
An Agentic Multi-Agent Architecture for Cybersecurity Risk Management

arXiv Security · Archived Mar 23, 2026

arXiv:2603.20131v1 Announce Type: cross


Electrical Engineering and Systems Science > Systems and Control

[Submitted on 20 Mar 2026]

Authors: Ravish Gupta (1), Saket Kumar (2), Shreeya Sharma (3), Maulik Dang (4), Abhishek Aggarwal (4)
Affiliations: (1) BigCommerce; (2) University at Buffalo, The State University of New York, Buffalo, NY, USA; (3) Microsoft; (4) Amazon

Abstract: Getting a real cybersecurity risk assessment for a small organization is expensive -- a NIST CSF-aligned engagement runs $15,000 on the low end, takes weeks, and depends on practitioners who are genuinely scarce. Most small companies skip it entirely. We built a six-agent AI system where each agent handles one analytical stage: profiling the organization, mapping assets, analyzing threats, evaluating controls, scoring risks, and generating recommendations. Agents share a persistent context that grows as the assessment proceeds, so later agents build on what earlier ones concluded -- the mechanism that distinguishes this from standard sequential agent pipelines.

We tested it on a 15-person HIPAA-covered healthcare company and compared outputs to independent assessments by three CISSP practitioners -- the system agreed with them 85% of the time on severity classifications, covered 92% of identified risks, and finished in under 15 minutes. We then ran 30 repeated single-agent assessments across five synthetic but sector-realistic organizational profiles in healthcare, fintech, manufacturing, retail, and SaaS, comparing a general-purpose Mistral-7B against a domain fine-tuned model. Both completed every run. The fine-tuned model flagged threats the baseline could not see at all: PHI exposure in healthcare, OT/IIoT vulnerabilities in manufacturing, platform-specific risks in retail. The full multi-agent pipeline, however, failed every one of 30 attempts on a Tesla T4 with its 4,096-token default context window -- context capacity, not model quality, turned out to be the binding constraint.

Comments: 15 pages, 1 figure, 2 tables. Submitted to AICTC 2026 (Springer LNCS)
Subjects: Systems and Control (eess.SY); Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR)
ACM classes: I.2.11; K.6.5
Cite as: arXiv:2603.20131 [eess.SY] (or arXiv:2603.20131v1 [eess.SY] for this version)
DOI: https://doi.org/10.48550/arXiv.2603.20131
Submission history: From: Ravish Gupta. [v1] Fri, 20 Mar 2026 17:00:05 UTC (27 KB)

Article Info
Source: arXiv Security
Category: AI & Machine Learning
Published: Mar 23, 2026
Archived: Mar 23, 2026