A well-known and documented issue in cybersecurity compliance is the difference in levels of abstraction and language between policymaking and implementing technical controls.
Moreover, cybersecurity compliance frameworks merely serve to acknowledge the presence, or the lack thereof, of security controls, not their effectiveness against real-world adversarial behavior. Conflating the presence of a control with its effectiveness carries a twofold consequence: (i) the assumption that certification and compliance predict security carries significant regulatory weight but remains empirically untested, and (ii) after full compliance is achieved, the residual threat landscape is never empirically measured, thus leaving compliant organizations exposed to unquantified risk.
The main objectives of this PhD are to explore innovative frameworks for bridging the gap between regulatory and engineering language, and to quantify both the threat coverage of security controls and the residual threat landscape. These objectives will be achieved through the use of agentic artificial intelligence, lifecycle graph modeling of attack surfaces, probabilistic coverage scoring techniques, and real-world validation.