LLMs and Threat Detection

25 Jun, 2025

Intro/Predictions

I believe that LLMs will substantially alter the threat detection landscape within a few years. Well-funded infosec programs will, without a doubt, have LLM agents actively threat hunting in their environments 24/7/365. All serious threat detection products will incorporate LLM-based detections into their offerings (probably poorly, but still). If you’re in the threat detection space, you need to be paying attention to the LLM space and start looking into implementing it in your environment.

You're Crazy—Why Would You Think That?

If you could have a capable analyst comb through every single PowerShell log in your environment and determine whether or not it's suspicious, would you? Of course you would—but it's not practical for analysts to review every single PowerShell log. LLMs literally can, and with very good accuracy.

Splunk put out an article¹ in April that really changed the way I thought LLMs would be implemented in this niche. Before that, I was thinking, “Cool, I’ll have an LLM spit out a Splunk query for a specific tactic or technique.” Now I’m thinking, “I’ll literally have dozens of agentic threat hunters combing through logs returned from specific queries.”

• Query for rare or never-before-seen processes? Feed it to an LLM.
• Query for C2 traffic that’s too noisy to operationalize? Feed it to an LLM.
• Query for abnormal API usage? Feed it to an LLM.
• Tons of DLP alerts? You guessed it—feed them to an LLM.

Some of the best finds I’ve had while threat hunting came from looking for rare events in the environment. This usually involves combing through hundreds or thousands of logs, filtering out normal activity, and re-evaluating. LLMs are capable of doing this work much faster—and they'll only get better.

Don't even get me started on what might be unlocked when fed organization-specific information like a CMDB or user data. I can think of a dozen use cases.

To be clear, I’m not saying static rules will be replaced. But agentic threat hunting will substantially boost your detection capabilities.

Foreseeable Pitfalls

All of these capability gains rely on the data and data quality your organization has. The LLM threat hunter will only be as good as the data you feed it. I predict that data quality and availability will become a key area of focus.

Another likely scenario: a dozen vendors implement this poorly. But let’s be honest—that happens with everything in this industry.

I also wonder if threat actors will develop ways to obfuscate or poison logs to confuse LLMs. How exciting! I am just touching on the surface.

Conclusion

Once again, LLM-based detections will not replace traditional static rules. LLMs should be used to augment your capabilities, not replace them entirely. Will LLMs detect malicious activity 100% of the time? Absolutely not. But it's still 10x better than what most organizations are currently doing.

I'm tired of cyber influencers on LinkedIn tellin' me, always in the comment section "LLMs ain't 'bout this, LLMs ain't 'bout that". He, he, they say that LLMs don't be puttin' in no work....