[2603.20131] An Agentic Multi-Agent Architecture for Cybersecurity Risk Management
Electrical Engineering and Systems Science > Systems and Control

arXiv:2603.20131 (eess)

[Submitted on 20 Mar 2026]

Title: An Agentic Multi-Agent Architecture for Cybersecurity Risk Management

Authors: Ravish Gupta (1), Saket Kumar (2), Shreeya Sharma (3), Maulik Dang (4), Abhishek Aggarwal (4) ((1) BigCommerce, (2) University at Buffalo, The State University of New York, Buffalo, NY, USA, (3) Microsoft, (4) Amazon)

Abstract: Getting a real cybersecurity risk assessment for a small organization is expensive -- a NIST CSF-aligned engagement runs $15,000 on the low end, takes weeks, and depends on practitioners who are genuinely scarce. Most small companies skip it entirely. We built a six-agent AI system where each agent handles one analytical stage: profiling the organization, mapping assets, analyzing threats, evaluating controls, scoring risks, and generating recommendations. Agents share a persistent context that grows as the assessment proceeds, so later agents build on what earlier ones concluded -- the mechanism that distinguishes this from standard sequential agent pipelines. We tested it on a 15-person HIPAA-covered healthcare company and compared outputs to independent assessments by three CISSP practitioners -- the system agreed with them 85% of the time on severity classifications, covered 92% of...