Reinforcement learning (RL)-based network attack agents suffer from opaque decision-making, undermining the credibility of red-team simulations and hindering effective defensive response. Method: We propose the first environment- and agent-agnostic, non-post-hoc, two-layer explainable framework for RL-based cyber-attack agents. At the strategic level, we model evolving attack objectives using Partially Observable Markov Decision Processes (POMDPs). At the tactical level, we integrate temporal Q-value trajectory analysis with Prioritized Experience Replay (PER)-driven identification of critical learning points to pinpoint policy shifts and phase transitions. Contribution/Results: Evaluated on the multi-scale CyberBattleSim platform, our framework enables scalable behavioral attribution, supports attack strategy defect localization, and facilitates red-team exercise validation. It achieves 3.2× higher explanation coverage than state-of-the-art XRL baselines, significantly enhancing prediction, analysis, and response capabilities against autonomous cyber threats.

Reinforcement Learning (RL) agents are increasingly used to simulate sophisticated cyberattacks, but their decision-making processes remain opaque, hindering trust, debugging, and defensive preparedness. In high-stakes cybersecurity contexts, explainability is essential for understanding how adversarial strategies are formed and evolve over time. In this paper, we propose a unified, multi-layer explainability framework for RL-based attacker agents that reveals both strategic (MDP-level) and tactical (policy-level) reasoning. At the MDP level, we model cyberattacks as a Partially Observable Markov Decision Processes (POMDPs) to expose exploration-exploitation dynamics and phase-aware behavioural shifts. At the policy level, we analyse the temporal evolution of Q-values and use Prioritised Experience Replay (PER) to surface critical learning transitions and evolving action preferences. Evaluated across CyberBattleSim environments of increasing complexity, our framework offers interpretable insights into agent behaviour at scale. Unlike previous explainable RL methods, which are often post-hoc, domain-specific, or limited in depth, our approach is both agent- and environment-agnostic, supporting use cases ranging from red-team simulation to RL policy debugging. By transforming black-box learning into actionable behavioural intelligence, our framework enables both defenders and developers to better anticipate, analyse, and respond to autonomous cyber threats.