E. Wilde Barbaro

Adaptive Optimization for Scalable, Minimal RBAC

Role-Based Access Control (RBAC) is foundational to enterprise security, yet manual role engineering remains error-prone and unscalable. Automated role mining addresses this, but existing methods face a critical trade-off: exact approaches guarantee minimal roles but fail at real-world scale, while heuristics scale but lack formal guarantees. This gap forces enterprises into suboptimal, insecure configurations, increasing vulnerability risk and compliance cost. We resolve it through a four-level resource-aware framework that adapts dynamically to the problem instance: (1) a memory-light heuristic, (2) optimality-preserving reductions, (3) a greedy heuristic with logarithmic approximation bounds, and (4) an ILP-based exact solver. Notably, our approach eliminates more than 99% of edges in 26 out of 31 real-world systems, enabling globally optimal role configurations and achieving an average 53% simplification of existing RBAC systems. Our heuristics achieve near-optimal solutions while providing significant speedups over prior heuristics. Beyond the individual components, the unified, adaptive framework minimizes suboptimal decisions at any scale. We open-source the framework to enable minimal RBAC deployment at any scale. ...

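To make the "greedy heuristic" level and the "simplification" figure concrete, the following is an added illustration (not the paper's framework or its released code): a greedy set-cover style role miner over a constructed user-permission assignment (UPA). Candidate roles are users' full permission sets and their pairwise intersections; each step picks the candidate that covers the most still-uncovered (user, permission) edges, and a role is only ever given to a user whose permissions contain it, so the mined RBAC never over-provisions. The edge count before (direct user-permission edges) and after (user-role plus role-permission edges) is the kind of simplification metric the abstract reports. All names and the bonus of using pairwise intersections as candidates are assumptions of this example.

```python
"""Greedy role mining over a user-permission assignment (UPA).

Added example, not the paper's algorithm. Real role miners use richer
candidate generation, reductions and an exact solver; this shows only
the greedy set-cover idea and how to measure the resulting edge reduction.
"""
from itertools import combinations

# Constructed sample UPA: user -> set of directly assigned permissions.
UPA = {
    "u1": {"repo_read", "repo_write", "ci_run"},
    "u2": {"repo_read", "repo_write", "ci_run"},
    "u3": {"repo_read", "repo_write", "ci_run"},
    "u4": {"repo_read", "repo_write", "ci_run", "deploy", "view_logs", "restart_svc"},
    "u5": {"repo_read", "repo_write", "ci_run", "deploy", "view_logs", "restart_svc"},
    "u6": {"deploy", "view_logs", "restart_svc"},
    "u7": {"view_logs", "read_reports"},
    "u8": {"view_logs", "read_reports"},
    "u9": {"deploy", "view_logs", "restart_svc", "read_reports"},
}


def candidate_roles(upa):
    """Candidate roles: every user's full permission set plus all non-empty
    pairwise intersections (an assumption of this example)."""
    cands = {frozenset(p) for p in upa.values()}
    for a, b in combinations(upa.values(), 2):
        if a & b:
            cands.add(frozenset(a & b))
    # Deterministic order so ties are broken the same way on every run.
    return sorted(cands, key=lambda r: (len(r), sorted(r)))


def greedy_role_mining(upa):
    """Return (roles, ua): roles is a list of permission sets, ua maps each
    user to the indices of roles assigned to it. The union of a user's roles
    equals the user's UPA entry exactly (no missing and no extra permissions)."""
    uncovered = {(u, p) for u, perms in upa.items() for p in perms}
    cands = candidate_roles(upa)
    roles, ua = [], {u: [] for u in upa}
    while uncovered:
        best, best_gain, best_users = None, 0, []
        for r in cands:
            # r may only be assigned to users whose permissions contain it.
            users = [u for u, perms in upa.items() if r <= perms]
            gain = sum(1 for u in users for p in r if (u, p) in uncovered)
            if gain > best_gain:
                best, best_gain, best_users = r, gain, users
        if best is None:  # cannot happen: each full user set is a candidate
            raise RuntimeError("no candidate covers the remaining edges")
        roles.append(best)
        for u in best_users:
            # Assign the role only where it covers something new for u.
            if any((u, p) in uncovered for p in best):
                ua[u].append(len(roles) - 1)
                uncovered -= {(u, p) for p in best}
    return roles, ua


def reconstruct(roles, ua):
    """Permissions each user effectively holds through the mined roles."""
    return {u: set().union(*(roles[i] for i in idxs)) for u, idxs in ua.items()}


def edge_counts(upa, roles, ua):
    """(direct UPA edges, user-role edges + role-permission edges)."""
    upa_edges = sum(len(p) for p in upa.values())
    rbac_edges = sum(len(i) for i in ua.values()) + sum(len(r) for r in roles)
    return upa_edges, rbac_edges


if __name__ == "__main__":
    roles, ua = greedy_role_mining(UPA)
    before, after = edge_counts(UPA, roles, ua)
    print(f"{len(roles)} roles, edges {before} -> {after}")
    for i, r in enumerate(roles):
        print(i, sorted(r))
```

On this constructed input the greedy pass recovers three roles and cuts 32 direct assignments to 20 RBAC edges. The important check before trusting any mined role set is the one `reconstruct` enables: the effective permission of every user must equal the original UPA entry, otherwise the "simplification" has silently granted or removed access.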
Organisations are becoming more security-conscious and deploy ever more security tools to ensure they are adequately protected against cyber-attacks. That has two consequences: (i) the extra tools themselves enlarge the company's attack surface, and (ii) the Security Operations Centre (SOC) is overwhelmed by the volume of false positives those tools generate, leading to alert fatigue. In many cases the SOC team cannot work through all alerts properly, so potential attacks go unnoticed or are caught much later. Moreover, within a typical CISO organisation, "attack" and "defence" data are analysed in silos: vulnerability data, red-team exercises and the data from the various defence tools are not looked at together.

Our work proposes a way to bridge the gap between vulnerability data (CVEs) and security alert data originating from the multiple security tools that protect servers, using MITRE ATT&CK tactics as the common vocabulary. This gives alerts more context, which is useful for classifying them as attacks or false positives. We use DeBERTa (Decoding-enhanced BERT with Disentangled Attention), a state-of-the-art deep-learning model, to map CVE descriptions to MITRE ATT&CK tactics. We then map security alerts to MITRE ATT&CK tactics, and use the CVEs and tactics as additional input to a context-enriched machine-learning model that classifies security alerts as malicious or benign. We tested our approach on over 5.5 million security alerts combined with red-team exercise attacks and incident-response labelling from the company, a large international organisation with over 60,000 employees. Our CVE+tactic model (without hyperparameter tuning) detects 64% more true positives than the machine-learning model without that information. In addition, the SOC needs to investigate fewer than 1400 alerts to catch the red-team attacks in our test set, compared with more than 5500 for the model without CVE and tactic context. Assuming a standard response time of 8 minutes per alert, the improved model would save the SOC team up to 550 person-hours. The result is a model that catches red-team attacks without overwhelming the SOC with false positives. ...
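The two things a SOC engineer would want to see from this abstract are (a) how an alert gets enriched with the tactics implied by the CVEs present on its host, and (b) how "alerts the SOC must investigate to catch every red-team action" and the resulting person-hours are computed. The following is an added example, not the authors' pipeline or code: the CVE-to-tactic map is a constructed placeholder standing in for the DeBERTa output (the CVE identifiers are not real), the host inventory and alerts are constructed, and the fixed severity bonus for a tactic match is a deliberately simple stand-in for the trained classifier's score, used only so the ranking metric has something to compare.

```python
"""Alert enrichment with CVE-derived ATT&CK tactics and the
"alerts to investigate" triage metric. Added example; all data constructed."""

# Placeholder CVE -> ATT&CK tactic mapping (what the DeBERTa mapper would emit).
# Identifiers are constructed placeholders, not real CVE ids.
CVE_TACTIC = {
    "CVE-X1": "Initial Access",
    "CVE-X2": "Privilege Escalation",
    "CVE-X3": "Lateral Movement",
}

# Constructed vulnerability inventory: host -> CVEs found on it by scanning.
HOST_CVES = {
    "web01": {"CVE-X1"},
    "db01": {"CVE-X2", "CVE-X3"},
    "jump01": set(),
}

# Constructed alerts: (id, host, tactic the detection rule maps to,
# detector severity 1-5, label from red-team / IR: True = malicious).
ALERTS = [
    ("a1", "web01",  "Initial Access",       3, True),
    ("a2", "jump01", "Discovery",            5, False),
    ("a3", "db01",   "Privilege Escalation", 2, True),
    ("a4", "web01",  "Discovery",            4, False),
    ("a5", "jump01", "Execution",            5, False),
    ("a6", "db01",   "Lateral Movement",     3, True),
    ("a7", "web01",  "Credential Access",    4, False),
    ("a8", "jump01", "Defense Evasion",      4, False),
]


def host_tactics(host):
    """Tactics an attacker could plausibly execute on this host, derived
    from the CVEs present on it. Unknown CVEs contribute nothing."""
    return {CVE_TACTIC[c] for c in HOST_CVES.get(host, ()) if c in CVE_TACTIC}


def enrich(alert):
    """Join an alert to its host's CVE-derived tactics and flag whether the
    alert's own tactic is among them (the context feature)."""
    aid, host, tactic, sev, label = alert
    ht = host_tactics(host)
    return {"id": aid, "host": host, "tactic": tactic, "severity": sev,
            "label": label, "host_tactics": ht, "context_match": tactic in ht}


def baseline_score(a):
    """Detector severity only (no CVE/tactic context)."""
    return a["severity"]


def enriched_score(a):
    """Stand-in for the trained CVE+tactic model: severity plus a fixed
    bonus when the alert's tactic matches a CVE on the host (assumption)."""
    return a["severity"] + (3 if a["context_match"] else 0)


def alerts_to_catch_all(alerts, score):
    """Number of top-ranked alerts an analyst must work through, in score
    order, before every malicious alert has been seen."""
    ranked = sorted(alerts, key=score, reverse=True)  # stable for ties
    last_malicious = max(i for i, a in enumerate(ranked) if a["label"])
    return last_malicious + 1


def person_hours_saved(n_baseline, n_improved, minutes_per_alert=8):
    """Hours saved by the shorter investigation list at a fixed handling time."""
    return (n_baseline - n_improved) * minutes_per_alert / 60


def compare(alerts=ALERTS):
    enriched = [enrich(a) for a in alerts]
    n_base = alerts_to_catch_all(enriched, baseline_score)
    n_ctx = alerts_to_catch_all(enriched, enriched_score)
    return n_base, n_ctx, person_hours_saved(n_base, n_ctx)


if __name__ == "__main__":
    n_base, n_ctx, hours = compare()
    print(f"baseline: {n_base} alerts, with CVE+tactic context: {n_ctx} alerts, "
          f"{hours:.2f} person-hours saved")
```

The metric is deliberately the worst-case one: it counts how deep into the ranked queue the SOC has to go to have seen the last true positive, which is what matters when the goal is not to miss a red-team (or real) intrusion. In practice the context feature should be fed to the classifier as an input rather than added as a fixed bonus, and the tactic derived from the CVE inventory should be treated as stale the moment the host is patched.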