ExCyTIn-Bench: Evaluating LLM agents on Cyber Threat Investigation
Yiran Wu, Mauricio Velazco, Andrew Zhao, Manuel Raúl Meléndez Luján, Srisuma Movva, Yogesh K Roy, Quang Nguyen, Roberto Rodriguez, Qingyun Wu, Michael Albada, Julia Kiseleva, Anand Mudgerikar

TL;DR
ExCyTIn-Bench is a benchmark for evaluating LLM agents on cyber threat investigation, using real security logs from a controlled Azure tenant and questions generated from investigation graphs; the best model evaluated reaches a reward of 0.606, leaving substantial room for improvement.
Contribution
This work introduces the first benchmark for LLM-based cyber threat investigation, utilizing real logs and graph-structured questions for automatic, explainable evaluation.
Findings
The best model achieves a reward of 0.606, indicating room for improvement.
The benchmark is built from a controlled Azure tenant, exposed as a SQL environment over 57 log tables from Microsoft Sentinel and related services, and contains 7542 questions.
Questions are generated from security logs and the investigation graphs derived from them, so each answer is tied to an explainable chain of evidence.
Abstract
We present ExCyTIn-Bench, the first benchmark to Evaluate an LLM agent X on the task of Cyber Threat Investigation through security questions derived from investigation graphs. Real-world security analysts must sift through large volumes of heterogeneous security logs and follow multi-hop chains of evidence to investigate threats. With recent developments in LLMs, building LLM-based agents for automatic threat investigation is a promising direction. We construct a benchmark from a controlled Azure tenant including a SQL environment covering 57 log tables from Microsoft Sentinel and related services, and 7542 generated questions. We leverage security logs extracted with expert-crafted detection logic to build threat investigation graphs, and then generate questions with LLMs using paired nodes on the graph, taking the start node as background context and the end node as answer. Anchoring each…
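The abstract describes a pipeline: run detection logic over raw log rows, turn the hits into a graph of linked entities, then pair a start node (given to the agent as context) with a reachable end node (the answer) so that the path between them is the explanation. The following is an added illustration of that pairing step, not the paper's own code. The log rows, table and field names, detection rules and question template are all constructed for the example; ExCyTIn-Bench generates the question text with an LLM, whereas this toy uses a fixed template so the output is deterministic.

```python
from collections import defaultdict, deque

# Constructed sample log rows (not real telemetry). Field names are assumed,
# loosely modelled on Microsoft Sentinel tables; only the shape matters here.
SIGNIN_LOGS = [
    {"Time": "2024-05-01T09:01:00Z", "User": "alice@contoso.example",
     "IPAddress": "203.0.113.7", "Result": "Success"},
    {"Time": "2024-05-01T09:05:00Z", "User": "bob@contoso.example",
     "IPAddress": "198.51.100.4", "Result": "Failure"},
]
SECURITY_EVENTS = [
    {"Time": "2024-05-01T09:02:10Z", "Computer": "WS-01", "Account": "alice@contoso.example",
     "EventID": 4688, "NewProcessName": "powershell.exe", "CommandLine": "powershell -enc AAAA"},
    {"Time": "2024-05-01T09:02:30Z", "Computer": "WS-01", "Account": "alice@contoso.example",
     "EventID": 4688, "NewProcessName": "notepad.exe", "CommandLine": "notepad.exe"},
]
DNS_EVENTS = [
    {"Time": "2024-05-01T09:03:00Z", "Computer": "WS-01",
     "Process": "powershell.exe", "Query": "evil.example"},
]


def node(kind, value):
    """Typed graph node, e.g. ("account", "alice@contoso.example")."""
    return (kind, value)


def run_detections():
    """Toy stand-in for expert-crafted detection logic (assumed rules, not the
    benchmark's). Each rule that fires contributes edges
    (src_node, relation, dst_node, evidence) to the investigation graph."""
    edges = []
    for r in SIGNIN_LOGS:  # rule 1: successful sign-in links account -> source IP
        if r["Result"] == "Success":
            edges.append((node("account", r["User"]), "signed_in_from",
                          node("ip", r["IPAddress"]), f"SigninLogs {r['Time']}"))
    for r in SECURITY_EVENTS:  # rule 2: encoded PowerShell via process creation (4688)
        if r["EventID"] == 4688 and "-enc" in r["CommandLine"].lower():
            proc = node("process", r["NewProcessName"])
            ev = f"SecurityEvent {r['Time']} EventID 4688"
            edges.append((node("account", r["Account"]), "executed", proc, ev))
            edges.append((proc, "ran_on", node("host", r["Computer"]), ev))
    for r in DNS_EVENTS:  # rule 3: process -> domain it resolved
        edges.append((node("process", r["Process"]), "resolved",
                      node("domain", r["Query"]), f"DnsEvents {r['Time']}"))
    return edges


def build_graph(edges):
    """Directed adjacency list: node -> [(relation, next_node, evidence)]."""
    adj = defaultdict(list)
    for src, rel, dst, ev in edges:
        adj[src].append((rel, dst, ev))
    return adj


def generate_questions(adj, max_hops=3):
    """For every start node, walk outward (BFS) and emit one question per reachable
    end node. Context = start node, answer = end node, and the evidence chain
    (the path of edges) is the explanation that makes grading automatic."""
    questions = []
    for start in list(adj):
        parent = {start: None}
        queue = deque([(start, 0)])
        while queue:
            cur, depth = queue.popleft()
            if depth == max_hops:
                continue
            for rel, nxt, ev in adj.get(cur, []):
                if nxt in parent:  # already reached by a shorter path
                    continue
                parent[nxt] = (cur, rel, ev)
                queue.append((nxt, depth + 1))
                chain, n = [], nxt  # reconstruct the start -> nxt evidence path
                while parent[n] is not None:
                    prev, r, e = parent[n]
                    chain.append((prev, r, n, e))
                    n = prev
                chain.reverse()
                questions.append({
                    "context": start, "answer": nxt, "hops": len(chain),
                    # Fixed template; the benchmark itself phrases questions with an LLM.
                    "question": (f"An investigation starts at {start[0]} {start[1]}. "
                                 f"Which {nxt[0]} is connected to it by the chain of evidence?"),
                    "evidence": chain,
                })
    return questions


if __name__ == "__main__":
    for q in generate_questions(build_graph(run_detections())):
        print(f"[{q['hops']} hop(s)] {q['question']} -> {q['answer'][1]}")
        for prev, rel, nxt, ev in q["evidence"]:
            print(f"    {prev[1]} --{rel}--> {nxt[1]}   ({ev})")
```

Two things the toy makes visible: the failed sign-in and the benign notepad.exe launch never reach the graph because no rule fires on them, so they can never become answers, and the two-hop question from alice's account to evil.example carries its own grading key (the `executed` then `resolved` edges), which is what lets a benchmark of this shape score an agent's answer without a human in the loop.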
