytics for after-hours loitering, and a way to forward access-control events into the SOC dashboard without another vendor integration.

The 10-week plan. Weeks 1–2: DoC audit, firmware plan, rolling H.264-to-H.265 transition via Profile T. Weeks 3–5: enabling Profile M on 120 newer P-series units, MQTT broker for metadata. Weeks 6–7: access-control Profile A + C integration with existing HID Global readers. Weeks 8–9: audit trail, SOC UI integration. Week 10: load test, runbooks, handoff.

Outcome. Storage footprint fell 47% after the H.265 rollout, after-hours alert latency dropped from 4 s to under 1.2 s, and access events now show side-by-side with camera feeds in the SOC dashboard — no extra vendor plugin. For context on the VMS side see 12 essential features of modern VMS software.

Tooling that keeps an ONVIF project moving

ONVIF Device Manager (Windows, free). Still the fastest way to connect to a camera, enumerate services, check DoC claims and pull a test stream.

ONVIF Device Test Tool (vendor-only). Used by manufacturers to run the official conformance suite. If you are building a device, you live in it.

gSOAP, python-zeep, onvif-zeep. WSDL-to-code generators for C/C++ and Python clients. Keep local copies of the ONVIF WSDLs — online resolution is brittle.

Wireshark with RTSP and SOAP dissectors. When the DoC says one thing and the camera says another, the wire is where the truth is.

Happytime ONVIF Server / ONVIF Emulator. Spin up a synthetic device to test your VMS consumer without touching physical hardware.

What an ONVIF consumer really costs to build

Estimates below assume our Agent Engineering-accelerated workflow. Non-accelerated teams should budget 40–60% more hours.

A decision framework — which profiles to mandate in five questions

Q1. Will you deploy H.265 today? Yes → Profile T is non-negotiable. No → Profile S is still acceptable for 2–3 more years.

Q2. Will recording live on the edge? Yes → Profile G required. No → central VMS only, Profile G optional.

Q3. Is cross-vendor analytics metadata part of scope? Yes → Profile M is required; plan MQTT and metadata archive. No → skip M, proprietary analytics may be cheaper.

Q4. Is access control being unified with video? Yes → Profile A + C, likely D. No → skip ACD, save integration hours.

Q5. Does the procurement plan include Hikvision or Dahua hardware? Yes → plan for a parallel proprietary-SDK path for advanced features. No → pure ONVIF is realistic.

Five pitfalls that sink ONVIF projects

1. Trusting spec sheets over DoCs. Marketing pages lie. The DoC is the contract. Always audit.

2. Ignoring firmware pinning. Conformance is firmware-specific. A fleet with 12 firmware revisions has 12 different behavioural surfaces.

3. Assuming optional features work. An ONVIF Profile T camera without a tick against “image settings” will not let you set brightness over ONVIF — even if the web UI does.

4. Conflating ONVIF with vendor SDK. If the product depends on Axis ACAP, Bosch IVA, Hikvision DeepinView or Wisenet AI, ONVIF alone will not carry the feature.

5. Skipping WS-Discovery governance. On a flat LAN, WS-Discovery multicast floods the network if hundreds of cameras wake at once. Segment the VLAN or disable multicast discovery and script device addition explicitly.

KPIs: what to measure on an ONVIF stack

Quality KPIs. Live-stream start latency < 800 ms p95 from PLAY to first I-frame; PTZ command round-trip < 400 ms; metadata delivery latency < 500 ms (where Profile M is in play).

Business KPIs. Storage footprint per camera per day (Profile T / H.265 should run 40–50% below Profile S / H.264); alert-to-operator latency < 1 s; number of proprietary SDK code paths (drive to zero for unified vendor sites, accept 1–2 for mixed fleets).

Reliability KPIs. Camera availability per month ≥ 99.5%; ONVIF discovery completion < 30 s for a 500-camera LAN; firmware drift across the fleet ≤ 3 distinct versions at any time.

When ONVIF is the wrong tool

Consumer cloud cameras. Ring, Nest, Wyze do not ship ONVIF. For consumer-facing products that bundle a cloud backend, proprietary protocols win on latency, battery life, and integration simplicity.

Sub-100 ms critical-infrastructure alerting. In ultra-low-latency workflows (perimeter intrusion at nuclear or financial facilities), WebRTC plus in-band alarm metadata beats the ONVIF event pipeline. Use ONVIF for archive and evidentiary chain; keep the hot path tighter.

Single-vendor, closed ecosystem. If the hardware and VMS come from the same vendor and there is zero strategic interest in swapping either, the native SDK gives more features with less ceremony. ONVIF is insurance for vendor-flexibility.

FAQ

What to Read Next

Ready to make ONVIF a competitive advantage?

ONVIF is the connective tissue of modern IP surveillance. The sticker on the box is the beginning of the conversation, not the end: read the DoC, mandate the right profiles for the deployment, and plan around the places where vendor SDKs still carry the advanced features. Done well, an ONVIF-native system is cheaper to run, easier to refresh, and future-proofed against vendor strategy changes you cannot predict today.

Fora Soft has been building ONVIF consumers, VMS back-ends and gateways for over a decade. If you want to skip the learning curve, we will bring the reference architecture, the code, and the operational playbook that have shipped across retail, smart-city, industrial, courtroom, and enterprise-security projects.