Graph of Effort: Quantifying Risk of AI Usage for Vulnerability Assessment

Anket Mehra, Andreas Aßmuth, Malte Prieß

TL;DR

The paper tackles the challenge of quantifying AI-driven threats to vulnerability assessment and proposes Graph of Effort (GOE), an intrusion-kill-chain–based threat-modeling framework that expresses attacker effort required to exploit vulnerabilities via offensive AI. GOE defines per-step scores and overall exposure as $\text{GOE}(v) = \min_i \text{score}_{(i)}$, enabling a simple, explainable integration with CVSS v4.0 and potential prioritization of mitigations. Demonstrations on two CVEs show GOE can yield very different values (e.g., $\text{GOE}(\text{CVE-2025-1156}) = 0$ vs $\text{GOE}(\text{CVE-2024-30384}) = 3$), highlighting its utility in augmenting traditional risk metrics. The approach aims to guide analysts in prioritizing AI-countermeasure deployments, though it requires field validation and broader alignment with vulnerability-management workflows; future work includes empirical validation, extension to broader AI-threat modeling across all assets, and potential staffing adaptations to leverage AI expertise.

Abstract

With AI-based software becoming widely available, the risk of exploiting its capabilities, such as high automation and complex pattern recognition, could significantly increase. An AI used offensively to attack non-AI assets is referred to as offensive AI. Current research explores how offensive AI can be utilized and how its usage can be classified. Additionally, methods for threat modeling are being developed for AI-based assets within organizations. However, there are gaps that need to be addressed. Firstly, there is a need to quantify the factors contributing to the AI threat. Secondly, there is a requirement to create threat models that analyze the risk of being attacked by AI for vulnerability assessment across all assets of an organization. This is particularly crucial and challenging in cloud environments, where sophisticated infrastructure and access control landscapes are prevalent. The ability to quantify and further analyze the threat posed by offensive AI enables analysts to rank vulnerabilities and prioritize the implementation of proactive countermeasures. To address these gaps, this paper introduces the Graph of Effort, an intuitive, flexible, and effective threat modeling method for analyzing the effort required to use offensive AI for vulnerability exploitation by an adversary. While the threat model is functional and provides valuable support, its design choices need further empirical validation in future work.

Paper Structure

This paper contains 7 sections, 5 equations, 4 figures.

Figures (4)

  • Figure 1: Steps of the intrusion kill chain according to hutchins2011intelligence.
  • Figure 2: Visualization of the GOE to calculate the effort needed to use AI for an attack step in the intrusion kill chain according to hutchins2011intelligence.
  • Figure 3: Visualization of the GOE for the known vulnerability CVE-2025-1156 listed in the National Vulnerability Database (NVD), showing the effort needed to use AI in each step of the intrusion kill chain. Given the flexibility of GOE, step (4) of the kill chain is skipped in this case. The overall score is $\text{GOE}=0$, corresponding to a low effort for exploitation by AI.
  • Figure 4: Visualization of the GOE for the vulnerability CVE-2024-30384, showing the effort needed to use AI in each step of the intrusion kill chain. Given the flexibility of GOE, steps (2-4) of the kill chain are skipped in this case. The overall score is $\text{GOE}=3$, corresponding to a high effort for exploitation by AI and demonstrating that GOE can have values other than 0.
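As an added illustration (not code from the paper), a minimal Python implementation of the $\text{GOE}(v) = \min_i \text{score}_{(i)}$ rule over the seven kill-chain steps, with step skipping as in Figures 3 and 4 and a ranking that puts the lowest-effort (most AI-exposed) vulnerability first. The 0..3 score scale and the per-step scores for the two CVEs are assumptions, since the page gives only the overall values and which steps are skipped.

```python
"""Graph of Effort (GOE) scoring over the intrusion kill chain (added example)."""

# Intrusion kill chain steps (Hutchins et al., 2011), numbered 1-7 as in the figures.
KILL_CHAIN = {
    1: "reconnaissance", 2: "weaponization", 3: "delivery", 4: "exploitation",
    5: "installation", 6: "command and control", 7: "actions on objectives",
}
# Assumed scale (not defined on the page): 0 = low effort for an AI to perform
# the step, 3 = high effort; the page's two overall values are 0 and 3.
MIN_SCORE, MAX_SCORE = 0, 3


def goe(step_scores: dict[int, int]) -> tuple[int, int]:
    """Return (GOE(v), limiting step number) for one vulnerability.

    GOE(v) = min_i score_(i) over the scored steps; steps missing from
    step_scores are treated as skipped, which GOE allows.
    """
    if not step_scores:
        raise ValueError("score at least one kill-chain step")
    for step, score in step_scores.items():
        if step not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain step {step}")
        if not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"step {step}: score {score} outside {MIN_SCORE}..{MAX_SCORE}")
    # The cheapest step for an AI bounds the whole chain; ties resolve to the earliest step.
    limiting = min(sorted(step_scores), key=step_scores.__getitem__)
    return step_scores[limiting], limiting


def rank_by_ai_exposure(vulns: dict[str, dict[int, int]]) -> list[tuple[str, int, int]]:
    """Order vulnerabilities so the lowest GOE (least AI effort) comes first."""
    rows = [(cve, *goe(scores)) for cve, scores in vulns.items()]
    return sorted(rows, key=lambda r: (r[1], r[0]))


# Constructed per-step scores (the page gives only the overall GOE and the skipped
# steps): step 4 skipped for CVE-2025-1156, steps 2-4 skipped for CVE-2024-30384.
SAMPLE = {
    "CVE-2025-1156": {1: 1, 2: 0, 3: 2, 5: 1, 6: 2, 7: 1},
    "CVE-2024-30384": {1: 3, 5: 3, 6: 3, 7: 3},
}

if __name__ == "__main__":
    for cve, score, step in rank_by_ai_exposure(SAMPLE):
        print(f"{cve}: GOE={score}, limited by step {step} ({KILL_CHAIN[step]})")
```

The limiting step returned alongside the score is what makes the result explainable: it names the kill-chain step where an AI-countermeasure would raise the overall effort.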