- The paper introduces ASTRAL, an LLM-driven framework that reconstructs incomplete CPS architectures for quantitative risk analysis.
- It employs prompt chaining, multimodal analysis, and Bayesian Networks to generate threat models and compute composite risk metrics.
- Empirical case studies in industrial, medical, and solar CPS demonstrate improved risk identification and actionable security insights.
Multimodal LLM-Driven Architecture-Centric Security Assessment in Cyber-Physical Systems
Motivation and Problem Statement
Architectural incompleteness is a pervasive obstacle in cyber-physical systems (CPSs) security assessment. Fragmented, outdated, or missing architectural documentation—exacerbated by legacy technologies, multi-vendor integrations, and complex life-cycle evolution—severely impedes systematic risk analysis. This gap undermines accurate identification of dependencies, attack surfaces, trust boundaries, and risk propagation paths, especially as threat models become rapidly obsolete in operational environments. Existing security assessment frameworks (e.g., STRIDE-LM, attack trees, Bayesian Networks) presuppose exhaustive architectural fidelity, a requirement routinely violated in live CPS deployment.
The paper introduces ASTRAL (Architecture-Centric Security Threat Risk Assessment using LLMs), a prototype framework leveraging prompt chaining with state-of-the-art multimodal LLMs to systematically reconstruct, model, and quantify risk within CPSs, even under severe architectural uncertainty. This investigation is positioned against current LLM-based security automation which, as documented, generally assumes access to comprehensive architectural data and lacks explicit architectural synthesis or integration with downstream risk quantification (2604.05674).
ASTRAL Framework Overview
ASTRAL operationalizes architecture-centric security assessment through a three-phase, tightly integrated pipeline:
- Phase 1: Architectural Reconstruction: Extracts a structured, ontologically-grounded representation of system architecture from incomplete artefacts (e.g., diagrams, partial documentation), applying strict semantic guardrails, prompt chaining, and multimodal pattern completion.
- Phase 2: Security Modelling: Applies LLM-driven structured prompts to generate threat models (STRIDE-LM) and hierarchical attack trees contextualized with system-specific CVEs, hazards, and adversarial objectives.
- Phase 3: Probabilistic Analysis: Synthesizes architectural and threat model outputs into a semantically compliant Bayesian Network (BN), encoded in AutomationML, to facilitate quantitative computation of attack/exposure/impact probabilities and composite risk metrics.
The workflow is illustrated in (Figure 1).
Figure 1: ASTRAL’s workflow: multimodal architectural reconstruction, security modeling, and probabilistic risk analysis.
Technical Approach
Multimodal Architectural Reconstruction
ASTRAL uses LLMs capable of processing both visual (e.g., DFD images) and textual artefacts to curate a normalized architectural narration. Domain-specific ontologies, structural analogy to reference architectures (e.g., Purdue Model), and context-specific semantic guardrails ensure only plausible component/zone/mapping inference. The process is tightly controlled using prompt chaining with low temperature, high top_p, persona-specific prompts (e.g., solution architect vs cybersecurity expert), and explicit schema enforcement aligned to IEC 62714/AutomationML.
The prototype’s interface and intermediate artefact augmentation process are shown in (Figure 2).

Figure 2: Prototype implementation of ASTRAL, reconstructing architecture from incomplete artefacts (ex: DFD).
Structured Threat and Attack Modelling
The reconstructed architecture feeds a security modeling phase, where LLMs are prompted to generate threat scenarios in machine-readable formats (e.g., structured JSON mapping to STRIDE-LM categories), enumerate attack paths, and identify architectural ambiguities needing refinement. The process is iterative and maintains alignment to both operational semantics (e.g., zones, protocols, assets) and adversarial reasoning (e.g., objective-oriented attack trees, causal dependencies, FMECA-style hazard analysis).
Probabilistic Bayesian Risk Analysis
Downstream, ASTRAL constructs and parameterizes a BN using incremental, schema-constrained prompt chaining, mapping architectural elements, vulnerabilities, and hazards to nodes and edges. Probability assignments are derived via calibrated CVSS/EPSS metrics with attack feasibility modifiers, accommodating system uncertainty and time-dependent exposure/failure logic. The analytic flow supports VE-based inference for posterior estimates on successful attack, severe impact, risk scores, and expected availability. Full AutomationML compatibility ensures semantic and syntactic interoperability.
Continuous Feedback and Refinement
ASTRAL supports real-time, cyclical refinement of architecture and risk models via practitioner feedback, integration of supplementary artefacts (configurations, live data), and interactive prompt-based updates. This closed feedback loop addresses evolving threat intelligence, operational state, and controls deployment.
Empirical Validation
Case Studies
ASTRAL was validated on several prominent CPS types:
- Industrial Heating (FrostyGoop): Quantitative risk (21.12%), low availability (25.04%) post-exposure, with documented risk propagation along unreported, LLM-reconstructed trust boundaries.
- Medical CPS: High risk (39.15%) and critically low availability (14.01%)—structural uncertainty in the underlying schematic emphasizes the advantage of multimodal inference in revealing latent zones and attack surfaces.
- Solar PV Inverter Networks: Low composite risk (4.95%), higher robustness (38.65% availability), highlighting the containment granted by loosely coupled, LLM-clarified field-to-SCADA segmentation.
Across all cases, the ability to reconstruct critical security perimeters, operational boundaries, and overlooked interfaces was demonstrated, and the framework generalized to diverse, real-world artefact incompleteness.
Ablation Study
A systematic ablation analysis disabling multimodality, guardrails, and parameter perturbations (temperature, top_p) was performed:
- Text-only: Substantial reduction in valid trust boundary identification (−23.5% to −43.1%), with resultant impaired attack path mapping.
- No guardrails: Generated outputs with degraded structural integrity and ungrounded attack models.
- Parameter shifts: Controlled stochasticity (higher temperature/top_p) improved boundary recovery in abstract schematics but not in explicit topology (BN graphs).
The pipeline demonstrates robustness against topological errors, with guardrails as the primary mechanism for maintaining output fidelity.
Practitioner Evaluation
A study with 14 expert practitioners (including CISOs) yielded high ratings for usefulness (4.64/5), ease of use (4.29), and professional acceptability. Trustworthiness was rated lowest, highlighting the need for greater transparency, explainability, and customizable, human-in-the-loop refinements. Participants emphasized the tool’s operational value, efficiency gains, and the quality of architecture-driven, actionable insights. Limitations noted include output non-determinism, occasional hallucinations, and performance concerns in complex scenarios—issues predominantly linked to LLM inference characteristics.
Implications and Future Directions
Practical and Theoretical Implications
ASTRAL underlines the feasibility and value of integrating multimodal LLMs for reliable architectural reconstruction and quantitative risk modeling under documentation uncertainty. The approach provides an adaptive, configurable workflow that bridges the gap between security engineering theory (structured architectural analysis, BN-based risk quantification) and operational practice (efficient, automated, actionable assessments).
Theoretical implications include evidence that prompt chaining with ontologically rigorous, multimodal LLM reasoning can mitigate the absence of ground truth architecture in legacy and evolving CPS contexts, thereby enabling more rigorous subsequent security analysis.
Recommendations for Future Development
- Explainability Enhancements: Incorporate transparency modules that link reconstructed architectural features and risk metrics to source artefacts.
- Integration with Live/Operational Data: Broader support for ingesting real-time inventories, telemetry, and external threat intelligence as input augmentations.
- Advanced Visualization and Feedback Control: Enable direct mapping of threats and risk scores onto architectural diagrams and support iterative, guided feedback for model recalibration.
- Automated Benchmarking and Comparative Studies: Systematic comparison with established industry tools (e.g., Microsoft Threat Modeling Tool, OWASP Threat Dragon) using standardized completeness/accuracy metrics.
Conclusion
ASTRAL marks a significant technical advance toward architecture-centric, LLM-driven CPS security assessment. By fusing multimodal artefact reasoning, schema-guided prompt chaining, and quantitative probabilistic modeling, the pipeline reliably fills critical gaps left by incomplete system documentation. Empirical analysis demonstrates improvements in architectural reconstruction fidelity, practitioner-aligned analytic output, and risk assessment agility. The design’s generalisability positions it as an extensible foundation for next-generation secure-by-design CPS engineering and adaptive cyber risk management.
Figure 1: ASTRAL’s workflow: multimodal architectural reconstruction, security modeling, and probabilistic risk analysis.
Figure 2: Prototype implementation of ASTRAL, reconstructing architecture from incomplete artefacts (ex: DFD).