English

Retrieval-Augmented LLMs for Security Incident Analysis

Cryptography and Security 2026-05-05 v3 Artificial Intelligence

Abstract

Investigating cybersecurity incidents requires collecting and analyzing evidence from multiple log sources, including intrusion detection alerts, network traffic records, and authentication events. This process is labor-intensive: analysts must sift through large volumes of data to identify relevant indicators and piece together what happened. We present a RAG-based system that performs security incident analysis through targeted query-based filtering and LLM semantic reasoning. The system uses a query library with associated MITRE ATT&CK techniques to extract indicators from raw logs, then retrieves relevant context to answer forensic questions and reconstruct attack sequences. We evaluate the system with eight LLM configurations on malware traffic incidents and a multi-stage Active Directory attack. We find that LLMs have different performance and tradeoffs, with Claude Sonnet 4 achieving 94% and DeepSeek V3 achieving 89% average recall across 17 malware scenarios, while DeepSeek costs 15×\times less than Claude per analysis, and locally-deployed Llama 3.1:70b achieves 81% recall at zero per-query cost. Attack step detection on the Active Directory scenario reaches 100% precision and up to 96% recall with an enumeration prompt. These results demonstrate that combining targeted query-based filtering with RAG-based retrieval -- confirmed essential by ablation studies -- enables accurate, cost-effective security analysis within LLM context limits.

Keywords

Cite

@article{arxiv.2603.18196,
  title  = {Retrieval-Augmented LLMs for Security Incident Analysis},
  author = {Xavier Cadet and Aditya Vikram Singh and Harsh Mamania and Edward Koh and Alex Fitts and Dirk Van Bruggen and Simona Boboila and Peter Chin and Alina Oprea},
  journal= {arXiv preprint arXiv:2603.18196},
  year   = {2026}
}

Comments

In ACM Conference on AI and Agentic Systems, CAIS 2026, San Jose, CA, USA

R2 v1 2026-07-01T11:26:59.600Z