- The paper introduces a novel framework mapping vulnerability events to a G/G/m-b queue, enabling inverse estimation of resource capacity via KL divergence minimization.
- It employs Gaussian Mixture Model segmentation to capture non-stationary, heavy-tailed attack dynamics, reconstructing time-varying workforce parameters.
- Validation on OSS and enterprise datasets shows accurate resource estimates, aligning workforce and throughput within 4-9% of independent administrative reports.
Queueing-Theoretic Estimation of Cybersecurity Resources from Vulnerability Dynamics
Introduction and Motivation
The paper "Organizational Security Resource Estimation via Vulnerability Queueing" (2604.10250) introduces a quantitative framework to infer an organization's cybersecurity resource allocation directly from vulnerability management timelines, using non-stationary queueing theory. In contrast to snapshot-based attack surface metrics, this approach models the temporal evolution and heavy-tailed, regime-shifting nature of vulnerability discovery and remediation. The central insight is the mapping of vulnerability events to a G/G/m−b queue, where backlog evolution reflects both threat exposure and defender resource dynamics. By solving an inverse identification problem via Kullback–Leibler divergence minimization between empirical and simulated queue-length distributions (QLDs), the method estimates effective workforce size and throughput with high fidelity, using only event log timestamps.
Queueing Framework for Attack Surface Dynamics
The attack surface is conceptualized as a discrete-time, capacity-constrained queue where vulnerabilities arrive and are serviced (i.e., patched or mitigated), subject to bounded defensive resources. The number of active unaddressed vulnerabilities at time t (N(t)) evolves as:
N(t+1)=[N(t)+V(t)−Nd​(t)]+
where V(t) is the number of new vulnerabilities and Nd​(t) the number of departures via defense (patching, mitigation, etc.). The G/G/m−b abstraction denotes general interarrival (IA) and service time (ST) distributions, m parallel servers (defenders/staff), and an overall throughput constraint b (jobs/time) (Figure 1).
Figure 1: Queueing representation of the attack surface, with arrival and service dictated by non-stationary processes and finite resource capacity.
Unlike classic queueing analyses, the central focus here is the inverse problem: using observed vulnerability discovery and mitigation timestamps to reconstruct the time-varying vector of latent resource parameters, namely the effective workforce (m) and aggregate throughput (t0).
Segmented Modeling of Non-Stationary Queues
Given that real-world vulnerability data is heterogeneous, bursty, and subject to regime shifts, the paper introduces a segmentation approach that fits a Gaussian Mixture Model (GMM) to the empirical QLD, extracting quasi-stationary intervals with distinct queueing parameters. The methodology proceeds in four principal stages:
- Trajectory Reconstruction: Build the empirical queue-length trajectory t1 from event timestamps.
- GMM Segmentation: Fit a univariate GMM to the QLD, identifying mixture components that correspond to distinct operational regimes (Figure 2).
- Parameter Inference per Segment: For each segment, simulate t2 queueing models with varying t3 and minimize KL divergence to the empirical QLD, thereby recovering segment-specific parameters.
- Distributional Validation: Compare the segmented, parametric model (and a bootstrap estimate) to the empirical and GMM-based QLDs to verify fidelity.


Figure 2: Queue-length evolution with segmentation cut points denoting quasi-stationary periods in the vulnerability workflow.
This segmentation enables fine-grained recovery of time-varying resource allocation, aligning queueing model outputs with observed operational shifts and directly uncovering bottlenecks or under-resourced periods.
Data Validation: Software Supply Chain and Enterprise Environments
Two large-scale empirical datasets were used for validation:
- ARVO (Open Source Software Supply Chain): Timestamps on vulnerability discovery and patching events from OSS-Fuzz-driven C/C++ projects.
- Enterprise IT Ticketing System: Multi-year organizational vulnerability ticket logs, including open/discovery/closure timestamps and administrative metadata.
Both exhibit considerable non-stationarity in IA and ST, as confirmed by moving-average analysis and multi-modal QLDs (Figure 3).

Figure 3: Moving-average interarrival (IA) and service times (ST) for ARVO, illustrating temporal non-stationarity.
Segmentation on ARVO typically resulted in 10 quasi-stationary regimes, each with unique heavy-tailed IA and ST distributions (Figure 4), while the enterprise dataset, with more regulated workflow, settled on three regimes. Log-logistic, generalized Pareto, and mixture models were particularly effective in capturing the IA and ST tails (Figure 5).


Figure 4: Best-fitting IA and ST models (log-logistic, generalized Pareto, etc.) for a quasi-stationary ARVO segment, reflecting heavy-tailed dynamics.


Figure 5: IA fits for Component 1 highlight the heavy-tailed nature of vulnerability arrivals in the ARVO dataset.
The segmentation-based queue model achieves exceptionally strong alignment between simulated, empirical, and GMM-modeled QLDs across datasets. In ARVO, a KL divergence of 0.1074 between the segmented t4 model and empirical QLDs was achieved—on par with nonparametric bootstrapping and closely trailing perfect GMM fits.
For the logistics enterprise, the model's estimates of workforce (t5) and aggregate capacity (t6) align within 4–5% for t7 and within 9% for t8, when matched against independently observed administrative reports. This agreement demonstrates the approach's utility in practical, high-volume operational environments, without the need for privileged access to organizational staffing records.
Implications and Future Prospects
Practical Implications:
This approach equips organizations with the ability to diagnose and forecast cybersecurity workforce needs, identify latent resource bottlenecks, and optimize defensive postures in response to changing attack rates or process changes, exclusively from event log data. The model naturally extends to settings where staff, automation, or patch throughput is highly dynamic.
Theoretical Advances:
The work advances the state-of-the-art in cyber risk modeling by integrating capacity-limited queueing with data-driven segmentation, directly linking event-level traces to actionable resource metrics. It challenges the adequacy of snapshot or stationary risk metrics and highlights the necessity of models that internalize heavy-tailed, bursty, and non-stationary behaviors in modern cyber-physical infrastructures.
Prospective Developments:
The authors outline several extensions, including: integrating real-time staffing recommendations, modeling attacker exploitation as an additional queueing process, and scaling to unified models that incorporate AI-driven defenders and attack automation. These directions are essential, as automated adversaries, increased workflow coupling, and AI-amplified threat vectors continue to erode classical assumptions of stationarity and capacity sufficiency in large security ecosystems.
Conclusion
This paper establishes a data-driven, non-stationary queueing-theoretic approach for modeling and reconstructing organizational security resources by capturing the granular temporal dynamics of vulnerability backlogs. By segmenting empirical queue-length trajectories and fitting segment-specific queueing models, precise, actionable estimates of workforce size and throughput are obtained, with validation in both software supply chain and enterprise IT environments. The approach not only achieves high prediction accuracy but also establishes a foundation for resource-aware cyber risk management in a landscape defined by volatility, automation, and adversarial adaptation.