Patent-Backed AI Threat Simulation for Critical Infrastructure

Overview

Sirma developed a white-hat cyber threat simulation platform for Fortress Information Security, a company that safeguards critical infrastructure, energy utilities, government agencies, and their supply chains across the U.S. The platform uses real-time threat intelligence and enterprise-specific security data to simulate how attackers might navigate an organization’s network. By combining machine learning for vulnerability classification with a mathematical optimization engine, the system identifies risks and recommends cost-effective controls to neutralize them. Sirma’s algorithm for processing large-scale IP address blocks has earned a US patent.

Challenge

Modern enterprises face a vast and interconnected threat landscape. Security teams grapple with numerous vulnerabilities, evolving exploit techniques, and complex software supply chains across on-premise and cloud environments. Traditional risk assessment methods, such as periodic pentests and manual reviews, struggle to keep up with the rapidly changing attack surface.

Fortress Information Security needed a solution to aggregate diverse real-time data into a coherent risk model and simulate attack scenarios. The main challenges included processing vast internet-wide threat feeds quickly, classifying complex vulnerabilities from combinations of threat vectors rather than from individual CVEs, and translating the resulting risk into a remediation plan that reaches the target risk level with the fewest actions.

Project Scope

Sirma’s engagement covered the full lifecycle of the platform: from architecture through development and delivery. The team built real-time connectors for internet-wide threat feeds, CVE/NVD databases, and indicators of compromise, integrating them with enterprise penetration testing results, SBOM data, network topology maps, and asset classification schemas into a unified risk data model. On top of this foundation, Sirma developed an on-demand compromise simulation engine that models attack propagation through an enterprise network from any user-defined starting point. A supervised machine learning classifier scores the total vulnerability of n-dimensional threat vector combinations, while a convex linear programming optimization engine identifies the minimum set of controls required to meet the target risk objective.

Solution

The platform operates across three tightly integrated layers:

The data ingestion layer continuously gathers real-time threat intelligence and correlates CVE vulnerability data with SBOM inventories to identify exposed software dependencies. This is enhanced with enterprise context (network topology, asset classifications, and recent pentest findings), creating a dynamic model of the organization’s attack surface.

The simulation engine takes user-defined starting conditions, including a compromised asset, its subnetwork, and threat vectors. It utilizes graph-based traversal to identify attack paths, scoring them by exploitability and business impact. A supervised machine learning classifier, trained on historical data, assesses combinations of threat attributes to estimate total compound vulnerability, capturing interactions between co-occurring weaknesses that simpler models overlook.
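The graph traversal described above, as an added illustration that is not Fortress’s or Sirma’s code: assets are nodes, lateral-movement opportunities are directed edges carrying an exploitability probability, and the most likely attack path from a user-chosen compromised asset to every reachable asset is found with Dijkstra’s algorithm over the cost -log(p). Each reachable asset is then scored as path probability times its business impact. The topology, probabilities and impact weights are constructed sample values.

```python
"""Attack-path scoring over a small asset graph (added example, not platform code)."""
import heapq
import math

# Constructed sample topology: asset -> [(neighbour, exploitability probability)]
SAMPLE_EDGES = {
    "workstation-17": [("file-server", 0.6), ("jump-host", 0.35)],
    "file-server": [("hmi-gateway", 0.4), ("jump-host", 0.5)],
    "jump-host": [("scada-historian", 0.7)],
    "hmi-gateway": [("scada-historian", 0.9), ("plc-controller", 0.5)],
    "scada-historian": [("plc-controller", 0.8)],
    "plc-controller": [],
}

# Constructed business-impact weights on a 0-10 scale
SAMPLE_IMPACT = {
    "workstation-17": 1, "file-server": 4, "jump-host": 3,
    "hmi-gateway": 6, "scada-historian": 7, "plc-controller": 10,
}


def most_likely_paths(edges, start):
    """Return {asset: (probability, path)} for the most likely path from start.

    Multiplying probabilities along a path is equivalent to adding -log(p),
    so a shortest-path search over that cost finds the most likely path.
    """
    dist = {start: 0.0}          # accumulated -log(probability)
    path = {start: [start]}
    heap = [(0.0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue             # stale heap entry
        for nxt, p in edges.get(node, []):
            if not 0.0 < p <= 1.0:
                raise ValueError(f"exploitability for {node}->{nxt} must be in (0, 1]")
            new_cost = cost - math.log(p)
            if new_cost < dist.get(nxt, math.inf):
                dist[nxt] = new_cost
                path[nxt] = path[node] + [nxt]
                heapq.heappush(heap, (new_cost, nxt))
    return {n: (math.exp(-c), path[n]) for n, c in dist.items()}


def rank_targets(edges, impact, start):
    """Rank reachable assets by (path probability x business impact), highest first."""
    ranked = []
    for asset, (prob, route) in most_likely_paths(edges, start).items():
        if asset == start:
            continue
        ranked.append((round(prob * impact[asset], 4), asset, route))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, asset, route in rank_targets(SAMPLE_EDGES, SAMPLE_IMPACT, "workstation-17"):
        print(f"{score:6.3f}  {asset:16s}  {' -> '.join(route)}")
```

With the sample graph, the PLC controller is reached most plausibly through the jump host and historian rather than through the HMI gateway, which is the kind of compound path a per-CVE view does not expose.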

The optimization engine treats control selection as a convex optimization problem. Using the simulation’s risk exposure, it employs a linear programming solver to identify the smallest set of controls that meets the organization’s risk threshold, providing a mathematically proven optimal remediation instead of a heuristic approach.
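One way to write the control-selection problem the paragraph describes as a linear program, added here as an illustrative formulation rather than Sirma’s actual model: let $c_i$ be the cost of control $i$, $x_i \in [0,1]$ the degree to which it is applied, $e_j$ the simulated exposure of attack path $j$, $r_{ij} \ge 0$ the reduction in that exposure that control $i$ provides, and $\tau$ the organization’s risk threshold. Then

$$
\begin{aligned}
\min_{x} \quad & \sum_{i} c_i\, x_i \\
\text{s.t.} \quad & \sum_{i} r_{ij}\, x_i \;\ge\; e_j - \tau \qquad \text{for every attack path } j, \\
& 0 \le x_i \le 1 .
\end{aligned}
$$

The objective and every constraint are linear in $x$, so the feasible region is a convex polytope and any local optimum an interior-point solver returns is the global optimum. A control is "selected" when $x_i$ is driven to 1; a fractional $x_i$ signals that partial application (for example, deploying the control on a subset of hosts) would already satisfy the threshold. The symbols $c_i$, $x_i$, $e_j$, $r_{ij}$ and $\tau$ are assumptions introduced for this formulation.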

Sirma’s central technical contribution is an algorithm for processing large datasets of IP addresses. This patented technology evaluates the intersection, union, and membership of millions of CIDR-notation IP ranges efficiently and in real time, which allows global threat intelligence to be correlated continuously with the enterprise’s network topology.
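The set operations named above (intersection, union and membership over CIDR ranges), demonstrated with a generic sorted-interval approach as an added example; this is not the patented Sirma algorithm, whose details the case study does not disclose. Each CIDR block is converted to an integer interval, overlapping or adjacent intervals are merged once, and afterwards a union is a merge, an intersection is a linear sweep over two sorted lists, and a membership test is a binary search. The threat-feed and enterprise ranges are constructed sample values; the code assumes IPv4 input.

```python
"""Set operations over many CIDR ranges via sorted disjoint intervals (added example)."""
import bisect
import ipaddress


def _merge(spans):
    """Sort (first, last) integer intervals and merge any that overlap or touch."""
    merged = []
    for first, last in sorted(spans):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def to_intervals(cidrs):
    """Normalize CIDR strings (IPv4 assumed) into sorted, disjoint integer intervals."""
    spans = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {cidr}")
        spans.append((int(net.network_address), int(net.broadcast_address)))
    return _merge(spans)


def union(a, b):
    """Union of two normalized interval lists."""
    return _merge(a + b)


def intersection(a, b):
    """Intersection of two normalized interval lists by a single sweep."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        lo = max(a[i][0], b[j][0])
        hi = min(a[i][1], b[j][1])
        if lo <= hi:
            out.append((lo, hi))
        # advance whichever interval ends first
        if a[i][1] < b[j][1]:
            i += 1
        else:
            j += 1
    return out


def contains(intervals, address):
    """Membership test: binary search on interval starts, then check the end."""
    x = int(ipaddress.ip_address(address))
    starts = [s for s, _ in intervals]
    k = bisect.bisect_right(starts, x) - 1
    return k >= 0 and intervals[k][1] >= x


def to_cidrs(intervals):
    """Render normalized intervals back into a list of CIDR strings."""
    out = []
    for first, last in intervals:
        out.extend(str(n) for n in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return out


# Constructed sample data: ranges seen in a threat feed, and an enterprise's own blocks
THREAT_FEED = to_intervals(["10.0.0.0/24", "10.0.1.0/24", "192.168.5.0/28", "10.0.0.128/25"])
ENTERPRISE = to_intervals(["10.0.1.128/25", "192.168.0.0/16"])

if __name__ == "__main__":
    print("feed, normalized :", to_cidrs(THREAT_FEED))
    print("overlap w/ estate:", to_cidrs(intersection(THREAT_FEED, ENTERPRISE)))
    print("combined footprint:", to_cidrs(union(THREAT_FEED, ENTERPRISE)))
    print("10.0.1.7 in feed? ", contains(THREAT_FEED, "10.0.1.7"))
```

Normalization is the expensive step and happens once per feed refresh; after that every query is linear in the number of intervals or logarithmic for a single address, which is what keeps continuous correlation against large feeds tractable.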

Results

The platform delivered measurable outcomes across operational efficiency, risk visibility, and intellectual property:

  • Security teams can run on-demand compromise simulations at any time, eliminating dependence on infrequent manual pentest cycles;
  • The convex optimization engine reduces remediation workload to only the controls mathematically necessary to meet the risk objective, cutting through alert fatigue;
  • SBOM integration delivers end-to-end software supply chain visibility, enabling detection of vulnerable components across hardware, firmware, and software layers;
  • A single, unified risk model replaces siloed tooling, closing the blind spots between threat intelligence, asset management, and network visibility;
  • Sirma’s IP block handling algorithm was granted a US patent, delivering Fortress a defensible competitive advantage and a recognized technical innovation.

Technologies We Used

  • Machine Learning - supervised classifiers (SVM, Random Forest, Gradient Boosting); Python ML stack; PCA for dimensionality reduction;
  • Mathematical Optimization - linear programming (convex LP); CVXPY; SciPy optimize; interior-point solvers;
  • Threat Intelligence - real-time STIX/TAXII feed connectors; NVD/CVE API integration;
  • SBOM & Supply Chain - CycloneDX/SPDX SBOM parsers; vulnerability cross-reference engines;
  • Network Modeling - graph-based topology representation; attack path traversal algorithms;
  • IP Block Processing - patented CIDR range algorithm; scalable set operations on large address spaces;
  • Data Engineering - high-throughput ingestion pipelines; distributed data processing.

Sirma’s Partnership with the Client

Sirma’s partnership with Fortress Information Security focuses on advancing cybersecurity technology. Fortress contributes its expertise in critical infrastructure protection and supply chain risk, while Sirma offers strengths in AI design and algorithm development. This collaboration is a true co-innovation effort, with Sirma’s engineers working alongside Fortress’s cybersecurity specialists to address the practical challenges of securing critical infrastructure. The result is a platform that meets both organizations’ rigorous standards, earning a U.S. patent and supporting security teams protecting essential assets in the United States.
