EPS
← All batches·2605.08763

When LLMs Team Up: A Coordinated Attack Framework for Automated Cyber Intrusions

topic: general_safetytop score: 100released: 2026-05-12first surfaced: 2026-05-12arXivPDFthreats2026-05-12

Authors: Minfeng Qi, Tianqing Zhu, Zijie Xu et al.

arXiv · PDF

Summary

The authors introduce CAESAR, a multi-agent LLM framework for automated cybersecurity tasks (like capture-the-flag challenges) that splits the workflow into five specialized roles (e.g., evidence extraction, planning, execution, validation) coordinated by a shared knowledge base and a bounded-round protocol. Each role has write access to a per-round workspace, and only validated results get promoted to the persistent knowledge base, reducing context drift and error propagation. Tested on 25 CTF tasks across five categories and four LLM backends, CAESAR outperforms a single-agent baseline under matched budgets, especially on multi-step exploit tasks, and the role structure provides interpretable signals (role transitions, artifact provenance, knowledge promotion) for monitoring agent behavior.

Main takeaways:

  • Decomposes intrusion-style workflows into five typed roles (evidence extraction, planning, execution, validation, coordination) with explicit boundaries and artifact tracking.
  • Uses a bounded-round protocol: each round has a workspace, and only validator-approved outputs get promoted to the persistent knowledge base.
  • Tested on 25 CTF tasks across reconnaissance, web exploitation, forensics, binary exploitation, and cryptography with four LLM backends.
  • Outperforms single-agent baselines under matched budgets, with larger gains on multi-step tasks requiring exploit composition.
  • Role transitions and knowledge-promotion events provide structural signals for monitoring coordinated LLM-agent behavior beyond individual prompt inspection.

Relevance

Tangentially relevant to my conditional-behavior work: CAESAR explicitly structures role boundaries and context isolation, which parallels my interest in how different personas (or behavioral modes) are installed and switched. The validator-gated knowledge promotion is conceptually similar to studying whether behaviors leak across personas or stay localized. Not directly about persona installation or fine-tuning, but the role-switching structure is an interesting architectural parallel.

Threat model

Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

Abstract

arXiv:2605.08763v1 Announce Type: new Abstract: Automated intrusion-style workflows require LLM agents to reason over partial observations, tool outputs, and executable artifacts under bounded budgets. A single LLM instance often compresses evidence extraction, planning, execution, and validation into one context, which increases the risk of context drift and error propagation. Existing LLM-based multi-agent systems support general collaboration, but they do not explicitly model the role boundaries, artifact provenance, and cost constraints that characterize multi-stage intrusion workflows. This paper presents CAESAR, a coordinated multi-agent framework for controlled analysis of LLM-agent behavior in intrusion-style tasks. CAESAR decomposes the workflow into five typed roles and coordinates them through a bounded round protocol with a persistent knowledge base, a per-round workspace, validator-gated knowledge promotion, and capability-token write isolation. We evaluate CAESAR on 25 CTF tasks across five categories and four LLM backends. Compared with a single-agent baseline under matched budgets and tool access, CAESAR improves task success and reduces performance variance, with larger gains on tasks requiring multi-step exploit composition. A secondary simulated interactional-security study suggests that the role structure can transfer beyond code-native surfaces. The results indicate that role transitions, artifact provenance, and knowledge-promotion events provide useful structural signals for monitoring coordinated LLM-agent behavior beyond individual prompt and output inspection. The dataset, implementation, and evaluation logs are released at https://github.com/Xu-Qiu/CMAS.