From Legacy to Standard: LLM-Assisted Transformation of Cybersecurity Playbooks into CACAO Format

TL;DR

This paper presents a method using Large Language Models and Prompt Engineering to automatically convert legacy cybersecurity playbooks into the standardized CACAO format, enhancing automation and interoperability.

Contribution

It introduces a modular transformation pipeline with syntax checking and iterative refinement, improving accuracy in translating heterogeneous playbooks into a machine-readable standard.

Findings

Significant improvement over baseline models in transformation accuracy

Effective capture of complex workflow structures

Reduction in syntactic errors during conversion

Abstract

Existing cybersecurity playbooks are often written in heterogeneous, non-machine-readable formats, which limits their automation and interoperability across Security Orchestration, Automation, and Response platforms. This paper explores the suitability of Large Language Models, combined with Prompt Engineering, to automatically translate legacy incident response playbooks into the standardized, machine-readable CACAO format. We systematically examine various Prompt Engineering techniques and carefully design prompts aimed at maximizing syntactic accuracy and semantic fidelity for control flow preservation. Our modular transformation pipeline integrates a syntax checker to ensure syntactic correctness and features an iterative refinement mechanism that progressively reduces syntactic errors. We evaluate the proposed approach on a custom-generated dataset comprising diverse legacy playbooks paired with manually created CACAO references. The results demonstrate that our method significantly improves the accuracy of playbook transformation over baseline models, effectively captures complex workflow structures, and substantially reduces errors. It highlights the potential for practical deployment in automated cybersecurity playbook transformation tasks.