ai

[Paper] SecureCAI: Injection-Resilient LLM Assistants for Cybersecurity Operations

Published: (January 12, 2026 at 01:59 PM EST)
4 min read
Source: arXiv

Source: arXiv - 2601.07835v1

Overview

Large Language Models (LLMs) are rapidly being adopted inside Security Operations Centers (SOCs) for tasks like log parsing, phishing triage, and malware analysis. However, these models are vulnerable to prompt injection attacks, where an attacker hides malicious instructions in security artifacts to hijack the model’s behavior. The paper SecureCAI: Injection‑Resilient LLM Assistants for Cybersecurity Operations proposes a defense framework that makes LLM‑based assistants robust enough for real‑world security work.

Key Contributions

  • SecureCAI framework that blends Constitutional AI with security‑specific guardrails, creating a “constitution” that explicitly forbids unsafe actions.
  • Adaptive constitution evolution: the guardrails are automatically refined through continuous red‑team feedback, keeping pace with emerging attack techniques.
  • Direct Preference Optimization (DPO) for “unlearning” unsafe response patterns without costly retraining from scratch.
  • Comprehensive evaluation on realistic SOC workloads showing a 94.7 % reduction in successful prompt‑injection attacks while preserving 95.1 % accuracy on benign tasks.
  • Constitution adherence scoring (> 0.92) that quantifies how faithfully the model follows the security‑oriented rules under sustained adversarial pressure.

Methodology

  1. Security‑aware Constitution – The authors start by writing a set of high‑level policies (e.g., “Never reveal internal network topology,” “Never execute code from user‑provided snippets”). These policies are encoded as prompts that the LLM must consult before answering.
  2. Guardrail Layer – A lightweight pre‑processor inspects incoming SOC artifacts (logs, emails, binaries) for suspicious patterns and injects a “guardrail prompt” that forces the model to reason through the constitution first.
  3. Adaptive Evolution – Red‑team teams continuously generate new injection examples. The system logs failures, updates the constitution, and re‑applies DPO to shift the model’s preference toward safe completions.
  4. Direct Preference Optimization – Instead of full fine‑tuning, DPO uses a pairwise loss that directly rewards safe responses over unsafe ones, making the adaptation step fast and data‑efficient.
  5. Evaluation Pipeline – The authors benchmark SecureCAI on two fronts:
    • Attack success rate using a curated suite of prompt‑injection attacks.
    • Task accuracy on standard SOC datasets (log anomaly detection, phishing classification, malware description).

Results & Findings

MetricBaseline LLMSecureCAI
Attack success rate38 %2.3 % (‑94.7 % relative)
Accuracy on benign tasks96 %95.1 % (≈‑0.9 % drop)
Constitution adherence score0.680.93
Time to incorporate new guardrails (via DPO)Hours (full fine‑tune)≈5 min

The data show that SecureCAI dramatically curtails injection attacks while barely affecting the model’s usefulness for everyday security analysis. The high adherence score indicates the model consistently respects the security constitution even when attackers try to “talk around” the guardrails.

Practical Implications

  • Deployable SOC assistants – Teams can integrate SecureCAI into existing ticketing or SIEM platforms, confident that the assistant won’t be tricked into leaking internal data or providing malicious code.
  • Reduced need for human oversight – By automatically rejecting unsafe prompts, analysts spend less time double‑checking AI outputs, accelerating incident response.
  • Fast adaptation to new threats – The DPO‑based update loop lets security teams roll out fresh guardrails within minutes after a red‑team discovers a novel injection vector.
  • Compliance & auditability – The constitution can be aligned with regulatory policies (e.g., GDPR, NIST CSF), and adherence scores provide a measurable audit trail.
  • Cost‑effective safety – Because SecureCAI avoids full model retraining, organizations can keep operational costs low while maintaining a high safety bar.

Limitations & Future Work

  • Scope of guardrails – The current constitution focuses on common SOC tasks; extending it to broader IT operations (e.g., DevOps pipelines) will require additional policy engineering.
  • Red‑team dependence – The adaptive evolution relies on continuous adversarial testing; gaps in red‑team coverage could leave blind spots.
  • Model size constraints – Experiments were run on a 13‑B parameter LLM; scaling to larger commercial models may introduce latency or require more sophisticated prompt management.
  • Future directions suggested by the authors include:
    1. Automating guardrail synthesis via formal verification.
    2. Integrating SecureCAI with multi‑modal inputs (e.g., network traffic captures).
    3. Exploring federated DPO updates to share safety improvements across organizations without exposing raw security data.

Authors

  • Mohammed Himayath Ali
  • Mohammed Aqib Abdullah
  • Mohammed Mudassir Uddin
  • Shahnawaz Alam

Paper Information

  • arXiv ID: 2601.07835v1
  • Categories: cs.CR, cs.CV
  • Published: January 12, 2026
  • PDF: Download PDF
Back to Blog

Related posts

Read more »