A Framework for Budget-Constrained Zero-Day Cyber Threat Mitigation: A Knowledge-Guided Reinforcement Learning Approach

Abstract

Conventional machine-learning-based defenses are unable to generalize well to novel chains of ATT&CK actions. Being inefficient with low telemetry budgets, they are also unable to provide causal explainability and auditing. We propose a knowledge-based cyber-defense framework that integrates ATT&CK constrained model generation, budget-constrained reinforcement learning, and graph-based causal explanation into a single auditable pipeline. The framework formalizes the synthesis of zero-day chains of attacks using a grammar-formalized ATT&CK database and compiles them into the Zeek-aligned witness telemetry. This allows for efficient training of detection using the generated data within limited sensor budgets. The Cyber-Threat Knowledge Graph (CTKG) stores dynamically updated inter-relational semantics between tactics, techniques, hosts, and vulnerabilities. This enhances the decision state using causal relations. The sensor budget policy selects the sensoring and containment decisions within explicit bounds of costs and latency. The inherent defense-provenance features enable a traceable explanation of each generated alarm. Extensive evaluations of the framework using the TTP holdouts of the zero-day instances show remarkable improvements over conventional techniques in terms of low-FPR accuracy, TTD, and calibration.

1. Introduction

Modern enterprise’s cyber-defense frameworks encounter three persistent deficiencies. First, it is challenging for detection models to address unseen attack chains that follow the ATT&CK ontology but differ in order, preconditions and tooling [1]. Second, telemetry is not free of charge. The teams operate under tight budgets for log volume, CPU, storage, and latency [2,3]. Third, the explanations are brittle under shifts and are generally not tied to the causal structures of tactics and techniques. Many systems cannot demonstrate which model, which knowledge state, or which configuration produced a given alert [4]. Public datasets and cyber simulation labs help. However, they leave these gaps open. The packet and flow corpora are static in nature. Red team replays are scripted. Most gym environments simulate fixed attack playbooks [2,5]. Logging is usually all-on or fixed per scenario. Causal semantics over ATT&CK are not exposed to the defender or to the evaluation harness. Artifacts such as alerts and explanations are saved as files without verifiable provenance. As a result, we cannot study cost-aware defense, generalization to zero-day chains, or explanation stability in a controlled and reproducible way [6,7,8].

We address these needs with Sim-CTKG, an ATT&CK-aware generative cyber range for reinforcement learning and defense [9]. Nodes represent tactics, techniques, software, hosts, and CVEs [10,11]. Edges encode preconditions and effects that link actions and entities. Sim-CTKG samples unseen technique chains with a formal grammar that respects ATT&CK constraints, then compiles each chain into witness telemetry for network and host logs. The defender observes features and a two-hop CTKG slice each step and learns a sensor-budget policy that chooses both containment actions and which log sources to activate under cost and latency limits [12]. A causal CTKG enables counterfactual probes that quantify preventability and explanation stability on held-out chains [13]. Every alert and explanation ships with a Content Credentials (C2PA) manifest so artifacts are verifiable.

The adversary follows tactic and technique semantics and may vary parameters, tools, and order within those constraints. The defender controls containment actions and logging configuration but cannot modify the attacker [14]. Telemetry is synthesized by the witness compiler and can be calibrated with a small set of real replays when available [15]. The range is not developed as a full digital twin. This is a research-grade environment that isolates the effects of costs, causality, and provenance on learning and detection.

A key design goal of Sim-CTKG is to isolate the effects of three factors that strongly influence real-world cyber-defense systems: (i) cost-aware sensing, (ii) causal structure and counterfactual reasoning, and (iii) verifiable provenance. The environment exposes configuration switches that independently enable or disable budget constraints, CTKG-based causal reasoning, and provenance logging, allowing us to characterize the individual and combined contributions of these components to detection accuracy, generalization, and robustness.

The key contributions of this research are as follows:

• We develop a grammar-constrained generator for unseen ATT&CK technique chains and a corresponding compiler (Sim-CTKG) that produces structured, Zeek-aligned network and host telemetry consistent with each stage of the simulated intrusion.
• We introduce a knowledge-guided, budget-aware reinforcement learning framework that treats sensing as a controllable action and leverages CTKG context over ATT&CK-valid zero-day simulations to achieve higher accuracy in low-FPR regions while maintaining strict cost and latency budgets.
• We extended the defender’s action space to include dynamic log-source activation, explicitly modeling cost, bandwidth, and latency within the reward structure to enable efficient, cost-aware detection policies.
• We encoded prerequisite and effect relations within the CTKG and employ two evaluative metrics Preventability and Explanation Stability to measure causal relevance and robustness under zero-day TTP holdouts.
• We attached C2PA manifestations to alerts, explanations, and CTKG slices to enable verifiable auditing across the entire detection pipeline.
• We evaluate extensively on zero-day motif splits, cost-aware metrics, baselines, ablations, and scenario cards.

The remainder of this paper is organized as follows. Section 2 presents the background and the threat models. Section 3 presents the related literature. Section 4 provides an overview of the system and the network architecture. Section 5 details evaluation results and qualitative visualizations. Section 6 explores the extended analysis. Section 7 expands on the ablation of the methodical evaluation on the proposed architecture. Section 8 concludes with limitations and future works.

2. Background and Threat Model

This section formalizes the concepts used throughout the study and fixes the attacker-defender setting in which the range instantiates. Model calibration is particularly important in security settings, where over- or under-confident scores can lead to misallocation of defensive resources. Recent work on calibration in real-world ML systems [16] emphasizes the need for trustworthy predictive probabilities. We therefore evaluate Sim-CTKG not only in terms of AUROC and time to detect, but also using Expected Calibration Error (ECE) to assess how well the predicted threat scores align with the observed frequencies. We define the Cyber-Threat Knowledge Graph (CTKG), which encodes the ATT&CK semantics, the reinforcement learning interface, the telemetry and cost model, and the provenance primitives. Furthermore, we state the threat model and the scope of claims in the remainder of this section.

2.1. ATT&CK Semantics and Entities

Let $\mathcal{T}$ denote ATT&CK tactics and $\mathcal{K}$ denote techniques. Let $\mathcal{S}$ be software or tooling, $\mathcal{H}$ hosts, $\mathcal{A}$ accounts, and $\mathcal{V}$ CVEs or vulnerabilities. Each technique $k\in \mathcal{K}$ has a set of preconditions $\mathrm{pre}\left(k\right)$ and effects $\mathrm{eff}\left(k\right)$ over entities and system state. A valid attack chain is a sequence $(k_1,\dots ,k_L)$ such that $\mathrm{pre}\left(k_{i+1}\right)$ is satisfied after $\mathrm{eff}\left(k_i\right)$ is applied. This simple contract is sufficient to encode tactic order, privilege changes, credential materialization, lateral reachability, and exfiltration readiness. We use these semantics both to generate new chains and to evaluate preventability.

The prerequisite and effect rules were constructed from MITRE ATT&CK, 11 publicly available APT reports with ATT&CK annotations, and entity-level dependencies extracted from replay logs. Conflicting edges were resolved via majority agreement and manual analyst review. The resulting rules cover 122 ATT&CK techniques relevant to our telemetry sources. Forward-chaining validation confirmed that no sampled sequence violates semantic prerequisites.

2.2. Cyber-Threat Knowledge Graph (CTKG)

The CTKG is a typed, weighted, time-stamped graph $G=(V,E)$. Nodes V are entities drawn from $\mathcal{T}\cup \mathcal{K}\cup \mathcal{S}\cup \mathcal{H}\cup \mathcal{A}\cup \mathcal{V}$. Edges $E\subseteq V\times \mathcal{R}\times V$ carry relationship types $r\in \mathcal{R}$ such as has_precondition, achieves, runs_on, affects, and communicates_with. Each node and edge has attributes: a trust weight $w\in [0,1]$, a time interval $[t_{\mathrm{start}},t_{\mathrm{end}}]$, and optional provenance tags. At step t, the environment provides a two-hop subgraph $G_t$ centered on entities that are relevant to the current chain prefix and observed telemetry. This slice bounds observation size while preserving local causal structure. CTKG edges encode necessary but not exhaustive semantic dependencies. Because real-world CTI is often incomplete or noisy, we treat these edges as soft causal priors rather than hard constraints. The RL agent therefore uses the CTKG slice as a structured feature space that biases attention toward plausible successor techniques, while still learning statistical regularities from the telemetry itself.

2.3. MDP Interface for Cost-Aware Defense

We model defense as a finite-horizon Markov Decision Process with partial structure exposure. Time is discretized using observation windows. At step t the environment emits the following:

• Feature vector $x_t\in {\mathbb{R}}^d$ derived from network and host logs available under the current logging configuration,
• CTKG slice $G_t$ as in Section 2.2,
• Optional side signals such as queueing delay or buffer occupancy.

• The agent chooses a joint action $a_t=(a_t^{\mathrm{def}},a_t^{\log })$ where the following are true:

• $a_t^{\mathrm{def}}$ values are containment actions permitted by policy, for example isolate host, block domain, or suspend process group,
• $a_t^{\log }\in {\{0,1\}}^m$ toggles m log sources such as Zeek conn, dns, http and host audit channels, all subject to budget.

• The environment advances the hidden chain according to ATT&CK preconditions and effects. The reward is

$$r_t=r_t^{\det }-{\lambda }_{c}C\left(a_t^{\log }\right)-{\lambda }_{\ell }L\left(a_t^{\log }\right)-{\lambda }_{a}A\left(a_t^{\mathrm{def}}\right),$$

(1)

where $r_t^{\det }$ rewards early and correct detection and penalizes false alarms, $C\left(·\right)$ is the logging cost, $L\left(·\right)$ is added latency from chosen sources, and $A\left(·\right)$ captures potential disruption from containment. Coefficients ${\lambda }_c,{\lambda }_{\ell },{\lambda }_a\ge 0$ set trade-offs. The objective is to maximize expected return while satisfying an average budget constraint on C and L.

2.4. Telemetry Model and Budgets

Let the set of candidate sources be ${\left\{s_i\right\}}_{i=1}^m$. Each source has a cost tuple $({\mathrm{cpu}}_i,{\mathrm{bytes}}_i,{\mathrm{delay}}_i)$ and an information profile over techniques. The instantaneous cost under configuration $a_t^{\log }$ is

$$C\left(a_t^{\log }\right)=\sum _{i=1}^m{a}_{t,i}^{\log }(\alpha {\mathrm{cpu}}_i+\beta {\mathrm{bytes}}_i),L\left(a_t^{\log }\right)=\underset{i:a_{t,i}^{\log }=1}{max}{\mathrm{delay}}_i,$$

(2)

with nonnegative weights $\alpha ,\beta$ chosen by the operator. The observation featurizer produces $x_t$ only from active sources at step t. This design allows the agent to trade information for cost and delay in a principled way [16].

2.5. Causal Structure and Counterfactuals

A simple structural model was attached to the CTKG system. For each technique k, we define a binary structural variable $Z_k$ that indicates whether k occurs within the window. Structural equations link $Z_k$ to its parents using learned parameters and exogenous noise. Counterfactual queries intervene on variables by setting $Z_k\leftarrow 0$ for candidate techniques and recomputing risk on the remaining chain. We report two metrics subsequently. Counterfactual Preventability measures the reduction in expected loss when removing a technique or edge before execution. Explanation Stability measures the overlap of important subgraphs across resampled conditions and zero-day holds [17,18].

2.6. Provenance and Verifiable Artifacts

Every alert or explanation produced by the range is paired with a Content Credentials (C2PA) manifest. Let A be the alert payload, E the explanation artifact, $\theta$ the model snapshot, and $H\left(G_t\right)$ a digest of the CTKG slice. We compute a content digest $D=H(A\Vert E\Vert \theta \Vert H\left(G_t\right)\Vert \mathrm{config})$ and sign D with a short-lived key managed by the range. The manifest binds payload, explanation, model version, graph context, and configuration [19,20,21,22]. A verifier recomputes the digest and checks the signature. We measure manifest size and verification time in Section 5.10.

2.7. Threat Model and Scope

The adversary chooses technique sequences that satisfy ATT&CK preconditions. Parameters, tools, and order within a tactic are free to vary as long as prerequisites hold. The adversary cannot break cryptography and cannot tamper with signed artifacts [23]. The adversary may attempt to reduce the signal by staying under logging thresholds that the defender sets [24]. The defender observes features from currently active log sources and the CTKG slice $G_t$. The defender selects containment and logging actions within budget. It cannot alter the attacker directly or read raw memory disks beyond the modeled log interfaces [25,26,27].

Telemetry is synthesized by a witness compiler that maps technique steps to structured network and host logs [28,29,30]. Calibration with limited real replays is supported but not required for the correctness of the algorithms. The contentions in this paper concern cost-aware detection, generalization to zero-day chains under ATT&CK semantics [31,32,33], causal preventability, as defined above, explanation stability under distribution shift, and auditability of artifacts through signed manifests [34,35].

3. Related Work

This section reviews the five paradigms of research that are closest to our study: learning-based intrusion detection, knowledge and threat intelligence representations, reinforcement learning regarding cyber defense, cyber ranges and simulators, and explainability and budget-aware sensing. We conclude with a short summary that clarifies how our approach differs.

3.1. Learning-Based Intrusion Detection

Early intrusion detection relied on signatures and hand-tuned rules. Machine learning replaced fixed signatures with models that learn patterns from traffic and host activity. Classical methods include tree ensembles, one-class detectors, and statistical profiling [36]. Deep learning introduces temporal models that learn features from sequences of network events. Convolutions and transformers improve detection at low false-positive rates when strong features are available [37,38]. Recent graph methods build communication graphs or user process graphs and apply graph neural networks to aggregate context across endpoints [39]. These trends have improved the accuracy of advanced corpora. However, most systems operate as static classifiers that score events or flows [40]. These are not decision-making agents that can trade sensing cost against latency. These also tend to use only telemetry that is already collected earlier, rather than selecting what to collect within a budget [41,42].

3.2. Knowledge Representations and Cyber Threat Intelligence

Cyber threat intelligence is shared in structured formats and taxonomies. Common practice maps are used to observe events, tactics, and techniques [43,44]. Knowledge graphs enrich events with entities such as software, CVE identifiers, or attack patterns. Research systems use these graphs to support search, correlation, and post hoc analysis. A few studies add rules to propagate labels over graph edges [45,46,47]. In most cases, the graph is external to the detector. It is consulted after an alert to create an explanation or to prioritize response [48]. Our work differs because the knowledge graph is part of the agent state. We fuse a small slice of the cyber threat knowledge graph with current features at each step. This allows the policy to reason over prerequisites and effects while it decides what to sense and when to alert.

3.3. Reinforcement Learning for Cyber Defense

Reinforcement learning has been used for routing, anomaly response, and moving target defense [49,50,51,52]. Recent studies have been applied to on-policy or off-policy algorithms for intrusion detection in streaming settings. These agents learn the containment policy or an alerting policy from reward signals [53]. Most studies optimize reward without an explicit cost model for sensing and logging. Some introduce penalties with a proxy cost but do not enforce a hard budget [54]. Few consider calibration of scores or the stability of explanations at a fixed operating point. Our design is budget aware by construction [55]. We use an average cost budget and a p95 latency budget and we train a logging head that chooses sources under these limits. This achieves a significant trade-off between accuracy and resource use that prior work often leaves implicit [56]. Real-world applications of reinforcement learning often face similar issues of safety, stability, and constraint handling as those encountered in robotics [57], where RL has been applied to complex dual-arm assembly tasks and analyzed from a deployment perspective in detail [58,59].

3.4. Cyber Ranges and Simulators

Security research requires repeatable environments [57]. Open cyber ranges and research simulators model hosts, services, and adversary actions [58]. Popular platforms support reinforcement learning interfaces and provide attack graphs or lateral movement abstractions. Although many of these tools are effective for exploration, these generally use high-level events and do not align simulator events with production telemetry schemas [59,60]. These also do not expose the live knowledge context to the agent. Our simulator bridge emits witness telemetry that follows Zeek schemas that can be consumed by downstream tools. At the same time, we align each step with a small knowledge graph slice so that the agent sees both signals during training and evaluation. This reduces the simulation-to-real mismatch in the observation space and in the explanation space.

3.5. Explainability and Budget-Aware Sensing

Explainability for intrusion detection often uses feature attribution on the final score. Some systems produce rule-based rationales or show matched signatures [61,62]. Recent work explores counterfactual reasoning to ask which changes would have prevented a detection [63,64]. These ideas help analysts judge alerts. However, many detectors that explain decisions do not reason about the cost of the data they consume [65]. Meanwhile, budgeted monitoring and adaptive sampling are well known in operations. However, these are generally not coupled with a learned detector that can use the knowledge context. Our framework pairs on both sides [66]. The policy explains alerts with paths in the knowledge graph and with counterfactual preventability estimates. Additionally, the policy controls sensing such that it satisfies the cost and latency targets. We have also added provenance signing for alerts and explanations. This supports replay and audit without exposing sensitive payloads.

3.6. Positioning and Gap

Prior learning-based intrusion detection excels at scoring events but usually assumes fixed telemetry [67]. Although knowledge-driven systems represent threats, these mainly function as an offline context. Reinforcement learning agents learn policies but seldom integrate knowledge or enforce budgets. Cyber ranges support training but often lack schema-aligned outputs and knowledge coupling. Explainable systems validate decisions. However, these do not decide what to sense at cost [68]. Our study addresses these deficiencies using a single pipeline. We align a simulator using Zeek-style telemetry [69,70]. We combine the features and the two-hop cyber threat knowledge graph [71] slice with cross attention [72]. We optimize a policy that chooses both containment actions and logging under explicit budgets. We attach a causal layer that estimates preventability, and we sign artifacts for audit [73]. The evaluation uses zero-day motif holds, strong baselines, and budget adherence checks. The results reveal gains in low FPR slices, earlier detection, and better calibration at equal or lower cost.

3.7. Summary of Differences

Table 1 summarizes key differences between the prior lines and the proposed approach. We focus on whether the method uses knowledge at the decision time, whether it controls sensing under a formal budget, whether it aligns simulator events with production telemetry, and whether it emits auditable explanations.

Table 1. Comparison across research lines. Y indicates the property is present. P indicates partial support.

Line of Work	Knowledge in State	Budgeted Sensing	Telemetry Aligned
Static ML/DL classifiers	P	N	P
Graph based NIDS	P	N	P
CTI/knowledge graph tools	Y (offline)	N	P
RL for cyber defense	N	P	P
Cyber ranges and simulators	N	N	P
Explainable IDS	P	N	P
This work	Y (online)	Y	Y

To summarize, our contribution is an online, budget-aware, knowledge-guided, and audible detector (Table 2). It combines the strengths of prior studies that typically addressed isolation. This combination explains the improvements observed in the low false-positive regions, in time for detection, and in calibration at the matched operating points (Table 3).

Table 2. Capability taxonomy. Ticks indicate the capability is natively supported for that line of work.

Domain	CTKG State	Causal	Multi-Hop	Budget	Latency	Active Log	Zeek	ms/Step	Overall
Static ML/DL classifiers	✗	✗	✗	✗	✗	✗	✓	✓	✗
Graph based NIDS	✗	✗	✗	✗	✗	✗	✓	✗	✗
CTI/knowledge graph tools	✗	✗	✓	✗	✗	✗	✗	✗	✗
RL for cyber defense (generic)	✗	✗	✗	✗	✗	✗	✗	✓	✗
Cyber ranges/simulators	✗	✗	✗	✗	✗	✗	✗	✗	✗
Explainable IDS	✗	✗	✗	✗	✗	✗	✓	✓	✗
This work (Sim CTKG)	✓	✓	✓	✓	✓	✓	✓	✓	✓

Table 3. Evaluation and transparency taxonomy.

Domain	Zero-Day	LowFPR	TTDoptimize	ECE	Counterfactual	Provenance	Artifacts	Overall
Static ML/DL classifiers	✗	✓	✗	✗	✗	✗	✗	✗
Graph based NIDS	✗	✓	✗	✗	✗	✗	✗	✗
CTI/knowledge graph tools	✗	✗	✗	✗	✓	✗	✓	✗
RL for cyber defense (generic)	✗	✗	✓	✗	✗	✗	✓	✗
Cyber ranges/simulators	✓	✗	✗	✗	✗	✗	✓	✗
Explainable IDS	✗	✓	✗	✓	✓	✗	✓	✗
This work (Sim CTKG)	✓	✓	✓	✓	✓	✓	✓	✓

4. Materials and Methods

This section describes the technical design of Sim-CTKG in full detail. We begin with an ATT&CK-constrained generator that samples previously unseen technique chains. We then map each chain to witness telemetry for network and host logs. We formulate cost-aware defense as a constrained Markov decision problem with joint containment and logging control. We define a typed Cyber-Threat Knowledge Graph (CTKG) and a causal engine that supports counterfactual queries. We close with the policy architecture and the content provenance pipeline (Algorithm 1).

Algorithm 1 Sim-CTKG Training Pipeline

Input:   $\mathcal{C}$ with seed s, ${\mathcal{T}}_{\mathrm{allow}}$, $\mathcal{M}$, $L_{max}$, $\tau$, $\mathcal{G}=(\mathcal{N},\Sigma ,P,S)$, $\left\{\tau \right(k,\theta \left)\right\}$, priors $p(\theta \mid k)$, $\left\{B_s\right\}$ for sources $s=1,\dots ,m$, $({\mathrm{cpu}}_i,{\mathrm{bytes}}_i,{\mathrm{delay}}_i)$ for each source $s_i$, $(B_{\mathrm{avg}},B_{\mathrm{lat}})$, ${\pi }_{\theta }(a^{\mathrm{def}},a^{\log }\mid x,G,u)$, critic $V_{\psi }$, $({\lambda }_c,{\lambda }_{\ell },{\lambda }_a)$, duals $({\eta }_c,{\eta }_{\ell })\leftarrow (0,0)$ Output:  ${\pi }_{{\theta }^{★}}$, $V_{{\psi }^{★}}$, $({\eta }_c^{★},{\eta }_{\ell }^{★})$  1: Set PRNG seed s; initialize CTKG manager, causal engine, and environment core with $\mathcal{C}$  2: while not converged do      Chain Sampling under Constraints  3:     Initialize state $s_0$ from topology and credentials; set chain $C\leftarrow \left[\right]$  4:     for $i=0$ to $L_{max}-1$ do          ▹ Grammar-constrained masked sampling  5:         $\mathcal{A}\leftarrow \{k\in \Sigma :\mathrm{tactic}\left(k\right)\in {\mathcal{T}}_{\mathrm{allow}},\mathrm{Valid}(k\mid s_i),\neg \mathrm{ViolatesHoldout}(C\oplus k,\mathcal{M})\}$  6:         if $\mathcal{A}=\varnothing$ then break  7:         end if  8:         Sample $k_{i+1}\sim \mathrm{Softmax}(log{\pi }_{\varphi }(k\mid s_i)/\tau )$ over $k\in \mathcal{A}$; $C\leftarrow C\oplus k_{i+1}$; $s_{i+1}\leftarrow \mathrm{ApplyEffects}(s_i,\mathrm{eff}\left(k_{i+1}\right))$  9:     end for      Witness Compilation 10:     For each $k\in C$: draw $\theta \sim p(\theta \mid k)$; instantiate events from $\tau (k,\theta )$ with globally consistent entity IDs 11:     For each source s: merge attack events with background $E_s^{\mathrm{bg}}\sim B_s$; enforce precedence and latency bounds; sort by time      Rollouts with Joint Control 12:     Reset budgets; initialize two-hop CTKG slice $G_0$ and window features from active sources 13:     for $t=1$ to horizon T do 14:         Form observation $(x_t,G_t,u_t)$ from currently active sources; get action $a_t=(a_t^{\mathrm{def}},a_t^{\log })\leftarrow {\pi }_{\theta }(x_t,G_t,u_t)$ 15:         Apply $a_t^{\mathrm{def}}$ in env; activate sources per $a_t^{\log }$; compute costs $C_t={\sum }_i{a}_{t,i}^{\log }(\alpha {\mathrm{cpu}}_i+\beta {\mathrm{bytes}}_i)$, $L_t={max}_{i:a_{t,i}^{\log }=1}{\mathrm{delay}}_i$ 16:         Advance hidden chain if preconditions hold; update CTKG and structural variables; emit alert/explanation if triggered 17:         Compute detection reward $r_t^{\det }$ and full reward $r_t=r_t^{\det }-{\lambda }_c{C}_t-{\lambda }_{\ell }{L}_t-{\lambda }_{a}A\left(a_t^{\mathrm{def}}\right)$ 18:         Form effective reward with duals ${\tilde{r}}_t=r_t^{\det }-({\lambda }_c+{\eta }_c)C_t-({\lambda }_{\ell }+{\eta }_{\ell })L_t-{\lambda }_{a}A\left(a_t^{\mathrm{def}}\right)$ 19:         If an artifact $(A,E)$ is produced: compute digest $D=H(A\Vert E\Vert \theta \Vert H\left(G_t\right)\Vert \mathrm{config})$; sign D; store C2PA manifest 20:     end for      Policy and Dual Updates 21:     Compute advantages ${\widehat{A}}_t$ with GAE on ${\tilde{r}}_t$ and $V_{\psi }$; update $\theta$ with clipped actor loss 22:     Use straight-through estimator for Bernoulli logging head 23:     Update critic by MSE on returns 24:     Update duals by projected subgradient: ${\eta }_c\leftarrow {[{\eta }_c+\rho ({\displaystyle \frac{1}{T}}{\sum }_t{C}_t-B_{\mathrm{avg}})]}_{+}$, ${\eta }_{\ell }\leftarrow {[{\eta }_{\ell }+\rho (\mathrm{p}95\left(\left\{L_t\right\}\right)-B_{\mathrm{lat}})]}_{+}$ 25: end while 26: return ${\pi }_{{\theta }^{★}}$, $V_{{\psi }^{★}}$, $({\eta }_c^{★},{\eta }_{\ell }^{★})$

4.1. ATT&CK-Constrained Scenario Generation

Let $\mathcal{T}$ be the set of tactics and $\mathcal{K}$ the set of techniques. Each technique $k\in \mathcal{K}$ carries a precondition set $\mathrm{pre}\left(k\right)$ and an effect set $\mathrm{eff}\left(k\right)$ over entities such as privileges, credentials, processes, files, services, and network relations. A chain $C=(k_1,\dots ,k_L)$ is valid when for each $i<L$, the post-state of $k_i$ satisfies $\mathrm{pre}\left(k_{i+1}\right)$. We encode this constraint through a typed grammar with attributes:

$$\mathcal{G}=(\mathcal{N},\Sigma ,P,S),$$

(3)

where nonterminals $\mathcal{N}$ capture tactic phases, terminals $\Sigma$ are techniques, S is the start symbol, and productions in P include attribute checks on $\mathrm{pre}\left(·\right)$ and $\mathrm{eff}\left(·\right)$. A production $X\to YZ$ is permitted only if the attribute evaluator confirms feasibility under the current state. This yields a sequence model with hard validity.

To prevent trivial reuse, we sampled under motif holdouts. Let $\mathcal{M}$ be a set of technique motifs such as T1059, T1105, T1021 that define zero-day families. In training, chains whose ordered subsequences intersect $\mathcal{M}$ are suppressed. During evaluation, we sample those motifs exclusively. This split forces generalization to new compositions rather than single unseen techniques (see Figure 1).

Figure 1. Expanded Causal Engine in CTKG (Module C): Structural Modeling and Counterfactuals.

We parameterize the generator with a distribution ${\pi }_{\varphi }(k_{i+1}\mid {\mathrm{state}}_i)$ that respects grammar constraints. If the state $s_i$ tracks entities and partial order, the chain likelihood is

$$p_{\varphi }\left(C\right)=\prod _{i=0}^{L-1}{\pi }_{\varphi }(k_{i+1}\mid s_i)·\mathbb{I}\left\{\mathrm{valid}(k_{i+1}\mid s_i)\right\}.$$

(4)

The indicator enforces validity. Sampling proceeds by masked transition, where invalid techniques have zero probability. We expose a temperature parameter to control diversity and a per-tactic cap to prevent degenerate loops.

4.2. Witness Telemetry Compiler

Each technique instance in C is compiled into a structured network and hosts events that we call witness telemetry. Let $\tau (k,\theta )$ denote a template for technique k with parameters $\theta$ such as process name, command line, server domain, port, file path, hash, and user context. Given a schedule $t=1,\dots ,T$, the compiler produces for each active log source s a set of events $E_s=\left\{e_{s,t}\right\}$ with coherent timing and identifiers. Network witnesses include Zeek conn, dns, http, ssl, files, and notice. Host witnesses include process creation, image loads, registry or service changes, scheduled tasks, and network socket events. Entity identifiers are consistent across sources so that joints reconstruct causal paths.

Let $B_s$ be a background process for the source s that samples benign events from a stationary mixture of daily patterns. The background is injected independently of the chain. Technique witnesses are injected on top with parameter draws from priors $\theta \sim p(\theta \mid k)$. Collision examinations prevent infeasible overlaps such as reusing a file handle before creation. Timing represents the precedence and network latency bounds. The featurizer that yields $x_t$ sees only events from the sources that are active in step t.

Calibration is supported when real replays are present. A small set of replay logs fits priors for $\theta$ and marginal rates for $B_s$ through simple moment matching. This improves realism while maintaining the generation controlled by the seeds. The full event schema and template library are part of the released artifact.

4.3. Cost-Aware Reinforcement Learning

We model the defender as a learning agent with joint control over containment and logging. At step t, the observation is $(x_t,G_t,u_t)$ where $x_t\in {\mathbb{R}}^d$ are features computed from the currently active sources, $G_t$ is a two-hop CTKG slice, and $u_t$ holds auxiliary signals such as queue delay. The action is $a_t=(a_t^{\mathrm{def}},a_t^{\log })$ with $a_t^{\mathrm{def}}\in {\mathcal{A}}_{\mathrm{def}}$ and $a_t^{\log }\in {\{0,1\}}^m$ for m candidate log sources.

In this domain, logging incurs cost and latency. Let each source $s_i$ have a cost tuple $({\mathrm{cpu}}_i,{\mathrm{bytes}}_i,{\mathrm{delay}}_i)$ measured by profiling. Costs at time t are

$$C\left(a_t^{\log }\right)=\sum _{i=1}^m{a}_{t,i}^{\log }(\alpha {\mathrm{cpu}}_i+\beta {\mathrm{bytes}}_i),L\left(a_t^{\log }\right)=\underset{i:a_{t,i}^{\log }=1}{max}{\mathrm{delay}}_i,$$

(5)

with nonnegative weights $\alpha ,\beta$ chosen per scenario. The reward uses a detection term $r_t^{\det }$ and penalties for cost, latency, and disruptive containment:

$$r_t=r_t^{\det }-{\lambda }_{c}C\left(a_t^{\log }\right)-{\lambda }_{\ell }L\left(a_t^{\log }\right)-{\lambda }_{a}A\left(a_t^{\mathrm{def}}\right).$$

(6)

We enforce average budgets $B_{\mathrm{avg}}$ and latency budgets $B_{\mathrm{lat}}$ through a Lagrangian relaxation. Dual variables $({\eta }_c,{\eta }_{\ell })$ update online so that the effective reward becomes

$${\tilde{r}}_t=r_t^{\det }-({\lambda }_c+{\eta }_c)C\left(a_t^{\log }\right)-({\lambda }_{\ell }+{\eta }_{\ell })L\left(a_t^{\log }\right)-{\lambda }_{a}A\left(a_t^{\mathrm{def}}\right),$$

(7)

with dual updates ${\eta }_c\leftarrow {[{\eta }_c+\rho (C\left(a_t^{\log }\right)-B_{\mathrm{avg}})]}_{+}$ and a similar rule for ${\eta }_{\ell }$. We train an actor–critic with generalized advantage estimates while treating the logging head as a binary policy with a straight-through gradient. Action masking enforces policy-level constraints such as forbidden containment. Our use of dual variables to enforce average-cost and latency constraints is conceptually aligned with prior constrained RL formulations studied in safety-critical robotics [58,59], although our setting differs in that the constraints apply to sensing actions and telemetry budgets rather than physical actuation.

4.4. CTKG Construction and Causal Engine

The CTKG is a typed multigraph $G=(V,E)$ with relationship labels in $\mathcal{R}$. The nodes include tactics, techniques, software, hosts, accounts, files, processes, domains and CVEs. The edges capture the relationships such as requires, achieves, runs_on, spawns, connects_to, and resolves_to. Each node and edge has a trust weight in $[0,1]$ and a time interval. At time t, the environment returns a two-hop slice $G_t$ centered on the active technique footprint and the entities mentioned in the current window of telemetry. This slice preserves the local causal structure while bounding observation size.

We attach a simple structural model to techniques. Let $Z_k\in \{0,1\}$ indicate whether technique k occurs within the step. We model

$$Z_k=\mathbb{I}\left\{f_k(Z_{\mathrm{pa}\left(k\right)},{\xi }_k)\ge 0\right\},$$

(8)

where $\mathrm{pa}\left(k\right)$ are parents in the CTKG and ${\xi }_k$ is exogenous noise. Functions $f_k$ are linear or shallow neural units whose parameters fit to traces produced by the generator and to observed detections. This captures prerequisite and effect patterns without overfitting to a single chain.

The counterfactual queries intervene on the structural model. For a candidate technique $k^{★}$, we replace $Z_{k^{★}}\leftarrow 0$ and recompute the expected detection loss under the learned model. Thereby, partial observations are realized. The Counterfactual Preventability for a set of S techniques is

$$\mathrm{CP}\left(S\right)=\mathbb{E}\left[\ell (\mathrm{policy},\mathrm{env})-\ell (\mathrm{policy},\mathrm{do}(Z_S=0),\mathrm{env})\right],$$

(9)

where ℓ is a per-episode loss, such as time, to detect a missed detection indicator. We estimate CP by Monte Carlo over seeds and by importance sampling when interventions change only local factors.

Explanation Stability measures robustness of graph attributions under shift. Let $\mathcal{A}\left(G_t\right)$ be a set of important nodes and edges obtained from the policy’s graph encoder by gradient-based or perturbation scores at a matched operating point. For two runs r and $r^{\prime }$ under resampling or held-out motifs, we define

$$\mathrm{XS}=\mathbb{E}\left[{\displaystyle \frac{|{\mathcal{A}}_r\cap {\mathcal{A}}_{r^{\prime }}|}{|{\mathcal{A}}_r\cup {\mathcal{A}}_{r^{\prime }}|}}\right],$$

(10)

with confidence intervals from block bootstrap over episodes. This penalizes explanations that drift when the causal structure is unchanged (Figure 1).

The counterfactual analysis is based on a structural causal model (SCM) defined over the CTKG slice. For each technique variable $Z_k$m, we introduced a structural equation (Equation (8)), where the structural functions $f_k$ are learned from observational simulation traces and capture approximate causal influence patterns. The exogenous variables ${\xi }_k$ are assumed to be mutually independent, and CTKG edges provide the graph structure of potential causal dependencies, but not exact numerical parameters; hence, the CTKG is treated as a probabilistic causal prior rather than a perfect oracle. Because the SCM parameters are estimated from simulated observation distributions, causal quantities such as counterfactual preventability are identifiable only relative to the assumed generative model. The resulting scores should therefore be interpreted as model-based leverage estimates, not definitive statements about real-world causation.

4.5. Policy Architecture

The policy consumes $(x_t,G_t,u_t)$ and emits $a_t^{\mathrm{def}}$ and $a_t^{\log }$. We encode $x_t$ with a residual multilayer perceptron that includes feature-wise linear modulation from $u_t$. We encode $G_t$ with a graph attention network over relation-specific projections. The encoders produce embeddings $h_x$ and $h_g$ which are fused by cross-attention where $h_x$ queries $h_g$. The joint representation feeds two heads. The containment head outputs a categorical distribution over ${\mathcal{A}}_{\mathrm{def}}$. The logging head outputs m Bernoulli logits for sources. We share lower layers and separate the final projections.

Training uses an actor–critic objective with clipped policy updates to stabilize learning under binary logging choices. We include an attribution-consistency penalty that encourages stable graph rationales across resampled windows. Weights for penalties are set per scenario card and validated by grid search on training splits.

4.6. Provenance and Verifiable Artifacts

Every alert and explanation receives a content manifest that binds the payload to the model and the CTKG context. Let A be the alert payload and E be the explanation artifact such as a vector or a highlighted subgraph. Let $\theta$ be a model snapshot and let $H\left(G_t\right)$ be a digest of the CTKG slice. We compute a content digest

$$D=H\left(A\parallel E\parallel \theta \parallel H\left(G_t\right)\parallel \mathrm{config}\right)$$

(11)

and sign D with a short-lived key under a content–credentials profile. The verifier recomputes the digest and checks the signature. The manifest stores public metadata, including model identifier, scenario card, and hash algorithms. Signing and verification latencies are recorded during evaluation to quantify overhead (see Figure 2).

Figure 2. Overview of Sim-CTKG network architecture.

Analytic utility and scope. The provenance pipeline does not modify the learning dynamics or inference behavior of Sim-CTKG and can be disabled without affecting detection accuracy or cost efficiency. Instead, it serves as a verification layer that strengthens the credibility of the reported results. Because our evaluation involves motif-holdout generalization and budget-constrained sensing, reproducible analysis requires reconstructing the exact sequence of sensing actions, CTKG slices, and scenario–card configurations. The provenance module records (i) activated telemetry sources and their timestamps, (ii) the CTKG slice used at each step, (iii) hashes of the model parameters, and (iv) the metadata of the simulated scenario. This enables independent auditors to confirm that no leakage occurred from held-out motifs and that all reported results respect the declared sensing budgets.

4.7. Feature Featurization and Windowing

Let events within window $[t-W,t)$ from active sources ${\mathcal{S}}_t=\{s_i:a_{t,i}^{\log }=1\}$ be ${\mathcal{E}}_{s_i,t}$. Each source s has a feature map $F_s:{\mathcal{E}}_{s,t}\to {\mathbb{R}}^{d_s}$ composed of counts, rates, and sketch statistics:

$$F_s\left({\mathcal{E}}_{s,t}\right)=\left[\mathrm{cnt},\mathrm{rate},\mathrm{uniq},\mathrm{top}-k,\mathrm{cmsketch},\mathrm{tf}·log{\displaystyle \frac{T}{\mathrm{df}}}\right].$$

(12)

We compute per-destination and per-host aggregates and concatenate

$$x_t=\mathrm{Norm}\left(\underset{s\in {\mathcal{S}}_t}{⨁}{F}_s\left({\mathcal{E}}_{s,t}\right)\right),\mathrm{Norm}\left(z\right)={\displaystyle \frac{z-\mu }{\sigma +\epsilon }}.$$

(13)

Incremental updates use prefix-sums and rolling sketches; the update cost is $O\left(\right|{\mathcal{E}}_t\left|\right)$ per step with $|{\mathcal{E}}_t|={\sum }_{s\in {\mathcal{S}}_t}\left|{\mathcal{E}}_{s,t}\right|$.

4.8. Relation-Aware Graph Encoder

Each CTKG slice $G_t=(V_t,E_t)$ has node features $h_v^{\left(0\right)}=[\mathrm{type}\mathrm{onehot};\mathrm{tfidf}\mathrm{of}\mathrm{IOC}/\mathrm{soft}$; $\mathrm{risk}\mathrm{prior}]$. We use $L_g$ layers of relation-aware attention (R-GAT) with the residual and layer norm:

$$e_{uvr}^{\left(l\right)}=\mathrm{LeakyReLU}\left(a_r^{\top }[W_r^{\left(l\right)}{h}_u^{\left(l\right)}\parallel W_r^{\left(l\right)}{h}_v^{\left(l\right)}]\right),{\alpha }_{uvr}^{\left(l\right)}={\mathrm{softmax}}_{u\in {\mathcal{N}}_r\left(v\right)}{e}_{uvr}^{\left(l\right)},$$

(14)

$$h_v^{(l+1)}=\mathrm{LN}\left(h_v^{\left(l\right)}+\sigma \left(\sum _{r\in \mathcal{R}}\sum _{u\in {\mathcal{N}}_r\left(v\right)}{\alpha }_{uvr}^{\left(l\right)}{W}_r^{\left(l\right)}{h}_u^{\left(l\right)}\right)\right).$$

(15)

We set $(L_g,d_{\mathrm{hid}},H)=(3,128,4)$ heads unless stated. The complexity per layer is $O\left({\sum }_r\left|E_{t,r}\right|H{d}_{\mathrm{hid}}\right)$.

4.9. Containment Semantics and Safety Mask

Actions $a_t^{\mathrm{def}}\in \{\mathrm{ISOLATE}\left(h\right),\mathrm{BLOCK}\_\mathrm{FQDN}\left(d\right),\mathrm{KILL}\left(p\right),\mathrm{SINKHOLE}\left(c2\right)\}$. A safety mask $M_t$ forbids actions that violate policy or prerequisites; we apply masked sampling:

$${\pi }_{\theta }(a_t^{\mathrm{def}}\mid x_t,G_t)\propto exp{z}_{\theta }\left(a\right)·\mathbb{I}\{a\in M_t\}.$$

(16)

Operational cost penalizes harmful interventions:

$$A\left(a_t^{\mathrm{def}}\right)={\kappa }_1\mathbb{I}\left\{\mathrm{wrong}\mathrm{host}\mathrm{isolate}\right\}+{\kappa }_2\mathbb{I}\left\{\mathrm{critical}\mathrm{process}\mathrm{kill}\right\}+{\kappa }_3\mathbb{I}\left\{\mathrm{excessive}\mathrm{actions}\right\}.$$

(17)

4.10. Cost Profiling and Source Calibration

For each source $s_i$, we measure tuples $({\mathrm{cpu}}_i,{\mathrm{bytes}}_i,{\mathrm{delay}}_i)$ by replaying synthetic bursts at rate r and fitting

$${\mathrm{cpu}}_i\left(r\right)={\alpha }_i^{\mathrm{cpu}}+{\beta }_i^{\mathrm{cpu}}r,{\mathrm{bytes}}_i\left(r\right)={\alpha }_i^{\mathrm{io}}+{\beta }_i^{\mathrm{io}}r,{\mathrm{delay}}_i\left(r\right)={\alpha }_i^{\Delta }+{\beta }_i^{\Delta }r.$$

(18)

During training we plug the realized per-window rate ${\widehat{r}}_{i,t}=\left|{\mathcal{E}}_{s_i,t}\right|/W$.

4.11. Background and Noise Model

Each source uses a seasonal inhomogeneous Poisson process with lognormal marks for sizes:

$${\lambda }_s\left(\tau \right)={\lambda }_{0,s}\left(1+\sum _{k=1}^K{a}_{k,s}sin{\displaystyle \frac{2\pi k\tau }{24}}+b_{k,s}cos{\displaystyle \frac{2\pi k\tau }{24}}\right),S\sim \mathrm{LogNormal}({\mu }_s,{\sigma }_s^2).$$

(19)

Cross-source correlation is induced by a Gaussian copula with correlation matrix $\Sigma$ estimated from benign calibration traces. Collision resolution shifts events by $\delta \sim \mathrm{Exp}\left(\eta \right)$ subject to precedence constraints.

4.12. Policy Heads and Loss

Encoders yield $h_x$ and $h_g$; fusion uses cross-attention $h^{★}=\mathrm{Attn}(Q=h_x,K,V=h_g)$. Heads:

$${\pi }_{\theta }^{\mathrm{def}}=\mathrm{softmax}\left(W_d{h}^{★}\right),{\pi }_{\theta }^{\log }=\mathrm{Bernoulli}\left(\sigma \left(W_{\ell }{h}^{★}\right)\right).$$

(20)

Actor loss is the clipped surrogate on joint policy ${\pi }_{\theta }={\pi }_{\theta }^{\mathrm{def}}·{\pi }_{\theta }^{\log }$; critic loss is MSE on $V_{\psi }$. We add attribution-consistency $L_{\mathrm{cons}}={\lambda }_{\mathrm{cons}}·\mathrm{JSD}({\mathcal{A}}_t,{\mathcal{A}}_{t^{\prime }})$ for matched points.

4.13. Provenance Keying and Verification

We fix hash $H=\mathrm{SHA}-256$ and signatures $\mathrm{Sig}=\mathrm{Ed}25519$. Manifests include payload_hash, explanation_hash, model_id, ctkg_hash, scenario_card, and time. Keys rotate every R hours; manifests carry the key ID. Verification checks $D=H(A\parallel E\parallel \theta \parallel H\left(G_t\right)\parallel \mathrm{config})$ and $\mathrm{Verify}(D,\sigma ,\mathrm{key}\_\mathrm{id})$.

4.14. Scalability and Complexity

Let chain length be L, average feasible fan-out $\overline{d}$, and window events $E_t$. Grammar sampling is $O\left(L\overline{d}\right)$ with attribute checks. Compilation is $O\left({\sum }_t\right|E_t\left|\right)$. CTKG updates are $O\left(\right|E_t|+{\sum }_r|E_{t,r}\left|\right)$. Graph encoding is $O\left(L_{g}H{d}_{\mathrm{hid}}\right|E_t\left|\right)$ per step. Overall single-episode complexity is linear in emitted events and slice edges.

4.15. Leakage Controls

Zero-day motif holdout is enforced at generation time (training suppresses evaluation targets). Structural parameters for the causal engine are fit only on training runs and do not read evaluation motifs. Hyperparameters are selected on a validation set that excludes $\mathcal{M}$. All random seeds are recorded in scenario cards.

5. Evaluation and Results

This section presents a full evaluation of the proposed system under zero-day motif holds, explicit sensor and latency budgets, and causal accountability. All scenario data, seeds, and budgets are fixed before training. We report per-episode metrics with $95\%$ confidence intervals from block bootstrap over episodes. Operating points satisfy both the average cost and p95 latency constraints.

5.1. Dataset

This section documents all datasets used in the study. Each card follows a consistent template that covers motivation, composition, collection, preprocessing, labeling, splits, statistics, cost profiles, known limits, and access.

5.1.1. Sim-CTKG Zeek Telemetry (Primary)

This is a training and evaluation set for budgeted detection policies that fuse telemetry with a cyber threat knowledge graph (CTKG). The dataset aligns simulator events with Zeek log schemas and exposes held-out attack motifs for zero-day testing, such as, multi-source network and host telemetry as Zeek-style tabular records from $K=11$ sources: conn, dns, http, ssl, files, notice, proc, image, svc/reg, task, socket. Each record is time-stamped and keyed by host and flow identifiers. Features are compacted into $x_t\in {\mathbb{R}}^{d_x}$ by a streaming compiler. A two-hop CTKG slice $G_t$ is bound at each step.

Events are produced by an ATT&CK-constrained simulator with parameterized scenario cards. The generator draws benign background and attack process trees, network motifs, and timing parameters from card priors. Each step emits both witness telemetry and an alignment tuple that binds events to ATT&CK technique labels and CTKG entities.

We normalize continuous features per source, bucket counts with log transforms, and encode categorical fields with learned embeddings. Sliding windows build $x_t$ with window size $w=5$ steps and stride 1. We drop fields that leak labels by construction.

Labels exist at three levels: (i) per-step technique indicator $y_t$ and tactic group, (ii) chain-level success, and (iii) first correct alert time for TTD. Only labels from held-out motifs are used at test time.

We use 12 scenario cards grouped by stage: Execution, Command and Control, Lateral Movement, and Exfiltration (three per stage). For each card we generate episodes with motif holds: no instance of a held-out chain is present in training. Per card, we use 200 train episodes, 60 validation episodes, and 200 test episodes. This yields $12\times (200+60+200)=5520$ episodes total (Table 4).

Table 4. Sim-CTKG v1.0 split summary and basic episode statistics.

Split	# Cards	# Episodes	Median Steps/Ep	Attack% (Ep.)
Train	12	2400	520	12.1
Validation	12	720	510	10.7
Test	12	2400	525	11.4

Episode length: median 520 steps (IQR 360 to 640). Attack-labeled steps: $8\%$ to $15\%$ per card. Benign-only episodes: $25\%$ of validation, $25\%$ of test. Budgets used: $B_{\mathrm{avg}}\in \{0.8,1.3,2.0\}$; latency budget $B_{\mathrm{lat}}$: p95 $\le 3.0$ s (Table 5).

Table 5. Logging sources and normalized cost/latency used by the budget controller.

Source	Cost Unit ${\mathit{c}}_{\mathit{k}}$	p95 Latency [ms]
conn	0.10	0.8
dns	0.12	0.9
http	0.18	1.1
ssl	0.22	1.4
files	0.28	2.2
notice	0.06	0.4
proc	0.30	2.8
image	0.36	3.6
svc/reg	0.26	2.4
task	0.14	1.1
socket	0.11	0.9
All active (sum)	2.13	bounded by pipeline

We list the 12 cards used for generation and evaluation. Each card holds at least one motif at test time (Table 6). The generator models common enterprise topologies and timings. Industrial protocols and very long-range chains are beyond the scope of this version of the simulator. Source costs reflect our lab pipeline and may differ for other deployments.

Table 6. Overview of scenario cards. Dominant techniques are ATT&CK IDs used to define chains.

Card	Stage	Dominant Techniques (Examples)
E1	Execution	T1059 (command), T1204 (user exec)
E2	Execution	T1569 (service), T1106 (native API)
E3	Execution	T1218 (signed binary proxy)
C1	C2	T1105 (ingress tool), T1071.001 (web)
C2	C2	T1071.004 (DNS), T1573 (encrypted)
C3	C2	T1095 (non-app protocol)
L1	Lateral	T1021.001 (SMB/Windows Admin Shares)
L2	Lateral	T1021.004 (SSH), T1133 (external remote)
L3	Lateral	T1047 (WMI), T1570 (Lateral Tool Transfer)
X1	Exfiltration	T1041 (exfiltration over C2)
X2	Exfiltration	T1048.003 (exfil over alt protocol: SMTP)
X3	Exfiltration	T1567.002 (exfil to cloud storage)

5.1.2. CTKG Snapshot (Knowledge Graph for Decision Context)

An operational snapshot of a cyber threat knowledge graph is used as part of the agent state. The graph encodes tactics, techniques, software, CVE identifiers, CAPEC patterns, and their typed relationships. A multi-relational directed graph with entities and relationships is listed below (Table 7). The counts reflect the subset used and export time.

Table 7. CTKG composition. Counts refer to the exported subset used in this study.

Entity or Relation Type	Count
Tactics (ATT&CK)	14
Techniques (coarse)	180
Sub-techniques	360
Software/Tools	1200
CVE identifiers (linked)	950
CAPEC patterns	400
Vendors/Platforms (CPE families)	136
Prereq → Effect technique edges	4800
Technique ↔ Software edges	6500
Technique ↔ CVE edges	5900
Technique ↔ CAPEC edges	3700
Tactic → Technique edges	540
Total nodes	≈3240
Total edges	≈21,440

In step, t we consider a two-hop slice around the seeds inferred from telemetry. The slice includes tactics, techniques, software, and CVE nodes within radius $r=2$ with relation types prerequisite, effect, implements, exploits, and belongs_to. The slice is capped by the node budget and used by the graph encoder. We validate schema consistency, remove dangling IDs, and enforce acyclicity on causal edges that represent precondition → effect links. We log version hashes for each export and release verification scripts. The snapshot is a focused subset of the scenarios evaluated here. It does not aim to be complete. Edges that encode causality are supported by public CTI and curated rules. However, certain long-range effects are not included.

5.1.3. DARPA TCAD-Derived Alignment Set (Auxiliary)

An auxiliary set for sanity evaluations is conducted for simulation-to-real alignment. Though we do not train on TCAD, we use public program artifacts to derive distributions of inter-event timings, process tree shapes, and host roles that inform our scenario priors. Thereafter, we validate CTKG mappings on a small number of hand-mapped traces. Derived statistics and mapping are used as support features only. This set is used to verify that the simulator outputs produce Zeek-style records with similar field distributions for key sources such as conn, dns, http, and files. It also informs the causal edges used for preventability analysis. The coverage reflects a subset of enterprise roles and time windows (Table 8).

Table 8. Summary view across dataset cards.

Card	Modality	Primary Use	Zero-Day Holds
Sim-CTKG v1.0	Zeek logs + CTKG slices	Train, val, test	Yes (motif level)
CTKG v1.0	Multi-rel graph	Online state, explainability	n/a
DARPA TCAD	Derived stats	Alignment checks	n/a

5.2. Experimental Configuration

All reinforcement learning experiments use PPO with the hyperparameters summarized in Appendix A. Unless otherwise stated, we train for 1.2 M environment steps per seed with a batch size of 4096 transitions, a PPO clip ratio of 0.20, a discount factor $\gamma =0.99$, and  a GAE parameter $\lambda =0.95$. Budget constraints are enforced through dual variables ${\eta }_c$ and ${\eta }_{\ell }$, which are updated via projected subgradient steps. At each time step, the reward is modified as

$$r_t\leftarrow r_{\det }(y_t,{\widehat{y}}_t)-{\eta }_{c}C\left({\delta }_t\right)-{\eta }_{\ell }\mathbb{I}[\mathrm{lat}\left({\delta }_t\right)>B_{\mathrm{lat}}],$$

where $C\left({\delta }_t\right)$ denotes the sensing cost of the chosen telemetry subset and $B_{\mathrm{lat}}$ is the latency budget. We evaluate three main metrics: (i) AUROC@B (AUROC over episodes that satisfy both cost and latency budgets), (ii) time to detect (TTD), measured as the number of steps between the first adversarial action and the first alert, and  (iii) Expected Calibration Error (ECE), computed using a 10-bin calibration histogram. Budget adherence is reported as the percentage of evaluation episodes that satisfy both constraints.

We use three scenario cards with different tactic structures and holdout motifs. Card-A: Execution → Persistence → Lateral → Exfiltration with ${\mathcal{M}}_A=\left\{(\mathrm{T}1059,\mathrm{T}1105,\mathrm{T}1021)\right\}$. Card-B: Discovery → CredentialAccess → Lateral with ${\mathcal{M}}_B=\{(\mathrm{T}1087,\mathrm{T}1003),(\mathrm{T}1049,\mathrm{T}1021)\}$. Card-C: Command&Control → Collection → Exfiltration with ${\mathcal{M}}_C=\left\{(\mathrm{T}1105,\mathrm{T}1041)\right\}$. Training suppresses any chain that contains a held motif. Evaluation samples from the held motifs only.

Active sources include Zeek (conn, dns, http, ssl, files, notice), and host telemetry for process, image load, service or registry, scheduled task, and socket. Each source $s_i$ has profiled tuples $({\mathrm{cpu}}_i,{\mathrm{bytes}}_i,{\mathrm{delay}}_i)$ that are affine in instantaneous rate ${\widehat{r}}_{i,t}=\left|{\mathcal{E}}_{s_i,t}\right|/W$.

We evaluate three average cost budgets $B_{\mathrm{avg}}\in \{0.8,1.3,2.0\}$ (relative units) and a latency budget $B_{\mathrm{lat}}=\mathrm{p}95\left(L_t\right)\le 3.0\mathrm{s}$. All reported operating points satisfy both constraints.

Our policy uses cross-attention fusion of feature and CTKG encoders with joint heads for containment and logging. Baselines: Flat-RL (PPO on $x_t$ only), KG-noCausal (graph encoder without prerequisite or effect edges), Static-Full (all sources on), Static-Min (fixed minimal pack) (Table 9).

Table 9. Detection under cost and latency budgets.

Method	Budget ${\mathit{B}}_{\mathbf{avg}}$	AUROC@B	AUPRC@B	TTD@B
Sim-CTKG (ours)	0.8	$0.915\pm 0.011$	$0.882\pm 0.014$	$23.5\pm 2.0$
	1.3	$0.944\pm 0.010$	$0.915\pm 0.012$	$18.2\pm 1.8$
	2.0	$0.958\pm 0.008$	$0.931\pm 0.010$	$15.4\pm 1.5$
Flat-RL	0.8	$0.812\pm 0.017$	$0.746\pm 0.019$	$35.6\pm 2.9$
	1.3	$0.846\pm 0.015$	$0.781\pm 0.017$	$31.3\pm 2.7$
	2.0	$0.858\pm 0.014$	$0.794\pm 0.016$	$29.5\pm 2.6$
KG-noCausal	0.8	$0.863\pm 0.015$	$0.806\pm 0.017$	$30.2\pm 2.5$
	1.3	$0.886\pm 0.014$	$0.829\pm 0.016$	$27.0\pm 2.3$
	2.0	$0.897\pm 0.013$	$0.840\pm 0.015$	$25.6\pm 2.1$
Static-Full	0.8	violates average budget
	1.3	violates average budget
	2.0	$0.901\pm 0.012$	$0.843\pm 0.014$	$26.4\pm 2.1$
Static-Min	0.8	$0.733\pm 0.020$	$0.654\pm 0.022$	$44.0\pm 3.5$
	1.3	$0.742\pm 0.019$	$0.666\pm 0.021$	$42.7\pm 3.2$
	2.0	$0.748\pm 0.019$	$0.671\pm 0.020$	$41.8\pm 3.1$

Each card trains for $3\times {10}^6$ environment steps with early stopping on AUROC@budget on a validation split that excludes all motifs in $\mathcal{M}$. Evaluation uses $R=200$ held-out episodes per card. We report per-card and macro averages.

5.3. Primary Detection Under Budgets

The substantial reduction in Time to Detect (TTD) from 31.3 steps (Flat-RL) to 18.2 steps (Sim-CTKG) at $B_{avg}=1.3$ indicates that the agent is not merely detecting more but detecting earlier. By leveraging the CTKG structure, the policy identifies causal precursors (a specific process spawn) that predict future harm, allowing it to alert before the high-volume exfiltration phase begins. Crucially, the ‘Static-Full’ baseline fails to generate a valid score at lower budgets because it rigidly activates all sensors, violating the cost constraints immediately. This validates the necessity of the learning-based sensor selection.

Our policy gains $+7.7$ to $+14.6$ AUROC points over Flat-RL across budgets and halves TTD at moderate budgets. Static-Full meets budgets only at $2.0$. These gains are consistent across cards (Table 9).

5.4. Operating Characteristics at $B_{\mathrm{avg}}$ = 1.3

Beyond raw accuracy, the significant improvement in Expected Calibration Error (ECE) (0.028 vs. 0.071 for Flat-RL) suggests that the CTKG provides necessary semantic grounding. The Flat-RL baseline, lacking this grounding, tends to be overconfident on out-of-distribution inputs. Lower ECE implies that the Sim-CTKG agent’s confidence scores are more trustworthy proxies for actual threat probability, a critical requirement for automated response systems (Table 10).

Table 10. Operating characteristics at $B_{\mathrm{avg}}=1.3$, $B_{\mathrm{lat}}=3.0$ s. TPR at fixed FPR, precision at fixed recall, ECE.

Method	TPR@FPR = 1%	TPR@FPR = 2%	Prec@Rec = 0.9	TTD p50	ECE
Sim-CTKG (ours)	$0.67\pm 0.03$	$0.74\pm 0.03$	$0.88\pm 0.02$	16	$0.028\pm 0.006$
Flat-RL	$0.47\pm 0.04$	$0.55\pm 0.04$	$0.73\pm 0.03$	29	$0.071\pm 0.010$
KG-noCausal	$0.54\pm 0.04$	$0.62\pm 0.04$	$0.79\pm 0.03$	25	$0.053\pm 0.009$

Calibration improves with the CTKG and causal attachment, which reduces overconfidence at tight budgets (Figure 3).

Figure 3. Budget policy analysis. (a) Source Activation Rate Heatmap. (b) Data Volume vs. Budget analysis. (c) Latency Budget Compliance. (d) Source Importance Ranking.

5.5. Zero-Day Motif Generalization

The high performance ($AUROC>0.94$) on held-out motifs confirms that the agent is learning abstract causal dependencies rather than memorizing signature sequences. For example, in Card-B, the agent successfully detects the ‘Discovery → Credential Access’ chain even though it was trained without the specific (T1087, T1003) dyad (Table 11). This suggests the Graph Encoder successfully aggregates risk across the ‘Prerequisite’ edges, allowing the policy to infer the intent of the novel chain based on its structural similarity to known attacks (Figure 4).

Table 11. Zero-day evaluation on held motifs at $B_{\mathrm{avg}}=1.3$. AUROC and TTD per card with $R=200$ episodes each.

Method	Card–A AUROC/TTD	Card–B AUROC/TTD	Card–C AUROC/TTD
Sim-CTKG (ours)	$0.942\pm 0.012$/$18.9\pm 2.2$	$0.948\pm 0.011$/$17.6\pm 2.0$	$0.940\pm 0.013$/$18.1\pm 2.1$
Flat-RL	$0.842\pm 0.016$/$31.8\pm 2.8$	$0.853\pm 0.016$/$30.7\pm 2.6$	$0.845\pm 0.017$/$31.4\pm 2.7$
KG-noCausal	$0.884\pm 0.014$/$27.6\pm 2.5$	$0.889\pm 0.014$/$26.8\pm 2.3$	$0.882\pm 0.015$/$27.0\pm 2.4$

Figure 4. Zero-day motif generalization performance. (a) Zero-Day AUROC Performance. (b) Zero-Day TTD Performance.

Permutation tests stratified by card give $p<0.01$ for Sim-CTKG vs. both baselines on AUROC and TTD. Cohen’s d ranges from $0.86$ to $1.21$.

5.6. Logging Policy and Resource Use

The policy exhibits distinct economic behaviors across budget regimes. At the tight budget ($B_{avg}=0.8$), the agent relies heavily on low-cost, low-latency sources like ‘notice’ and ‘conn’ (0.62 activation). As the budget relaxes to 2.0, it does not simply turn everything on; instead, it selectively increases the usage of expensive, high-fidelity sources like ‘proc’ (Process Creation), effectively learning to ‘buy’ deeper introspection only when the initial low-cost signals warrant investigation (Table 12).

Table 12. Logging behavior by budget. Activation rate per source (fraction of steps where $a_{t,i}^{\log }=1$), average bytes per episode, and p95 latency.

Source	Metric	${\mathit{B}}_{\mathbf{avg}}=0.8$	${\mathit{B}}_{\mathbf{avg}}=1.3$	${\mathit{B}}_{\mathbf{avg}}=2.0$
conn	act. rate	$0.62\pm 0.06$	$0.78\pm 0.05$	$0.91\pm 0.04$
dns	act. rate	$0.58\pm 0.07$	$0.74\pm 0.06$	$0.88\pm 0.04$
http	act. rate	$0.31\pm 0.07$	$0.52\pm 0.06$	$0.73\pm 0.05$
ssl	act. rate	$0.27\pm 0.06$	$0.45\pm 0.06$	$0.68\pm 0.05$
files	act. rate	$0.18\pm 0.05$	$0.33\pm 0.05$	$0.51\pm 0.05$
notice	act. rate	$0.12\pm 0.04$	$0.22\pm 0.04$	$0.36\pm 0.04$
proc	act. rate	$0.24\pm 0.05$	$0.41\pm 0.05$	$0.63\pm 0.05$
image	act. rate	$0.16\pm 0.04$	$0.28\pm 0.04$	$0.46\pm 0.04$
svc/reg	act. rate	$0.11\pm 0.03$	$0.21\pm 0.04$	$0.35\pm 0.04$
task	act. rate	$0.09\pm 0.03$	$0.16\pm 0.03$	$0.27\pm 0.03$
socket	act. rate	$0.20\pm 0.05$	$0.36\pm 0.05$	$0.57\pm 0.05$
All sources	avg. MB/episode	$38.2\pm 3.6$	$64.7\pm 4.8$	$92.4\pm 6.1$
All sources	p95 latency [s]	$2.4\pm 0.2$	$2.6\pm 0.2$	$2.8\pm 0.2$

This policy prefers low-latency sources in tight budgets and activates high-latency channels near the pivotal windows. This selective stance maintains the p95 latency constraint (Figure 5).

Figure 5. Zero-day generalization: rewards vs. episodes.

5.7. Ablations on Novelty Pillars

The ablation of the ‘Sensor-budget head’ results in the steepest decline in TTD (worsening to 26.2 steps). This isolates the value of active sensing: the ability to dynamically toggle log sources is not just a cost-saving mechanism but a detection enhancer, as it allows the agent to reduce the signal-to-noise ratio by focusing on relevant telemetry channels (Table 13).

Table 13. Ablations at $B_{\mathrm{avg}}=1.3$. Removing any pillar degrades detection or earliness.

Variant	AUROC@B	AUPRC@B	TTD@B	TPR@FPR = 1%
Full model	$0.944\pm 0.010$	$0.915\pm 0.012$	$18.2\pm 1.8$	$0.67\pm 0.03$
– Generator constraints	$0.909\pm 0.013$	$0.875\pm 0.014$	$24.8\pm 2.2$	$0.58\pm 0.03$
– Sensor-budget head	$0.899\pm 0.014$	$0.863\pm 0.015$	$26.2\pm 2.3$	$0.56\pm 0.04$
– Causal CTKG	$0.905\pm 0.013$	$0.871\pm 0.014$	$25.3\pm 2.2$	$0.57\pm 0.04$

5.8. Robustness to Telemetry Shift

Notably, the system demonstrates resilience to CTI errors. When 25% of the prerequisite edges are randomly removed from the knowledge graph, performance degrades gracefully (<4% drops) (Table 14). This indicates that the R-GAT encoder learns to function as a ‘soft’ reasoner, utilizing the statistical correlations in the telemetry ($x_t$) to bridge gaps where the explicit knowledge graph ($G_t$) is incomplete (Figure 6).

Table 14. Robustness evaluation at $B_{\mathrm{avg}}=1.3$.

Condition	AUROC@B	AUPRC@B	TTD@B	p95 Latency [s]
Base	$0.944\pm 0.010$	$0.915\pm 0.012$	$18.2\pm 1.8$	$2.6\pm 0.2$
Background $+30\%$	$0.936\pm 0.011$	$0.904\pm 0.013$	$19.1\pm 1.9$	$2.6\pm 0.2$
Missing $20\%$ events	$0.927\pm 0.012$	$0.896\pm 0.013$	$20.4\pm 2.0$	$2.6\pm 0.2$
Clock skew $+250$ ms	$0.939\pm 0.011$	$0.907\pm 0.012$	$19.0\pm 1.9$	$2.7\pm 0.2$
Latency spike p95 + 0.5 s	$0.938\pm 0.011$	$0.905\pm 0.013$	$19.6\pm 1.9$	$3.1\pm 0.2$

Figure 6. Causal analysis. (a) Causal leverage analysis (b) Explanation robustness under shift.

Performance degrades under realistic shifts and remains within budget in all tested conditions. The exception is the forced latency spike, which approaches the latency limit as anticipated.

Because real-world CTI is often incomplete or noisy, we conducted a perturbation study on the CTKG rule set. We randomly removed 15%, 25%, and 35% of the prerequisite edges and added 10% spurious edges. For each perturbed graph, we retrained the detector under identical budgets and report AUROC@B, TTD, and counterfactual preventability. Results show that Sim-CTKG maintains robust performance for moderate noise levels: AUROC decreases by only 1.7% (15% edge removal) and 3.4% (25% removal), while TTD increases by 1.3–2.1 steps. Importantly, the ranking of the top five preventability techniques remained unchanged in 84% of test episodes. This indicates that our cross-attention fusion treats CTKG structure as a soft prior rather than a rigid rule set, enabling graceful degradation when CTI is incomplete.

5.9. Causal Accountability

The Counterfactual Preventability (CP) scores align with operational intuition (Table 15). The high CP for ‘C2 Handoff’ ($0.159$) identifies it as a critical choke point in the kill chain. Furthermore, the high Explanation Stability (XS = $0.71$) (Table 16) to Flat-RL ($0.32$) confirms that the Sim-CTKG agent consistently attributes alerts to the same root causes (nodes), even when the attack instantiation varies.

Table 15. Counterfactual Preventability $\widehat{\mathrm{CP}}\left(S\right)$ at $B_{\mathrm{avg}}=1.3$ for common mid-chain levers. Higher is better.

Technique Set S	Description	$\widehat{\mathbf{CP}}\left(\mathit{S}\right)$
$\left\{\mathrm{T}1105\right\}$	C2 channel establishment	$0.121\pm 0.017$
$\left\{\mathrm{T}1021\right\}$	Lateral remote services	$0.087\pm 0.015$
$\{\mathrm{T}1059,\mathrm{T}1105\}$	Exec → C2 handoff	$0.159\pm 0.019$
$\left\{\mathrm{T}1003\right\}$	Credential dumping	$0.102\pm 0.016$

Table 16. Explanation Stability $\mathrm{XS}$ (Jaccard overlap of important CTKG subgraphs) at matched operating points.

Condition	Within-Card Resample	Across Held-Out Motifs
Sim-CTKG (ours)	$0.71\pm 0.04$	$0.66\pm 0.05$
KG-noCausal	$0.49\pm 0.05$	$0.41\pm 0.06$
Flat-RL	$0.32\pm 0.06$	$0.28\pm 0.06$

The causal engine assigns the highest preventability to C2 establishment and the Execution to C2 handoff, which aligns with known leverage points.

5.10. Throughput and Overhead

The provenance signing overhead ($0.3$ ms) is two orders of magnitude lower than the detection latency, confirming that cryptographic accountability can be enforced in real time without compromising throughput. We log each module artifact concerning latency and overhead (Table 17). Through the provenance manifest logging, we ascertain that the overhead of the proposed framework is small relative to telemetry and inference (Table 18).

Table 17. Per-step runtime breakdown (mean ± std) at $B_{\mathrm{avg}}=1.3$ over all cards.

Component	Latency [ms]	Notes
Featurizer	$0.7\pm 0.1$	rolling sketches and aggregates
Graph encoder	$2.3\pm 0.3$	$L_g=3$, $H=4$, $d_{\mathrm{hid}}=128$
Policy heads	$0.6\pm 0.1$	fused MLP projections
Causal update	$0.3\pm 0.1$	local structural variables
Signing (if emitted)	$0.3\pm 0.1$	SHA-256 + Ed25519
Total (no artifact)	$3.9\pm 0.4$	end-to-end step time
Total (with artifact)	$4.2\pm 0.4$	includes signing

Table 18. Provenance manifest size and verification latency.

Artifact	Manifest Size [kB]	Sign Latency [ms]	Verify Latency [ms]
Alert only	$6.2\pm 0.5$	$0.28\pm 0.03$	$0.41\pm 0.05$
Alert + explanation vector	$9.8\pm 0.6$	$0.31\pm 0.04$	$0.46\pm 0.06$
Alert + highlighted subgraph	$12.4\pm 0.8$	$0.34\pm 0.05$	$0.52\pm 0.06$

5.11. Summary

The defender achieves strong detection under sensor and latency budgets, generalizes to eliminate the motifs, and yields stable, causal explanations. Selective logging is essential in tight budgets, and the provenance overhead is small. Ablations reveal that the generator constraints, sensor-budget control, and causal CTKG are all necessary for the observed gains. An adversarial setting test was conducted with the full defender model. It performed significantly above the benchmark value. The observed operating characteristics match the design of the methodology and validate each component in the pipeline.

6. Extended Analyses

6.1. Pareto Fronts Under Budget Constraints

We visualized the trade-off between detection and resource use using two fronts: TPR at 1% FPR vs. average cost, and Time to Detect vs. average cost. Points correspond to the three budgets evaluated ($B_{\mathrm{avg}}\in \{0.8,1.3,2.0\}$) with the p95 latency constraint satisfied. Our method is positioned on or above the frontier relative to the baselines (Figure 7 and Figure 8).

Figure 7. TPR vs. average cost. Higher is better.

Figure 8. Pareto front: TTD vs. average cost. Lower is better.

6.2. Per-Technique and Stage-Wise Efficacy

We compute the median TTD by stage with bootstrap confidence intervals at $B_{\mathrm{avg}}=1.3$, $B_{\mathrm{lat}}=3.0$ s. The earlier detection at the execution and C2 stages verifies that the CTKG and causal attachment help identify pivotal transitions (Table 19).

Table 19. Stage-wise median TTD (steps) at $B_{\mathrm{avg}}=1.3$. Lower is better.

Method	Exec (T1059)	C2 (T1105)	Lateral (T1021)	Exfil (T1041)
Sim-CTKG (ours)	$12[10,14]$	$14[12,16]$	$17[15,20]$	$19[17,21]$
KG-noCausal	$16[14,18]$	$19[17,21]$	$23[21,26]$	$26[24,29]$
Flat-RL	$19[17,22]$	$22[20,25]$	$27[24,30]$	$31[28,34]$

6.3. Training Stability and Convergence

To characterize the convergence properties of our constrained RL formulation, we trained the detector with 10 different random seeds and report the mean ± 95% confidence intervals of cumulative return. Figure 9 shows that, despite the presence of discrete sensing actions and dual-variable updates, training exhibits smooth and monotonic convergence with no mode collapse or oscillatory instability.

Figure 9. Training stability plot.

We further monitored the dual variables ${\eta }_c$ and ${\eta }_{\ell }$, which enforce the average-cost and latency constraints. As shown in Figure 10, both variables quickly stabilize around feasible values and oscillate within a narrow bounded region after approximately 100 k environment steps. This behavior is consistent with the convergence properties of standard primal–dual optimization methods, indicating that the cost constraints are neither overly loose nor excessively active. Variance across seeds is also low: AUROC@B varies by $\pm 1.2\%$, TTD varies by $1.9$ steps, and budget adherence varies by $2.3\%$. These results confirm that the learning dynamics are stable and reproducible across different initializations (Table 20).

Figure 10. Cost/Latency constraint convergence analysis.

Table 20. Performance comparison across all baseline methods.

Method	AUROC@B	TTD (Steps)	ECE	Budget Adherence (%)
Fixed-Source (FS)	$0.842\pm 0.006$	$11.3\pm 0.8$	$0.091\pm 0.012$	$12.4$
Random-Sampling (RS)	$0.731\pm 0.010$	$15.8\pm 1.7$	$0.142\pm 0.015$	$48.2$
Static Budgeted (SB)	$0.801\pm 0.008$	$13.9\pm 1.1$	$0.104\pm 0.011$	$100.0$
CTI-only (CTKG-Struct)	$0.868\pm 0.009$	$10.4\pm 0.6$	$0.076\pm 0.009$	$100.0$
RL w/o CTKG	$0.882\pm 0.007$	$9.7\pm 0.6$	$0.062\pm 0.010$	$100.0$
RL w/o Cross-Attention	$0.891\pm 0.006$	$9.4\pm 0.5$	$0.058\pm 0.007$	$100.0$
Sim-CTKG (Ours)	$0.934\pm 0.004$	$7.8\pm 0.4$	$0.031\pm 0.006$	$100.0$

6.4. Calibration and Reliability

We report the calibration using the Expected Calibration Error (ECE), Brier score, and negative log-likelihood (NLL) for the validation split and verified similar trends on test (Table 21).

Table 21. Calibration metrics at $B_{\mathrm{avg}}=1.3$. Lower is better.

Method	ECE	Brier	NLL
Sim-CTKG (ours)	$0.028\pm 0.006$	$0.082\pm 0.008$	$0.39\pm 0.04$
KG-noCausal	$0.053\pm 0.009$	$0.104\pm 0.010$	$0.51\pm 0.05$
Flat-RL	$0.071\pm 0.010$	$0.121\pm 0.011$	$0.63\pm 0.06$

6.5. Seed Stability

We trained 10 seeds per card and report the macro-averages and standard deviations. The variance was low. This was consistent with the block-bootstrap CIs reported earlier. The causal conclusions drawn from preventability and explanation stability must be interpreted within the limits of the structural model. Our analysis reflects how interventions change outcomes in the learned SCM, given the CTKG-derived graph structure, rather than an exhaustive account of all possible real-world pathways. Nevertheless, we observe that high-preventability techniques remain stable under perturbations of the CTKG and across random seeds, suggesting that the SCM captures robust patterns that are useful for operational decision-making (Table 22).

Table 22. Seed stability over 10 runs.

Budget	AUROC@B	AUPRC@B	TTD@B	TPR@1% FPR
$B_{\mathrm{avg}}=0.8$	$0.915\pm 0.008$	$0.882\pm 0.010$	$23.5\pm 1.3$	$0.61\pm 0.02$
$B_{\mathrm{avg}}=1.3$	$0.944\pm 0.007$	$0.915\pm 0.009$	$18.2\pm 1.1$	$0.67\pm 0.02$
$B_{\mathrm{avg}}=2.0$	$0.958\pm 0.006$	$0.931\pm 0.008$	$15.4\pm 1.0$	$0.72\pm 0.02$

6.6. Computational Parity and Throughput

We ensure computation impartiality by reporting parameters, approximate FLOPs per step, and wall-clock latency. Sim-CTKG requires marginally more computation than Flat-RL because of the graph encoder. However, it still maintains per-step latency under 5ms and provides a stronger detection rate at equal or lower cost (Table 23).

Table 23. Throughput parity at $B_{\mathrm{avg}}=1.3$. FLOPs are approximate per-step forward ops.

Method	Params [M]	FLOPs/Step [M]	Latency/Step [ms]
Sim-CTKG (ours)	7.8	62	$3.9\pm 0.4$
KG-noCausal	6.2	49	$3.2\pm 0.3$
Flat-RL	5.1	36	$2.7\pm 0.3$

For completeness, the provenance pipeline adds $0.3\pm 0.1$ ms when an artifact is emitted. Verification (offline) requires $0.41$–$0.52$ ms per manifest. Provenance does not contribute directly to the numerical performance metrics, but it ensures that the detection, generalization, and budget-adherence claims in Section 5 and Section 7 remain verifiable and reproducible, which is crucial in safety-critical security applications.

6.7. Pairwise Significance at the Main Operating Point

We report stratified permutation tests at $B_{\mathrm{avg}}=1.3$ with Benjamini–Hochberg correction across endpoints. Sim-CTKG is significant compared with all the baselines at $p<0.01$ (Table 24).

Table 24. Pairwise tests at $B_{\mathrm{avg}}=1.3$ (stratified by card).

Comparison	AUROC@B p	TTD@B p	Cohen’s d (AUROC)	Cohen’s d (TTD)
Ours vs. Flat-RL	<0.001	<0.001	1.12	1.28
Ours vs. KG-noCausal	<0.001	<0.001	0.94	1.03
KG-noCausal vs. Flat-RL	0.004	0.006	0.52	0.61

6.8. Isolation of Cost, Causality, and Provenance Effects

To isolate the contribution of individual components, we conducted controlled experiments where cost constraints, causal reasoning, and provenance were independently disabled. For cost, we compare three regimes: (1) no sensing budgets (all sources always enabled), (2) a static budget where a fixed subset of sources is preselected, and (3) dynamic budgeted RL with dual variables. Dynamic sensing consistently reduces telemetry volume by 40–47% relative to static selection while maintaining a 5–7% AUROC advantage, showing that cost-aware policies learn to prioritize high-value sources.

For causality, we compare RL without CTKG, RL with CTKG but no SCM, and the full CTKG+SCM configuration. Removing CTKG increases mean Time to Detect and degrades AUROC; adding CTKG without SCM improves structural awareness but yields less stable preventability estimates. The full causal engine improves explanation stability and preserves high-preventability techniques across seeds. Provenance does not affect these metrics directly, but it ensures that the generalization results and budget-adherence claims can be audited and reproduced, particularly in motif-holdout evaluations. This isolation of cost, causality, and provenance is one of the key novelties of Sim-CTKG compared to existing cyber-defense simulators and RL-based detectors.

6.9. Implications for Cyber-Defense System Design

The empirical results have several implications for the design of next-generation cyber-defense systems. First, the strong performance of Sim-CTKG under strict sensing budgets suggests that future SOC pipelines can benefit from adaptive telemetry activation instead of static logging policies. The CTKG-enhanced fusion module shows that relational knowledge can guide policies toward high-value sources, reducing unnecessary overhead while preserving detection quality. Second, preventability analysis identifies attack stages where early disruption yields disproportionate reductions in attacker success, providing actionable guidance for prioritizing detection rules and hardening efforts.

6.10. Practical Deployment Considerations

Several practical factors influence how the framework can be adopted in real environments. CTKG construction depends on the availability of host and network telemetry; organizations with fragmented pipelines may need to bootstrap the graph using historical incidents or curated CTI feeds. At inference time, the sensing policy introduces modest overhead, since CTKG slice extraction operates on bounded neighborhoods. However, latency budgets must be calibrated to the specific deployment environment, and noisy latency distributions in cloud-native settings may require online budget adaptation. Provenance manifests integrate with SIEM/EDR systems by providing verifiable records of alerts, CTKG snapshots, and model versions.

6.11. Limitations

The CTKG structure is derived from curated CTI and simulation traces and does not capture all real-world adversarial behaviors. The structural causal model is an approximation learned from observational data, so preventability and explanation stability should be interpreted as model-based diagnostics, not absolute ground truth. Simulator realism, although improved compared to prior work, still abstracts away kernel-level details and intra-host lateral movements. Finally, budget-constrained RL assumes reasonably stable latency profiles.

7. Ablation Study

We perform a thorough ablation to isolate the contribution of each component, stress-test design choices, and compare against strong recent alternatives under the same zero-day motif holds and the same cost/latency budgets. Unless noted, results are for $B_{\mathrm{avg}}=1.3$ and $B_{\mathrm{lat}}$ = p95 $\le 3.0$ s with $R=200$ episodes per card and block-bootstrap $95\%$ confidence intervals.

7.1. Core Components

We remove one pillar at a time from the full system. The cross-attentive fusion over $(x_t,G_t)$, the causal CTKG attachment, and the sensor-budget head each contribute materially to detection and earliness, with improved calibration at the same operating point (Table 25).

Table 25. Core component ablations at $B_{\mathrm{avg}}=1.3$. AUROC/AUPRC are at budget.

Variant	AUROC@B	AUPRC@B	TTD@B	TPR@1%FPR	ECE
Full model (ours)	$0.944\pm 0.010$	$0.915\pm 0.012$	$18.2\pm 1.8$	$0.67\pm 0.03$	$0.028\pm 0.006$
>Generator constraints	$0.909\pm 0.013$	$0.875\pm 0.014$	$24.8\pm 2.2$	$0.58\pm 0.03$	$0.041\pm 0.007$
>Sensor-budget head	$0.899\pm 0.014$	$0.863\pm 0.015$	$26.2\pm 2.3$	$0.56\pm 0.04$	$0.046\pm 0.008$
>Causal CTKG	$0.905\pm 0.013$	$0.871\pm 0.014$	$25.3\pm 2.2$	$0.57\pm 0.04$	$0.043\pm 0.008$
Cross-attn → Concat	$0.914\pm 0.012$	$0.886\pm 0.013$	$22.1\pm 2.0$	$0.61\pm 0.03$	$0.036\pm 0.007$
Cross-attn → FiLM	$0.923\pm 0.011$	$0.896\pm 0.013$	$20.7\pm 2.0$	$0.63\pm 0.03$	$0.033\pm 0.007$

7.2. Fusion and CTKG Scope Sensitivity

We vary the CTKG slice hop radius r, the relation-aware layers $L_g$, and the attention heads H. We observe that larger slices and deeper stacks improve detection, but at the same time, they increase latency. Our default ($r=2,L_g=3,H=4$) sits on the knee of the curve (Table 26) (Figure 11).

Table 26. Sensitivity to CTKG scope and encoder depth at $B_{\mathrm{avg}}=1.3$. Latency is per step forward time for the graph encoder.

Config $(\mathit{r},{\mathit{L}}_{\mathit{g}},\mathit{H})$	AUROC@B	AUPRC@B	TTD@B	Graph Latency [ms]
(1, 2, 2)	$0.926\pm 0.011$	$0.893\pm 0.013$	$20.9\pm 1.9$	$1.4\pm 0.2$
(2, 3, 4) (default)	$0.944\pm 0.010$	$0.915\pm 0.012$	$18.2\pm 1.8$	$2.3\pm 0.3$
(3, 4, 6)	$0.949\pm 0.010$	$0.919\pm 0.011$	$17.7\pm 1.8$	$3.5\pm 0.4$
(4, 4, 8)	$0.951\pm 0.010$	$0.921\pm 0.011$	$17.6\pm 1.8$	$4.8\pm 0.5$

Figure 11. Core component and budget analysis. (a) AUROC performance. (b) Detection time performance.

7.3. Budget Sweep and Operating Slices

We report the full model and key ablations across budgets and operating slices at low FPR. Selective logging interacts strongly with the budget; without the budget head, TTD and calibration degrade even when AUROC is similar (Table 27).

Table 27. Budget sweep. Mean ± 95% CI across cards.

Method	${\mathit{B}}_{\mathbf{avg}}$	AUROC@B	TTD@B	TPR@1%FPR
Full model (ours)	0.8	$0.915\pm 0.011$	$23.5\pm 2.0$	$0.61\pm 0.03$
	1.3	$0.944\pm 0.010$	$18.2\pm 1.8$	$0.67\pm 0.03$
	2.0	$0.958\pm 0.008$	$15.4\pm 1.5$	$0.72\pm 0.03$
>Sensor-budget head	0.8	$0.883\pm 0.014$	$28.9\pm 2.5$	$0.53\pm 0.04$
	1.3	$0.899\pm 0.014$	$26.2\pm 2.3$	$0.56\pm 0.04$
	2.0	$0.914\pm 0.012$	$23.8\pm 2.2$	$0.60\pm 0.03$
>Causal CTKG	0.8	$0.894\pm 0.013$	$27.6\pm 2.4$	$0.55\pm 0.04$
	1.3	$0.905\pm 0.013$	$25.3\pm 2.2$	$0.57\pm 0.04$
	2.0	$0.919\pm 0.012$	$22.9\pm 2.1$	$0.61\pm 0.03$

7.4. Comparisons to Recent Alternatives

We include strong non-RL detectors and advanced RL baselines trained under the same splits and tuned with equal hyper-parameter budgets. All numbers respect the same cost and latency constraints. Where a method cannot meet the budget, the cell is marked (Table 28).

Table 28. Non-RL detectors at $B_{\mathrm{avg}}=1.3$.

Method	AUROC@B	AUPRC@B	TTD@B	ECE
Sim-CTKG (ours)	$0.944\pm 0.010$	$0.915\pm 0.012$	$18.2\pm 1.8$	$0.028\pm 0.006$
T-Transformer ($x_t$ only)	$0.902\pm 0.012$	$0.855\pm 0.014$	$24.3\pm 2.1$	$0.051\pm 0.008$
TCN-Detector ($x_t$ only)	$0.887\pm 0.013$	$0.838\pm 0.015$	$26.0\pm 2.3$	$0.058\pm 0.009$
RelGAT-only ($G_t$ only)	$0.868\pm 0.014$	$0.814\pm 0.016$	$27.8\pm 2.4$	$0.063\pm 0.010$
MoE-Selector + Static heads	$0.891\pm 0.013$	$0.844\pm 0.015$	$25.6\pm 2.2$	$0.055\pm 0.008$

TCN-Detector is a temporal convolutional model on $x_t$; T-Transformer is a telemetry-only transformer on $x_t$; RelGAT-only uses the CTKG slice without telemetry; MoE-Selector uses a mixture-of-experts with a heuristic source selector (Figure 12).

Figure 12. Attacker vs. Defender dynamics across attack scenarios.

Flat-RL is PPO on $x_t$; KG-noCausal is PPO with graph encoder but without prerequisite/effect edges; InfoBottleneck-RL adds an information bottleneck on $x_t$; Heuristic-RL uses a scripted log selector with PPO containment (Table 29).

Table 29. RL baselines at $B_{\mathrm{avg}}=1.3$.

Method	AUROC@B	AUPRC@B	TTD@B	TPR@1%FPR
Sim-CTKG (ours)	$0.944\pm 0.010$	$0.915\pm 0.012$	$18.2\pm 1.8$	$0.67\pm 0.03$
Flat-RL ($x_t$)	$0.846\pm 0.015$	$0.781\pm 0.017$	$31.3\pm 2.7$	$0.47\pm 0.04$
KG-noCausal	$0.886\pm 0.014$	$0.829\pm 0.016$	$27.0\pm 2.3$	$0.54\pm 0.04$
InfoBottleneck-RL	$0.904\pm 0.013$	$0.851\pm 0.015$	$24.9\pm 2.2$	$0.57\pm 0.04$
Heuristic-RL (selector)	$0.878\pm 0.014$	$0.822\pm 0.016$	$28.3\pm 2.4$	$0.52\pm 0.04$

7.5. Robustness Under Telemetry Shift

We perturb background intensity, drop events uniformly at random, add clock skew, and induce latency spikes. We report the relative AUROC change and the TTD increase (Table 30). Our policy degrades gracefully and retains budget adherence.

Table 30. Robustness at $B_{\mathrm{avg}}=1.3$: relative AUROC drop (negative is worse) and $\Delta$TTD in steps.

Condition	Ours	KG-noCausal	Flat-RL	T-Transformer
Background $+30\%$	$-0.8\%$, $+0.9$	$-2.4\%$, $+2.6$	$-3.6\%$, $+3.8$	$-3.1\%$, $+3.2$
Missing $20\%$ events	$-1.8\%$, $+2.2$	$-4.3\%$, $+3.9$	$-5.7\%$, $+5.4$	$-4.9\%$, $+4.8$
Clock skew $+250$ ms	$-0.5\%$, $+0.8$	$-1.6\%$, $+1.9$	$-2.1\%$, $+2.3$	$-1.9\%$, $+2.0$
Latency spike p95 + 0.5 s	$-0.6\%$, $+1.4$	$-2.0\%$, $+2.7$	$-3.0\%$, $+3.5$	$-2.6\%$, $+3.0$

To evaluate robustness with respect to inaccuracies in curated CTI, we perturb the CTKG by randomly removing 15–25% of prerequisite edges and adding 10% spurious dges. Across these conditions, AUROC decreases by only 1.7–3.4% and the mean time to detect increases by 1–2 steps compared to the unperturbed CTKG, indicating that Sim-CTKG is not brittle with respect to moderate rule noise or incompleteness.

7.6. Compute Parity

We report parameter counts, approximate FLOPs per step, and measured per-step latency. The graph encoder adds cost, but the total latency remains under 5 ms. Compute-normalized comparisons still favor our policy under budgets (Table 31).

Table 31. Compute parity at $B_{\mathrm{avg}}=1.3$. FLOPs are approximate forward ops per step.

Method	Params [M]	FLOPs/Step [M]	Latency/Step [ms]
Sim-CTKG (ours)	$7.8$	62	$3.9\pm 0.4$
KG-noCausal	$6.2$	49	$3.2\pm 0.3$
T-Transformer	$8.1$	58	$3.5\pm 0.3$
Flat-RL	$5.1$	36	$2.7\pm 0.3$
RelGAT-only	$4.6$	31	$2.4\pm 0.3$

7.7. Fairness Protocol and Significance

All external baselines train on the same training split with motif suppression, use the same early stopping rule, and are tuned with the same hyper-parameter budget. We cap wall-clock and batch sizes for parity and report only operating points that satisfy both budgets. Pairwise stratified permutation tests at $B_{\mathrm{avg}}=1.3$ remain significant at $p<0.01$ (Benjamini–Hochberg) for AUROC@B and TTD@B when comparing the full model to each baseline. Effect sizes range from $d=0.9$ to $1.3$ for AUROC and from $d=1.0$ to $1.3$ for TTD.

7.8. Adversarial Scenario

The competitive dynamics between attacker and defender agents across six distinct attack scenarios are presented in Figure 12. It demonstrates the superior performance of our Sim-CTKG framework. The visualizations reveal that our model consistently outperforms baseline methods (KG-noCausal, Flat-RL, Static-Full, Heuristic-RL) by maintaining a defensive advantage even under critical attack conditions. Blue lines represent the proposed model’s defender agents, while red lines depict the corresponding attacker performance. Green-shaded regions indicate defender advantage zones, with Sim-CTKG expanding these zones significantly during critical attack scenarios, whereas other models fail to maintain effective defense. The results demonstrate our proposed model’s robustness in adversarial learning environments, achieving 1.4 times performance in critical scenarios compared to 0.6–0.9 times for competing approaches. This emphasizes the key findings: our proposed model’s novelty, consistent performance across scenarios, effectiveness in critical attacks, and clear demonstration of defensive advantage.

To ensure that the performance improvements of Sim-CTKG are not artifacts of hyperparameter tuning, we conducted a controlled sensitivity analysis. We varied (i) the PPO learning rate by $\pm 2\times$, (ii) the dual-update step size $\rho \in \{0.5\times ,1\times ,2\times \}$, (iii) the CTKG hidden dimension by $\pm 50\%$, and (iv) the sensing penalty ${\lambda }_c$ by $\pm 0.2$. Across all settings, Sim-CTKG retained a consistent margin over the strongest baseline. For example, under a doubled learning rate, AUROC decreased by only $0.013$, while the relative improvement over the strongest baseline remained $0.051$. Disabling cross-attention or removing the CTKG slice, however, caused large degradations ($-0.074$ AUROC, $+7.3$ TTD), confirming that the observed gains stem from the architectural components rather than favorable tuning.

8. Conclusions and Future Work

This work introduced Sim-CTKG, a research-grade cyber-defense environment designed to study the interplay between cost-aware sensing, causal structure, and provenance in reinforcement-learning-based intrusion detection. Our results show that structured knowledge and budget constraints can significantly reduce telemetry usage while maintaining high detection performance and that causal preventability analysis provides actionable insights into high-leverage stages of the attack chain.

Several concrete research directions follow from this work. First, model-based or long-horizon RL algorithms could improve the agent’s ability to anticipate future attack stages and plan proactive mitigations rather than reacting myopically. Second, integrating online CTKG learning with live SOC telemetry would allow the causal structure to adapt to emerging techniques and organization-specific behaviors. Third, adaptive budget allocation strategies could incorporate asset criticality and uncertainty estimates, dynamically shifting sensing resources toward the most valuable or at-risk components.

Extending Sim-CTKG to different cyber-threat domains is an important direction. Cloud-native attack paths, such as privilege escalation through misconfigured IAM roles or serverless functions, require CTKG schemas that capture identity, configuration, and control-plane events. ICS/SCADA environments introduce physical process variables and strict real-time constraints, necessitating domain-specific causal models and latency budgets. Identity-centric attacks (Kerberos or OAuth abuse) and IoT/5G deployments would also require tailored telemetry models and CTKG node types.

The CTKG is derived from curated CTI and simulated traces and therefore may omit rare or novel adversarial patterns. The structural causal model is an approximation learned from observation and cannot capture all real-world causal pathways. Simulator realism, while improved over prior work, still abstracts away low-level kernel and microarchitectural details. Finally, the budget-constrained RL formulation assumes that latency distributions are reasonably stable over time.

Future work will focus on data-driven refinement of CTKG structure, incorporating real EDR/NDR logs into the SCM learning process, and performing hardware-in-the-loop or shadow deployments to close the sim-to-real gap. We also plan to explore federated or multi-tenant versions of Sim-CTKG, enabling organizations to share causal knowledge and budgeted sensing strategies without exposing raw telemetry. These extensions will help overcome current limitations and move closer to deployable, trustworthy, and adaptable causal RL systems for cyber-defense.