Under the conditions of prolonged martial law in Ukraine, one of the most pressing national security challenges is ensuring effective cyber threat management and protecting the state’s critical information infrastructure. Since the beginning of the full-scale aggression, numerous cyberattacks on Ukraine have been documented, including attempts by the Strontium hacking group to gain access to computer networks in Ukraine, the US, and the EU, attacks on the Ukrtelecom provider, and the distribution of malicious software such as Cobalt Strike Beacon [ 1 ]. This typically gives rise to coordination problems between different agencies, ensuring timely response to cyber incidents [ 2 ], and maintaining the resilience of critical systems during their operation under constant cyberattacks [ 3, 4 ]. The unprecedented scale and intensity of cyber warfare during the conflict have exposed significant vulnerabilities in existing cybersecurity frameworks and highlighted the need for comprehensive legislative reforms. The evolving nature of cyber threats, combined with the dynamic operational environment of martial law, requires adaptive and resilient management approaches that can effectively coordinate multiple security agencies while maintaining operational efficiency [ 5, 6 ]. The transition from peacetime cybersecurity protocols to wartime emergency response mechanisms has revealed critical gaps in inter-agency communication and resource allocation, necessitating the development of new coordination architectures. Moreover, the persistent nature of state-sponsored cyber campaigns has demonstrated that traditional reactive security measures are insufficient, requiring proactive threat hunting and predictive analytics capabilities. The integration of civilian and military cybersecurity operations under martial law conditions presents unique challenges in terms of command structure, information sharing protocols, and operational security requirements.

Globally, active research is being conducted aimed at developing and implementing cyber threat management methods for use in hybrid conflict conditions [ 7, 8 ]. Babala L.V. concludes that cybersecurity importance in the Russian-Ukrainian war 2022–M2025 requires comprehensive analysis through graph theory prism [ 1 ]. International cooperation in cybersecurity remains crucial for effective defense mechanisms [ 9 ]. Kovalchuk O.Ya. examines intellectual models for identifying associative rules in criminal law enforcement databases, emphasizing the role of digital forensics in modern threat landscape [ 10 ]. Despite existing research, numerous unresolved challenges remain that reduce the effectiveness of national cybersecurity systems under martial law conditions [ 11, 12 ]. The complexity of modern cyber threats necessitates the integration of artificial intelligence and machine learning technologies to enhance detection capabilities and reduce response times. Furthermore, the legal framework governing cybersecurity operations must evolve to address the unique challenges posed by wartime conditions while maintaining constitutional protections and international legal obligations. Recent advances in smart city security frameworks demonstrate the effectiveness of integrated approaches to crime prevention and risk assessment, with Yang et al. utilizing eye-tracking technology to analyze environmental factors in security decision-making [ 13 ], while Minardi et al. develop semantic reasoning methods for geolocalized crime risk assessment [ 14 ]. These methodologies, combined with operational research approaches as demonstrated by Basilio and Pereira in policing strategy optimization [ 15 ], provide valuable insights for enhancing cyber threat management systems in urban environments [ 16 ]. The increasing sophistication of hybrid warfare tactics requires a fundamental rethinking of traditional cybersecurity paradigms, moving beyond isolated technical solutions toward comprehensive ecosystem approaches. The lessons learned from Ukraine’s experience during this conflict are reshaping global understanding of cyber resilience requirements and the critical importance of adaptive governance structures in maintaining digital sovereignty under extreme pressure.

Contemporary research demonstrates the promising application of artificial intelligence for automating threat detection and response processes in critical infrastructure. Kovalchuk O. develops mathematical models for implementing intelligent technologies to prevent crimes based on fuzzy TOPSIS methodology, which shows significant potential for cyber threat management automation [ 17 ]. Wilson and Davis substantiate the necessity of optimizing cyber incident response time in distributed systems through the use of centralized coordination centers [ 18 ]. Martinez and Taylor conduct a comprehensive assessment of national cybersecurity coordination center effectiveness, confirming the advantages of hybrid management models [ 19 ]. Yatskiv V., Nyemkova E., Kulyna S., Kulyna H. and Ivasiev S. investigate data encryption methods based on the redundant residue number system, providing enhanced security mechanisms for critical infrastructure protection [ 20 ]. Chen and Kumar analyze multilateral coordination in national cybersecurity ecosystems, demonstrating the importance of integrating various stakeholders to ensure effective cyber risk management [ 21 ]. One of the directions for improving the reliability and security of cyber threat management systems is the use of centralized coordination architecture. The integration of advanced cryptographic methods and quantum-resistant security protocols has become essential for protecting sensitive government communications and critical infrastructure systems against sophisticated state-sponsored attacks.

Additionally, recent studies emphasize the importance of integrated approaches for managing cybersecurity risks within complex socio-technical environments. Milevskyi et al. [ 22 ] propose a multi-contour methodology for securing sociocyberphysical systems, highlighting the need for layered defense strategies that combine technological, organizational, and human factors. Fedynyshyn et al. [ 23 ] demonstrate that vulnerabilities in mobile application frameworks can significantly impact national cybersecurity, suggesting that static code analysis should be incorporated into routine threat assessments. Similarly, Lakhno et al. [ 24 ] and Susukailo et al. [ 25 ] underline the effectiveness of decision support systems and structured ISMS frameworks in enhancing proactive threat mitigation and ensuring coordinated responses across multiple organizational levels.

The objective of this work is to conduct research on the effectiveness of new legislative mechanisms for cyber threat management, which will enhance the resilience of the national cybersecurity system under martial law conditions and construct an analytical dependency of the effectiveness indicators of these mechanisms with justification for selecting the optimal cyber threat management architecture. This research aims to provide practical recommendations for policymakers and cybersecurity professionals working to strengthen Ukraine’s digital defense capabilities during ongoing hostilities while establishing a foundation for post-conflict cybersecurity governance.

Previous studies have investigated the use of various architectural approaches for cyber threat management [ 21, 26 ]. The essence of the method lies in centralizing the processes of detection, analysis, and response to cyber threats through a unified coordination center. According to the Law of Ukraine No. 4336-IX [ 27 ], cybercrime is defined as a socially dangerous culpable act in cyberspace and/or using it, for which liability is provided by the Criminal Code of Ukraine. Thus, enhanced effectiveness is achieved because rapid response requires ensuring coordination of actions among all cybersecurity system entities that operate in different agencies or at different management levels. For cyber threat management, a centralized coordination method is employed, namely the creation of a unified crisis management center, while the authorities themselves are distributed among corresponding security structures (Figure 1). In cyber threat management systems, functionality restoration after incidents is typically performed through coordinated actions [ 18, 28 ]. According to the Law of Ukraine No. 4336-IX [ 27 ], the main changes include: replacement of formal crime composition with material composition in Article 361 of the Criminal Code of Ukraine, strengthening sanctions for cybercrimes under martial law conditions, introduction of a new qualifying feature “committed during martial law”, tripling the lower threshold of significant damage (to UAH 372,150 thousand), and legalization of Bug Bounty activities through the creation of appropriate procedures by the State Special Communications Service. The study conducted a comparative analysis of decentralized management (DCM), centralized management (CCM), and hybrid management (HCM) methods [ 12 ].

The effectiveness of cyber threat management is characterized by incident response time, which is calculated using the formula:

T response=T detect+T analyze+T coordinate+T mitigate, where T detect is the threat detection time; T analyze is the incident analysis time; T coordinate is the action coordination time; T mitigate is the threat mitigation time.

According to the Law of Ukraine No. 4336-IX [ 27 ], in the basic composition of Article 361 of the Criminal Code of Ukraine, it is now sufficient to commit unauthorized interference without the occurrence of specific consequences, which simplifies qualification and reduces investigation time. For the centralized management model, coordination time is determined as [ 7 ]:

T coordinate= Σ ( T commi+T decision ), where T commi is the information transmission time from the ith entity to the coordination center, and T decision is the decision-making time by the coordination center.

According to the new sanctions under Law No. 4336-IX [ 27 ], punishment for cybercrimes under martial law conditions can range from 10 to 15 years of imprisonment, which significantly increases the deterrent effect of legislation. Another cyber threat management method considered in the work is the use of a decentralized model (DCM) [ 7 ]. In this case, the total response time is determined by the following formula:

T responseDCM= max ( T responsei )+T sync, where T responsei is the time of the ith entity; T sync is the action synchronization time between entities.

An important aspect is that Law No. 4336-IX legalizes the activities of ethical hackers through the creation of Procedures for searching and identifying potential vulnerabilities, which allows the IT community to legally test government systems [ 27 ]. When analyzing existing management methods, a hybrid model (HCM) was also considered [ 12, 29 ]. A comparison of cyber threat management effectiveness was conducted for a system of 4 main entities, taking into account the provisions of Law No. 4336-IX. According to the stated task, the total response time is determined by the formula: where T escalation and T local are calculated using the formulas:

T =T local+T escalation+T central,

T local= min t ,

T escalation=α ×T threshold + β ×T decision,

In the above-mentioned formulas (4–6), a set of coefficients α and β are used, which must satisfy the following conditions: α + β =1, (7) 0 ≤ α≤ 1, (8) 0 ≤ β ≤ 1, (9)

As a result of applying each of the above-mentioned cyber threat management methods, we obtain the optimal response time T optimal. (1) (2) (3) (4) (5) (6) Example. Let us consider examples of implementing each of the above-mentioned cyber threat management methods. We take a system of four main entities: SBU, State Special Communications Service, General Staff, and NSDC [ 30 ].

For the example, let us consider response to a cyber incident with time characteristics: T detect=15 m, T analyze=30 m, which are given in minutes.

Method 1. For the centralized model (CCM), we calculate coordination time according to formula (2):

To conduct research on the effectiveness of cyber threat management methods, it is necessary to define a set of basic parameters which include: detection time, analysis time, coordination time, threat mitigation time [ 8 ]. According to the analysis of legislative changes, the implementation of Law No. 4336-IX significantly affects all stages of the cyber threat response process [ 27 ]. Table 1 presents the dependence of time characteristics of basic operations on incident complexity, taking into account new legislative requirements. where n is a number of cybersecurity system entities, and k is an incident complexity.

When conducting calculations, it should also be taken into account that some operations that are an order of magnitude simpler can be neglected, since they do not affect overall efficiency. According to the formulas presented in Table 1, the overall efficiency of the centralized model (CCM) will be calculated using the formula:

E CCM=1/( α 1×log n +α 2×n×log n +α 3×n2+α 4×n×m ) .

The efficiency of basic operations of the decentralized model is presented in Table 2. According to the formulas presented in Table 3, the overall efficiency of HCM for 4 entities will be evaluated as:

E HCM=1/(γ 1+γ 2×log n +γ 3×n +γ 4×n×log n ). (12)

Based on the calculations performed above, to compare the effectiveness of using different cyber threat management methods, it is necessary to construct a graph of efficiency dependence on the number of entities and incident complexity [ 26 ].

To evaluate the effectiveness of cyber threat management methods, the work conducted a comparison for a system of four entities with different functionality, and considering this condition, we obtained the following evaluation values for each method:

The dependence of efficiency of each of the above-listed methods on the number of entities at n= 2 is presented in Table 4. Therefore, the use of HCM according to research results is significantly more effective for use in cyber threat management systems under martial law conditions [ 20, 31 ].

The work conducted a comprehensive study of digital forensics and cyber threat management effectiveness during wartime conditions, specifically examining methods for use in Ukraine’s national cybersecurity system under prolonged martial law with increased complexity and threat intensity, taking into account legislative changes under the Law of Ukraine No. 4336-IX [ 27 ].

The research demonstrates that effective digital forensics integration with cyber threat management systems is critical for maintaining national security during active conflict, where traditional cybersecurity approaches prove insufficient against state-sponsored attacks and advanced persistent threats. Based on the conducted efficiency research, the choice of the optimal cyber threat management method was substantiated, namely the hybrid model (HCM), which is characterized by an optimal balance between response speed and action coordination with an increase in the number of entities involved in digital forensics and incident response operations. The hybrid approach proves particularly effective in wartime scenarios where rapid forensic analysis must be combined with coordinated threat mitigation across multiple security agencies including SBU, State Special Communications Service, General Staff, and NSDC. The implementation of new legislative mechanisms, including strengthening sanctions for cybercrimes under martial law conditions, simplifying the qualification of the basic crime composition, and legalizing Bug Bounty activities, creates a reliable legal foundation for effective cyber threat management and digital forensics operations during wartime [ 11, 31 ].

These legislative initiatives represent a paradigm shift in how Ukraine approaches cybersecurity governance during conflict, recognizing the need for adaptive legal frameworks that can accommodate the unique challenges of wartime digital forensics and cyber defense operations. Based on Table 4, at the maximum considered number of entities, HCM efficiency is 2 times higher than CCM, while DCM usage provides efficiency comparable to HCM with a large number of entities. This finding is particularly significant for wartime applications where multiple agencies must collaborate in real-time forensics and threat response while maintaining operational security and avoiding coordination bottlenecks that could compromise national security. Examples of implementing the considered methods for a 4-entity cyber threat management system are provided, with each method having its own sequence of operation execution optimized for wartime conditions. Some parameters, such as information transmission time, coefficients α and β, are calculated once for repeated use, which makes it possible to reduce the number of steps and accordingly increase the speed of cyber threat management and digital forensics processing, thus increasing the efficiency of the national cybersecurity system as a whole during active hostilities [ 17, 18 ].

The research reveals that successful digital forensics and cyber threat management during wartime requires not only technological solutions but also comprehensive organizational restructuring and legal framework adaptation. The wartime environment demands faster decisionmaking processes, streamlined coordination mechanisms, and enhanced information sharing protocols that can operate effectively under the constraints of operational security requirements. Further system development should take into account the need to improve organizational and legal support specifically tailored for wartime digital forensics operations and eliminate duplicate functions between the main cybersecurity entities [ 30 ].

The study also emphasizes the importance of developing post-conflict transition strategies that can maintain the enhanced coordination capabilities developed during wartime while adapting to peacetime operational requirements and international legal frameworks. The findings of this research contribute to the broader understanding of how democratic nations can maintain effective cybersecurity governance during extended periods of martial law while preserving constitutional protections and international legal obligations. The Ukrainian experience provides valuable lessons for other nations facing similar hybrid warfare threats and demonstrates the critical importance of adaptive legal and organizational frameworks in modern cyber defense strategies.

While preparing this work, the authors used the AI programs Grammarly Pro to correct text grammar and Strike Plagiarism to search for possible plagiarism. After using this tool, the authors reviewed and edited the content as needed and took full responsibility for the publication’s content.