← Back to brief
ResearchOfficialPreprintarXiv Cryptography and Security

Fully Automated End-to-End Adversary Emulation from MITRE ATT&CK-Based Cyber Threat Intelligence Using LLMs

Jul 17, 2026

Researchers have developed a fully automated framework that uses large language models (LLMs) to generate, execute, and revise adversary emulation playbooks directly from MITRE ATT&CK-aligned cyber threat intelligence (CTI) reports. The system unifies playbook generation, execution, and failure recovery, eliminating the need for manual intervention present in previous approaches. In evaluations on 11 CTI reports using four leading LLMs, the framework achieved its best performance with Claude Sonnet 4.5, reaching 84.22% execution success after revision and a CTI F1 score of 60.50%. The failure recovery mechanism improved execution success rates by 14.59 to 17.23 percentage points across all tested models.

Why it matters: This work represents a significant advance in automated cybersecurity testing, enabling more scalable and responsive adversary emulation by minimizing manual effort.

Full story at: arXiv Cryptography and Security