CyberAid strengthens European financial resilience by using agentic AI to autonomously orchestrate LLMs, eBPF monitoring, and quantum-resistant cryptography. The platform automates the full security lifecycle, ensuring 100% compliance with DORA and NIS2 mandates while empowering smaller institutions with enterprise-grade defense. This unified approach reduces threat detection times and bolsters EU technological sovereignty.
OBJECTIVE 1 (CYBERAID-BLUEPRINTS): REFERENCE ARCHITECTURE AND BLUEPRINTS FOR MULTI-ASPECT CYBER-SECURITY IN THE FINANCIAL SECTOR
Develop and deliver a standards-based cybersecurity reference architecture (RA) and accompanying reference blueprints tailored to the unique cybersecurity requirements and regulatory needs of financial organizations and their Critical Infrastructures. These blueprints will systematically address the full security lifecycle ranging from proactive defence (e.g., vulnerability management, threat prevention, cross-organization intelligence via federated learning and quantum encryption) to real-time monitoring (detection and analysis) and post-incident handling (response, recovery, and forensics).
At the heart of the project’s reference architecture will be the CyberAId-LLM middleware layer/engine, which will be a novel orchestration engine for cybersecurity functionalities that will be powered by a range of cybersecurity-focused LLM “agents.”
This CyberAId-LLM engine will infuse open-source SIEM, XDR solutions, and partner security tools with advanced contextual awareness and semantic understanding towards enabling the following advanced cybersecurity functionalities:
- Context-aware correlation of threat intelligence from multiple data sources, which will boost cyber-threat detection accuracy beyond traditional rule-based detection.
- Interpret and respond to alerts at scale using Natural Language Understanding (NLU) techniques towards significantly reducing manual analyst workload.
- Provide adaptive recommendations that reflect the specific operational and regulatory context of financial environments, ensuring compliance and maximizing risk reduction.
- Enable human-in-the-loop oversight through a user-friendly chat interface, allowing security analysts to guide and validate automated decisions.
The RA and resulting blueprints will be built around the CyberAId-LLM-based orchestration concept to facilitate the protection of critical financial CIs – including payment systems and trading platforms – in cloud, on-premises, and hybrid deployments. This includes explicit guidance on regulatory compliance (e.g., NIST, ISO 27000, DORA, GDPR, AI Act, PSD2, 4AML), third-party risk management, and secure integration of cutting-edge financial technologies. Moreover, they will establish best practices for preventing industry-critical threats such as payment fraud, credential theft, impersonation, insider breaches, and ransomware. Overall, the project’s RA and blueprints will provide future-ready security strategies for the cyber-resilience of financial CIs.
OBJECTIVE 2 (CYBERAID-PROACTIVE): PROACTIVE VULNERABILITY MANAGEMENT AND DATA PROTECTION.
Enable financial institutions to identify and mitigate vulnerabilities before exploitation by means of a proactive security (sub)system/platform, which will be orchestrated by AI/LLM agents that will be developed and validated in the project. This system (conveniently called CyberAId-PROACTIVE) will be a central component of the underlying CyberAId RA (see Objective 1 above) and will integrate advanced cybersecurity components, including:
- Automated vulnerability detection with advanced LLM-driven Cyber Threat Intelligence (CTI) feeds.
- Contextual prioritization via DIÓSCURI digital twin environments for risk-free vulnerability testing.
- A digital twin service for secure testing in a simulated, yet realistic mode, without impacting production. The service will be powered by UBI’s DIÓSCURI platform.
- Quantum-resistant cryptographic methods based on light particles safeguarding transactions against future quantum threats.
- Advanced vulnerability prioritization via a dedicated risk-based LLM agent with dynamic context awareness.
The above-listed five services/elements will be seamlessly orchestrated through an intelligent LLM layer/engine that will unify cybersecurity tools towards proactive vulnerability detection, adaptive response coordination, and optimized resource allocation.
OBJECTIVE 3 (CYBERAID – MONITOR): REAL-TIME MONITORING DETECTION AND RESPONSE
Implement and provide an advanced, multi-layered real-time monitoring and detection framework designed to safeguard financial CIs. CyberAId-MONITOR will integrate cutting-edge technologies, including network-level monitoring through Wazuh [Stanković22], enhanced by eBPF technology for granular visibility into system and application behaviours [Vieira20]. At the operational level, continuous monitoring of system calls will rapidly identify and alert on abnormal behaviours across financial platforms. The system will further extend its capabilities based on in-depth analyses of communication logs, emails, and, critically, financial transactions, effectively identifying potential fraud, insider threats, or advanced persistent threats (APTs).
AI-driven anomaly detection, leveraging OpenSearch Anomaly Detection integrated seamlessly with existing SIEM solutions, will be used to provide predictive capabilities tailored specifically to financial-sector operational patterns. This sophisticated and integrated approach will ensure rapid detection and response in order to significantly enhance threat awareness and operational resilience across all different cyber-assets of financial digital infrastructure. CyberAId-MONITOR will continuously inform the project’s LLM orchestration layer, which will prioritize incident response actions and will promptly communicate recommended measures to security teams and relevant stakeholders.
OBJECTIVE 4 (CYBERAID – REPORT): VULNERABILITY MANAGEMENT AND INCIDENT REPORT
Leverage recent advances in AI technologies to accelerate the investigation, contextual analysis, and reporting of cybersecurity incidents towards robust vulnerability management tailored for financial CIs. The CyberAId-REPORT sub-system will support security teams (e.g., CSIRTs and CERTs of financial institutions) in rapidly collecting and preserving crucial forensic data, in order to efficiently determine the incident scope and potential impact, and to deploy targeted mitigation actions based on insights generated by a risk assessment engine established during the proactive phase.
Specifically, the OLISTIC risk assessment engine (developed by the project coordinator) will be used to support the operations of the CyberAId-REPORT sub-system. CyberAId-REPORT will ingest threat intelligence, while actively contributing to the broader cybersecurity community by updating global threat intelligence platforms, including STIX/TAXII feeds and vulnerability databases. The latter will enhance collective resilience against threats targeting financial institutions and financial CIs. In this case, the integrated LLM orchestration layer of the project will deliver actionable recommendations for vulnerability management in natural language.
It will prioritize remediation activities according to business impact, exploitability, and compliance with regulatory frameworks of the financial sector. All incident response activities will be conducted through a human-centred interface, which will be used to guide security professionals during critical incidents. In this direction, LLM-driven recommendations will be designed to augment but not replace human decision-making, preserving compliance, adaptability, and expert contextual judgment.
OBJECTIVE 5 (CYBERAID – PILOTS): VALIDATE AND EVALUATE CYBERAID SOLUTIONS IN REAL-LIFE MULTI-FACET USE
Validate and evaluate the CyberAId services and components in real-world cyber-resilience scenarios for financial CIs through realistic pilot deployments that demonstrate practical effectiveness, usability, and value. This objective aims to implement and test the integrated CyberAId solutions across diverse financial sub-sectors and relevant infrastructures, including banking, payment processing, asset management, and trading platforms, ensuring its capabilities meet the specific cybersecurity needs of different financial operations. The pilots will measure performance against defined KPIs, gather stakeholder feedback, and provide evidence of enhanced security resilience against sophisticated cyber threats targeting financial infrastructures.
Additionally, they will validate regulatory compliance capabilities, particularly with DORA, NIS2, CER, GDPR and AI Act requirements, while demonstrating the platform’s ability to integrate with existing financial security tools and technologies.
These real-world validations will identify potential improvements, confirm market readiness, and establish implementation best practices to facilitate wider adoption across the European financial sector.
OBJECTIVE 6 (CYBERAID – PLATFORM): INTEGRATED PLATFORM, LEARNING CENTER FOR CYBERSECURITY AND RESILIENCE IN FINANCIAL INDUSTRY
Develop and deliver an integrated cybersecurity platform that combines the PROACTIVE, MONITOR, and REPORT components/solutions of the CyberAId project towards providing a unified, scalable, and flexible solution. This integrated platform will enable security teams to implement coordinated, automated, intelligent, efficient, and effective responses to cybersecurity threats. In this direction, they will be supported by APIs facilitating seamless integration with existing financial security systems.
The interconnected modules will mutually enhance capabilities – for example, proactive vulnerability detection data feeding directly into monitoring and incident response processes – significantly improving threat response times and operational resilience. On top of this, CyberAId will build a Learning Center (LC) which will offer targeted educational resources, training courses, and knowledge catalogues to enhance cybersecurity awareness, capability, and compliance for both financial and cybersecurity stakeholders. The LC will specifically focus on cybersecurity best practices, regulatory compliance, and understanding the evolving financial-sector threat landscape.
It will also connect with external learning communities and resources to maximize the project’s impact and visibility.


