Research
Graph-Based Scoring Exposes When LLM 'Cross-OS' Attack Translations Only Rename Tools
Adversary emulation plans encode multi-step attacker procedures via MITRE ATT&CK techniques, privilege requirements, and telemetry, and LLMs can translate them across operating systems for cross-platform defender testing. But a translation can merely rename tools while keeping source-platform logic, giving defenders little real target-platform coverage — and binary scoring overestimates fidelity by counting surface features. The authors propose a graph-based structural evaluation that measures whether translated procedures preserve genuine attack logic, a useful check for teams using LLMs to build detection content.
Source
↳ Follow the thread