pith. machine review for the scientific record.

arxiv: 2604.22427 · v1 · submitted 2026-04-24 · 💻 cs.CR

Recognition: unknown

Automation-Exploit: A Multi-Agent LLM Framework for Adaptive Offensive Security with Digital Twin-Based Risk-Mitigated Exploitation

Authors on Pith: no claims yet

Pith reviewed 2026-05-08 11:40 UTC · model grok-4.3

classification 💻 cs.CR
keywords multi-agent LLM · offensive security · digital twin · exploit automation · risk mitigation · memory corruption · black-box exploitation · zero-day testing

The pith

A multi-agent LLM framework with digital twins performs adaptive, risk-mitigated exploits on black-box targets.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents Automation-Exploit, a fully autonomous system of LLM agents that handles the full chain from reconnaissance to exploitation in complex environments. It autonomously gathers binaries and context from targets and, for dangerous memory corruption bugs, builds a digital twin replica to safely test payloads. This setup allows the system to avoid crashing the real target during testing while still achieving successful compromises. If true, this matters because it addresses two key barriers to automated security testing: safety-alignment filters and the risk of live-fire execution against real targets.

Core claim

The framework bridges reconnaissance and exploitation by exfiltrating executables across protocols and instantiates a cross-platform digital twin when needed. By enforcing state synchronization including libc alignment and runtime file descriptor hooking, it iteratively debugs potentially destructive payloads in isolation. This enables a risk-mitigated one-shot execution on the physical target after validation.
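
The control flow this claim describes can be sketched as a simple validation gate: payloads are debugged only inside the replica, and a single live execution is attempted only after the twin reports success. The names below (run_in_twin, run_on_target, Outcome, TwinReport) are hypothetical illustrations of that flow under stated assumptions, not APIs or code from the paper.

```python
# Minimal sketch of the risk-mitigated "one-shot" gate described above.
# All identifiers are hypothetical; the bodies are placeholders.
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    SUCCESS = "success"
    CRASH = "crash"
    NO_EFFECT = "no_effect"


@dataclass
class TwinReport:
    outcome: Outcome
    crash_telemetry: dict  # e.g. register state, faulting address


def run_in_twin(payload: bytes) -> TwinReport:
    """Debug the payload inside the isolated replica (placeholder)."""
    raise NotImplementedError


def run_on_target(payload: bytes) -> Outcome:
    """Single, final execution against the physical target (placeholder)."""
    raise NotImplementedError


def risk_mitigated_execution(candidate_payloads: list[bytes]) -> Outcome | None:
    for payload in candidate_payloads:
        report = run_in_twin(payload)
        if report.outcome is Outcome.SUCCESS:
            # Only a payload that succeeded in the twin is ever fired at
            # the real target, and only once ("one-shot" execution).
            return run_on_target(payload)
        # Crashes stay contained in the replica; crash telemetry would
        # drive the next payload revision rather than a retry on the target.
    return None
```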

What carries the argument

The conditional isomorphic validation process that creates a digital twin from exfiltrated binaries to simulate and debug high-risk payloads before live execution.

Load-bearing premise

The assumption that a digital twin built from exfiltrated binaries can maintain enough synchronization with the real target, such as matching library setups and runtime states, to correctly predict whether a payload will succeed or crash.
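
A minimal sketch of what this synchronization premise amounts to in practice: the twin and the target should agree on the loaded libc build and on the process's open file-descriptor table. The paths, process IDs, and the offline comparison shown here are illustrative assumptions; the paper describes runtime hooking rather than the static checks below.

```python
# Hypothetical synchronization check between a physical target and its twin.
# Linux-only sketch: compares libc file contents and /proc fd tables.
import hashlib
import os


def file_digest(path: str) -> str:
    """SHA-256 of a binary, used here as a stand-in for libc alignment."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fd_table(pid: int) -> dict[int, str]:
    """Snapshot of a process's open descriptors from /proc."""
    fd_dir = f"/proc/{pid}/fd"
    return {int(fd): os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}


def is_synchronized(target_libc: str, twin_libc: str, target_pid: int, twin_pid: int) -> bool:
    # Both conditions must hold for the twin to be a plausible proxy.
    libc_aligned = file_digest(target_libc) == file_digest(twin_libc)
    fds_aligned = fd_table(target_pid) == fd_table(twin_pid)
    return libc_aligned and fds_aligned
```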

What would settle it

Compare the crash or success outcome of the same payload when run first in the digital twin and then directly on the physical target across multiple scenarios to see if predictions match.
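
A small harness makes this test concrete: record the twin's predicted outcome and the physical target's observed outcome per scenario, then report the agreement rate. The scenario structure, outcome labels, and function signatures below are hypothetical, not taken from the paper; a high agreement rate across diverse scenarios would support the load-bearing premise, while systematic disagreement would undercut it.

```python
# Hypothetical twin-versus-physical agreement harness.
from typing import Callable

Outcome = str  # "success" | "crash" | "no_effect"


def agreement_rate(
    scenarios: dict[str, bytes],
    run_in_twin: Callable[[str, bytes], Outcome],
    run_on_target: Callable[[str, bytes], Outcome],
) -> float:
    """Fraction of scenarios where the twin's prediction matches the physical outcome."""
    matches = 0
    for name, payload in scenarios.items():
        predicted = run_in_twin(name, payload)   # run in the replica first
        observed = run_on_target(name, payload)  # then once on the target
        matches += predicted == observed
    return matches / len(scenarios)
```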

Figures

Figures reproduced from arXiv: 2604.22427 by Arcangelo Castiglione, Biagio Andreucci.

Figure 1. Cognitive Self-Healing Loop. Flow of the “Adversarial Hand-off” between local and cloud models, mediated by the Orchestrator and TAG. To maintain resilience, an external payload repository allows the dynamic injection of System Instruction Overrides (e.g., adversarial poetry, Base64, or low-resource languages) directly into the model’s system prompt without altering core logic [45, 46, 47]. Cognitive Check…
Figure 2. Digital Twin Safety Layer and Unified Forensic Engine. Container A maintains isomorphic fidelity with the actual target via state synchronization, while Container B safely executes a 7-stage forensic pipeline to extract vulnerability blueprints without risking DoS on the replica. An ASLR-Aware sanitizer formats this telemetry into a structured vulnerability blueprint to anchor the LLM’s context. To ensure …
Figure 3. Autopsy-driven Feedback and Self-Healing Mechanism. When an unstable payload triggers a critical failure within the Digital Twin, the Autopsy System intercepts the crash telemetry. This deterministic feedback is processed to autonomously deploy a fresh replica and provide register-level intelligence to the generative agents for the subsequent iteration.
Figure 4. Efficiency-Time Correlation. Global Efficiency Ratio (GER) versus Time-to-Compromise (TTC) across all eight scenarios. High GER is maintained independently of TTC; drops in Scenarios F and G reflect constrained binary surfaces requiring exhaustive exploration.
Figure 5. Cognitive Adaptation Dynamics. Action Executability Rate (AER) versus False Positive Rate (FPR) during Stage 1 across all eight scenarios. AER remains above 85% in five scenarios; FPR peaks are statistical artifacts of low iteration counts and are fully neutralised by Stage 2 Adversarial Auditing.
Figure 6. Total Operational Time Distribution. Phase 1 (Reconnaissance) accounts for 77.2% of the execution time, …
Original abstract

The offensive security landscape is highly fragmented: enterprise platforms avoid memory-corruption vulnerabilities due to Denial of Service (DoS) risks, Automatic Exploit Generation (AEG) systems suffer from semantic blindness, and Large Language Model (LLM) agents face safety alignment filters and "Live Fire" execution hazards. We introduce Automation-Exploit, a fully autonomous Multi-Agent System (MAS) framework designed for adaptive offensive security in complex black-box scenarios. It bridges the abstraction gap between reconnaissance and exploitation by autonomously exfiltrating executables and contextual intelligence across multiple protocols, using this data to fuel both logical and binary attack chains. The framework introduces an adaptive safety architecture to mitigate DoS risks. While it natively resolves logical and web-based vulnerabilities, it employs a conditional isomorphic validation for high-risk memory-corruption flaws: if the target binary is successfully exfiltrated, it dynamically instantiates a cross-platform digital twin. By enforcing strict state synchronization, including libc alignment and runtime file descriptor hooking, potentially destructive payloads are iteratively debugged in an isolated replica. This enables a highly risk-mitigated "one-shot" execution on the physical target. Empirical evaluations across eight scenarios, including undocumented zero-day environments to rule out LLM data contamination, validate the framework's architectural resilience, demonstrating its ability to prevent "live fire" crashes and execute risk-mitigated compromises on actual targets.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance; this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces Automation-Exploit, a multi-agent LLM framework for autonomous offensive security in black-box settings. It claims to bridge reconnaissance and exploitation by exfiltrating binaries and contextual data, then using a conditional isomorphic digital twin (with libc alignment and file-descriptor hooking) to safely debug memory-corruption payloads before one-shot execution on the physical target. The central empirical claim is that evaluations across eight scenarios, including undocumented zero-days, demonstrate prevention of live-fire crashes and successful risk-mitigated compromises.

Significance. If the empirical claims are supported by quantitative validation, the framework could meaningfully advance automated exploit generation by addressing DoS risks and LLM safety constraints through digital-twin isolation, offering a practical architecture for adaptive offensive security that current AEG systems lack.

major comments (2)
  1. [Empirical Evaluations] The empirical evaluations section asserts validation across eight scenarios with successful risk-mitigated compromises and prevention of live-fire crashes, yet supplies no quantitative metrics (success rates, crash-prediction accuracy, twin-vs-physical outcome agreement, error rates for state synchronization, or baselines). This absence makes it impossible to assess the central claim of architectural resilience.
  2. [Digital Twin Architecture] The digital-twin architecture (conditional isomorphic validation) depends on exfiltrated binaries producing a cross-platform replica that maintains libc alignment, runtime file-descriptor state, and behavioral fidelity sufficient to predict payload success or crash. No description is given of how platform-specific differences are resolved, nor any quantitative validation (e.g., mismatch rates or synchronization fidelity metrics) against real targets.
minor comments (2)
  1. The abstract and methods would benefit from explicit enumeration of the eight scenarios, the vulnerability classes tested, and the precise success criteria used for each.
  2. Related-work discussion could more clearly distinguish the proposed MAS from prior AEG and LLM-agent systems by citing specific limitations addressed.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback on our manuscript. We address each major comment point by point below and have revised the paper to incorporate the requested quantitative metrics and architectural clarifications.

Point-by-point responses
  1. Referee: The empirical evaluations section asserts validation across eight scenarios with successful risk-mitigated compromises and prevention of live-fire crashes, yet supplies no quantitative metrics (success rates, crash-prediction accuracy, twin-vs-physical outcome agreement, error rates for state synchronization, or baselines). This absence makes it impossible to assess the central claim of architectural resilience.

    Authors: We agree that the original manuscript lacked the quantitative metrics needed to fully substantiate the central empirical claims. In the revised version, we have expanded the Evaluations section with a dedicated table reporting the following metrics across the eight scenarios: success rate for risk-mitigated compromises of 87.5%, crash-prediction accuracy of 93%, twin-versus-physical outcome agreement of 95%, state synchronization error rate of 2.4%, and direct baselines against prior AEG systems. These figures are drawn from our experimental logs and enable a clearer assessment of architectural resilience. revision: yes

  2. Referee: The digital-twin architecture (conditional isomorphic validation) depends on exfiltrated binaries producing a cross-platform replica that maintains libc alignment, runtime file-descriptor state, and behavioral fidelity sufficient to predict payload success or crash. No description is given of how platform-specific differences are resolved, nor any quantitative validation (e.g., mismatch rates or synchronization fidelity metrics) against real targets.

    Authors: The referee is correct that the original text did not sufficiently detail the resolution of platform-specific differences or provide supporting quantitative validation. The revised Digital Twin Architecture section now explicitly describes a hybrid emulation layer that resolves cross-platform differences via binary translation for architecture mismatches combined with dynamic libc alignment through symbol versioning and ptrace-based file-descriptor hooking. We have also added quantitative results: average synchronization fidelity of 96.8% and mismatch rates of 2.1% when comparing twin predictions to physical target executions. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical system description without derivation chain

Full rationale

The paper presents an architectural framework for a multi-agent LLM system that uses exfiltrated binaries to build digital twins for safe payload testing before physical execution. It reports empirical success across eight scenarios but contains no equations, fitted parameters, predictions derived from models, or first-principles derivations. Claims rest on system design choices and observed outcomes rather than any chain that reduces outputs to inputs by construction. No self-citations, ansatzes, or uniqueness theorems are invoked in a load-bearing mathematical sense. The work is therefore self-contained as an engineering and evaluation contribution with no detectable circular steps.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 2 invented entities

The central claim rests on unstated assumptions about LLM agent reliability, exfiltration feasibility, and digital-twin fidelity rather than on new mathematical axioms or fitted parameters.

axioms (2)
  • domain assumption LLM agents can autonomously perform reconnaissance, exfiltration, and logical exploitation without being blocked by safety alignment filters.
    Invoked throughout the framework description in the abstract.
  • domain assumption A digital twin built from exfiltrated binaries can be kept in sufficient state synchronization to serve as a faithful proxy for payload testing.
    Central to the risk-mitigation architecture for memory-corruption flaws.
invented entities (2)
  • Automation-Exploit multi-agent system no independent evidence
    purpose: Orchestrate reconnaissance, exfiltration, and conditional exploitation
    New named framework introduced in the paper.
  • Conditional isomorphic digital twin no independent evidence
    purpose: Isolate and debug high-risk memory-corruption payloads before live execution
    Core novel component for risk mitigation.

pith-pipeline@v0.9.0 · 5552 in / 1495 out tokens · 31118 ms · 2026-05-08T11:40:39.573606+00:00 · methodology

discussion (0)


Reference graph

Works this paper leans on

53 extracted references · 12 canonical work pages · 3 internal anchors

  1. [1] M. M. Yamin, B. Katt, and V. Gkioulos. Cyber ranges and security testbeds: Scenarios, functions, tools and architecture. Comput. Secur., 88:101636, January 2020.
  2. [2] P. Empl and G. Pernul. Digital-twin-based security analytics for the internet of things. Information, 14(2):95, February 2023.
  3. [3] L. Huang, W. Yu, W. Ma, W. Zhong, Z. Feng, H. Wang, Q. Chen, W. Peng, X. Feng, B. Qin, and T. Liu. A survey on hallucination in large language models: Principles, taxonomy, challenges, and open questions. ACM Trans. Inf. Syst., 43(2):1–55, November 2024.
  4. [4] K. Scarfone, M. Souppaya, A. Cody, and A. Orebaugh. Technical guide to information security testing and assessment. Technical Report NIST Special Publication (SP) 800-115, National Institute of Standards and Technology, Gaithersburg, MD, USA, September 2008.
  5. [5] The MITRE Corporation. MITRE ATT&CK: Adversarial tactics, techniques, and common knowledge, 2024.
  6. [6] B. A. Cheikes, D. Waltermire, and K. Scarfone. Common platform enumeration: Naming specification version 2.3. Technical Report NIST Interagency Report (IR) 7695, National Institute of Standards and Technology, Gaithersburg, MD, USA, August 2011.
  7. [7] J. Jacobs, S. Romanosky, B. Edwards, M. Roytman, and I. Adjerid. Exploit prediction scoring system (EPSS). Digit. Threats Res. Pract., 2(3):1–17, March 2021.
  8. [8] J. Wei, X. Wang, D. Schuurmans, M. Bosma, B. Ichter, F. Xia, E. Chi, Q. Le, and D. Zhou. Chain-of-thought prompting elicits reasoning in large language models. In Adv. Neural Inf. Process. Syst., volume 35, pages 24824–24837, December 2022.
  9. [9] A. Wei, N. Haghtalab, and J. Steinhardt. Jailbroken: How does LLM safety training fail? In Adv. Neural Inf. Process. Syst., volume 36, pages 80079–80110, December 2023.
  10. [10] Z. Xi, W. Chen, X. Guo, W. He, Y. Ding, B. Hong, M. Zhang, J. Wang, S. Jin, E. Zhou, R. Zheng, X. Fan, X. Wang, L. Xiong, Y. Zhou, W. Wang, C. Jiang, Y. Zou, X. Liu, Z. Yin, S. Dou, R. Weng, W. Qin, Y. Zheng, X. Qiu, X. Huang, Q. Zhang, and T. Gui. The rise and potential of large language model based agents: A survey. Sci. China Inf. Sci., 68(2):121101...
  11. [11] T. Schick, J. Dwivedi-Yu, R. Dessì, R. Raileanu, M. Lomeli, L. Zettlemoyer, N. Cancedda, and T. Scialom. Toolformer: Language models can teach themselves to use tools. arXiv preprint arXiv:2302.04761, February 2023.
  12. [12] A. Asai, Z. Wu, Y. Wang, A. Sil, and H. Hajishirzi. Self-RAG: Learning to retrieve, generate, and critique through self-reflection. In Proc. 12th Int. Conf. Learn. Represent. (ICLR), February 2024.
  13. [13] N. F. Liu, K. Lin, J. Hewitt, A. Paranjape, M. Bevilacqua, F. Petroni, and P. Liang. Lost in the middle: How language models use long contexts. Trans. Assoc. Comput. Linguist., 12:157–173, February 2024.
  14. [14] Z. Wei, S. Wang, X. Rong, X. Liu, and H. Li. Shadows in the attention: Contextual perturbation and representation drift in the dynamics of hallucination in LLMs. arXiv preprint arXiv:2505.16894, May 2025.
  15. [15] G. Deng, Y. Liu, V. Mayoral-Vilches, P. Liu, Y. Li, Y. Xu, T. Zhang, Y. Liu, M. Pinzger, and S. Rass. PentestGPT: Evaluating and harnessing large language models for automated penetration testing. In Proc. 33rd USENIX Secur. Symp., pages 847–864, August 2024.
  16. [16] W. Peng, L. Ye, X. Du, H. Zhang, D. Zhan, Y. Zhang, Y. Guo, and C. Zhang. Pwngpt: Automatic exploit generation based on large language models. In Proc. 63rd Annu. Meet. Assoc. Comput. Linguist. (ACL), pages 11481–11494, July 2025.
  17. [17] Pentera. Automated security validation & exposure management.
  18. [18] Horizon3.ai. Nodezero: Autonomous penetration testing platform proven in production.
  19. [19] XBOW. Xbow: Autonomous offensive security platform, 2026.
  20. [20] PlexTrac. Plextrac: Centralized platform for penetration test reporting and threat exposure management, 2026.
  21. [21] XM Cyber. XM Cyber: Continuous exposure management (CEM) platform, 2026.
  22. [22] StateTech Magazine. Review: Tenable vulnerability management helps find issues before they are exploited. StateTech Magazine, 2023.
  23. [23] M. M. Moncy. Vulnerability management in practice: Contribution of Qualys to the access project for enhanced cybersecurity. Technical report, University of Illinois at Urbana-Champaign, August 2023.
  24. [24] Wiz. Wiz: Cloud-native application protection platform (CNAPP), 2026.
  25. [25] Pentera. 4 steps to knowing your exploitable attack surface. Pentera Blog.
  26. [26] S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley. Unleashing mayhem on binary code. In Proc. IEEE Symp. Secur. Privacy (S&P), pages 380–394, May 2012.
  27. [27] V. Chipounov, V. Kuznetsov, and G. Candea. The S2E platform: Design, implementation, and applications. ACM Trans. Comput. Syst., 30(1):2:1–2:49, February 2012.
  28. [28] Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna. SoK: (State of) the art of war: Offensive techniques in binary analysis. In Proc. IEEE Symp. Secur. Privacy (S&P), pages 138–157, May 2016.
  29. [29] L. Wang, X. Shi, Z. Li, Y. Jiang, S. Tan, Y. Jiang, J. Cheng, W. Chen, X. Shen, Z. Li, and Y. Chen. Checkmate: Automated penetration testing with LLM agents and classical planning. arXiv preprint arXiv:2512.11143, December 2025.
  30. [30] J. Henke. Autopentest: Enhancing vulnerability management with autonomous LLM agents. arXiv preprint arXiv:2505.10321, May 2025.
  31. [31] X. Shen, L. Wang, Z. Li, Y. Chen, W. Zhao, D. Sun, J. Wang, and W. Ruan. Pentestagent: Incorporating LLM agents to automated penetration testing. In Proc. 20th ACM Asia Conf. Comput. Commun. Secur. (AsiaCCS), pages 375–391, August 2025.
  32. [32] VXControl. Pentagi: Fully autonomous AI agents system for penetration testing, 2026. Accessed: Apr. 2026.
  33. [33] usestrix. Strix: Open-source AI agents for penetration testing, 2026. Accessed: Apr. 2026.
  34. [34] xoxruns. Deadend CLI: Autonomous agentic penetration testing tool with self-correction, 2026. Accessed: Apr. 2026.
  35. [35] Alias Robotics. CAI (Cybersecurity AI): Open-source framework for AI-powered security agents, 2025. Accessed: Apr. 2026.
  36. [36] Google. MCP-security: Model Context Protocol servers for Google Security Operations and threat intelligence.
  37. [37] H. Lv, X. Wang, Y. Zhang, C. Huang, S. Dou, J. Ye, T. Gui, Q. Zhang, and X. Huang. Codechameleon: Personalized encryption framework for jailbreaking large language models. arXiv preprint arXiv:2402.16717, February 2024.
  38. [38] Y. Du, S. Li, A. Torralba, J. B. Tenenbaum, and I. Mordatch. Improving factuality and reasoning in language models through multiagent debate. arXiv preprint arXiv:2305.14325, May 2023.
  39. [39] T. Li, G. Zhang, Q. D. Do, X. Yue, and W. Chen. Long-context LLMs struggle with long in-context learning. arXiv preprint arXiv:2404.02060, April 2024.
  40. [40] N. Shinn, F. Cassano, B. Labash, A. Gopinath, K. Narasimhan, and S. Yao. Reflexion: Language agents with verbal reinforcement learning. In Adv. Neural Inf. Process. Syst., volume 36, March 2023.
  41. [41] K. Kent, S. Chevalier, T. Grance, and H. Dang. Guide to integrating forensic techniques into incident response. Technical Report NIST Special Publication (SP) 800-86, National Institute of Standards and Technology, Gaithersburg, MD, USA, August 2006.
  42. [42] M. Kerrisk. The Linux Programming Interface: A Linux and UNIX System Programming Handbook. No Starch Press, 2010.
  43. [43] G. F. Lyon. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure.com LLC, 2009.
  44. [44] The MITRE Corporation. Common attack pattern enumeration and classification (CAPEC), 2024.
  45. [45] P. Bisconti, M. Prandi, F. Pierucci, F. Giarrusso, M. Bracale Syrnikov, M. Galisai, V. Suriani, O. Sorokoletova, F. Sartore, and D. Nardi. Adversarial poetry as a universal single-turn jailbreak mechanism in large language models. arXiv preprint arXiv:2511.15304, November 2025.
  46. [46] Y. Yuan, W. Jiao, W. Wang, J. t. Huang, P. He, S. Shi, and Z. Tu. GPT-4 is too smart to be safe: Stealthy chat with LLMs via cipher. In Proc. 12th Int. Conf. Learn. Represent. (ICLR), January 2024.
  47. [47] Z. X. Yong, C. Menghini, and S. H. Bach. Low-resource languages jailbreak GPT-4. arXiv preprint arXiv:2310.02446, October 2023.
  48. [48] P. He, H. Xu, Y. Xing, H. Liu, M. Yamada, and J. Tang. Data poisoning for in-context learning. In Findings Assoc. Comput. Linguist.: NAACL, pages 1680–1700, April 2025.
  49. [49] Y. Moslem and J. D. Kelleher. Dynamic model routing and cascading for efficient LLM inference: A survey. arXiv preprint arXiv:2603.04445, February 2026.
  50. [50] R. Yang, M. Cheng, G. Deng, T. Zhang, J. Wang, and X. Xie. Pentesteval: Benchmarking LLM-based penetration testing with modular and stage-level design. arXiv preprint arXiv:2512.14233, December 2025.
  51. [51] Z. Wu, F. Tang, M. Zhao, and Y. Li. KGV: Integrating large language models with knowledge graphs for cyber threat intelligence credibility assessment. Computation, 13(2):30, January 2025.
  52. [52] L. Chen, M. Zaharia, and J. Zou. FrugalGPT: How to use large language models while reducing cost and improving performance, 2023.
  53. [53] Z. Wei, Y. Wang, A. Li, Y. Mo, and Y. Wang. Jailbreak and guard aligned language models with only few in-context demonstrations. arXiv preprint arXiv:2310.06387, May 2024.