Integration of Generative AI techniques into Cybersecurity Risk Assessment

In cybersecurity, the risk assessment process plays a key role in technology management, serving as the basis for the formulation of effective security strategies and ensuring compliance with key standards and regulations. However, this process requires substantial effort, resource allocation, and specialized expertise, posing a considerable challenge to organizations tasked with its implementation. While automation is an appealing goal, the expert-driven nature of risk assessment has long made it difficult to fully automate. In recent years, however, the rise of Artificial Intelligence (AI) has accelerated the advancement of Large Language Models (LLMs) which enabled the development of Agents capable of building autonomous solutions that may enhance the ability to detect threats and conduct comprehensive risk assessments. Therefore, this work proposes a modular agent-based architecture using LLMs for semi-autonomous cyber risk assessment, that is composed of four parts: a Context Retrieval component that uses Retrieval-Augmented-Generation (RAG), a Threat Evaluation module, a Risk Scoring evaluator, and a Judge reviewer responsible for validating results. An orchestrator coordinates the different assignments and supports feedback loops, enabling refinement when the judge detects low-quality results and closing the loop with human intervention where applicable. The evaluation is conducted using real-world incident datasets from the European Repository of Cyber Incidents (EuRepoC) and the Vocabulary for Event Recording and Incident Sharing (VERIS) database. The risk assessments provided in these datasets serve as ground truth for comparison with the system’s outputs.