By Yassine El Hadi, Red Alert Labs, Ilias Kalouptsoglou and Pavlina Nikolakoudi, ITI-CERTH
Cybersecurity certification has long been one of the most difficult challenges in the IoT ecosystem. As connected systems become more complex, manufacturers and integrators are expected to comply with an expanding landscape of cybersecurity standards, regulatory frameworks, and security assurance requirements. Yet the certification process itself often remains highly manual and static, and is frequently performed late in the lifecycle.
The DOSS Architecture Security Validator (ASV) Platform automates and streamlines the security validation of IoT architectures. Rather than treating compliance as a late-stage audit activity, the ASV introduces continuous and semi-automated validation directly into the design phase.
At its core, the platform addresses a critical problem: cybersecurity standards are written for humans, not machines. Security requirements are buried inside lengthy PDF documents, technical guidelines, and certification procedures that require extensive interpretation by experts. Identifying those requirements and translating them into measurable and testable controls is time-consuming and difficult to scale. Moreover, traditional certification workflows are fragmented; testing is performed in isolation and results are difficult to trace back to requirements.
This leads to delays, inconsistencies, and increased costs. ASV addresses this by introducing machine-readable standards, requirement checklists, semi-automated validation methodologies, and traceable, auditable security compliance assessment results.
The three modules of the ASV Platform
The architecture is built around three tightly integrated modules: the Digital Transformation Module (DTM), the Automated Assessment Module (AAM), and the CyberPass collaboration platform.
Together, they create a complete workflow capable of transforming raw standards into structured security requirements, evaluating system compliance, and coordinating human expert validation where automation alone is insufficient. The high-level overview of this process is shown in Figure 1.

Figure 1: High-level overview of the Architecture Security Validation Process
Each module addresses a different stage of the cybersecurity validation lifecycle, creating a scalable and traceable ecosystem for continuous compliance assessment.
DTM – transforming security standards with AI
The first major innovation lies in the Digital Transformation Module. Instead of manually interpreting security standards, the DTM uses Large Language Models (LLMs) adapted specifically for security requirement extraction and classification. The system analyses sections of cybersecurity standards, identifies security-related requirements, and converts them into structured machine-readable artefacts.
To achieve this, the DTM combines two interconnected services. A PDF Standard Analyzer processes uploaded standards, extracts relevant chapters, and divides the content into manageable text chunks. These chunks are then forwarded to the Standard Transformation Module (STM), which applies AI-driven analysis to identify and classify security requirements.
What makes this particularly powerful is the modularity of the process. The platform does not simply perform keyword extraction. It preserves document structure, associates requirements with security categories such as integrity or authenticity, and prepares outputs that can directly feed downstream validation activities.
Long sections are intelligently segmented without losing semantic coherence, allowing the AI models to process highly technical security language more effectively.
AAM – from requirements to measurable compliance
Once the requirements have been extracted, the workflow moves into the Automated Assessment Module.
The AAM was designed to answer a simple question: how well does a system actually satisfy its security requirements?
The automated validation process is tightly connected with the DOSS Digital Cybersecurity Twin (DCT). The DCT executes security tests against the evaluated IoT architecture and produces technical evidence and validation results associated with specific security requirements. These automated results are then consumed by the Automated Assessment Module (AAM), allowing the platform to determine which requirements can be validated fully automatically, which can be validated partially automatically, and which require additional expert review.
Instead of relying solely on binary pass-or-fail assessments, the platform introduces a more nuanced evaluation methodology based on fuzzy logic. Security experts and automated testing systems can express compliance levels using linguistic evaluations such as “Very Low,” “Medium,” or “Very High.” These assessments are transformed into fuzzy numerical representations that capture uncertainty and subjective judgement more realistically than rigid scoring models.
This approach becomes especially valuable in complex IoT environments, where not every security requirement can be validated automatically. Some controls depend on architectural decisions, operational context, or supporting evidence that still require expert interpretation.
By combining automated evidence with expert input, the platform produces a quantified adherence score that reflects the actual security posture of the evaluated architecture.
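The scoring idea described above, as an added example that is not the ASV's own code: linguistic ratings are mapped to triangular fuzzy numbers, averaged, and defuzzified into an adherence score, while requirements with no rating yet are listed for expert review. The five-term scale, its triangle values, the averaging rule, the centroid defuzzification and the requirement records are assumptions, since the article does not give the platform's formulas or data model.

```python
# Added illustration: linguistic ratings -> triangular fuzzy numbers -> score.
# Assumed scale: each term is a (low, mode, high) triangle on [0, 1].
SCALE = {
    "Very Low":  (0.00, 0.00, 0.25),
    "Low":       (0.00, 0.25, 0.50),
    "Medium":    (0.25, 0.50, 0.75),
    "High":      (0.50, 0.75, 1.00),
    "Very High": (0.75, 1.00, 1.00),
}

# Constructed sample: one requirement per validation path named in the article.
SAMPLE = [
    {"id": "REQ-1", "automated": "Very High", "expert": None},  # fully automatic
    {"id": "REQ-2", "automated": "Medium", "expert": "High"},   # partial + expert
    {"id": "REQ-3", "automated": None, "expert": None},         # needs review
]

def aggregate(ratings):
    """Component-wise mean of the triangles for several linguistic ratings."""
    tris = [SCALE[r] for r in ratings]  # KeyError on a term outside the scale
    return tuple(sum(t[i] for t in tris) / len(tris) for i in range(3))

def defuzzify(tri):
    """Centroid of a triangular fuzzy number: (low + mode + high) / 3."""
    return sum(tri) / 3

def assess(requirements):
    """Return (adherence score in [0, 1] or None, ids awaiting expert review)."""
    pending, crisp = [], []
    for req in requirements:
        ratings = [r for r in (req.get("automated"), req.get("expert")) if r]
        if not ratings:
            # No automated evidence and no expert verdict: hold out of the score.
            pending.append(req["id"])
            continue
        crisp.append(defuzzify(aggregate(ratings)))
    score = sum(crisp) / len(crisp) if crisp else None
    return score, pending

if __name__ == "__main__":
    score, pending = assess(SAMPLE)
    print(f"adherence={score:.3f} pending={pending}")
```

Excluding unrated requirements from the score and reporting them separately keeps an unreviewed control from silently counting as either a pass or a fail.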
CyberPass – human-driven evaluation
Although automation plays a major role in the ASV ecosystem, the platform was intentionally designed to keep human expertise in the loop.
CyberPass acts as the collaborative layer of the ASV ecosystem, orchestrating interactions between integrators and security experts. Whenever the automated assessment process encounters inconclusive results or requirements that cannot be fully validated through automated testing, the workflow is redirected into CyberPass for manual evaluation.
Through the CyberPass platform, system owners receive notifications, upload evidence, answer structured questionnaires, and provide technical justification for unresolved requirements. Security experts can then review the submissions, validate the evidence, and issue final conformity decisions.
All activities are traceable, auditable, and integrated directly into the overall compliance scoring workflow.
This human-centered validation model is one of the platform’s strongest features. Rather than replacing experts, the ASV augments their work by automating repetitive tasks while preserving expert judgement where it matters most.
A Modern Microservices Architecture
Technically, the ASV platform embraces a modern microservices architecture. The modules communicate through REST APIs, rely on FastAPI-based services, and use MongoDB for structured data storage. This modular design allows each component to evolve independently while remaining tightly integrated within the broader validation workflow.
The architecture supports scalability, interoperability, and future integration with additional cybersecurity tools and testing frameworks.
This design philosophy reflects a broader shift in cybersecurity engineering toward flexible, API-driven ecosystems capable of supporting continuous assurance workflows rather than static one-time audits.
Example Workflow: From Standard to Security Validation
To better illustrate the workflow, consider an IoT manufacturer, an operator, or a buyer of an IoT system preparing a product for cybersecurity certification. They can upload a cybersecurity standard in PDF form into the ASV platform. The Digital Transformation Module (DTM) automatically extracts and structures the security requirements, which are then evaluated through the Automated Assessment Module (AAM) using evidence generated by the Digital Cybersecurity Twin (DCT).
Requirements that cannot be fully validated automatically by the DCT are redirected to CyberPass, where experts review evidence and finalize the assessment. The manual assessment is integrated into the AAM for the computation of the final compliance score. The platform then produces a unified and traceable cybersecurity compliance evaluation.
Beyond Compliance Checklists
What emerges from the DOSS Architecture Security Validator is far more than a compliance dashboard. The platform represents an attempt to modernize cybersecurity certification itself by combining AI-driven standard interpretation, automated evidence analysis, and expert-guided assessment.
The implications extend well beyond IoT certification. Industries such as automotive, industrial automation, and critical infrastructure increasingly require scalable ways to validate cybersecurity posture across interconnected systems and supply chains. The DOSS approach demonstrates how automation and human expertise can coexist within a unified assurance framework.
As cybersecurity regulations continue to evolve worldwide, platforms like the DOSS Architecture Security Validator may become essential infrastructure for the future of secure-by-design certification, enabling organizations not only to build secure systems, but also to continuously prove it.
You can find out more about the Architecture Security Validator Platform in the DOSS Deliverable D5.2.
