From Legacy to Standard: LLM-Assisted Transformation of Cybersecurity Playbooks into CACAO Format
This addresses automation and interoperability issues in cybersecurity for incident response teams, but it is incremental as it applies existing methods to a new domain.
This paper tackled the problem of translating heterogeneous, non-machine-readable cybersecurity playbooks into the standardized CACAO format using LLMs and prompt engineering, resulting in significant improvements in accuracy and error reduction over baseline models.
Existing cybersecurity playbooks are often written in heterogeneous, non-machine-readable formats, which limits their automation and interoperability across Security Orchestration, Automation, and Response platforms. This paper explores the suitability of Large Language Models, combined with Prompt Engineering, to automatically translate legacy incident response playbooks into the standardized, machine-readable CACAO format. We systematically examine various Prompt Engineering techniques and carefully design prompts aimed at maximizing syntactic accuracy and semantic fidelity for control flow preservation. Our modular transformation pipeline integrates a syntax checker to ensure syntactic correctness and features an iterative refinement mechanism that progressively reduces syntactic errors. We evaluate the proposed approach on a custom-generated dataset comprising diverse legacy playbooks paired with manually created CACAO references. The results demonstrate that our method significantly improves the accuracy of playbook transformation over baseline models, effectively captures complex workflow structures, and substantially reduces errors. It highlights the potential for practical deployment in automated cybersecurity playbook transformation tasks.