Table of Contents
Fetching ...

Full-Stack Knowledge Graph and LLM Framework for Post-Quantum Cyber Readiness

Rasmus Erlemann, Charles Colyer Morris, Sanjyot Sathe

TL;DR

This work presents a knowledge-graph–based framework to quantify enterprise post-quantum readiness by modeling cryptographic assets, dependencies, and risk propagation, and by attributing exposure across cryptographic domains via Shapley values. It integrates external asset discovery, KG design, and LLM-assisted validation (with HiL oversight) to produce explainable PQ risk metrics and a normalized PQRI score. The methodology supports scalable, continuous monitoring and prioritization of migrations through graph-based risk functionals and domain-level attributions, underpinned by exact-path and Katz-based exposure models. The approach bridges cryptographic telemetry with decision-relevant readiness metrics, enabling enterprise-wide PQ risk assessment and remediation prioritization in the context of evolving PQ standards. The practical impact lies in providing a principled, scalable, and auditable framework suitable for large organizations to track PQ migration progress and allocate resources effectively.

Abstract

The emergence of large-scale quantum computing threatens widely deployed public-key cryptographic systems, creating an urgent need for enterprise-level methods to assess post-quantum (PQ) readiness. While PQ standards are under development, organizations lack scalable and quantitative frameworks for measuring cryptographic exposure and prioritizing migration across complex infrastructures. This paper presents a knowledge graph based framework that models enterprise cryptographic assets, dependencies, and vulnerabilities to compute a unified PQ readiness score. Infrastructure components, cryptographic primitives, certificates, and services are represented as a heterogeneous graph, enabling explicit modeling of dependency-driven risk propagation. PQ exposure is quantified using graph-theoretic risk functionals and attributed across cryptographic domains via Shapley value decomposition. To support scalability and data quality, the framework integrates large language models with human-in-the-loop validation for asset classification and risk attribution. The resulting approach produces explainable, normalized readiness metrics that support continuous monitoring, comparative analysis, and remediation prioritization.

Full-Stack Knowledge Graph and LLM Framework for Post-Quantum Cyber Readiness

TL;DR

This work presents a knowledge-graph–based framework to quantify enterprise post-quantum readiness by modeling cryptographic assets, dependencies, and risk propagation, and by attributing exposure across cryptographic domains via Shapley values. It integrates external asset discovery, KG design, and LLM-assisted validation (with HiL oversight) to produce explainable PQ risk metrics and a normalized PQRI score. The methodology supports scalable, continuous monitoring and prioritization of migrations through graph-based risk functionals and domain-level attributions, underpinned by exact-path and Katz-based exposure models. The approach bridges cryptographic telemetry with decision-relevant readiness metrics, enabling enterprise-wide PQ risk assessment and remediation prioritization in the context of evolving PQ standards. The practical impact lies in providing a principled, scalable, and auditable framework suitable for large organizations to track PQ migration progress and allocate resources effectively.

Abstract

The emergence of large-scale quantum computing threatens widely deployed public-key cryptographic systems, creating an urgent need for enterprise-level methods to assess post-quantum (PQ) readiness. While PQ standards are under development, organizations lack scalable and quantitative frameworks for measuring cryptographic exposure and prioritizing migration across complex infrastructures. This paper presents a knowledge graph based framework that models enterprise cryptographic assets, dependencies, and vulnerabilities to compute a unified PQ readiness score. Infrastructure components, cryptographic primitives, certificates, and services are represented as a heterogeneous graph, enabling explicit modeling of dependency-driven risk propagation. PQ exposure is quantified using graph-theoretic risk functionals and attributed across cryptographic domains via Shapley value decomposition. To support scalability and data quality, the framework integrates large language models with human-in-the-loop validation for asset classification and risk attribution. The resulting approach produces explainable, normalized readiness metrics that support continuous monitoring, comparative analysis, and remediation prioritization.
Paper Structure (15 sections, 6 equations, 2 figures, 1 table)

This paper contains 15 sections, 6 equations, 2 figures, 1 table.

Figures (2)

  • Figure 1: External Asset Discovery System Architecture. The scanner framework orchestrates $18$ specialized Python modules across six primary risk categories. ThreadPoolExecutor enables parallel execution with configurable worker pools (50 concurrent workers for certificate extraction, 25 for vulnerability scanning). Real-time API integration retrieves threat intelligence from multiple authoritative sources including NIST NVD, CISA KEV, and EPSS. The ETL pipeline transforms scan results before MongoDB ingestion. Knowledge graph construction processes scanner outputs through GraphBuilderService with LLM-assisted validation.
  • Figure 2: Knowledge Graph Construction and LLM-Assisted Validation Architecture. The system integrates five functional layers: (1) Data Source Layer containing MongoDB Atlas collections for assets, certificates, cryptographic profiles, vulnerabilities, and network services; (2) Graph Building Layer orchestrating the GraphBuilderService, which creates typed nodes (ASSET, IP_NODE, CERT_NODE, CVE, RISK_CLUSTER) and relationships (USES, CONNECTS_TO, EXPOSES, DEPENDS_ON) with support from EdgeProbabilityCalculator, CrownJewelIdentifier, and ProtocolResistanceRegistry; (3) LLM Validation Layer deploying OllamaValidator for batch processing and ValidationWorker for queue management with automated approval thresholds and disagreement detection; (4) Validation Storage Layer maintaining three MongoDB collections (kg_validation_queue, kg_validation_cache, kg_review_queue) with bidirectional disagreement workflows (Workflow 5: rule $\neq$ LLM triggers review; Workflow 6: rule=remove, LLM=keep triggers review); and (5) API & Output Layer providing Flask endpoints for graph snapshots, validation settings, and review queue management with frontend visualization through filtered views by validation status, PQ heatmap, service mesh, and VPN chokepoint analysis. ValidationScheduler operates asynchronously with 30-second intervals to process pending validations. Auto-approve patterns expedite high-confidence edges (e.g., RESOLVES_TO edges with probability $>0.5$), while disagreement detection routes contested edges to human oversight. Specialized validation prompts are tailored to ten distinct relationship semantics, including USES edges (asset-certificate authentication), CONNECTS_TO edges (network connectivity plausibility), EXPOSES edges (vulnerability applicability), and DEPENDS_ON edges (cloud/VPN dependencies), with each prompt incorporating post-quantum awareness for cryptographic algorithm evaluation.