SAC3S - Semi-Autonomous Cyber Command and Control System
SAC3S (Semi-Autonomous Cyber Command and Control System), also referred to as Tyr, was a research project focused on the SOC perspective in cyber defense: how a Security Operations Center can use model-based analysis, simulation, and AI support to detect and respond to attacks in complex ICT environments. A central feature of the project was an AI cyber battle between two opposing agents: an attacker agent developed by FOI and a defender agent developed at KTH, with the overall goal of preventing the attacker from reaching valuable hosts.
At the core of the project was a digital cyber twin of the defended environment. This digital twin was developed using the Meta Attack Language and consisted of system models, asset graphs, attack graphs, and agent- and time-based simulations that together represented the structure of the environment, possible attack paths, and the evolving interaction between attacker and defender. First and foremost, the digital twin was used as a training environment for the defender agent, developed in the SENTIENCE project, enabling repeated cyber attack simulations across varying attack vectors, starting points, system configurations, and reward settings.
In addition, the digital twin was used to illustrate the battle in real time and to communicate defense suggestions from the defender AI to a human analyst in the SOC. In this way, the project explored not only how two AI agents could battle each other, but also how the defender’s reasoning and suggested actions could be presented through a graph- and model-based interface to support human decision-making.