AI Summary
This work addresses the challenge of efficiently and accurately translating high-level security intents into deployable device-level policies in large heterogeneous networks, where topology-dependent reachability constraints and device-specific control capabilities make manual translation slow, error-prone and a recurring source of misconfigurations and delayed responses. To overcome these limitations, the authors propose an end-to-end automated framework that integrates network topology, device capabilities, and real-time cyber threat intelligence (CTI). By combining formal modeling, policy compilation, and constraint solving, the approach automatically refines abstract security intents into concrete filtering rules that respect the network's reachability and capability constraints. Experimental validation on real-world use cases demonstrates the system's ability to correctly generate both packet-filtering and web-filtering policies from actual CTI reports, supporting its practicality, correctness, and adaptability to emerging threats.
Abstract
Translating security intent into deployable network enforcement rules, and keeping those rules effective as cyber threats evolve, remains a largely manual process in most Security Operations Centers (SOCs). In large and heterogeneous networks, the task is further complicated by topology-dependent reachability constraints and device-specific security control capabilities, which make the process slow, error-prone, and a recurring source of misconfigurations. This paper presents RefinementEngine, an engine that automates the refinement of high-level security intents into low-level, deployment-ready configurations. Given a network topology, its devices and available security controls, together with high-level intents and Cyber Threat Intelligence (CTI) reports, RefinementEngine automatically generates settings that implement the desired intent, counter the reported threats, and can be deployed directly on the target security controls. The approach is validated through real-world use cases on packet-filtering and web-filtering policies derived from actual CTI reports, demonstrating its correctness, practical applicability, and adaptability to new data.
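The refinement problem the abstract describes, in deliberately small form: a high-level intent and a set of CTI indicators are turned into device-level rules, subject to two constraints the abstract names, topology reachability (the enforcing device must sit on the path the traffic actually takes) and device capability (an IP indicator needs a packet filter, a domain or URL needs a web filter). This is an added illustration, not RefinementEngine's code or the paper's algorithm: the topology, the devices and their capabilities, the indicators, and the rule syntax are all constructed for the example, and choosing the first capable device on a single shortest path is a simplification of whatever the real engine does.

```python
"""Toy intent refinement: pick an enforcement point and emit a device rule per
CTI indicator. Constructed illustration, not the paper's RefinementEngine; every
node, device, indicator and rule syntax below is invented for the example."""
from collections import deque
import ipaddress

# Constructed topology: adjacency list of network nodes (bidirectional links).
TOPOLOGY = {
    "lan": ["fw1"],
    "dmz": ["fw1"],
    "fw1": ["lan", "dmz", "proxy1"],
    "proxy1": ["fw1", "internet"],
    "internet": ["proxy1"],
}

# Constructed device capabilities: which security control each node can run.
CAPABILITIES = {
    "fw1": {"packet_filter"},
    "proxy1": {"web_filter"},
}

# Constructed CTI report: a mix of indicator types (the hash is deliberately
# one that neither filtering control can act on).
INDICATORS = [
    "203.0.113.10",
    "malicious.example",
    "http://bad.example/payload.exe",
    "sha256:deadbeef",
]

# Constructed high-level intent: block traffic from the LAN to every indicator.
INTENT = {"action": "block", "source": "lan", "destination": "internet"}


def shortest_path(topology, src, dst):
    """BFS; returns the node list from src to dst, or None when dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def classify(indicator):
    """Map an indicator to the control type able to enforce it, or None."""
    try:
        ipaddress.ip_address(indicator)
        return "packet_filter"          # IP address: a layer-3/4 filter can drop it
    except ValueError:
        pass
    if indicator.startswith(("http://", "https://")):
        return "web_filter"             # full URL: needs HTTP-aware inspection
    if "." in indicator and "/" not in indicator and ":" not in indicator:
        return "web_filter"             # bare domain name
    return None                         # e.g. a file hash: no filtering control applies


def refine(intent, indicators, topology, capabilities):
    """Refine one intent plus CTI indicators into device-level rules.

    Returns the emitted rules, the indicators no device on the path can enforce,
    and a flag saying the intent already holds because of the topology."""
    path = shortest_path(topology, intent["source"], intent["destination"])
    result = {"rules": [], "unenforceable": [], "satisfied_by_topology": path is None}
    if path is None:
        return result  # source cannot reach destination at all: nothing to deploy
    for indicator in indicators:
        control = classify(indicator)
        # Enforcement point: the first node on the path offering the needed control.
        device = next(
            (n for n in path if control and control in capabilities.get(n, set())), None
        )
        if device is None:
            reason = "unsupported indicator type" if control is None else f"no {control} on path"
            result["unenforceable"].append((indicator, reason))
            continue
        if control == "packet_filter":
            rule = f"deny ip from {intent['source']} to {indicator}"
        else:
            rule = f"deny url {indicator} for {intent['source']}"
        result["rules"].append({"device": device, "control": control, "rule": rule})
    return result


if __name__ == "__main__":
    out = refine(INTENT, INDICATORS, TOPOLOGY, CAPABILITIES)
    for r in out["rules"]:
        print(f"{r['device']:8} {r['control']:14} {r['rule']}")
    for indicator, reason in out["unenforceable"]:
        print(f"UNENFORCEABLE {indicator}: {reason}")
```

Running it places the IP indicator on fw1 as a packet-filter rule, the domain and the URL on proxy1 as web-filter rules, and reports the file hash as unenforceable because neither control can act on it. Two caveats the toy makes visible: an intent whose source cannot reach its destination needs no rule at all (the topology already satisfies it, and emitting one anyway would be a misconfiguration of the kind the abstract warns about), and placing rules along one shortest path leaves any alternative path uncovered, which is why a real engine must reason over every path rather than one, the kind of constraint solving the summary above attributes to the paper's approach.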