This work addresses the challenge of detecting multi-stage attacks that traverse trust boundaries in cloud deployments—threats often missed by conventional security tools due to their inability to model holistic system architecture and runtime behavioral deviations. The authors propose a novel approach that integrates static configuration analysis with runtime network flow observation to automatically construct a platform-agnostic architectural abstraction reflecting the system’s true state, including components, domains, interfaces, policies, and data flows. Building upon this representation, the method enables continuous, architecture-level threat modeling. It is the first to support automated architecture inference and threat detection across bare-metal, Kubernetes, and cloud environments. Evaluated on supply chain systems incorporating machine learning (ML) components, the approach successfully identified all 17 classes of injection threats—including ML-specific threats—substantially outperforming existing tools, which cover only 6–47% of these threats and fail entirely to detect ML-related ones.

Traditional threat modeling occurs during design, but cloud deployments introduce unanticipated threats, especially multi-stage attacks chaining vulnerabilities across trust boundaries. Existing security tools analyze components in isolation, cannot detect architectural threats from system composition, and cannot validate runtime behavior against configured policies. This gap leaves organizations vulnerable to attacks exploiting architectural weaknesses. This paper addresses this gap through a key innovation: automatically inferring system architecture from runtime observations to enable continuous threat modeling. Our methodology combines static configuration analysis with observed network flows to construct architecture graphs reflecting actual operational behavior, then applies systematic threat detection using platform-agnostic abstractions (components, domains, interfaces, access policies, flows). This enables consistent threat identification across bare metal, Kubernetes, and cloud infrastructure without manual diagram maintenance. We validate the methodology using a supply-chain system with ML components deployed on all three platforms, injecting 17 infrastructure and ML threats. Results show detection of all 17 threat types across all platforms, while existing security tools detected only 6-47% with zero ML threat coverage, confirming the necessity of runtime aware, architecture-level threat analysis.