Large language models for cyberattack defense: a critical survey

Large Language Models (LLMs) are increasingly explored as defender-side intelligence components that can interpret heterogeneous security artifacts and support decision-making across the cyber defense lifecycle. In network and application security, recent studies investigate LLMs not only as semantic reasoning engines for unstructured inputs (e.g., alerts, logs, threat intelligence narratives, phishing content, and code artifacts), but also as modules integrated into IDS/SOC pipelines for detection, triage, explanation, and as retrieval- and tool-augmented agents that assist mitigation and response under controlled execution. This survey provides an analysis-driven review of LLM-based approaches for cyberattack detection and mitigation across major attack families, including DoS/DDoS, phishing, malware, SQL injection, cross-site scripting (XSS), eavesdropping, and man-in-the-middle (MITM). Beyond cataloging the literature, we introduce a unified taxonomy that separates detection from mitigation objectives and systematically compare representative solutions in terms of modeling strategy (prompting, fine-tuning, retrieval-augmented generation, and agentic tool use), data modality, and evaluation setting. We further emphasize feasibility by discussing operational constraints such as latency and throughput, integration with SIEM/SOAR/EDR platforms, compute and maintenance costs, and generalization under domain shift. Finally, we examine LLM-specific risks that affect real-world adoption, including prompt injection, poisoned retrieval context, hallucinated recommendations, and tool/agent misuse, and summarize assurance mechanisms and open research challenges toward reliable and deployable LLM-enabled cyber defense.