CIPHER: Cybersecurity Intelligent Penetration-testing Helper for Ethical Researcher

TL;DR

CIPHER is a specialized large language model designed to assist ethical cybersecurity researchers in penetration testing, trained on extensive hacking literature and evaluated with a novel benchmark to improve AI-driven cybersecurity tools.

Contribution

We introduce CIPHER, a large language model tailored for penetration testing, and a new FARR Flow augmentation method for benchmarking AI in cybersecurity tasks.

Findings

CIPHER outperforms similar-sized models and larger state-of-the-art models in penetration testing tasks.

FARR Flow augmentation provides a realistic benchmark for evaluating AI in penetration testing.

Current general LLMs are insufficient for effective penetration testing guidance.

Abstract

Penetration testing, a critical component of cybersecurity, typically requires extensive time and effort to find vulnerabilities. Beginners in this field often benefit from collaborative approaches with the community or experts. To address this, we develop CIPHER (Cybersecurity Intelligent Penetration-testing Helper for Ethical Researchers), a large language model specifically trained to assist in penetration testing tasks. We trained CIPHER using over 300 high-quality write-ups of vulnerable machines, hacking techniques, and documentation of open-source penetration testing tools. Additionally, we introduced the Findings, Action, Reasoning, and Results (FARR) Flow augmentation, a novel method to augment penetration testing write-ups to establish a fully automated pentesting simulation benchmark tailored for large language models. This approach fills a significant gap in traditional cybersecurity Q\&A benchmarks and provides a realistic and rigorous standard for evaluating AI's technical knowledge, reasoning capabilities, and practical utility in dynamic penetration testing scenarios. In our assessments, CIPHER achieved the best overall performance in providing accurate suggestion responses compared to other open-source penetration testing models of similar size and even larger state-of-the-art models like Llama 3 70B and Qwen1.5 72B Chat, particularly on insane difficulty machine setups. This demonstrates that the current capabilities of general LLMs are insufficient for effectively guiding users through the penetration testing process. We also discuss the potential for improvement through scaling and the development of better benchmarks using FARR Flow augmentation results. Our benchmark will be released publicly at https://github.com/ibndias/CIPHER.