System and method for identifying, assessing and remedying cyberthreats
The system automates cybersecurity assessments by analyzing organizational documents and representing postures as vectors, addressing the challenge of resource constraints and improving risk understanding and decision-making.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- HOGG JASON JUDE
- Filing Date
- 2026-01-07
- Publication Date
- 2026-07-16
AI Technical Summary
Organizations face challenges in determining their cybersecurity posture and risk levels with limited human resources and budget, and existing tools require labor-intensive manual input for assessments, making it difficult to understand and address cybersecurity risks effectively.
A system that uses artificial intelligence to automate the cybersecurity assessment process by analyzing organizational documents and representing cybersecurity postures as vectors, enabling K-nearest neighbor searches to identify risk levels and recommend remedial actions.
Provides objective and understandable risk assessments and recommended improvements, reducing the burden on cybersecurity staff and enabling informed decision-making on cybersecurity investments.
Smart Images

Figure US2026010480_16072026_PF_FP_ABST
Abstract
Description
SYSTEM AND METHOD FOR IDENTIFYING, ASSESSING AND REMEDYING CYBERTHREATSCross-Reference to Related Application
[0001] This application claims the benefit of and priority to U.S. Provisional Patent Application No. 63 / 743,148, filed January 8, 2025, the disclosure of which is incorporated herein by reference in its entirety.Background
[0002] Cyberattacks are a growing problem. As technologies both proliferate into more hands and evolve into new products and forms, attack vectors and attack surfaces multiply. This leads to an expansion of opportunities for malicious actors to launch cyberattacks and exploit vulnerabilities. Moreover, as industrial applications of technology expand, the aggregate volume of money that is contingent upon the proper security of cyber systems continues to expand - meaning there is ever more riding upon their security. In 2024, the year of filing of this document, it is estimated that cybersecurity events (cybercrime) will have a collective cost of $9.2 trillion United States Dollars. This cost is expected to grow at a compounded annual growth rate of 14%, reaching $15.6 trillion United States Dollars by the year 2029. The stakes surrounding cybersecurity are escalating.
[0003] New technologies not only expand attack vectors and surfaces, they expand the realm of potential protective measures that an organization's information, cyber and technology security staff must contemplate. Most organizations must deploy reasonable and effective cybersecurity measures within a budget measured in terms of financial outlay and a finite human capacity for attention, management and comprehension. Every conceivable security measure cannot be contemplated, let alone put in place. Moreover, it is difficult for such cybersecurity staffs to understand the risk they face in objective terms, and to determine which particular measures are worthy of their pursuit.
[0004] There exists a need for a tool that determines an organization's existing cybersecurity posture, with minimal imposition upon the organization's cyber security staff, such as by minimizing the need for such staff to manually answer cybersecurity-related questions in service of a cybersecurity assessment. Such a task is oftentimes labor-intensive, and asdiscussed previously, cybersecurity staffs often have limited personnel. Further, there exists the need for a tool to express the risk of the organization remaining in its present security posture in objective and easily understandable terms. Still further, there exists a need for a tool that identifies the particular changes in security posture that an organization should take - and does so in a way that is defendable in objective terms.Summary
[0005] This disclosure generally relates to the field of cyberthreat assessment, and more particularly to a system, such as a web-accessible system, for identifying the cybersecurity posture of an organization, optionally employing artificial intelligence techniques to automate some or all of a question-answering process related to the aforementioned cybersecurity-posture-identification process, and optionally employing artificial intelligence techniques for assessing risks and threats associated with such posture and recommending certain remediations to improve such posture.
[0006] Herein is disclosed a system for receiving and processing documents, such as multimodal documents, in order to use such documents as a base of knowledge, and on the basis of such documents, calculate answers to a set of questions related to a particular organization's cybersecurity state of affairs. According to some embodiments, the answer set may be represented as a vector or a plurality of vectors, and such vector or vectors may be used as a search vector to locate a quantity of K-nearest neighboring vectors (representing the answers of other organizations to such set of questions), and on the basis of those nearest neighboring vectors and other information associated with them, determine the cybersecurity risk associated with the aforementioned answer set. According to some embodiments, cybersecurity risk levels determined on the basis of a K-nearest neighbor search may be used to train a model to relate answers to the aforementioned set of questions to a modeled risk score. According to some embodiments, a risk score determined on the basis of a K-nearest neighbor query subjected to a filtering process, wherein the distance between the vector that served as the basis of the query and the population of returned vectors is determined, and if the distance exceeds a threshold, then the modeled risk is used to represent cybersecurity risk, instead of the risk level determined from the K-nearest neighbor approach. According to some embodiments, an answer may besubjected to a sensitivity analysis (using the aforementioned model associating answers to a risk level), in order to determine efficient remedial actions.Brief Description of the Drawings
[0007] Figures 1, 2A and 2B depict exemplary embodiments of a cybersecurity system, in accordance with certain embodiments.
[0008] Figure 3 depicts an exemplary embodiment of a system for interpreting multimodal data and establishing a vector database for use by a retrieval augmented generative system, in accordance with certain embodiments.
[0009] Figure 4 depicts an exemplary embodiment of a question-answering system, in accordance with certain embodiments.
[0010] Figures 5-10 depict exemplary screens that may be used in association with a user interface of a cybersecurity system, in accordance with certain embodiments.Detailed Description
[0011] Figure 1 depicts a cybersecurity system 100. According to some embodiments, the system 100 may be web-accessible, so that its users may access it via a web browser, and make use of its various capabilities (discussed below) via its user interfaces (also discussed below). The system 100 may be constituted of various units of software, certain embodiments of which are discussed below, and these units of software may execute on one or more computing platforms or servers operating cooperatively and in communication with one another via a network, such as servers within a server farm or cloud computing platform (example: AMAZON WEB SERVICES®).
[0012] The system 100 may be used by employees of an organization to establish their organization's cybersecurity posture, understand the risks associated with such posture and learn of recommended remedies that are calculated to best improve their posture. For example, the system 100 may be used by individuals within the cybersecurity staffs of small and medium sized businesses, although the system 100 is usable by and of value to organizations in any field and of any size.
[0013] The system 100 may be used by an organization in the wake of a cybersecurity event (example: the occurrence of a cybercrime may spur the use of the system 100). The system 100 may also be used as a matter of routine course (example: an organization may procure an annual subscription that permits personnel from the aforementioned organization to access and use the system 100). The system 100 may initially be used as the result of a cybersecurity event having occurred, and in the wake of such use, the organization may use the system 100 as a matter of routine course (e.g., may thereafter subscribe to permit regular use of the system 100).
[0014] The system 100 uses data from an organization to define the organization's cybersecurity posture. For example, the system 100 may ingest data in the form of a questionnaire constituted of a plurality of questions that may be organized into sections by "control areas." A control area is an aspect or realm of informational or physical or operational or computational security or resilience. Examples of control areas: data security; network security; third party security; physical security; business resilience; endpoint and systems security; application security; remote work security. For each control area, the questionnaire may contain a plurality of questions pertaining thereto. Consider the control area of network security. Questions pertaining to such control area may include the following (which are exemplary in nature; an actual questionnaire would contain many more such questions):Do you employ firewalls as network defense tools?YesNoDo you employ an intrusion prevention system as a network defense tool?YesNoDo you engage a third party to conduct external network penetration testing annually?A. An internal team performs such testing at least annuallyB. An internal team performs such testing, but less frequently than annually C. An external team performs such testing at least annuallyD. An external team performs such testing, but less frequently than annually E. No such testing is performedAre network devices configured in accordance with the following (select all that apply)?A. Standard approved configurationsB. Changes to network device configurations exclusively via an approval processC. Denial of requested changes to network devices for high-risk exposures D. Administrative access to network devices limited on need-to-know basis
[0015] As can be seen from the preceding exemplary questions, the questions may be structured so that they are in: (i) yes-no (or True-False) format; (ii) multiple choice format; (iii) select all that apply format; and / or (iv) any other format wherein one or more answers may be selected from a list of potential answers. According to some embodiments, some or all of the questions may include a field wherein an optional free-form explanation may be entered. These questions may be presented to the user via a user interface, such as a web-accessible user interface, examples of which are presented below.
[0016] According to some embodiments, questions pertaining to an organization's cybersecurity posture (such as on a control-area-by-control-area basis) are presented by the system 100 to a user in the general form of a questionnaire, so that the user may respond to the questions, such as over a period of time (e.g., over plural sessions), recruiting assistance internally from domain experts, as needed. This has the advantage of ensuring human input in the selection of every answer within the questionnaire, but carries with it the disadvantage of being burdensome, and by virtue of the effort required, users may be dissuaded from using the system 100 or engaging with it frequently to "update" their answers as the facts on the ground change.
[0017] According to some embodiments, various documents may be uploaded to the system, and artificial intelligence may be used to extract some or all of the answers to theaforementioned questions, based on the contents of the documents. For example, a multimodal retrieval augmented generative system may be used to compute answers based on the contents of such documents. An exemplary multimodal retrieval augmented generative system is discussed below. Such documents may include documents arising from incident response activities, documents arising from proactive activities, documents developed by the organization in the course of its day-to-day operation, and other documents (examples: penetration testing reports, red team reports, threat intelligence reports, incident response reports, risk mitigation strategy reports, vulnerability assessment reports, security architecture diagrams, training documents such as security training documents, board presentation materials, policy documents such as data classification policies, access policies, and so on). These documents may be uploaded as they are created or on a periodic basis. The system 100 may compute the answers to the aforementioned questions on the basis of the content of these documents and prepopulate the questionnaire with answers. According to some embodiments, a confidence score may be determined for each answer determined via artificial intelligence. An example of a scheme for calculating such confidence score is discussed below. According to some embodiments, the confidence score is presented along with the prepopulated answer to assist a user in knowing where to spend his attention and effort in reviewing the prepopulated answers. According to some embodiments, the confidence score is compared to a threshold and if the confidence score falls beneath such threshold, the prepopulated answer is identified as uncertain via a visual indicator presented via a user interface. According to some embodiments, the confidence score is compared to a threshold and if the confidence score falls beneath such threshold, the question is not prepopulated with an answer, thereby compelling the user of the system 100 to attend to such question and produce an answer thereto by human effort.
[0018] Upon having personnel from an organization having completed the questionnaire, the organization's cybersecurity posture is determined. Stated another way, an organization's cybersecurity posture is equal to its complete set of answers to the questionnaire:Answer Set = Cybersecurity Posture.
[0019] Previously, it was stated that an organization may initially use the system 100 as the result of having been victimized by an act of cybercrime, and may thereafter become a regular user of such system 100. Considering such a scenario, such an organization may, for example, complete the questionnaire (either through human effort, Al "effort," or a hybrid effort) in the immediate wake of having been compromised by cybercrime, and may thereafter update their answers to such questionnaire on a regular basis (example: quarterly, annually, etc.). Considering the scenario in which such an organization updates their answers on a quarterly basis, then it follows that after one year of use, the system will have stored five cybersecurity postures for the organization: (i) the initial posture that was associated with the occurrence of a cybersecurity event; and (ii) four additional quarterly postures, presumably unassociated with any cybersecurity event, i.e., during the period in which the organization was in the posture reflected by the questionnaire, no cybersecurity event occurred.
[0020] The system 100 may store in a data store, such as a database, each such posture in association with other data indicating information about the posture and / or the organization, itself. Examples: date the posture was entered into the system; an indication of whether the posture was the subject of a cybersecurity event; the attack vector or vectors by which such event was perpetrated; the date of the event; the cost of the event to the organization; the business sector of the organization; total revenue of the organization; and other such sorts of information characterizing the attack and / or the organization. Thus, conceptually, after one year of use by the aforementioned hypothetical organization the system may store the following data:{Posturei, 9 / 27 / 24, EVENT_YES, SQLJ NJ ECTION, 9 / 25 / 24, COST, PAYMT_PROCESSOR, 100M-1B}{Posture2, 12 / 30 / 24, EVENT_NO, NULL, NULL, NULL, PAYMT_PROCESSOR, 100M-1B} {Postures, 3 / 7 / 25, EVENT_NO, NULL, NULL, NULL, PAYMT_PROCESSOR, 100M-1B} {Posture4, 6 / 3 / 25, EVENT_NO, NULL, NULL, NULL, PAYMT_PROCESSOR, 100M-1B} {Postures, 9 / 27 / 25, EVENT_NO, NULL, NULL, NULL, PAYMT_PROCESSOR, 100M-1B}
[0021] As can be seen from the preceding example, with the determination of each posture, each such posture is stored and associated with information indicating whether or not the organization was the subject of an instance of cybercrime while in such posture, along with information characterizing the attack and / or the organization. Example: the first exemplary conceptual record contains: (i) a representation of the answer set (i.e., the cybersecurity posture) associated with the aforementioned organization's first use of the system 100; (ii) an indication that the posture was recorded on the 27thof September 2024; (iii) an indication that the associated organization was in such posture while the subject of an act of cybercrime; (iv) an indication that the attack vector was SQL injection; (v) an indication that the act of cybercrime occurred two days prior to the recordation of the posture, i.e., on the 25thof September 2024; (vi) an indication of the cost of the event to the organization; (vii) an indication that the organization associated with the posture is engaged in the business sector of payment processing; and (viii) an indication that the total revenue of such organization is in the range of $100M to $1B in United States Dollars. Note: such record is referred to as "conceptual" because, typically, the data would not be literally stored in such a manner for reasons relating to normalization (and other reasons), as is well understood by those of ordinary skill in the art, but can be usefully thought of as having been stored as such for the purpose of this discussion.
[0022] On the other hand, the second exemplary conceptual record contains: : (i) a representation of the answer set associated with the aforementioned organization's second use of the system 100; (ii) an indication that the posture was recorded on the 30thof December 2024; (iii) an indication that no act of cybercrime was associated with the organization while it was in such posture; (iv) a null attack vector, because no act of cybercrime occurred at all; (v) a null attack date, again, because no act of cybercrime occurred at all; (vi) a null attack cost, because no act of cybercrime occurred at all; (vii) an indication that the organization associated with the posture is engaged in the business sector of payment processing; and (viii) an indication that the total revenue of such organization is in the range of $100M to $1B in United States Dollars.
[0023] The other exemplary conceptual records are understandable in view of the above discussion and are not discussed further.
[0024] The information contained in such exemplary conceptual records may be made available to other organizational users of the system 100 for use in determining risk levels associated with their respective cybersecurity postures, as discussed below. Notably, the information made available to other users is anonymous, although embodiments of the system 100 where anonymity is excluded as a feature is possible, in principle, and may be useful and desirable in certain contexts.
[0025] The reader is now asked to consider a scenario in which the system 100 has stored a quantity of 50,000 cybersecurity postures emanating from various organizations on a range of dates - wherein the quantity of 50,000 is simply a concrete example of a large sampling of such postures.
[0026] Turning to Figure 2A, it can be seen that each posture 200 (i.e., answer set) can be supplied as an input to a model 202. The model uses the answer set to represent the answer set, as a whole, as a vector, and also uses the answer set to represent the set of answers relating to the first control area as another vector, the set of answers relating to the second control area as yet another vector, and so on, thereby producing: (i) a first vector representing the answer set as a whole; and (ii) additional vectors - one for each control area - wherein each such additional vector represents the answer set pertaining to a respective one of the control areas.
[0027] Figure 2A depicts a vector store 204 (example: a vector database) containing 50,000 exemplary conceptual records - in keeping with the hypothetical scenario wherein the system 100 has stored quantity of 50,000 cybersecurity postures. The first such record is depicted as containing ten vectors (VECTORi,o, VECTORi , VECTORI,2, ...VECTORI,9).VECTORi,o is to be understood as a vector representing the first answer set (posture) in the system 100, as a whole. VECTORi,i is to be understood as a vector representing the narrower answer set pertaining to just the first control area from the first posture. VECTORI,2 is to be understood as a vector representing the narrower answer set pertaining to just the second control area from the first posture. And so on. So that the final vector in the exemplary hypothetical record, i.e., VECTORI,9, is to be understood as a vector representing the narrower answer set pertaining to just the ninth control area from the first posture.
[0028] Similarly, VECTOR2,o is to be understood as a vector representing the second posture in the system 100, as a whole. VECTOR2 is to be understood as a vector representing the narrower answer set pertaining to just the first control area from the second posture.VECTOR2,2 is to be understood as a vector representing the narrower answer set pertaining to just the second control area from the second posture. And so on. So that the final vector in the exemplary hypothetical record, i.e., VECTOR2,9, is to be understood as a vector representing the narrower answer set pertaining to just the ninth control area from the second posture.
[0029] Finally, VECTORsoooo.o is to be understood as a vector representing the fiftythousandth posture in the system 100, as a whole. VECTORsoooo.i is to be understood as a vector representing the narrower answer set pertaining to just the first control area from the fifty-thousandth posture. VECTORsoooo,2 is to be understood as a vector representing the narrower answer set pertaining to just the second control area from the fifty-thousandth posture. And so on. So that the final vector in the exemplary hypothetical record, i.e., VECTORSOOOO,9, is to be understood as a vector representing the narrower answer set pertaining to just the ninth control area from the fifty-thousandth posture.
[0030] The upshot is that every posture stored in the system 100 is represented, as a whole, by a vector, and on a control-area-by-control-area basis by other vectors (one vector representing those particular answers pertaining to a corresponding one of the control areas), and those vectors are associated with the additional data indicating: (i) whether a cyber event had occurred while the corresponding organization had been in such posture; (ii) the characteristics of the cyber event, assuming any such event in fact transpired; and (iii) the characteristics of the corresponding organization.
[0031] Before moving on to the benefits of having represented the answer sets (i.e., postures) thusly, a brief discussion of how such representation may be accomplished is presently presented.
[0032] One may consider every possible answer in the questionnaire presented by the system 100 as a dimension of a vector. Thus, for example, if the questionnaire contained 200 questions, with each question having, on average, 3.5 potential answers (consider: somequestions are in the form of yes-no, some are multiple choice, and so on), then then any particular posture could be represented as a vector having 700 dimensions.
[0033] For example, consider the previously presented exemplary questions related to the control area of network security. Suppose that the answers to those questions were: (i) Yes (i.e., meaning that firewalls are deployed as network defense tools); (ii) No (i.e., meaning that an intrusion prevention system is not used as a network defense tool); (iii) C (i.e., meaning that an external team performs network penetration testing at least annually); and (iv) A and D (i.e., meaning that network devices are configured using standard approved configurations, that changes to these configurations do not require approval emanating from an approval process, that changes to these configurations are therefore not denied for reason of such changes having been deemed a high-risk exposure, and that administrative access to network devices is limited on a need-to-know basis.)
[0034] he total number of possible answers to those four exemplary questions is 13: two possible answers to question 1 (Yes or No); two possible answers to question 2 (Yes or No); five possible answers to question 3 (A, B, C, D or E); and four possible answers to question 4 (any combination of (A, B, C and D). Thus, the answer to the first question could be expressed as[1, 0], i.e., Yes (the first option) was selected, and No (the second option) was not selected. The second answer could be expressed as [0, 1], i.e., Yes (the first option) was not selected. Carrying on with this scheme, the answer to the third question could be expressed as [0, 0, 1, 0, 0] and the answer to the fourth question could be expressed as [1, 0, 0, 1]. Expressing these individual vectors together, one arrives at [1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1] - a thirteen-dimension vector, with each dimension representing a possible answer. Thus, in the context of a questionnaire having 700 potential answers (as referred to above), then a posture could be expressed as a 700-dimension vector. If the questions pertaining to the first control are presented a total of 36 possible answers, then the vector representing the answer set pertaining to that control area would be expressed as a 36-dimension vector. And so on, on a control-area-by-control-area basis. This is one mechanism for representing a posture as a vector, but is not the only such mechanism.
[0035] Another mechanism to express the answers as text, and then to supply such text to an embedding model which then produces a vector representing such text. Carrying on withthe preceding example, the answers could be expressed textually and appended: "Firewalls are deployed as network defense tools. An intrusion prevention system is not used as a network defense tool. An external team performs network penetration testing at least annually. Network devices are configured using standard approved configurations. Changes to network device configurations do not require approval emanating from an approval process.Changes to network device configurations are not denied for reason of such changes having been deemed a high-risk exposure. Administrative access to network devices is limited on a need-to-know basis." This text could then be supplied as an input to an embedding model 202, which would then produce a vector representing such text. This may be done for the answer set, as a whole, and on a control-area-by-control-area basis.
[0036] Consider an organization making use of the system 100 with 50,000 postures stored in a vector database 204, with such postures being represented as vectors (such as described above, and as depicted in Figure 2A). Upon such organization having completed its questionnaire, and thereby having established its posture, the system 100 would then express the posture - as a whole - as a vector, and would also express the answers pertaining to each control area as individual vectors (one vector for each corresponding control area). The system 100 would then generate a query 206. The query 206 would contain the vector representing the entire posture, and would instruct the vector database 204 to return a quantity of K (example: K = 50) nearest neighboring vectors. The database 204 would then return the records corresponding to the 50 postures most like the organization that just completed its questionnaire. From those records, risk calculator 208 can determine the risk associated with the organization being in such cybersecurity posture. For example, the system 100 may present the user with data indicating that it has identified the top 0.1% of cybersecurity postures bearing the greatest resemblance to the organization's posture (assuming K=50, as given in the above example, then 50 nearest neighboring postures out of 50,000 total postures = 0.1%), and given that the records associated with each posture include data that indicates whether the corresponding organizations were in such postures while having been the victims of a cybercrime, and also includes the costs to the organization of such cybercrime events and the attack vectors by which such crimes were perpetrated, then that means that the system 100 can present datato a user that communicates the following: (1) the K most similar cybersecurity postures to the one you are in right now have been identified; (2) X% of the organizations corresponding to those postures were in such posture while victimized; (3) those instances of cybercrime cost the victimized organization $D dollars on average; and (4) those instances of cybercrime were conducted by exploitation of the following attach vectors. Assume K=50, X=28% and $D=1.5M. Then the user could interpret this data in a manner similar to: "28% of the organizations conducting their cyber affairs most similarly to my organization were the victims of cybercrime, and that crime cost such organizations $1.5M on average. The attack vectors exploited were Vector_l, Vector_2, and Vector_3." According to some embodiments, this percentage is calculated using a weighted average based upon the number of days the organization was in such posture. This permits the risk to be expressed on an annual basis or some other chosen normative time-based basis: "In a given year, 28% of the organizations conducting their cyber affairs most similarly to my organization were the victims of cybercrime, and that crime cost such organizations $1.5M on average." In other words, the risk level can be expressed in terms of rate of incidence. According to some embodiments, risk scores may be presented to the user as a simple numerical score such as ranging from zero to five. Example: risk score = (1 - risk) * 5. Thus if 28% of the organization most similar to a given user's organization were victimized in a given year, that risk level may be expressed as 3.6, i.e., (1 - .28) * 5 = 3.6. (Certain exemplary user interfaces presented below express calculated risk scores in such a manner, although such a presentation is not necessary - it is but one example of a neat, clean, simple expression of risk that provides a high-quality user experience.). According to some embodiments, the attack vectors may be reported to the user in order of prevalence. According to some embodiments, a particular quantity of the most prevalent attack vectors may be reported to the user of the system 100 (example: the three most prevalent attack vectors from among the K most similar cybersecurity postures.)
[0037] According to some embodiments, the queries 206 contain certain restrictions. For example, the same sort of K-nearest neighbors query may be executed, with the query being restricted by business sector and / or total revenue range (as examples of useful restrictions). Thus, an organization may use the system 100 to find those particular other organizations that: (i) conduct their cyber affairs most similarly to the way it conducts its own (i.e., thosethat have the most similar cybersecurity posture); and (ii) is in the same business sector and revenue range. The insight here is that the likelihood of the occurrence a cyber security event may be influenced by at least two considerations: (i) an organization's cybersecurity posture; and (ii) the attractiveness of the organization as a prospective victim, e.g., the value of its data, the capacity of the organization to pay a meaningful ransom for restoration of its data or systems, the proportion of high net worth individuals among its top executive ranks, and so on - considerations that track closely with the particular business sector in which an organization operates and with the organization's total revenue. For example, consider a situation in which an unrestricted K-nearest neighbor search yielded the result that "28% of the organizations conducting their cyber affairs most similarly to my organization were the victims of cybercrime, and that those crimes cost such organizations $1.5M on average," but the same search when restricted to those postures corresponding to organizations with matching / similar business sectors and total revenues yielded the result that "42% of the organizations conducting their cyber affairs most similarly to my organization were the victims of cybercrime, and that those crimes cost such organizations $10. IM on average." The dramatic increases in percentage of victimhood and costs associated with victimhood indicates that not only would the prospect of carrying on in such a cybersecurity posture be risky (as revealed by the unrestricted search), but that its business sector and revenue range make it an attractive target, so much so, that it is much less likely to "get by" with lax cybersecurity measures than other organizations. This is learned by comparing the unrestricted K-nearest neighbor search to the restricted one.
[0038] The queries 206 may be restricted other ways. For example, rather than seeking out those particular quantity of K nearest neighboring vectors that represent end-to-end cybersecurity postures most closely resembling the vector contained in the query 206, the query may supply a vector representing only those answers pertaining to a particular control area (example: a vector representing only those answers pertaining to network security) and instruct the database 204 to return a quantity of K records containing those particular nearest neighboring vectors pertaining to the same control area as the vector supplied in the query. The system 100 may do this on a control-area-by-control-area basis so that risk may be understood in objective, well defined terms for each control area. Thus, such data presented by the system 100 may be interpreted by the user to mean: "8% of theorganizations conducting their cyber affairs most similarly to my organization in the realm of network security were the victims of cybercrime, and those crimes cost such organizations $57k on average; but, 38% of the organizations conducting their cyber affairs most similarly to my organization in the realm of endpoint security were the victims of cybercrime, and those crimes cost such organizations $1.2M on average." (And so on, on a control-area-by-control-are basis). Such information permits a user to understand where his or her organization should focus their effort, attention and budget - and does so in well defined, easy to communicate terms.
[0039] According to some embodiments, the system 100 may, from time to time, such as on a periodic basis, conduct a K-nearest neighbor search for each subscribing organization (using data from its most recent cyber security posture as the query vector, and optionally restricting the search to the population of postures corresponding to organizations in the same or similar business sectors and / or having revenues in the same or similar range, among other possible query restrictions - which include, without limitation, restricting the search to the population of postures entered into the system 100 within a given timeframe), and determine for each such organization whether a new vector has entered into its top-quantity-of-X-most-prevalent attack vectors, and proactively present such information to personnel from such organization. Example: "A new attack vector has gained prevalence in exploits targeting organizations that are in your organization's business sector, have revenues similar to your organization's revenues, and conduct cybersecurity affairs in a manner similar to the way in which your organization conducts its cybersecurity affairs. Predictable Resource Enumeration has entered the Top-3 most prevalent attack vectors this week."
[0040] The point is that by representing a cybersecurity posture as a vector (either the posture as a whole or on a control-area-by-control-area basis), it is possible to identify those other vectors (which represent the postures of other organizations) that are its nearest neighbors. (Example: the vector database 204 may employ one of several KNN algorithms, such as cosine similarity or inner product, in order to identify a quantity of K vectors that are nearest to the vector supplied in the query.) And by identifying nearest neighbors (with or without additional query 206 restrictions), an objective and defensible measure of risk for an organization can be calculated and associated with a cost. This sort of information isrequired by cybersecurity executives to communicate internally with their peers, who may not be cybersecurity personnel, but may instead be members of the broader executive suite (examples: the peer executives may be a CEO, COO, President, CFO and the like). Armed with this sort of information, the broader executive suite can begin to weigh the importance of cybersecurity alongside the importance of other corporate goals, objectives and risks, in terms of allocating attention and budget.
[0041] In addition to permitting discussion of cybersecurity risk in language that is anchored in defined, understandable terms that do not descend into a conversational subjective quagmire ("It is risky not to employ an intrusion prevention system." "What does that mean? How risky?" "We can't do without it - it's too risky. I'm the cybersecurity expert: trust me." "But is it really worth the cost? Don't we have firewalls?"), there is another advantage. If, with respect to a particular given posture, one considers the percentage of cybercrime victimhood associated with its K nearest neighboring postures to be the risk of victimhood of the aforementioned particular given posture, then, a risk can be determined for each of the 50,000 postures - wherein for any given posture, the other 49,999 postures are used as the pool from which to draw the K nearest neighbors and express risk. This means that in the context of a system 100 storing posture data (and other data discussed previously) for 50,000 organizations (as an arbitrary example of a large quantity), then it is the case that there exists a quantity of50,000 {answer set, risk} pairs with which to train a model to calculate risk on the basis the basis of an organization's answers to the questionnaire posed by the system 100. Stated another way, one may consider the system 100 as containing:{answer seti, riski}(answer set2, risk2}{answer setsoooo, risksoooo}.
[0042] These pairings of answer sets and risk levels (achieved initially through a K-nearest neighbors approach) can be used to train a linear or non-linear model through various well understood techniques, such as those based upon gradient descent. The system 100 mayre-train such model or models on a periodic basis, such as on a daily, weekly, monthly, or quarterly basis, for example.
[0043] In the wake of having created such a model, the risk presented by a particular answer set may be calculated in two ways: (i) via a K-nearest neighbors approach; and / or (ii) via use of the answers as independent variables, making use of the model to calculate the risk on the basis of those independent variables. This is significant because, when determining the risk presented by a new cybersecurity posture, a K-nearest neighbor approach compels that new posture to be situated among the older pre-existing postures: it literally finds the quantity of K nearest such postures and determines the risk on the basis of their outcomes as reflected in their respective records. But it may be the case that the nearest neighbors are not actually all that near - they are simply the nearest that are available to be located in the vector store 204. In such situations, the risk determined by such an approach may not reflect reality. But a model can be trained to reflect the trends in the existing data, matching independent variables (i.e., answers) to risk trends. Calculating risk on the basis of a model permits a risk to be determined for a new posture that is substantially outside of the neighborhood of the existing postures.
[0044] I n view of the above, according to some embodiments, the risk for a given posture may be initially calculated on the basis of a KNN approach, and returned with an indication of the distances between the given posture and its nearest neighbors (example: a distance may be returned for each nearest neighbor, in order to reflect the distance between such neighbor and the aforementioned given posture; alternatively, a single distance may be returned, reflecting the average distance between the aforementioned given posture and each nearest neighbor). A decision about whether to use the risk data calculated on the basis of the KNN approach may be made based upon the distance data (example: if the average distance is greater than a chosen threshold, then the risk determined via the KNN approach is not used), and in the event of a decision not to use the KNN-derived risk calculation, the risk may be calculated based on using the model, instead.
[0045] In the wake of having determined the risk or risks associated with a given organization's cybersecurity posture (recall: the system 100 may calculate and return risk levels on a control-area-by-control-area basis), the system 100 may identify one or more questions from the questionnaire that, if answered differently, would most improve theorganization's risk. For example, the system 100 may take a particular answer set, such as one arising from a newly-completed questionnaire or an answer set otherwise selected by a user, and use it as an answer-set-under-analysis. The answers within the answer-set-under-analysis are each independent variables. On an answer-by-answer basis, the system 100 alters each answer while holding all of the other answers constant to create a hypothetical answer set. The hypothetical answer is supplied to the aforementioned model to create a corresponding hypothetical risk score. Therefore, in the wake of this process, there will exist a like number of hypothetical answer sets and hypothetical risk scores, wherein each such hypothetical answer set includes only a single altered answer. The altered answer from within the hypothetical answer set with the lowest corresponding hypothetical risk score is selected as indicating the most valuable potential change to the corresponding organization's cybersecurity posture, and it is presented to the user, along with the calculated risk improvement from having adopted such singular change to his or her organization's cybersecurity posture.
[0046] According to some embodiments, the just-described process if performed iteratively, according to a user-selected quantity of recommendations. In other words, the system 100 presents the user with a user interface permitting the user to request a quantity of N top recommended changes (Example: the user may select a quantity of N=5 recommended changes). In response, the system 100 iterates the aforementioned process N times, and at the end of any particular iteration, the hypothetical answer set corresponding to the lowest corresponding hypothetical risk score is used as the answer-set-under-analysis to begin the next iteration. In this way, the best set of singular improvements to the organization's posture are accrued (one best improvement being accrued with each iteration), and at the end of such process, the quantity of N most valuable potential changes are presented to the user, along with the calculated risk improvement from having adopted such changes to his or her organization's cybersecurity posture.
[0047] According to some embodiments, each potential answer is associated with a remedial action (which may be, for example, the adoption of a new organizational behavior or tool or service) (such association is preserved in the various persistence layers, e.g., in one or more of its databases) that, if adopted, would permit the organization to select such answer on the questionnaire in the future. Each such remedial action is associated with anestimated cost of adoption. According to some embodiments, the user interface presents the user with the option to enter a budget within which the recommended remedies (again, which are essentially restatements of altered answers) are to fall. Pursuant to such embodiments, the system 100 may perform the iterative process described above, except that, with each iteration: (i) the cost associated with the proposed altered answer corresponding to the hypothetical answer set with the lowest hypothetical risk score is retrieved; (ii) such cost is provisionally added to a running total-cost-of-proposed-remedies; (iii) the total-cost-of-proposed-remedies is compared to the budget; (iv) if the total-cost-of-proposed-remedies is less than the budget, then the proposed altered answer is adopted as the recommended proposal identified in such iteration; (v) but if the total-cost-of-proposed-remedies is greater than the budget, then the altered answer is not adopted and its cost is withdrawn from the total-cost-of-proposed-remedies, the cost associated with the proposed altered answer corresponding to the hypothetical answer set with the next-lowest hypothetical risk score is retrieved, and the process is returned to the third enumerated step. Such a process arrives at a set of altered answers (which correspond to remedial actions) that improve a cybersecurity posture, while remaining within a pre-determined budget.
[0048] For the sake of clarity, Figure 2B depicts a system structured to: (i) prepopulate a questionnaire posed to a particular organization with answers, on the basis of documents, such as multimodal documents originating from such organization; (ii) calculate a confidence score associated with each such prepopulated answer; (iii) filer out those particular prepopulated answers associated with confidence scores that do not meet a threshold; (iv) receive a completed questionnaire from a representative of the aforementioned organization; (v) use a model to represent the answer set derived from the completed questionnaire as a vector; (vi) store such vector in a vector database; (vii) train a model to relate a modeled risk score on the basis of the answer set; (viii) present a user interface to a representative of the aforementioned organization permitting such representative to initiate an analysis of his or her organization's cybersecurity posture in view of certain restrictions; (ix) perform a K-nearest neighbor search to locate those nearest neighboring vectors satisfying the restrictions; (x) determine the cybersecurity risk as exhibited by those nearest neighbors ("the KNN risk"); (xi) determine the distance between the population of nearestneighbors and the vector used to conduct the search; (xii) return the KNN risk to the aforementioned representative via the user interface (along with other information) if the distance is less than a threshold, and otherwise return the modeled risk; (xii) present a user interface to the aforementioned representative permitting such representative to initiate the generation of recommended remedial steps to best improve his or her organization's cybersecurity posture in view of a selected quantity of suggested remediations and / or in view of a budget; (xiii) perform a sensitivity analysis on the answer set associated with the organization's answer set and return such suggested remediations to the representative via the user interface.
[0049] To this point, discussion has focused on how the system 100 represents cybersecurity postures, uses such representations to calculate risk score(s) associated with any particular posture, calculates proposed changes to any particular posture in order to maximally reduce its risk score, and conform such proposals to a maximum-quantity-of-changes "budget" or to a financial budget. Previously, it was mentioned that the system 100 may include artificial intelligence capabilities that permit it to ingest media or documents of various forms and formats (text in the format of a pdf; text in the format of a WORD® document; a spreadsheet in the format of an EXCEL® document; an image in the format of a JPEG, such as an image of a network diagram; and so on), and in view of such documents, attempt to prepopulate some or all of the questionnaire presented by the system 100. According to some embodiments, these capabilities are delivered via a retrieval augmented generative system. Such a system requires the media / documents to be organized into units or chunks that are associated with vectors, known as "embeddings," that represent the relationships and meanings of the data within such units or chunks; the vectors and associated chunks or units are typically stored in a vector database for later retrieval, based upon a query vector. The database identifies those particular stored vectors that are nearest neighbors to the query vector and returns the units or chunks into the context window of a large language model as context along with a prompt, in order to stimulate a calculated response from the large language model. Discussion now turns to those aspects of the system 100 related to interpreting multimodal data and establishing a vector database for use by a retrieval augmented generative system. What follows is an exemplary embodiment.
[0050] It is expected that the predominance of media ingested by the system 100 will be in the form of text (example: text in a PDF, text in a WORD document, and so on). Stated another way, the primary expected modality is text. Consequently, according to some embodiments, it may be advantageous to use text as the primary modality of the aforementioned retrieval augmented generative system, meaning that all other modalities will be converted into some form of textual description or metadata that, in turn, will be represented as a vector embedding that indexes the original media. (Example: from an image, a textual description of the image is generated; from the textual description of the image, a vector embedding is created; the vector embedding and original image are stored in association with one another in a vector data store, such as a vector database; and the same general process is used in connection with modalities other than imagery.)
[0051] Figure 3 depicts an exemplary embodiment of a system for interpreting multimodal data and establishing a vector database for use by a retrieval augmented generative system. Figure 3 depicts a plurality of input documents 300. Input documents 300 may be in a variety of modalities and formats, including formats housing mixed modalities (Examples of mixed modalities: a PDF including both textual passages and accompanying images; an EXCEL spreadsheet including both tabular data and associated textual discussion of such data; and so on). Input documents 300 may include penetration testing reports, red team reports, threat intelligence reports, incident response reports, risk mitigation strategy reports, vulnerability assessment reports, security architecture diagrams, network diagrams, training documents such as security training documents, board presentation materials, policy documents such as data classification policies, access policies, and so on.
[0052] As can be seen from Figure 3, the exemplary system depicted therein includes a plurality of pipelines 302, 304 and 306, the output of each such pipeline 302, 304 and 306 being an embedding that is stored in a vector store 308, such as a vector database 308. AlthoughFigure 3 depicts three such pipelines 302, 304 and 306, the system could contain any number of such pipelines, in principle. There may be one pipeline 302, 304 and 306 for each format of document 300 to be ingested by the system, or one pipeline 302, 304 and 306 for each modality or mixture of modalities to be handled by the system. Example: one pipeline 302, 304 and 306 for text / image composites, one pipeline 302, 304 and 306 for tabulardata / text composites, and so on. Each such pipeline 302, 304 and 306 is substantially similar, so the discussion herein will focus only on pipeline 302. The discussion related to pipeline 302 will predominantly focus on a mixed modality of text and image, i.e., a document containing textual passages along with accompanying figures, pictures or other imagery. This is for the purpose of grounding the discussion in a concrete example - one that is expected to be the dominant such mixture ingested by the system - but it should be kept in mind that the teachings herein are useful for any mixture of modalities, and occasional reference to other such mixtures is made herein from time to time.
[0053] A document 300 is initially supplied to an extractor 310. The extractor 310 separates the modalities contained within the document 300. Example: separates out the text from the figures, so that they are isolated in separate files, such as a text file containing the text within the document 300 and one or more image files (example: JPEG, TIFF, BMP, etc.). The extractor 310 delivers the segregated modalities to a formatter 312.
[0054] The formatter 312 receives the data from the extractor 310, and converts it into a format expected by the next stage of the pipeline 302. For example, with respect to image data, such data is delivered to a multimodal large language model 314, which may, for example, be structured to handle image data that is in a portable pixel map format (PPM format). In such an instance, the formatter 312 converts each image file received from the extractor 310 into a PPM file, and delivers each such file to the multimodal large language model 314. (Similarly, if the mixed modality document 300 being handled by the pipeline 302 had been a mixture of tabular data and textual passages, then the tabular data would have been extracted by the extractor 310 and sent to the formatter 312, and the formatter 312 would convert it into a format expected by the multimodal large language model 314, such as converting it into a comma-separated value file, i.e., a CSV file.) With respect to the text delivered to the formatter 312, it is converted into a format expected by the text splitter 316, such as conversion into a text file, i.e., a TXT file.
[0055] Discussion now focuses on the scenario wherein text had been delivered to the formatter 312, before discussing the scenario wherein a different modality had been delivered (e.g., an image or other modality).
[0056] In the event that text had been supplied to the formatter 312, then such textual data would have been converted into the proper format for reception by the text splitter or chunker 316, and then delivered thereto. The text splitter 316 divides the textual data into a succession of individual "chunks" of textual data - each of a proper size so that it may be supplied to the input stage of an embedding model 318. It should be kept in mind that chunks should contain a complete thought to the extent possible. To accommodate this, the splitter 316 may divide the textual data into chunks on a one-paragraph-to-one-chunk basis, according to some embodiments. So, the textual data as a whole may be thought of as being the sum of each of the various chunks into which the splitter 316 divides such data:Aggregate Textual Data = Chunki + Chunk2 + ...Chunkn.
[0057] On a one-by-one basis, each chunk is delivered to the input stage of an embedding model 318. The embedding model 318 receives such textual chunk of input and represents it as a vector, i.e., the output of the model 318 is a vector embedding representing the textual chunk supplied to it. The textual chunk and vector that represents it are stored in association with one another in the vector store 308, so that it may be later determined "what textual chunk corresponds with this particular vector?" Thus, the vector database 308 may be thought of as containing:{Vectori, Chunki}, {Vector, Chunk2}, ...{Vectorn, Chunkn}.
[0058] Turning to the case wherein an image (or other modality) had been supplied to the formatter 312, then such image data would have been converted into the proper format for reception by the multimodal large language model 314. For background, a multimodal large language model is a large language model that can receive as inputs data of more than one modality (example: image data and text data). As of the filing of this document, KOSMOS-2 from MICROSOFT® is an example of a multimodal large language model that may receive image data and text data as inputs. Returning to the aforementioned case involving an image, such image is delivered to the input of the multimodal large language model 314 ascontext for a prompt directing the multimodal large language model 314 to produce a summary of the image i.e., produce a textual passage summarizing the image.
[0059] The textual summary produced by the multimodal large language model 314 is passed to a large language model 320 as context for a prompt directing the large language model 320 to answer whether the image that was delivered to the aforementioned multimodal large language model 314 was an image of something that should be handled by a specialized multimodal large language model 322. Example: Is the image an image of a chart? Although Figure 3 depicts the inclusion of only on such specialized multimodal large language model 322 and depicts the large language model 322 as being engaged in making only one such decision concerning whether a specialized multimodal large language model should be used in processing of the image, in principle the pipeline 302 may include plural specialized multimodal large language models 322 and the large language model 320 may be prompted to indicate whether any one of those plurality should process the image, and, if so, which one. By way of background, a generalized multimodal large language model 314 may not be suitable for extracting all of the data contained in certain sorts of images. For example, in the context of an image of various forms of charts (such as could be made via EXCEL from a table of data containing a quantity of R rows and C columns), a specialized multimodal large language model 322 may extract all such information in linearized textual passages akin to: "the image is a chart containing data pertaining to the price of gold and silver per ounce. Gold is in column 1, and Silver is in column 2. Each Row pertains to a year. Row l: 2010, $630, $13. Row 2: 2011, $710, $17. Row 3: 2012, $690, $18." As of the filing of this document, DEPLOT from GOOGLE® is an example of such a specialized large language model 322 that produces linearized text describing the contents of an image containing different forms of charts. The point here is that a generalized multimodal large language model 314 is not suitable for performing such a task, but it could, for example, in response to a prompt directing it to summarize the image produce a textual summary indicating that the image is a chart. Using such textual summary as context, the large language model 320 can be prompted to indicate in yes-or-no fashion: "Is the image an image of a chart?"
[0060] Assuming the normative case wherein the image does not require handling by a specialized multimodal large language model 322, then the description of the image produced by the multimodal large language model 314 is delivered to the embedding model318. The embedding model 318 receives such textual image description as input and represents it as a vector, i.e., the output of the model 318 is a vector embedding representing the textual image description supplied to it. The image and vector representing its textual image description it are stored in association with one another in the vector store 308, so that it may be later determined "what image corresponds with this particular vector?"
[0061] Turning to the case wherein the image does, in fact, require handling by a specialized multimodal large language model 322, in such a case, the image is passed to the specialized multimodal large language model 322, which responds by producing the linearized description of the special-case image (example: a chart) as described above. Linearized text is structurally different than ordinary language. As such it is not advisable to take such text and supply it to the embedding model 318 for vectorization. Instead, such linearized text may be supplied to a large language model 324 as context with a prompt directing the large language model 324 to produce a summary of the linearized language. Such textual summary is then supplied to the embedding model 318. The embedding model 318 vectorizes it (as has been described above) and stores it in association with the linearized text from the specialized multimodal large language model 322.
[0062] In summary, the pipelines 302, 304 and 306 serve to create a vector database 308 populated with units of information useful in responding to questions about a given organization's cybersecurity posture and vectors representing each such unit of information. Discussion now turns to the question-answering system employing the vector database 308.
[0063] An exemplary embodiment of the question-answering system is depicted in Figure 4. As shown in Figure 4, the various queries from the questionnaire are stored in a database 400. On a one-by-one basis each query is retrieved and supplied to the input stage of an embedding model 402. The embedding model 402 responds by representing the query as a vector embedding. The vector embedding is used to query the vector database to identify a quantity of K most closely neighboring vector embeddings stored therein as a result of the process described with regard to Figure 3, and, upon having identified such vectors, to return the information associated with such vectors (e.g., to return the associated textual paragraphs or chunks, linearized text, images and so on).
[0064] Assuming the unit of information is a textual chunk or linearized text, then such textual chunk or linearized text is introduced into the input stage of a large language model 404 as context. On the other hand, assuming the unit of information is not in the form of text, then it is introduced into the input of a corresponding multimodal large language model 406, 408, 410 that is of the sort that is able to accept such non-textual data as an input, i.e., as context. (Example: if the received information was an image, the image would be supplied to a particular multimodal large language model 406, 408, 410 that is structured to accept an image as an input). The aforementioned corresponding multimodal large language model 406, 408, 410 is also supplied with the query that had been retrieved from the database 400. (Example: a multimodal large language model is supplied with an image of an entrance to an organization's facility - retrieved from the vector database 308 - and then prompted with a query asking whether, given the evidence in the image, there appears to be adequate lighting at the entrance. The multimodal large language model 406, 408, 410 produces a textual response.). The response from the corresponding multimodal large language model 406, 408, 410 is also supplied to the large language model 404 as context. Finally, the large language model 404 is prompted with the query that was initially retrieved from the database 400, and produces an answer on the basis of the various units of context that had been delivered to it. Thus, as can be seen from. Figure 4, according to this embodiment, the large language model 404 actually producing the answers is ultimately supplied with context that is in the form of the primary modality, i.e., text, and the answers it generates are based upon such context and the directives given by the query.
[0065] According to some embodiments, the answer generated by the large language model 404 is used to fill in a corresponding question on the questionnaire. According to other embodiments, a confidence score is calculated by a confidence calculator 412, and a decision is made whether or not to answer the corresponding question on the basis of such confidence score. For example, in the wake of the large language model 404 having generated an answer to a particular query / question of the questionnaire, the large language model 404 may be prompted to indicate whether the answer provided was correct (example: "Is the provided response correct? Answer Yes or No."). The confidence score is determined by taking the probabilities scores within the final matrix of the large language model 404 corresponding to Yes and No, and performing the following calculation:Confidence Score = P(yes | prompt) / [ p(yes | prompt) + P(no | prompt)].
[0066] According to some embodiments, if the confidence score fails to exceed a threshold, the output of the large language model 404 is not used to answer the question drawn from the database 400. According to some embodiments, the output of the large language model 404 is used to answer such questions, irrespective of such score, and each confidence score is presented along with it corresponding prepopulated answer. According to some embodiments, the output of the large language model 404 is used to answer such questions, irrespective of such score, and if the confidence score falls below a threshold, then the answer is visually indicated as questionable to the user via the user interface of the system 100, to draw the user's attention to that question-answer combination.
[0067] Figures 5-10 depict exemplary embodiments of various screens for use in connection with a user interface of the system described herein. Other screens may be used in connection with such a user interface, as will be understood by those of ordinary skill in the art.
[0068] The foregoing outlines features of several embodiments so that those skilled in the art may better understand the aspects of the present disclosure. Those skilled in the art should appreciate that they may readily use the present disclosure as a basis for designing or modifying other processes and structures for carrying out the same purposes and / or achieving the same advantages of the embodiments introduced herein. Those skilled in the art should also realize that such equivalent constructions do not depart from the spirit and scope of the present disclosure, and that they may make various changes, substitutions, and alterations herein without departing from the spirit and scope of the present disclosure.
Claims
What is claimed is:
1. A system for identifying, assessing, and remedying cyberthreats of an organization, the system comprising:a data ingestion module configured to receive and process a plurality of documents associated with the organization, the documents comprising multimodal data including text and images;an embedding module configured to generate vector embeddings from the received documents by extracting and converting the multimodal data into textual descriptions and embedding the textual descriptions into vectors;a questionnaire module configured to present a cybersecurity questionnaire comprising a plurality of control areas to a user associated with the organization and to receive an answer set comprising answers to the plurality of questions;a vector representation module configured to represent the answer set as a plurality of vectors, wherein at least one vector represents the answer set as a whole and at least one vector represents answers corresponding to a respective control area;a vector database configured to store a plurality of cybersecurity postures of multiple organizations, each posture represented as a plurality of vectors associated with metadata including cyber event occurrence and organizational characteristics;a query module configured to:generate a query vector based on the vector representation of the organization's answer set; andperform a K-nearest neighbor search in the vector database to identify a plurality of nearest neighboring postures;a risk assessment module configured to determine a cybersecurity risk score for the organization based at least in part on cyber event data associated with the plurality of nearest neighboring postures and, when a distance metric between the query vector and the nearest neighbors exceeds a threshold, to calculate the risk score using a trained risk model;a recommendation module configured to perform a sensitivity analysis on the answer set using the trained risk model to identify one or more changes to answers that would reduce the cybersecurity risk score, and to generate remedial actions correspondingto the identified changes, wherein the recommendation module is further configured to select the remedial actions based on a user-defined budget constraint; anda user interface module configured to present the determined cybersecurity risk score, the recommended remedial actions, and confidence scores associated with answers prepopulated by the system.
2. The system of claim 1, wherein the data ingestion module comprises a plurality of pipelines, each pipeline configured to process documents of a respective modality or format, and wherein each pipeline extracts modality-specific information, converts such information into textual form, and supplies the textual form to the embedding module for vectorization.
3. The system of claim 1, wherein the questionnaire module is further configured to prepopulate answers to at least a subset of the plurality of questions using the vector embeddings generated from the received documents and to associate a confidence score with each prepopulated answer, and wherein the user interface module visually indicates questions with confidence scores below a predefined threshold.
4. The system of claim 1, wherein the risk assessment module is configured to train the risk model using a plurality of historical cybersecurity postures and associated risk data obtained from the vector database, and to periodically retrain the risk model based on accumulated data.
5. The system of claim 1, wherein the recommendation module is configured to iteratively identify a plurality of remedial actions up to a user-selected number N, wherein each iteration uses the answer set updated with previously identified remedial actions, and wherein during each iteration, remedial actions whose cumulative estimated cost exceed the user-defined budget are excluded.
6. A method for identifying, assessing, and remedying cyberthreats of an organization, the method comprising:receiving and processing, by a computing system, a plurality of documents associated with the organization, the documents comprising multimodal data including text and images;generating, by the computing system, vector embeddings from the plurality of documents by extracting and converting the multimodal data into textual descriptions and embedding the textual descriptions into vectors;presenting, by the computing system, a cybersecurity questionnaire comprising a plurality of control areas to a user associated with the organization;receiving, by the computing system, an answer set comprising answers to the plurality of questions;representing, by the computing system, the answer set as a plurality of vectors, wherein at least one vector represents the answer set as a whole and at least one vector represents answers corresponding to a respective control area;querying, by the computing system, a vector database storing a plurality of cybersecurity postures of multiple organizations, each posture represented as a plurality of vectors associated with metadata including cyber event occurrence and organizational characteristics, by:generating a query vector based on the vector representation of the organization's answer set; andperforming a K-nearest neighbor search in the vector database to identify a plurality of nearest neighboring postures;determining, by the computing system, a cybersecurity risk score for the organization based at least in part on cyber event data associated with the plurality of nearest neighboring postures and, when a distance metric between the query vector and the nearest neighbors exceeds a threshold, calculating the risk score using a trained risk model; performing, by the computing system, a sensitivity analysis on the answer set using the trained risk model to identify one or more changes to answers that would reduce the cybersecurity risk score;generating, by the computing system, remedial actions corresponding to the identified changes;selecting, by the computing system, the remedial actions based on a user-defined budget constraint; andpresenting, by the computing system via a user interface, the determined cybersecurity risk score, the recommended remedial actions, and confidence scores associated with answers prepopulated by the system.
7. The method of claim 6, wherein receiving and processing the plurality of documents comprises:processing the documents through a plurality of pipelines, each pipeline configured to handle documents of a respective modality or format;extracting modality-specific information from each document;converting the extracted information into textual form; andsupplying the textual form to an embedding model to generate vector embeddings.
8. The method of claim 6, further comprising:prepopulating answers to at least a subset of the plurality of questions using the vector embeddings generated from the received documents;associating a confidence score with each prepopulated answer; andvisually indicating, via the user interface, questions with confidence scores below a predefined threshold.
9. The method of claim 6, further comprising training the risk model using a plurality of historical cybersecurity postures and associated risk data obtained from the vector database, and periodically retraining the risk model based on accumulated data.
10. The method of claim 6, wherein selecting the remedial actions comprises:iteratively identifying a plurality of remedial actions up to a user-selected number N, wherein each iteration uses the answer set updated with previously identified remedial actions;estimating a cumulative cost of the identified remedial actions during each iteration; andexcluding remedial actions whose cumulative estimated cost exceed the user-defined budget.