Periodic Reporting for period 1 - CERTIFAI (Agile conformance assessment for cybersecurity CERTIFication enhanced by Artificial Intelligence)
Reporting period: 2023-09-01 to 2025-02-28
CertifAI is developing an AI-supported framework to assess cybersecurity compliance. We integrate AI technologies like NLP and LLMs to provide practical tools for interpreting and applying cybersecurity standards. It aligns with key frameworks such as the IEC 62443 series and CRA and the AI Act. CertifAI embeds cybersecurity throughout the product lifecycle and adapts to diverse regulatory scenarios and UCs. Key features include: a RAG system for navigating regulations; Definition of SACs for structured compliance assessment; formal methods for verification; AI-driven tool for cross-domain threat modeling; and a risk prioritization engine using SBOM and vulnerability data. These components form a unified compliance framework that streamlines certification processes and strengthens product security assurance.
WP2 introduced an AI-driven methodology for harmonizing and mapping cybersecurity requirements from multiple standards (IEC 62443, NIST SP 800-53, MITRE ATT&CK/D3FEND) into a unified, centralized database. Using NLP techniques and semantic similarity analysis, CertifAI automates requirement decomposition, gap detection, and compliance assessment. A Retrieval-Augmented Generation (RAG) solution supports intelligent navigation across frameworks, and a structured Compliance Assessment Methodology was defined to guide continuous verification throughout the product lifecycle.
WP3 developed Security Assurance Cases structure, automating their generation using intelligent agents. A repository links SAC components with supporting evidence. A risk evaluation framework was built using MITRE and NVD data, enhanced by an AHP-based prioritization model. Task 3.4 introduced a tool for automated SBOM-based vulnerability detection and analysis.
WP4 aligned testing processes with standards like IEC 62443 and the CRA. Innovations include: ML-based test prioritization using CVE data (Task 4.3) dynamic testing via fuzzing and combinatorial techniques (Task 4.2) and a scalable formal methods framework (Task 4.4) . These tools support security verification across critical infrastructure and enhance testing efficiency.
WP5 delivered CTI-driven threat modelling tool supporting multiple domains. It automates threat identification and mitigation mapping. An intrusion detection framework was also built, with ongoing work on interpretable AI for enhanced vulnerability insights.
WP6 focused on integrating the outcomes of WP2–WP5 into a unified CertifAI framework, demonstrating and evaluating it across defined use cases. Key outcomes include the specification of certification subjects (D6.1) delivery of initial and updated tool versions and architecture (D6.2 D6.3 D6.5) and the first release of the compliance assessment framework (D6.4).
WP3 developed Security Assurance Cases structure, automating their generation using intelligent agents. A repository links SAC components with supporting evidence. A risk evaluation framework was built using MITRE and NVD data, enhanced by an AHP-based prioritization model. Task 3.4 introduced a tool for automated SBOM-based vulnerability detection and analysis.
WP4 aligned testing processes with standards like IEC 62443 and the CRA. Innovations include: ML-based test prioritization using CVE data (Task 4.3) dynamic testing via fuzzing and combinatorial techniques (Task 4.2) and a scalable formal methods framework (Task 4.4) . These tools support security verification across critical infrastructure and enhance testing efficiency.
WP5 delivered CTI-driven threat modelling tool supporting multiple domains. It automates threat identification and mitigation mapping. An intrusion detection framework was also built, with ongoing work on interpretable AI for enhanced vulnerability insights.
WP6 focused on integrating the outcomes of WP2–WP5 into a unified CertifAI framework, demonstrating and evaluating it across defined use cases. Key outcomes include the specification of certification subjects (D6.1) delivery of initial and updated tool versions and architecture (D6.2 D6.3 D6.5) and the first release of the compliance assessment framework (D6.4).
WP2 CertifAI introduces an approach to crosswalking cybersecurity standards by leveraging LLMs and semantic similarity techniques to identify relationships between controls, requirements, and threats across frameworks. A RAG solution enhances navigation of standards by combining semantic search with generative AI to produce contextualized, cross-framework guidance, refined via human-in-the-loop validation.
WP3 Innovates through the development of an intelligent agent that automates SAC generation and compliance reasoning using foundation models. This includes interpreting complex standards like IEC 62443, producing CAE-structured SACs, and detecting compliance gaps. WP3 also introduces a structured, AI-supported risk evaluation framework that integrates real-time vulnerability data and uses Analytic Hierarchy Process (AHP) to prioritize risks and mitigation actions in a traceable, data-driven manner.
WP4 delivers a data-driven, automated approach to test case prioritization by linking vulnerabilities, attack techniques, and test cases via NLP and ML. This enables adaptive test optimization with built-in uncertainty quantification. Additionally, WP4 presents a scalable formal methods framework that dramatically reduces manual encoding effort and extends applicability across different system abstraction levels, enabling non-experts to adopt formal verification.
WP5 Introduces ThreatSpider, the first threat modeling tool that integrates five CTI sources and supports multiple technology domains. It automates threat, mitigation, and requirement identification tailored to specific system properties. Another innovation is the development of a system for mining operational traces to build and analyze Execution Units, visualized through a cross-platform tool, with plans to enhance it using logs and network data. Explainable AI is explored for intrusion detection and vulnerability explanation, supporting interpretable cybersecurity assessments.
WP7 CertifAI actively contributes to the standardization efforts, particularly for the CRA, the Radio Equipment Directive, and cybersecurity certification of electrotechnical and AI systems. The project engages with working groups such as CEN/CLC/JTC 13, JTC 21/WG 5, and ISO/IEC JTC 1/SC 42, influencing harmonized standards.
WP3 Innovates through the development of an intelligent agent that automates SAC generation and compliance reasoning using foundation models. This includes interpreting complex standards like IEC 62443, producing CAE-structured SACs, and detecting compliance gaps. WP3 also introduces a structured, AI-supported risk evaluation framework that integrates real-time vulnerability data and uses Analytic Hierarchy Process (AHP) to prioritize risks and mitigation actions in a traceable, data-driven manner.
WP4 delivers a data-driven, automated approach to test case prioritization by linking vulnerabilities, attack techniques, and test cases via NLP and ML. This enables adaptive test optimization with built-in uncertainty quantification. Additionally, WP4 presents a scalable formal methods framework that dramatically reduces manual encoding effort and extends applicability across different system abstraction levels, enabling non-experts to adopt formal verification.
WP5 Introduces ThreatSpider, the first threat modeling tool that integrates five CTI sources and supports multiple technology domains. It automates threat, mitigation, and requirement identification tailored to specific system properties. Another innovation is the development of a system for mining operational traces to build and analyze Execution Units, visualized through a cross-platform tool, with plans to enhance it using logs and network data. Explainable AI is explored for intrusion detection and vulnerability explanation, supporting interpretable cybersecurity assessments.
WP7 CertifAI actively contributes to the standardization efforts, particularly for the CRA, the Radio Equipment Directive, and cybersecurity certification of electrotechnical and AI systems. The project engages with working groups such as CEN/CLC/JTC 13, JTC 21/WG 5, and ISO/IEC JTC 1/SC 42, influencing harmonized standards.