Cybersecurity AI: A Game-Theoretic AI for Guiding Attack and Defense

TL;DR

This paper introduces G-CTR, a game-theoretic guidance layer for cybersecurity AI that enhances strategic reasoning, improves efficiency, and outperforms baseline methods in attack and defense scenarios.

Contribution

The paper presents G-CTR, a novel game-theoretic framework that guides cybersecurity AI agents, significantly improving their strategic capabilities and efficiency over existing approaches.

Findings

G-CTR matches 70-90% of expert graph structures

Achieves 60-245x faster and 140x cheaper analysis

Doubles success rate and reduces variance in cyber exercises

Abstract

AI-driven penetration testing now executes thousands of actions per hour but still lacks the strategic intuition humans apply in competitive security. To build cybersecurity superintelligence --Cybersecurity AI exceeding best human capability-such strategic intuition must be embedded into agentic reasoning processes. We present Generative Cut-the-Rope (G-CTR), a game-theoretic guidance layer that extracts attack graphs from agent's context, computes Nash equilibria with effort-aware scoring, and feeds a concise digest back into the LLM loop \emph{guiding} the agent's actions. Across five real-world exercises, G-CTR matches 70--90% of expert graph structure while running 60--245x faster and over 140x cheaper than manual analysis. In a 44-run cyber-range, adding the digest lifts success from 20.0% to 42.9%, cuts cost-per-success by 2.7x, and reduces behavioral variance by 5.2x. In Attack-and-Defense exercises, a shared digest produces the Purple agent, winning roughly 2:1 over the LLM-only baseline and 3.7:1 over independently guided teams. This closed-loop guidance is what produces the breakthrough: it reduces ambiguity, collapses the LLM's search space, suppresses hallucinations, and keeps the model anchored to the most relevant parts of the problem, yielding large gains in success rate, consistency, and reliability.