AEGIS: White-Box Attack Path Generation using LLMs and Training Effectiveness Evaluation for Large-Scale Cyber Defence Exercises

TL;DR

AEGIS is a system that automates attack path generation for cyber defence exercises using large language models and Monte Carlo Tree Search, reducing development time and matching human-authored scenarios in training effectiveness.

Contribution

The paper introduces AEGIS, a novel system combining LLMs and white-box validation to generate attack paths without pre-existing vulnerability graphs, streamlining scenario creation.

Findings

AEGIS-generated attack paths are comparable to human scenarios in training effectiveness.

Automating exploit discovery reduces scenario development from months to days.

System validated in large-scale cyber defence exercise CIDeX 2025.

Abstract

Creating attack paths for cyber defence exercises requires substantial expert effort. Existing automation requires vulnerability graphs or exploit sets curated in advance, limiting where it can be applied. We present AEGIS, a system that generates attack paths using LLMs, white-box access, and Monte Carlo Tree Search over real exploit execution. LLM-based search discovers exploits dynamically without pre-existing vulnerability graphs, while white-box access enables validating exploits in isolation before committing to attack paths. Evaluation at CIDeX 2025, a large-scale exercise spanning 46 IT hosts, showed that AEGIS-generated paths are comparable to human-authored scenarios across four dimensions of training experience (perceived learning, engagement, believability, challenge). Results were measured with a validated questionnaire extensible to general simulation-based training. By automating exploit chain discovery and validation, AEGIS reduces scenario development from months to days, shifting expert effort from technical validation to scenario design.