Existing autonomous cybersecurity defense (ACD) systems are predominantly trained on static network topologies, limiting their generalizability to dynamic environments—such as topology evolution, adversarial perturbations, or system failures—and resulting in poor adaptability. To address this, we propose the Generalizable Autonomous Cybersecurity Defense (GACD) framework, the first to deeply integrate graph neural networks (GNNs) with deep reinforcement learning (DRL) into a unified architecture supporting dynamic topology modeling and multi-agent adversarial training. GACD introduces a variable-scale network generator and a cross-distribution policy distillation mechanism, enabling robust policy generalization to unseen network structures and evolving threats. Experimental results demonstrate that GACD improves defense success rate by 23.6% across diverse dynamic scenarios, significantly outperforming baselines in transferability and resilience against previously unseen attacks.

In the face of evolving cyber threats such as malware, ransomware and phishing, autonomous cybersecurity defense (ACD) systems have become essential for real-time threat detection and response with optional human intervention. However, existing ACD systems rely on limiting assumptions, particularly the stationarity of the underlying network dynamics. In real-world scenarios, network topologies can change due to actions taken by attackers or defenders, system failures, or time evolution of networks, leading to failures in the adaptive capabilities of current defense agents. Moreover, many agents are trained on static environments, resulting in overfitting to specific topologies, which hampers their ability to generalize to out-of-distribution network topologies. This work addresses these challenges by exploring methods for developing agents to learn generalizable policies across dynamic network environments -- general ACD (GACD).