Automating Function-Level TARA for Automotive Full-Lifecycle Security

📅 2025-04-25
📈 Citations: 0
Influential: 0
🤖 AI Summary
The increasing complexity of connected and autonomous vehicles (CAVs) exacerbates cybersecurity risks, while conventional Threat Analysis and Risk Assessment (TARA) methods—relying on static threat libraries—lack the granularity required for functional-level analysis. To address this, we propose the first full-lifecycle, function-level TARA automation framework. It leverages a multi-agent large language model (LLM) architecture, integrating LoRA fine-tuning and Retrieval-Augmented Generation (RAG) to enable dynamic component-level modeling, automated attack tree generation, and cross-domain regulatory standard alignment. We extend the OpenXSAM++ modeling language to support semantically rich threat representation. Evaluated across four automotive OEM projects, our framework identified 11 penetration-validated high-risk attack paths and generated over 8,200 attack trees—demonstrating significantly improved efficiency over manual analysis. The framework has been deployed in commercial platforms by UAES and Xiaomi, and extended to unmanned aerial and maritime systems.

📝 Abstract
As modern vehicles evolve into intelligent and connected systems, their growing complexity introduces significant cybersecurity risks. Threat Analysis and Risk Assessment (TARA) has therefore become essential for managing these risks under mandatory regulations. However, existing TARA automation methods rely on static threat libraries, limiting their utility in the detailed, function-level analyses demanded by industry. This paper introduces DefenseWeaver, the first system that automates function-level TARA using component-specific details and large language models (LLMs). DefenseWeaver dynamically generates attack trees and risk evaluations from system configurations described in an extended OpenXSAM++ format, then employs a multi-agent framework to coordinate specialized LLM roles for more robust analysis. To further adapt to evolving threats and diverse standards, DefenseWeaver incorporates Low-Rank Adaptation (LoRA) fine-tuning and Retrieval-Augmented Generation (RAG) with expert-curated TARA reports. We validated DefenseWeaver through deployment in four automotive security projects, where it identified 11 critical attack paths, verified through penetration testing, and subsequently reported and remediated by the relevant automakers and suppliers. Additionally, DefenseWeaver demonstrated cross-domain adaptability, successfully applying to unmanned aerial vehicles (UAVs) and marine navigation systems. In comparison to human experts, DefenseWeaver outperformed manual attack tree generation across six assessment scenarios. Integrated into commercial cybersecurity platforms such as UAES and Xiaomi, DefenseWeaver has generated over 8,200 attack trees. These results highlight its ability to significantly reduce processing time, and its scalability and transformative impact on cybersecurity across industries.
Problem

Research questions and friction points this paper is trying to address.

Automating function-level TARA for automotive cybersecurity risks
Dynamic attack tree generation using LLMs and system configurations
Adapting to evolving threats with LoRA fine-tuning and RAG
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automates function-level TARA with LLMs
Uses multi-agent framework for robust analysis
Incorporates LoRA fine-tuning and RAG
Authors
Yuqiao Yang (UESTC)
Yongzhao Zhang (UESTC)
Wenhao Liu (GoGoByte Technology)
Jun Li (GoGoByte Technology)
Pengtao Shi (GoGoByte Technology)
DingYu Zhong (UESTC)
Jie Yang (UESTC)
Ting Chen (UESTC)
Sheng Cao (UESTC)
Yuntao Ren (Chengdu Anheng Information Technology Co., LTD)
Yongyue Wu (Anheng Vision (Chengdu) Information Technology Co., LTD)
Xiaosong Zhang (Tencent)