A method of performing a security assessment of a system includes analyzing a static structure of the system; storing, in a semantic system model, structure information about the static structure of the system; observing the system during a plurality of discrete temporal system states; storing, in the semantic system model, dynamic information about the system during the plurality of discrete temporal system states; performing a semantic composition analysis on the structure information to identify at least one vulnerability of the system; performing a flow analysis on the dynamic information to identify at least one anomalous behavior of the system during at least one of the plurality of discrete temporal system states; and generating, based on the at least one vulnerability of the system and the at least one anomalous behavior of the system, a vulnerability assessment of the system.