SYNTHTM: Continuous, AI-Driven Threat Modeling for Software Supply Chain Risk Propagation

Authors

  • Saim Sajjad, Air University Islamabad
  • Hilmand Khan, Air University Islamabad
  • Adan Raza Masoom, Air University Islamabad
  • Riyan Rehman, Air University Islamabad

DOI:

https://doi.org/10.56313/jictas.v5i1.514

Keywords:

Software Supply Chain Security, Threat Modeling, Graph Neural Networks, Large Language Models, AI-Driven Security, Risk Propagation, CI/CD Security, SBOM

Abstract

The software supply chain has transformed into a highly dynamic sociotechnical system characterized by complex dependency graphs, build environments that resemble jellyfish, and autonomous agents of automation. In this setting, traditional threat analysis models such as STRIDE and PASTA not only show an inherent lack of scalability but also entail an epistemological inadequacy, because they depend on static system scopes and manual, enumerative modes of threat analysis. This paper proposes SYNTHTM (Synthetic Supply Chain Threat Modeling), an AI-native framework that approaches threat modeling as an end associative inference problem. SYNTHTM combines Graph Neural Networks (GNNs) and Large Language Models (LLMs) to build and reason about a dynamic Risk Propagation Graph drawn from software development lifecycle artifacts such as Software Bills of Materials (SBOMs), CI/CD data, and version information. Through transitive and probabilistic reasoning about risk flows across build, dependency, and execution environments, SYNTHTM identifies emerging attack paths, such as dependency confusion and "Living off the Land" (LoT/P) attacks, that are difficult to discover via static analysis. Empirical validation on a complex microservices-based system shows that SYNTHTM outperforms manual threat modeling by expert professionals in identifying architectural threats by 42% and achieves an 85% reduction


Published

2026-06-06

How to Cite

Sajjad, S., Khan, H., Masoom, A. R., & Rehman, R. (2026). SYNTHTM: Continuous, AI-Driven Threat Modeling for Software Supply Chain Risk Propagation. Journal of ICT Aplications and System, 5(1), 1-10. https://doi.org/10.56313/jictas.v5i1.514