Simulation-Powered Cybersecurity: Real-Time Risk Assessment via Non-Intrusive Security Twin


Abstract

Digital twin technology is emerging as the cornerstone of next-generation cybersecurity. A security twin is a graph-based model which acts as a dynamic inventory enriched with vulnerability intelligence and that can mirror complex ICT infrastructures to predict the behavior of threats without disrupting live production environments. However, maintaining high-fidelity synchronisation between the infrastructure and the twin remains a challenge, mainly when active scanning cannot be employed.

This paper introduces NotLine, a non-intrusive and fully automated platform that builds and updates a security twin through the continuous passive ingestion of multi-protocol network telemetry. NotLine leverages a distributed monitoring pipeline architecture to filter, normalize, and correlate heterogeneous traffic metadata in real-time. NotLine maps these data to the security twin.

The core innovation of NotLine lies in its integration of this live model with an AI-driven Monte Carlo simulation engine. The engine uses the security twin to generate the state transitions of a threat actor as determined by the access rights and information it has acquired. This enables the quantification of risk exposure probabilistically and enables prescriptive analytics and preemptive remediation.

We present a comprehensive evaluation of NotLine in a production environment and show that a hypoexponential mathematical model characterises the platform discovery pattern. According to this model, the platform maps the majority of assets within 48 hours, but a long-tail monitoring period is critical to capture all infrastructure components. These results confirm that NotLine provides a robust foundation for simulation-powered cybersecurity, bridging the gap between passive observation and proactive risk prediction.
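The abstract describes the simulation engine at a high level: a threat actor's state transitions over the security-twin graph are gated by the access rights and information it has already acquired, and repeated simulation yields a probabilistic exposure figure per asset. The following Python block is an added illustration of that idea and is not NotLine's code; the twin (`TWIN`), the per-asset loot (`LOOT`), the edge success probabilities and the asset names are all constructed for the example. Each edge is attempted at most once per run, and an edge whose required credential has not yet been acquired is deferred rather than consumed, so the run terminates at a fixpoint.

```python
import random

# Constructed toy security twin (not from the paper). Each edge is
# (target_asset, required_access_or_None, probability_the_step_succeeds).
TWIN = {
    "workstation": [("fileserver", "user_creds", 0.6), ("printer", None, 0.9)],
    "fileserver": [("db", "admin_creds", 0.3)],
    "printer": [],
    "db": [],
    "hsm": [],  # isolated: no edge leads here
}

# Constructed: access/information the actor acquires on compromising an asset.
LOOT = {
    "workstation": {"user_creds"},
    "fileserver": {"admin_creds"},
    "printer": set(),
    "db": set(),
    "hsm": set(),
}


def simulate_once(twin, loot, start, rng):
    """One Monte Carlo run: expand the actor's foothold until no transition
    is possible. Returns the set of compromised assets."""
    compromised = {start}
    acquired = set(loot[start])
    attempted = set()  # (src, dst) edges already tried in this run
    progress = True
    while progress:
        progress = False
        for node in list(compromised):
            for target, need, p in twin[node]:
                key = (node, target)
                if target in compromised or key in attempted:
                    continue
                if need is not None and need not in acquired:
                    continue  # deferred: revisited once the access is acquired
                attempted.add(key)
                if rng.random() < p:
                    compromised.add(target)
                    acquired |= loot[target]
                    progress = True
    return compromised


def exposure(twin, loot, start, asset, runs=10000, seed=1):
    """Estimate P(asset compromised | actor starts at `start`) over `runs`
    independent simulations. A fixed seed makes the estimate reproducible."""
    rng = random.Random(seed)
    hits = sum(asset in simulate_once(twin, loot, start, rng) for _ in range(runs))
    return hits / runs


if __name__ == "__main__":
    for asset in ("printer", "fileserver", "db", "hsm"):
        print(f"{asset:12s} exposure from workstation: {exposure(TWIN, LOOT, 'workstation', asset):.3f}")
```

With the constructed numbers the analytic values are 0.9 for the printer, 0.6 for the file server and 0.6 x 0.3 = 0.18 for the database, which the estimates approach as `runs` grows; removing `user_creds` from the workstation's loot drives the file-server and database exposure to zero, which is the kind of "what if this credential were not exposed" question the abstract's prescriptive analytics refer to.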
