
arxiv: 2604.06274 · v1 · submitted 2026-04-07 · 💻 cs.CR · cs.AI

Towards the Development of an LLM-Based Methodology for Automated Security Profiling in Compliance with Ukrainian Cybersecurity Regulations

Pith reviewed 2026-05-10 19:19 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords: LLM, RAG, cybersecurity compliance, Ukrainian regulations, security profiles, ISO 27001, NIST framework, risk-based approach

The pith

Large language models paired with retrieval from regulatory databases can automate the creation of Ukrainian cybersecurity compliance profiles.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines how Ukraine is shifting its cybersecurity rules toward risk-based models that draw on international standards such as ISO 27001 and the NIST framework. It then presents a concrete workflow in which an LLM, supplied with a vector store of national laws and company policies, generates target security profiles. The stated goal is to cut the time and mistakes that arise when human experts manually translate legal text into technical controls. A sympathetic reader would see this as a practical response to the volume of hybrid-threat regulations now facing Ukrainian organizations.

Core claim

The central claim is that a retrieval-augmented generation system, built on a vector database containing Ukrainian normative documents and organizational policies, can produce target security profiles that are both technically sound and aligned with legal requirements, thereby reducing manual effort and human error in compliance work.

What carries the argument

A RAG-based advisor that retrieves relevant passages from a vector database of national regulations and organizational policies and feeds them to an LLM to draft target security profiles.

If this is right

  • Security profile development time drops because the LLM drafts initial versions instead of starting from blank documents.
  • Human experts shift from writing profiles to reviewing and correcting AI drafts, lowering the chance of oversight errors.
  • Technical controls stay traceable to specific paragraphs in Ukrainian law because every recommendation cites retrieved source text.
  • The same workflow can be updated when new regulations appear by simply adding fresh documents to the vector database.
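The retrieve-then-draft workflow described under "What carries the argument", together with the traceability point in the last bullet, as an added illustration that is not code from the paper or from Pith: a constructed corpus of placeholder paragraphs, bag-of-words overlap standing in for the vector-database search, and a simulated LLM draft whose citations are checked against the retrieved context before the profile entry is accepted. The document ids, corpus wording and the `retrieve`/`check_draft` functions are assumptions made for this example only.

```python
"""Retrieve-then-draft with citation checking for a compliance profile entry:
placeholder regulatory text is retrieved for a control question, and a simulated
LLM draft is accepted only if each citation names a retrieved, supporting paragraph."""
import re
from collections import Counter
# Constructed corpus of (document id, paragraph id, text); placeholder wording,
# not quotations from any real Ukrainian normative document.
CORPUS = [
    ("REG-PLACEHOLDER", "4.2", "Access to confidential information shall be granted "
     "only to authenticated users with documented authorization."),
    ("REG-PLACEHOLDER", "4.5", "Security events shall be logged and retained for "
     "periodic review by the responsible unit."),
    ("POLICY-ORG", "2.1", "Remote access to internal systems requires multi-factor "
     "authentication."),
]
STOP = {"and", "for", "to", "the", "of", "be", "shall", "with", "by", "only", "all"}

def tokens(text):
    return Counter(w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP)

def overlap(a, b):
    return sum(min(a[w], b[w]) for w in a if w in b)

def retrieve(query, corpus=CORPUS, k=2):
    """Bag-of-words ranking standing in for the vector-database similarity search."""
    q = tokens(query)
    scored = [(overlap(q, tokens(t)), d, p, t) for d, p, t in corpus]
    return sorted((s for s in scored if s[0] > 0), reverse=True)[:k]

def check_draft(draft, retrieved, min_support=2):
    """draft = {"control": str, "citations": [(doc, para), ...]} as an LLM would
    return it. Every citation must be in the retrieved context and share at least
    min_support words with the control; otherwise the entry goes back for review."""
    by_id = {(d, p): t for _, d, p, t in retrieved}
    c, reasons = tokens(draft["control"]), []
    if not draft["citations"]:
        reasons.append("no citation: control is not traceable to source text")
    for cite in draft["citations"]:
        if cite not in by_id:
            reasons.append(f"citation {cite} was not in the retrieved context")
        elif overlap(c, tokens(by_id[cite])) < min_support:
            reasons.append(f"citation {cite} does not support the control text")
    return (not reasons, reasons)

def demo():
    hits = retrieve("authentication and authorization for confidential information")
    good = {"control": "Grant access to confidential information only to authenticated, "
            "authorized users.", "citations": [("REG-PLACEHOLDER", "4.2")]}
    bad = {"control": "Encrypt all backups at rest.", "citations": [("REG-PLACEHOLDER", "9.9")]}  # fabricated id
    return check_draft(good, hits), check_draft(bad, hits)
```

The second draft in `demo` cites a paragraph id that was never retrieved, which is the failure mode a reviewer most needs surfaced before a generated profile is trusted.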

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same retrieval-plus-LLM pattern could be tested on the cybersecurity rules of other countries that also reference ISO 27001 or NIST.
  • A practical next step would be a controlled trial measuring how many hours experts spend correcting AI-generated profiles versus writing them manually.
  • If the vector database is kept current, the generated profiles could serve as living documents that automatically flag when new legal requirements affect existing controls.

Load-bearing premise

An AI system supplied only with stored regulatory text can correctly interpret complex legal requirements and map them to accurate technical controls without introducing misalignments or omissions.

What would settle it

Run the system on a known Ukrainian regulation, then have independent auditors compare the generated profile against the actual required controls; systematic mismatches on specific control mappings would show the method fails.

Original abstract

In recent years, the pace of development of information technology in various areas has increased drastically, forcing cybersecurity specialists to constantly review existing processes in order to prevent unauthorized access to confidential information. Using Ukraine as a primary case study, this paper explores the integration of international best practices, specifically ISO/IEC 27001 and the NIST Cybersecurity Framework, into national regulatory systems. A focus is placed on the transition from traditional compliance models to risk-based approaches, exemplified by the recent adoption of the Ukrainian normative documents. Furthermore, we propose a methodology for automating the development of target security profiles using Large Language Models (LLMs) enhanced by Retrieval-Augmented Generation (RAG). By integrating a vector database of national regulations and organizational policies, the proposed RAG-based advisor reduces manual complexity, minimizes human error, and ensures alignment between technical controls and legal requirements. This study contributes to the field by providing a structured workflow for AI-assisted cybersecurity management in environments characterized by high-intensity hybrid threats.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes a high-level workflow for automating the creation of target security profiles aligned with Ukrainian cybersecurity regulations. It integrates international standards (ISO/IEC 27001 and NIST CSF) into national frameworks and describes an LLM enhanced by Retrieval-Augmented Generation (RAG) that draws from a vector database of regulations and organizational policies, claiming this approach reduces manual complexity, minimizes human error, and ensures regulatory alignment in high-threat environments.

Significance. If the RAG-based advisor could be shown through implementation and testing to produce verifiably accurate and complete control mappings, the work would provide a practical contribution to AI-assisted compliance tooling for jurisdictions with evolving risk-based regulations. At present the contribution is limited to a conceptual outline without demonstrated performance.

major comments (2)
  1. [Abstract / Proposed Methodology] Abstract and the description of the proposed methodology: the claim that the RAG-based advisor 'reduces manual complexity, minimizes human error, and ensures alignment between technical controls and legal requirements' is presented as a property of the workflow, yet the manuscript supplies no implementation details, prompt templates, vector-database schema, or test cases that would allow assessment of these properties.
  2. [Proposed Methodology] No evaluation or validation section exists: the central assertions of error minimization and regulatory alignment rest on the untested assumption that an LLM+RAG pipeline can reliably interpret complex regulatory text and map it to technical controls; without precision/recall metrics, expert inter-rater agreement, or comparison against manually authored profiles, the claims remain unverified.
minor comments (2)
  1. The manuscript would benefit from at least one concrete example showing a sample regulatory excerpt, the RAG retrieval step, and the resulting security-profile output to make the workflow concrete.
  2. Additional references to existing literature on RAG applications in regulatory compliance or LLM-assisted security engineering would help situate the proposal.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive and detailed comments. We agree that the manuscript presents a conceptual methodology without implementation details or empirical validation. In the revised version we will expand the workflow description, add a limitations and future-work section, and moderate the claims to reflect the current scope while preserving the core contribution of the proposed approach.

Point-by-point responses
  1. Referee: [Abstract / Proposed Methodology] Abstract and the description of the proposed methodology: the claim that the RAG-based advisor 'reduces manual complexity, minimizes human error, and ensures alignment between technical controls and legal requirements' is presented as a property of the workflow, yet the manuscript supplies no implementation details, prompt templates, vector-database schema, or test cases that would allow assessment of these properties.

    Authors: We acknowledge that the manuscript is a high-level proposal and therefore contains no implementation artifacts or test cases. In revision we will augment the methodology section with a more granular workflow diagram, a conceptual schema for the vector database (including document chunking and embedding strategy), and example query patterns. We will also revise the abstract and body text to present the stated benefits as hypothesized outcomes of the design rather than demonstrated properties, and we will add a note that concrete prompt templates and evaluation data are planned for subsequent implementation work. revision: partial

  2. Referee: [Proposed Methodology] No evaluation or validation section exists: the central assertions of error minimization and regulatory alignment rest on the untested assumption that an LLM+RAG pipeline can reliably interpret complex regulatory text and map it to technical controls; without precision/recall metrics, expert inter-rater agreement, or comparison against manually authored profiles, the claims remain unverified.

    Authors: We agree that no evaluation section is present because the paper focuses on methodology design rather than system implementation. In the revised manuscript we will insert a dedicated 'Limitations and Planned Validation' subsection that outlines candidate metrics (precision/recall for control mapping, inter-rater agreement with domain experts) and a high-level comparison protocol against manual profiles. We will also state explicitly that these steps remain future work and that the current claims rest on the logical structure of the workflow. revision: yes

standing simulated objections not resolved
  • Because the work describes a proposed methodology without an accompanying implementation, we cannot supply actual prompt templates, populated vector-database examples, or quantitative performance metrics at this time.

Circularity Check

0 steps flagged

Conceptual methodology proposal with no derivations or self-referential reductions

Full rationale

The manuscript is a high-level conceptual proposal for an LLM+RAG workflow to generate security profiles aligned with Ukrainian regulations and ISO/NIST practices. No equations, parameters, fitted values, or derivation chains appear in the abstract or described structure. The central claim (RAG advisor reduces complexity and ensures alignment) is presented as a proposed methodology rather than a derived result from prior inputs or self-citations. No load-bearing steps reduce by construction to the paper's own definitions or data fits, satisfying the self-contained criterion.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The proposal rests on untested assumptions about LLM reliability in regulatory interpretation and the sufficiency of a vector database for capturing all relevant policy nuances.

axioms (1)
  • [ad hoc to paper] LLMs enhanced by RAG can accurately interpret and apply national regulations to organizational security controls without human oversight errors
    Invoked in the description of the RAG-based advisor but not supported by any testing or evidence in the provided text.
invented entities (1)
  • RAG-based advisor [no independent evidence]
    purpose: To automate development of target security profiles
    Introduced as the core system component without external validation or falsifiable predictions.

pith-pipeline@v0.9.0 · 5476 in / 1280 out tokens · 44876 ms · 2026-05-10T19:19:24.138382+00:00 · methodology

