On-Premise SLMs vs. Commercial LLMs: Prompt Engineering and Incident Classification in SOCs and CSIRTs

Geft\'e Almeida; Marcio Pohlmann; Alex Severo; Diego Kreutz; Tiago Heinrich; Louren\c{c}o Pereira

arXiv:2511.14908·cs.CR·November 20, 2025

On-Premise SLMs vs. Commercial LLMs: Prompt Engineering and Incident Classification in SOCs and CSIRTs

Geft\'e Almeida, Marcio Pohlmann, Alex Severo, Diego Kreutz, Tiago Heinrich, Louren\c{c}o Pereira

PDF

Open Access

TL;DR

This paper compares open-source and proprietary LLMs for security incident classification, highlighting the trade-offs in accuracy, privacy, cost, and data sovereignty using prompt engineering techniques.

Contribution

It provides a comprehensive evaluation of open-source models against commercial LLMs in security incident classification with novel prompt-engineering methods.

Findings

01

Proprietary models achieve higher accuracy.

02

Open-source models offer better privacy and cost benefits.

03

Prompt engineering improves classification performance.

Abstract

In this study, we evaluate open-source models for security incident classification, comparing them with proprietary models. We utilize a dataset of anonymized real incidents, categorized according to the NIST SP 800-61r3 taxonomy and processed using five prompt-engineering techniques (PHP, SHP, HTP, PRP, and ZSL). The results indicate that, although proprietary models still exhibit higher accuracy, locally deployed open-source models provide advantages in privacy, cost-effectiveness, and data sovereignty.

Peer Reviews

No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.

Taxonomy

TopicsSoftware System Performance and Reliability · Information and Cyber Security · Network Security and Intrusion Detection