Primary supervisor
Mengmeng Ge
In today's digital landscape, cyberattacks are increasingly impacting organisations by disrupting critical services and compromising sensitive data. As these attacks grow in volume and complexity, security teams are increasingly challenged to safeguard sensitive data and maintain operational continuity. Manual security assessment often leads to inconsistent and delayed results, high operational costs, and a larger window of opportunity for potential attackers. To effectively mitigate these risks, there is a pressing need for automated security assessment.
Graphical security models (GSMs), such as attack graphs and attack trees, are widely used for assessing system and network security. These models provide intuitive and systematic ways to evaluate security vulnerabilities in system and network configurations and assess the effectiveness of defence mechanisms. However, they have proven inefficient at coping with dynamic changes and the ever-increasing scale of software and network environments. In addition, the generation of GSMs is often not fully automated, primarily because existing vulnerability assessment approaches automatically extract only partial vulnerability information. This necessitates the involvement of security experts, who need to manually provide the other required inputs, such as user-defined exploit conditions (i.e., the prerequisites and consequences of exploiting software vulnerabilities).
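As an added illustration (not code from this project), the sketch below shows how exploit conditions (prerequisites and consequences) drive attack-graph generation and how the assessment is re-run after a patch. The hosts, condition strings and VULN-* labels are constructed, and it assumes that a condition, once gained, is never lost.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exploit:
    """One vulnerability with user-defined exploit conditions."""
    vuln: str        # constructed label, not a real CVE identifier
    pre: frozenset   # conditions that must hold before exploitation
    post: frozenset  # conditions gained as a consequence

# Constructed network: conditions are "privilege@host" or "net:src->dst".
EXPLOITS = [
    Exploit("VULN-A", frozenset({"user@internet", "net:internet->web"}),
            frozenset({"user@web"})),
    Exploit("VULN-B", frozenset({"user@web"}), frozenset({"root@web"})),
    Exploit("VULN-C", frozenset({"root@web", "net:web->db"}),
            frozenset({"root@db"})),
    Exploit("VULN-D", frozenset({"user@web", "net:web->db"}),
            frozenset({"user@db"})),
]
INITIAL = frozenset({"user@internet", "net:internet->web", "net:web->db"})

def build_attack_graph(exploits, initial):
    """Forward-chain to a fixpoint; return (reached conditions, edges)."""
    reached, edges, fired = set(initial), [], set()
    changed = True
    while changed:
        changed = False
        for e in exploits:
            # An exploit node is added once all its prerequisites are reached.
            if e.vuln not in fired and e.pre <= reached:
                fired.add(e.vuln)
                edges += [(p, e.vuln) for p in sorted(e.pre)]
                edges += [(e.vuln, q) for q in sorted(e.post)]
                reached |= e.post
                changed = True
    return reached, edges

def goal_reachable(exploits, initial, goal, patched=()):
    """Re-assess after a change: drop patched vulnerabilities and rebuild."""
    remaining = [e for e in exploits if e.vuln not in patched]
    reached, _ = build_attack_graph(remaining, initial)
    return goal in reached

def single_patch_fixes(exploits, initial, goal):
    """Vulnerabilities whose patching alone makes the goal unreachable."""
    return sorted(e.vuln for e in exploits
                  if not goal_reachable(exploits, initial, goal, {e.vuln}))

if __name__ == "__main__":
    print(single_patch_fixes(EXPLOITS, INITIAL, "root@db"))
```

Rebuilding from scratch on every change, as `goal_reachable` does here, is the step that becomes costly on large, dynamic networks.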
Aim/outline
This project aims to explore the design and development of an automated security assessment model based on software security intelligence and evaluation-based graphical security modelling techniques. The key objectives are to automate the construction and update of the security assessment model and to implement scalable approaches for assessing the security of complex networks.
Required knowledge
- Excellent Python programming skills.
- Some interest in, and basic knowledge of, cybersecurity and/or machine learning.