Stable Agentic Control: Tool-Mediated LLM Architecture for Autonomous Cyber Defense
Kerri Prinos, Lilianne Brush, Cameron Denton, Zhanqi Wang, Joshua Knox, Snehal Antani, Anton Foltz, Amy Villaseñor

TL;DR
This paper introduces a tool-mediated LLM architecture with formal guarantees for autonomous cyber defense, demonstrating stability and robustness against adversarial attacks in real enterprise scenarios.
Contribution
It presents a novel architecture combining deterministic tools and formal certification to ensure controllability and robustness in high-stakes decision-making under adversarial conditions.
Findings
Reduces attacker's expected payoff by 59% in real attack graphs
Certifies controllability and stability using formal methods in Lean 4
Demonstrates architectural stability regardless of controller capability
Abstract
Agentic systems involved in high-stakes decision-making under adversarial pressure need formal guarantees not offered by existing approaches. Motivated by the operational needs of security operations centers (SOCs) that must configure endpoint detection and response (EDR) policies under adversarial pressure, we present a tool-mediated architecture: LLM agents use deterministic tools (Stackelberg best-response, Bayesian observer updates, attack-graph primitives) and select from finite action catalogs enforced at the tool-output interface. A composite Lyapunov function machine-checked in Lean 4 with zero sorry certifies controllability, observability from asymmetric sensor data, and Input-to-State Stability (ISS) robustness under intelligent adversarial disturbance, with two corollaries extending the certificate to any controller or adversary from the catalogs. On 282 real enterprise…
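The following is an added illustration of the loop the abstract describes, written for this page; it is not code from the paper or its authors. It assumes a constructed four-entry EDR action catalog, a three-node attack graph (workstation, file server, domain controller), a per-node detection probability that stands in for the asymmetric sensors, and a constructed attacker payoff table. The point it makes is the architectural one: the LLM's free text never reaches execution, it is reduced to a catalog identifier at the tool-output gate or rejected, and a rejection falls back to the deterministic Stackelberg best-response tool rather than to anything outside the catalog. The observer update also shows why sensor asymmetry matters: a workstation alert localizes the attacker more sharply than a domain-controller alert, and the best-response tool picks a different catalog action for each.

```python
"""Toy tool-mediated defense loop in the shape the abstract describes. All names,
the 3-node attack graph, sensor model and payoff table are constructed for this
illustration; nothing here is the paper's own code."""
import re

# Finite action catalog (constructed). The controller can only ever emit one of these.
ACTION_CATALOG = frozenset({"no_op", "isolate_host", "block_hash", "raise_telemetry"})

# Constructed attack graph: the attacker may stay put or move one hop per step.
NODES = ("workstation", "fileserver", "dc")
REACH = {"workstation": ("workstation", "fileserver"),
         "fileserver": ("fileserver", "dc"),
         "dc": ("dc",)}

# Asymmetric sensors: P(alert | attacker present) differs per node; false alerts are rare.
DETECT_PROB = {"workstation": 0.9, "fileserver": 0.5, "dc": 0.2}
FALSE_ALERT = 0.05

# Attacker's one-step payoff when at node n while the defender applies action a.
# (Constructed; isolating the DC is out of policy, so isolate_host does nothing there.)
ATTACKER_PAYOFF = {
    "no_op":           {"workstation": 1.0, "fileserver": 3.0, "dc": 10.0},
    "isolate_host":    {"workstation": 0.2, "fileserver": 0.5, "dc": 10.0},
    "block_hash":      {"workstation": 0.5, "fileserver": 1.0, "dc": 6.0},
    "raise_telemetry": {"workstation": 0.8, "fileserver": 2.0, "dc": 8.0},
}


def enforce_catalog(llm_output):
    """Tool-output gate. Free text from the LLM is never executed; it is reduced to a
    catalog identifier or rejected (None). Text around the identifier is ignored, so
    an injected instruction in the model's output cannot widen the action space."""
    m = re.search(r"\bACTION:\s*([A-Za-z_]+)", llm_output)
    if m and m.group(1).lower() in ACTION_CATALOG:
        return m.group(1).lower()
    return None


def observer_update(belief, alerts):
    """Deterministic Bayesian observer: posterior P(attacker at node) from per-node
    alert flags, each alert treated as an independent noisy sensor."""
    post = {}
    for n in NODES:
        like = 1.0
        for m in NODES:
            p_alert = DETECT_PROB[m] if m == n else FALSE_ALERT
            like *= p_alert if alerts.get(m, False) else 1.0 - p_alert
        post[n] = belief[n] * like
    z = sum(post.values())
    return {n: v / z for n, v in post.items()}


def expected_attacker_payoff(action, belief):
    """Attacker (follower) sees the committed action and moves to the reachable node
    maximising payoff; the defender knows the attacker's position only as a belief."""
    return sum(belief[n] * max(ATTACKER_PAYOFF[action][m] for m in REACH[n]) for n in NODES)


def stackelberg_best_response(belief):
    """Defender (leader) commits to the catalog action minimising the attacker's
    best-response payoff. Sorted iteration makes tie-breaking deterministic."""
    return min(sorted(ACTION_CATALOG), key=lambda a: expected_attacker_payoff(a, belief))


def control_step(belief, alerts, llm_output):
    """One loop iteration: update the belief, gate the LLM proposal, and fall back to
    the best-response tool when the proposal is rejected. Returns (belief, action, source)."""
    post = observer_update(belief, alerts)
    action = enforce_catalog(llm_output)
    if action is None:
        return post, stackelberg_best_response(post), "tool_fallback"
    return post, action, "llm"


if __name__ == "__main__":
    prior = {n: 1.0 / len(NODES) for n in NODES}
    # Constructed observation: only the well-instrumented workstation raised an alert.
    post, action, source = control_step(prior, {"workstation": True},
                                        "ACTION: wipe_and_reinstall_everything")
    print({n: round(p, 3) for n, p in post.items()}, action, source)
```

The fallback path is what makes the gate safe rather than merely strict: a rejected proposal does not stall the loop or hand control back to the model, it hands it to a deterministic tool whose output is itself drawn from the catalog, so every action the system can take is one the certificate quantifies over.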
