diff --git a/changelogs/unreleased/dz-scope-security-routes.yml b/changelogs/unreleased/dz-scope-security-routes.yml
new file mode 100644
index 0000000000000000000000000000000000000000..04aa8cd3656d428b2c2460ce352c50befb261baa
--- /dev/null
+++ b/changelogs/unreleased/dz-scope-security-routes.yml
@@ -0,0 +1,5 @@
+---
+title: Move security routes under - scope
+merge_request: 24287
+author:
+type: changed
diff --git a/config/routes/project.rb b/config/routes/project.rb
index 791f6cc2a4ebda6a21ce67960ee3ebe5e93c4c42..3f3d7452a84371f5543bd6b1997cdb2c7ee009f4 100644
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -468,7 +468,8 @@
                                             :forks, :group_links, :import, :avatar, :mirror,
                                             :cycle_analytics, :mattermost, :variables, :triggers,
                                             :environments, :protected_environments, :error_tracking,
-                                            :serverless, :clusters, :audit_events, :wikis, :merge_requests)
+                                            :serverless, :clusters, :audit_events, :wikis, :merge_requests,
+                                            :vulnerability_feedback, :security, :dependencies)
     end
 
     # rubocop: disable Cop/PutProjectRoutesUnderScope
diff --git a/ee/config/routes/project.rb b/ee/config/routes/project.rb
index 71718fc0c1f7a8ce8ff4ba9f00643b3fd713aa95..29ca9ceff5fd725efe95b3bf40403eea82d77716 100644
--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
@@ -56,8 +56,6 @@
 
         resources :subscriptions, only: [:create, :destroy]
 
-        resources :licenses, only: [:index, :create, :update]
-
         resource :threat_monitoring, only: [:show], controller: :threat_monitoring
 
         resources :logs, only: [:index] do
@@ -79,6 +77,16 @@
           resources :waf_anomalies, only: [] do
             get :summary, on: :collection
           end
+
+          resources :dashboard, only: [:show, :index], controller: :dashboard
+          resource :configuration, only: [:show], controller: :configuration
+          resource :discover, only: [:show], controller: :discover
+
+          resources :vulnerability_findings, only: [:index] do
+            collection do
+              get :summary
+            end
+          end
         end
 
         namespace :analytics do
@@ -88,6 +96,9 @@
         resources :approvers, only: :destroy
         resources :approver_groups, only: :destroy
         resources :push_rules, constraints: { id: /\d+/ }, only: [:update]
+        resources :vulnerability_feedback, only: [:index, :create, :update, :destroy], constraints: { id: /\d+/ }
+        resources :dependencies, only: [:index]
+        resources :licenses, only: [:index, :create, :update]
       end
       # End of the /-/ scope.
 
@@ -146,22 +157,6 @@
           post :query
         end
       end
-
-      namespace :security do
-        resources :dashboard, only: [:show, :index], controller: :dashboard
-        resource :configuration, only: [:show], controller: :configuration
-        resource :discover, only: [:show], controller: :discover
-
-        resources :vulnerability_findings, only: [:index] do
-          collection do
-            get :summary
-          end
-        end
-      end
-
-      resources :vulnerability_feedback, only: [:index, :create, :update, :destroy], constraints: { id: /\d+/ }
-
-      resources :dependencies, only: [:index]
       # All new routes should go under /-/ scope.
       # Look for scope '-' at the top of the file.
       # rubocop: enable Cop/PutProjectRoutesUnderScope
diff --git a/ee/spec/presenters/merge_request_presenter_spec.rb b/ee/spec/presenters/merge_request_presenter_spec.rb
index 08f3796453a694bcf2a88ac30c15a4c00cb53e55..9804fa167c5061f1dc826671ea5ef862f3265b87 100644
--- a/ee/spec/presenters/merge_request_presenter_spec.rb
+++ b/ee/spec/presenters/merge_request_presenter_spec.rb
@@ -105,7 +105,7 @@
     with_them do
       subject { described_class.new(merge_request, current_user: user).public_send(create_feedback_path, merge_request.project) }
 
-      it { is_expected.to eq("/#{merge_request.project.full_path}/vulnerability_feedback") }
+      it { is_expected.to eq("/#{merge_request.project.full_path}/-/vulnerability_feedback") }
 
       context 'when not allowed to create vulnerability feedback' do
         let(:unauthorized_user) { create(:user) }
diff --git a/ee/spec/routing/project_routing_spec.rb b/ee/spec/routing/project_routing_spec.rb
index ed6c79c6d13bd5c805743f4021be1e5c037a7b05..add7e04332c7c58b7548e25be206c42b53bf2816 100644
--- a/ee/spec/routing/project_routing_spec.rb
+++ b/ee/spec/routing/project_routing_spec.rb
@@ -12,15 +12,19 @@
   # project_vulnerability_feedback  DELETE /:project_id/vulnerability_feedback/:id(.:format) projects/vulnerability_feedback#destroy
   describe Projects::VulnerabilityFeedbackController, 'routing', type: :routing do
     it "to #index" do
-      expect(get("/gitlab/gitlabhq/vulnerability_feedback")).to route_to('projects/vulnerability_feedback#index', namespace_id: 'gitlab', project_id: 'gitlabhq')
+      expect(get("/gitlab/gitlabhq/-/vulnerability_feedback")).to route_to('projects/vulnerability_feedback#index', namespace_id: 'gitlab', project_id: 'gitlabhq')
     end
 
     it "to #create" do
-      expect(post("/gitlab/gitlabhq/vulnerability_feedback")).to route_to('projects/vulnerability_feedback#create', namespace_id: 'gitlab', project_id: 'gitlabhq')
+      expect(post("/gitlab/gitlabhq/-/vulnerability_feedback")).to route_to('projects/vulnerability_feedback#create', namespace_id: 'gitlab', project_id: 'gitlabhq')
     end
 
     it "to #destroy" do
-      expect(delete("/gitlab/gitlabhq/vulnerability_feedback/1")).to route_to('projects/vulnerability_feedback#destroy', namespace_id: 'gitlab', project_id: 'gitlabhq', id: '1')
+      expect(delete("/gitlab/gitlabhq/-/vulnerability_feedback/1")).to route_to('projects/vulnerability_feedback#destroy', namespace_id: 'gitlab', project_id: 'gitlabhq', id: '1')
+    end
+
+    describe 'legacy routing' do
+      it_behaves_like 'redirecting a legacy project path', "/gitlab/gitlabhq/vulnerability_feedback", "/gitlab/gitlabhq/-/vulnerability_feedback"
     end
   end
 
diff --git a/ee/spec/serializers/merge_request_widget_entity_spec.rb b/ee/spec/serializers/merge_request_widget_entity_spec.rb
index becc41ea80a96b89e28575ab351cb1aa6950b7d2..13680858333a9f9e73f2814d1a9ac06927fb6ae2 100644
--- a/ee/spec/serializers/merge_request_widget_entity_spec.rb
+++ b/ee/spec/serializers/merge_request_widget_entity_spec.rb
@@ -208,7 +208,7 @@ def create_all_artifacts
 
   it 'has vulnerability feedback paths' do
     expect(subject.as_json[:vulnerability_feedback_path]).to eq(
-      "/#{merge_request.project.full_path}/vulnerability_feedback"
+      "/#{merge_request.project.full_path}/-/vulnerability_feedback"
     )
     expect(subject.as_json).to include(:create_vulnerability_feedback_issue_path)
     expect(subject.as_json).to include(:create_vulnerability_feedback_merge_request_path)