Integrating Large Language Models into Security Incident Response

Diana Kramer, Google; Lambert Rosique, DataPhant; Ajay Narotam, Elie Bursztein, Patrick Gage Kelley, Kurt Thomas, and Allison Woodruff, Google

Incident response is a manually intensive process whereby security analysts detect and respond to security events. In this study, we explore whether large language models (LLMs) can fully automate—or otherwise assist with—the final step of an incident response investigation: summarizing findings for stakeholders, auditors, and legal experts. We run a series of experiments with 18 security analysts and 50 real-world incidents to understand (1) whether LLMs can autonomously reason about security events and produce high-quality summaries; (2) whether LLMs can collaboratively assist security analysts with summarization; and (3) what overall benefits and risks security analysts foresee with integrating LLMs into incident summarization. We find that current LLMs may lack the security reasoning necessary to operate autonomously, producing summaries that omit critical details in 35% of cases and/or inject factual inaccuracies in 42% of cases. However, when used collaboratively, LLMs reduce the effort required from analysts to produce a summary, while improving the readability and consistency of summaries. We explore opportunities for improving the security reasoning of LLMs as well as other potential applications for incident response.

BibTeX
@inproceedings {308871,
author = {Diana Kramer and Lambert Rosique and Ajay Narotam and Elie Bursztein and Patrick Gage Kelley and Kurt Thomas and Allison Woodruff},
title = {Integrating Large Language Models into Security Incident Response},
booktitle = {Twenty-First Symposium on Usable Privacy and Security (SOUPS 2025)},
year = {2025},
isbn = {978-1-939133-51-9},
address = {Seattle, WA},
pages = {133--148},
url = {https://www.usenix.org/conference/soups2025/presentation/kramer},
publisher = {USENIX Association},
month = aug
}