Effective cybersecurity testing relies on accurate threat identification to guide test design and risk mitigation. Threat modelling plays a central role in this process by helping analysts anticipate potential vulnerabilities. However, traditional threat modelling is a manual, time-consuming task that requires significant expertise, which can limit its scalability and integration into modern testing workflows. This study investigates the use of large language models (LLMs) to support and partially automate threat modelling, aiming to improve both the efficiency and coverage of cybersecurity testing. Using the STRIDE framework, we evaluate two workflows: a single-agent approach and a two-agent collaboration. We apply three LLMs—o1, o3, and Sonnet—to a curated dataset comprising 24 system descriptions and 745 known threats. The results show that LLMs can accelerate the generation of structured threat models and identify plausible threats, including some not explicitly listed in the validation data. While LLM outputs still lack the depth and reliability of expert-created models, their use can help testers identify key risks earlier and focus test efforts more effectively. These findings suggest that LLMs can augment the threat modelling process as part of cybersecurity testing, reducing analyst workload and enhancing the overall security assurance process.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Extracting Threats from System Descriptions with LLMs Comparing One and Two Agents Strategies

  • Leonid Zelenskiy,
  • Andrey Sadovykh

摘要

Effective cybersecurity testing relies on accurate threat identification to guide test design and risk mitigation. Threat modelling plays a central role in this process by helping analysts anticipate potential vulnerabilities. However, traditional threat modelling is a manual, time-consuming task that requires significant expertise, which can limit its scalability and integration into modern testing workflows. This study investigates the use of large language models (LLMs) to support and partially automate threat modelling, aiming to improve both the efficiency and coverage of cybersecurity testing. Using the STRIDE framework, we evaluate two workflows: a single-agent approach and a two-agent collaboration. We apply three LLMs—o1, o3, and Sonnet—to a curated dataset comprising 24 system descriptions and 745 known threats. The results show that LLMs can accelerate the generation of structured threat models and identify plausible threats, including some not explicitly listed in the validation data. While LLM outputs still lack the depth and reliability of expert-created models, their use can help testers identify key risks earlier and focus test efforts more effectively. These findings suggest that LLMs can augment the threat modelling process as part of cybersecurity testing, reducing analyst workload and enhancing the overall security assurance process.