Multi-Agent Collaboration in Incident Response with Large Language Models
Zefang Liu
TL;DR
The paper explores how large language model-driven multi-agent systems can augment incident response by simulating collaborative IR through the Backdoors & Breaches tabletop game. It systematically compares six team structures (centralized, decentralized, and hybrid, each in homogeneous and heterogeneous varieties) to assess how leadership and domain expertise affect decision-making and performance. Using an AutoGen-based simulation with GPT-4o agents, the study finds that centralized and hybrid teams achieve higher success rates, while purely heterogeneous structures face coordination challenges, highlighting the importance of structure in LLM-enabled IR. The work advances practical understanding of how LLM agents can coordinate investigations, adapt to injects, and optimize IR workflows, providing a foundation for real-world deployment and future enhancements in adaptive, scalable cyber defense.
Abstract
Incident response (IR) is a critical aspect of cybersecurity, requiring rapid decision-making and coordinated efforts to address cyberattacks effectively. Leveraging large language models (LLMs) as intelligent agents offers a novel approach to enhancing collaboration and efficiency in IR scenarios. This paper explores the application of LLM-based multi-agent collaboration using the Backdoors & Breaches framework, a tabletop game designed for cybersecurity training. We simulate real-world IR dynamics through various team structures, including centralized, decentralized, and hybrid configurations. By analyzing agent interactions and performance across these setups, we provide insights into optimizing multi-agent collaboration for incident response. Our findings highlight the potential of LLMs to enhance decision-making, improve adaptability, and streamline IR processes, paving the way for more effective and coordinated responses to cyber threats.
