AEGIS Leverages Large Language Models to Automate Attack Path Creation for Cyber‑Defense Exercises
Researchers Ivan K. Tung, Yu Xiang Shi, Alex Chien, Wenkai Liu, and Lawrence Zheng introduced a system called AEGIS in a paper submitted on 30 January 2026. The system generates cyber‑attack paths by combining large language models (LLMs), white‑box access, and Monte Carlo Tree Search. It was evaluated during the 2025 Cyber Defence Exercise (CIDeX), which involved 46 IT hosts, with the aim of reducing the time required to develop realistic training scenarios.
Methodology
AEGIS employs an LLM‑driven search to discover exploitable vulnerabilities dynamically, eliminating the need for pre‑constructed vulnerability graphs. White‑box access permits the system to test individual exploits in isolation before integrating them into longer chains. Once the exploits are validated, Monte Carlo Tree Search explores possible exploit sequences, constructing complete attack paths that can be used in simulation environments.
Evaluation at CIDeX 2025
During the large‑scale CIDeX exercise, AEGIS‑generated scenarios were compared with human‑authored ones across four training‑experience dimensions: perceived learning, engagement, believability, and challenge. Participants assessed the scenarios using a validated questionnaire, and the results indicated comparable performance between the AI‑generated and manually crafted paths.
Impact on Training Development
The authors report that automating exploit‑chain discovery and validation reduced scenario development time from months to days. This shift allows cybersecurity experts to focus more on narrative design and pedagogical goals rather than low‑level technical validation.
Limitations and Future Work
The approach relies on white‑box access to target systems, which may not be feasible in all training environments. The authors suggest extending the framework to operate with limited or black‑box information and to evaluate scalability across larger network topologies.
Broader Context
AEGIS exemplifies a growing trend of integrating generative AI techniques into cybersecurity tooling. By automating labor‑intensive aspects of exercise preparation, such systems could influence how organizations design and deliver cyber‑defense training at scale.
This report is based on information from arXiv, licensed under Academic Preprint / Open Access, and on the abstract of the research paper. Full text available via arXiv.