AttackGen: An Automated Cybersecurity Exercise Tool Combining Large Language Models and MITRE ATT&CK

A cybersecurity incident response testing tool that leverages large language models and the MITRE ATT&CK framework to generate customized exercise scenarios based on specific threat groups and enterprise information.

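Tags: Cybersecurity, MITRE ATT&CK, Large Language Models, Incident Response Exercises, Threat Intelligence, Red-Blue Team Exercises, Security Operations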
Published 2026-05-31 03:15 | Recent activity 2026-05-31 03:21 | Estimated read 7 min

Section 01

AttackGen Tool Guide: An Automated Exercise Solution Combining LLM and MITRE ATT&CK

AttackGen is an automated cybersecurity incident response testing tool that combines large language models (LLMs) with the MITRE ATT&CK framework. It aims to address pain points in traditional exercises such as limited scenario variety, high costs, insufficient preparation, and outdated content. It can generate customized exercise scenarios based on specific threat groups and enterprise information, helping security teams run exercises cheaply and efficiently and improve their incident response capabilities.


Section 02

Pain Points of Cybersecurity Exercises and Background of the MITRE ATT&CK Framework

Pain Points of Cybersecurity Exercises

Against the backdrop of digital transformation, cybersecurity incidents occur frequently, but traditional exercises suffer from limited scenario variety (reliance on historical cases or fixed scripts), high costs (the need to hire red teams or third parties), insufficient preparation (disconnection from actual threats), and outdated content (inability to keep up with the latest attack techniques).

Introduction to the MITRE ATT&CK Framework

MITRE ATT&CK is a globally recognized open-source knowledge base of cyber attack tactics and techniques. It breaks down attacks into tactical phases (such as initial access, execution, etc.) and specific techniques, records the tactical and technical combinations of known threat groups, provides a structured language to describe cyber threats, and helps security practitioners communicate attack behaviors accurately.


Section 03

AttackGen's Working Principle and LLM Application Logic

AttackGen's Working Principle

  1. Threat Group Selection: Select a specific threat group (APT, ransomware gang, etc.) from the ATT&CK database, and generate scenarios based on their tactical preferences and technical combinations;
  2. Enterprise Information Input: Users input contextual information such as industry attributes, technology stack, security maturity, and key assets;
  3. Intelligent Scenario Generation: The LLM combines threat group characteristics and enterprise information to generate a complete scenario including attack background, path, timeline, detection opportunities, and response key points.

Why Use LLM?

LLMs excel at connecting discrete ATT&CK techniques into coherent scenarios, injecting real-world details (time, IP, etc.), adjusting complexity, supporting multiple languages, and quickly integrating new attack techniques through prompt engineering.


Section 04

Practical Application Scenarios of AttackGen

AttackGen is suitable for multiple scenarios:

  • Incident Response Team Training: Generate realistic scenarios for SOC analysts to practice the full process of detection, analysis, containment, and recovery;
  • Tabletop Exercises: Let management discuss decisions and verify the effectiveness of emergency plans, at low cost and with little organizational effort;
  • Red-Blue Team Exercise Preparation: Blue teams can study attack paths in advance and strengthen defenses in a targeted way;
  • Security Awareness Training: Generate specific scenarios to create training materials and improve employees' security awareness.

Section 05

Technical Implementation and Usage of AttackGen

AttackGen is an open-source tool that supports local deployment (to protect sensitive information) and is compatible with multiple LLM backends (users can choose as needed). Usage process: Select a threat group → Input enterprise information → Wait for the model to generate the scenario → Export in multiple formats for archiving/sharing.


Section 06

Limitations and Precautions of AttackGen

When using AttackGen, note the following:

  • LLM Hallucination Issue: The model may generate content that does not conform to ATT&CK definitions, so output requires review by security experts;
  • Authenticity Boundary: Scenarios are based on known techniques, so they cannot cover zero-day vulnerabilities or custom tools;
  • Data Privacy: Local deployment is more secure; cloud APIs may leak enterprise information, so sensitive industries are advised to use local open-source models.
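
A review aid for the hallucination issue above, as an added example (not AttackGen's own code): it extracts the ATT&CK technique IDs cited in a generated scenario and flags any that are absent from the knowledge base or not linked to the threat group selected in step 1 of the working principle. The bundle, group name, scenario text and function names are constructed for illustration; only the STIX object layout follows the public ATT&CK data format.

```python
import re

# Constructed, minimal ATT&CK-style STIX bundle. The group and its "uses"
# relationships are invented for this demo; they are not real ATT&CK data.
def _tech(ref, name, tid):
    return {"type": "attack-pattern", "id": ref, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}

def _uses(group_ref, tech_ref):
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": group_ref, "target_ref": tech_ref}

BUNDLE = {"objects": [
    {"type": "intrusion-set", "id": "intrusion-set--demo", "name": "Example Group"},
    _tech("attack-pattern--a", "Phishing", "T1566"),
    _tech("attack-pattern--b", "Valid Accounts", "T1078"),
    _tech("attack-pattern--c", "Data Encrypted for Impact", "T1486"),
    _uses("intrusion-set--demo", "attack-pattern--a"),
    _uses("intrusion-set--demo", "attack-pattern--c"),
]}

# Constructed LLM output to be reviewed.
SCENARIO = ("Day 1: phishing email opened by finance staff (T1566). "
            "Day 2: helpdesk credentials reused (T1078). "
            "Day 3: lateral movement (T9999). Day 5: file servers encrypted (T1486).")

TECH_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")  # technique or sub-technique ID

def index_bundle(bundle, group_name):
    """Return (all technique IDs in the bundle, IDs the named group 'uses')."""
    objs = bundle["objects"]
    by_ref = {o["id"]: r["external_id"] for o in objs if o["type"] == "attack-pattern"
              for r in o["external_references"] if r["source_name"] == "mitre-attack"}
    group = next(o["id"] for o in objs
                 if o["type"] == "intrusion-set" and o["name"] == group_name)
    used = {by_ref[o["target_ref"]] for o in objs
            if o["type"] == "relationship" and o["relationship_type"] == "uses"
            and o["source_ref"] == group and o["target_ref"] in by_ref}
    return set(by_ref.values()), used

def review_scenario(text, bundle, group_name):
    """Sort the technique IDs cited in a scenario into review buckets."""
    known, used = index_bundle(bundle, group_name)
    cited = set(TECH_ID.findall(text))
    return {"unknown": sorted(cited - known),                 # not in the knowledge base
            "not_attributed": sorted((cited & known) - used),  # real, but not this group's
            "ok": sorted(cited & used)}

if __name__ == "__main__":
    print(review_scenario(SCENARIO, BUNDLE, "Example Group"))
```

An ID in `unknown` or `not_attributed` is a prompt for the expert reviewer, not proof of error: the scenario may deliberately go beyond the group's recorded techniques.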

Section 07

Significance of AttackGen to the Security Industry and Summary

AttackGen represents the trend of AI-enhanced security capabilities. As an expert assistant, it automates scenario preparation, allowing experts to focus on high-value analysis and decision-making. It lowers the threshold for high-quality exercises and helps more organizations establish effective security testing and training mechanisms. Although it cannot replace professional red team services, it is an efficient and economical solution for daily exercises, tabletop drills, and training material production, and is worth trying for security teams.