DeepXplain: XAI-Guided Autonomous Defense Against Multi-Stage APT Campaigns

📅 2026-03-22
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses the challenges posed by the stealthy nature and multi-stage evolution of Advanced Persistent Threats (APTs) by proposing the first autonomous defense framework that embeds explainable signals into reinforcement learning–based policy optimization. The approach integrates provenance graph neural networks, temporal stage estimation algorithms, and an evidence alignment mechanism to enable joint interpretability across structural, temporal, and strategic dimensions through confidence-aware reward shaping, thereby overcoming the limitations of conventional post-hoc explanations. Evaluated in real-world enterprise environments, the framework achieves a stage-weighted F1 score of 0.915 and a defense success rate of 89.6%, while delivering high explanation confidence (0.86), strong fidelity (0.79), and more compact explanations (0.31).

📝 Abstract
Advanced Persistent Threats (APTs) are stealthy, multi-stage attacks that require adaptive and timely defense. While deep reinforcement learning (DRL) enables autonomous cyber defense, its decisions are often opaque and difficult to trust in operational environments. This paper presents DeepXplain, an explainable DRL framework for stage-aware APT defense. Building on our prior DeepStage model, DeepXplain integrates provenance-based graph learning, temporal stage estimation, and a unified XAI pipeline that provides structural, temporal, and policy-level explanations. Unlike post-hoc methods, explanation signals are incorporated directly into policy optimization through evidence alignment and confidence-aware reward shaping. To the best of our knowledge, DeepXplain is the first framework to integrate explanation signals into reinforcement learning for APT defense. Experiments in a realistic enterprise testbed show improvements in stage-weighted F1-score (0.887 to 0.915) and success rate (84.7% to 89.6%), along with higher explanation confidence (0.86), improved fidelity (0.79), and more compact explanations (0.31). These results demonstrate enhanced effectiveness and trustworthiness of autonomous cyber defense.
Problem

Research questions and friction points this paper is trying to address.

Advanced Persistent Threats
Explainable AI
Autonomous Cyber Defense
Multi-Stage Attacks
Deep Reinforcement Learning
Innovation

Methods, ideas, or system contributions that make the work stand out.

Explainable AI (XAI)
Deep Reinforcement Learning
Multi-stage APT Defense
Provenance-based Graph Learning
Reward Shaping
Trung V. Phan
Assistant Professor, Claremont Colleges (Pitzer & Scripps)
biophysics, robophysics, condensed matter, cancer chemotherapy, machine learning
Thomas Bauschert
Chair of Communication Networks, Technische Universität Chemnitz, 09126 Chemnitz, Germany