Exploring the Role of Large Language Models in Cybersecurity: A Systematic Survey
Shuang Tian, Tao Zhang, Jiqiang Liu, Jiacheng Wang, Xuangou Wu, Xiaoqiang Zhu, Ruichen Zhang, Weiting Zhang, Zhenhui Yuan, Shiwen Mao, Dong In Kim
TL;DR
This survey addresses the challenge of escalating cyber threats by examining how large language models (LLMs) can enhance cybersecurity across the attack lifecycle, CTI workflows, and network deployment scenarios. It systematically analyzes defensive roles during reconnaissance, foothold, and lateral movement phases, and covers CTI collection, processing, and analysis, while assessing deployment strategies for traditional and next-generation networks. The authors synthesize benchmarking evidence, discuss external and inherent risks of LLMs, and identify open problems such as data scarcity, input-length limits, and the need for post-intrusion defense research, offering concrete directions like open datasets, pollution defenses, and improved interpretability. Overall, the paper provides a comprehensive framework for integrating LLMs into proactive and reactive cybersecurity operations, highlighting both practical benefits and critical research gaps that must be addressed for real-world adoption.
Abstract
With the rapid development of technology and the acceleration of digitalization, the frequency and complexity of cybersecurity threats are increasing. Traditional cybersecurity approaches, often based on static rules and predefined scenarios, are struggling to adapt to the rapidly evolving nature of modern cyberattacks. There is an urgent need for more adaptive and intelligent defense strategies. The emergence of Large Language Models (LLMs) provides an innovative way to cope with increasingly severe cyber threats. Their potential in analyzing complex attack patterns, predicting threats, and assisting real-time response has attracted considerable attention in the cybersecurity field, and how to use LLMs effectively to defend against cyberattacks has become a hot research topic. This survey examines the applications of LLMs from the perspective of the cyber attack lifecycle, focusing on defense in three phases: reconnaissance, foothold establishment, and lateral movement. It also analyzes the potential of LLMs in Cyber Threat Intelligence (CTI) tasks. Meanwhile, we investigate how LLM-based security solutions are deployed and applied in different network scenarios, and we summarize the internal and external risks that LLMs face during their application. Finally, this survey points out open risk issues and possible future research directions in this domain.
