Module 24 · Section 24.5

Cybersecurity & LLMs

Threat intelligence, log analysis, vulnerability detection, phishing defense, SOC automation, adversarial uses, and defensive countermeasures
★ Big Picture

LLMs are a double-edged sword for cybersecurity. On the defensive side, they can analyze security logs at scale, detect vulnerabilities in code, generate threat intelligence reports, and automate SOC (Security Operations Center) workflows. On the offensive side, they lower the barrier for creating sophisticated phishing campaigns, generating malware variants, and conducting social engineering attacks. Understanding both sides is essential for cybersecurity practitioners in the LLM era.

1. Threat Intelligence with LLMs

Threat intelligence analysts spend significant time reading vulnerability disclosures, malware reports, and dark web postings to understand the threat landscape. LLMs can process these sources at scale, extracting indicators of compromise (IOCs), mapping tactics to the MITRE ATT&CK framework, and generating actionable intelligence reports. 

from openai import OpenAI
import json

client = OpenAI()

def extract_threat_intel(report_text: str) -> dict:
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[
            {"role": "system", "content": """Extract structured threat intelligence.
Return JSON with: threat_actor, malware_family, iocs (ip_addresses,
domains, file_hashes), mitre_attack_techniques, severity,
affected_systems, recommended_actions."""},
            {"role": "user", "content": report_text},
        ],
        response_format={"type": "json_object"},
    )
    return json.loads(response.choices[0].message.content)

intel = extract_threat_intel("""A new ransomware variant dubbed 'NightOwl'
has been targeting healthcare organizations via phishing emails with
malicious PDF attachments. The malware communicates with C2 servers
at 198.51.100.42 and uses AES-256 encryption...""")
print(json.dumps(intel, indent=2))

2. Log Analysis and Anomaly Detection

Security logs generate millions of events per day. LLMs can analyze log patterns, identify anomalies that rule-based systems miss, and provide natural language explanations of what happened and why it matters. This is particularly valuable for reducing alert fatigue: instead of hundreds of raw alerts, the SOC analyst receives a prioritized summary with context. 

# LLM-powered security log analysis
def analyze_security_logs(logs: list[str]) -> str:
    log_text = "\n".join(logs[-100:])  # Last 100 entries
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[
            {"role": "system", "content": """You are a senior SOC analyst.
Analyze these security logs for suspicious patterns. Focus on:
failed authentication attempts, unusual access patterns, data
exfiltration indicators, privilege escalation, and lateral movement.
Prioritize findings by severity (Critical/High/Medium/Low)."""},
            {"role": "user", "content": f"Analyze these logs:\n{log_text}"},
        ],
    )
    return response.choices[0].message.content
Log Sources SIEM, firewall endpoint, cloud LLM Analyzer pattern detection anomaly scoring Alert Triage priority + context Incident Report natural language SOC Analyst review + action
Figure 24.7: LLM-assisted SOC workflow. Logs are analyzed by an LLM for pattern detection, producing prioritized alerts and incident reports for analyst review.

3. Vulnerability Detection and Code Auditing

# LLM-powered code vulnerability scanner
def scan_for_vulnerabilities(code: str, language: str = "python") -> str:
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[
            {"role": "system", "content": f"""You are a security code auditor for {language}.
Analyze the code for: SQL injection, XSS, command injection, path
traversal, hardcoded secrets, insecure deserialization, SSRF,
authentication/authorization flaws, and cryptographic weaknesses.
For each finding: describe the vulnerability, its severity (CVSS-like),
the affected line(s), and a remediation suggestion."""},
            {"role": "user", "content": f"Audit this code:\n```{language}\n{code}\n```"},
        ],
    )
    return response.choices[0].message.content

vulnerable_code = """
def get_user(request):
    user_id = request.args.get('id')
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query)
"""

print(scan_for_vulnerabilities(vulnerable_code))

4. Adversarial Uses and Defense

LLMs lower the barrier for several categories of cyber attacks. Phishing emails generated by LLMs are more convincing because they avoid the grammatical errors and generic phrasing that traditional filters catch. LLMs can generate polymorphic malware code that evades signature-based detection. Social engineering attacks benefit from LLMs' ability to maintain convincing personas in real-time conversations. Understanding these offensive capabilities is essential for building effective defenses.

Attack Category LLM Enhancement Defensive Countermeasure
Phishing Grammar-perfect, personalized lures LLM-powered email analysis, style detection
Social engineering Real-time convincing personas Conversation anomaly detection
Malware generation Polymorphic code variants Behavioral analysis, sandboxing
Vulnerability exploitation Automated exploit generation LLM-assisted patching, code review
Disinformation Scalable fake content AI content detection, provenance
⚠ The Attacker-Defender Asymmetry

LLMs create an asymmetry that favors attackers in certain scenarios. Generating a convincing phishing email takes one prompt, while building a detection system requires training data, model development, and continuous updating. However, defenders have their own advantages: LLMs can monitor all incoming communications at scale (while attackers must craft individual campaigns), and defensive LLMs can be fine-tuned on organization-specific patterns. The key is deploying defensive AI proactively rather than reactively.

Offensive LLM Uses Phishing generation Code obfuscation Social engineering at scale Exploit development Reconnaissance automation Defensive LLM Uses Phishing detection Vulnerability scanning Log analysis at scale Automated patching Threat intelligence synthesis
Figure 24.8: The dual nature of LLMs in cybersecurity. The same capabilities that enable attacks also power more effective defenses.
🔍 Key Insight

The most impactful cybersecurity application of LLMs is not replacing analysts but amplifying them. A single SOC analyst augmented with LLM tools can process the alert volume that previously required a team of five. The LLM handles log parsing, correlation, initial triage, and report drafting, while the human analyst focuses on investigation, decision-making, and response coordination. This "force multiplier" effect is particularly valuable given the chronic shortage of cybersecurity professionals.

Knowledge Check

1. How do LLMs improve threat intelligence workflows?
Show Answer
LLMs can process threat intelligence sources (vulnerability disclosures, malware reports, dark web postings) at scale, extracting structured IOCs (IP addresses, domains, file hashes), mapping tactics to frameworks like MITRE ATT&CK, identifying threat actor patterns, and generating actionable reports. This transforms what was a manual, time-consuming research task into an automated pipeline.
2. Why are LLM-generated phishing emails harder to detect than traditional ones?
Show Answer
Traditional phishing emails often contain grammatical errors, generic greetings, and formulaic language that spam filters easily catch. LLM-generated phishing emails use perfect grammar, can be personalized using publicly available information about the target, mimic the writing style of legitimate senders, and avoid the telltale patterns that rule-based filters look for. This requires more sophisticated detection approaches.
3. What role do LLMs play in SOC automation?
Show Answer
LLMs automate several SOC functions: parsing and correlating logs from multiple sources, performing initial alert triage (prioritizing and providing context), generating natural language incident reports, suggesting response actions based on playbooks, and reducing alert fatigue by filtering false positives. The human analyst focuses on investigation and decision-making while the LLM handles the volume processing.
4. How can LLMs assist with code vulnerability detection?
Show Answer
LLMs can analyze source code for common vulnerability patterns (SQL injection, XSS, command injection, path traversal, hardcoded secrets) and provide explanations of each finding with severity ratings and remediation suggestions. While not a replacement for dedicated static analysis tools, LLMs complement them by understanding context, identifying logic flaws that pattern-based tools miss, and explaining findings in natural language.
5. What is the "force multiplier" effect of LLMs in cybersecurity?
Show Answer
The force multiplier effect means that a single analyst augmented with LLM tools can handle the workload that previously required multiple analysts. The LLM handles high-volume tasks (log parsing, correlation, triage, report generation) while the human focuses on high-judgment tasks (investigation, decision-making, response). This is particularly valuable given the global shortage of cybersecurity professionals.

Key Takeaways