SCyTAG: Scalable Cyber-Twin for Threat-Assessment Based on Attack Graphs

📅 2025-12-27
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing cybersecurity risk assessment methods suffer from a dichotomy: manual analysis relies heavily on expert knowledge and is infeasible for frequent execution, while automated approaches—such as attack graph– or threat simulation–based techniques—are hindered by the high overhead and poor scalability of conventional network twins. To address this, we propose an attack graph–guided paradigm for generating Minimal-Viable Network Twins (MV-NTs), automatically constructing lightweight, scenario-specific twin environments containing only mission-critical components derived from real-world Cyber Threat Intelligence (CTI) reports. Our method integrates attack graph modeling, topology reduction, CTI semantic parsing, and precise scenario mapping to enable accurate, efficient, and non-intrusive threat impact simulation. Evaluation on both real and synthetic enterprise networks demonstrates that MV-NT reduces component count by 85% and resource consumption by 50% compared to full-topology twins, without compromising attack simulation fidelity—achieving, for the first time, a closed-loop assessment pipeline from CTI to executable simulation.

📝 Abstract
Understanding the risks associated with an enterprise environment is the first step toward improving its security. Organizations employ various methods to assess and prioritize the risks identified in cyber threat intelligence (CTI) reports that may be relevant to their operations. Some methodologies rely heavily on manual analysis (which requires expertise and cannot be applied frequently), while others automate the assessment, using attack graphs (AGs) or threat emulators. Such emulators can be employed in conjunction with cyber twins to avoid disruptions in live production environments when evaluating the highlighted threats. Unfortunately, the use of cyber twins in organizational networks is limited due to their inability to scale. In this paper, we propose SCyTAG, a multi-step framework that generates the minimal viable cyber twin required to assess the impact of a given attack scenario. Given the organizational computer network specifications and an attack scenario extracted from a CTI report, SCyTAG generates an AG. Then, based on the AG, it automatically constructs a cyber twin comprising the network components necessary to emulate the attack scenario and assess the relevance and risks of the attack to the organization. We evaluate SCyTAG on both a real and fictitious organizational network. The results show that compared to the full topology, SCyTAG reduces the number of network components needed for emulation by up to 85% and halves the amount of required resources while preserving the fidelity of the emulated attack. SCyTAG serves as a cost-effective, scalable, and highly adaptable threat assessment solution, improving organizational cyber defense by bridging the gap between abstract CTI and practical scenario-driven testing.
Problem

Research questions and friction points this paper is trying to address.

Automates attack graph generation for cyber threat assessment
Creates minimal cyber twins to emulate specific attack scenarios
Reduces resource needs while maintaining emulation fidelity
Innovation

Methods, ideas, or system contributions that make the work stand out.

Generates minimal viable cyber twin for attack assessment
Automatically constructs cyber twin from attack graph
Reduces network components needed by up to 85%
Authors

David Tayouri
Ben-Gurion University of the Negev

Elad Duani
Ben-Gurion University of the Negev

Abed Showgan
Ben-Gurion University of the Negev

Ofir Manor
Fujitsu Research Europe

Ortal Lavi
Fujitsu Research Europe

Igor Podoski
Fujitsu Technology Solutions

Miro Ohana
Ben-Gurion University of the Negev

Yuval Elovici
Head of Cyber@BGU, Director of Telekom Innovation Laboratories at BGU, Ben Gurion University
Interests: Computer and Network Security; Cyber Security

Andres Murillo
Fujitsu Research Europe

Asaf Shabtai
Software and Information Systems Engineering, Telekom Innovation Labs, Ben Gurion University
Interests: Computer and network security; machine learning

Rami Puzis
Software and Information Systems Engineering Department, Ben-Gurion University of the Negev
Interests: complex networks; social networks; deep learning; cyber security; cyberbiosecurity