Modern enterprise breaches are no longer isolated events but coordinated, multi-stage campaigns whose success depends on the defender’s inability to translate detection into timely containment. While existing frameworks—such as attack-lifecycle models, Zero Trust architectures, and detection-driven systems—provide valuable capabilities, they lack a formal mechanism for coupling inferred adversarial state with coordinated, cross-layer enforcement. This paper presents AMNDA, an Adaptive Multi-layer, stage-aware Network Defense Architecture that operationalizes lifecycle-aware defense through explicit state-to-control mapping and executable orchestration. Adversarial progression is modeled as a probabilistic state-transition process, and inferred states are systematically mapped to synchronized controls across edge protection, identity governance, internal segmentation, and behavioral detection. A formally defined orchestration function transforms detection outputs into stage-conditioned policy updates, enforcing monotonic tightening of containment as adversarial capability escalates. AMNDA is implemented and validated in a reproducible Microsoft Azure environment. Empirical results show that stage-aligned enforcement actions execute within 1.0–3.1 s, while detection latency remains the dominant constraint, with a median of 1034 s across the validation corpus. This separation reveals a critical operational insight: in modern cloud environments, the limiting factor in lifecycle defense is not enforcement capability but detection timing. The contribution of AMNDA is therefore not a new detection technique but a formal, deployable architecture that converts attack-stage inference into coordinated, low-latency containment. By bridging lifecycle modeling, Zero Trust principles, and automated orchestration, the proposed approach establishes a practical foundation for state-aware, adaptive cyber defense.
Morić et al. (Sun,) studied this question.