SPEAR: Security Posture Evaluation using AI Planner-Reasoning on Attack-Connectivity Hypergraphs

📅 2025-06-02

🤖 AI Summary
Current cybersecurity situational awareness approaches suffer from incomplete attack graph modeling, low interpretability of defensive strategies, and insufficient human–machine collaborative analysis capabilities. Method: This paper proposes a security situational assessment framework integrating AI planning and causal inference. It automatically compiles network configurations and vulnerabilities into PDDL planning models; constructs an attack connectivity hypergraph to represent attack paths under incomplete information; and incorporates formal causal reasoning to enable motive-driven, counterfactual “what-if” analysis. Contribution/Results: The framework generates semantically clear, formally verifiable hardening strategies with traceable impact attribution. Experiments demonstrate significant improvements in system administrators’ ability to systematically explore, compare, and explain defense alternatives—achieving both theoretical rigor and operational practicality.

📝 Abstract
Graph-based frameworks are often used in network hardening to help a cyber defender understand how a network can be attacked and how the best defenses can be deployed. However, incorporating network connectivity parameters in the attack graph, reasoning about the attack graph when we do not have access to complete information, providing system administrators with suggestions in an understandable format, and allowing them to do what-if analysis on various scenarios and attacker motives are still missing. We fill this gap by presenting SPEAR, a formal framework with tool support for security posture evaluation and analysis that keeps the human in the loop. SPEAR uses the causal formalism of AI planning to model vulnerabilities and configurations in a networked system. It automatically converts network configurations and vulnerability descriptions into planning models expressed in the Planning Domain Definition Language (PDDL). SPEAR identifies a set of diverse security hardening strategies that can be presented in a manner understandable to the domain expert. These allow the administrator to explore the network hardening solution space in a systematic fashion and help evaluate the impact of, and compare, the different solutions.
Problem

Research questions and friction points this paper is trying to address.

Modeling network vulnerabilities using AI planning and connectivity parameters
Providing understandable security hardening strategies for administrators
Enabling what-if analysis for diverse attack scenarios and motives
Innovation

Methods, ideas, or system contributions that make the work stand out.

AI planning models vulnerabilities in PDDL
Diverse hardening strategies for experts
Human-in-the-loop security posture evaluation