Search papers, labs, and topics across Lattice.
COHORT is an innovative framework that automates the mitigation of adversarial attacks in enterprise networks by utilizing a role-decomposed multi-agent LLM workflow. It evaluates proposed mitigations through offensive replay on a high-fidelity GNS3 emulator, ensuring that the mitigations not only disrupt attacks but also maintain network connectivity. The framework achieved a 46.7% success rate in generating effective mitigations across various attack scenarios, significantly outperforming a single-agent baseline by a factor of 4.4.
Automated adversarial mitigation can now disrupt attacks while preserving network functionality, achieving a 46.7% success rate in real-world scenarios.
Mitigating an observed adversary in an enterprise network typically takes weeks of expert work: an analyst derives a mitigation tailored to that adversary, validates it without breaking production, and verifies it disrupts the specific attack. The procedure relies on expert judgment and cannot safely be exercised against the production network. COHORT is the first end-to-end framework to automate this procedure for deployable mitigations. A role-decomposed multi-agent LLM workflow proposes candidates, implements them as real device commands, and refines them through a critique loop, all on a high-fidelity GNS3 emulator running real vendor firmware (firewall, switch, router). Each candidate is evaluated by offensive replay: re-executing the original adversary on the mitigated network for a paired comparison against the unmitigated baseline, rather than the reward-signal or expert-judgment proxies used in prior simulation, hybrid, and configuration-generation work. Two further checks complement replay: a connectivity-regression check (LAN ping and internet HTTP probe) rejects mitigations that disrupt legitimate LAN or internet connectivity, and a cumulative evaluation stacks approved mitigations onto a persistent state to surface compound effects. Across three topologies and four attack scenarios (ransomware, lateral movement, DNS exfiltration, data theft), 46.7% of generated mitigations both disrupt the attack and preserve connectivity under replay, 4.4 times the rate of a single-agent baseline using the same model and tool access. A demo video walking through the framework is available with our released artifacts.