From Frameworks to Action: Research Behind Bastazo's Mitigation Planning

Every security team we talk to describes the same problem. They've invested in visibility. They've completed their NIST CSF assessment. They know they have gaps. But when it comes time to decide what to actually fix, in what order, with what resources, they often don’t know where to begin.
That gap between governance and action is exactly what a new paper from the Bastazo team sets out to close.
The Problem With "Best Practices"
Cybersecurity frameworks like the NIST Cybersecurity Framework are genuinely useful. They give organizations a common language for measuring security maturity and a structured way to think about risk. But they're designed to describe what good looks like, not to tell you what to do in the next workcycle.
The result is a familiar frustration: a completed assessment, a long list of recommendations, and a security team left to prioritize, without a clear line of sight to the specific threats they actually face or the budget they have.
A Different Approach
The research introduces a framework that treats mitigation planning as what it actually is: a constrained decision problem under adversarial uncertainty.
Rather than generating generic recommendations, the system takes three inputs that reflect operational reality:
- Your organization's cybersecurity maturity: drawn from NIST CSF practice assessments, translated into concrete mitigation capability levels across the MITRE ATT&CK framework
- The adversaries most likely to target you: modeled from roughly 1,900 open-source threat intelligence reports, covering approximately 180 distinct adversary groups and their observed attack techniques
- Your budget: treated as a constraint, because it is
From those inputs, a deep reinforcement learning agent learns to select mitigation recommendations that maximize defensive impact against the specific threats relevant to your organization, not a global average threat model, and not overwhelming recommendations that assume unlimited resources.
Why Reinforcement Learning
The use of deep reinforcement learning here isn't novelty for its own sake. Defenders now face more threat intelligence, vulnerability data, and adversary behavior than any team can manually process at once. Because attacks unfold as chains of techniques, mitigation planning has to account for likely attack paths, not just isolated gaps. Reinforcement learning helps identify budget-aware defenses that are most likely to disrupt those paths.
The research trains the RL agent against a probabilistic model of adversary behavior learned from real attack observations, so the defender learns to disrupt attack chains. The result is a policy that, in testing, matched or outperformed a strong optimization baseline while producing mitigation sets that respect real budget constraints.
Explainable AI: Knowing Why
One of the most operationally important aspects of the framework is what happens after the model recommends a mitigation. Using advanced search techniques, the system reconstructs the specific attack paths that the recommended mitigations are designed to disrupt — linking each recommendation back to the adversary techniques it counters, the likelihood of those techniques being used, and the expected impact of the defense.
A security team that understands why a mitigation was recommended — which attacker, which technique, what path — can validate, prioritize, and communicate that decision far more effectively than one handed a ranked list with little reasoning attached.
What This Means for Bastazo
This research is a direct expression of how we think about the remediation problem. Security teams shouldn't have to choose between rigor and practicality. The right answer isn't the theoretically optimal mitigation, it's the best set of remediation actions your team can actually execute, against the threats that actually matter to your environment, this sprint.
That's what we're building. And we're glad to be building it alongside research partners who take the hard version of the problem seriously.
The full paper — Operationalizing Cybersecurity Governance for Mitigation Planning with Attack-Path Modeling and Reinforcement Learning — is available on arXiv.














