Abstract
Internet of things (IoT) ecosystems introduce significant cybersecurity challenges due to device heterogeneity, firmware opacity, constrained resources, distributed deployment, and the integration of devices within the wider socio-technical systems in which they are used. Existing approaches to IoT cybersecurity typically address isolated aspects of this problem, such as vulnerability enumeration, anomaly detection, or risk assessment, without integrating them across the full lifecycle of devices and systems. This paper presents an extensible architecture that aims to address these challenges by unifying cybersecurity testing, runtime monitoring, contextual risk modelling, secure update mechanisms, and auditable evidence management for IoT ecosystems. The framework supports both device under test and system under test perspectives and integrates component-level techniques (such as SBOM generation, network fuzzing, machine learning-based anomaly detection, and access control risk evaluation) with system-level, knowledge-based risk modelling to capture threat propagation across interconnected assets. A distributed ledger-backed auditable data infrastructure ensures the integrity and traceability of indicators, results, and decisions. Automated workflow orchestration enables flexible tool chaining and lifecycle-aware execution aligned with established security development lifecycles. The approach is validated through three industrial use cases in aviation cargo monitoring, smart manufacturing, and telecommunication residential gateways. Results demonstrate the feasibility of combining static analysis, runtime indicators, and dynamic risk assessment to prioritise vulnerabilities contextually, detect anomalous behaviour, and support secure patch deployment in resource-constrained environments.
The work advances lifecycle-integrated, system-aware cybersecurity assurance for IoT ecosystems and highlights the need for contextualised, interoperable tooling to address systemic vulnerability and risk propagation in complex systems where IoT, ICT and people interact.