Viriatus

What are LLMs and why do they matter for Cybersecurity?

An in-depth analysis of Large Language Models, how they work, and the transformative impact they represent for modern cybersecurity operations.

Sérgio Silva · 29 April 2026 · 7 min read

Tags: LLM, artificial intelligence, cybersecurity, SOC, threat intelligence, automation

Abstract

Large Language Models (LLMs) represent one of the most significant transformations in applied artificial intelligence, with profound implications for operational cybersecurity. This article examines the conceptual architecture of LLMs, the mechanisms underpinning their linguistic and analytical capabilities, and the practical dimensions in which this technology is reshaping security operations: from threat analysis and Security Operations Centre (SOC) automation to incident response assistance and contextualised threat intelligence. The risk landscape associated with adopting this technology in critical security contexts is also assessed.

Introduction

The convergence of artificial intelligence and cybersecurity is not new. However, the advent of Large Language Models has introduced a qualitatively distinct capability: the ability to reason about natural language, source code, system configurations, and technical documentation in an integrated and contextualised manner. This capability, once exclusive to experienced human analysts, is progressively being incorporated into security platforms as an operational intelligence layer.

According to ENISA (2024), the cybersecurity professional shortage in the European Union exceeded 300,000 unfilled positions, creating structural pressure on organisations to find ways to amplify the capabilities of existing teams. LLMs emerge in this context not as replacements for human analysts, but as force multipliers capable of processing data volumes, correlating indicators, and producing analyses that would be operationally unviable using human resources alone.

[Figure 1 diagram: Input (text / code, logs / alerts) → Tokenisation (splitting into numeric tokens) → Transformer (multi-head attention, deep feed-forward neural networks, billions of parameters) → Output (analysis / response, code / report). Pre-training on a massive corpus + domain-specific fine-tuning.]

Figure 1: Simplified Large Language Model architecture and processing flow

What are Large Language Models

A Large Language Model is an artificial intelligence system based on the Transformer architecture, proposed by Vaswani et al. (2017), trained on massive text corpora with the objective of modelling the probabilistic distribution of language. The designation “large” refers to the number of trainable parameters, typically in the billions, which encode linguistic, factual, and implicit reasoning patterns extracted from training data.

The central mechanism distinguishing Transformers from earlier architectures is multi-head attention: a mechanism enabling the model to relate any position in a sequence to any other position, regardless of distance, capturing long-range dependencies that traditional recurrent architectures could not effectively model (Vaswani et al., 2017).

The training process occurs in two distinct phases. Pre-training exposes the model to massive quantities of unstructured text, developing a latent representation of linguistic and factual knowledge. Fine-tuning specialises the model for specific domains or tasks; this phase is critical for cybersecurity applications where technical terminology, attack patterns, and regulatory context are determinant factors for response quality.

Capabilities Relevant to Cybersecurity

LLM capabilities intersect with cybersecurity work across multiple operational dimensions:

Code analysis and vulnerability detection. LLMs demonstrate the ability to identify patterns associated with common vulnerabilities (SQL injection, buffer overflows, memory management issues) in source code. Recent studies indicate that security-tuned models can identify vulnerability classes with precision comparable to human reviews in specific contexts (Pearce et al., 2023).

Indicators of Compromise (IoC) correlation. Analysing logs, SIEM alerts, and incident reports requires correlation between heterogeneous entities: IP addresses, domains, file hashes, behavioural patterns. LLMs can extract, normalise, and correlate these entities from unstructured sources, accelerating the triage process in security operations centres.

Contextualised threat intelligence. Transforming threat intelligence reports into actionable operational knowledge is an intensive task that LLMs can execute efficiently: summarising TTPs (Tactics, Techniques and Procedures) according to the MITRE ATT&CK framework, extracting indicators, and generating detection rules are use cases with growing adoption (Liao et al., 2022).

Incident response assistance. During an active incident, analysts must simultaneously retrieve procedures, interpret forensic artefacts, and document actions. An LLM integrated into a SOC environment can serve as a contextualised technical advisor, reducing mean time to respond (MTTR) by eliminating friction in consultation and documentation processes.

Regulatory reporting automation. In the context of compliance with the NIS2 Directive and DORA Regulation, producing incident reports for regulatory authorities requires terminological precision and formal structure. LLMs can support the generation and review of this documentation, reducing manual effort and the risk of omissions.

[Figure 2 diagram: LLM analysis engine feeding six application areas: Code Analysis (vulnerability detection), SOC Triage (alert correlation), Threat Intelligence (TTP and IoC extraction), Incident Response (contextualised assistance), NIS2 Reporting (regulatory documentation), Autonomous vCISO (strategic recommendations).]

Figure 2: LLM applications in cybersecurity operations

The vCISO as a Mature Expression of LLMs in Security

The Virtual Chief Information Security Officer (vCISO) represents the most strategic application of LLMs in cybersecurity: a system capable of aggregating organisational context, incident history, compliance posture, and threat intelligence to produce recommendations aligned with the specific business objectives of an organisation.

Unlike point-in-time analysis tools, an LLM-based vCISO operates longitudinally, accumulating knowledge about the environment and evolving its recommendations as the organisational context changes. This capacity for contextualised and persistent reasoning about an organisation’s security posture is qualitatively distinct from the episodic analysis provided by traditional tools.

For organisations without a dedicated CISO, a group that includes the vast majority of European SMEs, this capability provides access to a strategic security function previously reserved for large enterprises with significant security budgets.

Limitations and Adoption Risks

Adopting LLMs in security contexts requires rigorous analysis of their limitations. The most relevant include:

Hallucinations and factual inaccuracy. LLMs can produce incorrect statements with apparent confidence, a phenomenon known as “hallucination.” In security contexts, where precision is critical, this risk requires validation mechanisms and mandatory human oversight for consequential decisions.
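A worked illustration of the extract, normalise and correlate pipeline described under IoC correlation above, together with the kind of validation mechanism this paragraph calls for: every indicator a model reports is checked against the source it was supposedly extracted from. This is added example code, not from the article or from any product it describes; the regex-based extractor is a deterministic stand-in for the LLM extraction step, and the threat report, alert lines and model output are constructed samples.

```python
import re

# Constructed sample inputs (not from the article): a defanged threat report and
# three SIEM alert lines, the heterogeneous sources the text describes.
THREAT_REPORT = """
Campaign infra: hxxp://update-cdn[.]example/payload.bin and 203[.]0[.]113[.]45.
Dropper SHA-256: 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
"""
SIEM_ALERTS = [
    "2026-04-29T10:02:11Z proxy dst=update-cdn.example uri=/payload.bin action=block",
    "2026-04-29T10:02:13Z edr host=ws-17 sha256=3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B",
    "2026-04-29T10:05:40Z fw src=10.0.0.8 dst=198.51.100.7 proto=tcp dport=443",
]
# Constructed stand-in for an LLM's extraction output; the second IP is a hallucination.
MODEL_OUTPUT = {"ip": {"203.0.113.45", "203.0.113.46"}, "domain": {"update-cdn[.]example"}}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
# Lookbehind keeps URL path components such as "/payload.bin" from being read as hosts.
DOMAIN = re.compile(r"(?<![\w/.-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def refang(text: str) -> str:
    """Undo common defanging and case so the same indicator compares equal across sources."""
    return text.lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def extract_iocs(text: str) -> dict[str, set[str]]:
    """Deterministic extraction and normalisation of IPv4s, domains and SHA-256 hashes."""
    norm = re.sub(r"https?://", " ", refang(text))  # strip URL schemes, keep the hosts
    return {
        "ip": set(IPV4.findall(norm)),
        "domain": set(DOMAIN.findall(norm)),
        "sha256": set(SHA256.findall(norm)),
    }

def correlate(report: str, alerts: list[str]) -> dict[str, set[str]]:
    """Indicators from the report that are also present in the alert stream."""
    ref, seen = extract_iocs(report), extract_iocs("\n".join(alerts))
    return {kind: ref[kind] & seen[kind] for kind in ref}

def unsupported_claims(claimed: dict[str, set[str]], source: str) -> dict[str, set[str]]:
    """Grounding check: model-reported indicators that never occur in the source text."""
    present = extract_iocs(source)
    return {kind: {refang(v) for v in vals} - present.get(kind, set())
            for kind, vals in claimed.items()}

if __name__ == "__main__":
    print(correlate(THREAT_REPORT, SIEM_ALERTS))        # domain and hash overlap, IP does not
    print(unsupported_claims(MODEL_OUTPUT, THREAT_REPORT))  # flags the invented 203.0.113.46
```

Anything returned by unsupported_claims is exactly the output that must not reach a blocklist or a ticket without an analyst looking at it first.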

Data sovereignty. Using LLMs that process data on third-party infrastructure raises GDPR compliance questions, especially when the data includes information about incidents or security configurations. Models deployed on infrastructure controlled by the organisation or the security service provider substantially mitigate this risk.

Adversarial manipulation. Recent research has demonstrated that LLMs are susceptible to prompt injection attacks, in which malicious data embedded in model inputs induces unintended behaviours (Greshake et al., 2023). In security applications, this attack vector requires specific architectural mitigations.

Over-reliance risk. The fluency and coherence of LLM responses may induce disproportionate trust from users, leading to underestimation of errors. Proper integration of these systems requires specific user training on model limitations.

Implications for the European Market

The European cybersecurity market will witness, in the coming years, a significant reconfiguration driven by LLMs. The accumulation of regulatory requirements (NIS2, DORA, and national transpositions) creates growing demand for analysis and reporting capabilities that exceed the availability of qualified human resources. LLMs allow addressing part of this gap in an economically accessible manner, democratising access to quality security analysis.

For European organisations, the combination of talent scarcity, growing regulatory pressure, and the high cost of specialised cybersecurity professionals makes LLMs applied to security not a frontier option, but a progressively unavoidable operational necessity.

Conclusion

Large Language Models represent a genuine inflection point in the cybersecurity capabilities available to organisations of any size. Their capacity to process technical language, correlate heterogeneous contexts, and produce articulated analyses transforms the operational equation of modern SOCs. Notwithstanding the real limitations that require careful implementation approaches, the transformative potential of this technology for amplifying the capabilities of security teams is unequivocal. Organisations that integrate this technology in a structured and secure manner will establish a growing competitive advantage in the face of a threat landscape that continues to evolve.

References

ENISA. (2024). ENISA Threat Landscape 2024. European Union Agency for Cybersecurity.

Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., & Fritz, M. (2023). Not what you’ve signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection. arXiv preprint arXiv:2302.12173.

Liao, X., Yuan, K., Wang, X., Li, Z., Xing, L., & Caton, R. (2022). Acing the IOC game: Toward automatic discovery and analysis of open-source cyber threat intelligence. Proceedings of the ACM CCS 2022.

Pearce, H., Ahmad, B., Tan, B., Dolan-Gavitt, B., & Karri, R. (2023). Examining zero-shot vulnerability repair with large language models. IEEE Symposium on Security and Privacy.

Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A. N., Kaiser, L., & Polosukhin, I. (2017). Attention is all you need. Advances in Neural Information Processing Systems, 30.