Leveraging Digital Twin-as-a-Service Towards Continuous and Automated Cybersecurity Certification

📅 2025-09-09
📈 Citations: 0
Influential: 0
🤖 AI Summary
Traditional risk assessment relies on manual audits and intrusive scanning, causing operational disruptions and failing to address dynamic security vulnerabilities. This paper proposes a Security Digital Twin-as-a-Service (SDT-aaS) framework that non-intrusively mirrors network assets in real time using digital twin technology. It integrates the Web of Things (WoT) architecture with the CycloneDX Software Bill of Materials (SBOM) standard to enable continuous, automated, and machine-readable compliance assessment. The architecture adheres to open, interoperable standards, significantly enhancing scalability and governance agility. Experiments on a medium-scale infrastructure demonstrate sub-3% system interference, an 82% reduction in assessment cycle time, on-demand trigger capability, and real-time policy validation. The core contribution is the first deep integration of digital twins into a closed-loop cybersecurity certification process, establishing a low-overhead, verifiable, and sustainable automated compliance governance system.
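The summary's "machine-readable compliance assessment" over CycloneDX SBOMs can be made concrete with a small policy check that evaluates an SBOM and emits an evidence record bound to the SBOM's hash. This is an added example written for this page, not code from the SDT-aaS paper, its authors, or the CycloneDX project; the sample SBOM contents, the hygiene policy (a version on every component, a SHA-256 hash on every component, a license allowlist) and the layout of the evidence record are assumptions made for illustration and only use CycloneDX 1.5 JSON fields as documented in the spec.

```python
"""Policy evaluation over a CycloneDX SBOM, emitting a machine-readable evidence record.

Added example, not code from the SDT-aaS paper or the CycloneDX project.
The SBOM, the policy and the bom-ref values are constructed for illustration.
"""
import hashlib
import json
from typing import Any

# Constructed CycloneDX 1.5 JSON SBOM; names, versions, hashes and licenses are placeholders.
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "edge-gateway", "version": "2.4.0"}},
    "components": [
        {   # compliant component
            "type": "library", "bom-ref": "pkg:generic/libfoo@1.2.3",
            "name": "libfoo", "version": "1.2.3",
            "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
            "licenses": [{"license": {"id": "MIT"}}],
        },
        {   # no integrity hash, license outside the allowlist
            "type": "library", "bom-ref": "pkg:generic/libbar@0.9",
            "name": "libbar", "version": "0.9",
            "hashes": [],
            "licenses": [{"license": {"id": "GPL-3.0-only"}}],
        },
        {   # unversioned and unhashed
            "type": "library", "bom-ref": "pkg:generic/libbaz",
            "name": "libbaz",
            "licenses": [{"license": {"id": "Apache-2.0"}}],
        },
    ],
}

# Constructed policy: a hypothetical hygiene baseline, not one taken from the paper.
POLICY: dict[str, Any] = {
    "id": "sbom-hygiene-v1",
    "required_hash_alg": "SHA-256",
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}


def sbom_digest(sbom: dict[str, Any]) -> str:
    """SHA-256 over canonical JSON, so the evidence binds to exactly the evaluated SBOM."""
    canonical = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def declared_licenses(comp: dict[str, Any]) -> list[str]:
    """Collect SPDX ids, free-text names, or license expressions declared on a component."""
    found: list[str] = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        lic = entry.get("license", {})
        if "id" in lic:
            found.append(lic["id"])
        elif "name" in lic:
            found.append(lic["name"])
    return found


def check_component(comp: dict[str, Any], policy: dict[str, Any]) -> list[str]:
    """Return findings for one component; an empty list means it satisfies the policy."""
    findings: list[str] = []
    if not comp.get("version"):
        findings.append("missing version")
    alg = policy["required_hash_alg"]
    if not any(h.get("alg") == alg and h.get("content") for h in comp.get("hashes", [])):
        findings.append(f"missing {alg} hash")
    licenses = declared_licenses(comp)
    if not licenses:
        findings.append("no license declared")
    findings += [f"license {lic} not on allowlist" for lic in licenses
                 if lic not in policy["allowed_licenses"]]
    return findings


def evaluate_sbom(sbom: dict[str, Any], policy: dict[str, Any], evaluated_at: str) -> dict[str, Any]:
    """Evaluate every component and return a JSON-serialisable evidence record."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = [
        {"bom_ref": comp.get("bom-ref", comp.get("name", "?")), "issue": issue}
        for comp in sbom.get("components", [])
        for issue in check_component(comp, policy)
    ]
    subject = sbom.get("metadata", {}).get("component", {})
    return {
        "policy": policy["id"],
        "subject": f"{subject.get('name', '?')}@{subject.get('version', '?')}",
        "sbom_serial": sbom.get("serialNumber"),
        "sbom_sha256": sbom_digest(sbom),
        "evaluated_at": evaluated_at,
        "findings": findings,
        "compliant": not findings,
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_sbom(SAMPLE_SBOM, POLICY, "2025-09-09T00:00:00Z"), indent=2))
```

Binding the record to a digest of the canonical SBOM is what makes it usable as evidence: a later auditor can re-derive the digest from the archived SBOM and confirm the verdict refers to that exact artifact rather than to whatever the asset reports today. The timestamp is passed in rather than read from the clock so that evaluations are reproducible.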

📝 Abstract
Traditional risk assessments rely on manual audits and system scans, often causing operational disruptions and leaving security gaps. To address these challenges, this work presents Security Digital Twin-as-a-Service (SDT-aaS), a novel approach that leverages Digital Twin (DT) technology for automated, non-intrusive security compliance. SDT-aaS enables real-time security assessments by mirroring real-world assets, collecting compliance artifacts, and creating machine-readable evidence. The proposed work is a scalable and interoperable solution that supports open standards like CycloneDX and Web of Things (WoT), facilitating seamless integration and efficient compliance management. Empirical results from a moderate-scale infrastructure use case demonstrate its feasibility and performance, paving the way for efficient, on-demand cybersecurity governance with minimal operational impact.
Problem

Research questions and friction points this paper is trying to address.

Automating cybersecurity certification to avoid manual audits
Providing non-intrusive real-time security compliance assessments
Enabling scalable interoperable solutions with minimal operational impact
Innovation

Methods, ideas, or system contributions that make the work stand out.

Digital Twin-as-a-Service for automated security compliance
Real-time assessments via asset mirroring and evidence collection
Scalable solution supporting open standards like CycloneDX
Authors

Ioannis Koufos
Abdul Rehman Qureshi
Adrian Asensio
Allen Abishek
Efstathios Zaragkas
Ricard Vilalta (Research Director, CTTC-CERCA; research interests: 5G/6G, SDN/NFV, Cloud/Fog computing, IoT, V2X)
Maria Souvalioti
George Xilouris (NCSR Demokritos; research interests: NFV, SDN, 5G, network management, DevOps)
Michael-Alexandros Kourtis