Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

IRCopilot: Automated Incident Response with Large Language Models

Xihuan Lin, Jie Zhang, Gelei Deng, Tianzhe Liu, Tianwei Zhang, Qing Guo, Riqing Chen

TL;DR

This work tackles the challenge of automating incident response in modern, complex networks by developing IRBench, a comprehensive IR benchmark, and IRCopilot, a multi-agent LLM system that simulates real-world blue-team collaboration using Planner, Generator, Reflector, and Analyst components. IRBench rigorously evaluates LLMs across three IR stages with 12 objectives and 130 subtasks drawn from TryHackMe, XuanJi, and ZGSF, revealing limitations in current models such as hallucinations and incomplete guidance. IRCopilot addresses these issues by introducing an Incident Response Tree (IRT) and a structured, phase-based architecture that improves sub-task completion and practical applicability, achieving substantial gains over baseline LLMs and demonstrating effectiveness in real-world attack scenarios. The study also provides a detailed efficiency and ablation analysis, showing the trade-offs between reasoning overhead and task coverage, and identifies failure modes to guide future improvements. Overall, the paper demonstrates the viability of LLM-driven automated IR and lays groundwork for robust, scalable cyber defense automation.

Abstract

Incident response plays a pivotal role in mitigating the impact of cyber attacks. In recent years, the intensity and complexity of global cyber threats have grown significantly, making it increasingly challenging for traditional threat detection and incident response methods to operate effectively in complex network environments. While Large Language Models (LLMs) have shown great potential in early threat detection, their capabilities remain limited when it comes to automated incident response after an intrusion. To address this gap, we construct an incremental benchmark based on real-world incident response tasks to thoroughly evaluate the performance of LLMs in this domain. Our analysis reveals several key challenges that hinder the practical application of contemporary LLMs, including context loss, hallucinations, privacy protection concerns, and their limited ability to provide accurate, context-specific recommendations. In response to these challenges, we propose IRCopilot, a novel framework for automated incident response powered by LLMs. IRCopilot mimics the three dynamic phases of a real-world incident response team using four collaborative LLM-based session components. These components are designed with clear divisions of responsibility, reducing issues such as hallucinations and context loss. Our method leverages diverse prompt designs and strategic responsibility segmentation, significantly improving the system's practicality and efficiency. Experimental results demonstrate that IRCopilot outperforms baseline LLMs across key benchmarks, achieving sub-task completion rates of 150%, 138%, 136%, 119%, and 114% for various response tasks. Moreover, IRCopilot exhibits robust performance on public incident response platforms and in real-world attack scenarios, showcasing its strong applicability.

IRCopilot: Automated Incident Response with Large Language Models

TL;DR

This work tackles the challenge of automating incident response in modern, complex networks by developing IRBench, a comprehensive IR benchmark, and IRCopilot, a multi-agent LLM system that simulates real-world blue-team collaboration using Planner, Generator, Reflector, and Analyst components. IRBench rigorously evaluates LLMs across three IR stages with 12 objectives and 130 subtasks drawn from TryHackMe, XuanJi, and ZGSF, revealing limitations in current models such as hallucinations and incomplete guidance. IRCopilot addresses these issues by introducing an Incident Response Tree (IRT) and a structured, phase-based architecture that improves sub-task completion and practical applicability, achieving substantial gains over baseline LLMs and demonstrating effectiveness in real-world attack scenarios. The study also provides a detailed efficiency and ablation analysis, showing the trade-offs between reasoning overhead and task coverage, and identifies failure modes to guide future improvements. Overall, the paper demonstrates the viability of LLM-driven automated IR and lays groundwork for robust, scalable cyber defense automation.

Abstract

Incident response plays a pivotal role in mitigating the impact of cyber attacks. In recent years, the intensity and complexity of global cyber threats have grown significantly, making it increasingly challenging for traditional threat detection and incident response methods to operate effectively in complex network environments. While Large Language Models (LLMs) have shown great potential in early threat detection, their capabilities remain limited when it comes to automated incident response after an intrusion. To address this gap, we construct an incremental benchmark based on real-world incident response tasks to thoroughly evaluate the performance of LLMs in this domain. Our analysis reveals several key challenges that hinder the practical application of contemporary LLMs, including context loss, hallucinations, privacy protection concerns, and their limited ability to provide accurate, context-specific recommendations. In response to these challenges, we propose IRCopilot, a novel framework for automated incident response powered by LLMs. IRCopilot mimics the three dynamic phases of a real-world incident response team using four collaborative LLM-based session components. These components are designed with clear divisions of responsibility, reducing issues such as hallucinations and context loss. Our method leverages diverse prompt designs and strategic responsibility segmentation, significantly improving the system's practicality and efficiency. Experimental results demonstrate that IRCopilot outperforms baseline LLMs across key benchmarks, achieving sub-task completion rates of 150%, 138%, 136%, 119%, and 114% for various response tasks. Moreover, IRCopilot exhibits robust performance on public incident response platforms and in real-world attack scenarios, showcasing its strong applicability.

Paper Structure

This paper contains 32 sections, 3 equations, 10 figures, 12 tables.

Table of Contents

  1. Introduction
  2. Background & Related Work
  3. Global Cybersecurity Landscape
  4. Incident Response
  5. Large Language Models and Their Applications for Cybersecurity
  6. Threat Model
  7. IRBench: A Benchmark for Incident Response
  8. Motivation
  9. Benchmark Design
  10. Evaluation on Contemporary LLMs
  11. IRCopilot
  12. Design Overview
  13. Planner
  14. Generator
  15. Reflector
  16. ...and 17 more sections

Figures (10)

  • Figure 1: Two main contributions of this work: 1) We build an Incident Response (IR) benchmark to evaluate the contemporary LLMs on IR tasks, in terms of three stages. 2) We propose IRCopilot to enhance the performance on IR tasks.
  • Figure 2: Workflow of IRCopilot. This figure illustrates the principle of IRCopilot, structured into three cognitive stages: Reasoning, Action, and Reflection. 1. In the Reasoning phase, we design the Planner and Analyst to maintain the IRT and tackle Challenges I, III, and IV mentioned in Sec. \ref{['sec:benchmark:evaluation']} through step-by-step reasoning. 2. In the Action phase, the Generator distributes and generates guidance and commands to mitigate Challenge II. 3. Finally, in the Reflection phase, the Reflector addresses challenges posed by hallucination and privacy risks.
  • Figure 3: Natural Language Representation of the IRT for the XuanJi-Nacos Target.
  • Figure 4: The prompt strategy of Planner for two scenarios: principles in the initial part, followed by specific strategies for Scenario 1 (clear tasks) and Scenario 2 (unclear tasks).
  • Figure 5: The performance of GPT-4, IRCopilot-GPT-4, Llama3-70b, IRCopilot-Llama3-70b, DeepSeek-V3, IRCopilot-DeepSeek-V3, GPT-4o, IRCopilot-GPT-4o, Claude-3.5-Sonnet, IRCopilot-Claude-3.5-Sonnet, GPT-o1, and IRCopilot-GPT-o1 on IRBench.
  • ...and 5 more figures