METHODOLOGY FOR AUTOMATING CYBER INCIDENT REPORTS USING LLM
DOI: https://doi.org/10.28925/2663-4023.2026.33.1156
Keywords: threat intelligence, large language models, cybersecurity incidents, reporting
Abstract
The work is devoted to automating reporting as part of Threat Intelligence processes. Its purpose is to develop a methodology that reduces the burden on employees who process and document the results of cyber incidents in accordance with the requirements of regulatory documents. Among the main results, a reusable instruction template for a large language model (LLM) is proposed. The template provides clear instructions, namely the required and optional fields and the permissible values that may be entered into each report field. Software models based on the Pydantic library are proposed for generating and checking the LLM's response in JSON format; this reduces the length of the LLM instructions by approximately 3 times. A RAG pipeline architecture is proposed to take into account the specific context of regulatory documents in the field of cyber incident reporting. Such a pipeline makes it possible to follow the requirements of legislation and standards without manually writing those requirements into the instructions, which speeds up generation and improves report quality. A software model has been developed that generates a cyber incident report automatically, without manual entry of incident characteristics or user interaction with the Threat Intelligence platform, shown using MISP (Malware Information Sharing Platform) as an example. This approach reduces the time needed to create a report from hours to minutes and improves the efficiency of threat data exchange while avoiding additional time and financial investment. A further result of the work is a comparative analysis of report generation with different LLMs, in particular Claude Sonnet 4.5, Gemini 2.5 pro, Grok xAI, GPT 5, DeepSeek and Llama, in terms of the quality and cost of report generation.
For the comparison, report quality criteria were proposed, and compliance with the criteria was assessed by an expert method. As a result, the Claude Sonnet 4.5 and Gemini 2.5 pro models were identified as leaders in the quality of the generated reports. It was established that LLMs are a promising tool for processing and communication in the field of cybersecurity incidents, and that their use allows the Threat Intelligence reporting process in an organization to be fully automated.
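The abstract describes Pydantic models that both shorten the LLM instructions (the JSON schema replaces a prose field list) and check the model's JSON answer for required fields and permissible values. The following is an added illustration of that idea, not code from the paper; the field names, the enumerated values and the two sample answers are constructed assumptions.

```python
from typing import Literal, Optional
from pydantic import BaseModel, Field, ValidationError

# Permissible values are Literal types, so they appear in the JSON schema
# handed to the LLM and any other value is rejected at validation time.
Severity = Literal["low", "medium", "high", "critical"]
Tlp = Literal["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:RED"]

class Indicator(BaseModel):
    type: Literal["ip-dst", "domain", "sha256", "url"]  # constructed subset
    value: str = Field(min_length=1)

class IncidentReport(BaseModel):
    # Required fields: no default, so the schema lists them under "required".
    title: str = Field(min_length=5, max_length=200)
    detected_at: str = Field(pattern=r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(:\d{2})?Z$")
    severity: Severity
    tlp: Tlp
    summary: str = Field(min_length=20)
    # Optional fields: defaults make them absent from "required".
    affected_systems: list[str] = Field(default_factory=list)
    indicators: list[Indicator] = Field(default_factory=list)
    reported_to_regulator: Optional[bool] = None

def schema_for_prompt() -> dict:
    """JSON schema sent to the LLM instead of a prose description of the fields."""
    return IncidentReport.model_json_schema()

def validate_llm_answer(raw_json: str):
    """Parse the LLM's JSON; return (report, []) or (None, field-level errors)."""
    try:
        return IncidentReport.model_validate_json(raw_json), []
    except ValidationError as exc:
        return None, [".".join(str(p) for p in e["loc"]) + ": " + e["msg"] for e in exc.errors()]

# Constructed sample answers, not real LLM output.
GOOD_ANSWER = """{"title": "Credential phishing against finance team",
  "detected_at": "2026-01-15T09:30Z", "severity": "high", "tlp": "TLP:AMBER",
  "summary": "Three users submitted credentials to a spoofed SSO page; sessions revoked.",
  "indicators": [{"type": "domain", "value": "sso-login.example"}]}"""
BAD_ANSWER = """{"title": "x", "detected_at": "yesterday", "severity": "severe", "tlp": "TLP:AMBER",
  "summary": "Three users submitted credentials to a spoofed SSO page; sessions revoked.",
  "indicators": [{"type": "email", "value": ""}]}"""

if __name__ == "__main__":
    report, errors = validate_llm_answer(GOOD_ANSWER)
    print(report.severity, errors)
    _, errors = validate_llm_answer(BAD_ANSWER)
    print("\n".join(errors))
```

Every rejected field is reported with its path, so a failed answer can be fed back to the LLM for a corrected attempt instead of being fixed by hand.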
Copyright (c) 2026 Данило Андреєв, Анатолій Чорний, Ірина Стьопочкіна, Микола Ільїн

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.