This study addresses the dynamically evolving attack surface risk in automated cyber offense–defense environments by introducing queueing theory into attack surface modeling, where active vulnerabilities are treated as system backlog. An AI amplification factor is incorporated to characterize the impact of offensive and defensive automation on vulnerability discovery, exploitation, and patching rates. By uncovering the long-range dependence induced by heavy-tailed patching times, the authors formulate an adaptive defense mechanism grounded in Markov decision processes and constrained reinforcement learning. Experimental evaluation on the ARVO dataset demonstrates that the proposed approach reduces the average number of active vulnerabilities by over 90% without increasing the defense budget, significantly suppressing successful attacks while offering both theoretical guarantees and practical efficacy.

We develop a queueing-theoretic framework to model the temporal evolution of cyber-attack surfaces, where the number of active vulnerabilities is represented as the backlog of a queue. Vulnerabilities arrive as they are discovered or created, and leave the system when they are patched or successfully exploited. Building on this model, we study how automation affects attack and defense dynamics by introducing an AI amplification factor that scales arrival, exploit, and patching rates. Our analysis shows that even symmetric automation can increase the rate of successful exploits. We validate the model using vulnerability data collected from an open source software supply chain and show that it closely matches real-world attack surface dynamics. Empirical results reveal heavy-tailed patching times, which we prove induce long-range dependence in vulnerability backlog and help explain persistent cyber risk. Utilizing our queueing abstraction for the attack surface, we develop a systematic approach for cyber risk mitigation. We formulate the dynamic defense problem as a constrained Markov decision process with resource-budget and switching-cost constraints, and develop a reinforcement learning (RL) algorithm that achieves provably near-optimal regret. Numerical experiments validate the approach and demonstrate that our adaptive RL-based defense policies significantly reduce successful exploits and mitigate heavy-tail queue events. Using trace-driven experiments on the ARVO dataset, we show that the proposed RL-based defense policy reduces the average number of active vulnerabilities in a software supply chain by over 90% compared to existing defense practices, without increasing the overall maintenance budget. Our results allow defenders to quantify cumulative exposure risk under long-range dependent attack dynamics and to design adaptive defense strategies with provable efficiency.