🤖 AI Summary
To address decision-making under inaccurate system models and incomplete observations in cyberattack response, this paper proposes an online Bayesian response planning framework. The method integrates Bayesian learning with model quantization to correct model misspecification as the incident unfolds and to adapt response policies, with asymptotic consistency and theoretical error bounds. Technically, it combines finite-state Markov modeling with dynamic programming to enable real-time, computationally efficient response decisions. Evaluated on the CAGE-2 benchmark, the approach significantly outperforms existing methods in both robustness and adaptability. Notably, it is the first to jointly model Bayesian learning and quantization within incident response planning, enabling theory-driven optimization with formal performance guarantees.
📝 Abstract
Effective responses to cyberattacks require fast decisions, even when information about the attack is incomplete or inaccurate. However, most decision-support frameworks for incident response rely on a detailed system model that describes the incident, which restricts their practical utility. In this paper, we address this limitation and present an online method for incident response planning under model misspecification, which we call MOBAL: Misspecified Online Bayesian Learning. MOBAL iteratively refines a conjecture about the model through Bayesian learning as new information becomes available, which facilitates model adaptation as the incident unfolds. To determine effective responses online, we quantize the conjectured model into a finite Markov model, which enables efficient response planning through dynamic programming. We prove that Bayesian learning is asymptotically consistent with respect to the information feedback. Additionally, we establish bounds on misspecification and quantization errors. Experiments on the CAGE-2 benchmark show that MOBAL outperforms the state of the art in terms of adaptability and robustness to model misspecification.
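The learn-quantize-plan loop described in the abstract, as an added toy example that is not the paper's algorithm or code: a Bayesian posteriors over a set of conjectured models is updated from feedback, and the most probable conjecture is turned into a finite belief-grid Markov model and solved by value iteration. The single-node incident model, the costs, the conjecture set and the feedback sequence are all assumptions constructed for illustration; the true compromise rate is deliberately left out of the conjecture set to show learning under misspecification.

```python
# Added illustration; not the paper's algorithm or code. All names and numbers are constructed.
CONJECTURES = [0.1, 0.3, 0.5]   # assumed candidate per-step compromise probabilities
GRID = 21                        # belief quantization levels: b = i / (GRID - 1)
C_COMP, C_REC, GAMMA = 5.0, 1.0, 0.95   # assumed costs and discount factor

def bayes_update(posterior, compromised):
    """One Bayesian step: reweight each conjecture by the likelihood of the feedback."""
    weights = [p * (th if compromised else 1.0 - th)
               for p, th in zip(posterior, CONJECTURES)]
    total = sum(weights)
    return [w / total for w in weights]

def quantize(b):
    """Map a belief in [0, 1] to the nearest grid index."""
    return min(GRID - 1, max(0, round(b * (GRID - 1))))

def plan(theta, sweeps=500):
    """Value iteration on the quantized belief model; policy: 0 = wait, 1 = recover."""
    beliefs = [i / (GRID - 1) for i in range(GRID)]
    nxt_wait = [quantize(b + (1.0 - b) * theta) for b in beliefs]
    nxt_rec = quantize(theta)    # recovery resets the node, which may be re-compromised
    V = [0.0] * GRID
    for _ in range(sweeps):
        V = [C_COMP * b + min(GAMMA * V[nxt_wait[i]], C_REC + GAMMA * V[nxt_rec])
             for i, b in enumerate(beliefs)]
    return [int(C_REC + GAMMA * V[nxt_rec] < GAMMA * V[nxt_wait[i]])
            for i in range(GRID)]

def run(feedback):
    """Learn online from feedback, then plan with the most probable conjecture."""
    posterior = [1.0 / len(CONJECTURES)] * len(CONJECTURES)
    for compromised in feedback:
        posterior = bayes_update(posterior, compromised)
    best = CONJECTURES[max(range(len(posterior)), key=posterior.__getitem__)]
    return posterior, best, plan(best)

# Constructed feedback: true compromise rate 0.25, which is NOT in CONJECTURES.
FEEDBACK = [t % 4 == 0 for t in range(400)]

if __name__ == "__main__":
    posterior, best, policy = run(FEEDBACK)
    print("posterior:", [round(p, 4) for p in posterior])
    print("planning conjecture:", best)
    print("recover once belief >=", policy.index(1) / (GRID - 1))
```

The posterior concentrates on the conjecture that best explains the feedback even though no conjecture is exactly right, and the resulting policy is a threshold on the quantized belief that the node is compromised.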