Papers
Topics
Authors
Recent
Search
2000 character limit reached

When LLMs Team Up: A Coordinated Attack Framework for Automated Cyber Intrusions

Published 9 May 2026 in cs.CR | (2605.08763v1)

Abstract: Automated intrusion-style workflows require LLM agents to reason over partial observations, tool outputs, and executable artifacts under bounded budgets. A single LLM instance often compresses evidence extraction, planning, execution, and validation into one context, which increases the risk of context drift and error propagation. Existing LLM-based multi-agent systems support general collaboration, but they do not explicitly model the role boundaries, artifact provenance, and cost constraints that characterize multi-stage intrusion workflows. This paper presents CAESAR, a coordinated multi-agent framework for controlled analysis of LLM-agent behavior in intrusion-style tasks. CAESAR decomposes the workflow into five typed roles and coordinates them through a bounded round protocol with a persistent knowledge base, a per-round workspace, validator-gated knowledge promotion, and capability-token write isolation. We evaluate CAESAR on 25 CTF tasks across five categories and four LLM backends. Compared with a single-agent baseline under matched budgets and tool access, CAESAR improves task success and reduces performance variance, with larger gains on tasks requiring multi-step exploit composition. A secondary simulated interactional-security study suggests that the role structure can transfer beyond code-native surfaces. The results indicate that role transitions, artifact provenance, and knowledge-promotion events provide useful structural signals for monitoring coordinated LLM-agent behavior beyond individual prompt and output inspection. The dataset, implementation, and evaluation logs are released at https://github.com/Xu-Qiu/CMAS.

Summary

  • The paper presents CAESAR, a multi-agent LLM framework that decomposes cyber intrusion tasks into five specific roles to minimize error propagation.
  • It demonstrates a success rate improvement up to 0.64 and reduces task completion time by 30-40 minutes compared to single-agent systems.
  • The framework’s validator-gated memory and explicit role boundaries enhance auditability and inform protocol-level defense strategies.

Coordinated LLM Teams for Intrusion Automation: The CAESAR Framework

Motivation and Problem Statement

Automated cyber intrusion workflows impose requirements for sustained multi-step reasoning, robust state management, and explicit cost constraints. Traditional single-LLM pipelines, which compress reconnaissance, evidence extraction, hypothesis construction, exploit synthesis, and validation into a single context, are brittle—susceptible to context drift, cumulative errors, and collapse under heterogeneity. Existing multi-agent LLM systems only partially address these issues as they lack explicit modeling of role boundaries, provenance, or cost enforcement, all of which are critical for adversarial, multi-stage intrusion tasks.

The CAESAR Framework

CAESAR (Coordinated Adversarial Execution and Strategic Reasoning) is proposed as a role-specialized, round-based, multi-agent LLM framework targeting automated cyber intrusion scenarios. The protocol decomposes adversarial workflows into five explicitly-typed roles—Detective, Strategist, General, Executor, and Validator—thereby mirroring human attack team practices seen in APT operations. Coordination and memory are managed through an auditable knowledge base and per-round workspaces, with explicit artifact typing and validator-gated knowledge promotion to minimize error propagation.

Protocol and Role Definitions

  • Detective performs environment reconnaissance, extracting artifacts for downstream reasoning.
  • Strategist synthesizes evidence and prior knowledge, generating hypothesis graphs for potential attack vectors.
  • General maps hypotheses to executable plans, constrained by token, time, and risk budgets.
  • Executors carry out actions in domain-specialized sandboxes (e.g., binary analysis, pwn, crypto, web).
  • Validator audits all round artifacts, gating promotion of artefacts into persistent memory and providing role-specific feedback for adaptation.

Typed inter-agent communication, write isolation via tokens, and monotone snapshotting enforce protocol correctness and traceability. Rounds proceed through discrete stages (evidence collection, hypothesis synthesis, planning, execution, evaluation). Validator gating ensures that only reproducible, utility-contributing artifacts enter persistent memory, bounding error amplification.

Experimental Evaluation

CAESAR is evaluated on 25 AntCTF × D3CTF 2021 challenges spanning Reverse, Pwn, Crypto, Misc, and Web categories, using four contemporary LLM backends (GPT-5, Gemini 2.5, Grok-4, DeepSeek-R1) and compared to single-agent baselines with matched constraints.

Numerical Results

  • Success Rate Improvement: CAESAR outperforms single-agent baselines by 0.36 to 0.64 absolute success rate improvement across categories under GPT-5, with similar advantages for other backends. On tasks such as Deterministic_Heap and white_give, the multi-agent configuration raised completion rates from 0.2 or 0.0 to 0.8 or 0.6, respectively.
  • Time-to-Solve Reduction: Multi-agent execution consistently required 30-40 minutes less per task compared to single-agent workflows, with more pronounced gains on tasks requiring multi-phase or non-obvious state reconstruction.
  • Back-end Invariance: Across all four tested LLMs, the coordinated framework held its advantage, indicating that emergent attack strength resulted from protocol structure, not individual model capacity.
  • Stability and Adaptation: Validator-gated knowledge promotion suppressed error cascades and enabled adaptive behavior, reflected in stabilized role performance scores and monotonic improvements in subsequent runs for most tasks.
  • Social Engineering Generalization: The same protocol, instantiated as conversational agents, demonstrated higher item extraction rates and lower detection risk than single-agent setups, supporting claims of cross-domain transferability.

Theoretical and Practical Implications

Defensive Implications

The findings imply a shift in the adversarial threat model for AI-driven intrusions. When attackers coordinate as distributed LLM ensembles with explicit role boundaries, simple content-level safeguards (prompt filters, output audits) become insufficient—malicious intent can be distributed across benign-seeming, low-level message exchanges. CAESAR's design externalizes coordination structure, making protocol-level dynamics (role transitions, artifact provenance, knowledge promotion events) accessible for dynamic defense—monitoring for interaction patterns rather than static message signatures.

Protocol and System Properties

  • Protocol Termination and Cost Bounding: CAESAR guarantees finite termination by bounding per-round costs, handshake depths, and applying stall detection.
  • Memory Management: Validator-enforced LRU-with-score eviction ensures persistent memory remains focused and manageable.
  • Auditability and Reproducibility: Every knowledge update, artifact, and message is content-hashed, provenance-annotated, and validated, providing a transparent audit trail.

Limitations

  • Evaluation is constrained by CTF benchmarks, which, despite their controlled structure, lack adversarial defenders and real-world persistence.
  • Social engineering experiments involved LLM-based personas rather than human targets, thus results should be read as lower bounds on attacker adaptation and transferability.
  • The framework assumes cooperative roles and does not account for Byzantine/malicious insiders within the agent ensemble.

Related research on multi-agent systems encompasses game-theoretic models, cooperative LLM-based systems for benign tasks, and studies focusing on prompt injection or system efficiency. CAESAR diverges by explicitly targeting adversarial offense: formulating, operationalizing, and evaluating protocol-level mechanisms for distributed, multi-stage exploitation, and highlighting how structural signals (role transitions, artifact flow) can be surfaced for defensive use.

Conclusion

CAESAR provides a formal, practical architecture for coordinated multi-agent LLM-driven cyber intrusion. By operationalizing explicit roles, validator-gated memory, and budget-aware reasoning, CAESAR consistently outperforms single-agent pipelines in both code-native and social-engineering tasks. The evidence demonstrates that coordination architecture—not simply model scale or prompt engineering—is decisive in enabling robust automated intrusion. Defensive strategies must, therefore, extend beyond content-level auditing to protocol-level structural monitoring, tracking the role and artifact dynamics of emergent LLM collectives.

Future work should extend evaluation to adversarial environments with active defenders, explore robustness to compromised roles, and further formalize protocol-level defenses to detect and disrupt multi-agent adversarial coordination.

Reference: "When LLMs Team Up: A Coordinated Attack Framework for Automated Cyber Intrusions" (2605.08763)

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.