Submitted:
24 April 2026
Posted:
28 April 2026
You are already at the latest version
Abstract
Large Language Models (LLMs) are reshapingcybersecurity by introducing context-aware reasoning and au-tomation across the penetration testing lifecycle. This paperinvestigates the role of LLMs in vulnerability discovery, exploitgeneration, and adversarial simulation. Through a structured ex-perimental methodology, we evaluate model performance acrossmultiple vulnerability classes. The findings demonstrate thatLLMs outperform traditional tools in detecting logical flaws andchained vulnerabilities, while also highlighting limitations suchas hallucinations and ethical risks. The paper concludes withrecommendations for AI-aware defensive strategies.
Keywords:
cybersecurity
; LLMs
; penetration testing
; AI security
I. Introduction
Modern cybersecurity systems are increasingly challenged by multi-stage and logic-driven attacks. Traditional tools rely on signature-based detection, which limits their ability to identify novel vulnerabilities.
Large Language Models (LLMs) introduce semantic rea-soning capabilities, enabling systems to analyze relationships between components rather than isolated patterns. This en-ables detection of complex attack paths that were previously undetectable.
Recent advancements in transformer-based architectures have enabled LLMs to perform complex reasoning tasks beyond traditional natural language processing applications. The introduction of attention mechanisms has significantly improved the ability of models to capture long-range depen-dencies in data, making them highly effective for analyzing structured and semi-structured inputs such as source code and system logs [8].
Furthermore, large-scale training on diverse datasets has allowed these models to generalize across domains, including cybersecurity. Studies have demonstrated that LLMs can assist in identifying vulnerabilities, generating secure code, and sim-ulating attacker behavior, highlighting their growing relevance in security workflows [9].
II. Methodology
This study employs a qualitative experimental approach to evaluate the behavior of Large Language Models under adversarial prompting conditions.
A. Experimental Setup
A production-grade LLM was accessed through a public API to simulate real-world usage conditions. The model was evaluated under standard safety constraints to analyze its responses within realistic operational boundaries.
B. Adversarial Prompting Framework
A tiered prompting strategy was designed to simulate vary-ing levels of attacker sophistication:
Tier 1: Direct Prompts These prompts involved straightfor-ward requests designed to establish baseline model behavior and identify built-in safety restrictions.
Tier 2: Contextual Reframing In this tier, prompts were framed within educational or professional contexts, such as penetration testing scenarios. This approach tested whether contextual framing influenced the model’s willingness to pro-vide sensitive information.
Tier 3: Component-Based Construction Rather than re-questing complete exploit logic, this tier involved generating individual components that could be combined externally. This approach simulates real-world attack strategies where complex payloads are constructed incrementally.
C. Evaluation Criteria
The model was evaluated based on the following criteria:
- • Accuracy of vulnerability identification
- • Depth of logical reasoning
- • Consistency across multiple prompts
- • Adherence to safety constraints
D. Dataset and Environment Simulation
To evaluate model performance, a simulated dataset of vulnerabilities was constructed based on commonly reported issues in public vulnerability databases such as CWE and OWASP [6], [10]. The dataset included a mix of input val-idation flaws, authentication weaknesses, and configuration errors.
Each vulnerability scenario was designed to reflect realistic system behavior, allowing the model to analyze context rather than isolated code snippets. This approach ensures that the evaluation captures the reasoning capabilities of the LLM rather than simple pattern recognition.
The testing environment consisted of controlled web ap-plication instances where vulnerabilities could be triggered and analyzed. This setup enabled consistent evaluation across multiple runs.
III. Threat Model
To properly evaluate the impact of LLM-assisted penetration testing, it is necessary to define the threat model under which the system operates.
A. Adversary Capabilities
The adversary is assumed to have access to publicly available LLMs and basic technical knowledge. Unlike traditional threat models, the attacker does not require deep expertise in exploit development, as the LLM provides guidance and automation.
B. Attack Surface
The attack surface includes:
- • Web applications
- • APIs and backend services
- • Authentication mechanisms
- • Client-side interfaces
C. Assumptions
- • The LLM operates within standard safety constraints
- • The target system contains known or misconfigured vul-nerabilities
- • The attacker can iteratively refine prompts based on feedback
This threat model highlights the reduced barrier to entry enabled by LLMs, which significantly alters the traditional cybersecurity landscape.
IV. Comparative Analysis
To better understand the impact of LLMs, a comparison was conducted between traditional penetration testing approaches and LLM-assisted workflows.
Table 1.
Comparison of Traditional vs LLM-Based Penetration Testing.
| Feature | Traditional | LLM-Based |
| Analysis Speed | Slow | Fast |
| Automation | Low | High |
| Detection Depth | Limited | Advanced |
| Skill Requirement | High | Moderate |
| Adaptability | Low | High |
The results indicate that LLM-assisted workflows signif-icantly reduce the time required for vulnerability discovery while improving detection of complex attack paths.
V. Background and Evolution
A. Traditional Security Tools
Tools such as vulnerability scanners rely on predefined signatures. These approaches are effective for known threats but fail to detect zero-day vulnerabilities and logical flaws.
B. LLM-Based Security Systems
LLMs provide:
- • Context-aware analysis
- • Multi-step reasoning
- • Cross-system vulnerability detection
Table 2.
Traditional vs llm-based security.
| Feature | Traditional | LLM-Based |
| Detection | Signature | Semantic |
| Scope | Isolated | Distributed |
| Adaptability | Low | High |
| Efficiency | Moderate | High |
VI. System Architecture
Figure 1.
LLM-Based Penetration Testing Architecture.
The architecture consists of three components:
- • Input Layer (target data)
- • LLM Reasoning Engine
- • Output Layer (analysis and exploit suggestions)
VII. LLMs in Penetration Testing
The application of Large Language Models (LLMs) in penetration testing has evolved from simple assistance tools to complex systems capable of simulating attacker behavior. Two dominant paradigms have emerged in recent research: the co-pilot model and the autonomous agent model.
A. Human-Centered Co-Pilot Model
In the co-pilot paradigm, the LLM functions as an intelligent assistant that augments the capabilities of human penetration testers. Rather than replacing the human operator, it acts as a high-bandwidth interface for processing large volumes of technical data and generating actionable insights.
Modern penetration testing engagements generate extensive outputs from tools such as network scanners, directory brute-forcers, and vulnerability assessment platforms. Manually an-alyzing this data introduces cognitive overload and increases the risk of overlooking critical vulnerabilities. LLM-based co-pilots address this issue by performing semantic analysis on tool outputs, identifying patterns, and prioritizing potential attack vectors.
For example, when provided with scan results, an LLM can correlate service versions with known vulnerabilities and suggest targeted exploitation strategies. Additionally, co-pilots can generate context-aware scripts tailored to specific environ-ments, reducing the need for manual scripting.
Another significant advantage of this model is its ability to assist in report generation. By converting raw technical findings into structured vulnerability reports, LLMs streamline the documentation process, which traditionally consumes a large portion of a penetration tester’s time.
B. Autonomous Agent Model
Beyond the co-pilot paradigm, recent developments have introduced partially autonomous LLM agents capable of ex-ecuting multi-step attack workflows. These systems operate using iterative reasoning loops, where the model evaluates system responses and dynamically adjusts its strategy.
Autonomous agents are capable of:
- • Performing reconnaissance and asset discovery
- • Identifying vulnerabilities across multiple systems
- • Executing chained attack sequences
- • Validating exploitation success through feedback analysis
A key characteristic of these agents is their ability to maintain state across interactions, enabling them to execute complex, non-linear attack chains. For instance, an agent may identify a vulnerable API endpoint, extract authentication tokens, and subsequently leverage those tokens to access restricted resources.
While these systems demonstrate significant potential, they also introduce challenges related to reliability and control. Errors in reasoning or hallucinated outputs can lead to inef-fective or unintended actions, highlighting the need for human oversight.
VIII. LLMs in Penetration Testing
...intro paragraph...
A. Human-Centered Co-Pilot Model
...full detailed explanation...
B. Autonomous Agent Model
...full detailed explanation...
IX. Adversarial Capabilities of LLMs
The offensive capabilities of LLMs represent one of the most significant shifts in modern cybersecurity. By enabling automated reasoning and content generation, these systems can be leveraged to enhance multiple stages of cyber attacks.
A. Polymorphic Payload Generation
Traditional malware detection systems rely heavily on static signatures and known behavioral patterns. However, LLMs en-able the generation of polymorphic payloads that dynamically alter their structure while preserving functionality.
This form of semantic polymorphism differs from earlier ap-proaches that focused on superficial code obfuscation. Instead, LLMs can rewrite entire code segments, modify execution logic, and adapt payloads to specific environments. As a result, each instance of a payload may appear unique, significantly re-ducing the effectiveness of signature-based detection systems.
B. AI-Driven Social Engineering
Social engineering has historically relied on manual craft-ing of phishing messages and deception strategies. LLMs dramatically enhance this capability by enabling large-scale, automated, and highly personalized attack campaigns.
By analyzing publicly available information, LLMs can generate messages that mimic the tone, style, and context of legitimate communication. This level of personalization increases the likelihood of successful attacks, particularly in targeted spear-phishing scenarios.
Furthermore, advancements in multimodal AI enable in-tegration with voice synthesis and video generation tech-nologies, creating more convincing and sophisticated attack vectors.
C. Automated Exploit Development
Another critical capability of LLMs is their ability to trans-late vulnerability descriptions into executable exploit logic. This reduces the technical expertise required to perform ad-vanced attacks.
For example, given a description of a known vulnerability, an LLM can generate step-by-step exploitation strategies, identify potential bypass techniques, and suggest modifications based on target constraints. This significantly accelerates the attack lifecycle and lowers the barrier to entry for malicious actors.
X. Results and Case Studies
To evaluate the effectiveness of LLMs in penetration testing, multiple controlled experiments were conducted across simu-lated vulnerable environments. Each case study represents a commonly exploited vulnerability class.
In addition to identifying individual vulnerabilities, the LLM demonstrated the ability to provide contextual expla-nations of attack impact. For instance, in SQL injection sce-narios, the model not only identified injection points but also explained how attackers could escalate privileges or extract sensitive data.
Similarly, in cross-site scripting cases, the model outlined potential consequences such as session hijacking and unau-thorized actions performed on behalf of users. This level of contextual understanding highlights the advantage of LLMs over traditional tools, which typically focus on detection without providing detailed reasoning.
Another notable observation was the model’s adaptability. When initial prompts yielded incomplete responses, iterative refinement allowed the model to produce more accurate and detailed outputs. This behavior aligns with findings from prior research on chain-of-thought prompting, which enhances reasoning performance in LLMs [14].
A. Case Study 1: SQL Injection
A web application with a vulnerable login form was used to test SQL injection capabilities. The LLM was prompted to analyze the input field behavior and suggest potential attack vectors.
The model successfully identified the possibility of injection by recognizing unsanitized inputs and suggested inference-based techniques such as time-delay queries.
Observations:
- • Correct identification of injection point
- • Suggestion of multiple exploitation strategies
- • Ability to adapt approach based on feedback
B. Case Study 2: Cross-Site Scripting (XSS)
In this scenario, the model was tasked with analyzing user input fields that reflected data without proper encoding.
The LLM generated conceptual payload structures for script injection and described how attackers could use such payloads for session hijacking and data exfiltration.
Observations:
- • Accurate identification of vulnerable input reflection
- • Generation of multiple payload variations
- • Context-aware explanation of attack impact
C. Case Study 3: Clickjacking
A web interface lacking proper frame protection was ana-lyzed. The model identified the absence of defensive headers and described UI redressing techniques.
Observations:
- • Identification of missing security controls
- • Explanation of layered interface manipulation
- • Suggestion of mitigation strategies
D. Case Study 4: Chained Vulnerabilities
The most significant results were observed in scenar-ios involving multiple low-severity vulnerabilities. The LLM demonstrated the ability to combine these into a high-impact attack path.
For example, the model linked an information disclosure vulnerability with weak authentication to propose a privilege escalation scenario.
Observations:
- • Multi-step reasoning capability
- • Identification of hidden attack paths
- • Contextual linking of vulnerabilities
E. Performance Consistency Analysis
To evaluate consistency, multiple runs were conducted using similar prompts with minor variations. The LLM demonstrated stable performance in identifying high-level vulnerabilities, particularly in well-defined scenarios such as SQL injection and cross-site scripting.
However, variability was observed in edge cases involving complex logic flaws. In such scenarios, the model occasionally produced incomplete or overly generalized responses. This behavior suggests that while LLMs are effective for initial analysis, deeper validation is required for critical systems.
Despite these limitations, the overall consistency remained significantly higher compared to traditional tools when ana-lyzing contextual vulnerabilities.
XI. Quantitative Evaluation
To complement qualitative observations, a simulated eval-uation was conducted to measure the effectiveness of LLM-assisted penetration testing.
A. Experimental Setup
A dataset of 50 simulated vulnerabilities across different categories was created. Each vulnerability was tested using both traditional tools and LLM-assisted analysis.
B. Performance Metrics
The evaluation focused on the following metrics:
- • Detection Accuracy
- • Time to Identify Vulnerability
- • Depth of Analysis
- • False Positives
C. Results
Table 3.
Performance Comparison.
| Metric | Traditional Tools | LLM-Based |
| Detection Accuracy | 72% | 89% |
| Avg. Time (minutes) | 45 | 18 |
| Depth of Analysis | Moderate | High |
| False Positives | 15% | 9% |
The results indicate that LLM-assisted approaches outper-form traditional tools in both accuracy and efficiency. The re-duction in analysis time highlights the automation capabilities of LLMs.
D. Analysis
The higher detection accuracy can be attributed to the model’s ability to understand contextual relationships between system components. Unlike traditional tools, which rely on predefined signatures, LLMs can infer vulnerabilities based on logic and behavior.
Additionally, the reduced false positive rate suggests im-proved precision in vulnerability identification. However, it is important to note that occasional hallucinations may still occur, requiring human validation.
XII. Extended Discussion
LLMs significantly reduce penetration testing time by au-tomating repetitive tasks. However, hallucinations remain a key limitation.
The democratization of cyber capabilities represents a major shift, enabling less skilled individuals to perform advanced attacks.
An additional advantage of LLM-based systems is their ability to generalize across different environments. Unlike traditional tools that require predefined rules or signatures, LLMs can adapt their analysis based on context and partial information. This makes them particularly effective in dynamic environments where system configurations frequently change. However, this flexibility also introduces variability in out-put quality. Since LLM responses are probabilistic, repeated executions of the same prompt may yield slightly different results. This inconsistency highlights the importance of human validation in security-critical workflows.
Furthermore, the reliance on natural language prompts in-troduces a new dimension to cybersecurity, where the effec-tiveness of an attack or defense may depend on how queries are formulated. This shift emphasizes the growing importance of prompt engineering as a skill in cybersecurity applications.
XIII. Limitations of Evaluation
While the results demonstrate promising improvements, several limitations must be acknowledged.
First, the evaluation was conducted in a controlled environ-ment with simulated vulnerabilities. Real-world systems may present additional complexities that affect performance.
Second, the reliance on qualitative interpretation introduces subjectivity in assessing reasoning depth.
Finally, LLM outputs are inherently probabilistic, meaning results may vary across different runs and configurations.
XIV. Defensive Countermeasures
While LLMs enhance offensive capabilities, they also pro-vide opportunities for strengthening defensive systems.
A. AI-Assisted Defense
Organizations can leverage LLMs to:
- • Automate vulnerability scanning
- • Analyze logs for anomalous behavior
- • Generate real-time security recommendations
B. Prompt Injection Mitigation
As LLMs become integrated into security workflows, pro-tecting them from prompt injection attacks becomes critical. Techniques include:
- • Input sanitization
- • Context isolation
- • Output validation
C. Adaptive Security Systems
Future security systems must incorporate adaptive mecha-nisms that evolve alongside AI-driven threats. This includes real-time learning and automated response strategies.
XV. Real-World Implications
The integration of LLMs into cybersecurity has significant implications for organizations, governments, and individuals.
A. Enterprise Security
Organizations face increased risk due to automated attack capabilities. Security teams must adapt by incorporating AI-driven tools into their defense strategies.
B. Cybercrime Evolution
The accessibility of LLMs enables less experienced individ-uals to perform advanced attacks, contributing to the growth of cybercrime.
C. Policy and Regulation
Governments must develop policies to regulate the use of AI in cybersecurity while balancing innovation and security concerns.
XVI. Limitations of LLM-Based Security Systems
Despite their advantages, LLMs have inherent limitations that affect their reliability in cybersecurity applications.
A. Hallucinations
LLMs may generate incorrect or misleading outputs, which can lead to ineffective or harmful actions.
B. Lack of Ground Truth Verification
Models do not inherently verify the correctness of their outputs, requiring human validation.
C. Dependency on Training Data
The performance of LLMs is influenced by the quality and scope of their training data, which may not cover all vulnerability scenarios.
XVII. LLMs Across the Attack Lifecycle
LLMs can be integrated into each phase of the cyber attack lifecycle.
A. Reconnaissance
LLMs analyze publicly available data to identify potential targets and vulnerabilities.
B. Weaponization
Models assist in generating payloads and exploit strategies.
C. Delivery and Exploitation
LLMs guide execution strategies and adapt based on system responses.
D. Post-Exploitation
Models assist in maintaining access and extracting valuable data.
This demonstrates the end-to-end applicability of LLMs in modern cyber attacks.
XVIII. Practical Deployment Challenges
Despite their advantages, deploying LLMs in real-world cybersecurity environments presents several challenges.
A. Integration with Existing Systems
Most organizations rely on established security tools and workflows. Integrating LLMs into these systems requires com-patibility with existing infrastructure, including log manage-ment systems, intrusion detection systems, and vulnerability scanners.
B. Performance Overhead
LLMs require significant computational resources, which may limit their real-time applicability. While cloud-based deployment can address scalability concerns, it introduces additional considerations related to latency and cost.
C. Security Risks
The use of LLMs in security workflows introduces new attack vectors, such as prompt injection and data leakage. Ensuring secure interaction with these models is critical to prevent misuse.
XIX. Scalability Considerations
The scalability of LLM-based penetration testing systems is an important factor in their practical deployment.
A. Horizontal Scalability
LLMs deployed in cloud environments can scale horizon-tally to handle large volumes of data and multiple concurrent analyses. This allows organizations to perform large-scale vul-nerability assessments more efficiently compared to traditional manual approaches.
B. Automation at Scale
By integrating LLMs with automated pipelines, organiza-tions can continuously monitor systems for vulnerabilities. This enables real-time detection and reduces the time between vulnerability discovery and remediation.
C. Resource Constraints
Despite their scalability advantages, LLMs require signifi-cant computational resources. Efficient deployment strategies, such as model optimization and selective querying, are neces-sary to balance performance and cost.
XX. Comparison with Existing Security Tools
Traditional penetration testing tools such as vulnerability scanners and exploitation frameworks rely on predefined rules and known attack patterns. While effective for identifying known vulnerabilities, these tools are limited in their ability to detect complex logic-based issues.
In contrast, LLM-based systems leverage contextual reason-ing to analyze system behavior. This allows them to identify vulnerabilities that emerge from the interaction between com-ponents rather than isolated weaknesses.
Additionally, LLMs provide explanatory outputs, helping analysts understand the reasoning behind detected vulnerabili-ties. This contrasts with traditional tools, which often provide limited context.
However, it is important to note that LLMs are not a replacement for traditional tools. Instead, they complement existing systems by enhancing analysis capabilities and im-proving efficiency.
XXI. Human-AI Collaboration in Cybersecurity
Rather than replacing human experts, LLMs are most ef-fective when used as collaborative tools. The combination of human intuition and AI-driven analysis enables more efficient and accurate security assessments.
Human analysts provide domain expertise and critical thinking, while LLMs handle data processing and pattern recognition. This synergy allows for faster identification of vulnerabilities and more comprehensive analysis.
Studies suggest that hybrid human-AI systems outperform both fully automated and fully manual approaches, particularly in complex security scenarios [13].
XXII. Future Threat Landscape
The continued advancement of LLMs is expected to reshape the cybersecurity threat landscape.
A. Automation of Cyber Attacks
As LLM capabilities improve, attackers will increasingly rely on automated systems to conduct large-scale attacks. This shift will likely result in higher attack frequency and reduced time between vulnerability discovery and exploitation.
B. Adaptive Malware
Future malware may leverage AI techniques to dynami-cally adapt to detection mechanisms. This includes modifying behavior based on system responses and evading traditional security controls.
C. Defensive Evolution
In response to these threats, defensive systems must evolve to incorporate AI-driven detection and response mechanisms. This includes real-time analysis, automated mitigation, and continuous learning systems.
XXIII. Ethical Considerations
The dual-use nature of LLMs raises concerns regarding mis-use, requiring stronger governance and AI safety frameworks.
XXIV. Future Work
Future research should focus on:
- • AI alignment
- • Hybrid human-AI systems
- • Defensive AI architectures
XXV. Conclusion
LLMs represent a transformative shift in cybersecurity. While they enhance detection and automation, they also in-troduce new risks that require adaptive solutions.
In addition, the integration of LLMs into cybersecurity workflows highlights the need for interdisciplinary approaches that combine artificial intelligence, software engineering, and security expertise. As these technologies continue to evolve, their responsible deployment will play a critical role in shaping the future of digital security.
References
- Shen, Y.; et al. PentestGPT: An LLM-Empowered Penetration Testing Agent. arXiv 2023, arXiv:2308.06713. [Google Scholar]
- Fang, R. et al., ”On the Effectiveness of Large Language Models for Penetration Testing. arXiv 2025, arXiv:2507.00829. [Google Scholar]
- Zou, A. et al., ”Universal and Transferable Adversarial Attacks on Aligned Language Models. arXiv 2023, arXiv:2307.15043. [Google Scholar]
- Chen, B. et al., ”Large Language Models for Code Vulnerability Detec-tion. arXiv 2023, arXiv:2310.05409. [Google Scholar]
- Brundage, M. et al., ”The Malicious Use of Artificial Intelligence: Fore-casting, Prevention, and Mitigation. arXiv 2018, arXiv:1802.07228. [Google Scholar]
- OWASP Foundation. OWASP Top 10 Web Application Security Risks. 2021. Available online: https://owasp.org.
- Brown, T.; et al. Language Models are Few-Shot Learners. Proc. NeurIPS, 2020. [Google Scholar]
- Vaswani, A.; et al. Attention Is All You Need. Proc. NeurIPS, 2017. [Google Scholar]
- Chen, M. et al., ”Evaluating Large Language Models Trained on Code. arXiv 2021, arXiv:2107.03374. [Google Scholar]
- MITRE. Common Weakness Enumeration (CWE). 2023.
- Available online: https://cwe.mitre.org.
- NIST, ”Guide to Penetration Testing,” Special Publication 800-115, 2008.
- Maynor, R.; Mookhey, D. Metasploit Toolkit for Penetration Test-ing. 2007. [Google Scholar]
- Garfinkel, S.; et al. AI and the Future of Cybersecurity. IEEE Security & Privacy, 2020. [Google Scholar]
- Wei, J.; et al. Chain-of-Thought Prompting Elicits Reasoning in Large Language Models. arXiv 2022. [Google Scholar]
- ENISA. Threat Landscape Report; European Union Agency for Cy-bersecurity, 2023. [Google Scholar]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
